Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


Electronic Mail (E-Mail), which is one of the most widely used applications of Internet, has become a global communication infrastructure service. However, security loopholes in it enable cybercriminals to misuse it by forging its headers or by sending it anonymously for illegitimate purposes, leading to e-mail forgeries. E-mail messages include transit handling envelope and trace information in the form of structured fields which are not stripped after messages are delivered, leaving a detailed record of e-mail transactions. A detailed header analysis can be used to map the networks traversed by messages, including information on the messaging software and patching policies of clients and gateways, etc. Cyber forensic e-mail analysis is employed to collect credible evidence to bring criminals to justice. This paper projects the need for e-mail forensic investigation and lists various methods and tools used for its realization. A detailed header analysis of a multiple tactic spoofed e-mail message is carried out in this paper. It also discusses various possibilities for detection of spoofed headers and identification of its originator. Further, difficulties that may be faced by investigators during forensic investigation of an e-mail message have been discussed along with their possible solutions.


Allma, E., Callas, J., Delan, M., Libbey, M., Fenton J. & Thomas, M. (2007). DomainKeys Identified Mail (DKIM). Internet Engineering Task Force (IETF), RFC 4871.

Banday MT, et al., (2010a) “Analyzing Internet e-mail date-spoofing”, Digital Investigation (2010), doi:10.1016/j.diin.2010.11.001.

Banday, M.T., Qadri, J.A. (2010b). “A Study of E-mail Security Protocols,” eBritian, ISSN: 1755-9200, British Institute of Technology and E-commerce, UK, Issue 5, Summer 2010, pp. 55-60. Available online at: http://www.bite.ac.uk/ebritain/ebritain_summer_10.pdf.

Banday, M.T., Qadri, J.A., Shah, N.A. (2009). "Study of Botnets and Their Threats to Internet Security,". Sprouts: Working Papers on Information Systems, 9(24). http://sprouts.aisnet.org/9-24.

Berthold, O., Federrath, K¨opsell, H. S. (2000), “Web MIXes: A system for anonymous and unobservable Internet access”, In Proc. of Designing Privacy Enhancing Technologies:Workshop on Design Issues in Anonymity and Unobservability, July 2000.

Crocker, D. (2009), “Internet Mail Architecture”, RFC 5598, July 2009. http://tools.ietf.org/pdf/rfc5598.pdf, (25-Mar-2011).

Cherry, S.M. (2001), "Remailers Elude E-mail Surveillance", IEEE Spectrum, 38 (11), p.69 2001, 10.1109/MSPEC.2001.963268.

Dusi, M., Gringoli, F. Salgarelli, L. (2008), "A Preliminary Look at the Privacy of SSH Tunnels," in Proceedings of the 17th IEEE International Conference on Computer Communications and Networks (ICCCN 2008), (St. Thomas, U.S. Virgin Islands), Aug. 2008.

Ehrenkranz, T. and Li, J. On the state of IP spoofing defense. In Proceedings of ACM Trans. Internet Techn.. 2009.

Emmanuel S Pilli, R C Joshi and Rajdeep Niyogi, (2010), “A Generic Framework for Network Forensics”, International Journal of Computer Applications 1(11), February 2010, pp.1–6.

Hastings, N. E, McLean, P. A., (1996), “TCP/IP spoofing fundamentals”, In Proceedings of the IEEE 15th Annual International Phoenix Conference; 1996. pp. 218-224.

Marwan A. Z., (2004), “Tracing E-mail Headers”, Proceedings of Australian Computer, Network & Information Forensics Conference on 25th November, School of Computer and Information Science, Edith Cowan University Western Australia 2004, pp. 16-30.

Natarajan, M., Reddy, S., Allam, Moore, L. A. (2009), Tools and Techniques for Network Forensics, International Journal of Network Security and its Applications, 1(1), April 2009, pp. 14-25. Available online at: http://airccse.org/journal/nsa/0409s2.pdf.

Landsiedel, O., Niedermayer, H., Wehrle, K. (2005), An Infrastructure for Anonymous Internet Services, In IWI2005, Chiba/Tokyo, Japan, May 2005.

Radvanovsky, B. (2006), “Analyzing spoofed e-mail header”, Journal of Digital Forensic Practice, 1(3), 2006, pp. 231-243.

Resnick, P. editor, (2001), “Internet message format”, Internet Engineering Task Force (IETF); 2001. RFC 2822.

Shue, C. A., Gupta, M., Lubia, J. J., Kong, C. H., Yuksel, (2009), “A. Spamology: A study of spam origins”, In the 6th Conference on Email and Anti-Spam (CEAS) (2009).

Shunman, W., Ran, T., Yue, W., Ji, Z., (2003), “WLAN and its security problems”, In 4th International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT2003), 2003, pp. 241– 244.

Vivek S. P., Wang, L., Park, K., Pang, R., Peterson, L. (2004), “The dark side of the Web: an open proxy's view”, SIGCOMM Comput. Commun. Rev. 34, 1 (January 2004), 57-62. DOI=10.1145/972374.972385. Available online at: http://doi.acm.org/10.1145/972374.972385.

Wong, M., Schlitt, W. (2006). Sender Policy Framework (SPF) for Authorizing Use of Domains in E-MAIL, version 1. Internet Engineering Task Force (IETF), RFC 4408.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.