Re: Distressing, possibly life threatening emails from free accounts (yahoo, hotmail

["KoRe MeLtDoWn" <koremeltdown () hotmail com>]

Hi there Stephen,
What you need to do first off evaluate the is look at the email header, and 
look for the IP address that sent the email. Once it is determined which IP 
address created the email, do a reverse DNS on that IP address. This can be 
done quickly and effieciently at http://remote.12dt.com/rns/ without any 
hassles.
if for example your reverse dns reveals a hostname of 
210-54-108.dialup.xtra.co.nz then you would visit xtra.co.nz and  determine 
weither or not they are an ISP. After this, you can gather contact email 
addresses for the ISP.
You would then write to the ISP; though calling it if it is local may 
produce better results and inform them of the incident, including an EXACT 
dialog, the time it took place, informing them that it was one of your users 
that was the target, and give them a little reminder that what has taken 
place is highly illegal and needs to be acted apon internally or you have 
the right to take legal action. From here; your ISP is not legally oibliged 
to give you the information of the account holder that was using the said IP 
at the time the email was sent; HOWEVER they are legally abliged (in most 
civilised countries at least) to give contact details to law enforcement if 
such a request is to be made of them. If they refuse to give you the 
information personally (and they will) then your only other option of 
finding out who is responsible is to phone the police; whom will take 
criminal action against the offender. This would involve the usual cyber 
crime task forces etc tracking the person - they would essentially do what 
Ihave just explained, and possibly a little more :)

If you have any problems with any of the email header stuff drop me a line 
and I will get the information you need.
Good Luck.

Kind regards,


Hamish Stanaway

Absolute Web Hosting / -= KoRe WoRkS Internet Security
Owner/Operator
Auckland
New Zealand

http://www.webhosting.net.nz/
http://www.buywebhosting.co.nz/
http://www.koreworks.com/





> From: "steve baker" <stephenbbaker () hotmail com>
> To: security-basics () securityfocus com
> Subject: Distressing, possibly life threatening emails from free accounts 
> (yahoo, hotmail
> Date: Tue, 27 May 2003 12:38:58 -0400
> MIME-Version: 1.0
> X-Originating-IP: [167.199.152.207]
> X-Originating-Email: [stephenbbaker () hotmail com]
> Received: from outgoing2.securityfocus.com ([205.206.231.26]) by 
> mc6-f42.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Wed, 28 May 
> 2003 10:00:56 -0700
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 
> 354EA8F4EC; Wed, 28 May 2003 10:18:49 -0600 (MDT)
> Received: (qmail 5892 invoked from network); 27 May 2003 16:12:02 -0000
> X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Message-ID: <BAY8-F117HfbBfbEc7m00018422 () hotmail com>
> X-OriginalArrivalTime: 27 May 2003 16:38:58.0943 (UTC) 
> FILETIME=[78DFA0F0:01C3246E]
> Return-Path: 
> security-basics-return-19744-koremeltdown=hotmail.com () securityfocus com
>
> One of our users has received questionable and possibly life threatening
> emails from a yahoo account that was created recently.  They have 
> approached
> us to find out as much as we can pertaining to the person sending it.
>
> Of course, we are not YAHOO so we cannot determine anything about the mail
> other than the content.
>
> How can we find out who sent this?
>
> _________________________________________________________________
> STOP MORE SPAM with the new MSN 8 and get 2 months FREE*  
> http://join.msn.com/?page=features/junkmail
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.  
http://join.msn.com/?page=features/virus


---------------------------------------------------------------------------
----------------------------------------------------------------------------