Overview of parsed mail headers
The following is a list of all the mail headers that this script can recognise, and the information we have on it.General Mail Details
Header | Matching RegEx | Explanation |
---|---|---|
From | |^from:(.*)|mi | The From-address, the person who (allegedly) sent this e-mail. |
To | |^to:(.*)|mi | The To-address, to whom the mail was addressed. |
Subject | |^subject:(.*)|mi | The subject of the e-mail, as shown in the mailclient. |
Carbon Copy | |^cc:(.*)|mi | Carbon Copy list of e-mail addresses |
MIME Version | |^mime\-version:(.*)|mi | MIME |
Return path | |^Return\-Path:(.*)|mi | Return Path to which mails would bounce |
Reply to | |^Reply\-To:(.*)|mi | A reply to this e-mail would be sent to this address, which is not necessarily the same as the From-address. |
Originating IP | |^X\-Originating\-IP:(.*)|mi | The IP address of the computer on which the email originated. |
Originating e-mail | |^X\-Originating\-Email:(.*)|mi | Another representation of the sender of the email. Some mailers add this as a precaution against those who spoof the "From:" line. |
Delivered to | |^Delivered\-To:(.*)|mi | The account to which the e-mail was finally delivered to. |
In reply to | |^In\-Reply\-To:(.*)|mi | This e-mail message was sent as a reply to this address. |
Forwarded to | |^X\-Forwarded\-To:(.*)|mi | This message was forwarded from another account (probably automatic). |
Forwarded for | |^X\-Forwarded\-For:(.*)|mi | The account which forwarded this e-mail. |
References | |^References:(.*)|mi | |
Message ID | |^Message\-ID:(.*)|mi | A unique identifier for this e-mail (at least, in the sending MTA). |
Anti-Spam & Anti-virus (generic)
Header | Matching RegEx | Explanation |
---|---|---|
Received SPF | |^received\-spf:(.*)|mi | The received SPF record |
Authentication Results | |^Authentication\-Results:(.*)|mi | Authentication Results (usually SPF related) |
Spamcheck Version | |^X\-Spam\-Checker\-Version:(.*)|mi | X-Spam-Checker-Version: which software was used |
Spam Status | |^X\-Spam\-Status:(.*)|mi | X-Spam-Status: was this spam? |
Scanned by | |^X\-Scanned\-By:(.*)|mi | Software used to scan this message. |
Virus scanned | |^X\-Virus\-Scanned:(.*)|mi | Scanned for virusses. |
Language
Header | Matching RegEx | Explanation |
---|---|---|
Accept Language | |^Accept\-Language:(.*)|mi | Indicates the preference with regard to language. |
Content Language | |^Content\-Language:(.*)|mi | Indicates the language of the content. |
Accept Language | |^acceptlanguage:(.*)|mi | See: 'Accept-Language' |
Nucleus Mailscanner
Header | Matching RegEx | Explanation |
---|---|---|
MailScanner Information | |^X\-NUCLEUS\-MailScanner\-Information:(.*)|mi | Additional information on the MailScanner. |
Mailscanner ID | |^X\-NUCLEUS\-MailScanner\-ID:(.*)|mi | Internal ID used in MailScanner software. |
Mailscanner result | |^X\-NUCLEUS\-MailScanner:(.*)|mi | Result of the MailScanner process, whether it was spam or not. |
Mailscanner spamcheck | |^X\-NUCLEUS\-MailScanner\-SpamCheck:(.*)|mi | |
Mailscanner from | |^X\-NUCLEUS\-MailScanner\-From:(.*)|mi | From-header received by MailScanner. |
Spamscore | |^X\-NUCLEUS\-MailScanner\-SpamScore:(.*)|mi | If mail was marked as spam, this will hold the spamscore. |
Dates & Times
Header | Matching RegEx | Explanation |
---|---|---|
Date Sent | |^date:(.*)|mi | Date at which the e-mail was sent. |
Original Arrival Time | |^X\-OriginalArrivalTime:(.*)|mi | This is a time stamp placed on the message when it first passes through a Microsoft Exchange server. |
Mail Content
Header | Matching RegEx | Explanation |
---|---|---|
Content Type | |^Content\-Type:(.*)|mi | The type of content that is being sent via mail. |
Transfer Encoding | |^Content\-Transfer\-Encoding:(.*)|mi | The encoding used to send the message. |
Content class | |^Content\-class:(.*)|mi | Another MIME header, telling MIME-compliant mail programs what type of content to expect in the message. |
Content disposition | |^Content\-Disposition:(.*)|mi | How the content of the mail should be handled (inline, attachment, ...). |
Mailclient - Generic
Header | Matching RegEx | Explanation |
---|---|---|
Mailer software | |^X\-Mailer:(.*)|mi | The mailclient or mailing software used to send out the e-mail. |
User Agent | |^User\-Agent:(.*)|mi | The mailing software that the client has identified himself as. |
Mail Priority | |^X\-Priority:(.*)|mi | The priority with which this e-mail was sent. |
Sender | |^X\-Sender:(.*)|mi | A custom header, to show the real sender e-mail address. |
Microsoft Mail Priority | |^X\-Msmail\-Priority:(.*)|mi | The priority as entered in Microsoft Mail. |
User Agent | |^X\-User\-Agent:(.*)|mi | User Agent used to send the e-mail. |
Mailclient - Outlook (Express), Windows Mail
Header | Matching RegEx | Explanation |
---|---|---|
Mime OLE | |^X\-MimeOLE:(.*)|mi | Mime OLE software used by the sender. |
Thread index | |^Thread\-Index:(.*)|mi | Is used for associating multiple messages to a similar thread. For example, in Outlook the conversation view would use this information to find messages in one conversation thread. |
TNEF Correlator | |^X\-MS\-TNEF\-Correlator:(.*)|mi | The Transport Neutral Encapsulation Format is Microsoft Exchange/Outlook specific, used when sending messages formatted as Rich Text Format (RTF). |
Has attachment | |^X\-MS\-Has\-Attach:(.*)|mi | Informs that the client is ready to send attachments and it also informs whether or not the e-mail contains any attachments. If the e-mail contains attachments the information header X-MS-Has-Attach: will say "yes" after colon. |
Thread topic | |^Thread\-Topic:(.*)|mi | Usually the original subject, used as the readable version of Thread-Index. |
Campaign Commander
Header | Matching RegEx | Explanation |
---|---|---|
E-mail Platform | |^X\-EMV\-Platform:(.*)|mi | Which e-mail platform was used to send this e-mail. |
Campagne ID | |^X\-EMV\-CampagneId:(.*)|mi | The internal ID used for this campagne. |
Member ID | |^X\-EMV\-MemberId:(.*)|mi | The memberID as used by the campagne software. |
Unsubscribe | |^List\-Unsubscribe:(.*)|mi | Usually contains the URL used to unsubscribe to the mailing list. |
SpamAssassin
Header | Matching RegEx | Explanation |
---|---|---|
Spam flag | |^X\-Spam\-Flag:(.*)|mi | If the mail was marked as spam or not. |
Spam status | |^X\-Spam\-Status:(.*)|mi | If the mail was marked as spam or not. |
Spam report | |^X\-Spam\-Report:(.*)|mi | The report of the SpamAssassin scanning process. |
Spam level | |^X\-Spam\-Level:(.*)|mi | The score that was assigned to this message. A higher score, means more likely to be spam. |
Spam Score | |^X\-Spam\-Score:(.*)|mi | The spam score assigned to this e-mail, by the filtering software. |
SnertSoft smtpf - BarricadeMX
Header | Matching RegEx | Explanation |
---|---|---|
BarricadeMX report | |^X\-smtpf\-Report:(.*)|mi | Report header by BarricadeMX/smtpf. |
j-chkmail
Header | Matching RegEx | Explanation |
---|---|---|
Mail Score | |^X\-j\-chkmail\-Score:(.*)|mi | The score that was assigned to the e-mail, based on patterns. |
Mail Status | |^X\-j\-chkmail\-Status:(.*)|mi | Whether it was spam or ham. |
Envelopped Sender | |^X\-j\-chkmail\-Enveloppe:(.*)|mi | The enveloppe sender found in the mail. |
Miltered | |^X\-Miltered:(.*)|mi | Where this e-mail was miltered by. |
Cisco Ironport
Header | Matching RegEx | Explanation |
---|---|---|
IronPort Filtered | |^X\-IronPort\-Anti\-Spam\-Filtered:(.*)|mi | This mail has been filtered via a Cisco Ironport. |
IronPort Spam Result | |^X\-IronPort\-Anti\-Spam\-Result:(.*)|mi | Result after a mail filter via Cisco Ironport. |