SMTP/POP3/IMAP - Learn Tech From Zero

4.8 Interpret the fields in protocol headers as related to intrusion analysis

Purpose:
SMTP is used to send emails from a client (like Outlook, Thunderbird) to a mail server or between mail servers. It is outgoing mail only.
Port Numbers:
- Default: 25 (server-to-server communication)
- Secure (with TLS/SSL): 587 (submission from client to server)
- Sometimes 465 (deprecated, SSL)
How SMTP Works:
1. Client connects to the mail server.
2. Client sends commands to initiate the email (like HELO, MAIL FROM, RCPT TO, DATA).
3. Server responds with numeric SMTP response codes (e.g., 250 = OK, 550 = mailbox unavailable).
4. Message is transmitted, and connection is closed.
SMTP Header Fields:
While SMTP is a text-based protocol, it still has headers that are useful for intrusion analysis: FieldDescriptionExampleMAIL FROM:Sender email addressMAIL FROM:<alice@example.com>RCPT TO:Recipient email addressRCPT TO:<bob@example.com>DATAStart of the email contentEmail body begins after DATASubject:Email subject lineSubject: Security UpdateDate:Timestamp of the emailDate: Mon, 15 Mar 2026 14:00:00 +0000
- Why important for intrusion analysis:
  - Detect spoofed senders (MAIL FROM)
  - Identify unusual or malicious subjects
  - Track email timestamps to spot suspicious spikes in traffic

Purpose:
POP3 is used to download emails from the mail server to the client. After downloading, emails are usually deleted from the server (unless configured to leave a copy).
Port Numbers:
- Default: 110 (non-secure)
- Secure (POP3S): 995 (SSL/TLS)
How POP3 Works:
1. Client connects to the server.
2. Authentication occurs (USER and PASS commands).
3. Emails are listed (LIST) and retrieved (RETR).
4. Emails can be deleted (DELE).
5. Connection ends (QUIT).
POP3 Header Fields:
POP3 itself mostly transmits commands and responses, but when you look at the email messages it retrieves, you can see the same headers as SMTP emails: From, To, Subject, Date, etc.
Why important for intrusion analysis:
- Check for unusual email access patterns
- Detect unauthorized login attempts
- Monitor for mass email downloads (possible data exfiltration)

Purpose:
IMAP is used to access emails on the server without downloading them permanently. This allows multiple devices to sync emails and folders.
Port Numbers:
- Default: 143 (non-secure)
- Secure (IMAPS): 993 (SSL/TLS)
How IMAP Works:
1. Client connects to the server.
2. Authentication (LOGIN command).
3. Client can list folders (LIST) and messages (FETCH).
4. Changes are synchronized (read/unread, move, delete).
5. Connection ends (LOGOUT).
IMAP Header Fields:
IMAP doesn’t modify the email headers but fetches messages containing: FieldDescriptionFrom:Sender of the emailTo:RecipientSubject:Email subjectDate:TimestampFlags:Seen, Answered, Deleted, etc.
Why important for intrusion analysis:
- Detect unauthorized folder access
- Track emails flagged as read/deleted remotely
- Monitor for suspicious IMAP commands indicating malware or scripts accessing emails

When performing intrusion analysis, knowing SMTP, POP3, and IMAP headers and commands helps you detect:

Phishing or spoofed emails – by checking MAIL FROM vs. From: header.
Unauthorized logins – unusual POP3 or IMAP logins, failed authentication attempts.
Malware communication – attackers sometimes use email for command-and-control messages.
Data exfiltration – mass downloads via POP3 or IMAP can indicate sensitive data theft.
Anomalous patterns – sudden spikes in email sending (SMTP) or fetching (POP3/IMAP).

Remember ports:
- SMTP: 25, 587 (TLS)
- POP3: 110, 995 (SSL)
- IMAP: 143, 993 (SSL)
Know commands and responses:
- SMTP: HELO, MAIL FROM, RCPT TO, DATA, QUIT
- POP3: USER, PASS, LIST, RETR, DELE, QUIT
- IMAP: LOGIN, LIST, FETCH, LOGOUT
Focus on headers for analysis: From, To, Subject, Date, Flags
Recognize anomalies: sudden spikes, unusual addresses, unknown ports, or repeated failed logins.