POP and IMAP client forensics

Different POP and IMAP clients have different characteristics, and some of these characteristics have forensic implications.

Popman is a lightweight email client for Windows. POP and IMAP are both supported, with and without SSL. A Portable Apps version is available, making it ideal for use on untrusted computers.

Using POP, mail can be checked without marking it on the server as read. Deleting a message in Popman deletes the message on the server. There may be a setting in Popman to alter this behavior.

Websites offering access to all your email accounts via a webmail interface. Sometimes WAP or other special interfaces are offered. If the mail server does not offer the features you require, you can point your favorite mail client to a universal webmail service that does and obtain your mail indirectly with the features you want.

Aside from being a mail service in its own right, Gmail also allows you to use POP (but not IMAP) to obtain messages from other servers. SSL and HTTPS are available and should normally be used.

Gmail can be configured to leave a copy of retrieved messages on the server. It does not instruct the server to mark fetched mail as read. Some servers, such as Yahoo Mail, will do so anyway, but this is a server issue. Being POP, deleting a message in Gmail does not delete the message on the server.

Mail2web is a universal webmail service. POP and IMAP are both supported, with and without SSL. HTTPS is available and should normally be used.

The WAP interface indicates an unread message by displaying its message number in bold. It does not have a means to manually mark it as read or unread. Messages cannot be copied or moved in the WAP interface.

On the web interface, a star icon indicates an unread message.

Accessing an email account from mail2web is logged as coming from a Canadian IP address.

Using POP, merely logging in and viewing your inbox sometimes marks the messages on the server as read. This behavior is intermittent.

Using IMAP, mail2web functions as expected.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged , , . Bookmark the permalink.

2 Responses to POP and IMAP client forensics

  1. anonymous says:

    Anonymous writes:If I check my email on my Iphone will it mark it "unread" on a basic mail2web account? I've been doing this and it was working, now only certain messages are showing as read when I've checked all of them?

  2. wpost says:

    I'm not an iPhone user so I'm not qualified to answer that. You might want to consult mail2web's help pages:https://mail2web.com/help/When you do so, be sure to clarify whether you are talking about POP or IMAP, and what the source account is (Yahoo Mail, Gmail, whatever).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s