Diagnosing Email: How to forward message headers

This is actually an article from my old site, but it is useful to have here so I can point customers to it when they need me to analyze suspicious email messages.

When email goes wrong, one of the things your IT support may ask for is a copy of the full message headers. Headers are the audit trail of how the message was processed and the path it took to get from the sender to your inbox. Normally you don’t see most headers. The ones you do see are To:, From: and Date:, but there are many others contained in most email messages. Your IT support can use these headers to diagnose how the message was handled along the way.

Different mail clients handle forwarding headers in different ways. Here’s how to forward headers from some of the common client programs.

Outlook 2016

  1. Start a new message.
  2. Select Attach Item from the toolbar.
  3. Select Outlook Item.
  4. Browse to the message you are inquiring about, and select it to attach it.
  5. Send the message.

Office 365 Outlook online

  1. Open the email message by double clicking it.
  2. Click on the ellipsis (the 3 dots) to the right of “Forward” to open a drop-down menu.
  3. Click “View Message Details”.
  4. Select all the text (click anywhere in the text and then press Ctrl-A) and copy it.
  5. Close the header information window.
  6. Click on the forward icon of your message.
  7. Paste the copied text at the beginning of the message.
  8. Send the message.

A Free Boost for Your Network Security

There is a way to enhance your network security just by changing a setting in your router or computer. Quad9, a non-profit DNS provider, offers filtered DNS as a free service. But first, let me explain what DNS is.

DNS = Domain Name System

DNS is the internet system that allows computers to locate each other. When you request a web site in your browser, your computer carries on a brief conversation behind the scenes. It takes the web address you’ve asked for, reduces it to just the domain name part, and then asks DNS for the network address of that domain. For example,

You: “Browser, show me https://www.computassist.com/support!” (You make that demand by clicking a link, a bookmark, or typing the address into your browser.)
Computer: “Hey, DNS server, what’s the IP address of www.computassist.com?”
DNS server: “Computer, that address is 209.50.56.173!”
Computer: “209.50.56.173, show me your page at /support.”
You: The page appears on your screen.

Filter Me

That’s regular plain vanilla DNS. What filtered DNS does is check your request against lists of known bad sites. Quad9’s DNS filters out sites known to push malware attacks. So the above conversation would go like this:

You: “Browser, show me https://www.badsite.com/iamunaware!”
Computer: “Hey, DNS server, what’s the IP address of www.badsite.com?”
Quad9 DNS server: “Computer, that address is in my list of bad sites, so I am going to hand you a Domain Not Found result!”
Computer: “Hmm, that domain does not resolve, so I have to show the Site Not Found error.”
You: The Site Not Found page appears on your screen.
Computer: continues operating normally, having not been attacked by a malicious site.
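To make the two conversations above concrete, here is an added example (my own code, not anything from Quad9) that builds a real DNS A-record query in wire format, answers it with a simulated filtering resolver, and parses the reply. The "zone" and the blocklist are constructed stand-ins for the Internet and for Quad9's threat feeds; the address for www.computassist.com is the one used in the conversation above. The point it shows is what a "Domain Not Found" answer actually is on the wire: a response whose RCODE is 3 (NXDOMAIN) and which carries no answer records, so the computer never learns an address to connect to.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN"}

# Constructed data for the simulation: a tiny "zone" of known names and a blocklist,
# standing in for the real Internet and for Quad9's threat feeds respectively.
ZONE = {"www.computassist.com": ["209.50.56.173"]}
BLOCKLIST = {"www.badsite.com"}


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (0xC0xx). Returns (name, next_offset)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def build_query(name, qid=0x1234):
    """Standard A-record query: 12-byte header (RD set) followed by one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def build_response(query, addresses, rcode=0):
    """Answer a query: echo the question, set QR/RD/RA plus the rcode, append A records."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addresses), 0, 0)
    records = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a pointer to offset 12, i.e. "same name as the question"
        records += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + records


def parse_response(msg):
    """Pull the rcode and any A-record answers out of a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4                             # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": qid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def filtering_resolver(query):
    """Simulated Quad9-style resolver: blocklisted names get NXDOMAIN instead of an address."""
    name, _ = decode_name(query, 12)
    if name in BLOCKLIST or name not in ZONE:
        return build_response(query, [], rcode=3)
    return build_response(query, ZONE[name])


def lookup(name):
    """Client side of the conversation: returns (rcode name, list of IPv4 addresses)."""
    reply = parse_response(filtering_resolver(build_query(name)))
    return reply["rcode"], [ip for _, ip in reply["answers"]]


if __name__ == "__main__":
    for host in ("www.computassist.com", "www.badsite.com"):
        print(host, "->", lookup(host))
```

Running it prints the normal case as `('NOERROR', ['209.50.56.173'])` and the blocked case as `('NXDOMAIN', [])`. The simulated resolver is what differs from plain DNS: a real Quad9 server does the same blocklist check before answering, which is why the filtered conversation ends with a Site Not Found page rather than a connection to the malicious host.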

Changing your DNS settings

The best place to set up Quad9 DNS is in your router. This protects every device on your network that uses automatic DNS configuration (probably all of them, unless you have manually altered network settings). Every brand of router is different, so you will have to search for the steps for your particular model. You are looking for the DHCP configuration, and within that, the DNS server IP addresses that are set there. Replace whatever is there with 9.9.9.9 to begin using Quad9 DNS. The next time your devices renew their network connection, they will be using Quad9.

If you don’t have the router admin password or are locked out of the router, Quad9 provides help on how to set your individual computer to use their servers. This will only protect the device on which you make this change, so change your router instead, if possible. But if not, the Quad9 setup page will walk you through the procedure for Mac and Windows.

Modern network security is layer-upon-layer of defensive strategies. I highly recommend DNS filtering as one of those layers. This one is free and easy, so why not add this layer to improve your security?

Using Windows 7 after Jan 14th 2020

The Windows 7 operating system is reaching end of support. Microsoft will soon begin displaying a warning on your computers that still run this OS:

I strongly recommend that you replace your Windows 7 PCs. Older PCs should be recycled; newer Windows 7 PCs can be upgraded to Windows 10. But if, for whatever reason, you must keep using Windows 7, here are a few must-dos. These are good practice for anyone, but because a Windows 7 PC is a vulnerable target, they are particularly important when you are using one.

Here is the condensed version:

  • Don’t click links or open attachments in emails
  • Examine all search results very carefully before clicking
  • Run up-to-date security software that includes Internet protection

Most attacks on Windows 7 PCs will come via email or hacked web sites. So treat your inbox like a minefield, and your searches like a covert operation.

Windows 7 and Email

No matter how safe an email appears to be, you must not click any links or open any attachments until you are absolutely certain that the email is genuine. Every link and every attachment must be suspect. You cannot go by appearance — the attacks can look identical to a legitimate message from your bank, a shipping company, or a friend from your address book.

You can evaluate links, buttons and clickable images in an email by pointing at them without clicking. Most email clients will show a tool-tip or hint somewhere on screen that displays the actual content of the link. (Go ahead and try it with the links in the sidebar to the right. Remember, point, but don’t click.)

Using my bank as an example, let’s say I receive an email that tells me to check my account, with a link to First National Bank. If I then hover my mouse pointer on the link, a tip will pop up showing where the link will actually take me. If it’s genuinely First National, the link should look like this: https://fnbo.com/somepage… The fnbo.com part is the bank’s actual domain name. If the link is to anywhere else, like https://someotherplace.ru/…, you know it is a malicious email.

Windows 7 and the Web

When using a web search page, be extremely careful where you click! Don’t just look at the big bold titles of search results; just as with email links, check the URL (usually shown below the title). It should have a believable domain name in it, related to what the title shows. Be wary of links that don’t end in .com, .net or .org. They may be legitimate, but country-code domains (.ru, .cn, .br, etc.) are sometimes used for malicious purposes.

Sometimes you hear or are given a web address to visit. It may be a radio ad or billboard, or a friendly recommendation–“Hey, you should check out example.com!” When you already know where you want to go, do not type the address into a search box. This is almost guaranteed to return imposters and look-alikes. Instead, use the address bar at the very top of your browser window to enter URLs.
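The hover-and-look check for email links and the URL check for search results both come down to one question: which domain does this link actually go to, and is it the one you expect? The added example below (my own code, not part of the original posts) does that comparison in Python. The bank domain fnbo.com and the look-alike someotherplace.ru come from the text above; the other URLs are constructed. It goes a little beyond the text in two ways that matter in practice: a hostname such as fnbo.com.someotherplace.ru is treated as the .ru site it is, not as the bank, and a `user@host` prefix in a URL is ignored the way a browser ignores it, so the real hostname is what gets judged.

```python
from urllib.parse import urlparse

COMMON_TLDS = {"com", "net", "org"}


def hostname_of(url):
    """Hostname of a URL, lowercased; urlparse already drops any user@ prefix and :port."""
    return (urlparse(url).hostname or "").rstrip(".").lower()


def belongs_to(hostname, expected_domain):
    """True only if hostname is expected_domain itself or a subdomain of it.
    fnbo.com.someotherplace.ru merely starts with the bank's name and does not qualify."""
    expected_domain = expected_domain.lower()
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def tld_of(hostname):
    return hostname.rsplit(".", 1)[-1]


def is_country_code_tld(hostname):
    tld = tld_of(hostname)
    return len(tld) == 2 and tld.isalpha()


def check_link(url, expected_domain):
    """Verdict for a link you expected to go to expected_domain, as (verdict, reason)."""
    host = hostname_of(url)
    if not host:
        return "malicious", "link has no hostname"
    if belongs_to(host, expected_domain):
        return "ok", f"{host} is under {expected_domain}"
    reason = f"{host} is not {expected_domain}"
    if is_country_code_tld(host):
        reason += f" (country-code domain .{tld_of(host)})"
    return "malicious", reason


def search_result_warning(url):
    """For a search result with no expected domain: None if the TLD is a common one, else a warning."""
    host = hostname_of(url)
    if not host:
        return "result has no hostname"
    tld = tld_of(host)
    if tld in COMMON_TLDS:
        return None
    kind = "country-code" if is_country_code_tld(host) else "uncommon"
    return f"{host} uses {kind} domain .{tld}; make sure it matches the title before clicking"


if __name__ == "__main__":
    # Constructed links; the first two are what a genuine bank email would contain
    for link in ("https://fnbo.com/somepage",
                 "https://online.fnbo.com/login",
                 "https://someotherplace.ru/login",
                 "https://fnbo.com.someotherplace.ru/login",
                 "https://fnbo.com@someotherplace.ru/login"):
        print(link, "->", check_link(link, "fnbo.com"))
    for result in ("https://www.example.com/page", "https://shop.example.br/page"):
        print(result, "->", search_result_warning(result))
```

The suffix test in `belongs_to` is the part people get wrong by eye: it requires a dot immediately before the expected domain, so only real subdomains of fnbo.com pass, and anything that merely contains the bank's name elsewhere in the hostname is reported with the domain it really belongs to.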


Windows 7 and Security (AV) software

It goes without saying, but I will stress it anyway–a good security program like Bitdefender, ESET or Sophos is absolutely necessary on your Windows 7 PCs after Microsoft support ends. It must be the latest version, with an active subscription and up-to-date threat data. You need the most effective defense you can have on a vulnerable system.

The best option is still to not use Windows 7 anymore. But the real world sometimes overrules best practices for a variety of reasons. If you must keep using Windows 7, please follow these recommendations to stay as safe as you can.

Phishing – part 2

Last time we looked at the reasons one needs to distrust all email. Here we continue with two more methods you can use to make sure you don’t get phished.

Digging deeper

Email servers use standardized ways to relay and deliver mail. Every time a server acts on a message, it adds a header to the message describing what it has done. Your email client, whether it is web mail, Outlook or some other, hides most of these headers for you. If it didn’t, you would have to wade through dozens of lines of server dialog to get to the message body.

But we can use these headers to our advantage, if we believe the message may be forged, fake or malicious. Your mail app provides a way to view the headers in their entirety. The steps are different for each app, but MxToolBox provides a page describing them all. Just click on your mail app in the left column and follow the steps provided.

Once you have the headers before you, you should be able to find the To, From, Date, and Subject headers in a group near the bottom. Start from there and work your way up. Very often the next line or two will answer the question.

  • Examine the Received: headers (each one begins “Received: from …”). Are the mail servers shown in countries other than the one where the sender is located? If the last letters after the last dot are not .com, .net, or .org, they will frequently be “country codes”. These are two-letter codes that are assigned to each nation in the world, for example, “.us” – United States, “.br” – Brazil, “.cn” – China. (For a complete list, refer to the ICANNWiki page.) A message from a source somewhere in the States should not have any Received: headers with server names like mail.xyz123.ru.
  • The part of the From address after the “@” should match the business domain name. For example, all messages from ComputAssist should have “@computassist.com” as the ending of the address. If it does not, it likely did not originate here.
  • If there is a Reply-To address header, does it differ from the From address? This is a way to hijack your reply to a hidden address.
  • Still not sure? Look for headers with SPF and DKIM results. The ideal result of these validation tests is a Pass score. A safe message may not always have a pass score, but fake ones never do.
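The four checks in the list above can be run by a script once you have the full headers in front of you. The following is an added example (my own code, not from MxToolBox or the original post) that uses Python's standard `email` module to read a message, reconstruct the relay path from the Received headers in the order the message travelled, compare the From and Reply-To domains, and pick the spf= and dkim= results out of an Authentication-Results header. The message it runs on is constructed for the example; the bank domain fnbo.com and the relay name mail.xyz123.ru are the ones used in this series, and the IP addresses are documentation ranges.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample message (not a real capture). It claims to be from a bank,
# but the relay trail and the authentication results say otherwise.
SAMPLE_RAW = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.computassist.com with ESMTP id abc123;
    Sat, 11 Jan 2020 10:00:00 -0600
Received: from mail.xyz123.ru (mail.xyz123.ru [198.51.100.7])
    by mail.example.com with ESMTP id def456;
    Sat, 11 Jan 2020 09:59:00 -0600
Authentication-Results: mx.computassist.com; spf=fail smtp.mailfrom=xyz123.ru; dkim=none
From: "First National Bank" <alerts@fnbo.com>
Reply-To: collect@mail.xyz123.ru
To: someone@computassist.com
Date: Sat, 11 Jan 2020 09:59:00 -0600
Subject: Please check your account

Your account needs attention. Click the link below.
"""


def tld_of(hostname):
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def is_country_code(hostname):
    """Two-letter alphabetic top-level domains are country codes (.us, .br, .cn, .ru ...)."""
    tld = tld_of(hostname)
    return len(tld) == 2 and tld.isalpha()


def domain_of(address_header):
    """Domain part of an address header such as From or Reply-To ('' if absent)."""
    address = parseaddr(str(address_header or ""))[1]
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw):
    msg = message_from_string(raw, policy=default)

    # Each relay prepends its own Received header, so the top one is the last hop.
    # Reverse the list to read the path in the order the message travelled.
    received = [" ".join(str(v).split()) for v in msg.get_all("Received", [])]
    path = []
    for header in reversed(received):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", header)
        if m:
            path.append(m.group(1).lower())

    from_domain = domain_of(msg["From"])
    reply_to_domain = domain_of(msg["Reply-To"])
    auth_text = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    auth = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim)=(\w+)", auth_text, re.I)}

    warnings = []
    country_hosts = [h for h in path if is_country_code(h)]
    for h in country_hosts:
        warnings.append(f"relay {h} is in a country-code domain (.{tld_of(h)})")
    if reply_to_domain and reply_to_domain != from_domain:
        warnings.append(f"Reply-To goes to {reply_to_domain}, not {from_domain}")
    for check in ("spf", "dkim"):
        if auth.get(check) != "pass":
            warnings.append(f"{check} result is {auth.get(check, 'missing')}, not pass")

    return {
        "path": path,
        "country_code_hosts": country_hosts,
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "reply_to_differs": bool(reply_to_domain) and reply_to_domain != from_domain,
        "auth": auth,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_RAW)
    print("path:", " -> ".join(report["path"]))
    for line in report["warnings"]:
        print("WARNING:", line)
```

On the sample it reports the path as mail.xyz123.ru -> mail.example.com, flags the .ru relay, notes that Reply-To points at mail.xyz123.ru while From claims fnbo.com, and reports spf=fail and dkim=none. Any one of those is reason enough to treat the message as fake; seeing all four together is what a forged bank notice typically looks like once the hidden headers are visible.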

Attachments can be dangerous

One way for phishers to get you hooked is to attach a malicious file to the message. Click it, and the attack on your computer and network begins. These attacks can appear quite genuine. It might look like a bank statement, or an invoice from a supplier, complete with corporate logo and boilerplate fine print.

  • Never trust an attachment that you were not expecting.
  • Even if it appears to be familiar, such as a monthly invoice, use the other techniques here to verify the authenticity of the message first!
  • Be especially careful with Office documents which can contain code that runs on your computer when opened.

Everyone who uses email is potentially a phishing target. These techniques will go a long way in keeping you from becoming a victim.