Email Headers and Phishing
Questions: 30 | Duration: 15 min | Faculty-reviewed: 0 | Updated: 28 Apr 2026
About this mock
This mock covers email forensics: header analysis, sender authentication (SPF, DKIM, DMARC), spoofing techniques and how to detect them, phishing investigation, business email compromise (BEC), and the legal framework for email-based offences in India. Thirty questions test what every header field means and how to read it, how SPF / DKIM / DMARC verdicts appear in Authentication-Results, the difference between display-name spoofing and full envelope forgery, how to trace a phishing campaign back to its kit and infrastructure, attachment forensics (MIME structure, Base64 decoding, hash lookups against VirusTotal and technique mapping to MITRE ATT&CK), and the prosecution handles under IT Act Sections 66C and 66D and BNS Section 318.
It is pitched at BSc and first-year MSc cyber forensics students, FACT and UGC-NET aspirants, and incident-response analysts at Indian SOCs and CERT-In-affiliated teams. Email is the single largest entry vector for cyber-crime complaints registered on the National Cyber Crime Reporting Portal; every cyber-crime cell sees dozens of email cases per week, which makes mastering this area one of the highest-leverage investments for any cyber forensics student.
Themes covered:
- Email header anatomy: Received, Message-ID, Return-Path, Reply-To, From, Date, X-Originating-IP
- SMTP / IMAP / POP3 — what each protocol does, the standard ports, and what trace each leaves
- SPF (RFC 7208), DKIM (RFC 6376), DMARC (RFC 7489), ARC (RFC 8617), BIMI
- Header spoofing vs envelope spoofing; how From and Return-Path can disagree
- Display-name attacks, IDN homograph attacks vs ASCII typosquats, lookalike-domain detection
- Phishing kit fingerprinting and OSINT pivots from a phishing URL (WHOIS, DNS, ASN, crt.sh)
- Attachment forensics: MIME structure, Base64, hash-to-malware-family lookup
- Email storage formats: EML, MSG, PST, OST, MBOX — what each is and how to parse
- Indian legal handle: IT Act Sections 66C (identity theft), 66D (cheating by personation), BNS Section 318
- Operational response: 1930 helpline, cybercrime.gov.in, the CFCFRMS golden-hour fund-hold mechanism
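To make the header-anatomy, authentication and spoofing themes above concrete, here is an added example (not part of the mock or of ForensicSpot's material) that triages one raw .eml for the signals the questions cover: a display name that claims a domain the address does not use, a Return-Path that does not match the header From, a Reply-To redirect, a punycode (IDN) label, and the spf/dkim/dmarc verdicts in Authentication-Results. The sample message, its hostnames, IP (198.51.100.7, a documentation address) and message ID are all constructed placeholders; the script uses only the Python standard library.

```python
"""Triage one raw email for header/envelope spoofing signals.

Constructed sample and placeholder domains; Python standard library only.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample (.eml text), not a real message: the display name claims
# example.com, the address uses a lookalike domain, the envelope sender
# (Return-Path) is a third domain, and Reply-To points at a punycode domain.
SAMPLE_EML = """\
Return-Path: <bounce@bulk.example.net>
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.com with ESMTP id k7Q2x; Mon, 27 Apr 2026 09:14:02 +0000
Authentication-Results: inbound.example.com;
\tspf=pass smtp.mailfrom=bulk.example.net;
\tdkim=none;
\tdmarc=fail header.from=example-com-billing.net
From: "Accounts Team example.com" <accounts@example-com-billing.net>
Reply-To: payments@xn--exmple-cua.com
To: victim@example.com
Subject: Invoice overdue
Message-ID: <20260427091401.1@bulk.example.net>
Date: Mon, 27 Apr 2026 09:14:01 +0000
Content-Type: text/plain; charset="utf-8"

Please settle the attached invoice today.
"""

# Anything that looks like a domain name inside free text (display names).
DOMAIN_IN_TEXT = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results value."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=([a-z]+)", value, re.IGNORECASE)
        verdicts[method] = m.group(1).lower() if m else "absent"
    return verdicts


def triage(raw_eml):
    """Return the spoofing indicators found in one raw email."""
    msg = email.message_from_string(raw_eml)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    rp_dom = domain_of(return_path)
    reply_dom = domain_of(reply_to)
    findings = []

    # Display-name attack: the name part names a domain the address does not use.
    claimed = [d for d in DOMAIN_IN_TEXT.findall(display.lower()) if d != from_dom]
    for d in claimed:
        findings.append(f"display name claims '{d}' but address domain is '{from_dom}'")

    # Envelope vs header: SPF is evaluated on the Return-Path (MAIL FROM) domain;
    # DMARC additionally requires that domain (or a DKIM d=) to align with header From.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain '{rp_dom}' differs from From domain '{from_dom}'")

    # Reply-To redirection, common in BEC: replies leave the apparent sender's domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # IDN homograph indicator: a punycode (xn--) label in any of the address domains.
    idn = any(label.startswith("xn--")
              for dom in (from_dom, rp_dom, reply_dom) for label in dom.split("."))
    if idn:
        findings.append("punycode (xn--) label present; check for IDN homograph")

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method, verdict in auth.items():
        if verdict != "pass":
            findings.append(f"{method}={verdict}")

    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "reply_to_domain": reply_dom,
        "display_name_spoof": bool(claimed),
        "envelope_mismatch": bool(rp_dom and rp_dom != from_dom),
        "reply_to_redirect": bool(reply_dom and reply_dom != from_dom),
        "idn_domain": idn,
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

The sample deliberately passes SPF: the attacker's own bulk.example.net publishes a valid SPF record for its Return-Path, so spf=pass says nothing about the header From. It is the dmarc=fail verdict (no aligned SPF or DKIM identifier for example-com-billing.net) and the From / Return-Path / Reply-To disagreement that an analyst should weigh, which is exactly the header-vs-envelope distinction the mock tests.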
Each question carries a detailed explanation citing the relevant RFC verbatim, NIST SP 800-86 for incident-response procedure, MITRE ATT&CK for technique mappings, the IT Act for the Indian legal handle, and Microsoft / Google admin documentation for header behaviour. Allow 15 minutes; the explanations are long enough to use as study notes by themselves.
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.