How can I prevent someone from modifying the contents of an email they received and then forwarding it to others? Some employees cheat managers by changing the content of emails and forwarding the modified email to them. I need a policy that prevents this backdoor.
What you want to prevent is not possible. Have managers fire these employees that try to cheat the company. One solution to your problem: forward all mail sent to an employee to another mailbox. This will give a manager independent verification. More information is required to help you, for instance, what email system you're using. – Ramhound Sep 18 '12 at 11:51
Tell your employees that if they manipulate email contents, they will be fired. Then actually fire the ones that do it. Simple, no? – Polynomial Sep 18 '12 at 11:56
What do you mean by manipulated forwarding of emails? Depending on the context, signing the emails might be a technical solution. – CodesInChaos Sep 18 '12 at 12:27
I tried to improve the language of the posting. Despite the down votes, I think it is a very valid question. Some more details may be useful, though. – Hendrik Brummermann Sep 18 '12 at 12:32
@HendrikBrummermann I don't think it's really that valid. You cannot prevent anyone from altering a plaintext document that you've sent, especially if it's quoted underneath another email. The solution is to use disciplinary action, which makes this an HR question, not a security one. – Polynomial Sep 18 '12 at 15:38
@Polynomial, the human side of security is considered on-topic here. (While often not practical, signatures, perhaps even using government-issued ID cards with a card-reader/display/signing-terminal, do allow detection of manipulated text files.) – Hendrik Brummermann Sep 18 '12 at 15:50
@HendrikBrummermann I'm aware of that, but it's not a human security question, it's an HR question. If he asked "how do I convince people that changing stuff in an email is bad for security?", then sure. But instead, it boils down to "how should I stop my employees from being manipulative asshats?", which is off topic. – Polynomial Sep 18 '12 at 15:58
If you need a policy, write a policy. If you need a technical countermeasure, reject all email that doesn't have a digital signature. – MCW Nov 21 '13 at 18:24
5 Answers
Email is unsafe -- deal with it.
Email can be made safe for an adequately defined value of "safe", through the use of signatures (S/MIME or OpenPGP). This is not as easy as it seems (I mean, it does not look easy, but in reality it is worse). The cornerstone of the system is that unsigned emails should be rejected automatically; human users should never see them at all, because if they read them, they will always believe them a little, regardless of how much you may have explained to them how insecure and unsafe plain emails are. Therefore, switching to signed emails is like a big jump into the unknown. In practice, it is essentially a way to break emails (or to induce users to switch to gmail...).
What you can do is to educate and then to educate again:
- The smooth education: explain to your users how untrustworthy email is as a medium. Show how easy it is to forge an email (e.g. with this answer). Try to prevent the "wizardry effect" which makes most human beings lose common sense as soon as a computer is involved (as Clarke was putting it, computers are beyond the "magical horizon" of most people -- solution is to make them understand how a computer works). As a bonus, this makes the users more resilient to phishing.
- The less smooth education: let all the might of the Law fall on wannabe fraudsters. Have it known that the slightest phony game with email is a shooting offense; the guilty will be fired, jailed, shot and flogged (not necessarily in that order). The idea is to make faking emails not worth it. This works well: this is how the non-computer world deals with handwritten signatures, and it has done so for several centuries.
Email is an insecure communication channel. The "to" and "from" headers can be set to anything. Anything can be written into the body of an email message. This includes changing the quote text.
The first issue of manipulating "to" and "from" headers can be prevented in a closed environment such as company internal mail. The company mail server can verify that the "from" header matches the account used to send the email. And it can verify that the visible "to" header matches the real recipient.
But there is no easy and reliable way to prevent manipulation of quoted text.
You could use GPG / PGP or S/MIME signatures. But rolling out a public/private key infrastructure is usually not worth the costs.
Summary
There is no simple technical solution. Use a social or legal approach ("Cheating a manager" sounds serious enough to warrant a talk with the human resources department).
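The header checks this answer describes for an internal mail server, sketched as an added example (not code from the answer or from any particular mail server). The function name, the `auth_account` and `envelope_rcpts` parameters and the sample messages are assumptions made for illustration; a real server would take these values from the authenticated SMTP session.

```python
from email import message_from_string, policy
from email.utils import getaddresses

def submission_violations(raw, auth_account, envelope_rcpts):
    """Check a submitted message against the session that submitted it.

    auth_account: address the sender authenticated as (assumed input).
    envelope_rcpts: addresses the server will really deliver to (assumed input).
    Returns a list of (code, detail) tuples; an empty list means the headers are consistent.
    """
    msg = message_from_string(raw, policy=policy.default)
    problems = []
    # The visible From must be exactly the authenticated account.
    from_addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    if from_addrs != [auth_account.lower()]:
        problems.append(("from-mismatch", ", ".join(from_addrs) or "(none)"))
    # Every address shown in To/Cc must really receive the message.
    # The reverse is not required: Bcc recipients are in the envelope only.
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {a.lower() for _, a in getaddresses(shown)}
    phantom = visible - {r.lower() for r in envelope_rcpts}
    for addr in sorted(phantom):
        problems.append(("phantom-recipient", addr))
    return problems

# Constructed sample messages (not real traffic).
HONEST = """\
From: Employee <employee@example.com>
To: manager@example.com
Subject: Report

Attached.
"""
FORGED_FROM = HONEST.replace("Employee <employee@example.com>",
                             "Manager <manager@example.com>")
PHANTOM_TO = HONEST.replace("To: manager@example.com",
                            "To: manager@example.com, ceo@example.com")

if __name__ == "__main__":
    session = ("employee@example.com", ["manager@example.com"])
    for name, raw in [("honest", HONEST), ("forged", FORGED_FROM), ("phantom", PHANTOM_TO)]:
        print(name, submission_violations(raw, *session))
```

As the answer notes, this covers only the headers; the body, including quoted text, is not checked.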
This is what cryptographic signatures are for. GPG or PGP signed messages ensure integrity of the messages.
Besides the very valid answer of having managers sign communications, referencing sources would be the other appropriate way of handling things. If there's a debate about the content of an email, the sent messages archive is the better reference for each party. If you have an email archiving system, then the server's copy of the message would be best.
At that point, we're back to the human element. If you forge an email and the server shows that you wrote something which wasn't really sent then you can forget about having a job.
One last comment on signing: a caveat with signing is that you'll run into issues where the message is signed, then altered, then sent. If the receiver doesn't verify every signature, then nothing would really be "valid."
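Using the server's archived copy as the reference, as this answer suggests, can be partly automated. The following is an added example, not part of the original answer: it assumes the forward carries a `References` header naming the original's Message-ID and quotes it with `>` markers, and the archive dictionary and sample messages are constructed for illustration.

```python
import difflib
from email import message_from_string, policy

def _plain_body(raw):
    msg = message_from_string(raw, policy=policy.default)
    return msg, msg.get_body(preferencelist=("plain",)).get_content()

def _norm(line):
    return " ".join(line.split())  # collapse whitespace so re-wrapping is not flagged

def altered_quotes(forwarded_raw, archive):
    """Compare '>'-quoted lines of a forward with the archived original.

    archive maps Message-ID -> raw message as stored by the server (assumed layout).
    Returns None if no archived original is referenced, otherwise a list of
    (quoted_line, closest_original_line_or_None) for quoted lines not in the original.
    """
    fwd, body = _plain_body(forwarded_raw)
    refs = str(fwd["References"] or "").split()
    if not refs or refs[-1] not in archive:
        return None
    _, orig_body = _plain_body(archive[refs[-1]])
    original = [_norm(l) for l in orig_body.splitlines() if l.strip()]
    findings = []
    for line in body.splitlines():
        if not line.lstrip().startswith(">"):
            continue  # the forwarder's own text is not checked
        quoted = _norm(line.lstrip().lstrip("> "))
        if quoted and quoted not in original:
            near = difflib.get_close_matches(quoted, original, n=1, cutoff=0.6)
            findings.append((quoted, near[0] if near else None))
    return findings

# Constructed sample data (not real messages).
ARCHIVE = {"<a1@mail.example.com>": """\
From: manager@example.com
To: employee@example.com
Subject: Overtime
Message-ID: <a1@mail.example.com>

Overtime is approved for up to 5 hours this week.
Please log it in the timesheet system.
"""}
FORWARD = """\
From: employee@example.com
To: payroll@example.com
Subject: Fwd: Overtime
References: <a1@mail.example.com>

See approval below.

> Overtime is approved for up to 50 hours this week.
> Please log it in the timesheet system.
"""

if __name__ == "__main__":
    for quoted, original in altered_quotes(FORWARD, ARCHIVE):
        print("quoted:  ", quoted, "\narchived:", original)
```

Partial quoting is not flagged; only quoted lines that do not occur in the archived original are reported, alongside the closest archived line.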
Archive it - this is what archiving is for.
People treat email like it's gospel but it's so easy to manipulate (as you've identified).
There are some off the shelf solutions, or you can get some consultancies to roll out a whole apparatus just for archiving - SaaS sort of thing.