Tampering with email

iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Hi guys!

I was wondering if any of you have ever found tampered mails. I am referring to a mail saying it is coming from a sender who didn't send it, or a mail with the body changed from an original one… how do you usually face these issues?

By the way, do you know any software tool that helps you with this tampering process? I was thinking about searching for installed tools of this type as the first step.

Any suggestion is welcome! Thanks.

 
Posted : 28/07/2009 5:45 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Most spam headers are "tampered" with.

Sam Spade used to be able to highlight discrepancies within the header.

 
Posted : 28/07/2009 7:45 pm
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Great link. Thank you. I have never used it, but I will give it a look. On the other hand, relating to my second question, does anyone know of any tool the "bad guys" usually use to change this kind of info in the headers to make a mail look as they want it to look?

 
Posted : 29/07/2009 2:15 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

There are an enormous number of email direct marketing tools out there that will allow you to customize email headers. Any decent programmer could write code or scripts to do this as well.

You could Google "email direct marketing" to start getting a sense of what is out there.

-David

 
Posted : 29/07/2009 10:26 pm
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

I think I have been unable to explain myself. I really appreciate your thoughts on "email direct marketing", but I wasn't that interested in "spam" or "mass mailing". I was rather interested in some tool to locally modify certain attributes or headers of an email. I was thinking about some tool of the type of Metadata Analyzer for Office documents, but to be used with mail items in an Outlook mailbox.

Think for example that one person wants to say that his boss is harassing him or her. This employee sends a mail to himself/herself with some sexual offenses in it, and after it has been received, he deletes the "sent" mail, modifies the sender and the receiver, and compresses the mailbox. My question was… how could you modify those parameters in the received mail? And… how could you detect the trick?

I was pointed to Sam Spade for the second point (detection), but I still don't know how someone could do the fake itself.

Thank you anyway.

 
Posted : 30/07/2009 1:08 pm
(@ddewildt)
Posts: 123
Estimable Member
 

I think it depends a lot on the client used. For example I have looked at scenarios exactly like this in Lotus Notes and there is a $LastUpdatedBy field in the email. This stores the name of the ID file in use when the update is made. There are lots of things that can change this field, but you can usually combine this with other fields in the document to get an idea of what happened.

Also in your scenario there might be some remnants still in the full headers of the message, depending on how the changes were made. So if they've just made some changes through the gui rather than editing the source, there still might be something there in the headers.

Something I would also look for in this scenario is any backups that might be available. Is there journaling on the server that logs all messages? If you can show there was a message in one mailbox that had changed in a later version of the mailbox, surely that's a strong indication of something being amiss!

 
Posted : 30/07/2009 1:52 pm
(@seanmcl)
Posts: 700
Honorable Member
 

Anyone who can read the RFCs can learn how to hack e-mail headers and how to create fake but legitimately formatted headers. However, certain of the data are hard to hack because they are created by the Message Transfer Agent (MTA) which delivers the mail to the client, and unless you control the MTA, you aren't going to be able to hack the header items that it inserts.

When mail is between two account holders using the same MTA, such as Exchange, there may be very little data in the headers.

 
Posted : 30/07/2009 6:24 pm
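The point made above, that the MTA-inserted Received: trail and the envelope data are the parts a local editor cannot quietly rewrite, is what a header-consistency check leans on. The script below is an added example and not something posted in this thread; it parses a constructed message (the hostnames, addresses, IDs and timestamps are invented) and reports the disagreements an examiner would look for first: the header From: versus the envelope Return-Path, the Date: the client wrote versus the timestamp of the earliest MTA hop, whether the Received: timestamps run backwards along the path, and which host the oldest Received: header says the message came from.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not taken from the thread. From: claims the boss, but the
# MTA-written Received: trail, the Return-Path and the Message-ID all point at
# the employee's own workstation (WS-EMP-17). Everything here is invented.
SAMPLE_RAW = """\
Return-Path: <employee@corp.example>
Received: from mail.corp.example (mail.corp.example [192.0.2.10])
\tby mbx01.corp.example with ESMTP id 4nq7R2L1
\tfor <employee@corp.example>; Thu, 30 Jul 2009 13:05:12 +0200
Received: from WS-EMP-17 (ws-emp-17.corp.example [192.0.2.57])
\tby mail.corp.example with ESMTP id 9xa1P0Tz
\tfor <employee@corp.example>; Thu, 30 Jul 2009 13:05:10 +0200
Message-ID: <20090730110509.1234@ws-emp-17.corp.example>
Date: Mon, 20 Jul 2009 09:00:00 +0200
From: "The Boss" <boss@corp.example>
To: employee@corp.example
Subject: test

body
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
DATE_SKEW_TOLERANCE_HOURS = 6  # assumed threshold; tune to the environment


def parse_received(value):
    """Return (from_host, timestamp) for one Received: header value.

    The host is the token after the leading 'from'; the timestamp is whatever
    follows the last ';', which is where the RFC 5321 layout puts it.
    """
    host = None
    m = RECEIVED_FROM.match(value)
    if m:
        host = m.group(1)
    ts = None
    if ";" in value:
        try:
            ts = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            ts = None
    return host, ts


def analyse_headers(raw):
    """Cross-check client-written headers against the MTA-written ones."""
    msg = message_from_string(raw)
    findings = {}

    # Header From: (what the reader sees) vs Return-Path (envelope sender
    # recorded by the delivering MTA). Disagreement is the first red flag.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if return_path and return_path != from_addr:
        findings["return_path_mismatch"] = (from_addr, return_path)

    # Each MTA prepends its Received: line, so the last one in the message is
    # the oldest hop; reverse to get delivery order.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    findings["hops"] = hops
    if hops and hops[0][0]:
        findings["originating_host"] = hops[0][0]

    # Timestamps should never run backwards along the delivery path.
    times = [t for _, t in hops if t]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings["received_out_of_order"] = True

    # Date: is written by the client and is trivially editable; compare it with
    # the earliest MTA timestamp.
    date_hdr = msg.get("Date")
    if date_hdr and times:
        try:
            sent = parsedate_to_datetime(date_hdr)
            skew = abs((times[0] - sent).total_seconds()) / 3600
            if skew > DATE_SKEW_TOLERANCE_HOURS:
                findings["date_skew_hours"] = round(skew, 1)
        except (TypeError, ValueError):
            pass

    # Message-ID is also client-generated, but its right-hand side usually
    # names the generating host; record it for comparison with the hops.
    mid = msg.get("Message-ID", "")
    findings["message_id_host"] = (
        mid.strip().strip("<>").rsplit("@", 1)[-1].lower() if "@" in mid else None
    )
    return findings


if __name__ == "__main__":
    for key, value in analyse_headers(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

On the sample this reports a From:/Return-Path mismatch, an originating host of WS-EMP-17 (the employee's own machine) with a matching Message-ID host, and a Date: roughly ten days older than the first MTA hop. As the post above notes, none of this proves tampering on its own; an intra-Exchange message may carry almost no Received: headers at all, which is exactly why the server-side logs matter.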
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

The techniques used to do spam and direct marketing email campaigns are the same techniques an individual could use to forge harassing email. Seanmcl's comments about the RFCs go to the foundation of this, and the various spam tools just automate the process.

These tools do exactly what you're looking for - control the information that goes into various email headers.

-David

 
Posted : 30/07/2009 11:29 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

I think I get it.

Presumably someone modified message header(s) within .eml/.msg/.PST/.OST, MS Exchange mail store, Lotus Notes DB. Is this correct?

If so, very much depends on the configuration of the mail infrastructure/flow.

For example - Using MS Exchange infrastructure, message sent to self (Outlook), as you described it, moved to .PST, deleted from sent folder, then compressed .PST.

Possible things to cross reference with server logs and client logs are time date stamps, Message-ID, X-MS-TNEF-Correlator, Thread-Index, Return-Path, X-OriginalArrivalTime.

Or, you could just pull up the Exchange Message Tracking console, and a short search would produce details as to what machine touched the message. If the boss's machine never came into play, it would be hard to prove the message actually went through the Exchange infrastructure. Of course purged/modified logs can always be claimed.

 
Posted : 31/07/2009 12:44 am
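The cross-reference described in the post above (take the Message-ID from the mailbox item and see what the server's message tracking log says about it) can be done against an exported log without the console. This is an added example, not code from the thread: the log below is constructed, uses only a handful of the columns that Exchange 2007/2010 tracking logs carry (the real files have many more, and the exact set varies by version), and the hostnames and addresses (WS-BOSS-01 as the boss's workstation, WS-EMP-17 as the employee's) are assumed. The check answers the three questions the post raises: did the server see this message at all, which client machine submitted it, and does the sender the server logged agree with the From: the mailbox item now shows.

```python
import csv

# Constructed, simplified tracking log. The column subset is an assumption for
# illustration; real Exchange tracking logs carry many more fields.
TRACKING_LOG = """\
#Fields: date-time,client-ip,client-hostname,server-hostname,event-id,message-id,sender-address,recipient-address
2009-07-30T11:05:09.000Z,192.0.2.57,WS-EMP-17,MBX01,RECEIVE,<20090730110509.1234@ws-emp-17.corp.example>,employee@corp.example,employee@corp.example
2009-07-30T11:05:10.000Z,,,MBX01,DELIVER,<20090730110509.1234@ws-emp-17.corp.example>,employee@corp.example,employee@corp.example
2009-07-30T08:12:40.000Z,192.0.2.21,WS-BOSS-01,MBX01,RECEIVE,<b0c1d2e3@ws-boss-01.corp.example>,boss@corp.example,employee@corp.example
2009-07-30T08:12:41.000Z,,,MBX01,DELIVER,<b0c1d2e3@ws-boss-01.corp.example>,boss@corp.example,employee@corp.example
"""


def load_tracking_log(text):
    """Parse a '#Fields:'-headed CSV tracking log into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#Fields:"):
        raise ValueError("expected a '#Fields:' header line")
    fields = [f.strip() for f in lines[0].split(":", 1)[1].split(",")]
    return list(csv.DictReader(lines[1:], fieldnames=fields))


def trace_message(log, message_id, claimed_sender):
    """Report what the server log says about one Message-ID.

    claimed_sender is the From: address the mailbox item shows now; it is
    compared with the sender-address the server recorded at the time.
    """
    rows = [r for r in log if r["message-id"] == message_id]
    if not rows:
        # Never seen by the server: either it did not transit this
        # infrastructure or the logs for that period are missing/purged.
        return {"seen_by_server": False}

    # RECEIVE events carry the submitting client; DELIVER events do not.
    submits = [r for r in rows if r["event-id"] == "RECEIVE"]
    hosts = sorted({r["client-hostname"] for r in submits if r["client-hostname"]})
    logged_senders = sorted({r["sender-address"].lower() for r in rows})
    return {
        "seen_by_server": True,
        "submitting_hosts": hosts,
        "logged_senders": logged_senders,
        "sender_matches_header": claimed_sender.lower() in logged_senders,
        "events": [(r["date-time"], r["event-id"]) for r in rows],
    }


if __name__ == "__main__":
    log = load_tracking_log(TRACKING_LOG)
    # Message-ID taken from the disputed mailbox item, From: as it reads now.
    result = trace_message(
        log, "<20090730110509.1234@ws-emp-17.corp.example>", "boss@corp.example"
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the disputed item the log says the server did see the message, that it was submitted from WS-EMP-17 rather than the boss's machine, and that the sender it recorded was the employee's own address, not the one now in the From: header. A Message-ID the server never logged is the other interesting outcome, with the caveat the post already gives: absence from the log can be argued either way unless log retention and integrity are established.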