Someone has copies of emails that I send to a third party…and has forwarded the messages as if they were sent by me to them. Here is a header I was able to retrieve from one of them, not sure if it's been altered, other than me changing to "myemail" Can you tell me if it's legitimate? I was in Japan on 6/30, on a mac, with no access to the internet. Could this have originated from me, maybe by some strange fluke such as forwarding? Or has it been forged? How can you tell? What do the IP addresses tell you? Unless I can come up with another explanation, maybe this person, accessed the person's bellsouth.net's account, to get copies of these msg's. I did not send them to this person, and I don't have email forwarding enabled. Also, 2 different email addresses are referred to - roadrunner in the header, but hotmail in the "from" field. Can you help me sort this out? Trying to figure out how these emails made it to someone else… and I don't understand the info provided in the headers. My primary concern is possible unauthorized access of someone's email account. thanks, 7:55 AM Received: from cdptpa-omtalb.mail.rr.com ([75.180.132.120]) by isp.att.net (frfwmxc05) with ESMTP id <20080630051829M05007o2mse>; Mon, 30 Jun 2008 10:51:29 +0000 X-Originating-IP: [75.180.132.120] Received: from [192.168.0.104] (really [66.57.21.218]) by cdptpa-omta02.mail.rr.com with ESMTP id <20080630051828.UIE2063.cdptpa- omta02.mail.rr.com@[192.168.0.104]> for <toomuchcandy@msn.com>; Mon, 30 Jun 2008 10:51:29 +0000 Mime-Version: 1.0 (Apple Message framework v753.1) To: <toomuchcandy@msn.com> Message-Id: <DEEE190D-A933-4F26-B6A2- 9FEBFBA6521B@nc.rr.com> Content-Type: multipart/alternative; boundary=Apple- Mail-7-13493837 From: <myemail@hotmail.com> Subject: FW Date: Mon, 30 Jun 2008 10:51:29 -0400 X-Mailer: Apple Mail (2.753.1)

The email originated from a user on rr.com and was sent to a user on msn.com I don't see where anything was forged. The subject was FW which is forward. I don't see anything about a bellsouth account at all unless the person with the msn address is on bellsouth.

Sorry, yes, the other 2 people involved use Bellsouth (msn). Problem with the header is that the "from" says myemail@hotmail.com, but the header refers to roadrunner. I didn't send the email at all to the person who ended up with it. I believe she hacked into the receiver's account, then put together this header. But I can't prove it. And I can't prove that I did NOT send it, although I had no internet service during this time. This has happened to dozens of emails - why I think she has accessed his account. But I don't want to accuse without proof. Any ideas into what to look for next?

Looking at your original post again, you wanted to know if the headers were forged. They don't look forged to me. You also said, that you have a Mac and the last few lines of the header show exactly that. (Apple Mail) From: <myemail@hotmail.com> Subject: FW Date: Mon, 30 Jun 2008 10:51:29 -0400 X-Mailer: Apple Mail (2.753.1) So nothing looks forged to me. The RR IP matches the RR mail server. The subject is FW. Fowarded emails will have the original senders name in the header. Does your friend think that his account was accessed illegally? Has he changed his password just in case? Was the content of the email something that was supposed to remain confidential?

Yes, the content was confidential. And, we can think of only one way that she accessed the email - for her to gain access to his account. She has read email from me to him, that I've sent from 3 different accounts, so that helps rule out her accessing mine. He has now deleted the email accounts, but she has emails that go back months. the confusing thing for me is that YES, i have a mac. But I was in Tokyo for 3 days, with no access to internet. His email appears to be the culprit, because she has email that I sent from work... to him. I know there is no automatic forwarding going on there behind the scenes. I just want to know how I can further protect my emails, to find out if they are being automatically broadcast anywhere, and how to find out if she really got into his mailbox, then forwarded back to him *pretending* to come from me. Don't want to accuse, but YES, the circumstances point to her gaining access to his email. She had the opportunity. Not the permission, but the opportunity. She had access to his pc, working on it. He has deleted those email accounts, and created new ones, but unless we know what happened, I'm not confident that it's not still going on. Sure, I know emails aren't secure by nature... but I do want to find out what happened. Or, he could have forwarded my emails, pretending they were from me, and sent me this header. I doubt that though. Just wish I could get some answers.

Now the situation is a clearer. Yes, your friends PC may have been compromised then and may still be compromised. If a keylogger was installed, all the password changes mean nothing because she can see the changes. I would recommend encrypting your emails that you send to your friend but he needs to secure his PC first, otherwise, that's worthless too.

She still has the pc. He's using a different one now. So I guess there's no way really for me to know for sure if she accessed his email. Or whether he forwarded the emails to her, making them look like they were from me.