spoofed email tracing

[efluential]

I have a client who is receiving death threats by a pretty savvy cyberwiz using AOL' choose your own ISP...spoofed every step of the way...private use, black holes...can't get back farther than the proxy server?

ANY HELP/tips???

[Info Tech Geek]

Contact the authorities, they may have someone who can assist you with collecting the information you need and the steps to go about reporting it. The main information you are looking for should be stored in the header and all e-mails should be forwarded to abuse@thereISP.com. If you think this is just a prank or someone harrassing him, I would just block all emails from this individual.

[MrLinus]

..who is receiving death threats by a pretty savvy cyberwiz using AOL' choose your own ISP...

Perhaps there is something I don't quite understand but why not file a complaint with AOL? I would suspect that it is against their AUP and they should be able to help especially if you get law enforcement involved.

[The Duck]

So far what were your techniques to go about trying to trace him? My advice is to look at the header of the email and get the IP. Then do a WHO IS lookup and a tracert in the command prompt on the IP address. If you get two different ISP's, which was my problem when tracking down spammers, go to both of the ISP's websites and look for contact information and send a complaint with an attachment of the email the moron sent you to both ISP's. They will tell you if they need any more info or whatever in order for them to do anything.
Hope this helped

[Tedob1]

here i sent a message from aol to myself. neither the ipaddress of the computer or the account im using appear in the header. only thr user name im using and the domain are there. there is also a Message-ID: <79.2748ceae.2db421b9@aol.com> wich im sure aol could use to id the account this came from at that given time.


Received: from imo-m27.mx.aol.com ([64.12.137.8]) by myserver.COM with Microsoft SMTPSVC(5.0.2195.6713);
Sun, 18 Apr 2004 14:30:20 -0400
Received: from myhomeaolaccount@aol.com
by imo-m27.mx.aol.com (mail_out_v37_r1.2.) id 2.79.2748ceae (4206)
for <myaccount@myserver.com>; Sun, 18 Apr 2004 14:23:53 -0400 (EDT)
From: myhomeaolaccount@aol.com
Message-ID: <79.2748ceae.2db421b9@aol.com>
Date: Sun, 18 Apr 2004 14:23:53 EDT
Subject: Fwd: Microsoft Security Bulletin Re-releases, April 2004
To: myaccount@myserver.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part1_79.2748ceae.2db421b9_boundary"
X-Mailer: 8.0 for Windows sub 6024
Return-Path: myhomeaolaccount@aol.com
X-OriginalArrivalTime: 18 Apr 2004 18:30:20.0608 (UTC) FILETIME=[34890C00:01C42573]

<names have been changed to protect whoever>


BUT...if this were a bogus/stolen account, which i would think it would be, your chance of aol catching them is slim to none. it would be to cost prohibitive. you could call the fbi and if your life is important enought they could query their handy dandy stick their E-ears into everyones messages database, match it to intel's non existant id tag then see where else that non existant tag appears. hypothetically speaking of course.

let me ask...do they respond to replys?

[The Duck]

Isnt that IP address yours in the "received from" line? Yeh, I think it is, when you type "ipconfig/all" in the command prompt, you get your computers ip address, so if you are trying to match that IP address with the IP address in the header it wont match. But your computer's IP address is not important in this case. We want your routers IP address, which is shown in the header you just showed us. Tracing that IP address would still lead you to a valid ISP.

[OverdueSpy]

You may find these sites helpful.
The first lists a slew of different e-mail clients and how to display the associated header information. http://www.abika.com/Reports/Samples...eaderguide.htm
This one is a quick overview of deciphering an e-mail headder.
http://www.usus.org/elements/tracing.htm

[11001001]

Question: If it's spoofed the whole way down, can you be sure it's originating from an AOL account?

If you can verify that they are using AOL, contact the local law enforcement. They can get subscriber information from AOL, and find out who owns the screen name. (Billing logs)

[PM8228]

Like everybody else here said, report this to law enforcement. I have a feeling you won't really catch who did it if they know what they are doing. That AOL account could very well be stolen and with plenty of exploitable SMTP servers and proxies it could be a while or never. Maybe if your friend changed their account and avoided posting the new account in connection with their name.

-Cheers-

[thehorse13]

My experience with the fine folks at the AOL NOC has been nothing short of useless. The *only* time they get their asses in gear is if a request comes in from federal, state, or local law enforcement. The sad reality here is that if you pursue this as a private citizen, you'll be ignored. I have several contacts inside AOL's northern VA facility and all of them have the same story. AOL receives *thousands and thousands* of complaints a day and they run them through a home grown script that applies some criteria checks to the e-mails. If a hit occurs, it gets kicked off to an analyst. Now, if you are law enforcement, you have a private phone# and e-mail address that is serviced immediately.

Anyway, not much help in tracking down your spoofer but I do want you to know that your chances of finding the person are stacked heavily against you.

Sorry I don't have better news.



--TH13