Mental Health #12 - or so

[adjusterjack]

cbg, are you familiar with how email headers work?

Might be something you can build into your story.

What is an Email Header?

 

[cbg]

I am sort of vaguely aware of the fact that email headers exist and what is included in them. I may need to know more about them as I progress; I'm not sure yet. At this stage I did need to know whether the type of fake email I needed to have sent existed as the story line requires that Person A and Person B each receive a fake email with some false information, each that supposedly comes from the other but which actually comes from Person C. It was obvious that if Person C has access to Person A's email (which given the story line can be made to happen quite easily) she can send the letter to Person B, but Person C has no access to Person B's email other than through Person A. There's no way to adapt the story line so that Person C has access to both emails; it can be one or the other but not both. If she could not send an email to person A that would look as if it came from Person B, with only the information obtained by using Person A's email, I would have to re-write a major part of the story since that fake information receipt sets up the entire plot. I'm not sure yet how she gets caught so I may yet be coming to you with questions about the hows and wherefores. Thanks, Jack, this gives me a head start. One thing I am not, is Josephine Computer.

 

[Zigner]

It is not difficult for a person to send an email to another that appears to come from a third party. Spammers do it all the time, right? Of course, with a basic amount of due diligence, the receiver can figure out the ruse. But, if you were to send an email to my wife or my father-in-law that appears to come from a person they know and is more-or-less "in character" for that person, it's entirely possible they'd be fooled.

Like, if my aunt was arriving on a flight on Thursday and my father-in-law was picking her up, I could easily fake an email from her telling him that my flight was changed to Friday and he'd buy it. However, if I tried to send an email to my father-in-law that appeared to come from my aunt telling him that he had to send her $5,000 right away, it's less likely to work.

 

[adjusterjack]

These two stories are true. Actually happened to me.

1 - I got an email from a local friend of mine recommending an ED enhancement product. I called him up. Told him thanks but I didn't need one. Turns out his email had been hacked and all his contacts got the same email.

2 - I have a friend back in NYC who I went to college with back in the Stone Age. We've kept in touch, emailed regularly and visit when I go to NY. I got an email from him one day saying that he and his wife (he does have one) were stranded in the Philippines, having lost passports, phones, luggage and money. He asked me to send him $2500. He's enough of a friend that I would gladly have sent money to. I thought about it for a few minutes and figured if it was real he would have just called me up. I sent him a fresh email with a copy of the text to try to confirm it. I didn't get a response for several days and I started thinking maybe he really was stranded. Then he called me up. His email had been hacked and everybody in his contacts list got the same email and he'd been spending days calling everybody up.

There you have it. Can happen and often does. I think the scam is called "spoofing."

 

[cbg]

The fake information kind of walks the line between Zig's two scenarios. It's closer to the second in that both of them really should have known that it was fake. But it's close enough to the first so that it's believable, and a subsequent event that they both misinterpret seems to verify it (Had the fake information not been sent, the subsequent event would never have happened.) When I know more about the "villain reveal" I'll figure out then how much I need to know about the process. I may be back. You all rock, the three of you.

 

[Tax Counsel]

Okay, maybe I'm not making myself clear. Let me ask the question again. There is only one scenario I am asking about.

Assuming that Person C had access to Person A's email and that Person A and Person B correspond by email, would Person C have enough information to send Person A an email that purported to be from Person B but which Person B didn't know about?

That is a Yes or No question.

It is possible that Person C could send an e-mail to Person A that purported to be from Person A and there are several ways that might be done. However, if your question is whether Person C would have enough info to do that just because Person C has obtained access to Person A's computer or e-mail account the answer is no. Simply having access to Person A's computer and e-mail would not give Person C the information needed to spoof Person B's e-mail account. All that access to Person A's account would give to Person C is knowledge of Person A's correspondence with Person B, which would be useful in making the e-mails that Person C wants to send seem more legitimate because the e-mails may refer to things only Person B should know. But there is still the problem of making the e-mail appear as though it is coming from Person B's account.

 

[cbg]

Well, that wasn't news I wanted to hear, Tax, but it's news I needed to hear. It only has to appear superficially as if it came from Person B's account; it doesn't really matter how easy it would be to break the facade and see that it's a fake. But it does have to at least at a quick glance appear to be from Person B's account.

 

[Tax Counsel]

Well, that wasn't news I wanted to hear, Tax, but it's news I needed to hear. It only has to appear superficially as if it came from Person B's account; it doesn't really matter how easy it would be to break the facade and see that it's a fake. But it does have to at least at a quick glance appear to be from Person B's account.

Well then it depends on how sophisticated Person A is and who hosts Person B's e-mail account. Person C might be able to create an email account with an address that is very close to Person B's account such that Person A wouldn't notice a difference unless Person A really looked at it.

 

[cbg]

Now that just might do it. Thank you, Tax, you rock too! But then, you knew that.

 

[welkin]

It's not at all hard or complicated to spoof an email if you understand the anatomy of an email. The problem is that email clients like AOL or Gmail, or Outlook don't give you access to the part of the email where you can change the sender's address. That would be the envelope.

When you compose an email you are filling in the data portion of the mail. That contains the recipient, the sender, the date, the content. That is the content portion of the mail. The email client fills in the envelope based on what the content is.

Simply put, all you have to do is change the envelop with a sender email address that you want the email to appear it came from. To do that you can use free software available or an SMTP (Simple Message Transfer Protocol) server.

This is a very good article that will explain it.

Any reply to the email will come back to the account that sent it and not the sender in the envelope.

 

[cbg]

Thank you, Welkin. That may be very helpful as I go deeper into the story.

 

[cbg]

And as it turns out, another friend gave me an alternate idea so that when Person C gives Person A the fake information, Person B will automatically respond to Person A in the way that Person C wants her to. So the email headers will all be correct; only the information contained in the email purported to be from Person A will be fake. Person B is manipulated into giving the answer that Person C wants her to give so that's a "legit" email.

 

[cbg]

And since August, the story has evolved to where most of the above isn't necessary at all. Person C manages to alter an email that Person A is sending to Person B, and then puts Person B on Person A's blocked list. Some of you helped me work that out in another thread.

But writing is taking more time than I have just now. It is Open Enrollment, aka Hell Week.

When it is not Open Enrollment, my entire team of six might not take more than 50 calls in a day. This morning, I took 36 before lunch. Just me.

When it is not Open Enrollment, I get nervous if my open tickets go into double digits, and certainly if they pass 15. At one point today, I had 93. I'd gotten it down to 70 after working a 12 hour day.

Tomorrow is the last day. And may God have mercy on all our souls.

 

[hrforme]

Yep, in the middle of our OE too....luckily only 100 employees and most have been through it enough to know how and what to do.....probably about 15 questions so far. But we have a large OE kickoff meeting that seems to help with keeping the # of questions to mostly system usage ones (how do I...? or can you reset my password)

I think I've gotten more isues/questions on our new training LMS than OE (Why did we decide to do both in the same month?)

We can make it through!

 

[cbg]

I love the idea, but it's hard to find a even a virtual conference room big enough for 19,000 employees and 5,000 retirees. Might need to do them in batches. :