Mark Williams

Email Tampering


Apologies in advance as this isn't really an Indy question, but not sure where else to ask it.

I have written functions to batch parse information from emails. I would also like to be able to flag up possible suspicious activity such as date tampering.

One of the things I am looking at is the difference between the date time in the Date header and the date time of the first Received header. If there is a significant difference between the two then I will flag the item as suspicious.

However, I am not sure what would be a significant time difference to warrant flagging. Anything more than a few minutes strikes me as too long and my initial view is to opt for about 30 minutes. Views as to whether that sounds sensible would be appreciated.


Measure! Try trials. Set up a "sandbox". IMHO the values/factors will be dependent on your specific stream of messages.


E-mail clients often are able to work in offline mode and then send/receive e-mails when connection is available. I believe that in this case "Date" and first "Received" can differ significantly.

1 hour ago, Mark Williams said:

Anything more than a few minutes strikes me as too long and my initial view is to opt for about 30 minutes.

Depending on the MTA settings it could keep and try to pass it to the MX for even 5+ days.

Date could also be in the future and not only in the past.

Spam filters rank emails with points; you could adopt this method.

Also, you could look up spamassassin's and policyd-weight's rules to find out more.


Thanks for the responses. Hadn't thought of delayed sends. What I'm trying to catch is someone setting the date on their computer to a date in the past and sending an email to make it appear as though it was sent earlier than it in fact was.

21 hours ago, Attila Kovacs said:

Date could also be in the future and not only in the past.

I haven't come across this, but surely if the Date header is later than the Received header someone's clock is showing the wrong time?
2 hours ago, Mark Williams said:

I haven't come across this, but surely if the Date header is later than the Received header someone's clock is showing the wrong time?

I wouldn't depend on the date to filter emails, nor would I suggest it. While when it happens it means 99% that such an email is spam, the 1% is real and important. Imagine you turned your phone off and unplugged the battery for some reason, then returned the battery and turned the mobile on; an email comes along and you replied before the mobile got the correct time from the provider. There are also other examples, like using your own SMTP server hosted somewhere on a dedicated server like Hyper-V: these servers tend to stick to the host timing, and no matter what or how you fix the guest time it will revert to the host timing, and the only possible fix is configuring the time zone. So in theory, if the host has the UTC time zone and you wanted your guest to have another time zone, you will see differences if these time zones have different summer/winter times.
17 hours ago, Kas Ob. said:

I wouldn't depend on date to filter emails,

It's not for filtering purposes. It is for a system that will store documents/resources including emails. When users are examining email threads I simply want to highlight that there may be something suspicious about one of the emails in the thread not exclude it from the thread.


So if in 99% of the cases a Date header later than the Received header is suspicious, that works for me.

Perhaps my original question was unclear and answers have been given on the basis that I was looking to exclude such emails. Far from it, I am looking to highlight them. With that in mind perhaps I can ask my original question again.

What sort of time difference by which the Date header is greater than the first Received header would you consider suspicious? I have opted for 30 minutes, but presumably there is an argument to say any difference is suspicious as I would expect most users' computers' and servers' clocks are automatically set.

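Pulling the thread's points together (compare Date against the earliest Received timestamp, treat a Date in the future differently from a Date in the past, and score rather than exclude), here is an added example. It is not code from this thread or from Indy; it is written in Python with the standard library's email module because the logic, not the mail library, is the point. The 30-minute threshold is the one discussed above; the point weights, the choice of the bottom-most Received header as "first" (each hop prepends its own, so the last one in header order is the earliest hop), and all sample messages are constructed assumptions.

```python
"""Flag e-mails whose Date header disagrees with the earliest Received header.

Added example, not code from the thread. Thresholds and point weights are
assumptions chosen to illustrate spam-filter-style scoring of header skew.
"""
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

SKEW_THRESHOLD = timedelta(minutes=30)   # the 30-minute figure from the thread
POINTS = {                               # assumed weights, spam-filter style
    "date_missing": 2,
    "date_unparseable": 2,
    "date_in_future": 3,                 # sender clock ahead of the first MTA: rarely legitimate
    "date_in_past": 1,                   # offline/delayed send or MTA retries are plausible
}


def _to_utc(dt):
    """parsedate_to_datetime returns a naive datetime for '-0000'; treat that as UTC."""
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def earliest_received_time(msg):
    """Timestamp of the first hop that accepted the message, or None.

    Received headers are prepended by each hop, so the last one in header
    order is the earliest hop. Its timestamp follows the final ';'.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    stamp = received[-1].rsplit(";", 1)[-1].strip()
    try:
        return _to_utc(parsedate_to_datetime(stamp))
    except (TypeError, ValueError):
        return None


def check_date_skew(raw, threshold=SKEW_THRESHOLD):
    """Return (score, findings, skew_seconds) for one RFC 5322 message string.

    skew is received - date: positive means the Date header is earlier than the
    first hop's clock (back-dated or delayed), negative means it claims a time
    in the future. skew_seconds is None when nothing could be compared.
    """
    msg = message_from_string(raw)
    findings = []
    date_hdr = msg.get("Date")
    if date_hdr is None:
        findings.append("date_missing")
        return POINTS["date_missing"], findings, None
    try:
        sent_at = _to_utc(parsedate_to_datetime(date_hdr))
    except (TypeError, ValueError):
        findings.append("date_unparseable")
        return POINTS["date_unparseable"], findings, None
    received_at = earliest_received_time(msg)
    if received_at is None:
        return 0, findings, None          # no trace header to compare against
    skew = received_at - sent_at
    if skew < -threshold:
        findings.append("date_in_future")
    elif skew > threshold:
        findings.append("date_in_past")
    return sum(POINTS[f] for f in findings), findings, skew.total_seconds()


def sample(date_header):
    """Build a constructed two-hop message; date_header=None omits the Date line."""
    lines = [
        "Received: from mx.example.net (mx.example.net [192.0.2.10])",
        "    by mail.example.org with ESMTP id abc123;",
        "    Tue, 5 Mar 2019 10:02:11 +0000",
        "Received: from client.example.net (client.example.net [198.51.100.7])",
        "    by mx.example.net with ESMTPSA id def456;",
        "    Tue, 5 Mar 2019 10:01:58 +0000",
    ]
    if date_header is not None:
        lines.append("Date: " + date_header)
    lines += ["From: alice@example.net", "To: bob@example.org", "Subject: test", "", "hello"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cases = {
        "normal":     sample("Tue, 5 Mar 2019 10:01:40 +0000"),   # 18 s skew
        "back-dated": sample("Mon, 4 Mar 2019 09:00:00 +0000"),   # claims a day earlier
        "future":     sample("Tue, 5 Mar 2019 12:30:00 +0000"),   # claims 2.5 h later
        "no date":    sample(None),
    }
    for name, raw in cases.items():
        print(name, check_date_skew(raw))
```

The score is meant to be shown next to the message in a thread view, not used to drop it: a positive skew of a day is what an offline client or a retrying MTA produces and gets a low weight, while a Date ahead of the first hop's clock gets the high weight the thread's 99% remark suggests. If "first Received" is meant as the topmost header (the final hop), change `received[-1]` to `received[0]`; the rest of the logic is unchanged.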
