SMTP Message Headers Anatomy of a Message Header

  • Slides: 13

SMTP Message Headers


Anatomy of a Message Header

Hops
  • Received from, received by, timestamps, protocol or ciphers
Regular headers
  • From:, To:, Subject:, Message-ID:, Date:, etc.
Optional headers
  • SPF, DKIM, DMARC
  • X-Headers
  • SCL

Received: from MN2PR19MB3647.namprd19.prod.outlook.com (2603:10b6:910:15::24)
 by CY4PR19MB1127.namprd19.prod.outlook.com with HTTPS via
 CY4PR1101CA0014.NAMPRD11.PROD.OUTLOOK.COM; Wed, 23 Oct 2019 17:41:47 +0000
Received: from DM5PR19CA0018.namprd19.prod.outlook.com (2603:10b6:3:151::28)
 by MN2PR19MB3647.namprd19.prod.outlook.com (2603:10b6:208:189::14) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2367.20;
 Wed, 23 Oct 2019 17:41:45 +0000
Received: from BY2NAM05FT040.eopnam05.prod.protection.outlook.com
 (2a01:111:f400:7e52::201) by DM5PR19CA0018.outlook.office365.com
 (2603:10b6:3:151::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2367.21 via Frontend
 Transport; Wed, 23 Oct 2019 17:41:44 +0000
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (40.107.76.89)
 by BY2NAM05FT040.mail.protection.outlook.com (10.152.100.177) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
 id 15.20.2387.9 via Frontend Transport; Wed, 23 Oct 2019 17:41:44 +0000
Received: from BN8PR04MB5764.namprd04.prod.outlook.com (20.179.75.86)
 by BN8PR04MB6050.namprd04.prod.outlook.com (20.178.215.206) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
 id 15.20.2387.20; Wed, 23 Oct 2019 17:41 +0000
Received: from BN8PR04MB5764.namprd04.prod.outlook.com
 ([fe80::995f:cf36:b84e:dfdb]) by BN8PR04MB5764.namprd04.prod.outlook.com
 ([fe80::995f:cf36:b84e:dfdb%6]) with mapi id 15.20.2347.029;
 Wed, 23 Oct 2019 17:41:40 +0000


Anatomy of a Message Header

Hops
  • Received from, received by, timestamps, protocol or ciphers
Regular headers
  • From:, To:, Subject:, Message-ID:, Date:, etc.
Optional headers
  • SPF, DKIM, DMARC
  • X-Headers
  • SCL

Received: from BN8PR04MB5764.namprd04.prod.outlook.com
 ([fe80::995f:cf36:b84e:dfdb]) by BN8PR04MB5764.namprd04.prod.outlook.com
 ([fe80::995f:cf36:b84e:dfdb%6]) with mapi id 15.20.2347.029;
 Wed, 23 Oct 2019 17:41:40 +0000
From: "Jeff Guillet (MVP/MCSM)" <jguillet@expta.com>
To: John Smith <john@contoso.com>
Subject: Test
Thread-Topic: Test
Thread-Index: AdWJyRrNPSon1n7+T/OohVCxzYhurA==
Date: Wed, 23 Oct 2019 17:41:40 +0000
Message-ID: <BN8PR04MB576417505D3CC2569EEEB93ECD6B0@BN8PR04MB5764.namprd04.prod.outlook.com>
Accept-Language: en-US
Content-Type: multipart/related;
 boundary="_011_BN8PR04MB576417505D3CC2569EEEB93ECD6B0BN8PR04MB5764namp_";
 type="multipart/alternative"
MIME-Version: 1.0


Anatomy of a Message Header

Hops
  • Received from, received by, timestamps, protocol or ciphers
Regular headers
  • From:, To:, Subject:, Message-ID:, Date:, etc.
Optional headers
  • SPF, DKIM, DMARC
  • X-Headers
  • Spam Confidence Level (SCL)

Authentication-Results: spf=pass (sender IP is 40.107.76.89)
 smtp.mailfrom=expta.com; contoso.com; dkim=pass (signature was verified)
 header.d=expta.com; contoso.com; dmarc=pass action=none
 header.from=expta.com; compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of expta.com designates
 40.107.76.89 as permitted sender) receiver=protection.outlook.com;
 client-ip=40.107.76.89; helo=NAM02-CY1-obe.outbound.protection.outlook.com;
...
X-MS-Has-Attach: yes
x-originating-ip: [162.228.162.117]
X-MS-Office365-Filtering-Correlation-Id: ad8d52a7-fbda-415c1050-08d757e0453a
X-Microsoft-Antispam: BCL:0;
X-CrossPremisesHeadersPromoted: BY2NAM05FT005.eopnam05.prod.protection.outlook.com
X-MS-Exchange-Organization-SCL: -1
X-OriginatorOrg: expta.com
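An added example, not part of the original slides: reading the hop chain and the verdict headers shown above with Python's standard `email` module. It lists the Received hops oldest first with TLS version and per-hop delay, and pulls the SPF/DKIM/DMARC/compauth results and the SCL. The sample is a constructed, shortened copy of the slides' headers, and the names `hops` and `verdicts` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: three hops and the verdict headers, shortened from the slides.
RAW = """\
Received: from BY2NAM05FT040.eopnam05.prod.protection.outlook.com
 (2a01:111:f400:7e52::201) by DM5PR19CA0018.outlook.office365.com
 (2603:10b6:3:151::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2367.21 via Frontend
 Transport; Wed, 23 Oct 2019 17:41:44 +0000
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (40.107.76.89)
 by BY2NAM05FT040.mail.protection.outlook.com (10.152.100.177) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
 id 15.20.2387.9 via Frontend Transport; Wed, 23 Oct 2019 17:41:44 +0000
Received: from BN8PR04MB5764.namprd04.prod.outlook.com
 ([fe80::995f:cf36:b84e:dfdb]) by BN8PR04MB5764.namprd04.prod.outlook.com
 ([fe80::995f:cf36:b84e:dfdb%6]) with mapi id 15.20.2347.029;
 Wed, 23 Oct 2019 17:41:40 +0000
Authentication-Results: spf=pass (sender IP is 40.107.76.89)
 smtp.mailfrom=expta.com; contoso.com; dkim=pass (signature was verified)
 header.d=expta.com; contoso.com; dmarc=pass action=none
 header.from=expta.com; compauth=pass reason=100
X-MS-Exchange-Organization-SCL: -1
"""
MSG = message_from_string(RAW)

def hops(msg):
    """Received hops oldest first: sender, receiver, TLS version, delay (s)."""
    out = []
    for raw in reversed(msg.get_all("Received", [])):  # newest hop is on top
        line = " ".join(raw.split())                   # unfold the header
        m = re.search(r"from (\S+).*? by (\S+)", line)
        src, dst = m.groups() if m else (None, None)
        tls = re.search(r"version=(\w+)", line)        # absent on the mapi hop
        when = parsedate_to_datetime(line.rpartition(";")[2].strip())
        delay = (when - out[-1]["time"]).total_seconds() if out else 0.0
        out.append({"from": src, "by": dst, "time": when, "delay": delay,
                    "tls": tls.group(1) if tls else None})
    return out

def verdicts(msg):
    """spf/dkim/dmarc/compauth results and the SCL from the stamped headers."""
    ar = " ".join(msg.get("Authentication-Results", "").split())
    res = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", ar))
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    res["scl"] = int(scl) if scl is not None else None
    return res

print(verdicts(MSG), [(h["by"], h["tls"], h["delay"]) for h in hops(MSG)])
```

Timestamps in Received headers are written by each server's own clock, so small or negative delays between hops can reflect clock skew rather than transit time.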

Anti Spam Headers

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers



Two Real World Examples

How in the world did this email get through?
  • An obviously spoofed email was received in the Inbox
Why didn’t this message come through?
  • Email from the CEO’s Gmail account went to quarantine


Header Analyzer Tools and Demos

Message Header Analyzer
  • Message Analyzer tab on ExRCA (aka.ms/mha)
  • MHA add-in for Outlook/OWA
Report Message and Office 365 Security & Compliance
  • Report Message add-in for Outlook/OWA
  • Get headers from protection.office.com > Threat management > Submissions


Recommended Reading

  • So long and thanks for all the (email) phish (Ignite 2018 session)
    https://youtu.be/6XFTDdsILZw
  • Manage deployment of Office 365 add-ins in the Microsoft 365 admin center
    https://docs.microsoft.com/en-us/office365/admin/manage-deployment-of-add-ins
  • Enable the Report Message add-in for Outlook
    https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/enable-the-report-message-add-in
  • Submit spam, phish and malware messages via the Security and Compliance Center
    https://www.michev.info/Blog/Post/2662/submit-spam-phish-and-malware-messages-via-the-security-and-compliance-center


Please evaluate this session

Your feedback is important to us!
https://aka.ms/ignite.mobileapp
https://myignite.techcommunity.microsoft.com/evaluations

Find this session in Microsoft Tech Community
