Where did you install Firefox from? Help Mozilla uncover 3rd party websites that offer problematic Firefox installation by taking part in our campaign. There will be swag, and you'll be featured in our blog if you manage to report at least 10 valid reports!

Avatar for Username

Hilfe durchsuchen

Vorsicht vor Support-Betrug: Wir fordern Sie niemals auf, eine Telefonnummer anzurufen, eine SMS an eine Telefonnummer zu senden oder persönliche Daten preiszugeben. Bitte melden Sie verdächtige Aktivitäten über die Funktion „Missbrauch melden“.

Learn More

Dieses Thema wurde archiviert. Bitte stellen Sie eine neue Frage, wenn Sie Hilfe benötigen.

Importing edited Mbox file from Gmail - Manipulation test

  • 1 Antwort
  • 1 hat dieses Problem
  • 11 Aufrufe
  • Letzte Antwort von Matt

bwbeachbar
bwbeachbar
more options

I am testing the theory behind manipulated emails and what forensic evidence can be obtained.

I notice that when Google Takeout is used to export emails from a Gmail account and are subsequently edited (in this case, the body text), SPF alters from "PASS" to "NONE with IP 0.0.0.0" and DKIM completely disappears in the "Original Message" view, however the headers remain unchanged with the exception of the edits to the body text.

The unedited email indicates SPF as "Pass" and DKIM as "Pass" (first image). This changes in the second image once any alteration is applied to the original email.

Before importing the email via Thunderbird, I delete the original email in Gmail (including the trash) and then load the manipulated email to Thunderbird and subsequently to the Gmail inbox.

Is there an explanation for the change in SPF and disappearance of DKIM to the manipulated email?

I am testing the theory behind manipulated emails and what forensic evidence can be obtained. I notice that when Google Takeout is used to export emails from a Gmail account and are subsequently edited (in this case, the body text), SPF alters from "PASS" to "NONE with IP 0.0.0.0" and DKIM completely disappears in the "Original Message" view, however the headers remain unchanged with the exception of the edits to the body text. The unedited email indicates SPF as "Pass" and DKIM as "Pass" (first image). This changes in the second image once any alteration is applied to the original email. Before importing the email via Thunderbird, I delete the original email in Gmail (including the trash) and then load the manipulated email to Thunderbird and subsequently to the Gmail inbox. Is there an explanation for the change in SPF and disappearance of DKIM to the manipulated email?
Angefügte Screenshots

Alle Antworten (1)

Matt
Matt
  • Moderator
  • Top 10 Contributor
more options

Details on the SPF standard can be found here. https://datatracker.ietf.org/doc/html/rfc7208 and DKIM here https://datatracker.ietf.org/doc/html/rfc6376

Both of these are server side technologies and well beyond the scope of this forum.