email issue

Buddha (Senior Member, Cape Town)
Hey peeps.

Question: One of the ladies in our dept is getting emails from an address @ yahoo.co.uk and they are obviously from someone in the area that can see her. They are pretty scary.. and well we need to find this sick **** and check what's happening.

Any suggestions to tracking this ****er down?

Was thinking about installing loggers on all the machines and viewing them after hours...

what are your thoughts?

-buddha
 
- Look at the mail headers
- Identify Source IP
- Map IP to Network (eg MTN, SAIX, Vodacom, Iburst, Telkom)
- Phone the Network Operator and get them to map the IP to username

Most likely they won't reveal the client's details. But try

Cheers
 
Hey Ubercal,

Microsoft Mail Internet Headers Version 2.0

Received: from web28108.mail.ukl.yahoo.com ([217.146.182.128]) by MY COMPANY.co.za with Microsoft SMTPSVC(6.0.3790.1830);
    Fri, 15 Dec 2006 10:17:22 +0200
Received: (qmail 22285 invoked by uid 60001); 15 Dec 2006 08:11:42 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.co.uk;
    h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
    b=sYsfaKc/12OT/3u+SPYhgTbk5g7k/XqGdnoL9f9nrg0IpS+eA/v6c/vAxdVRMcOYYZEnCg3a9ulUl/M7DwDvrITlK6z3iqGo0+IpNYovH11V57+CkFY/zCui7jMw+86YTlfgavJCKXARCRnOYT2lNG0qt3I3mJJDBsJujjbHPis=;
X-YMail-OSG: T1agRaYVM1n.oXMUBcG37Ubxu5BTY0rgDjI09SWo7brbLlvlSK7nvU7awaXlIs.UuWfFEBBhhPJF6Rwqzd_CvoLGyG._lf3gUtlQXrk59wbS_Da8AoxOHy8gV1CXQgWn.4m0
Received: from [196.207.40.213] by web28108.mail.ukl.yahoo.com via HTTP; Fri, 15 Dec 2006 08:11:41 GMT
Date: Fri, 15 Dec 2006 08:11:41 +0000 (GMT)
From: Tony Montana <[email protected]>
Subject: Thats'ok if you ignore
To: [email protected]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <[email protected]>
Return-Path: [email protected]
X-OriginalArrivalTime: 15 Dec 2006 08:17:22.0515 (UTC) FILETIME=[7230AA30:01C72021]

OK.. now what? How do I go about using this?

The 2 IPs are: 217.146.182.128 and 217.146.182.121 but I fear that that is yahoo.co.uk's address.

-buddha
 
I'm no network expert, but in the headers, it looks like the originating IP address is 196.207.40.213, which has the following details: (see below)

So it looks like whoever is doing this is probably using a 3G card from Vodacom.

I stand to be corrected here.

inetnum: 196.207.32.0 - 196.207.47.255
netname: VODA-GPRS1
descr: Vodacom
descr: PO Box 7243
descr: Roggebaai
descr: Cape Town
descr: 8012
country: ZA
org: ORG-VA67-AFRINIC
admin-c: JVA8-AFRINIC
tech-c: JVA8-AFRINIC
status: ASSIGNED PI
mnt-by: AFRINIC-HM-MNT
mnt-lower: AFRINIC-HM-MNT
changed: [email protected] 20050707
source: AFRINIC
parent: 196.207.0.0 - 196.207.255.255

organisation: ORG-VA67-AFRINIC
org-name: Vodacom
org-type: LIR
country: ZA
address: PO Box 7243
address: Rogebbai
address: Cape Town
address: 8012
phone: +27 11 653 5285
fax-no: +27 11 653 5940
e-mail: [email protected]
admin-c: JVA8-AFRINIC
tech-c: JVA8-AFRINIC
mnt-ref: AFRINIC-HM-MNT
notify: [email protected]
mnt-by: AFRINIC-HM-MNT
changed: [email protected] 20050309
source: AFRINIC

person: Jan van der Merwe
address: Private Bag x9904
address: Sandton
address: Gauteng
address: 2146
address: ZA
phone: +27 11 653 5285
fax-no: +27 11 653 5940
e-mail: [email protected]
nic-hdl: JVA8-AFRINIC
changed: [email protected] 20030327
changed: [email protected] 20030327
changed: [email protected] 20050221
source: AFRINIC
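The steps Ubercal listed (read the Received: headers, pick out the source IP, check it against the network's whois range) can be done mechanically, which avoids grabbing the wrong hop as Buddha did with the Yahoo relay addresses. The script below is an added example, not code from anyone in this thread; it embeds a constructed copy of the Received: chain posted above (company and mailbox addresses replaced with `.invalid` placeholders) and the VODA-GPRS1 inetnum range from Bernie's whois output. It walks the Received: hops from the bottom up, skips hops that name no sending host or use a non-routable address, and reports the first globally routable IP as the origin.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample input: the Received: chain from the header block posted
# in this thread, with the receiving company and mailboxes redacted.
SAMPLE_HEADERS = (
    "Received: from web28108.mail.ukl.yahoo.com ([217.146.182.128]) by"
    " MYCOMPANY.invalid with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "\t Fri, 15 Dec 2006 10:17:22 +0200\n"
    "Received: (qmail 22285 invoked by uid 60001); 15 Dec 2006 08:11:42 -0000\n"
    "Received: from [196.207.40.213] by web28108.mail.ukl.yahoo.com via HTTP;"
    " Fri, 15 Dec 2006 08:11:41 GMT\n"
    "Date: Fri, 15 Dec 2006 08:11:41 +0000 (GMT)\n"
    "From: Tony Montana <sender@example.invalid>\n"
    "Subject: Thats'ok if you ignore\n"
    "To: victim@example.invalid\n"
    "\n"
)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw_headers):
    """Return the Received: hops in travel order (oldest hop first).

    Each hop is a dict with the 'from' clause, the 'by' clause and the first
    IPv4 literal in the 'from' clause (None for local hand-offs such as the
    qmail line, which names no sending host).
    """
    msg = message_from_string(raw_headers)
    hops = []
    # Each relay prepends its own Received:, so the last one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = re.match(r"from (?P<frm>.+?) by (?P<by>\S+)", value)
        hop = {"from": None, "by": None, "ip": None, "raw": value}
        if m:
            hop["from"] = m.group("frm")
            hop["by"] = m.group("by")
            ips = IPV4_RE.findall(m.group("frm"))
            hop["ip"] = ips[0] if ips else None
        hops.append(hop)
    return hops


def originating_ip(raw_headers):
    """First hop whose sending address is globally routable, or None.

    Private/loopback addresses (a webmail front-end talking to its own
    backend, say) are skipped. Only hops written by relays you trust are
    tamper-proof: anything earlier in the chain could have been forged.
    """
    for hop in parse_hops(raw_headers):
        if hop["ip"] is None:
            continue
        if ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def in_assigned_range(ip, range_start, range_end):
    """True if ip lies inside an inetnum range taken from a whois record."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(range_start) <= addr <= ipaddress.ip_address(range_end)


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_HEADERS), 1):
        print(f"hop {i}: from={hop['from']!r} by={hop['by']!r} ip={hop['ip']}")
    origin = originating_ip(SAMPLE_HEADERS)
    print("originating IP:", origin)
    # VODA-GPRS1 inetnum range from the AFRINIC record quoted in this thread.
    print("inside 196.207.32.0 - 196.207.47.255:",
          in_assigned_range(origin, "196.207.32.0", "196.207.47.255"))
```

The two Yahoo addresses Buddha pulled out come from the first hop (Yahoo's outbound relay handing the mail to the company server) and are not the sender's; the via-HTTP hop is the one Yahoo's webmail stamped with the client's address, which is what the whois range check confirms. Note that `is_global` only filters reserved ranges; the whois lookup itself still has to be done against the registry (or with a tool like Domain Dossier, as suggested below).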

 
You probably have to report it to the local police, then Yahoo will reveal... but even then, internet addys are virtually untraceable.
 
You are posting very personal information (IP address) here. I think you should edit your post and delete it!

A nice (free) tool to investigate DNS/Domain issues is Domain Dossier.

Just open it, paste the IP in and select "Network Whois record". The page will tell you which ISP the IP belongs to. Usually there is an "abuse address" listed. Send an email to them explaining the issue with a copy of the original email including the header.

If you have any trouble, please PM me and I will gladly assist.
 
nothing personal here afaik - all public domain info...

AFAIK that's right... all the info is public info. The only details I removed were the details of the person getting the mail and our company details. The rest is public.

Anyway, gotten hold of Vodacom and getting some forms. Thanks for the help people!

-buddha
 
How can those IP addresses be personal info. There is a reason why they are called "Public IPs", lol
 
Good trace there Bernie - go to the top of the class - :)
 
I seriously doubt an IP address can be considered private, especially considering it's a dynamic one!
 
Just check for someone that is using a 3G card, Vodacom to be exact, in your office if you think it's someone from your office.
 
Or maybe even a cellphone. Know it's gonna be hard to find someone using their cellphone. Oh and the privacy issue, well it's not private, if it was you'd be able to sue every website that offers a whois service on the net.
 