[Tutor] Parsing email headers

Jim jf_byrnes at comcast.net
Sun Apr 26 20:26:22 EDT 2020 

On 4/26/20 6:08 PM, DL Neil via Tutor wrote:
> On 27/04/20 9:13 AM, Jim wrote:
>> What I want to do is figure out where an email came from without 
>> actually opening it. We all get possible malicious emails. Some are 
>> obvious but some look pretty real. Many times the From line just says 
>> "Google" or "Chase", etc.  I wrote a little bare bones script that 
>> will print out the From:, Return-Path: and the Sender: names from the 
>> header.
>>
>> Right now using Thunderbird, I right-click on the email in question. 
>> Then I click Save As and give it a name. It is then saved as a .eml 
>> file. Then I give the file name to my script and see the header info.
>>
>> I worry about discarding a legitimate email or getting some type 
>> infection by opening an email to check if it is legitimate. So am I 
>> protecting myself with the above procedure or will the above procedure 
>> still subject me to risks of opening a bad email?
>>
>> Right now it is a fairly manual process. If it is worth while I would 
>> like to spend the time making it a one click process if possible.
> 
> Have you seen the PSL's imaplib — IMAP4 protocol client? With 
> appropriate coding, this would save the manual effort by enabling direct 
> access to the server.
> 
> Sadly, you may need to tangle with whatever security/encryption is used 
> by the email server.
> 
> It would give the opportunity to move msgs from INBOX to a Junk folder 
> or similar - rather than deleting any false-negatives, per your concern!

I didn't know about it. I was focused on the mail sitting in my inbox.

> OT: Yes, be aware (if you are not already) that many headers can be 
> "spoofed" and thus email can be made to come from one place/person but 
> actually originates elsewhere, eg a spammer. So, even if the header says 
> 'whitehouse.gov', it may not be true!

Yeah I understand that. I am just looking for a safe way to look behind 
the Comcast Tech Support displayed by Thunderbird and see it is from 
vadamir at someisp.ru.

> 
> Notes:
> - suggested IMAP rather than POP because you might want to [re]move 'the 
> bad stuff' but not the 'good'. This further implies that either you are 
> using IMAP with Thunderbird, or that the 'filter program' would have to 
> be run before Thunderbird is started (and Tb's regular 'Get messages' 
> function switched off.
> 
> IMAP stores msg on the server
> 
> POP downloads msgs and stores them 'in Thunderbird' on the client
> 
> PSL = Python Standard Library
> 
> 
> WebRef:
> https://docs.python.org/3.8/library/imaplib.html

I am using IMAP.

Thanks,  Jim

More information about the Tutor mailing list