Re: IMAP vs POP was Thunderbird vs Claws Mail

[jeremy ardley <jeremy.ardley@gmail.com>]

On 19/11/23 08:04, jeremy ardley wrote:
> On 19/11/23 01:59, Alex wrote:
> > IMAP clients will therefore keep messages on the IMAP server and not 
> > delete them unless you specifically tell them to, for example via 
> > right-click -> delete. 
>
>
> A client can also alter messages retained on a server or event insert 
> new messages. This is interesting in computer forensics.
>
> It means that if an email is on a server e.g. hotmail or gmail, it has 
> no probative value unless supported by other evidence such as server 
> records, digital signatures,  or corroborating evidence on other systems.
>
> In my professional cyber-forensic practice I have tested just how much 
> you can alter in an email on a server. The answer is essentially 
> everything. All headers, dates, content etc.
>
> Server records of email receipt are usually transient so after a few 
> months they can no longer be used as corroboration.

Incidentally, I am using gmail for this list. They have made a recent(?) 
change so that an email that is sent to the debian list automatically 
gets a 'copy' in the inbox. In fact it's just a view of the sent email.

They then drop any copy received from the list, probably based on 
matching the email ID field (?)

From a forensic perspective, gmail only ever stores one copy of an 
email based on its email ID. The altering emails on the server trick 
involves creating a modified copy with a different ID field, deleting 
the original email and so removing its ID from gmail, then altering the 
ID of the copy to the original ID.