Using message id headers to determine if an email has been forged
According to the RFCs for email, RFC 822 and RFC 2822, every email should have a message id field that: "provides a unique message identifier that refers to a particular version of a particular message. The uniqueness of the message identifier is guaranteed by the host that generates it. ... This message identifier is intended to be machine readable and not necessarily meaningful to humans. A message identifier pertains to exactly one instantiation of a particular message; subsequent revisions to the message each receive new message identifiers."
The Message-ID header can prove useful when trying to determine if an email is authentic. Although it can't always prove that a message is authentic, it can often show that a message has been forged.
Repeated Message ID
In this case, the forger, when creating a fake email, reuses the headers belonging to an earlier message. The examiner need only compare the Message-ID from the email in question to all of the other email messages in the world. Ok, probably not all of the other email messages out there. Usually just the messages on the systems in question are good enough. But finding the same message id on the "smoking gun" email and an old guacamole recipe can be used as evidence that a message was forged.
Impossible Message ID
This case is more subtle, but can be used quite effectively. Although the RFC states that the message id should be globally unique, it says nothing about how it should be constructed. Most email programs have their own format for generating the message id. For example, Apple Mail uses a Universally Unique Identifier and the sender's domain. Thunderbird, on the other hand, uses a combination of the time the message was sent, a salt, and the sender's domain.
Sample Apple Mail Message ID:
Sample Thunderbird Message ID:
If a message was purportedly sent by a certain email program but does not have a message id created by that program, it has obviously been forged. It would be like a round cookie-cutter making square holes; it just can't happen. Thus, if somebody claims that they received an authentic email, look at the message-id and the format of the headers. If the message id does not match the format for that program, the message has been forged!
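The two checks described above (a repeated Message-ID across the messages on the systems in question, and a Message-ID whose format does not match the client the headers claim generated it), as an added example that is not part of the original wiki page. The regexes for the Apple Mail (UUID@domain) and Thunderbird (hex send time, salt, domain) formats are assumed approximations and should be verified against the actual client versions in a case before being relied on; the sample message and corpus entries are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# ASSUMED Message-ID shapes, keyed by the substring of User-Agent / X-Mailer
# that names the client. Verify against the real client versions in your case.
CLIENT_PATTERNS = {
    "Apple Mail": re.compile(
        r"^<[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
        r"-[0-9A-Fa-f]{12}@(?P<domain>[^>]+)>$"),
    "Thunderbird": re.compile(r"^<[0-9A-Fa-f]{8}\.[0-9]+@(?P<domain>[^>]+)>$"),
}

def claimed_client(msg):
    """Return which known client the headers claim produced the message, or None."""
    ua = msg.get("User-Agent") or msg.get("X-Mailer") or ""
    for name in CLIENT_PATTERNS:
        if name.lower() in ua.lower():
            return name
    return None

def examine(raw, corpus_ids):
    """Return a list of findings for one raw RFC 822 message.

    corpus_ids maps Message-ID -> a label for another message already seen
    on the systems under examination (the 'repeated Message-ID' check).
    """
    msg = message_from_string(raw)
    mid = (msg.get("Message-ID") or "").strip()
    if not mid:
        return ["no Message-ID header"]
    findings = []
    if mid in corpus_ids:
        findings.append(f"repeated Message-ID: also on {corpus_ids[mid]}")
    client = claimed_client(msg)
    if client:
        m = CLIENT_PATTERNS[client].match(mid)
        if not m:
            findings.append(f"Message-ID does not match {client} format")
        else:
            # Both formats embed the sender's domain; compare it with From:.
            sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
            if sender_domain and m.group("domain").lower() != sender_domain.lower():
                findings.append("Message-ID domain differs from sender domain")
    return findings

# Constructed sample: headers claim Thunderbird, but the ID is UUID-shaped.
SAMPLE = """From: Alice <alice@example.com>
To: bob@example.com
Subject: re: contract
Message-ID: <123e4567-e89b-12d3-a456-426614174000@example.com>
User-Agent: Mozilla Thunderbird

body
"""
```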