URGENT HELP NEEDED

archer

Newbie

Posts: 4

Joined: Wed Apr 04, 2007 5:49 am

Post Wed Apr 04, 2007 6:08 am

URGENT HELP NEEDED

Hello friends,
a desperate try on google brought me to this site.
I need very URGENT help regarding one issue. I really hope you understand the situation, and I guess you surely will.

I'm not trying to hack/break any privacy nor trying to have any fun with cracking things. Trust me.


Someone has sent a controversial e-mail regarding one of my friends to a HUGE number of people at their email addresses.

The email ID from which the email was sent is a fake ID, probably only created for the purpose of mass mailing.

The letters of the email ID contain the name of a person who is also a friend of ours, and as he said, he did not email anyone, nor is it his email address.

We have managed to get the headers and the IP address from which the mail was sent, but have not been able to locate the place, as the ISP says it is a dynamic IP.

I need to ask you guys: how can you help me find the exact location of that IP on the same date and time the mail was sent?


Please respond.
Eagerly awaiting your reply.

Thank you,

heffnercj

EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Wed Apr 04, 2007 7:54 am

Re: URGENT HELP NEEDED

Hi Archer,

If you could find this individual, what would you do? If the contents of the email are such that they warrant legal action, I would strongly suggest involving a lawyer or the police and letting them take care of it. If you just want to find out "who dun it" and confront them, it's probably a bad idea...I realize that you and your friend are probably pretty ticked off at this point, but in my experience it's usually better to leave well enough alone.

You probably aren't going to be able to find who this is without a legal battle anyway, and even then proving for sure who sent this email is going to be difficult. I don't have much forensic expertise so take this at face value, but:

1) Email headers can be spoofed, so it's possible that the email didn't originate from the IP address listed in the email.

2) Even if the IP listed is the real one, since it is a dynamic IP address, you aren't going to be able to prove who sent the email without records from the ISP. Even if the ISP has a list of all the subscribers who have used that IP address in the last X amount of days/weeks/months, they probably aren't going to turn that information over to anyone without a court order, and certainly not to you.

3) Even if you get the name, address, phone number, whatever of the customer who was using that IP address at that time, you still have to prove that THEY sent it. If they have a wireless network at home, an unauthorized person could have been using their Internet connection to send the email. They could have been infected with some sort of trojan or malware that sent the email without their knowledge. You would really need to get some forensics experts to verify this, and proving that someone did or didn't use their wireless connection is very difficult.

In short, if it isn't something serious enough to involve the authorities, then leave it alone; taking matters into your own hands will only make things worse for you and your friend, especially if you go beating down the wrong person's door. If you decide to take legal action, be prepared for a long investigation and court battle. Maybe someone else here can give you more/different guidance, but that's my 2 cents.

venom77


Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed Apr 04, 2007 9:11 am

Re: URGENT HELP NEEDED

Agreed. Well said.

LSOChris

Post Wed Apr 04, 2007 10:14 am

Re: URGENT HELP NEEDED

that door you go beat on will probably be some dude with an unsecured WAP and will have no idea what the heck you are talking about.

don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Apr 04, 2007 10:14 am

Re: URGENT HELP NEEDED

heffnercj's point #2 is correct. The ISP will have records as to which customer was using the dynamic IP, but:

1. They won't give it to you personally. The authorities and/or a lawyer must get involved.
2. It doesn't prove it was the customer, i.e. stolen wireless access as mentioned.

So what do you do?

How about sending an email to everyone in his address book quickly explaining that the offensive message was not from him. Add an apology for any misunderstanding or inconvenience, then let it go.

Honestly, if there were no monetary damages or other more significant consequences, the authorities are unlikely to get involved in such a small case. If it is an issue of slander and your friend has the money, get a lawyer.

But to answer your question directly, there's not much we can do to "find the exact location of that IP on the same date and time the mail was sent." A private IP address means nothing. Only the ISP has that info, and for the protection of their own customers, won't give it to you for the reasons above.

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME

Negrita


Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Wed Apr 04, 2007 5:14 pm

Re: URGENT HELP NEEDED

OK, I used to manage shifts at the NOC of an ISP, so I'll tell you how it goes:
1. The source address of the e-mail should be the one next to the bottom-most "Received from:" line in the header. Once you have that address you should run a whois search to find out who the ISP is and also how to contact their Abuse department.
2. When working in the NOC I would get abuse incidents from 2 sources: the police and the Abuse department manager. No one else is allowed to approach the NOC with an abuse-related issue.
3. If the incident was opened by the Abuse department manager, all information would be passed on to him, and he would deal with the blue-tape.
4. If the incident was opened by the police, we would give them a call back. We had a list of specific officers with whom we could deal, and they all belonged to 1 specific unit. Only those officers could approach us. If a lawyer, judge or even a high-ranking police officer from a different unit approached us directly, they would just be referred to the specific unit we were allowed to deal with.
5. We were not allowed to give any information away without receiving a court order signed by a judge first, even if the incident was life-threatening. The Abuse department manager would have to be notified first before giving any information away.
6. Finding the perpetrator is quite easy - just run grep on the RADIUS logs, and then correlate the info with subscriber details from the CRM.
7. Once the information had been given it was out of our hands. We have no way of knowing if the said subscriber is actually guilty of the said crime. If need be, the Abuse department would then work together with the Fraud department and Legal Counsel if the case went to court.

In general the only things that ever got priority were suicide threats on forums and chat rooms. Spam and malicious mails etc. got dealt with, but not so urgently.

P.S. The Abuse department does monitor mail sending rates to pinpoint possible spammers. In 99% of the cases, the spammers are usually uneducated users that have been infected unwittingly by some malware, and are only guilty of their own ignorance.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
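Negrita's steps 1 and 6 in code form, as an added example that is not part of the original thread: it pulls the hop chain out of a constructed set of Received headers, keeps only the hops added by servers you trust (heffnercj's point that lines below those can be forged), and then correlates the resulting IP and timestamp against constructed RADIUS accounting records the way an ISP NOC would. All hostnames, addresses and records are constructed placeholders.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header block: newest hop on top, oldest at the bottom. The
# bottom hop is the one the ISP relay added when it took the mail from the sender.
RAW_MSG = """Received: from mx.example-isp.invalid ([192.0.2.10])
\tby mail.recipient.invalid with ESMTP; Wed, 04 Apr 2007 06:02:11 +0000
Received: from relay.example-isp.invalid ([192.0.2.5])
\tby mx.example-isp.invalid with ESMTP; Wed, 04 Apr 2007 06:02:05 +0000
Received: from user-pc ([203.0.113.77])
\tby relay.example-isp.invalid with SMTP; Wed, 04 Apr 2007 06:01:58 +0000

body
"""
HOP_RE = re.compile(r"from (?P<from>\S+) \(\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+) .*?; (?P<date>.+)$")

def received_chain(raw):
    """Hops parsed from the Received headers, ordered oldest (bottom) to newest (top)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.match(re.sub(r"\s+", " ", value).strip())  # unfold the header first
        if m:
            hop = m.groupdict()
            hop["when"] = parsedate_to_datetime(hop.pop("date"))
            hops.append(hop)
    return hops

def origin_hop(raw, trusted_servers):
    """Walk newest-first, descending only while the 'by' server is one you trust."""
    origin = None
    for hop in reversed(received_chain(raw)):
        if hop["by"] not in trusted_servers:
            break  # anything below this hop could have been forged by the sender
        origin = hop
    return origin

# Constructed RADIUS accounting records (ip, start, stop, subscriber) an ISP NOC would grep.
RADIUS_ACCT = [
    ("203.0.113.77", "2007-04-04T02:15:00+00:00", "2007-04-04T05:40:00+00:00", "subscriber-a"),
    ("203.0.113.77", "2007-04-04T05:45:00+00:00", "2007-04-04T09:10:00+00:00", "subscriber-b"),
]

def subscriber_for(ip, when, records=RADIUS_ACCT):
    """Subscriber whose session covered ip at time when, or None if no session did."""
    for r_ip, start, stop, sub in records:
        if r_ip == ip and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(stop):
            return sub
    return None
```

With only the recipient's own server trusted, `origin_hop` stops at the top hop, which is all the recipient can vouch for; trusting the ISP relays as well walks down to the sender's address.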

archer

Newbie

Posts: 4

Joined: Wed Apr 04, 2007 5:49 am

Post Thu Apr 05, 2007 1:40 pm

Re: URGENT HELP NEEDED

Hello :)

I really appreciate and thank you heffnercj, venom77, ChrisG, don, Negrita for your quick and very valuable replies.

I would like to key in a few points here which might help us shed some light on the issue.

I'm from India, and unless we have physical evidence with us we cannot have a warrant issued against the culprit.
We had lodged a police complaint and were also able to trace the computer and the owner of the internet connection, but it looks like the address provided to us is not very precise.

We're sure that the person who sent the email is not very intelligent regarding hiding IPs or similar activities.
We also do not want to enter the email account from which the mail was sent (if that is going to be very impractical).

The email that was sent is bad enough to ruin the friend's life and career. A similar incident took place with the same friend last year as well, but unfortunately we couldn't do anything about it. The email ID that is used this time is in a similar pattern to the one used last time.

I very well understand your views regarding this in your replies, and many things are now added to my knowledge.

Now, something more I would like to ask is: if I give you the header information, can you guys help me find out at which place/city that IP was in use when the email was sent, without the user information and the exact address?

I think getting even this information can help us find the person.

Looking forward to your replies.

Thank you :)
Have a nice time.

heffnercj

EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Thu Apr 05, 2007 1:46 pm

Re: URGENT HELP NEEDED

A Google search will come up with several IP locator sites that will give you a general location of where the IP address is registered, although accuracy can vary.

archer

Newbie

Posts: 4

Joined: Wed Apr 04, 2007 5:49 am

Post Thu Apr 05, 2007 2:06 pm

Re: URGENT HELP NEEDED

I did.
But it shows very vague results.
But then again, it doesn't give me results as per the time and date specified.

Can you tell me which ones to use?

don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Apr 05, 2007 2:09 pm

Re: URGENT HELP NEEDED

Try this:

http://www.dnsstuff.com/

Go to this site, scroll down and you will see a number of places to put an IP address and get a wealth of information.

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME

Negrita


Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Thu Apr 05, 2007 4:32 pm

Re: URGENT HELP NEEDED

archer, feel free to send me the e-mail header and I'll gladly help you out. If you need help getting the header I can help you with that too, just tell me which mail client you are using (Thunderbird, Kmail, Outlook, Outlook Express, Apple Mail, etc.).
Send it to negrita1 <at> gmail <dot> com.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

slimjim100


EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Thu Apr 05, 2007 7:26 pm

Re: URGENT HELP NEEDED

I like using www.whois.sc for looking up websites and IP addresses.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

archer

Newbie

Posts: 4

Joined: Wed Apr 04, 2007 5:49 am

Post Sat Apr 07, 2007 12:11 pm

Re: URGENT HELP NEEDED

Thank you so much again heffnercj, don, Negrita, slimjim100 for your replies. :)

Negrita, I have sent you the mail. Kindly review it and please do update me if anything is possible.

Have a nice time everyone.
Cheers.

Negrita


Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Sat Apr 07, 2007 7:51 pm

Re: URGENT HELP NEEDED

archer, please see my reply mail with all the relevant information. That's as much as I could find in the short time I checked. :)

P.S. I wouldn't trust the geolocation very much as the tools are very inaccurate.
Last edited by Negrita on Sat Apr 07, 2007 7:54 pm, edited 1 time in total.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.