#MsExchange #Powershell
So sometimes I want or need to look at the message headers of an email to work out where it comes from. You can use something like http://mxtoolbox.com/public/tools/emailheaders.aspx to do that, but I thought, you must be able to do this with Windows PowerShell. Guess what, you can ;-)
Meet Parse-EmailHeaders.ps1. Now I cheated a little by using SAPIEN PowerShell Studio to build the GUI, as I couldn’t be bothered to manually create the GUI in Notepad ;-)
So fire up PowerShell and run the script.
Essentially, in Outlook, get the message header of an email, paste it into the GUI box and click on the Parse button.
In the shell you will see what it’s up to.
PS C:\PS> .\Parse-EmailHeader.ps1
Looking for C:\PS\Parse-EmailHeader_KnownIPs.csv - Found -- 60 Found
Discovering IP Geo Information
 + / +
[fe80::4100:46ba:3a5c:54ce] + / + [fe80::b42c:7f9:e0ef:23d%10]
10.11.123.10 + / + 10.11.250.20
91.206.176.84 + / + 10.47.216.189
2a01:111:f400:7e04::177 + / + 2a01:111:e400:8814::26
10.242.16.26 + / + 10.242.136.153
213.199.154.78 + / + 10.174.65.75
2a01:111:f400:7e00::105 + / + 2a01:111:e400:1000::18
10.242.64.18 + / + 10.242.68.20
unknown unknown GB GB GB unknown unknown GB unknown unknown
http://maps.googleapis.com/maps/api/staticmap?size=800x800&sensor=false&path=color:0xff0000ff|weight:5|UB40SL|E149YY&markers=size:mid%7Ccolor:red%7CUB40SL%7CE149YY

Looking for C:\PS\Parse-EmailHeader_KnownIPs.csv - Found -- 60 Found
Discovering IP Geo Information
 + / +
 + / + 10.180.165.174
 + / + 10.114.67.131
 + / + 10.152.6.199
 + / + mail-la0-f45.google.com
relay146.msgfocus.com. [86.54.102.146] + / + mx.google.com
209.85.215.45 + / + 10.47.216.92
2a01:111:f400:7e04::108 + / + 2a01:111:e400:9414::19
10.141.8.147 + / + 10.242.141.17
unknown unknown unknown unknown unknown unknown unknown CL unknown unknown
http://maps.googleapis.com/maps/api/staticmap?size=800x800&sensor=false&path=color:0xff0000ff|weight:5|UB40SL|E149YY&markers=size:mid%7Ccolor:red%7CUB40SL%7CE149YY

Looking for C:\PS\Parse-EmailHeader_KnownIPs.csv - Found -- 60 Found
Discovering IP Geo Information
 + / +
http://maps.googleapis.com/maps/api/staticmap?size=800x800&sensor=false&path=color:0xff0000ff|weight:5|UB40SL|E149YY&markers=size:mid%7Ccolor:red%7CUB40SL%7CE149YY

PS C:\PS> .\Parse-EmailHeader.ps1
Looking for C:\PS\Parse-EmailHeader_KnownIPs.csv - Found -- 60 Found
Discovering IP Geo Information
 + / +
[10.0.0.189:8127] helo=HOME-?? + / + Momo-dev:3.5.1.0
unknown unknown UA
http://maps.googleapis.com/maps/api/staticmap?size=800x800&sensor=false&path=color:0xff0000ff|weight:5|UB40SL|E149YY&markers=size:mid%7Ccolor:red%7CUB40SL%7CE149YY
The end result is a saved file called Parse-EmailHeaders.html which will automagically open once the parsing is complete.
Now, as an added bonus, if a file called Parse-EmailHeaders_KnownIPs.csv exists, it will use it to populate Country and City of IPs you know about.
IP,Country,City
2a01:111:e400:8000::28,Microsoft EOP (NL),Amsterdam
10.242.80.27,Microsoft EOP (NL),Amsterdam
10.242.77.156,Microsoft EOP (NL),Amsterdam
10.16.249.240,Microsoft EOP (IE),Dublin
Why have this? Well, I put all my known Exchange Hub and Edge servers in, with the Datacentre location, so I can see the path it took. Create the csv file in the same folder as the .ps1 and chop and change as you wish.
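The hop path and known-IP lookup described above, as an added PowerShell example that is not the code of Parse-EmailHeaders.ps1: it unfolds a pasted header, reads each Received field oldest first, and labels addresses found in the CSV. The function names Get-FirstIP and Get-ReceivedHop and the sample header are assumptions made for illustration. Only the hops stamped by servers you list in the CSV are ones you can vouch for, because Received fields below them are supplied by the sending side.

```powershell
# Added example; not the code of Parse-EmailHeaders.ps1.
# The header text is constructed; the CSV row is one shown on the page.
$rawHeader = @'
Received: from mail.example.net (mail.example.net [203.0.113.25])
 by edge01.example.org (10.16.249.240) with ESMTP id abc123;
 Mon, 1 Jan 2024 10:00:05 +0000
Received: from [198.51.100.7] (helo=client)
 by mail.example.net with ESMTPSA id def456;
 Mon, 1 Jan 2024 10:00:01 +0000
Subject: constructed sample
'@
$known = @{}
@'
IP,Country,City
10.16.249.240,Microsoft EOP (IE),Dublin
'@ | ConvertFrom-Csv | ForEach-Object { $known[$_.IP] = "$($_.Country) / $($_.City)" }

function Get-FirstIP([string]$Text) {
    # Candidate IPv4 or IPv6 literal; TryParse rejects look-alikes such as 10:00:05.
    $rx = '(?<![\w.])(?:(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7})(?![\w.])'
    foreach ($m in [regex]::Matches($Text, $rx)) {
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($m.Value, [ref]$ip)) { return $ip.ToString() }
    }
    return ''
}

function Get-ReceivedHop([string]$HeaderText, [hashtable]$Known) {
    # Unfold continuation lines (leading space or tab), then keep the Received fields.
    $fields = ($HeaderText -replace '\r?\n[ \t]+', ' ') -split '\r?\n'
    $received = @($fields | Where-Object { $_ -match '^Received:' })
    # Each server prepends its own field, so walk bottom-up to list the oldest hop first.
    for ($i = $received.Count - 1; $i -ge 0; $i--) {
        $body = (($received[$i] -replace '^Received:\s*', '') -split ';')[0]
        $from = $body; $by = ''
        if ($body -match '^(?:from\s+(?<f>.*?)\s+)?by\s+(?<b>.*)$') { $from = $Matches.f; $by = $Matches.b }
        $fromIp = Get-FirstIP $from
        $byIp = Get-FirstIP $by
        [pscustomobject]@{
            Hop      = $received.Count - $i
            FromIP   = $fromIp
            FromSite = if ($Known.ContainsKey($fromIp)) { $Known[$fromIp] } else { 'unknown' }
            ByIP     = $byIp
            BySite   = if ($Known.ContainsKey($byIp)) { $Known[$byIp] } else { 'unknown' }
        }
    }
}

Get-ReceivedHop $rawHeader $known | Format-Table -AutoSize
```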
Hope you like