Overview of parsed mail headers
The following is a list of all the mail headers that this script can recognise, and the information we have on each.

General Mail Details

| Header | Matching RegEx | Explanation |
|---|---|---|
| From | `\|^from: (.*)\|mi` | The From-address, the person who (allegedly) sent this e-mail. |
| To | `\|^to: (.*)\|mi` | The To-address, to whom the mail was addressed. |
| Subject | `\|^subject: (.*)\|mi` | The subject of the e-mail, as shown in the mailclient. |
| Carbon Copy | `\|^cc: (.*)\|mi` | Carbon Copy list of e-mail addresses. |
| MIME Version | `\|^mime\-version: (.*)\|mi` | MIME |
| Return path | `\|^Return\-Path: (.*)\|mi` | Return Path to which mails would bounce. |
| Reply to | `\|^Reply\-To: (.*)\|mi` | A reply to this e-mail would be sent to this address, which is not necessarily the same as the From-address. |
| Originating IP | `\|^X\-Originating\-IP: (.*)\|mi` | The IP address of the computer on which the email originated. |
| Originating e-mail | `\|^X\-Originating\-Email: (.*)\|mi` | Another representation of the sender of the email. Some mailers add this as a precaution against those who spoof the "From:" line. |
| Delivered to | `\|^Delivered\-To: (.*)\|mi` | The account to which the e-mail was finally delivered. |
| In reply to | `\|^In\-Reply\-To: (.*)\|mi` | This e-mail message was sent as a reply to this address. |
| Forwarded to | `\|^X\-Forwarded\-To: (.*)\|mi` | This message was forwarded from another account (probably automatic). |
| Forwarded for | `\|^X\-Forwarded\-For: (.*)\|mi` | The account which forwarded this e-mail. |
| References | `\|^References: (.*)\|mi` | |
| Message ID | `\|^Message\-ID: (.*)\|mi` | A unique identifier for this e-mail (at least, in the sending MTA). |

Anti-Spam & Anti-virus (generic)

| Header | Matching RegEx | Explanation |
|---|---|---|
| Received SPF | `\|^received\-spf: (.*)\|mi` | The received SPF record |
| Authentication Results | `\|^Authentication\-Results: (.*)\|mi` | Authentication Results (usually SPF related) |
| Spamcheck Version | `\|^X\-Spam\-Checker\-Version: (.*)\|mi` | X-Spam-Checker-Version: which software was used |
| Spam Status | `\|^X\-Spam\-Status: (.*)\|mi` | X-Spam-Status: was this spam? |
| Scanned by | `\|^X\-Scanned\-By: (.*)\|mi` | Software used to scan this message. |
| Virus scanned | `\|^X\-Virus\-Scanned: (.*)\|mi` | Scanned for viruses. |

Language

| Header | Matching RegEx | Explanation |
|---|---|---|
| Accept Language | `\|^Accept\-Language: (.*)\|mi` | Indicates the preference with regard to language. |
| Content Language | `\|^Content\-Language: (.*)\|mi` | Indicates the language of the content. |
| Accept Language | `\|^acceptlanguage: (.*)\|mi` | See: 'Accept-Language' |

Nucleus Mailscanner

| Header | Matching RegEx | Explanation |
|---|---|---|
| MailScanner Information | `\|^X\-NUCLEUS\-MailScanner\-Information: (.*)\|mi` | Additional information on the MailScanner. |
| Mailscanner ID | `\|^X\-NUCLEUS\-MailScanner\-ID: (.*)\|mi` | Internal ID used in MailScanner software. |
| Mailscanner result | `\|^X\-NUCLEUS\-MailScanner: (.*)\|mi` | Result of the MailScanner process, whether it was spam or not. |
| Mailscanner spamcheck | `\|^X\-NUCLEUS\-MailScanner\-SpamCheck: (.*)\|mi` | |
| Mailscanner from | `\|^X\-NUCLEUS\-MailScanner\-From: (.*)\|mi` | From-header received by MailScanner. |
| Spamscore | `\|^X\-NUCLEUS\-MailScanner\-SpamScore: (.*)\|mi` | If mail was marked as spam, this will hold the spamscore. |

Dates & Times

| Header | Matching RegEx | Explanation |
|---|---|---|
| Date Sent | `\|^date: (.*)\|mi` | Date at which the e-mail was sent. |
| Original Arrival Time | `\|^X\-OriginalArrivalTime: (.*)\|mi` | This is a time stamp placed on the message when it first passes through a Microsoft Exchange server. |

Mail Content

| Header | Matching RegEx | Explanation |
|---|---|---|
| Content Type | `\|^Content\-Type: (.*)\|mi` | The type of content that is being sent via mail. |
| Transfer Encoding | `\|^Content\-Transfer\-Encoding: (.*)\|mi` | The encoding used to send the message. |
| Content class | `\|^Content\-class: (.*)\|mi` | Another MIME header, telling MIME-compliant mail programs what type of content to expect in the message. |
| Content disposition | `\|^Content\-Disposition: (.*)\|mi` | How the content of the mail should be handled (inline, attachment, ...). |

Mailclient - Generic

| Header | Matching RegEx | Explanation |
|---|---|---|
| Mailer software | `\|^X\-Mailer: (.*)\|mi` | The mailclient or mailing software used to send out the e-mail. |
| User Agent | `\|^User\-Agent: (.*)\|mi` | The mailing software that the client has identified itself as. |
| Mail Priority | `\|^X\-Priority: (.*)\|mi` | The priority with which this e-mail was sent. |
| Sender | `\|^X\-Sender: (.*)\|mi` | A custom header, to show the real sender e-mail address. |
| Microsoft Mail Priority | `\|^X\-Msmail\-Priority: (.*)\|mi` | The priority as entered in Microsoft Mail. |
| User Agent | `\|^X\-User\-Agent: (.*)\|mi` | User Agent used to send the e-mail. |

Mailclient - Outlook (Express), Windows Mail

| Header | Matching RegEx | Explanation |
|---|---|---|
| Mime OLE | `\|^X\-MimeOLE: (.*)\|mi` | Mime OLE software used by the sender. |
| Thread index | `\|^Thread\-Index: (.*)\|mi` | Is used for associating multiple messages to a similar thread. For example, in Outlook the conversation view would use this information to find messages in one conversation thread. |
| TNEF Correlator | `\|^X\-MS\-TNEF\-Correlator: (.*)\|mi` | The Transport Neutral Encapsulation Format is Microsoft Exchange/Outlook specific, used when sending messages formatted as Rich Text Format (RTF). |
| Has attachment | `\|^X\-MS\-Has\-Attach: (.*)\|mi` | Indicates that the client is ready to send attachments and whether or not the e-mail contains any attachments. If the e-mail contains attachments, the X-MS-Has-Attach: header will say "yes" after the colon. |
| Thread topic | `\|^Thread\-Topic: (.*)\|mi` | Usually the original subject, used as the readable version of Thread-Index. |

Campaign Commander

| Header | Matching RegEx | Explanation |
|---|---|---|
| E-mail Platform | `\|^X\-EMV\-Platform: (.*)\|mi` | Which e-mail platform was used to send this e-mail. |
| Campaign ID | `\|^X\-EMV\-CampagneId: (.*)\|mi` | The internal ID used for this campaign. |
| Member ID | `\|^X\-EMV\-MemberId: (.*)\|mi` | The memberID as used by the campaign software. |
| Unsubscribe | `\|^List\-Unsubscribe: (.*)\|mi` | Usually contains the URL used to unsubscribe from the mailing list. |

SpamAssassin

| Header | Matching RegEx | Explanation |
|---|---|---|
| Spam flag | `\|^X\-Spam\-Flag: (.*)\|mi` | If the mail was marked as spam or not. |
| Spam status | `\|^X\-Spam\-Status: (.*)\|mi` | If the mail was marked as spam or not. |
| Spam report | `\|^X\-Spam\-Report: (.*)\|mi` | The report of the SpamAssassin scanning process. |
| Spam level | `\|^X\-Spam\-Level: (.*)\|mi` | The score that was assigned to this message. A higher score means more likely to be spam. |
| Spam Score | `\|^X\-Spam\-Score: (.*)\|mi` | The spam score assigned to this e-mail, by the filtering software. |

SnertSoft smtpf - BarricadeMX

| Header | Matching RegEx | Explanation |
|---|---|---|
| BarricadeMX report | `\|^X\-smtpf\-Report: (.*)\|mi` | Report header by BarricadeMX/smtpf. |

j-chkmail

| Header | Matching RegEx | Explanation |
|---|---|---|
| Mail Score | `\|^X\-j\-chkmail\-Score: (.*)\|mi` | The score that was assigned to the e-mail, based on patterns. |
| Mail Status | `\|^X\-j\-chkmail\-Status: (.*)\|mi` | Whether it was spam or ham. |
| Envelope Sender | `\|^X\-j\-chkmail\-Enveloppe: (.*)\|mi` | The envelope sender found in the mail. |
| Miltered | `\|^X\-Miltered: (.*)\|mi` | Which system this e-mail was miltered by. |
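
The patterns in the tables above carry the `m` flag, so `^` matches at the start of every line of whatever text they are run against, and `(.*)` stops at the end of that line. The following Python sketch is an added example, not the script's own code: it applies four of the listed patterns (rewritten for Python's `re` module) to a constructed message, once on the raw text and once on the unfolded header block only; the function names and the sample message are assumptions.

```python
import re

# A few patterns from the tables above, written for Python's re module.
# The page's trailing "mi" flags correspond to re.MULTILINE | re.IGNORECASE.
FLAGS = re.MULTILINE | re.IGNORECASE
PATTERNS = {
    "From": re.compile(r"^from: (.*)", FLAGS),
    "Authentication Results": re.compile(r"^Authentication\-Results: (.*)", FLAGS),
    "Spam Status": re.compile(r"^X\-Spam\-Status: (.*)", FLAGS),
    "Originating IP": re.compile(r"^X\-Originating\-IP: (.*)", FLAGS),
}

def header_block(raw):
    """Return only the header section, with folded lines joined (RFC 5322)."""
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]        # headers end at the first empty line
    return re.sub(r"\n[ \t]+", " ", head)  # leading space/tab continues the previous header

def extract(text):
    """Apply every pattern; return {label: [all captured values]}."""
    found = {}
    for label, rx in PATTERNS.items():
        values = [v.strip() for v in rx.findall(text)]
        if values:
            found[label] = values
    return found

# Constructed sample message (example.* names and the IP addresses are documentation values).
SAMPLE = (
    "From: Alice <alice@example.org>\r\n"
    "Authentication-Results: mx.example.net;\r\n"
    "\tspf=fail smtp.mailfrom=example.org\r\n"
    "X-Spam-Status: No, score=1.2 required=5.0\r\n"
    "\ttests=HTML_MESSAGE\r\n"
    "X-Originating-IP: [192.0.2.10]\r\n"
    "Subject: invoice\r\n"
    "\r\n"
    "Quoted text follows:\r\n"
    "From: ceo@example.com\r\n"
    "X-Originating-IP: [198.51.100.7]\r\n"
)

naive = extract(SAMPLE)                  # patterns run over the whole raw message
careful = extract(header_block(SAMPLE))  # headers only, continuation lines joined

if __name__ == "__main__":
    for label in PATTERNS:
        print(label, "| raw:", naive.get(label), "| headers only:", careful.get(label))
```

On the raw text, the folded `Authentication-Results` value is cut before the `spf=fail` result, and the `From:` and `X-Originating-IP:` lines quoted in the body are reported alongside the real headers.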