Hidden Timestamps

technoviking · November 10, 2020, 11:51pm

I have read the very nice article on hidden timestamps in emails.

Do all mime type delimiters have timestamps, andis this a format that anyone has come across?
Content-type: multipart/mixed;
boundary="B_nnnnnnnnnn_nnnnnnnnn

(n = a number)

Additionally, do hotmail.com message-id’s have a time stamp within eg:
Message-ID: 72771B44-7CEC-1B0A-6CB7-0BC83BC8AE23@hotmail.com

agungor · November 11, 2020, 6:47pm

Hi there!

Not all MIME boundaries contain timestamps. According to RFC 2046, a boundary delimiter line can be as simple as this:

---

with a closing boundary delimiter line of:

-----

Or something like:

--foo

and to close:

--foo--

The example you posted doesn’t ring any bells. Hopefully, someone else from the community can place it.

In some cases, even if the boundary delimiter was based on a timestamp, it may not be trivial to decode it. For instance, I have seen implementations where the software takes the current time and then hashes it before using it as the boundary.

The local part of that message ID lines up with a GUID. So, my guess is that it does not represent a timestamp. To confirm, I would recommend finding a number of those and observing how they change. If the digits change rapidly and randomly, it is unlikely that there is a timestamp there that you can decode. If you see some repeating patterns, there is hope

technoviking · November 16, 2020, 10:01pm

Here is a test example, this boundary has been extracted from an email in the sent folder of outlook for mac configured with outlook.com and this is what I have been looking at to see if I can figure out if sent emails in the sent folder in this setup have been edited after the fact.

Content-type: multipart/mixed;
boundary="B_3688397425_1859074706 it looks like the first section is a HFS timestamp, and seems to correspond with when the email was received / edited in the sent folder on the current machine (Today) but not when actually sent, not sure how useful this actually is, eg if Outlook was installed today but the email was sent last year this is going to be todays date even if not edited I think.

If this correct, does this shed any light on what the second part may be?

agungor · November 17, 2020, 11:57pm

Thanks for the sample. This first part does look like an HFS+ timestamp and decodes to November 16, 2020 6:50:25 PM (UTC). If this matches when that email was created in its current form, I would test it on a few more messages and add it to the list of data points you can consider going forward. I do not have any thoughts on what, if anything useful, the second part of the boundary might represent. If you have multiple messages, seeing additional examples might be helpful.

The MIME boundaries would typically be created when the email is composed and prepared for submission. So, the timestamps you decode from these MIME boundaries should not show you the time when Outlook was installed. It is important to look at the raw MIME messages to rule out any changes made to the messages due to conversions.

Also, the fact that you are observing these emails within Outlook in the “Sent Items” folder does not necessarily mean that they were created by Outlook. They might have been created by another email client and synced to the “Sent Items” folder. On my end, Outlook for Mac does not create boundaries that look like your example.

technoviking · November 18, 2020, 12:15pm

Thank you hfs does correspond to the time either sent from outlook or downloaded to outlook:
More test examples
Sent last couple of days
Content-type: multipart/alternative
boundary="B_3688397425_1859074706

Content-type: multipart/alternative;
boundary=“B_3688402415_1246447836”

The below email was sent 2017 but outlook connected only connected to the mailbox this week hence the recent hfs timestamp.

Content-type: multipart/alternative;
boundary="B_3688402415_1246447836

the same email edited the same day to see what would change

Content-type: multipart/alternative;
boundary=“B_3688403136_2015488137”

This is the message id of that same message, are there any time stamps in there, I cant see any so far.
Message-ID: “DB6PR1001MB10324A42C4B6C7D6C817E571A65A0@DB6PR1001MB1032.EURPRD10.PROD.OUTLOOK.COM”

technoviking · November 30, 2020, 4:35pm

Is the above also likely only a GUID rather than having any timestamp?

technoviking · February 7, 2021, 12:30pm

Further to this, it would appear that these boundaries are created on submission of email, and are edited when saved outside of outlook on that date saved.

Question, are the boundary formats in the sent items of the client, identical to what would then appears in the sent items on the actual server outlook.com for example?