EarthLink Forensics: Discovering & Examining Weak Links

MailXaminer | June 4th, 2020 | Forensics

Emails are one of the preferred communication medium used by both small-scale and large-scale organization. Throughout these years, there has been a rapid increase in different email applications, which are developed to meet the different needs of diverse users.

EarthLink emerged as one of the email services providing completely a different webmail experience. EarthLink stores email files in its proprietary (DAT) file format. Moreover, these files can be exported from EarthLink Mailbox to CSV format. However, the CSV file will not include attachments and image files, if any. EarthLink webmail is also vulnerable to various email attacks. Here in this blog, we will discuss EarthLink forensics in an elaborated way.

Understanding All About EarthLink Webmail

EarthLink is a webmail-client, which is not so typical and has an interface that resembles the UI of a desktop email client. It offers a basic emailing service with remarkable additional options.

Working with EarthLink is an experience no different from browsing the web. However, it doesn’t carry out even a single action without having to refresh the webpage completely. As it is quite a disturbing act especially during login as it may lead to loss of information. Following are some of the features incorporated in EarthLink webmail.

  • User account data is stored on web servers, hence no control to end-user is provided.
  • Provides anti-spam and anti-virus protection services featured for protection from phishing/spamming.
  • Anonymous mailing feature promotes a possibility of spamming and phishing if misused.
  • One account can be linked up to a minimum of 8 accounts with different user profiles.

Role of EarthLink Webmail in Digital Forensics

EarthLink has been involved in eDiscovery cases both as a victim client and as a culprit in an act. A detailed study of the web service reveals that EarthLink can be used to conduct cybercrime for financial gain, etc. Below mentioned are some upgraded set of features as well as shortcomings of the EarthLink webmail service. It proves to be responsible for conducting suspicious acts via email communication.

EarthLink as the Victim
Technology may be powerful but is not perfect. The proof of it is its shortcomings and failure in fulfilling certain user requirements.

EarthLink is no exception and has been in the news several times for cases related to the compromise of security.

Reason: The webmail service does not use “TLS level encryption” during the login procedure on the POP3 services. Therefore, its privacy can be easily attacked by intercepting the wireless connection in use.

EarthLink as the Culprit
EarthLink is utilized not only for good purposes but also it can be used for illegal purposes. EarthLink is also involved in cybercriminal acts as the culprit too.

Following is an account of the features responsible for such consequences and misuse of the webmail service.


  • Anonymous emails can be activated by the user on their EarthLink profile to hide their original identity (email address) from the recipient.
  • A single user account is allotted the permission to generate a minimum of up to 8 separate email accounts.

From the above-described reasons, it can be understood that the anonymous emailing option indirectly promotes spamming and has the potential to be used for illegal purposes. Secondly, the allotment of multiple profiles to a single user account can again be used for spamming, email bombing & various other email attacks.

Countermeasures of EarthLink Webmail Service

It is possible to encrypt the login in EarthLink via IMAP configuration or through its default web interface. Nevertheless, it is not enabled by default yet can be customized into usage by user preference.

If the account has recovered after being hacked once, always ensure that the email settings have not been manipulated. The hacker can receive all your emails via email forwarding that may have been set during the period of hacking. Post recovery of a compromised account, make sure to check all the settings. Also, apply a stronger password along with session encryption enabled besides just login encryption.

Challenges of Executing EarthLink Forensics

Following are some major challenges often faced by the investigating officers while performing EarthLink forensics.

  • The service is hosted on web interface automatically poses a common investigative challenge, i.e. there will be no control over the profile data. You do not own the profile data or control it as it is stored on the webserver and not on local storage.
  • Secondly, most of the users retain or erase deleted emails from the trash based on the retention period set by the user. By default, this limit is set to a certain duration, which can be extended according to the user preference. The emails could be deleted by the user from the trash, which results in permanent loss of potential evidence.

Do You Know?

MailXaminer is one of the proficient Email Forensics Software that lets investigators to deeply analyze the email files. The software is designed with powerful features such as advanced search options, various analytics options, geolocation mapping, etc. Moreover, it is efficient enough to support 20+ email file formats from both web-based and desktop-based email applications.

Time to Wind Up

EarthLink Forensics emerges as a complicated platform to examine from a certain investigative point of view due to session encryption, web access, and multiple account correlation. However, MailXaminer helps surpass the challenges with the help of its key features enabling the investigators to swiftly examine the email data files.