Security Basics mailing list archives

RE: Hunting for Mr Badmouth


From: "Zachary Mutrux" <zmutrux () compumentor org>
Date: Wed, 27 Aug 2003 09:31:54 -0700

Messages he posted should contain the originating IP address in the headers.
If you can obtain email copies of the messages he sent, you can determine
this information.

From there you may be able to discern some information about his location
and/or identity. For example, the IP address may belong to a university or
business. If it belongs to a large, commercial ISP, you will probably have
to contact that entity for further assistance.

Yahoo may be responsive (although slow) to requests for assistance.

You can search on Google for phrases contained in his posts. He may have
posted similar messages elsewhere and left other clues. Also search for his
email address on Google.

If the email address was not made up just for the purpose of sending these
messages to the message board, you might be able to trick him into revealing
more information about himself. I'm not sure what the legal ramifications
are, so you might want to consult with counsel before attempting this. :)
For example, you could send an email message purporting to be a long-lost
acquaintance. He may respond with "who are you again?" or something like
that. If you can engage him in some kind of conversation he may give up
information about himself. If he doesn't check the mailbox or if it was
created only for sending messages to this message board, then obviously that
won't work.

You might also send a message saying, "I agree totally with what you are
saying. That company is the spawn of Satan." You might lure him out into a
conversation.

Try popping the Yahoo address into Yahoo Messenger. There is a slim chance
that he might use it. If he comes online you can try to engage him in a
conversation. Be vague and draw him out.

Zac



-----Original Message-----
From: Bob Walker [mailto:bobwalker8 () comcast net]
Sent: Tuesday, August 26, 2003 4:46 PM
To: security-basics () securityfocus com
Subject: Hunting for Mr Badmouth



I'm hoping this board can help me. I've been tasked with trying to
track down an individual who posted some comments to a Yahoo message
board defaming a company. Is there any way to track this individual,
short of a court order to Yahoo? His profile is private, and (duh!)
he's not responding to postings to email.

Any ideas on a direction to look or a tool to use would be greatly
appreciated.

Bob
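
Added example, not part of the original post: a sketch of the header check described in the reply's first paragraph, walking the Received chain of a saved message and picking the earliest non-private hop. The sample message, the function names and the use of an X-Originating-IP header are assumptions; the post only says the address is "in the headers".

```python
import email
import ipaddress
import re

# Constructed sample message; all addresses are documentation or private ranges.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby mail.recipient.example with ESMTP id abc123;
\tWed, 27 Aug 2003 09:31:54 -0700
Received: from webmail.example.net (webmail.example.net [192.0.2.25])
\tby mx.example.org with SMTP; Wed, 27 Aug 2003 09:31:50 -0700
Received: from [10.1.2.3] by webmail.example.net via HTTP;
\tWed, 27 Aug 2003 09:31:48 -0700
X-Originating-IP: [203.0.113.44]
From: poster@example.net
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918, loopback and link-local: these never identify a network owner.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def trace_hops(raw):
    """IPs from the Received chain, oldest hop first (headers are prepended)."""
    msg = email.message_from_string(raw)
    found = (IP_RE.search(h) for h in reversed(msg.get_all("Received", [])))
    return [m.group(1) for m in found if m]

def candidate_origin(raw):
    """Best-guess origin as (ip, source header), or None if nothing usable."""
    # Only hops stamped by servers you trust are reliable; older lines are
    # supplied by the sending side and can be forged.
    msg = email.message_from_string(raw)
    m = IP_RE.search(msg.get("X-Originating-IP", ""))
    if m and not is_internal(m.group(1)):
        return m.group(1), "X-Originating-IP"
    for ip in trace_hops(raw):
        if not is_internal(ip):
            return ip, "Received"
    return None
```

The address this returns identifies a network, which is why the reply's next step is looking up who the range belongs to.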

