EmailDiscussions.com  

Old 28 Mar 2014, 10:26 PM   #1
BLQ105
Junior Member
 
Join Date: Mar 2014
Posts: 1
Forging an email in Sent Items

Hi,

I have a staff member working for me that appears to have forged an email to appear legitimate in his Sent Items.

We run Windows SBS 2008 and we use Mimecast Unified Email Management. The email headers on the email he supposedly sent to a service provider also look different from his normal sent emails in the following ways:
1) Header From address in Sent Items shows his full email address rather than his full user name as it would normally display.
2) Header To addresses shows the service providers' email addresses rather than their full names. In all his other sent emails to the same recipients the full names display the way they are saved in his contacts.
3) When you open the suspicious email in his Sent Items and select any of the email addresses he supposedly sent it to, the email address has no hyperlink. Normally the whole address is selected if you click on it; these addresses are like plain text entries and the cursor just blinks wherever you click in the address.
4) He has somehow managed to get this email address in his Sent Items on the date and time he should have sent it, but the service provider didn't receive it. He copied an internal email address of a local user, but they also didn't receive it.
5) Although the email is in his Sent Items, the email is not found on a Mimecast archive search via the admin console.

Does anyone know if he could have forged the email to appear half legitimate but with a few anomalies? If so, how did he do it? I cannot fire him for lying and losing a major client without proving it was a fraudulent email.

Old 29 Mar 2014, 03:20 AM   #2
Adrian Bell
Cornerstone of the Community
 
Join Date: Apr 2001
Location: Darlington, UK
Posts: 938
I'm far from an expert but it may be possible to save a draft and just move it to the Sent Items.

As for the other things, did he send it via mail merge, or is it possible he could have sent it from a different email client or webmail?
Old 29 Mar 2014, 01:03 PM   #3
Cory
Essential Contributor
 
Join Date: May 2012
Posts: 459
You can actually forge an email by editing (or even "creating") an email in a text editor (such as Notepad or TextEdit), saving it as a .eml file, then copy/pasting it into the sent folder (especially in the case of a local client such as Thunderbird). I haven't done this in a while so I don't know how it looks though, so someone should give it a try to make sure.
Old 29 Mar 2014, 03:49 PM   #4
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
Yes, it's trivial to forge an email and save it to any folder you like.

1) and 2) can be caused by someone who doesn't know how the full name + email address should be formatted in an email header.

3) can be caused by the message being plain text rather than HTML. This can be an indicator of which program he used to compose the email. For example, it's possible to compose an email with Notepad, but a lot more difficult to compose a proper HTML email because it requires knowledge of MIME and various encoding schemes.

But the same thing can happen if the user's email client was temporarily misconfigured or he used a different email client. For example, he could have sent the email on his phone, where the email client doesn't support composing HTML emails and he doesn't have his usual address book at his disposal. So the above evidence on its own cannot prove that the email is forged.

The most conclusive evidence will be the logs on the mail server. I'm not familiar with the specific system that you're using, but most mail servers keep a log of all emails they handled during the last several days. If there is no record of the email in the logs of the server he claims to have used, then the email is probably forged.
kijinbear is offline   Reply With Quote
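
The checks described in the last reply, as an added example that is not part of the original thread: it flags header anomalies 1) to 3) in an exported message and then looks for a matching delivery record in a server log. The sample message, the addresses and the three-column log layout are constructed for illustration; a real mail server's log format will differ.

```python
import csv, io
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message, as exported from a Sent Items folder.
SUSPECT_EML = """\
From: jdoe@example.com
To: support@provider.example
Cc: colleague@example.com
Subject: Service renewal
Date: Fri, 14 Mar 2014 09:12:00 +0000
Content-Type: text/plain

Please renew our contract.
"""

# Constructed server log; the CSV layout is hypothetical, not a real product's format.
SERVER_LOG = """\
time,sender,recipient
2014-03-14T08:01:11+00:00,jdoe@example.com,support@provider.example
2014-03-14T09:10:30+00:00,asmith@example.com,support@provider.example
2014-03-14T10:40:02+00:00,jdoe@example.com,billing@provider.example
"""

def header_indicators(msg):
    """Anomalies 1-3 from the thread; suggestive only, never proof."""
    found = []
    for field in ("From", "To", "Cc"):
        pairs = getaddresses(msg.get_all(field, []))
        if pairs and not any(name for name, _ in pairs):
            found.append(f"{field}: bare address, no display name")
    if not any(p.get_content_type() == "text/html" for p in msg.walk()):
        found.append("plain text only, no HTML part")
    return found

def log_matches(msg, log_text, window=timedelta(minutes=15)):
    """Log rows from this sender to any listed recipient near the Date header."""
    sent = parsedate_to_datetime(msg["Date"])
    sender = getaddresses([msg["From"]])[0][1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    return [row for row in csv.DictReader(io.StringIO(log_text))
            if row["sender"].lower() == sender and row["recipient"].lower() in rcpts
            and abs(datetime.fromisoformat(row["time"]) - sent) <= window]

msg = message_from_string(SUSPECT_EML)
print(header_indicators(msg), log_matches(msg, SERVER_LOG))
```

The header indicators only say where to look; the empty list from `log_matches` is the finding that carries weight, and the time window should be set to cover clock differences between the client and the server.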