Could someone doctor an email to make it appear that it was sent from a different sender at an earlier date? For example, could someone who knows my email address make it appear that I had emailed someone last year?
-
It greatly matters who the malicious party is. Are you asking if an attacker can fool the recipient? If an attacker working in concert with the alleged recipient can fool an expert? – Ben Voigt Sep 30 '21 at 15:50
3 Answers
Yes, there are a bunch of different ways to forge emails. Almost the entire contents of the email you receive is sent as data over SMTP, and as such, the headers are just as forgeable as the body: that is, trivially. This is why spammers can send mail that appears to be from your own account (or someone else's) on an arbitrary date.
However, there are a few things that can prevent this from happening. First, every server that receives a mail over SMTP inserts a Received header in order. This header states information about the transmission: the server from which it was received, the server which received it, the email address to which it was to be delivered, and the date and time at which it was received are all customarily included. Thus, if the recipient's mail server received the mail from an unexpected source (i.e., not your mail server), that would likely be suspicious.
There is also DKIM, which cryptographically signs various header fields in the email. This is an assertion by the sending mail server that it has seen these fields and presumably believes them to be valid. Most providers include the From, To, and Date headers, as well as the Message-ID (which often contains a server-assigned timestamp), so if the message is signed with DKIM, these entries cannot be changed from the ones the server saw without detection. Whether unsigned emails should be presumed forged and whether the server is scrupulous about checking the headers for validity before signing are quality of implementation issues (that is, determined by the sending domain's policy).
For example, it is well known that Gmail signs every mail that goes through it (for domains they control) with DKIM and that it does not permit people to send from addresses not associated with their account. As a result, it would be nearly impossible for someone to forge an email since the signature would not validate, and an unsigned email could safely be assumed to be forged. Other domains will have different policies.
-
Except for your first paragraph, this is a good answer. Unfortunately your first paragraph contradicts your otherwise good answer. Yes forged headers can be inserted, but actual headers cannot be removed. Simplistic forgeries can superficially confuse the average user, but the real content can still be examined in the headers. To be clear, your statement of *"... the headers are just as forgeable as the body: that is, trivially."* is simply not true. – user10216038 Sep 30 '21 at 02:51
-
Basically, if I wanted an email to appear to have been sent earlier, I'd create a bunch of `Received:` headers with a short distance from the `Date:` header -- this will make it appear as if the mail was delayed in transit. This ceases to be believable after a few days though, because mail servers are expected to generate an error report if they are unsuccessful in forwarding a mail for a time (configuration guides suggest times between three and seven days). – Simon Richter Sep 30 '21 at 17:21
-
DKIM covers the body as well. My answer states that yes, it is trivially easy to forge emails unless people take suitable precautions to avoid that, such as DKIM. Many sites still don't use DKIM, much to my annoyance, so for them, forgery is trivial. – bk2204 Sep 30 '21 at 21:40
-
@user10216038 I don't think that's a fair criticism without more information about the threat model. In general, there could be a malicious SMTP server somewhere along the chain which absolutely could rewrite an email in transit to remove headers. A malicious IMAP or POP3 _client_ on the receiving end can change anything at all about the message. – David Z Oct 02 '21 at 00:32
-
@David Z - The days of malicious SMTP servers are essentially gone. Without appropriate vetting and control, most mainline servers won't talk to them. A *malicious IMAP or POP3 client on the receiving end* is **you**, or at least the OP in this scenario. Yes you can alter your own email received, but that was never the question. There may be some other abnormal special edge case you could create but I don't believe that was the intent of the question. – user10216038 Oct 02 '21 at 00:56
-
@user10216038 So what _was_ the intent of the question? Who or what is doing the doctoring the OP asked about, if it's not an SMTP server and not an IMAP/POP3 client? – David Z Oct 02 '21 at 02:09
-
@David Z - You're assuming things not said with, *"if it's not an SMTP server and not an IMAP/POP3 client?"*. You mentioned a *client on the receiving end*, which would be yourself, a trivial end case not at issue. Typically forgeries are via **sending** clients, which can only add false headers. True a completely compromised server can potentially do everything, but they tend to be blacklisted very quickly. What might be theoretically possible is quite different from realistic capabilities. If your baseline is a Nation State then yes, but that's well outside of *"trivial"*. – user10216038 Oct 02 '21 at 03:31
-
It could be the **recipient** that is trying to forge the mail: "Here is the proof of payment that you emailed me last year" for example – Rodney Oct 02 '21 at 11:11
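The DKIM point in the answer above, as an added example that is not part of the original thread: the relaxed canonicalization and the h= field selection are the real DKIM rules (RFC 6376), but the signing primitive is swapped for HMAC-SHA256 with a constructed key so the script runs with the standard library alone (real DKIM signs with RSA or Ed25519 and publishes the public key in DNS). The header name X-Example-Signature and the sample message are likewise constructed. It lists `date` twice in h= on purpose, which is DKIM over-signing: it binds the absence of a second Date header, so an attacker cannot prepend one that a mail client might display instead of the signed one.

```python
import hashlib
import hmac
import re

# Constructed key: stands in for the domain's DKIM key pair. HMAC is a
# labelled stand-in for the RSA/Ed25519 signature real DKIM uses.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"

# The h= list. "date" appears twice: DKIM over-signing (RFC 6376 section 8.15)
# signs the non-existent second Date as empty, so one cannot be added later.
SIGNED_HEADERS = ["from", "to", "subject", "date", "date", "message-id"]
SIGNATURE_HEADER = "X-Example-Signature"   # hypothetical; real DKIM: DKIM-Signature


def parse_headers(raw):
    """Split a raw message into [(name, value), ...] and the body, joining
    folded continuation lines back onto their header."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def relaxed_header(name, value):
    """DKIM 'relaxed' header canonicalization (RFC 6376 section 3.4.2):
    lowercase name, unfold, collapse whitespace runs, strip the ends."""
    return name.lower().strip() + ":" + re.sub(r"\s+", " ", value).strip()


def relaxed_body(body):
    """DKIM 'relaxed' body canonicalization (section 3.4.4): trailing
    whitespace stripped per line, inner runs collapsed, trailing empty
    lines dropped, CRLF line ends."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t\r")) for line in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def signing_input(headers, body, signed_names):
    """Bytes that get signed: body hash plus each covered header in h= order.
    As in DKIM, instances are taken from the bottom of the header block
    upwards, and a name listed more often than it occurs is signed as ''."""
    parts = ["bh=" + hashlib.sha256(relaxed_body(body).encode()).hexdigest()]
    taken = {}
    for name in signed_names:
        instances = [v for n, v in headers if n.lower().strip() == name]
        idx = len(instances) - 1 - taken.get(name, 0)
        taken[name] = taken.get(name, 0) + 1
        parts.append(relaxed_header(name, instances[idx] if idx >= 0 else ""))
    return "\r\n".join(parts).encode()


def sign(raw):
    """Prepend a signature header covering SIGNED_HEADERS and the body."""
    headers, body = parse_headers(raw)
    tag = hmac.new(SIGNING_KEY, signing_input(headers, body, SIGNED_HEADERS),
                   hashlib.sha256).hexdigest()
    return f"{SIGNATURE_HEADER}: h={':'.join(SIGNED_HEADERS)}; b={tag}\n" + raw


def verify(raw):
    """Recompute the tag from the h= list carried in the message; False if the
    header is missing or any covered field no longer matches what was signed."""
    headers, body = parse_headers(raw)
    sig = next((v for n, v in headers if n.lower() == SIGNATURE_HEADER.lower()), None)
    if sig is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    expected = hmac.new(SIGNING_KEY, signing_input(headers, body, tags["h"].split(":")),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags["b"])


# Constructed sample message (not from the thread).
CONSTRUCTED_MESSAGE = """\
From: alice@example.com
To: bob@example.net
Subject: Invoice
Date: Tue, 14 Sep 2021 10:00:00 +0000
Message-ID: <20210914100000.1234@mail.example.com>

Please find the invoice attached.
"""


def demo():
    """Untouched, Date rewritten, Received added in transit, second Date
    prepended: returns the four verification results, in that order."""
    signed = sign(CONSTRUCTED_MESSAGE)
    backdated = signed.replace("Date: Tue, 14 Sep 2021", "Date: Tue, 15 Sep 2020")
    relayed = ("Received: from mx.example.com by mx.example.net; "
               "Tue, 14 Sep 2021 10:00:05 +0000\n" + signed)
    extra_date = "Date: Tue, 15 Sep 2020 10:00:00 +0000\n" + signed
    return verify(signed), verify(backdated), verify(relayed), verify(extra_date)
```

The third case is the important caveat: headers outside h= (Received lines, anything a relay appends) are not covered, so a valid signature says the covered fields are what the signer saw, not that the delivery path is genuine. An unsigned message proves nothing either way unless the sending domain is known to sign everything, as the answer says of Gmail.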
Existing answers are correct, but incomplete. I would like to highlight two other scenarios.
First, about SMTP.
Under some conditions, someone can connect directly to the final SMTP server and deliver an email. SPF for instance could be used to prevent that.
If that was to happen, then the sender has full control over the email, except the possible last bit added in the header by the final SMTP server.
That means that all headers but the last one (or ALL, if the final SMTP doesn't add a header) are under control of the sender, who can make it look like the email went through a long list of legitimate email servers.
However as long as the receiving server includes the date in the added header, there will be a discrepancy.
Second, about emails in general.
You do not necessarily have to store email on a third party server. Emails can be downloaded to my computer and deleted from the server. Then, we're talking about files on my server, which, with the right knowledge of course, I can edit to look like anything I want.
Also most servers storing emails allow access using IMAP. And you will find nice tools that allow you to move emails from one provider to another, using IMAP. Give them your credentials for both accounts, and they will copy all emails from source to target. It is similar to when you send an email using an email client like Thunderbird... The email is sent over SMTP, but the copy that goes to your account in the sent folder is actually placed there using IMAP.
So somebody could use IMAP to place an email with the exact content they want on their account.
At that level, forensic analysis might help prove the fake, as might server logs, if still available. If the email header says "received from server 10.0.0.1 on 01/01/2020 at 21:00" and the SMTP server logs show no connection from 10.0.0.1 on that date/time, then it could well be a fake. If the email has an attachment that uses yEnc and is claimed to have been sent by Outlook, while Outlook doesn't support yEnc, then it's likely to be a fake.
Conclusion
As long as there's no cryptographic signature, yes, there are various ways to make an email appear as sent from someone else. In the end, an email is stored somewhere as a file or database entry.
Determining if the email is legit is a forensic job, and depending on how the fake would have been made, it may prove quite hard, and may require involving a court (to get server logs, granted they still exist).
At the SMTP level, the SMTP server receives a fully composed text consisting of the headers, a blank line, and the body. It also has what is called the envelope addresses and what are given in other commands of the SMTP protocol.
A normal server adds some lines into the header, normally a Received one and optionally others. But it neither checks consistency between the envelope addresses and the header addresses nor removes any existing header.
That means that if the message contains headers like
From: joe.biden@white_house.gov
Date: Tue, 1 Apr 2021 12:00:00 +0000
chances are that a mail reader presents it as being sent by Joe Biden on the first day of April.
The limitation is that, while any header line can be forged, it is not possible to forge them all (unless you have full control over the last SMTP server) because each server on the chain should add its own Received line. So if you have any doubt on the authenticity of a mail, you should first check the chain of servers. If the first one is not consistent with the From address, chances are that the address has been forged, and the same for the date.
-
One remark: the domain name for the White House is whitehouse.gov, without the underscore. – Nzall Sep 30 '21 at 12:03
-
@Nzall I took that as an obvious indication this is a made-up example domain, because underscores aren't permitted in domain names. – TooTea Oct 01 '21 at 20:56
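The header checks that the second and third answers describe (the date discrepancy a genuine last Received line introduces, the chain of servers, and whether the first hop fits the From address), as an added example that is not part of the original thread. The two sample messages are constructed: a normal two-hop delivery, and a backdated message handed straight to the recipient's MX with two fabricated Received lines sitting below the genuine one. The seven-day queue limit and the five-minute clock-skew allowance are assumptions taken from the three-to-seven-day bounce window mentioned in the comments.

```python
import email
import re
from datetime import timedelta
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions: relays bounce after 3-7 days, so a longer gap anywhere in the
# timeline is not normal queueing; a few minutes of clock skew between hops is.
MAX_QUEUE_DELAY = timedelta(days=7)
CLOCK_SKEW = timedelta(minutes=5)

# "from <host> ... by <host>" in a Received clause; the optional brackets
# cover servers that log only an IP literal.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<frm>\[?[\w.\-:]+\]?).*?\bby\s+(?P<by>\[?[\w.\-:]+\]?)", re.S)


def parse_received(value):
    """One Received: header -> (from_host, by_host, timestamp). The timestamp
    is whatever follows the last ';' (RFC 5321 section 4.4); None if absent."""
    clause, _, stamp = value.rpartition(";")
    m = RECEIVED_RE.search(clause)
    frm = m.group("frm").lower() if m else None
    by = m.group("by").lower() if m else None
    ts = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
    return frm, by, ts


def analyze(raw):
    """Return [(code, detail), ...]. An empty list means the headers are
    self-consistent, which is evidence, not proof, that nothing was forged."""
    msg = email.message_from_string(raw)
    # Received lines are prepended hop by hop, so the bottom one is nearest
    # the origin; reverse to get chronological order.
    hops = [parse_received(v) for v in msg.get_all("Received", [])][::-1]
    if not hops:
        return [("no_received", "no Received headers: never relayed, or stripped")]
    findings = []

    # Date header followed by each hop's timestamp must move forward in time,
    # and never by more than a relay would hold a message before bouncing it.
    timeline = []
    if msg.get("Date"):
        timeline.append(("Date header", parsedate_to_datetime(msg.get("Date"))))
    for i, (frm, by, ts) in enumerate(hops, 1):
        if ts is not None:
            timeline.append((f"hop {i} (by {by})", ts))
    for (a_name, a), (b_name, b) in zip(timeline, timeline[1:]):
        gap = b - a
        if gap < -CLOCK_SKEW:
            findings.append(("time_reversal", f"{b_name} is earlier than {a_name}"))
        elif gap > MAX_QUEUE_DELAY:
            findings.append(("excessive_delay", f"{gap.days} days between {a_name} and {b_name}"))

    # Each hop's 'by' host should be the next hop's 'from' host. Legitimate
    # mail can trip this (a host naming itself differently in HELO), so treat
    # it as a lead to check against server logs, not a verdict.
    for (_, by, _), (frm, _, _) in zip(hops, hops[1:]):
        if by and frm and by != frm:
            findings.append(("chain_gap", f"{by} handed off, next hop says it came from {frm}"))

    # Originating host versus the From: domain (the third answer's check).
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = hops[0][0]
    if origin and sender_domain and origin != sender_domain \
            and not origin.endswith("." + sender_domain):
        findings.append(("origin_domain", f"first hop {origin} is not under {sender_domain}"))
    return findings


# Constructed sample messages (not from the thread).
CONSTRUCTED_LEGIT = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by mx.example.net with ESMTP id abc123
    for <bob@example.net>; Tue, 14 Sep 2021 10:00:07 +0000
Received: from laptop.example.com (laptop.example.com [192.0.2.20])
    by mx.example.com with ESMTPSA id def456; Tue, 14 Sep 2021 10:00:02 +0000
From: Alice <alice@example.com>
To: bob@example.net
Date: Tue, 14 Sep 2021 10:00:00 +0000
Subject: Invoice

Please find the invoice attached.
"""

# Only the top Received line is genuine (added by mx.example.net when the
# forger connected to it directly); the two below it were typed by the forger.
CONSTRUCTED_FORGED = """\
Received: from mx.example.com (unknown [198.51.100.7])
    by mx.example.net with ESMTP id xyz789
    for <bob@example.net>; Thu, 30 Sep 2021 15:50:00 +0000
Received: from mail.example.com by mx.example.com with ESMTP id fake1;
    Tue, 15 Sep 2020 10:00:03 +0000
Received: from laptop.example.com by relay.example.com with ESMTPSA id fake0;
    Tue, 15 Sep 2020 10:00:01 +0000
From: Alice <alice@example.com>
To: bob@example.net
Date: Tue, 15 Sep 2020 10:00:00 +0000
Subject: Proof of payment

As you can see, I paid you last year.
"""
```

On the forged sample the script reports a year-long gap before the genuine last hop and a break in the chain between the two fabricated lines; on the legitimate one it reports nothing. The parenthetical after the HELO name in the genuine line (`unknown [198.51.100.7]` claiming to be mx.example.com) is what the second answer's log comparison would settle, and it is also the one thing the forger cannot write themselves, which is why the answers say the last hop is the place to look.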