Ever wonder, when you receive an e-mail, whether the person displayed in the FROM header is really the sender? Throughout the years, while working on matters to structure comprehensive searches or preparing privilege logs, we often encounter unknown “display names” that are completely different from that of the actual sender. For example, say we have e-mail messages from John Smith in a custodian’s data set. There is no question that the e-mail came from his account, because John works for the same organization as our custodian. However, after examining the content of some of John’s e-mails, it becomes apparent that his e-mail address had been spoofed: parts of the e-mail header had been altered to make the e-mail appear to originate from John’s usual account, when in fact he was a victim of e-mail spoofing or phishing. An e-mail address as shown to the recipient has two parts, the actual e-mail address (jsmith@company.com) and the display name (“John Smith”), which together make up what the recipient sees: “John Smith <jsmith@company.com>”. E-mail spoofing is a SPAM technique for sending junk or unsolicited messages. Because spoofed messages appear personal or private, they invite you to open them and often avoid being discarded by SPAM filters.
While it is legal to change one’s display name as long as the e-mail sender can still be clearly identified, e-mail forging is definitely not. The CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003, enforced by the United States Federal Trade Commission, bans false and misleading header information. The “FROM” and “TO” fields of an e-mail should contain both a domain name and an address, which are required to be accurate when identifying a sender. Other highlights of the CAN-SPAM Act address misleading subject lines, the identification of advertisements, and the provision of your physical postal address in each e-mail. However, spammers deliberately spoof e-mail addresses to deter SPAM recipients from tracing where an e-mail originated, thus escaping the penalties of anti-spam laws.
Extracted metadata has proven to be an invaluable source of information to case teams, aside from the actual visible document content. However, precautions should be taken with respect to custodian data in the case of e-mail spoofing. During a data preservation and collection effort, e-mail spoofing can cause issues when identifying sources of electronically stored information. Data collection and identification efforts can result in the omission of entire data sets belonging to key custodians whose messages are disguised under a spoofed display name. Similarly, key custodians’ e-mails and files can be inadvertently omitted from document review preparation when searching to cull down data populations. Since e-mail spoofing involves altering display names, it is important that display names alone are not used as inclusion or exclusion criteria. Careful analysis of senders, recipients, subjects and e-mail content should drive decisions for focused collection, review and production.
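As an added illustration (not part of the original post), the following Python script shows how a collection or review workflow can key on the address part of the FROM header rather than the display name, and flag messages in which a known custodian’s display name appears with an address that is not that custodian’s. The custodian table, the domain company.com and the sample messages are constructed for the example; the script uses only the Python standard library.

```python
# Added example, not code from the original post. It parses the FROM header
# of each message into (display name, address), groups messages by address
# (the field a collection should key on), and flags messages where a known
# custodian's display name is paired with a different address.
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages: three genuine messages from the custodian's
# account and one message that borrows the display name only.
SAMPLE_MESSAGES = [
    "From: John Smith <jsmith@company.com>\nSubject: Q3 budget\n\nAttached.\n",
    "From: \"John Smith\" <jsmith@company.com>\nSubject: Re: Q3 budget\n\nThanks.\n",
    "From: John Smith <promo@mailer-example.net>\nSubject: You have won\n\nClick here.\n",
    "From: J. Smith <jsmith@company.com>\nSubject: lunch\n\n12:30?\n",
]

# Constructed custodian list: canonical address -> expected display name.
CUSTODIANS = {"jsmith@company.com": "John Smith"}


def parse_from(raw_message):
    """Return (display_name, address) from a message's FROM header.

    parseaddr strips the quotes around a quoted display name and lower-casing
    the address lets the same mailbox written in different case group together.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip(), addr.lower()


def flag_display_name_mismatches(raw_messages, custodians):
    """List (index, display_name, address) for messages whose display name
    matches a custodian's name while the address is not that custodian's.

    These are the messages a reviewer should examine rather than silently
    include (or exclude) on the strength of the display name.
    """
    name_to_addr = {name.lower(): addr for addr, name in custodians.items()}
    flagged = []
    for i, raw in enumerate(raw_messages):
        name, addr = parse_from(raw)
        expected_addr = name_to_addr.get(name.lower())
        if expected_addr is not None and addr != expected_addr:
            flagged.append((i, name, addr))
    return flagged


def group_by_address(raw_messages):
    """Group message indices by sender address and record every display
    name seen for that address, so collection decisions are made on the
    address and the display names become something to examine, not a filter.
    """
    groups = defaultdict(lambda: {"indices": [], "display_names": set()})
    for i, raw in enumerate(raw_messages):
        name, addr = parse_from(raw)
        groups[addr]["indices"].append(i)
        groups[addr]["display_names"].add(name)
    return dict(groups)


if __name__ == "__main__":
    for idx, name, addr in flag_display_name_mismatches(SAMPLE_MESSAGES, CUSTODIANS):
        print(f"message {idx}: display name {name!r} used with address {addr}")
    for addr, info in group_by_address(SAMPLE_MESSAGES).items():
        print(f"{addr}: messages {info['indices']}, display names {sorted(info['display_names'])}")
```

Against the constructed set, the third message is flagged because “John Smith” appears with promo@mailer-example.net, while the message from “J. Smith” is correctly grouped with the custodian’s other mail because grouping is done on jsmith@company.com; a display-name-only filter would have produced the opposite result in both cases.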