Potential Manipulat...
 
Notifications
Clear all

Potential Manipulation of Email Name  

  RSS
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Opponents in a civil case I am working on have produced multiple emails with different "aliases" and are suspected of fraud

James Smith
JS
JSmith
MyCompany
JamesSmith

I have performed email header analysis and some of the above emails include an Apple Mail designation in the header, whereas other email headers refer to Google.

The suspected fraud includes the manual manipulation of the sent emails.

QUESTION

What would cause the "alias" (if I am using the correct terminology) of emails to differ such as "James Smith" versus "JS" versus "MyCompany"???

Quote
Posted : 11/11/2019 11:52 pm
athulin
(@athulin)
Community Legend

QUESTION

What would cause the "alias" (if I am using the correct terminology) of emails to differ such as "James Smith" versus "JS" versus "MyCompany"???

What you call 'alias' is generally called 'display-name' from the term defined by RFC 2822 specification (section 3.4). It's a name intended for human eyes only. It's typically (but not exclusively) added by the email client when it sends a mail to its MTA, the outgoing mail server for transport, and is, generally, based on information the user has supplied when that specific account setup was done.

(Added RFC 2822 has been obsoleted. But 3.4 in RFC 5322 says the same thing …)

If you set up multiple clients, (or multiple accounts on the same client) and give those accounts different display names, different names will be used in From addresses in mails sent.

In To addresses, they are not technically significant they're typically what the replying part writes in/ copies from a mail, or has in his address book. And that in turn is often dependent on what an earlier mail contained, and that, as already noted, may depend on which of multiple clients the sender was using. But … as most email clients allow users to enter display names in recipient addresses, it can be just what that user does enter – multiple clients need not be involved.

Often, when beginning email users learn what the names they entered during client account set up, they go back and change it. I've seen 'WhatTheF…ShouldIWriteHere' (or words to similar effect) as display-name in mail addresses. As a user is usually given the ability to do that at any time or any number of times, using that ability is, on its own, hardly an issue.

Thus, significance of display-name is in general low. It's first when you know that it has not been supplied by hand, nor faked by a name generator, and does rely on earlier mail the sender received, that it may start to mean anything.

I have performed email header analysis and some of the above emails include an Apple Mail designation in the header, whereas other email headers refer to Google.

The suspected fraud includes the manual manipulation of the sent emails.

So, without further details, I would expect the Apple Mail client to have been set up to use one display-name, and a Google mail account to set up to use another. Add additional account set up, or a user who hasn't decided what his display-name should be, and changes it, to make up for the rest.

I can see no fraud involved in changing a display-name, at least not without further details. I'd need at least a display-name definitely associated with an entirely different person, and some form of assumption that that false display-name be taken for a real one, and so a mail from user A be taken for a mail from user B, before I would even entertain the idea.

If the display-names you mention are real (or at least reflect reality), I'd suspect a user with multiple mail accounts, set up at different times, on different stationary and mobile devices … and even some web mail accounts, and who didn't think having the same display-name would be of any significance whatsoever. If they mails were sent (?) over a very short time, say a few hours, I might want to ask what problems he was experiencing at the time. If they are from a much longer period, I'd might want to ask how many mobile phones had been replaced over that period.

If I knew that the recipient used display-name for mail filtering (instead of the real sender address – which seems to stay the same) I might suspect attempt to bypass a mail filter. But I'd also expect some wildly new display-names, not ones that are closely-related with 'the real one' (if one exists).

ReplyQuote
Posted : 12/11/2019 6:49 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Thank you - very helpful.

So basically one can input different "Display Names" on different email clients

I could input "John Smith" as a display name using an Outlook client on one laptop and input "JSmith" as a display name using Outlook on a separate desktop computer, which would result in the different display names appearing depending upon which Oulook client was used to send a given email.

ReplyQuote
Posted : 14/11/2019 8:37 pm
athulin
(@athulin)
Community Legend

I could input "John Smith" as a display name using an Outlook client on one laptop and input "JSmith" as a display name using Outlook on a separate desktop computer, which would result in the different display names appearing depending upon which Oulook client was used to send a given email.

I'm not sufficiently expert in Outlook client management to answer in the affirmative for all cases. For example, Outlook in corporate environments may have display name stored in AD, and so be dependent on AD user account information, and AD setups may also allows for admins to prevent alteration of some information by the end-user. That kind of possible complication would need the knowledge of an Outlook admin to be able to be reasonably confident about. (Added With Microsoft 365, there apparently is an AD around even if the customer may not be aware of it … potentially more complexity.)

Local admin user rights might also be a complicating affair.

I'd basically want to talk to anyone who was mail admin for any organizatorial infrastructure to get my head around how these things were set up, if there were any policies or recommendations or guidelines to use, or to learn that it was free-for-all, and dependent on whoever got the relevant ticket to help the user.

If there is no such infrastructure, and for standalone installations on separate computers/platforms, I believe it to be correct.

ReplyQuote
Posted : 15/11/2019 8:13 pm
gungora
(@gungora)
Junior Member

The suspected fraud includes the manual manipulation of the sent emails.

If this manual manipulation took place after the email passed through the MTA, I would check to see if the email passes DKIM validation. If DKIM fails, and if you have information on what the display name should look like, you can even take this a step further and see if DKIM verifies with the display name you assume to be correct.

I had a quick writeup on this here
Leveraging DKIM in Email Forensics

ReplyQuote
Posted : 16/11/2019 3:15 am
Share: