Next to the user visible part of the mail, emails also contain a header part and a body part, normally not visible to the user. The body mainly consists of the message itself while the header contains meta informations, most of which was added by the servers that handled the email. CIRCL TR-07 already explains how to extract the headers part from the most popular email clients.
This document describes the process on how to extract the full email (including headers, body and attachment parts). The information can be used to analyze fully the email (are there any malicious files? or suspicious files attached the mails? are there any URLs?). The extracted raw messages can be reported send to a CERT like CIRCL.
The initial step strongly depends on the email client in use:
- Activate the suspicious email by single click on it. From the “View” menu of Thunderbird select “Message Source” to open a new window which contains all the raw plain-text message. A fast shortcut to archive the same result is to press the keys “CTRL” + “u” while the suspicious email is activated.
Windows Live Mail / Outlook Express
Since Windows 7, Outlook Express is replaced by Windows Live Mail which is part of the free Windows Essentials.
1a. In the Inbox right click the suspicious email and select “Properties” to open the properties window.
1b. In the properties window select the “Details” tab and their push the “Message Source” buton to open a new windows which contains all the raw plain-text message.
Microsoft Webmail Hotmail/Live/Outlook
- In the Webmail Inbox right click the suspicious email and select “View message source” to open a new window which contains all the raw plaintext message.
Google Webmail Gmail
- In the Webmail Inbox select the suspicious Email. Click the “down” arrow next to the “Reply” button and select “Show original”, to open a new window which contains all the raw plaintext message.
Copy and Paste the raw message
Mark all the raw content by pressing “CTRL” + “a” and copy it into the computers clipboard by pressing “CTRL” + “c”.
Go to the reporting form and past the clipboard with “CTRL” + “v”.
Submit the form.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.0 March 13, 2015 (TLP:WHITE)