T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
5127.1 | hacker@nowhere.com | CIMBAD::CROSBY | | Tue Feb 11 1997 14:47 | 10 |
| Send mail to lisa@nowhere.com and find out who hacker is. She is the
administrative contact for the domain.
nowhere.com is a domain registered in San Francisco, CA.
Go to the Internic whois service for more info.
Good luck.
gc
|
5127.2 | | TUXEDO::WRAY | John Wray, Distributed Processing Engineering | Tue Feb 11 1997 15:11 | 10 |
| >nowhere.com is a domain registered in San Francisco, CA.
It's trivial to forge "From:" and "Reply-to:" addresses, and it's
unlikely that someone in San Francisco would be breaking caravan
windows in South Africa. You really need to look in the SMTP logs of
the receiving machine to try to track down the IP address that sent the
mail (unless there are more "Received-from:" headers that aren't shown
in .0).
John
|
5127.3 | | COVERT::COVERT | John R. Covert | Tue Feb 11 1997 16:58 | 21 |
| The Received headers are, indeed, the critical pieces of information.
Remember, though, that any and all headers with the exception of the one
received header which got the message to your own POP server can be forged.
You need to take the message with ALL headers directly to the police and
go with a police search warrant to your internet provider and impound all
the SMTP logs and other sign-in logs for the time period affected.
Then you trace back to where the message came from given that information
(it may have originated right there, or elsewhere) and go to the next
source.
This is a time-consuming and difficult process that requires more expertise
than local police are likely to have.
If you really feel that there is a serious threat, and it sounds like there
is, you need to move first to protect lives by getting them out of all the
normal places they could be found, and worry about property later.
/john
|
5127.4 | | KANATA::TOMKINS | | Tue Feb 11 1997 18:00 | 10 |
| Don't fool around, report the incident to the local police, failing
their interest, try the state police and failing that, try the FBI. If
the address is of an entity registered in another state, appearances
are that at least the threat is an interstate issue falling under the
jurisdiction of the Federal Police (aka FBI).
Remember the Internet bomber guy was dangerous, and someone whacking
Windows out is at least physically violent.
rtt
|
5127.5 | I know Canada doesn't; they have The Mounties | COVERT::COVERT | John R. Covert | Tue Feb 11 1997 18:18 | 3 |
| Does South Africa have an "FBI"?
/john
|
5127.6 | | BHAJEE::JAERVINEN | Ora, the Old Rural Amateur | Tue Feb 11 1997 20:03 | 6 |
| >Does South Africa have an "FBI"?
probably not... but I'm sure there's a CIA branch around ;-)
...and you didn't complain about the spelling error.
|
5127.6 | Header | JOBURG::HARRIS | | Wed Feb 12 1997 13:12 | 22 |
| hacker@nowhere.com@PMDF@INTERNET
RFC-822-headers:
Received: from mail13.digital.com (mail13.digital.com)
by valmts.vbe.dec.com (PMDF V5.0-7 #16475)
id <01IFC02T0TB4003D9N@valmts.vbe.dec.com> for HARRIS@JHB.MTS.dec.com;
Wed, 12 Feb 1997 15:19:00 +0100 (CET)
Received: from aztec.co.za by mail13.digital.com (8.7.5/UNX 1.5/1.0/WV)
id JAA12808; Wed, 12 Feb 1997 09:11:37 -0500 (EST)
Received: from lizard [196.3.239.42] by aztec.co.za with smtp
(Smail3.1.29.1 #2) id m0vufOz-000arLC; Wed, 12 Feb 1997 16:11 +0200
(EET)
X-Sender: fides@imed.co.za
X-Mailer: Windows Eudora Light Version 1.5.2
This is the header info,
Regards Ivan
[End of file]
|
5127.7 | How long is a piece of string. | JOBURG::HARRIS | | Wed Feb 12 1997 13:20 | 8 |
| re .5 I called the Police and the response was "All Investigators look
after all cases!!!!" Jack of all trades!!! I did finally get hold of a
policeman who in his private time tackles these issues. The "Offices of
Serious Economic Offences" use private companies to assist!
What more can I say.
Regards Ivan
|
5127.8 | | TUXEDO::WRAY | John Wray, Distributed Processing Engineering | Wed Feb 12 1997 13:57 | 22 |
| > hacker@nowhere.com@PMDF@INTERNET
>
> RFC-822-headers:
> Received: from mail13.digital.com (mail13.digital.com)
> by valmts.vbe.dec.com (PMDF V5.0-7 #16475)
> id <01IFC02T0TB4003D9N@valmts.vbe.dec.com> for HARRIS@JHB.MTS.dec.com;
> Wed, 12 Feb 1997 15:19:00 +0100 (CET)
> Received: from aztec.co.za by mail13.digital.com (8.7.5/UNX 1.5/1.0/WV)
> id JAA12808; Wed, 12 Feb 1997 09:11:37 -0500 (EST)
> Received: from lizard [196.3.239.42] by aztec.co.za with smtp
> (Smail3.1.29.1 #2) id m0vufOz-000arLC; Wed, 12 Feb 1997 16:11 +0200
> (EET)
> X-Sender: fides@imed.co.za
> X-Mailer: Windows Eudora Light Version 1.5.2
That looks like the headers from a copy of the message that was
forwarded to you, rather than the headers from the message your sister
received. You'll have to get your sister to look at the original
headers. I don't know Eudora Light, but I'm sure there's an option to
display full headers.
John
|
5127.9 | Blah, Blah... | DV780::NOTOV | Danno @ Large (.com) | Wed Feb 12 1997 16:44 | 3 |
| With the Macintosh version, there is a button on the window with the
words "Blah, Blah..." If you press that button, the full header
information will appear
|
5127.10 | | SMURF::16.33.32.209::PSH | Per Hamnqvist -- UNIX Base OS Networking | Wed Feb 12 1997 18:07 | 4 |
| .za? Isn't that Zaire? Makes sense. At least you might be dealing with
a local weirdo.
>Per
|
5127.11 | | AIMT10::SMITH | Tom Smith MRO1-3/D12 dtn 297-4751 | Wed Feb 12 1997 18:07 | 3 |
| And on MS Windows, it's "Show all headers, even the ugly ones".
|
5127.12 | | BHAJEE::JAERVINEN | Ora, the Old Rural Amateur | Wed Feb 12 1997 18:12 | 2 |
| re .10: No, .za is South Africa. Zaire is zr.
|
5127.13 | no preferences yet | JOBURG::HARRIS | | Wed Feb 12 1997 19:17 | 6 |
| Re .9
I asked my sister to look for a button/heading under one of the options
called "Preferences" but so far no luck.
Ivan
|
5127.14 | | PADC::KOLLING | Karen | Wed Feb 12 1997 20:41 | 8 |
| If there is a Help button, she should try that and see if it tells
her how to get header info. Or can she look at the message as
a file directly? That is, is there the equivalent of UNIX's Mail/inbox
directory?
Also, she should contact her internet service provider pretty promptly.
Their syslogs may recycle once a week, and they may not back them up.
|
5127.15 | | AIMT10::SMITH | Tom Smith MRO1-3/D12 dtn 297-4751 | Wed Feb 12 1997 23:29 | 29 |
| In Eudora Light 1.5.4, it's under Tools|Options|Fonts & Display.
Select "Show all headers (even the ugly ones)". I think it's the same
for 1.5.2.
Or, as Karen suggested, she can look at the mailbox file directly with
a text editor. In whatever her mail directory is, there should be a set
of files with an ".MBX" extension, each with a name corresponding to the
name of one of her Eudora folders (IN.MBX, OUT.MBX, etc.). If she opens
the .MBX file corresponding to the folder that message is in, the
complete message will be something like the following:
From ???@??? Wed Feb 05 17:09:14 1997
X-POP3-Rcpt: <her POP address>
Return-Path: <sender's alleged address>
[lots of Mumble: lines]
From: Sender Name <sender address>
[more Mumble: lines]
[actual message]
From ???@??? .... [start of next message]
Also as Karen suggests, send the complete message *NOW* to her ISP and
to postmaster@<relay-host> and root@<relay-host> for every relay listed
in the Received headers so they can preserve the logs! At least send
the ISP the date, time, sender, recipient, and Message ID (if you have
it) even if you can't figure out immediately how to get the entire
message.
-Tom
|
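As an added example (not code from this conference or any of the posters), the Received-chain walk that .2 and .3 describe and the postmaster@/root@ contact list from .15, run over the headers quoted in .6 as a constructed sample: only the hop stamped by your own server is trusted, and a break in the from/by chain is the usual sign of an inserted header. The server name valmts.vbe.dec.com comes from the quoted headers; chain_breaks and log_preservation_contacts are helpers invented for this example.

```python
import re

# Constructed sample: the thread's Received chain, re-folded with RFC 822 continuation lines.
SAMPLE_HEADERS = """\
Received: from mail13.digital.com (mail13.digital.com)
 by valmts.vbe.dec.com (PMDF V5.0-7 #16475)
 id <01IFC02T0TB4003D9N@valmts.vbe.dec.com> for HARRIS@JHB.MTS.dec.com;
 Wed, 12 Feb 1997 15:19:00 +0100 (CET)
Received: from aztec.co.za by mail13.digital.com (8.7.5/UNX 1.5/1.0/WV)
 id JAA12808; Wed, 12 Feb 1997 09:11:37 -0500 (EST)
Received: from lizard [196.3.239.42] by aztec.co.za with smtp
 (Smail3.1.29.1 #2) id m0vufOz-000arLC; Wed, 12 Feb 1997 16:11 +0200
 (EET)
"""

HOP_RE = re.compile(r"^Received:\s*from\s+(?P<from>[^\s;()]+)(?:\s+\[(?P<ip>[\d.]+)\])?"
                    r".*?\bby\s+(?P<by>[^\s;()]+)", re.IGNORECASE)

def unfold(raw):
    """Join RFC 822 continuation lines so each header is one logical line."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def received_chain(raw, my_server):
    """Hops in delivery order (origin first). Only the hop stamped by my_server, the
    recipient's own mail server, is trusted; earlier lines can be forged wholesale."""
    hops = []
    for h in unfold(raw):
        m = HOP_RE.match(h)
        if m:
            hops.append({"from": m["from"], "ip": m["ip"], "by": m["by"],
                         "date": h.rsplit(";", 1)[-1].strip(),
                         "trusted": m["by"].lower() == my_server.lower()})
    return hops[::-1]  # each relay prepends its line, so reverse to get origin first

def chain_breaks(hops):
    """Positions where hop i's 'by' host is not hop i+1's 'from' host: a gap that
    usually means an inserted (forged) line or a relay naming itself differently."""
    return [i for i in range(len(hops) - 1)
            if hops[i]["by"].lower() != hops[i + 1]["from"].lower()]

def log_preservation_contacts(hops):
    """postmaster@/root@ for every relay that stamped a line, to ask for log preservation."""
    relays = list(dict.fromkeys(h["by"] for h in hops))
    return [f"{u}@{host}" for host in relays for u in ("postmaster", "root")]
```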