We are a medium-sized company, and deal with many suppliers all over the world. I was recently asked to look in to a ticket that was a bit confusing. Apparently a user was trying to find an email they said they did not remember sending, to a supplier. Our infrastructure support guys said that the "WebSense" logs didn't have information going back that far (June), so there was no record of the email in anybody's deleted, sent items, etceteras.

I looked at the exchange of emails that the supplier had forwarded to our staff member and noticed something suspicious... On the part of the chain where our staff member was supposed to have replied, there was no line break between the html header (that says From/To/Subject), whilst everywhere else there was.

I did a "View Source" and had a look around, and interestingly enough - around that area, I found a lot of:

<span class="XXXXXXXX 01092015">text</span>

In the above text, "XXXXXX" is some number I can't find rhyme or reason for, but the number after clearly represents the 1st of September. This "Span" class was found in the email-chain in the body of an email dating back to June. It was found in the body text of the email, and also in the time-sent (if something somewhere were tracking changes, somebody wanted to change the appearance of the time the email was sent in the chain). So there were a couple of instances of this. This was very suspicious that a tag dating 1st September, in the part of an email chain when the email was dated June.

I found this <span> tag all over the email chain. A colleague looked in to various inboxes and found every other email sent in the chain, with the exception of this one that appears to have edits in it.

The header HTML has a MSHTML 11 generator tag.

Where did this <span> class come from, and has there been forgery of emails?

Side note: the supplier in question I do not believe is technically savvy.