RE: message-id formatting Mar 30 2007 07:02AM
Glenn Dardick (gdardick dardick net)

My apologies, I thought I had sent out the following to the list, but it
only went to Santiago.

It is a summary of what we found. Also, the links were
very informative, as were the Wiki entries on UUIDs and GUIDs.



Thanks Santiago (and Scott Talkovic, Chuck Swiger, and everyone else)

It's interesting. The examples of the webmail server-created
message-id's that you (Santiago) sent use a time based version 1 UUID,
whereas the Mac client-created message-id's use a random based version 4

This question originated because of two emails with suspect
message-id's. None of the messages were recorded in the mail logs of the
receiving email server, but were nonetheless in the user's IMAP email

However, one of the two message-id's did appear previously in the
receiving email server's log files. All UUID's are supposed to be

It would appear that the message-id in the email headers for one of the
bogus emails was copied from a previous email and the second was either
user generated ( or copied.
Since the emails do not show up in the receiving email server's logs, it
would further appear that they were placed by the user into the IMAP
inbox folder.


-----Original Message-----
From: Santiago Barahona [mailto:sant-bar (at) (dot) se]
Sent: Tuesday, March 20, 2007 4:26 AM
To: Glenn Dardick
Subject: Re: message-id formatting

Take a look:

These IDs are generated by the webmail servers,

27945F5D-0111-1000-A5C1-5D2B1F2782EA-Webmail-10022 (at) mac (dot) com
E08DEE5D-0111-1000-AEAD-1D90B73E1CC1-Webmail-10009 (at) mac (dot) com
E08DEE5D-0111-1000-AEB5-1D90B73E1CC1-Webmail-10009 (at) mac (dot) com
E08DEE5D-0111-1000-AEBC-1D90B73E1CC1-Webmail-10009 (at) mac (dot) com
E08DEE5D-0111-1000-AEB9-1D90B73E1CC1-Webmail-10009 (at) mac (dot) com
E08DEE5D-0111-1000-AEBF-1D90B73E1CC1-Webmail-10009 (at) mac (dot) com
E08DEE5D-0111-1000-AEC2-1D90B73E1CC1-Webmail-10009 (at) mac (dot) com
CFBAAF5C-0111-1000-B048-7E750C8E852F-Webmail-10016 (at) mac (dot) com
CFBAAF5C-0111-1000-B04B-7E750C8E852F-Webmail-10016 (at) mac (dot) com
CFBAAF5C-0111-1000-B04E-7E750C8E852F-Webmail-10016 (at) mac (dot) com
CFBAAF5C-0111-1000-B056-7E750C8E852F-Webmail-10016 (at) mac (dot) com
CFBAAF5C-0111-1000-B04E-7E750C8E852F-Webmail-10016 (at) mac (dot) com
F30B185C-0111-1000-B0C3-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B0E9-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B0EC-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B0EF-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B0F2-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B109-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B10E-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B118-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B11F-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B127-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B137-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B13F-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B143-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B145-2E7CE27455B3-Webmail-10020 (at) mac (dot) com
F30B185C-0111-1000-B14F-2E7CE27455B3-Webmail-10020 (at) mac (dot) com

These by the client:

5B2DCFA0-DE9E-4D2D-8E83-4F75AC6A6FB4 (at) mac (dot) com
6AA2C198-48A8-4C9D-9D76-5C2F58A9DB08 (at) mac (dot) com
B35E3779-C18D-4320-B171-6C7E4BBE5974 (at) mac (dot) com
B7780243-9BE2-4D22-969C-6E9C77776792 (at) mac (dot) com
C996B503-4286-414B-A1AF-369966A5918A (at) mac (dot) com
EAE7F921-CE33-41AD-A40B-9A20D3313DBA (at) mac (dot) com
74DA4FAE-F23A-4893-9C13-84A844B6321F (at) mac (dot) com
EE0A30F3-A95B-4145-9BA9-1213B00A7759 (at) mac (dot) com
652A524B-7DFC-4BCD-A97D-6051907C0CF6 (at) mac (dot) com
7EE3F3BC-45A8-46EA-A48E-B2138BEAEC8F (at) mac (dot) com
2AA5693C-0E45-4FB6-A99F-B4659A2AD6F6 (at) mac (dot) com

which seem to fit the description of rfc2822 or rfc 2352?
this seems to follow the absolute date and time and content id hash
don't you think?


On 19 Mar 07, at 23:47, Glenn Dardick wrote:

I believe the second one may be spoofed - not the first.


-----Original Message-----
From: Santiago Barahona [mailto:sant-bar (at) (dot) se]
Sent: Monday, March 19, 2007 4:42 PM
To: Glenn Dardick
Cc: forensics (at) securityfocus (dot) com
Subject: Re: message-id formatting

It is weird... indeed they use alpha-numeric account names but as
far as I know they are limited to 12 or 16 characters... (I'll check
it and come back to you with that)...

are you sure it is not a spoofed ""??

On 16 Mar 07, at 07:14, gdardick (at) dardick (dot) net wrote:

I am trying to find the format of message-ids. The following
are examples of message-id's received in emails from

F39DF6D4-4C64-4C78-91E1-EB9EF83F492A (at) MAC (dot) COM
11DF7440-1BAC-4E05-9A6D-5F13C3DA7A53 (at) MAC (dot) COM

Any ideas?
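
The two checks from the summary at the top of this thread (which UUID version a Message-ID carries, and whether a suspect Message-ID was already recorded in the receiving server's log), as an added example that is not part of the original messages. The Postfix-style `message-id=<...>` log format, the `SUSPECT` value and the function names are assumptions made for illustration.

```python
import re
import uuid

# Local part: a UUID, an optional "-suffix" (e.g. "-Webmail-10022"), then @domain.
MSGID_RE = re.compile(
    r"<?(?P<uuid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"
    r"(?:-(?P<suffix>[^@>]+))?@(?P<domain>[^>\s]+)>?$"
)

def classify(msgid):
    """Split a UUID-style Message-ID and report the UUID version nibble."""
    m = MSGID_RE.match(msgid.strip())
    if m is None:
        return None  # not UUID-shaped at all
    u = uuid.UUID(m["uuid"])
    return {
        "uuid": str(u).upper(),
        "version": u.version,  # None when the variant bits are not RFC 4122
        "suffix": m["suffix"],
        "domain": m["domain"].lower(),
    }

def seen_in_log(suspect_ids, log_lines):
    """Map each suspect Message-ID to the log lines that already recorded it."""
    hits = {}
    for line in log_lines:
        for logged in re.findall(r"message-id=<([^>]+)>", line, flags=re.I):
            for s in suspect_ids:
                if s.strip("<> ").lower() == logged.lower():
                    hits.setdefault(s, []).append(line)
    return hits

# Two Message-IDs quoted in the thread, with the archive's "(at)/(dot)" undone.
WEBMAIL = "27945F5D-0111-1000-A5C1-5D2B1F2782EA-Webmail-10022@mac.com"
CLIENT = "5B2DCFA0-DE9E-4D2D-8E83-4F75AC6A6FB4@mac.com"
# Constructed values: a made-up Message-ID and made-up Postfix-style log lines.
SUSPECT = "00000000-0000-4000-8000-00000000ABCD@example.com"
LOG = [
    "Mar 10 09:15:02 mx1 postfix/cleanup[2211]: 4F1A2B3C: "
    "message-id=<00000000-0000-4000-8000-00000000abcd@example.com>",
    "Mar 12 11:40:17 mx1 postfix/cleanup[2290]: 7D9E0F11: "
    "message-id=<11111111-1111-4111-8111-111111111111@example.com>",
]

if __name__ == "__main__":
    for mid in (WEBMAIL, CLIENT):
        print(mid, "->", classify(mid))
    print("already logged:", seen_in_log([SUSPECT, CLIENT], LOG))
```

A Message-ID that matches an earlier log entry, on a message the server never logged as delivered, is the pattern the summary describes.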

