Hi Steve,
I've been involved in quite a few law enforcement investigations involving internet
traffic and email. The first thing you need to do is take a look at the header of the
message; here is an example (somewhat sterilized):
MAIL From:<[EMAIL PROTECTED]>
RCPT To:<some1@somewhere>
Received: from baylink.MOZCOM.COM
([208.142.140.**])
by victim.some.org; Sat, 27 May 1900 17:44:14 -0700
Received: from - [202.110.81.19] by baylink.MOZCOM.COM with ESMTP
(SMTPD32-4.06) id A001111011E; Sun, 28 May 1900 08:49:21 DT
From: "[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Hope that hurt asshole...
To: <nCAop1V****DUo7.2AYGHmZ.com>
X-Mailer: Microsoft Outlook Express 4.05.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V��D.1712.3
Mime-Version: 1.0
Date: Sun, 28 May 1900 07:38:46 +0800
Content-Type: multipart/mixed; boundary="----=_NextPart_000_007F_01BDF6C7.FABAC1B0"
Content-Transfer-Encoding: 7bit
Reading from the top down, the FIRST IP address you see is the closest thing you have
to the perp's physical location, so you can go to http://www.arin.net/whois/index.html
or http://www.ripe.net/cgi-bin/whois or http://www.apnic.net/apnic-bin/whois.pl,
depending on which country the IP address is registered in, to find out who, what,
where. With this information you have enough to secure your first subpoena (depending
on the severity of the offense).
Next you can subpoena all the ISPs whose mail accounts provide evidence in the
investigation, i.e., HOTMAIL (Microsoft), Yahoo, AOL, etc., to get user information.
This could (and usually does) result in nothing because these accounts can be created
anonymously. If the crime was severe enough you may have to subpoena telephone
company records to find out where the perp dialed up from (assuming they used a PPP
connection).
Needless to say you are in way over your head (unless you have government-style
deep pockets) and should relegate yourself to reporting it to the ISP's abuse
department and/or filtering the source at your border router.
cheers..
Marc..
+++++++++++++++++++++++
Marc Renner - Director http://ci.marysville.wa.us
Network Operations Dept. Mailto:[EMAIL PROTECTED]
City of Marysville, Wa. (360) 651-5000
ISSA Member # 10281 http://www.issa.org
+++++++++++++++++++++++
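A small tracer for the Received chain discussed in the message above, added here as an example; it is not part of Marc's post or of any tool he names. The sample header, hostnames and addresses are constructed (RFC 5737 documentation ranges). Each relay prepends its own Received line, so the earliest hop sits at the bottom of the chain; the code walks up from there to the first public address, skipping private-range relays that a registry whois lookup cannot attribute.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample modelled on the sterilized header in the post: RFC 5737
# documentation addresses, placeholder hostnames, and one internal hop (192.168.1.20).
SAMPLE_HEADERS = """\
Received: from relay.example.net ([198.51.100.7])
\tby victim.example.org; Sat, 27 May 2000 17:44:14 -0700
Received: from - [203.0.113.19] by relay.example.net with ESMTP
\t(SMTPD32-4.06) id A001111011E; Sun, 28 May 2000 08:49:21 DT
Received: from [192.168.1.20] by 203.0.113.19 with SMTP; Sun, 28 May 2000 08:49:00 +0800
From: sender@example.com
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# RFC 1918, loopback and link-local ranges: hops here are internal relays
# that a registry whois lookup cannot attribute to anyone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_chain(raw_message):
    """'from' IP of every Received header, in header order: index 0 is the relay
    that handed the message to you, the last entry is the earliest hop.  Only the
    text before 'by' is searched so the receiving host's address is not counted."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        from_part = re.split(r"\sby\s", hdr, maxsplit=1)[0]
        m = IPV4_RE.search(from_part)
        if m:
            hops.append(m.group(1))
    return hops


def origin_candidate(raw_message):
    """Walk from the earliest hop toward your own server and return the first
    non-internal address, the best target for a registry whois lookup.  Caveat:
    every Received line below the one your own server wrote may be forged."""
    for ip in reversed(received_chain(raw_message)):
        if not is_internal(ip):
            return ip
    return None
```

Only the Received line written by your own mail server is trustworthy; treat everything below it as claims made by the sender's side until corroborated by the relay operators.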
>>> "Lodin, Steven {IT S~Indianapolis}" <[EMAIL PROTECTED]> 05/31/00 11:16AM >>>
Good day!
If I have an email-based attack happening from Hotmail, how can I get more
information about the owner of the Hotmail account, IP addresses of the
people using that account, etc... in order to facilitate my investigation?
Does the [EMAIL PROTECTED] service work?
Thanks for your advice!
Steve
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]