114

I just got a letter from court saying I made 49 threats to someone I had a problem with three years ago. This person presents "my emails" as evidence. I went through all my emails, and I haven't found a single one. The mails presented as evidence all come from my email address. He asks for 20,000 dollars for moral damage! How can this happen?

(ed. The letter is a valid and official legal document in accordance with the normal procedures in the country of Portugal. OP has already engaged with a lawyer. The accuser is a known scam artist. This question is about the technical details of the emails.)

schroeder
Leah G
  • 162
    It's easy to send email which appears to come from any address. Sounds like a scam, to be honest... Contact the court, via details found through independent methods (Web search, for example). – Matthew Feb 06 '17 at 15:41
  • 102
    Just because an email says "from LeahG@email.com", that does not mean it came from your account. Just like a paper letter, any return address can be used – schroeder Feb 06 '17 at 15:52
  • 2
    The "how" is easy: your mail provider and the mail provider of the person you allegedly sent e-mails to did not employ the proper anti-spam techniques to prevent sender spoofing (stuff like DKIM, SPF, etc.). However, just because a name is present on an envelope does not prove that person sent it. That proof has to be derived through other means (like logs or the mail headers). – LvB Feb 06 '17 at 15:59
  • 10
    Scam, yes! For the second time. But one of my most important mails to him disappeared from my mailbox. Searched for 5 hours, and it is really gone. It was one he used to accuse me. He took some words out of context to blame me, and now I cannot retrieve the original to defend myself... – Leah G Feb 06 '17 at 21:15
  • 27
    @LeahG If your email service supports it enable two factor authentication and change your password. Never hurts to play it safe. – Seth Feb 06 '17 at 21:23
  • 3
    Regarding the missing mail: Do you store your mail on a server and connect via IMAP? If so, deleting mail on the server will usually cause your client to delete it as well. If it's been deleted on the server, it may be because whoever is trying to scam you decided to remove your evidence against them. In the future, keep an offline backup of any important emails, particularly if you use IMAP (or a webmail interface, for that matter). – micheal65536 Feb 07 '17 at 08:12
  • 1
    bishop, when I say "a letter" I mean the entire Court accusation, with his lawyer's accusations, something like 90 pages. It is an official document and now I have to defend myself. That's why I came here. To try to understand how he could get those mails. And in Portugal the Court sends you a registered/certified letter with all the details. And I know the man very well. He scammed me three years ago... – Leah G Feb 07 '17 at 08:13
  • 2
    Micheal Johnson, I have a Gmail account and use a Mac. And you are right, he wants to delete evidence. He used the original one, edited it, printed it, presented it to his lawyer and deleted the original, so I could not defend myself. – Leah G Feb 07 '17 at 08:17
  • 5
    @smci It is Portugal, I know the guy, name, address, and all. IT IS a real court issue. I'm just arriving from Court, and had a meeting with a lawyer. He scams people, that's how he earns his money. My question, as you can read in the beginning, is how can those mails be made? Some of them are fake, like copy-paste, and others are done through my mail. I changed the password again today. His point is to make me pay him the 20k for moral damage caused by my threats of spanking him... he says he is afraid of leaving home. We don't even live in the same city... what a novel!!!! – Leah G Feb 07 '17 at 17:41
  • 14
    I don't understand what *"others are done thru my mail"* means, **did he hack into your email, yes or no?** If yes, report the crime, already. If no, I think you mean "he forged the From: header and the email never came from my account". – smci Feb 08 '17 at 03:55
  • Most e-mail services do not validate that the sender is who he claims to be and even some of those that do permit supplying false credentials. Over the years I've written multiple programs that "forge" the sender, no problem at all. (Completely innocent--sending through my ISP's mail server but I want my proper e-mail address to show up on the message.) – Loren Pechtel Feb 08 '17 at 05:00
  • 2
    @smci, yes, he did hack my email. Last week he deleted the original of one of emails that he edited and presented as evidence. Other mails are simply forged. I am waiting for his lawyer to give it to court so that we can verify. – Leah G Feb 08 '17 at 09:38
  • 11
    If he did in fact break into your email account and sent and deleted emails within that account, you should contact your email provider to let them know your account has been breached and ask if they log the IP addresses used to access your account. This could be useful to show that it was accessed from his IP. – Reinstate Monica -- notmaynard Feb 08 '17 at 22:07
  • @LeahG How did the court case turn out? – mbomb007 Mar 02 '18 at 20:00

7 Answers

213

Is it a scam?

First of all, make sure that you actually got the letter from a court. This might very well be a scam - it sure sounds like one. Do this to verify that the letter is real:

  1. Make sure that the name of the court corresponds to a real court.
  2. Find contact information to that court through some independent method (i.e. not using any information in the letter).
  3. Contact them and ask them if they did in fact send the letter.

If it is not a scam

If it is not a scam, I see three possibilities:

  • The person accusing you of the threats never received the emails, and has forged the evidence. That would not be hard to do. (An investigation of the email headers will not help here, since they can also be forged.)
  • Someone has spoofed your email address, and has sent emails that appear to come from you. This is by no means impossible. (An investigation of the email headers could be useful here.)
  • Someone has hacked your email account (perhaps you used the same password on a site that was breached), sent the emails, and then deleted all traces (e.g. removed them from the sent items folder). (An investigation of the email headers would not help here, since the email is in fact sent from your address. Access logs from your email provider could prove useful, though.)

If it's not a scam, what you need to do in any case is to get some legal advice.

Anders
  • 1
    I think many emails have source signatures, in which case investigation of those headers may show that they were forged in that first option. Maybe. – Mooing Duck Feb 06 '17 at 20:36
  • 1
    @MooingDuck ...of course those could be forged too. All that header stuff in emails is essentially just plain text. It's so easy to edit, it doesn't even really qualify as "hacking". I'd say get a good lawyer, and have him subpoena the guy's computer. If the guy forged them himself, and has half a brain, he'll drop the case immediately. (Anyone who'd do something that dishonest to someone is quite likely to have stuff in there he doesn't want coming out in court). – T.E.D. Feb 06 '17 at 21:12
  • 12
    An investigation of the e-mail headers *could* help in #3 (the case of hacking), because many e-mail servers are set up to include the originating IP address somewhere in the headers. If that can be taken as legitimate, your ISP should be able to confirm or deny whether the IP address was assigned to your account at the time in question. Of course, there's always case #4: someone hacked your computer and used *it* to send the e-mails... – user Feb 06 '17 at 21:24
  • Well, it is a real letter from Court!!!!!!! – Leah G Feb 06 '17 at 21:24
  • If I get the emails (printed) from the Court, I can I investigate the headers? Meeting with a lawyer tomorrow! – Leah G Feb 06 '17 at 21:29
  • *how can I investigate the headers? – Leah G Feb 06 '17 at 21:59
  • 3
    @LeahG Most email software by default omits most of the headers from printouts including all the headers which could be used as hard evidence. The `DKIM-Signature` header is the most likely one to provide any real evidence, but you need some of the other headers as well in order to verify the signature. Ask your lawyer what it means to the case if that person is in possession of evidence but is withholding it. – kasperd Feb 06 '17 at 22:14
  • 8
    @T.E.D. Email headers sometimes have a signature that's unique to the sender and the content. Even though it's plain text, it's pretty darn close to not forgeable. Sure anyone can edit it, but then it's trivial to show it's been tampered with, because it no longer matches the message + supposed sender's info. (However, someone can simply delete these signatures, in which case you're correct) – Mooing Duck Feb 06 '17 at 23:13
  • 4
    @LeahG Email headers can be quite complicated. A good answer for how to do that does not fit into this question, and I don't think I am qualified to answer it anyway. – Anders Feb 07 '17 at 00:22
  • 4
    @MooingDuck DKIM signatures are based on RSA and SHA256 (i.e. strong cryptography). The public key is kept in a DNS record for the domain. It is pretty good evidence that the email was sent by whoever controls the domain, particularly if the email server is hosted by a large provider like Gmail. – trognanders Feb 07 '17 at 10:30
  • 3
    @LeahG I think you asked the wrong question. You asked "How can this happen?", but reading your comments it sounds like what you actually wanted to ask was "How can I prove I did not send an email?" Perhaps you should start a new question asking that? – Anders Feb 07 '17 at 20:22
  • 1
    @Anders In the beginning I really wanted to know how can this happen, got the answers and want to know "How can I prove I did not send an email?" – Leah G Feb 08 '17 at 09:42
  • 4
    @LeahG If you want an answer for that, I think you need to ask a new question. Focus on the technical aspects, not the court drama. You could link to this question. Include all technical details you can, e.g. what email provider you are using, maybe the email headers. – Anders Feb 08 '17 at 09:50
  • @Anders. But I don't find those emails in my mail... spent hours looking for it. ZERO! – Leah G Feb 08 '17 at 21:43
  • @LeahG I assumed you could get the headers from the court, if it is a real court case. Question might work without them, though. – Anders Feb 08 '17 at 22:16
  • 4
    @MooingDuck A removal of the DKIM-Signature can be shown with high confidence by taking a different e-mail from the same (alleged) mail service provider and around the same time (earlier may also be fine) and seeing if it has a DKIM signature. MSPs won't change their DKIM habits *that* often. If the early email is still signed with the same key which is *currently* published in the DNS, I'd consider that very strong evidence. – Jonas Schäfer Feb 09 '17 at 08:52
  • No, one shouldn't get legal advice for bs like this. Legal advice costs money. – Claudiu Creanga Feb 13 '17 at 14:20
  • @ClaudiuCreanga I have clarified that legal advice is only needed if it is not a scam. If the letter is in fact from a real court, I think legal advice is appropriate. – Anders Feb 13 '17 at 16:03
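
As an added illustration (not code from any answer or comment on this page), here is the offline part of the DKIM check discussed in the comments above: recompute the body hash of a raw message and compare it with the bh= tag of its DKIM-Signature header, which shows why an edited body no longer matches. The addresses, selector and message text are constructed samples, and the b= signature is a placeholder.

```python
import base64
import hashlib
import re


def split_message(raw: bytes):
    """Split a raw RFC 5322 message into (header text, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("ascii", "replace"), body


def header_value(head: str, name: str):
    """Unfolded value of the first header called `name`, or None."""
    unfolded = re.sub(r"\r\n(?=[ \t])", "", head)
    for line in unfolded.split("\r\n"):
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_tags(value: str) -> dict:
    """Parse the 'tag=value; tag=value' list of a DKIM-Signature header."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def canon_body(body: bytes, mode: str) -> bytes:
    """DKIM body canonicalization, 'simple' or 'relaxed' (RFC 6376, 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of space/tab, strip line-end whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str, algo="rsa-sha256", length=None) -> str:
    """Base64 digest a signer would place in the bh= tag for this body."""
    # l= tag: only the first `length` octets are hashed (None means all).
    data = canon_body(body, mode)[:length]
    digest = hashlib.sha256 if algo.endswith("sha256") else hashlib.sha1
    return base64.b64encode(digest(data).digest()).decode()


def check_body_hash(raw: bytes) -> dict:
    """Compare the body of a raw message with the bh= value it carries."""
    head, body = split_message(raw)
    sig = header_value(head, "DKIM-Signature")
    if sig is None:
        return {"signed": False, "body_intact": None}
    tags = parse_tags(sig)
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, mode, tags.get("a", "rsa-sha256"), length)
    return {"signed": True, "domain": tags.get("d"), "selector": tags.get("s"),
            "body_intact": computed == tags.get("bh")}


# Constructed sample: addresses, selector and text are made up, and b= is a
# placeholder because producing it needs the signing domain's private key.
SIGNED_BODY = b"Please return the deposit by Friday.\r\n"


def sample_message(body: bytes) -> bytes:
    headers = (
        b"From: alice@example.org\r\nTo: bob@example.net\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
        b" s=sel2017; h=from:to;\r\n"
        b" bh=" + body_hash(SIGNED_BODY, "relaxed").encode() + b";\r\n"
        b" b=PLACEHOLDER\r\n"
    )
    return headers + b"\r\n" + body


if __name__ == "__main__":
    for body in (SIGNED_BODY, b"Please return the deposit by Monday.\r\n"):
        print(check_body_hash(sample_message(body)))
```

A matching bh= only shows that the body is the one that was signed; the b= value still has to be verified against the public key published in DNS at `<selector>._domainkey.<domain>`, and a printout without the raw headers and body cannot be checked at all.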
145

(Assuming US) No court is going to pre-emptively demand a settlement of $20K for a misdemeanor(!!!) before you've even had a chance to testify. Furthermore, threats are a criminal matter; this isn't a property dispute-- the police would have questioned you long ago, before this ever went to court.

If this letter truly claims to have been issued by a court (and you're not misreading it), it's bogus. Call the magistrate's office for the issuing municipality and verify.

If it came from a lawyer's office, it's a shakedown. Don't sweat it. Consult your own-- they may well tell you to just ignore it. The victim/scammer can demand whatever they want; it doesn't mean you're obligated to pay.

Either way, someone's targeting you (possibly the "victim") and one of your first steps needs to be filing a police report to document the fact that someone is either making false accusations or committing criminal behavior in your name. It's easy, free, and sets a precedent that you can later point back to if this escalates or happens again.

Whether or not this is bogus, under no circumstance should you talk to the (alleged) victim.

Doktor J
Ivan
  • 18
    (...) talk to the *alleged* victim / possible scammer. That is why sometimes it is a good policy to cut phone calls short too. You can never be 100% sure the person on the other side is really what they state to be. – Mindwin Remember Monica Feb 06 '17 at 18:38
  • Technical issues aside this is probably the best answer here. A settlement in and out of court is a long lengthy process no matter where in the world(errr.... bar some radical exceptions). – Namphibian Feb 06 '17 at 23:49
  • @Johnny The document I got from the Court has the accusations/pleas including the list of mails I "sent him" "threatening him to the point he cannot leave home out of fear" (ahah! he goes to gym everyday and takes anabolics that make him a huuuge guy) and asks for 20K for the psychological damage I made.... – Leah G Feb 07 '17 at 09:04
  • 3
    @Johnny, It is a real Court letter. Maybe my English is not good enough to tell you the exact name in English. I went to the Court today, and really have to prove that I did not write those emails.... – Leah G Feb 07 '17 at 17:50
  • 45
    @LeahG if it's a real court letter and has been independently verified by the court, do not waste any more time on StackExchange and immediately seek the services of a legal professional who understands electronic evidence and can disprove that those letters actually came from you. – Doktor J Feb 08 '17 at 01:17
  • 9
    @LeahG, I don't know what country you are in, and I Am Not A Lawyer, but I am fairly certain that no, you don't have to prove you didn't write those emails - the burden of proof lies on the accuser. In my country, email headers do not constitute burden of proof without a lot of other corroborating evidence. In any case, consult a lawyer! – Greenstone Walker Feb 09 '17 at 00:36
  • 3
    She said that she's in Portugal in the comments on the question (after this answer was posted). – Brian Feb 10 '17 at 18:43
  • 1
    @GreenstoneWalker Burden of Proof laws vary wildly by country and charge. – Weckar E. Feb 13 '17 at 13:59
16

Given the additional information in comments,

I have a gmail account and use Mac. He wants to delete evidence. He used the original one, edited it, printed it, presented to his lawyer and deleted the original.

He did hack my email. Last week he deleted the original of one of emails that he edited and presented as evidence. Other mails are simply forged.

you must secure your email account. Change your password to a strong password you don't use anywhere else. Log out all other sessions. Since you use GMail, set up 2-factor authentication (that is, when someone attempts to log in, Google texts your phone to send a code which is needed to complete that access).

Before you do that, in order to preserve access data, use the "Details" link at the bottom right of the GMail screen to show accesses to your account. Screenshot that data: it will change with subsequent accesses and the earliest ones shown will disappear. That's also the screen you use to sign out all other open sessions on your mailbox. Once you have secured as much access data as you can and signed out everywhere else, change your password.

You may find that deleted emails are still retained in the Bin/Trash/Deleted folder (although I suspect he will have removed anything relevant from here as well).

Unfortunately, if he has gained access to your account, then the emails which appear to have been sent from your account have actually been sent from that account. Forgery protection is useless in this case, and it will be difficult to prove that you did not do that or that you did not delete emails. If your limited access log does not provide proof of access from a location which wasn't yours, then you will need Google to provide server logs, but that will not be easy to achieve.

Andrew Leach
  • 1
    Too late for "details". I did set up the 2-factor yesterday... – Leah G Feb 08 '17 at 21:49
  • @LeahG That's a pity. But if you have set up 2FA and forced every other session to be signed out then that will make it difficult to happen again. Now you just need to sort out his unauthorised use of your account. Hopefully that won't cost the 20k he's claiming. – Andrew Leach Feb 08 '17 at 22:15
  • 2
    If you really need it in court, Google might still have some info for you. It's probably worth your while to reach out to them, @LeahG. – Shokhet Feb 09 '17 at 06:19
  • 1
    @LeahG: Probably your **computer** itself is infected. You **cannot** trust any device you previously owned or any subsequent device that you connect to any of them. If you use them to access your gmail account, you run a high risk of getting it hacked **again**. 2FA does not prevent a malware that resides and runs on your compromised device from doing things when you are logged in to your gmail account. – user21820 Feb 09 '17 at 15:06
  • Also contact Google as Shokhet suggested. If their logs show that the only activity comes from your devices, then my hypothesis is the only possible one (unless the hacker hacked Google). – user21820 Feb 09 '17 at 15:09
  • Yes, I suppose there may be a keylogger so any password might be transmitted to the hacker (but 2FA will help there). Macs are *less* prone to infection and backdoor compromise than Windows devices -- although it's not unknown -- but it is possible, even likely, that a determined scammer who has struck in the past is using some sort of phishing/social engineering to get access to email accounts. If part of that has allowed a backdoor to be installed, then logs will show only access from your machine. – Andrew Leach Feb 09 '17 at 16:46
  • @LeahG. Your computer is also evidence. If you still have it, stop using it. Consider handing it to the police. Now, you said you're a woman in a documented conflict with a large, muscular man, you've had legally documented dealings with him already with you in the victim's position, and now he's saying he's psychologically damaged by your threats of doing him physical harm. He has "proof" for one of 49 alleged mails. I'm sure that any sane court will take the context into account and come to the right conclusions. If you didn't send the mails, I bet there's more evidence for you than for him. – Out of Band Feb 11 '17 at 01:37
  • @Pascal I wrote some of the emails, he edited them to his own interest and breached again to delete those (the original) mails. I still have 2 or 3 where I can show the Court how he did it. But the rest is gone. Not in my mail anymore... In the beginning, I thought he did make all those mails by himself, but now I am sure he did it through my mail. Next Monday I will be in Court with my lawyer to go through his "evidence" and ask for copies to send to experts. – Leah G Feb 11 '17 at 17:04
  • @LeahG I assure you, the rest is not gone. There are ways of using digital forensics to recover what was written on a system. Don't believe the whole Mac is secure and protects your data nonsense :P. Mac is just like any other system.....aside from not liking you to be able to upgrade your own stuff. – NZKshatriya Feb 12 '17 at 04:20
8

Due to the nature of electronic mails, anyone can send a mail with any name from NASA to FBI to your neighbour. You need to raise the court's attention to this.

Get the court to release the full emails, including their headers. The headers will tell that the emails did not go through your mail server (or the mail server you use). If you are using an email giant like Google, Yahoo, etc., like 99% of other people use, it's pretty easy to prove you're right, because the absence of DKIM is a clear sign of spoofing. If not, you might have to prove that you did not have access to the server the mail originated from.

P.S.: Modern email providers automatically use DKIM and SPF for validating authority, and some of them (Gmail for example) constantly mark emails as spam whose senders don't use these. I think it's by now a widely accepted standard, and exchanging mails without these techniques is just like regular mail where you claim to be yourself just by writing your name on the envelope.

Peter Mortensen
Rápli András
  • 3
    While you're right, it's still trivial to fake an email including all its headers, DKIM/SPF notwithstanding. – Lightness Races in Orbit Feb 06 '17 at 18:58
  • 3
    @LightnessRacesinOrbit - Yup. If it was (allegedly) sitting on the guy's computer, he could have easily done *anything* with it, including write the whole thing himself. – T.E.D. Feb 06 '17 at 21:20
  • 2
    Heck, you can fake [a whole lot more than e-mail headers](https://security.stackexchange.com/q/137098/2138). – user Feb 06 '17 at 21:26
  • 3
    `...including its headers.` And "the court" should actually access the server and e-mails. And the server should be verified. Printed or text-file copies can have anything in them with no logical relationship to whatever might have been "sent". – user2338816 Feb 07 '17 at 10:15
  • @LightnessRacesinOrbit SPF would be pretty worthless because they could write whatever origin IP is approved by SPF in the header. DKIM is pretty secure though... – trognanders Feb 07 '17 at 10:40
7

It is actually very easy to send an email and to enter the email you would like it to show as sent from.

Here is one that I found on a quick Google search

I do believe it is a scam like all the others said. But it is very possible for someone to send emails that appear to come from you.

INV3NT3D
  • https://anonymousemail.me/mobile/ this website works. The point that I wanted to make was that you can send an email from an external website that shows from other emai – werner van deventer Feb 07 '17 at 14:45
  • @ werner van deventer, please do it and share the results. I have to prove that I did not send those mails, or provide to the Court information about how it can be done without being me. – Leah G Feb 07 '17 at 17:53
3

Since this is on security, I'll ignore the legal questions and go to the e-mail issue:

It is absolutely trivial to fake e-mail. Even making a reasonably good fake that stands up to surface scrutiny is not very hard. Inspecting headers may or may not be worth the effort, they can be faked, too. Especially if you have no access to the original mail resting on the original server that is not under the control of the person making the claim, then an e-mail is basically just a text that I can just as well fabricate wholesale.

In short: Someone claiming to have mails from you that you didn't send does not mean your mail was hacked. If it had been sent through your (hacked) account, you would most likely find them in the outbox or in the trash can. (Of course, the attacker could clean up after himself, but why should he? The mail actually being there makes his case stronger, and you claiming you didn't send it when it's in your outbox is a weak defense.)

tl;dr: Most likely, nobody hacked your mail, someone just forged one or made up the whole thing.

Tom
  • Original mails are gone from my email account. Not in trash, nor sent... (Yes I sent him some mails and I've commented before, he edited it to his own interest and came back to delete the original ones, so I could not provide them to Court to show they were edited.) – Leah G Feb 11 '17 at 17:10
  • @Tom Catch up on the other comments here, it *does* appear to be a pretty legit case of alleged hackery. – Jason C Feb 12 '17 at 05:56
  • @LeahG that is a new piece of evidence that changes the story, yes. – Tom Feb 14 '17 at 13:07
2

I cannot help you much with the current issue, other than advising you as others did, that if indeed he broke into your account, and you have to ask the provider, you will have to go to court for the provider to give data about IP addresses.

I would also ask Gmail if they could produce a backup of that deleted email via the court order. I also suspect that you do not even need to prove it was the actual guy hacking your email, and it will be enough to create a reasonable doubt whether your email account was hacked at that time.

As your comments talk about Google, you can edit a history of what devices accessed your account, and it says the make of the device, and the City used.

Go to "My Account" -> "Device activity & notifications" and under "Recently used devices" select "REVIEW DEVICES". Select the suspect device in case it is there.

For the future, I advise you to activate double factor auth, 2FA, which obliges a device to use a token.

I also ask you, how was that individual able to hack you multiple times? Is it possible that at some point in the past he planted some spy software on your computer? Have you answered emails saying "Your account is due to be closed, please confirm your username and password"? The details about your account being compromised seem fishy, to say the least. The easiest way for the guy to go about it would be to create an email very similar to yours, and use 1 true email together with 48 edited emails from that account...

Obviously this is all for problems in the short term. In the long term of things, most providers are only required to save IP addresses and usage by law for 2 years at least.

Beware also that some other emails (2 years +), are harder to locate in Gmail inboxes.

I would also not wait for him to deliver the emails to the court; he has a vested interest in only delivering them at the last minute. Ask through the court for a list of IP addresses, emails and time from Google exchanged between your address and the address of the guy.

On the producing of proofs, beware of bureaucracy. In my case, they summoned me for "a simple meeting", and the court did not do the paperwork on the Citius database, they refused to give data about it to my lawyer over the phone, you yourself as a non-lawyer cannot have a look at your own process, and I had to send my lawyer to another city to browse the physical files, and only then did we find out they had another type of complaint behind the "meeting", and had even arranged witnesses to give a fake account of the facts.

As others said, try to hire a competent legal aid familiar with this field.

Rui F Ribeiro
  • 1
    Let's also put the compensation in perspective... often someone hit by a car only gets 6-10 months of the minimum salary, and that guy is asking for 3.5 years of the raw minimum salary, or better yet, what he would save working 10 years? Seems crazy. It seems more values for the level of salaries/pensions in the UK and not exactly for Portugal. – Rui F Ribeiro Feb 12 '17 at 10:35