TR-34 How to view and extract raw messages in common email clients

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.

Search


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

Overview

Next to the user visible part of the mail, emails also contain a header part and a body part, normally not visible to the user. The body mainly consists of the message itself while the header contains meta informations, most of which was added by the servers that handled the email. CIRCL TR-07 already explains how to extract the headers part from the most popular email clients.

This document describes the process on how to extract the full email (including headers, body and attachment parts). The information can be used to analyze fully the email (are there any malicious files? or suspicious files attached the mails? are there any URLs?). The extracted raw messages can be reported send to a CERT like CIRCL.

Initial step

The initial step strongly depends on the email client in use:

Mozilla Thunderbird

  1. Activate the suspicious email by single click on it. From the “View” menu of Thunderbird select “Message Source” to open a new window which contains all the raw plain-text message. A fast shortcut to archive the same result is to press the keys “CTRL” + “u” while the suspicious email is activated.

Mozilla Thunderbird Screenshot

Windows Live Mail / Outlook Express

Since Windows 7, Outlook Express is replaced by Windows Live Mail which is part of the free Windows Essentials.

1a. In the Inbox right click the suspicious email and select “Properties” to open the properties window.

Windows Live Mail

1b. In the properties window select the “Details” tab and their push the “Message Source” buton to open a new windows which contains all the raw plain-text message.

Windows Live Mail

Microsoft Webmail Hotmail/Live/Outlook

  1. In the Webmail Inbox right click the suspicious email and select “View message source” to open a new window which contains all the raw plaintext message.

Microsoft Hotmail Screenshot

Google Webmail Gmail

  1. In the Webmail Inbox select the suspicious Email. Click the “down” arrow next to the “Reply” button and select “Show original”, to open a new window which contains all the raw plaintext message.

Google Webmail Screenshot

Copy and Paste the raw message

  1. Mark all the raw content by pressing “CTRL” + “a” and copy it into the computers clipboard by pressing “CTRL” + “c”.

  2. Go to the reporting form and past the clipboard with “CTRL” + “v”.

  3. Submit the form.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 March 13, 2015 (TLP:WHITE)