MBOX stands for Mailbox, a file format that holds a collection of email messages in plain text. All the messages are stored together as one long stretch of text, and new messages are appended to the end of the file. MBOX stores the messages in RFC 2822 format, the original Internet Message Format, which makes them easily accessible.
Many desktop mail clients, such as Mozilla Thunderbird, Eudora and Entourage, support the MBOX file as their default message storage file. Each message starts with a “From” header and ends with a blank line with no tags or spaces. Every message in the file is prefaced by a separation line and terminates with an empty line. However, the first message is prefaced by a separation line only, while the others begin with two end-of-line sequences followed by the separator line. The MBOX file format is simple to understand, is supported universally, and can be opened even in Notepad, which makes it investigation friendly.
Structure of “From”:
The structure of the “From” line is: From sender date moreinfo
sender: A single word that indicates the sender of the message.
date: The delivery date of the message, in standard C time format with 24 characters.
moreinfo: Contains arbitrary or other information.
The mailbox stores emails in a file with the .mbox extension, which denotes the respective folder from the profile configured in the email client, in the form foldername.mbox, such as Inbox.mbox, Outbox.mbox, etc.
Two Routes to Save Emails:
There are two ways to save emails: the directory format and the concatenated message format.
· Directory Format: The mail client creates an individual file for each message and stores it in a folder directory.
· Concatenate Message Format: All messages are stored in a single file, which makes up the mailbox.
What Do the Header Fields Indicate?
As the picture above shows, there are certain fields in the header portion. Some of the fields are:
· MIME-Version: Indicates the MIME version and shows whether the message is composed in MIME format.
· Message-ID: A unique ID for the message. Every message is given a different message ID, which makes it unique.
· X-Priority: Indicates how important the message was for the sender, using numbers that denote the following:
1 - Highest
2 - High
3 - Normal
4 - Low
5 - Lowest
· Return-Path: Indicates the path to which the email should be sent if it is not delivered. This ID need not be the same as the sender’s ID, but mostly it is.
· Content-Type: Indicates the type of content present inside the message body.
· To: Indicates the person who receives the message.
· From: Shows where the message has arrived from, i.e. the sender.
The first line of the header shows the sender's information and the date and time at which the message was sent. The next line mentions the MIME-Version, if any. Then we can see the ID of the message, the importance of the message through X-Priority, the content type, etc. It also shows the body in HTML structure along with the tags.
How Is a Message Read When Received?
A message is scanned starting from the From_ lines. When a From_ line is seen, it indicates the start of a message. The message header starts with the From address and the date and time at which it was received. The message runs up to the terminating blank line, i.e. until an end-of-line followed by a separator line is seen. MBOX files can be opened and read in any text editor owing to their simple text-based structure.
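The scanning rule above, combined with the From sender date moreinfo layout and the X-Priority values, as an added Python example (not code from the original post; the sample mailbox and the function names are constructed for illustration). A line beginning with "From " is accepted as a separator only at the start of the file or after a blank line, and only if it carries a valid 24-character C date, so body text that happens to start with "From " stays in the message.

```python
import re
from datetime import datetime
from email import message_from_bytes

SAMPLE = (b"From alice@example.com Mon Jan  6 10:15:00 2014\n"  # constructed sample
          b"MIME-Version: 1.0\nMessage-ID: <1@example.com>\nX-Priority: 1\n"
          b"From: alice@example.com\nTo: bob@example.com\n\nHello Bob,\n\n"
          b"From what I can tell the report is done.\n\n"
          b"From carol@example.com Tue Jan  7 08:00:30 2014 extra-info\n"
          b"Message-ID: <2@example.com>\nX-Priority: 3\nTo: bob@example.com\n\nSecond body.\n\n")

SEP = re.compile(rb"^From (\S+) (.{24})(?: (.*))?$")  # From sender date moreinfo
PRIORITY = {"1": "Highest", "2": "High", "3": "Normal", "4": "Low", "5": "Lowest"}

def parse_separator(line):
    """Return (sender, datetime, moreinfo) for a separator line, else None."""
    m = SEP.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    try:
        when = datetime.strptime(m.group(2).decode("ascii"), "%a %b %d %H:%M:%S %Y")
    except ValueError:  # starts with "From " but has no 24-character C date
        return None
    return m.group(1).decode("ascii", "replace"), when, (m.group(3) or b"").decode("ascii", "replace")

def split_mbox(data):
    """Yield (separator fields, raw bytes); separators count only after a blank line."""
    current, chunk, prev_blank = None, [], True
    for line in data.splitlines(keepends=True):
        sep = parse_separator(line) if prev_blank else None
        if sep:
            if current:
                yield current, b"".join(chunk)
            current, chunk = sep, []
        elif current:
            chunk.append(line)
        prev_blank = line.strip() == b""
    if current:
        yield current, b"".join(chunk)

def summarize(data):
    """One evidence row per message: separator fields plus selected headers."""
    rows = []
    for (sender, when, more), raw in split_mbox(data):
        msg = message_from_bytes(raw)
        rows.append({"envelope_sender": sender, "delivered": when.isoformat(),
                     "moreinfo": more, "message_id": msg["Message-ID"],
                     "priority": PRIORITY.get((msg["X-Priority"] or "")[:1], "unset")})
    return rows
```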
Further Details:
There are many locking mechanisms for MBOX. Some of them are:
· flock(): This system call is commonly used for read and write locks.
· lockf(): POSIX locking that allows exclusive locks only.
· Dotlock: The writer holds an exclusive lock on the MBOX. When this lock is taken, a mailboxname.lock file is created.
Conclusion: The MBOX file is supported universally for storing electronic mail. MBOX files allow faster appending into the mailbox and make searching easier. The MBOX file extension is supported by many desktop mail clients, so the files can be carried to different client platforms. In addition, the file proves advantageous for forensic purposes, as its readability is not restricted to a certain platform, i.e. the file is not platform dependent. Locked files, however, are slightly different from standard MBOX files, which makes all the difference in their structure as well as parsing.