Tags: email-headers, email, relay, sender-id, interchange

What does X-Sender-Id mean in email raw source (Found in phishing email)?


Somebody in my company is being subject to phishing. My first suggestion was just to change the password. However, after a while I received a fake mail from her address again.

Looking at the raw source of the email I found that there is another person's email in X-Sender-ID and I'm wondering who that might be. Is that the person who sent the email or can it be an account that has been hijacked? (I replaced the email with "somebody@host.com")

X-Virus-Scanned: OK
Received: by smtp5.relay.iad3a.emailsrvr.com (Authenticated sender: somebody-AT-host.com) with ESMTPA id DF2788019C;
    Fri, 21 Nov 2014 07:54:42 -0500 (EST)
X-Sender-Id: somebody@host.com
Received: from smtp.emailsrvr.com ([UNAVAILABLE]. [2.133.148.211])
    by 0.0.0.0:587 (trex/5.3.2);
    Fri, 21 Nov 2014 12:54:46 GMT

What is X-Sender-ID? And what is the email it contains?
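As an added example (not code from the question or the answer): a short Python script that parses the quoted headers, pulls out the X-Sender-Id value and the "Authenticated sender" identity the relay recorded in its Received line, and flags when the From: address is not the identity the relay actually authenticated. The From: line is constructed for the demo, since the question does not show it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the question, plus an invented
# From: line (the question does not show its From: header).
RAW_HEADERS = """From: Colleague <colleague@example.com>
X-Virus-Scanned: OK
Received: by smtp5.relay.iad3a.emailsrvr.com (Authenticated sender: somebody-AT-host.com) with ESMTPA id DF2788019C;
    Fri, 21 Nov 2014 07:54:42 -0500 (EST)
X-Sender-Id: somebody@host.com
Received: from smtp.emailsrvr.com ([UNAVAILABLE]. [2.133.148.211])
    by 0.0.0.0:587 (trex/5.3.2);
    Fri, 21 Nov 2014 12:54:46 GMT

(body omitted)
"""

AUTH_SENDER_RE = re.compile(r"Authenticated sender:\s*([^)\s]+)", re.IGNORECASE)


def authenticated_senders(msg):
    """Return every 'Authenticated sender' value found in Received headers,
    with the relay's obfuscated '-AT-' form normalised back to an address."""
    found = []
    for received in msg.get_all("Received", []):
        m = AUTH_SENDER_RE.search(received)
        if m:
            found.append(m.group(1).replace("-AT-", "@").lower())
    return found


def analyse(raw):
    """Compare the From: address with the identities the relay attached."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    sender_id = (msg.get("X-Sender-Id") or "").strip().lower()
    auth = authenticated_senders(msg)
    # From: is free text and can name any colleague; the identity the relay
    # authenticated (and its X-Sender-Id) is what the relay actually knows.
    relay_identities = set(auth) | ({sender_id} if sender_id else set())
    mismatch = bool(relay_identities) and from_addr not in relay_identities
    return {
        "from": from_addr,
        "x_sender_id": sender_id,
        "authenticated_senders": auth,
        "from_differs_from_authenticated_identity": mismatch,
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

A mismatch means the relay accepted credentials for a different account than the one shown in From:, which is the account to look at first.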


Solution

  • My deliberations are based on this RFC which describes the Privacy Enhancement for Emails which you are obviously using.

    Basically it says about the X-Sender-ID:

    [...] encapsulated header field, required for all privacy-enhanced messages, identifies a message's sender and provides the sender's IK identification component.

    What does this mean?

    First of all you have to check if the mail is properly signed. If that's the case you can be sure that somebody@host.com has a certificate. And you can be sure that the mail you received has been sent from this mail address.

    I can't tell you the consequences that result from this fact as I don't know how your company is deploying the certificates etc. ... the mail address/certificate could also have been hacked and thereby abused.

    I hope this helps you for your further research.