How can you tell when an email has been doctored?

Melin

Recently, a customer sent my boss an email which was claimed to have been
sent to me a few days back. I never received such email and I believe the
email was doctored because the attachment of the said original message was
not an attachment directly from the sent box. Customer forwarded the message
to herself first and then created the attachment from the inbox and claimed
that the forwarded message was sent on the given date as shown. I requested
the customer to send me the original sent message as an attachment directly
from the sent items without it being forwarded to herself first. Customer
claims she could not send me the original sent message because the message
was in her archives and she had to forward it to herself first.

I believe that one cannot edit sent messages while in the sent items box.
Therefore, a forwarded email cannot be accepted as an original message.
Customer must be able to attach the original message in its untouched state
as it was originally sent. If customer forwards the message to herself
first, then she can edit the original message. Consequently, such message
cannot be trusted. Am I right?
 
VanguardLH

Melin said:
> Recently, a customer sent my boss an email which was claimed to have
> been sent to me a few days back.

There is no guaranteed delivery for e-mail.

> I never received such email and I believe the email was doctored
> because the attachment of the said original message was not an
> attachment directly from the sent box.

And how could you ever determine from where the attachment originated?
There is no trace to the source of the attachment. The attachment is a
MIME part within the body of the email which the email client presents
as an attachment.

> Customer forwarded the message to herself first and then created the
> attachment from the inbox

Then what she attached was not sent from you. It was sent from her and
then attached to another e-mail from her. The attachment might be
itself another e-mail with an attachment, so the e-mail would have to
be opened twice for the forwarded copy: once in the received e-mail to
see an attached copy of *her* e-mail and then that one opened to see
the claimed attachment that was the original message.

That it was an e-mail sent from her to you which she then forwarded to
herself to send herself again never proves that you received the
e-mail. There is no guaranteed delivery for e-mail. She wasn't ever
sending an attached copy of an e-mail that you sent her (to show headers
for you) but was always a copy of her own e-mails. She has no proof
that you received her e-mail.

The sender never does get irrefutable proof. Even if you enabled
automatically sending read receipts, that only means that the e-mail
was supposedly opened by *someone* that accessed your e-mail. It
doesn't prove that you opened it. It is also possible that an add-on
would automatically open an e-mail to have the e-mail client issue the
read receipt but you never read the e-mail. Delivery receipts never
prove that an e-mail reached the recipient's mailbox, only that the
receiving mail host accepted the e-mail.

> and claimed that the forwarded message was sent on the given date as
> shown.

So the forwarded message was her original e-mail that she sent. Yeah,
so what? How does that prove that YOU got her e-mail? No one but her
would even know if her sending SMTP mail host had accepted the e-mail
(rather than her manually moving the failed e-mail from her Outbox to
her Sent Items folder). Only logs in her sending mail host could show
if it successfully received the e-mail and if it ever successfully sent
that e-mail. All that proves is that the receiving mail host accepted
the e-mail, not that it got into your mailbox.

Consider e-mail like a Post-it note: you might've stuck it on the door
but that doesn't mean it didn't fall off, get blown away, or someone
picked it off before you happen to reach the door (on the same side as
the sticky note). The sender can only attempt to get their message
delivered. They cannot force that it gets delivered.

However, it is possible that her e-mail did reach your receiving mail
host but it got rejected. Most times the NDR (non-delivery report)
e-mail gets sent back to the sender but not always. Some receiving
mail hosts don't check DURING the mail session with the sending mail
host that the e-mail is deliverable. Instead they accept the e-mail
and then find out later that it wasn't deliverable. They have no more
information than you would have as to where to send the NDR: the
return-path info that the *sender* put in their e-mail. If the sender
lies about their e-mail address or it is invalid then the NDR goes off
to someone else or to a bit bucket. Your mail host might use a
blacklist and have rejected her e-mail (but then an NDR should get sent
back to her). The NDR may never even get issued (a known problem with
some e-mail services, like Hotmail). I know one company who rejects
e-mails from @yahoo.com senders, never sends back an NDR, and the
e-mail never reaches the recipient's mailbox.

It is also possible that the server-side anti-spam filter tagged her
e-mail and it is sitting in a different folder than the Inbox (which is
the only one that a POP connect will access versus IMAP, HTTP, or
Exchange that access all folders). Most e-mail providers have a
retention interval after which any e-mails moved into the Bulk, Junk,
or Trash folders will get deleted after some number of days. You
didn't mention how old was this issue.

> I requested the customer to send me the original sent message as an
> attachment directly from the sent items without it being forwarded to
> herself first.

Whether she sends the original as an attachment in a new mail or
forwards it as an attachment to herself and then attaches that message
to a new mail to then send you is worthless. She is the one that sent
you a message so all she is showing is what is in her message store,
not a copy of the message that would've actually been delivered. Just
because she sent it doesn't mean you got it.

If the customer wants guaranteed delivery of her messages to you, she
will need to use something other than e-mail.

> Customer claims she could not send me the original sent message
> because the message was in her archives and she had to forward it to
> herself first.

If the customer can get at the archived message to forward it then she
can get at the archived message to attach it.

> I believe that one cannot edit sent messages while in the sent items
> box.

You can edit any message in any folder. Double-click the message to
open in its own window and use the View -> Edit Message menu.

> Therefore, a forwarded email cannot be accepted as an original
> message. Customer must be able to attach the original message in its
> untouched state as it was originally sent. If customer forwards the
> message to herself first, then she can edit the original message.
> Consequently, such message cannot be trusted. Am I right?

No, you are wrong.

If you don't want someone editing your message without a trace, start
digitally signing your e-mails. They can still edit the message but
the hash using your public key won't match the hash on the edited
version. If you digitally sign all your outbound e-mails, a recipient
will get alerted if the message has been altered. It is possible to
edit the message to remove the digital signature but then the recipient
will see that it is not signed by you. This user doesn't even need to
edit the original message. They could just copy and paste the body of
your message but the signature won't match or it will be missing.
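
An added illustration of the answer above, not part of the original posts: an attached e-mail is only a `message/rfc822` MIME part, and a copy taken from the sender's own store carries no `Received` lines, so its `Date` is only what the sender's client wrote. The addresses, dates and function names are constructed for this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

def build_sample():
    """Constructed sample: a Sent Items copy attached to a new mail."""
    original = EmailMessage()
    original["From"] = "customer@example.com"
    original["To"] = "recipient@example.org"
    original["Date"] = "Mon, 02 Jun 2008 09:15:00 +0000"  # set by the sender's client
    original["Subject"] = "Order change"
    original.set_content("Please change my order.")

    outer = EmailMessage()
    outer["From"] = "customer@example.com"
    outer["To"] = "boss@example.org"
    outer["Date"] = "Fri, 06 Jun 2008 14:00:00 +0000"
    outer["Subject"] = "Proof I sent it"
    outer.set_content("See attached.")
    outer.add_attachment(original)  # stored as a message/rfc822 MIME part
    # Only the outer mail crossed a mail host, so only it gains a Received line.
    hop = ("Received: from mail.example.com by mx.example.org; "
           "Fri, 06 Jun 2008 14:00:05 +0000\n")
    return message_from_string(hop + outer.as_string(), policy=policy.default)

def attached_messages(part):
    """Yield messages attached directly at this level, not deeper ones."""
    if part.get_content_type() == "message/rfc822":
        yield part.get_payload(0)
    else:
        for sub in part.iter_parts():
            yield from attached_messages(sub)

def trace_levels(msg, depth=0):
    """One record per message level, outermost first."""
    hops = len(msg.get_all("Received", []))
    rows = [{"depth": depth, "subject": str(msg["Subject"]),
             "date": str(msg["Date"]), "received_hops": hops,
             "transport_evidence": hops > 0}]
    for sub in msg.iter_parts():
        for inner in attached_messages(sub):
            rows += trace_levels(inner, depth + 1)
    return rows

if __name__ == "__main__":
    for row in trace_levels(build_sample()):
        print(row)
```

The attached copy reports zero hops: nothing inside it records that any mail host ever handled it, which is why only server logs can show what was actually accepted or delivered.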
 