Pocomail Mailbox Forensic Analysis

Creative Team | December 25th, 2014 | Forensics

Even though email clients such as Pocomail have addressed spam and denial-of-service problems to their own satisfaction, there are still many litigation cases involving spam messages and network intrusions. In these cases, one party accuses the other of illegally spoofing the IP addresses of email messages and destroying important data stored on its systems.

Normally, in such judicial proceedings, an organization whose data has been forged through a network intrusion instigated by outsiders claims a large sum of money for the tampering of its email messages. When email security within an organization is breached, a thorough investigation is required to determine the reason for the unlawful forwarding of email. Let us first acquire a brief understanding of the Pocomail email client and then proceed to the forensic implications, which can help an investigator untangle the forgery techniques an attacker applies to tamper with an email message.

Exploring Pocomail Email Client

Pocomail is considered one of the most dependable email clients designed specifically for Microsoft Windows. It has its own built-in scripting feature, known as PocoScript, to prevent spam and protect email messages from attackers. After installing the Pocomail client and synchronizing it with a Gmail account, one can see that all the data is saved in the Mail folder.

The path for locating the messages is shown below.


All messages in Pocomail are saved in the MBX file format.
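As an added illustration, not code from the original article or from Pocomail itself, the following Python script walks such a mailbox file the way an examiner would: it hashes each message for chain of custody, reads the Received chain from the originating hop to the final server, and flags messages whose envelope sender does not agree with the From: header. It assumes the MBX file uses an mbox-style layout (messages separated by "From <sender> <date>" lines); the file name Inbox.mbx, the addresses, IPs and Received headers are constructed sample data, and the layout assumption should be confirmed against a real Pocomail file before relying on the parser.

```python
import hashlib
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr

# Constructed sample mailbox (not real Pocomail data). Layout assumed here:
# mbox-style, each message introduced by a "From <envelope-sender> <date>" line.
SAMPLE_MBX = """\
From alice@example.org Thu Dec 25 10:00:00 2014
Received: from mx1.example.net ([192.0.2.10]) by mail.example.net; Thu, 25 Dec 2014 10:00:01 +0000
Received: from [198.51.100.7] (helo=alice-pc) by mx1.example.net; Thu, 25 Dec 2014 10:00:00 +0000
From: Alice <alice@example.org>
To: bob@example.net
Subject: Quarterly figures
Message-ID: <msg-1@example.org>

Please find the figures attached.

From mallory@example.com Thu Dec 25 11:00:00 2014
Received: from mx1.example.net ([192.0.2.10]) by mail.example.net; Thu, 25 Dec 2014 11:00:02 +0000
Received: from [203.0.113.44] (helo=mail.example.net) by mx1.example.net; Thu, 25 Dec 2014 11:00:01 +0000
From: "CEO" <ceo@example.net>
To: bob@example.net
Subject: Urgent wire transfer
Message-ID: <msg-2@example.com>

Transfer the funds today.
"""

# Matches the bracketed IPv4 literal that receiving servers record for the peer.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def write_sample_mailbox(directory=None):
    """Write the constructed sample to <directory>/Inbox.mbx and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="pocomail-")
    path = os.path.join(directory, "Inbox.mbx")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_MBX.encode("ascii"))
    return path


def received_hops(msg):
    """IPv4 addresses from the Received chain, ordered origin -> final server.
    Each server prepends its own header, so the stored order is reversed."""
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        match = IP_RE.search(hdr)
        if match:
            hops.append(match.group(1))
    return hops


def analyse_mailbox(path):
    """Summarise every message: hash for chain of custody, routing hops, and
    whether the envelope sender (mbox From_ line) agrees with the From: header."""
    results = []
    box = mailbox.mbox(path)
    try:
        for key, msg in box.items():
            from_line = msg.get_from() or ""
            envelope = from_line.split()[0] if from_line else ""
            header_from = parseaddr(msg.get("From", ""))[1]
            hops = received_hops(msg)
            results.append({
                "key": key,
                "message_id": msg.get("Message-ID"),
                "sha256": hashlib.sha256(msg.as_bytes()).hexdigest(),
                "envelope_from": envelope,
                "header_from": header_from,
                "envelope_matches_header": envelope.lower() == header_from.lower(),
                "hops": hops,
                "origin_ip": hops[0] if hops else None,
            })
    finally:
        box.close()
    return results


if __name__ == "__main__":
    for entry in analyse_mailbox(write_sample_mailbox()):
        print(entry)
```

Run it as a script to see both summaries; the second constructed message is reported with envelope sender mallory@example.com but header From ceo@example.net, which is the kind of mismatch that separates a forged message from a legitimate one before any IP lookup is attempted. Work on a copy of the mailbox and record the hashes before opening the file in any client.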



Manipulation of Data on Pocomail Email Client

When a Pocomail email client installed on the user's machine is synchronized with a Gmail account held on the Gmail server, there is a possibility that a remote attacker spoofs the IP address of the email data. Such an attacker could reach the Gmail server through the synchronized Pocomail client and forge and embed messages.

An attacker can also use spam messages to mount an attack on the Pocomail email account. By delivering bulk spam to the Pocomail account, they can exhaust the user's quota for sending or receiving email messages, thereby indirectly affecting the Gmail account on the server. Such attacks are generally known as denial-of-service (DoS) attacks.

How Denial-of-Service Attacks Take Place

In a denial-of-service attack, an attacker strives to prevent users from reaching their data. The attack usually targets the user's system and its network connection, or the websites the Pocomail user is trying to browse, and in doing so prevents the user from accessing web pages, online accounts, or email messages.

The most common pattern of DoS attack occurs when an attacker floods a network with data. When a user enters a URL to view a website, the browser sends a request to that site's server. The server can handle only a limited number of requests at a time, so when the attacker overloads it with many simultaneous requests, the server can no longer process them, and the user is unable to access the site.




Forensic Implications Related To Network Intrusions in Pocomail

Whenever a network intrusion is identified in Pocomail, the first step is to identify the attacker and the type of attack used to forge the email message. Once the attack pattern is known, a forensic investigator can adopt appropriate methods to obtain the domain name.

Attacker Identification

When a forensic investigator examines most attacks, the main concern is not to identify the culprit but to ensure that the attacks are stopped and to forensically analyze the Pocomail email data on the system. If an attack such as denial of service is ongoing, the organization may want to identify the IP address used by the attacker in order to stop the attack. However, the process is not as simple as it seems.

Types of Attacks

Attackers devise different techniques that involve IP addresses. Some of them are discussed below:

  1. Spoofed IP address: Some attackers use forged source IP addresses. Spoofing is hard to use for attacks that need a connection to be set up, so it is generally used when no connection has to be established.
  2. IP addresses from many sources: Sometimes the attacker uses many different source IP addresses, as in DDoS attacks, which rely on a number of compromised machines to carry out a coordinated attack.
  3. Legitimacy of an IP address: IP addresses are often allocated dynamically. In such a case, the machine currently operating with a specific IP address may not be the system that had it when the attack happened.
  4. IP traceback: IP traceback covers the methods used to recognize the origin of attack packets. Approaches include querying network routers about the traffic they forward, building an overlay network with logging mechanisms to track selected packet flows, and reconstructing the attacker's path from IP packets generated by routers during the attack.
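The flood pattern described in the DoS section and the single-source versus many-sources distinction in the list above can be checked from a plain request log. The following Python code is an added example, not code from the original article or from any product it mentions: it runs a sliding-window counter over a constructed, chronologically ordered access log and reports both sources that exceed a per-source limit and the first moment the aggregate load exceeds what the server is assumed to handle. The log lines, IP addresses, window size and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed base time for the sample log (not real traffic).
BASE = datetime(2014, 12, 25, 10, 0, 0)


def build_sample_log():
    """Constructed request log, in time order: one normal client, one
    single-source flooder, and a 30-host botnet sending two requests each."""
    lines = []

    def emit(millis, src, path="/inbox"):
        ts = (BASE + timedelta(milliseconds=millis)).isoformat()
        lines.append(f"{ts} {src} GET {path}")

    for i in range(5):                      # ordinary browsing: one hit every 12 s
        emit(i * 12000, "198.51.100.5")
    for i in range(40):                     # one host: 40 requests inside 4 s
        emit(100000 + i * 100, "203.0.113.9")
    for i in range(60):                     # 30 hosts, 2 requests each, inside 6 s
        emit(200000 + i * 100, f"192.0.2.{i % 30 + 1}")
    return lines


def parse_line(line):
    """'<ISO timestamp> <source IP> <method> <path>' -> (datetime, src, method, path)."""
    ts, src, method, path = line.split()
    return datetime.fromisoformat(ts), src, method, path


def detect_floods(lines, window_seconds=10, per_source_limit=20, server_capacity=50):
    """Sliding-window counter over a chronological log.
    Returns sources whose request count in any window exceeded per_source_limit,
    and the first moment the aggregate count in a window exceeded server_capacity."""
    per_source = defaultdict(deque)     # src -> timestamps inside the current window
    recent = deque()                    # (timestamp, src) for every source together
    peak = defaultdict(int)
    overload = None
    for line in lines:
        ts, src, _, _ = parse_line(line)
        dq = per_source[src]
        dq.append(ts)
        while (ts - dq[0]).total_seconds() >= window_seconds:
            dq.popleft()                # drop requests that left the window
        peak[src] = max(peak[src], len(dq))

        recent.append((ts, src))
        while (ts - recent[0][0]).total_seconds() >= window_seconds:
            recent.popleft()
        if overload is None and len(recent) > server_capacity:
            overload = {
                "at": ts.isoformat(),
                "requests": len(recent),
                "distinct_sources": len({s for _, s in recent}),
            }
    flooding = {src: n for src, n in peak.items() if n > per_source_limit}
    return {"flooding_sources": flooding, "overload": overload}


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

The two outputs answer different questions: the per-source peak catches the single flooding host, while the botnet in the sample never trips the per-source limit and is only visible as an aggregate overload spread over 30 distinct addresses. That is why a per-IP block list alone does not stop the many-sources case, and why the detector keeps the count of distinct sources at the moment the capacity is exceeded.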


Retracing Attacks and Reconstructing Their Path

Internet attacks involving worms and viruses have become widespread in organizations. Often these worms and viruses do not require any user action to proliferate, as they are self-propagating and self-sustaining blocks of code. Tracking the origin of such worms has become an important part of network forensics.

The figure below gives a simple illustration of the path traced between two nodes in a network. Node A is the source and node E is the destination. If a malicious stream of code is identified at node E, node E consults the table it maintains for incoming data flows to identify where the malicious flow arrived from. Node E can then use a request protocol to work back to the source of the malicious bit stream. The flow records should be stored in the network routers rather than on the user's system, so that they cannot be altered at the end user's machine.
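The following Python model is an added example of the traceback just described; it is not code from the original article or from any real router. Each node keeps a table of incoming flows mapping a flow digest to the neighbour that delivered it, and the "request protocol" is reduced to the destination asking each upstream node in turn. The node names A to E, the packet fields and the forged source address are constructed assumptions; the point the model makes is that the reconstructed path comes from the routers' own records, so a spoofed source address in the packet does not mislead it.

```python
import hashlib


def flow_digest(packet):
    """Identify a flow by fields that do not change from hop to hop. The claimed
    source address is part of the key but is never trusted as the origin."""
    key = f"{packet['src']}|{packet['dst']}|{packet['payload']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


class Node:
    """A router (or end host) that logs, per flow, which neighbour delivered it."""

    def __init__(self, name):
        self.name = name
        self.flow_table = {}   # flow digest -> name of the previous hop

    def receive(self, packet, prev_hop):
        self.flow_table[flow_digest(packet)] = prev_hop


def forward(path, packet):
    """Deliver packet along path (a list of Node); every node except the first
    records the neighbour it received the packet from. Returns the flow digest."""
    for prev, node in zip(path, path[1:]):
        node.receive(packet, prev.name)
    return flow_digest(packet)


def trace_back(nodes, destination, digest):
    """Starting at the destination, ask each node which neighbour delivered the
    flow, until a node has no record (the origin), a node outside the monitored
    network is reached, or a loop is detected. Returns origin -> destination."""
    route = [destination]
    seen = {destination}
    current = destination
    while True:
        prev_hop = nodes[current].flow_table.get(digest)
        if prev_hop is None or prev_hop in seen:
            break
        route.append(prev_hop)
        seen.add(prev_hop)
        if prev_hop not in nodes:
            break   # neighbour we do not manage: stop with the partial path
        current = prev_hop
    return list(reversed(route))


def demo():
    """Build the A-B-C-D-E chain from the figure and push one constructed packet
    through it. Its source address is forged, yet the hop records still lead to A."""
    names = ["A", "B", "C", "D", "E"]
    nodes = {n: Node(n) for n in names}
    packet = {"src": "10.9.9.9", "dst": "E", "payload": "malicious-bitstream"}
    digest = forward([nodes[n] for n in names], packet)
    return nodes, digest


if __name__ == "__main__":
    nodes, digest = demo()
    print(trace_back(nodes, "E", digest))          # ['A', 'B', 'C', 'D', 'E']
    print(trace_back(nodes, "E", "0" * 16))        # ['E'] : flow never seen
```

A digest that no node has recorded yields a path containing only the querying node, which is the honest answer when the logging overlay did not cover that flow; in practice this is exactly the gap dynamic addressing (item 3 above) and short router log retention leave, so the records need to be collected while the attack is still in progress.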




The approaches discussed above show how tampered messages in Pocomail can be dealt with forensically. Often, however, investigators need a solution that helps them locate, view and analyze Pocomail messages with the least effort. One third-party tool that offers this convenience for examining emails forensically is MailXaminer, which supports 80+ email clients and more than 20 email formats.