Re: Distressing, possibly life threatening emails from free accounts (yahoo, hotmail

[Juan Velasquez <Juan () EvolutionH com>]

heh.
   thats funny.
The IP that will appear at the top of the email headers will be a Yahoo 
Web server.
Since it was after all,  a Yahoo Web Server which sent the email on the 
behalf of a yahoo web serfer.

The police can get an 'Administrative Subpoena' against yahoo to get the 
IP address of the offender.
Then some 1 month later, when the police get the IP from yahoo,  they 
can get another administrative subpoena against the ISP of the IP which 
sent the email.

I had a client whom was getting harashed in this same way.
We are located in Hawaii and the police said,  "its not worth it to us 
to go get an administrative subpoena against some company on the 
mainland for such a misdomenor hassrasment charge."

So I had to devise a method of getting the Offenders IP address without 
the help of the police or yahoo.
I was successful in my methods,  which were easy.

Once I had the offenders IP address, which turned out to be from a local 
hawaii ISP, the police gladly got an administrative subpoena against the 
ISP here, and caught the guy.


If you like,  you can pay me for 3 hours of my time, to attempt to get 
the IP address of the offender.
I will charge $50/hour. so $150.
If you are skilled hack0r, the idea is simply.  maybe you can do it 
yourself.
heres a hint:
   Content-Type: text/html
   <img 
src="myserver.com/images/file.jpg?034950934850394785908347598374598347">



got to run. see j0.




KoRe MeLtDoWn wrote:

> Hi there Stephen,
> What you need to do first off evaluate the is look at the email 
> header, and look for the IP address that sent the email. Once it is 
> determined which IP address created the email, do a reverse DNS on 
> that IP address. This can be done quickly and effieciently at 
> http://remote.12dt.com/rns/ without any hassles.
> if for example your reverse dns reveals a hostname of 
> 210-54-108.dialup.xtra.co.nz then you would visit xtra.co.nz and  
> determine weither or not they are an ISP. After this, you can gather 
> contact email addresses for the ISP.
> You would then write to the ISP; though calling it if it is local may 
> produce better results and inform them of the incident, including an 
> EXACT dialog, the time it took place, informing them that it was one 
> of your users that was the target, and give them a little reminder 
> that what has taken place is highly illegal and needs to be acted apon 
> internally or you have the right to take legal action. From here; your 
> ISP is not legally oibliged to give you the information of the account 
> holder that was using the said IP at the time the email was sent; 
> HOWEVER they are legally abliged (in most civilised countries at 
> least) to give contact details to law enforcement if such a request is 
> to be made of them. If they refuse to give you the information 
> personally (and they will) then your only other option of finding out 
> who is responsible is to phone the police; whom will take criminal 
> action against the offender. This would involve the usual cyber crime 
> task forces etc tracking the person - they would essentially do what 
> Ihave just explained, and possibly a little more :)
>
> If you have any problems with any of the email header stuff drop me a 
> line and I will get the information you need.
> Good Luck.
>
> Kind regards,
>
>
> Hamish Stanaway
>
> Absolute Web Hosting / -= KoRe WoRkS Internet Security
> Owner/Operator
> Auckland
> New Zealand
>
> http://www.webhosting.net.nz/
> http://www.buywebhosting.co.nz/
> http://www.koreworks.com/
>
>
>
>
>
> > From: "steve baker" <stephenbbaker () hotmail com>
> > To: security-basics () securityfocus com
> > Subject: Distressing, possibly life threatening emails from free 
> > accounts (yahoo, hotmail
> > Date: Tue, 27 May 2003 12:38:58 -0400
> > MIME-Version: 1.0
> > X-Originating-IP: [167.199.152.207]
> > X-Originating-Email: [stephenbbaker () hotmail com]
> > Received: from outgoing2.securityfocus.com ([205.206.231.26]) by 
> > mc6-f42.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Wed, 
> > 28 May 2003 10:00:56 -0700
> > Received: from lists.securityfocus.com (lists.securityfocus.com 
> > [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 
> > 354EA8F4EC; Wed, 28 May 2003 10:18:49 -0600 (MDT)
> > Received: (qmail 5892 invoked from network); 27 May 2003 16:12:02 -0000
> > X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
> > Mailing-List: contact security-basics-help () securityfocus com; run by 
> > ezmlm
> > Precedence: bulk
> > List-Id: <security-basics.list-id.securityfocus.com>
> > List-Post: <mailto:security-basics () securityfocus com>
> > List-Help: <mailto:security-basics-help () securityfocus com>
> > List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> > List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> > Delivered-To: mailing list security-basics () securityfocus com
> > Delivered-To: moderator for security-basics () securityfocus com
> > Message-ID: <BAY8-F117HfbBfbEc7m00018422 () hotmail com>
> > X-OriginalArrivalTime: 27 May 2003 16:38:58.0943 (UTC) 
> > FILETIME=[78DFA0F0:01C3246E]
> > Return-Path: 
> > security-basics-return-19744-koremeltdown=hotmail.com () securityfocus com
> >
> > One of our users has received questionable and possibly life threatening
> > emails from a yahoo account that was created recently.  They have 
> > approached
> > us to find out as much as we can pertaining to the person sending it.
> >
> > Of course, we are not YAHOO so we cannot determine anything about the 
> > mail
> > other than the content.
> >
> > How can we find out who sent this?
> >
> > _________________________________________________________________
> > STOP MORE SPAM with the new MSN 8 and get 2 months FREE*  
> > http://join.msn.com/?page=features/junkmail
> >
> >
> > --------------------------------------------------------------------------- 
> >
> > ---------------------------------------------------------------------------- 
>
> _________________________________________________________________
> MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.  
> http://join.msn.com/?page=features/virus
>
>
> --------------------------------------------------------------------------- 
>
> ---------------------------------------------------------------------------- 

--
Juan Velasquez
Juan () EvolutionH com
808-934-9440




---------------------------------------------------------------------------
----------------------------------------------------------------------------