Email, screenshots, and trust
Recently, the Half-Life community has fallen victim to screenshot-based email spoofing. A conversation is posted as a screenshot, usually with something blurred out, showing a random community member exchanging words with someone important. Almost always [1], these emails provide something akin to confirmation of the existence of a god.
How to spoof email
If you want to spoof an email from Gabe Newell, you have a couple of different options.
You could photoshop it. Email exchanges are always posted as screenshots, so just photoshopping text is trivial. Since you’re going to blur out your email address anyway (it’s a big secret), you have plausible deniability if anyone ever questions why the screenshot has photo editing EXIF data, or why it has compression artifacts, or why it looks fake. It was just a side effect of editing out my precious email address, and/or name!
You could use the element inspector and just change a random email in your inbox to be from who you want, containing whatever text you want. It’s going to be pixel perfect, and feel free to go back to photoshop to blur your email – for fun!
Forwarded email cannot be trusted, either
It’s trivial to “forward” an email to anyone else. Just copy and paste the forward header, add “Fwd: [subject]” as the subject line, and presto.
Can email be trusted?
No. There are a couple exceptions, but the vast majority of the time, no. A random email from someone important posted as fact on a forum, be that Reddit, Imgur, or Something Awful, cannot be trusted.
The exceptions are pretty clear cut. If the email was sent to a member of the press [2], who confirmed the originating headers, then the answer is likely yes. If the email was sent and signed with a known PGP key, the answer is also yes [3].
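What “confirmed the originating headers” can look like in practice, as an added example that is not from the original post: it reads the raw message and accepts the From: domain only when the recipient’s own mail server recorded a DKIM pass for exactly that domain. The domains, the `mx.recipient.example` server name and the three sample messages are constructed, and exact-match alignment with no handling of header comments is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_MX = "mx.recipient.example"  # assumed: authserv-id of the reader's own mail server

# Constructed samples. DIRECT came from the claimed domain; FORWARD is a
# pasted "forward" from someone else; INJECTED carries a verdict we never issued.
DIRECT = """\
Authentication-Results: mx.recipient.example; dkim=pass header.d=studio.example
From: Important Person <boss@studio.example>
Subject: Re: release date

Confirmed.
"""
FORWARD = """\
Authentication-Results: mx.recipient.example; dkim=pass header.d=freemail.example
From: Some Fan <fan@freemail.example>
Subject: Fwd: Re: release date

---------- Forwarded message ----------
From: Important Person <boss@studio.example>

Confirmed.
"""
INJECTED = DIRECT.replace("mx.recipient.example", "mx.elsewhere.example")

def dkim_pass_domains(msg, trusted_authserv):
    """Domains with dkim=pass, read only from headers our own server stamped."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # anyone can add this header; trust only our own verdict
        for clause in results.split(";"):
            tokens = clause.split()
            if tokens and tokens[0].lower() == "dkim=pass":
                domains |= {t[9:].lower() for t in tokens[1:]
                            if t.lower().startswith("header.d=")}
    return domains

def verified_sender_domain(raw, trusted_authserv=OUR_MX):
    """From: domain if a trusted DKIM pass covers it exactly, else None."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    covered = domain and domain in dkim_pass_domains(msg, trusted_authserv)
    return domain if covered else None
```

For the pasted forward, the only sender the headers vouch for is the person who forwarded it; the “From:” line inside the body is ordinary text and is never consulted.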
[1] Imagine if someone posted the most mundane email spoof ever. Subject: “Gabe Newell repaints kitchen.” I bet everyone would call that fake for being too trivial.
[2] While writing this post, @Vacoze provided a link which shows an example of this type of validation. Marc Laidlaw sent an email to a Reddit user, who posted it on /r/Half-Life. The validation of the email’s authenticity only came when the external source Kotaku independently validated that the email was legitimate.
[3] PGP keys should be validated against some form of public record. If they aren’t validated against a known key previously used with a contact, they also can’t be trusted. If I email you a PGP key, and then sign something with that key, the chain of trust still doesn’t establish my identity.