News SysTools Represented MailXaminer in AISS in December 2021.

SendMail Forensics – An Approach to Analyze Bulk SendMail Account Manually

Creative Team | Modified: 2016-09-01T10:42:26+05:30|Forensics | 4 Minutes Reading

SendMail is basically a web based Mail Transfer Agent(MTA) that allows a user to send email between servers. It provides a command line support to compose and send the emails using SMTP services. The basic implementation of this email client is meant for UNIX systems. To provide support for Windows NT, a POP3 based commercial version of SendMail has been released. The user needs to write the code in PHP or PERL, which contains email information such as recipient, subject, main body of the email.

The following article will be discussing the various aspects of SendMail forensics in a simple language. It covers the various aspects that play an important role while analyzing the emails during forensic investigation.

Mechanism of SendMail Service

The email messages being sent through SendMail client undergoes many stages during email processing and transmission. A specific function is performed at each stage, which ensures the security and consistency of the message being sent. The various stages involved during the email transmission include:

1. Argument Processing & Address Passing

  • – When SendMail receives an email as input, it figures out recipient’s name & creates two files.
  • – The first file contains the message header and list of all recipients. The other one contains body of email.
  • – The SendMail performs validations and verifies local recipient to maintain data authentication.

2. Message Collection

  • -After the verification of recipients, the message is collected in two parts: message header and email body.
  • -The header field may be manipulated by the email client as some additional header fields are included in the existing header.
  • -The email body is kept intact and does not undergo any manipulation or formatting.

3. Message Delivery

  • – The SendMail maintains a send queue for all the emails that are requested to be sent.
  • – A connection is tried to be established with the destination mail server.
  • – On successful establishment of the connection, SendMail forwards the specific email message to the mail server.

SendMail Message ID

Every email being sent through SendMail is associated with a unique message id, which acts as a source of identification for each email. On studying the message id, the following parameters can be determined:


  • $t- It indicates UTC data and time in the yyyymmddhhmm format.
  • $i- It specifies a unique queue id, which is generated by using complex algorithms.
  • $j- It consist of a FQDN, which provides complete information about domain names.

Significance of Message Header

The careful examination of message header can be beneficial for performing SendMail forensics and gathering information about various parameters of the email.

The following information can be easily collected from the message header, which helps in carrying out SendMail forensics efficiently:

1. Domain Name

The domain name associated with the email can be easily tracked from the message ID. It also provides information about the local host name. So, the investigation can be started smoothly by having an idea about domain.

2. Time Stamp

Time and date play a crucial role in the forensics investigation. The time and date header fields can be analysed to cross check the accurate date and time of the email message. It also helps in checking the email consistency.

3. IP Address

The IP address is the authenticated key for every email message being sent. The investigators can easily locate the location of the sender from the time zone evaluated from the time stamp.

4. In-Reply-To

The in-reply-to field of the message contains the original email id of the recipient. This field can be checked in case of spoofing issue. This is because this field cannot be altered in any case. So, any mismatch in the field can help to identify spoofing.

5. Masquerade

This feature facilitates to rewrite the sender email field with the local domain name. So, the outgoing message does not contain any FQDN list as it hides away the details of the local domain.


With the increasing cases of cyber crimes or email frauds, the demand of cyber forensics is on the peak. Examining the emails also help to track the cyber terrorist or hackers. It is quite tedious for experts to analyze bulk emails manually. An email examiner software, MailXaminer can be used to analyse and examine the emails efficiently. It performs the batch Sendmail forensics within a few easy steps.