I just got a letter from court saying I made 49 threats to someone I had a problem with three years ago. This person presents "my emails" as evidence. I went through all my emails, and I haven't found a single one. The emails presented as evidence all come from my email address. He asks for 20,000 dollars for moral damage! How can this happen?

135  
It's easy to send email which appears to come from any address. Sounds like a scam, to be honest... Contact the court, via details found through independent methods (Web search, for example). – Matthew Feb 6 at 15:41
79  
Just because an email says "from [email protected]", that does not mean it came from your account. Just like a paper letter, any return address can be used – schroeder Feb 6 at 15:52
5  
Scam, yes! For the second time. But one of my most important mails to him disappeared from my mail box. Searched for 5 hours, and it is really gone. It was one he used to accuse me. He took some words out of the context, to blame me, and now I cannot retrieve the original to defend myself... – Leah G Feb 6 at 21:15
21  
@LeahG If your email service supports it enable two factor authentication and change your password. Never hurts to play it safe. – Seth Feb 6 at 21:23
8  
I don't understand what "others are done thru my mail" means, did he hack into your email, yes or no? If yes, report the crime, already. If no, I think you mean "he forged the From: header and the email never came from my account". – smci 2 days ago

Is it a scam?

First of all, make sure that you actually got the letter from a court. This might very well be a scam - it sure sounds like one. Do this to verify that the letter is real:

  1. Make sure that the name of the court corresponds to a real court.
  2. Find contact information for that court through some independent method (i.e. not using any information in the letter).
  3. Contact them and ask them if they did in fact send the letter.

If it is not a scam

If it is not a scam, I see three possibilities:

  • The person accusing you of the threats never received the emails, and has forged the evidence. That would not be hard to do. (An investigation of the email headers will not help here, since they can also be forged.)
  • Someone has spoofed your email address, and has sent emails that appear to come from you. This is by no means impossible. (An investigation of the email headers could be useful here.)
  • Someone has hacked your email account (perhaps you used the same password on a site that was breached), sent the emails, and then deleted all traces (e.g. removed them from the sent items folder). (An investigation of the email headers would not help here, since the email is in fact sent from your address. Access logs from your email provider could prove useful, though.)

In any case, what you need to do is get some legal advice.

8  
An investigation of the e-mail headers could help in #3 (the case of hacking), because many e-mail servers are set up to include the originating IP address somewhere in the headers. If that can be taken as legitimate, your ISP should be able to confirm or deny whether the IP address was assigned to your account at the time in question. Of course, there's always case #4: someone hacked your computer and used it to send the e-mails... – Michael Kjörling Feb 6 at 21:24
6  
@T.E.D. Email headers sometimes have a signature, that's unique to the sender and the content. Even though it's plain text, it's pretty darn close to not-forgeable. Sure anyone can edit it, but then it's trivial to show it's been tampered with, because it no longer matches the message + supposed sender's info. (However, someone can simply delete these signatures, in which case you're correct) – Mooing Duck Feb 6 at 23:13
3  
@MooingDuck DKIM signatures are based on RSA and SHA256 (ie. strong cryptography). The public key is kept in a dns record for the domain. It is pretty good evidence that the email was sent by whoever controls the domain, particularly if the email server is hosted by a large provider like gmail. – Bailey S Feb 7 at 10:30
3  
@LeahG If you want an answer for that, I think you need to ask a new question. Focus on the technical aspects, not the court drama. You could link to this question. Include all technical details you can, e.g. what email provider you are using, maybe the email headers. – Anders 2 days ago
3  
@MooingDuck A removal of the DKIM-Signature can be shown with high confidence by taking a different E-Mail from the same (alleged) mail service provider and around the same time (earlier may also be fine) and see if it has a DKIM signature. MSPs won’t change their DKIM habits that often. If the early email is still signed with the same key which is currently published in the DNS, I’d consider that very strong evidence. – Jonas Wielicki yesterday

(Assuming US) No court is going to pre-emptively demand a settlement of $20K for a misdemeanor(!!!) before you've even had a chance to testify. Furthermore, threats are a criminal matter; this isn't a property dispute-- the police would have questioned you long ago, before this ever went to court.

If this letter truly claims to have been issued by a court (and you're not misreading it), it's bogus. Call the magistrate's office for the issuing municipality and verify.

If it came from a lawyer's office, it's a shakedown. Don't sweat it. Consult your own-- they may well tell you to just ignore it. The victim/scammer can demand whatever they want; it doesn't mean you're obligated to pay.

Either way, someone's targeting you (possibly the "victim") and one of your first steps needs to be filing a police report to document the fact that someone is either making false accusations or committing criminal behavior in your name. It's easy, free, and sets a precedent that you can later point back to if this escalates or happens again.

Whether or not this is bogus, under no circumstance should you talk to the (alleged) victim.

13  
(...) talk to the alleged victim / possible scammer. That is why sometimes it is a good policy to cut phone calls short too. You can never be 100% sure the person on the other side is really what they state to be. – Mindwin Feb 6 at 18:38
    
Technical issues aside this is probably the best answer here. A settlement in and out of court is a long lengthy process no matter where in the world (errr.... bar some radical exceptions). – Namphibian Feb 6 at 23:49
1  
@Johnny, It is a real Court letter. Maybe my English is not good enough to tell you the exact name in English. I went to the Court today, and really have to prove that I did not write those emails.... – Leah G Feb 7 at 17:50
28  
@LeahG if it's a real court letter and has been independently verified by the court, do not waste any more time on StackExchange and immediately seek the services of a legal professional who understands electronic evidence and can disprove that those letters actually came from you. – Doktor J Feb 8 at 1:17
5  
@LeahG, I don't know what country you are in, and I Am Not A Lawyer, but I am fairly certain that no, you don't have to prove you didn't write those emails - the burden of proof lies on the accuser. In my country, email headers do not constitute burden of proof without a lot of other corroborating evidence. In any case, consult a lawyer! – Greenstone Walker 2 days ago

Given the additional information in comments,

I have a gmail account and use Mac. He wants to delete evidence. He used the original one, edited it, printed it, presented to his lawyer and deleted the original.

He did hack my email. Last week he deleted the original of one of emails that he edited and presented as evidence. Other mails are simply forged.

you must secure your email account. Change your password to a strong password you don't use anywhere else. Log out all other sessions. Since you use GMail, set up 2-factor authentication (that is, when someone attempts to log in, Google texts your phone to send a code which is needed to complete that access).

Before you do that, in order to preserve access data, use the "Details" link at the bottom right of the GMail screen to show accesses to your account. Screenshot that data: it will change with subsequent accesses and the earliest ones shown will disappear. That's also the screen you use to sign out all other open sessions on your mailbox. Once you have secured as much access data as you can and signed out everywhere else, change your password.

You may find that deleted emails are still retained in the Bin/Trash/Deleted folder (although I suspect he will have removed anything relevant from here as well).

Unfortunately, if he has gained access to your account, then the emails which appear to have been sent from your account have actually been sent from that account. Forgery protection is useless in this case, and it will be difficult to prove that you did not do that or that you did not delete emails. If your limited access log does not provide proof of access from a location which wasn't yours, then you will need Google to provide server logs, but that will not be easy to achieve.

    
Too late for "details". I did set up the 2-factor yesterday... – Leah G 2 days ago
    
@LeahG That's a pity. But if you have set up 2FA and forced every other session to be signed out then that will make it difficult to happen again. Now you just need to sort out his unauthorised use of your account. Hopefully that won't cost the 20k he's claiming. – Andrew Leach 2 days ago
    
If you really need it in court, Google might still have some info for you. It's probably worth your while to reach out to them, @LeahG. – Shokhet yesterday
    
@LeahG: Probably your computer itself is infected. You cannot trust any device you previously owned or any subsequent device that you connect to any of them. If you use them to access your gmail account, you run a high risk of getting it hacked again. 2FA does not prevent a malware that resides and runs on your compromised device from doing things when you are logged in to your gmail account. – user21820 yesterday
    
Also contact Google as Shokhet suggested. If their logs show that the only activity comes from your devices, then my hypothesis is the only possible one (unless the hacker hacked Google). – user21820 yesterday

It is actually very easy to send an email and to enter the email you would like it to show as sent from.

Here is one that I found on a quick Google search

I do believe it is a scam like all the others said. But it is very possible for someone to send emails that appear to come from you.

    
anonymousemail.me/mobile this website works. The point that I wanted to make was that you can send an email from an external website that shows from other emai – werner van deventer Feb 7 at 14:45
    
@ werner van deventer, please do it and share the results. I have to prove that I did not send those mails, or provide to the Court information about how it can be done without being me. – Leah G Feb 7 at 17:53

Due to the nature of electronic mails, anyone can send a mail with any name from NASA to FBI to your neighbour. You need to raise the court's attention to this.

Get the court to release the full emails, including their headers. The headers will tell that the emails did not go through your mail server (or the mail server you use). If you are using an email giant like Google, Yahoo, etc., like 99% of other people use, it's pretty easy to prove you're right, because the absence of DKIM is a clear sign of spoofing. If not, you might have to prove that you did not have access to the server the mail originated from.

P.S.: Modern email providers automatically use DKIM and SPF for validating authority, and some of them (Gmail for example) constantly mark emails as spam whose senders don't use these. I think it's by now a widely accepted standard, and exchanging mails without these techniques is just like regular mail where you claim to be yourself just by writing your name on the envelope.

3  
While you're right, it's still trivial to fake an email including all its headers, DKIM/SPF notwithstanding. – Lightness Races in Orbit Feb 6 at 18:58
3  
@LightnessRacesinOrbit - Yup. If it was (allegedly) sitting on the guy's computer, he could have easily done anything with it, including write the whole thing himself. – T.E.D. Feb 6 at 21:20
2  
Heck, you can fake a whole lot more than e-mail headers. – Michael Kjörling Feb 6 at 21:26
3  
...including its headers. And "the court" should actually access the server and e-mails. And the server should be verified. Printed or text-file copies can have anything in them with no logical relationship to whatever might have been "sent". – user2338816 Feb 7 at 10:15
    
@LightnessRacesinOrbit SPF would be pretty worthless because they could write whatever origin IP is approved by SPF in the header. DKIM is pretty secure though... – Bailey S Feb 7 at 10:40
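The DKIM discussion in the answer and comments above, as an added example that is not part of the original thread: given the full raw message, this Python code recomputes the DKIM body hash and compares it with the `bh=` tag, which shows whether the body was edited after signing or whether no signature is present at all. The function names, the addresses, the `example.org` domain and the `sel1` selector are hypothetical, and the sample message is constructed with a placeholder `b=` value.

```python
import base64
import hashlib
import re
from email import message_from_bytes

def canon_body(body: bytes, mode: str) -> bytes:
    """DKIM body canonicalization (RFC 6376 section 3.4), 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of space/tab, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def dkim_tags(raw: bytes) -> dict:
    """Parse the tag=value list of the first DKIM-Signature header, if any."""
    value = message_from_bytes(raw)["DKIM-Signature"]
    tags = {}
    for part in (value or "").split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # unfold the value
    return tags

def body_hash_status(raw: bytes) -> str:
    """Return 'unsigned', 'unsupported', 'match' or 'mismatch' for the bh= tag."""
    tags = dkim_tags(raw)
    if "bh" not in tags:
        return "unsigned"
    if not tags.get("a", "").endswith("sha256"):
        return "unsupported"
    canon = tags.get("c", "simple/simple")
    mode = canon.split("/")[1] if "/" in canon else "simple"
    body = canon_body(raw.partition(b"\r\n\r\n")[2], mode)
    if "l" in tags:  # optional limit on how many body bytes were signed
        body = body[: int(tags["l"])]
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    return "match" if digest == tags["bh"] else "mismatch"

def sample(body: bytes, signed_body: bytes) -> bytes:
    """Constructed message: bh= covers signed_body, b= is a placeholder."""
    bh = base64.b64encode(hashlib.sha256(canon_body(signed_body, "relaxed")).digest()).decode()
    head = ("From: alice@example.org\r\nTo: bob@example.net\r\nSubject: lunch\r\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
            f" s=sel1; h=from:to:subject; bh={bh};\r\n b=PLACEHOLDER\r\n")
    return head.encode() + b"\r\n" + body
```

A `match` only shows that the body is the one that was hashed; whether the domain really signed the message depends on verifying `b=` against the public key published in DNS, which this example does not do.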

Since this is on security, I'll ignore the legal questions and go to the e-mail issue:

It is absolutely trivial to fake e-mail. Even making a reasonably good fake that stands up to surface scrutiny is not very hard. Inspecting headers may or may not be worth the effort, they can be faked, too. Especially if you have no access to the original mail resting on the original server that is not under the control of the person making the claim, then an e-mail is basically just a text that I can just as well fabricate wholesale.

In short: Someone claiming to have mails from you that you didn't send does not mean your mail was hacked. If it had been sent through your (hacked) account, you would most likely find them in the outbox or in the trash can. (Of course, the attacker could clean up after himself, but why should he? The mail actually being there makes his case stronger, and you claiming you didn't send it when it's in your outbox is a weak defense.)

tl;dr: Most likely, nobody hacked your mail, someone just forged one or made up the whole thing.
