What does X-Sender-Id mean in email raw source (Found in phishing email)?

Question

Somebody in my company is being subject to phishing. My first suggestion was just to change the password. However after awhile I received a fake mail from her address again.

Looking at the raw source of the email I found that there is another person's email in X-Sender-ID and I'm wondering who that might be. Is that the person who sent the email or can it be an account that has been hijacked? (I replaced the email with "somebody@host.com")

X-Virus-Scanned: OK
Received: by smtp5.relay.iad3a.emailsrvr.com (Authenticated sender: somebody-AT-host.com) with ESMTPA id DF2788019C;
    Fri, 21 Nov 2014 07:54:42 -0500 (EST)
X-Sender-Id: somebody@host.com
Received: from smtp.emailsrvr.com ([UNAVAILABLE]. [2.133.148.211])
    by 0.0.0.0:587 (trex/5.3.2);
    Fri, 21 Nov 2014 12:54:46 GMT

What is X-Sender-ID? And what is the email it contains?

Answer 1

My deliberations are based on this RFC which describes the Privacy Enhancement for Emails which you are obviously using.

Basically it says about the X-Sender-ID:

[...] encapsulated header field, required for all privacy-enhanced messages, identifies a message's sender and provides the sender's IK identification component.

What does this mean?

First of all you have to check if the mail is properly signed. If thats the case you can be sure that somebody@host.com has a certificate. And you can be sure that the mail you received has been sent from this mail address.

I can't tell you the consequences which result out of this fact as I don't know how your company is deploying the certificates etc. ... the mail address/certificate could also have been hacked and thereby abused.

I hope this helps you for your further research.

Answer 2

While @LMF's answer is useful technical information, I'd like to offer a possible alternative explanation.

Spammers who are not familiar with e-mail (and PHP programmers with no other malicious intent) tend to succumb to cargo cult programming when it comes to email headers. In other words, if there is something they don't understand, they might think it does something useful, and include it in their message template.

Without knowledge about your email infrastructure, or other messages of yours to compare to, I would simply assume everything below the top-most Received: header is forged, and basically without meaning.

If you have a system which runs something called trex (maybe this one?) and it really manages to write a Received: header like that, I might be wrong. The format needlessly deviates from the de-facto standard Sendmail template in a few places, but it's not technically wrong (the format is basically free-form, but introducing ad-hoc syntax makes it harder to guess what the fields mean).

Again, more information about what your typical email (and your correspondent's typical mail) looks like, this is heavy on speculation.

Answer 3

The x-sender-id, along with the x-recipient-id are used to specify which interchange key was used in the broadcast of the message.

X-Sender-ID entity_id : issuing_authority : version
X-Recipient-ID entity_id : issuing_authority : version

1. The first field contains the identity of the sender or receiver. The first field is mandatory, must be unique, and must be formatted as user@host whereas the host is a fully qualified host address.

2. The second identifies the name of the authority which issued the interchange key.

3. The third field specifies the specific type of interchange key which was used. This is represented by an alphanumeric string defined by the issuing authority to label and organize the numerous interchange keys issued by that authority. It is recommmended that they use a timestamp but is not always the case.

If the field values of the x-sender-id second and third field are identical to that of the x-recipient-id they may be only listed in the field which is defined last.

---

Further Reading

• "Distributed Computing & Cryptography: Proceedings of a DIMACS Workshop"