E-mail origin ?

Merlin
Legit Extremist
Posts: 898
Joined: Sat May 08, 2004 4:03 pm
Location: Dallas Texas

E-mail origin ?

Post by Merlin »

Not sure where to put this one... someone has forwarded my wife an e-mail that is supposed to be a forward from yet another person. Is there a way that I can verify that an e-mail is or is not a forwarded message? Just to clarify, if need be:

Person A claims that person B has gotten access to their ( A's) e-mail account and is using it to send messages to various people to manipulate them. Person A has forwarded an e-mail supposedly sent by person B to them using A's own e-mail account.

Family is involved here and I am trying to figure out whom I can trust. Is there any technical help you can give me that may help me figure out who actually wrote these messages?
Merlin
Windows 10 64 bit home on both
ASUS Z97-A LGA1150|i7 4790K|32Gb G-skill Ripjaws DDR3 2400| EVGA GTX660 | Corsair HX520W PSU
ASUS ROG MAXIMUS X HERO 1151|i7 8700K|32Gb G-skill Ripjaws DDR4-2666| EVGA GTX1080 | Samsung 500GB SSD | Corsair AX760 PSU
DMB2000uk
Site Admin
Posts: 7095
Joined: Mon Jul 18, 2005 5:36 pm
Location: UK

Post by DMB2000uk »

Can't think of anything off the top of my head, but tell person A to change their password.

Dan

Post by Merlin »

That's been done... I just don't know which one, A or B, is the liar.
Dragon_Cooler
Legit Extremist
Posts: 2405
Joined: Wed Oct 12, 2005 10:17 am
Location: DFW Texas

Post by Dragon_Cooler »

There is a very, very easy way to spoof email accounts and names by knowing like 3 commands. 'Tis very easy. That might be it, might not. LOL
smack323
Legit Extremist
Posts: 1275
Joined: Fri Dec 30, 2005 4:28 pm
Location: Waukesha, WI

Post by smack323 »

Which one of the two is more computer literate? That's probably the person who did it.
Core i5-6500 - Corsair Vengence 16GB DDR4 2133 - MSI 2080Ti - Antec 750W - Crucial 525GB SSD - Windows 10 64bit - ASUS 32" LED
road
Legit Aficionado
Posts: 95
Joined: Thu Feb 15, 2007 8:11 pm
Location: Maryland, US

examine the full email message headers

Post by road »

Short answer: There is uncertainty in determining if emails are legitimate, and unless a crime was committed you may not be able to find the author.

Long answer:
We have three cases here.

1. Person B spoofed person A's email address or more
Look at the full email message: view header information, text, display full, whatever the email client wants to call it. Each time an email is received (forwards too) a message block is attached containing the mail server address it was received from. If the mail server address does not belong to the same network as the one listed in the person's email, then it was partially spoofed. Check whois information to verify this.
http://www.arin.net/whois/

While you could prove it is spoofed if a mismatch exists between the email address received and network address received, an unsecured mail server would allow someone to send a message that appears to be completely legitimate. There has been a push for email authentication for some time:
http://www.habeas.com/en-US/News/Habeas ... ation-101/


2. Person B compromised Person A's account and sent mail
There is no way using an email or header contents to establish who logged into an email account and sent an email. Access info is stored by the sending mail server and would be provided to law enforcement.


3. Person A sent them and now blames person B
See above.

Really interesting topic. I'm sure I've missed some things others will point out. Only option I see left is damage control, so the password was changed, great. =) Sometimes you can also complain to the service provider or mail server admin about the abuse; terms of service may have been violated and they may punish the person even if they won't identify them. Keep us posted and beware false positives.
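
The header check road describes in case 1, as an added example that is not part of the original thread: it walks a message's Received blocks from oldest to newest and reports whether the first relay's hostname falls under the From address's domain. The message, hostnames and addresses are constructed, and the function names are hypothetical; a mismatch is only a prompt to look the network up in whois, and a match does not show who typed the message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; example.* names and documentation-range
# IPs are placeholders, not values from the thread.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Tue, 06 Mar 2007 10:15:02 -0600
Received: from dsl-203-0-113-45.isp.example (unknown [203.0.113.45])
\tby mx.example.net with SMTP; Tue, 06 Mar 2007 10:15:00 -0600
From: "Person A" <persona@example.com>
To: someone@example.org
Subject: Fwd: read this
Date: Tue, 06 Mar 2007 10:14:58 -0600

(body)
"""

# "from <helo-name> (<rdns> [<ip>]) by <receiving-host>", a common MTA layout.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.S)

def received_hops(raw):
    """Return hops oldest-first; each server prepends its own Received line."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops

def origin_report(raw):
    """Compare the From domain with the first relay that handed the mail over."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(raw)
    first = hops[0] if hops else None
    host = (first["helo"] if first else "").lower()
    matches = bool(domain) and (host == domain or host.endswith("." + domain))
    return {"from_domain": domain, "origin_ip": first and first["ip"],
            "origin_host": host, "host_matches_from": matches}

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["ip"], hop["helo"], "->", hop["by"])
    print(origin_report(SAMPLE))
```

Only the Received lines written by servers you trust, such as your own provider's, are reliable; anything below them was supplied by whoever submitted the message.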