This post has been de-listed
It is no longer included in search results and normal feeds (front page, hot posts, subreddit posts, etc). It remains visible only via the author's post history.
I have an email message header that I'm trying to verify the message date on. Does anyone know if Microsoft record the message timestamp in the Message-ID in a way that be decoded into a human readable date?
Unfortunately there are no other potential timestamps in the email header, the message did not pass thru spam filters etc. The message-id in question relates to a message bounce-back due to incorrect address - I have suspicions the copy of the email I have been given has had the date fields manipulated and hope I can verify this against a timestamp encoded in the message-id.
It appears the 13-37th characters preceding the @ contain hex values. I collected a handful of test emails sent in quick succession to try and identify possible incrementing values but haven't been able to solve it.
Message-ID with untrusted date:
Message-ID: <
[PS2SPRMB0004B0677BCF8E4217020C5DD0E6A@PS2SPRMB0004.KORP216.PROD.OUTLOOK.COM
](mailto:PS2SPRMB0004B0677BCF8E4217020C5DD0E6A@PS2SPRMB0004.KORP216.PROD.OUTLOOK.COM)>
Test messages sent via Outlook with trusted dates for comparison:
Date: Sat, 2 Sep 2023 02:07:12 0000
Message-ID: <SYBP282MB23504948545FFE3EF5634A32BEEBA@SYBP282MB2350.AUSP282.PROD.OUTLOOK.COM>
Date: Sat, 2 Sep 2023 02:07:32 0000
Message-ID: <SYBP282MB23500107C35D0553DF1DA417BEEBA@SYBP282MB2350.AUSP282.PROD.OUTLOOK.COM>
Date: Sat, 2 Sep 2023 02:07:58 0000
Message-ID: <SYBP282MB235045B75BD4BCF0A57EEE84BEEBA@SYBP282MB2350.AUSP282.PROD.OUTLOOK.COM>
Date: Sat, 2 Sep 2023 02:08:20 0000
Message-ID: <SYBP282MB2350542DF29F1A7B8B060DD6BEEBA@SYBP282MB2350.AUSP282.PROD.OUTLOOK.COM>
Thanks for your input. I've also asked on r/computerforensics
Subreddit
Post Details
- Posted
- 1 year ago
- Reddit URL
- View post on reddit.com
- External URL
- reddit.com/r/AskNetsec/c...