EmailDiscussions.com  

Old 2 Sep 2016, 01:38 PM   #1
jlopilato
Junior Member
 
Join Date: Sep 2016
Posts: 4
Modifying email after it is sent/received

Hi All:

I have a technical question that I hope someone can answer:

Not long ago, I received an email from a lawyer that told me to look at a document that he supposedly had attached to the email he sent me.

When I received the email, there was nothing attached to it. He's claiming that his outgoing email has the attachment and that I must have erased it.

I can tell you that I did no such thing. I did some testing on emails that I sent to my gmail account with an attachment and then looked at the email source and tried to delete that but could not do it.

In Apple Mail there is a drop-down that allows one to delete an attachment, but Mail adds a statement to the email that says "The attachment was deleted manually".

So, I'm wondering if he might have added the attachment AFTER he sent me the email. Is this possible?

Could anyone here offer an opinion on whether it is possible to modify an email after it is sent or received in an underhanded way and not leave any clues?

TIA for help received...

Old 2 Sep 2016, 04:10 PM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,945
Quote:
Originally Posted by jlopilato View Post
So, I'm wondering if he might have added the attachment AFTER he sent me the email. Is this possible?
No.
Is it an insurmountable problem for the lawyer to send the attachment again?
Old 3 Sep 2016, 05:06 AM   #3
jlopilato
Junior Member
 
Join Date: Sep 2016
Posts: 4
Quote:
Originally Posted by janusz View Post
No.
Is it an insurmountable problem for the lawyer to send the attachment again?
The lawyer is my adversary in court. The attachment was a summons to appear in court. I called his office when I had not received the attachment and left a message, but he never returned my call.

Now I am trying to prove that the attachment was not sent. I need to give the judge a proper explanation. The phone call to his office is not proof - he deleted my message. My phone bill is not proof.

I need to show that I could not have been able to delete the attachment from the email I received from him.

Please help...
Old 3 Sep 2016, 07:53 AM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
We cannot provide any legal advice on this forum. But here is some basic information about emails and attachments.

An email consists of headers followed by a blank line followed by the message body (which may contain attachments). The complete contents of an email are sent as 7-bit ASCII human-readable characters. The only characters you can't see are those associated with the end-of-line terminators. Non-plaintext attachments (such as Word or PDF documents) were originally 8-bit binary data, so they are encoded as ASCII human-readable characters in blocks. The usual term for this is MIME encoding.

During transmission, each new header (which shows how the message is transferred between servers) is added at the top. So the headers are read in reverse, with the oldest headers at the bottom of the header list (immediately before the blank line separating the headers from the message body).

The complete content of an email (headers and message body, including possible attachments and embedded images) is sent as 7-bit ASCII human-readable text. So they can be easily modified by anyone using a text editor.

The best way to check for potential editing of stored emails would be for the sending and the receiving parties to simultaneously exchange what they believe to be the full raw contents of each message. The ".eml" file extension is often used for such saved emails. The two parties could also send their copy to a trusted third party. What is important is that each party not be allowed to edit their copy AFTER viewing the copy held by the other end of the message path. Someone could then line up the various message headers and message body contents and see if there is any obvious editing. At least it should be possible to determine if the message you received was the same message as saved by the sender. A unique Message-ID header is usually added by the sender, and this header and appropriate transfer headers with date/time and server names should match.

It should be possible to see simple forgery by someone who didn't understand the details of email formatting, but it might be possible to modify the sent copy to look like an attachment was falsely sent if you had a copy of the actual received message and could compare the sent and received messages. Again, it's important that each side not see the exact headers of the message held by the other side until the raw message contents are shared by the two sides, to prevent either side from editing their copy after viewing the other side's copy.

A better way might be to get copies of the server logs at the sending and receiving email systems. Combined with the raw message contents of the sent and received purported messages, it should be possible to detect most types of forgery. But this is only if each side keeps their version secret until the copies are simultaneously shared (to prevent editing based on what you see in the other person's version).

Bill
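
The side-by-side comparison described in this post can be done mechanically once both raw `.eml` copies are in hand. The following is an added example, not part of the original post: it lists each MIME part of both copies with a SHA-256 of its decoded content and reports which parts appear in only one copy; the two sample messages, their addresses and the file name are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy

def inventory(raw):
    """Parse one raw message; return its key headers and a list of leaf parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = {"Message-ID": msg["Message-ID"], "Received": msg.get_all("Received", [])}
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        body = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        parts.append((part.get_content_type(), part.get_filename(),
                      hashlib.sha256(body).hexdigest()))
    return headers, parts

def compare(sent_raw, received_raw):
    """Line up the sender's and recipient's copies of what should be one message."""
    sent_h, sent_p = inventory(sent_raw)
    recv_h, recv_p = inventory(received_raw)
    mid = sent_h["Message-ID"]
    return {
        "message_id_match": mid is not None and str(mid) == str(recv_h["Message-ID"]),
        "received_hops": len(recv_h["Received"]),
        "only_in_sent": [p for p in sent_p if p not in recv_p],
        "only_in_received": [p for p in recv_p if p not in sent_p],
    }

# Constructed sample data: two copies that share a Message-ID but differ in parts.
HEAD = ("Message-ID: <constructed-1@example.org>\r\nFrom: a@example.org\r\n"
        "To: b@example.net\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n')
TEXT = "--XX\r\nContent-Type: text/plain\r\n\r\nPlease see the attached document.\r\n"
PDF = ("--XX\r\nContent-Type: application/pdf\r\n"
       'Content-Disposition: attachment; filename="document.pdf"\r\n'
       "Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQK\r\n")
HOP = "Received: from mx.example.org by mx.example.net; Sat, 3 Sep 2016 00:00:00 +0000\r\n"
SENT_COPY = (HEAD + TEXT + PDF + "--XX--\r\n").encode("ascii")
RECEIVED_COPY = (HOP + HEAD + TEXT + "--XX--\r\n").encode("ascii")

if __name__ == "__main__":
    for key, value in compare(SENT_COPY, RECEIVED_COPY).items():
        print(key, value)
```

A difference found this way shows only that the two stored copies disagree; it does not show which copy was changed or when, which is why the post stresses simultaneous exchange and server logs.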
Old 3 Sep 2016, 07:58 PM   #5
communicant
Cornerstone of the Community
 
Join Date: Jul 2009
Posts: 879
Quote:
Originally Posted by jlopilato View Post
The lawyer is my adversary in court. The attachment was a summons to appear in court. I called his office when I had not received the attachment and left a message, but he never returned my call.

Now I am trying to prove that the attachment was not sent. I need to give the judge a proper explanation. The phone call to his office is not proof - he deleted my message. My phone bill is not proof.

I need to show that I could not have been able to delete the attachment from the email I received from him.

Please help...
This is NOT legal advice, and in any case I do not know your location or jurisdiction, or even what country's laws are being applied here. Simply as a couple of general observations, however, first, when you say you are "trying to prove that the attachment was not sent," it is my understanding that it is logically impossible to prove a negative. Second, I was unaware that a valid and binding summons to appear in court could be sent by email and have official force (as opposed to being merely informational). That is why such things are usually still sent by some certified or registered form of paper mail if they are to have complete legal standing. Finally, if the sender deliberately tried to manipulate an electronic communication in order to make it appear that you were doing something wrong (or failing to do something legally required of you), then he may well have behaved improperly and I am sure the judge would strongly disapprove.
Old 7 Sep 2016, 02:10 AM   #6
jlopilato
Junior Member
 
Join Date: Sep 2016
Posts: 4
RE: n5bb response...

I was not looking for legal advice (I only offered the rest of the story in response to the query by Janusz).

What I am looking for is an answer to the question I posed in my first post:

Could anyone here offer an opinion on whether it is possible to modify an email after it is sent or received in an underhanded way and not leave any clues?

I appreciate your response, and you did give me a clue when you stated that the best way to verify the authenticity of the emails is to compare them. "The best way to check for potential editing of stored emails would be for the sending and the receiving parties to simultaneously exchange what they believe to be the full raw contents of each message." I think that the key word here is "raw".

So, with that in mind, I have been studying RFC 1341 and discovered some information about the "boundary" characteristics of an email. Specifically, the "boundary string" that separates the various parts and inclusions of an email. The last two characters of the boundary string after the very end of all parts to an email must be two dashes. I found those two dashes at the very end of the email that was sent to me. This is what I plan to show the court.

Further, the email header/source that I looked at contains a packet of information identified as "X-MXL-HASH:". The string that follows the colon seems to be the MD5 or the SHA of something or some part of the email. I have not been able to find out any information about this packet. If you can supply me with some information as to what the calculation includes, it would be much appreciated.

(I will ask the question in a new thread)

------------------------------------------------------------------------------------------------

RE: communicant response...

Once again, I don't need nor was I asking for "legal advice".

With all due respect, while I appreciate your observations, they were not particularly helpful in answering my initial question (See above).


------------------------------------------------------------------------------------------------

Many thanks to both of you for your responses.

Joe.

Last edited by jlopilato : 7 Sep 2016 at 02:24 AM.
All times are GMT +9. The time now is 02:51 PM.