Solved

threatening e-mail

Posted on 2003-03-07
35
Medium Priority
603 Views
Last Modified: 2010-04-11
I received a threatening e-mail directed to me specifically at my small business and would like to find out who the domain is registered under for my protection. Is there a site I can post a complaint to, or a way I can find out who this mail is originating from? The mail was from: rootdown1@nyc.rr.com

Thanking you in advance for your help - I am so unnerved by this!
0
Comment
Question by:mamuse
35 Comments
 
LVL 1

Expert Comment

by:slartibartfarst
ID: 8089029
I suggest you contact the police.  They have the authority and the means to investigate the origin of such emails.
0
 

Expert Comment

by:falban
ID: 8089112
rr.com seems to be an ISP. Chances are the email didn't come from them, but from a user or hacker. It may even be that their mail server is an open relay and someone used it to bounce the mail to you. I agree with slartibartfarst, call the police and have them investigate it.

Do remember that most things you receive through email are hoaxes, so you most likely don't have anything to worry about. Be safe and report it.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8089607
You should post the message (and *ALL* its headers) into the spamcop header demystifier - this will give you the actual ISP of the sender. Usually the connection will be via a dialup, which means only the ISP can really trace it back - but that information is awkward to obtain and never available to the general public (particularly non-customers), so it may be better to contact the abuse@ address of the ISP *and* the police (mentioning to each that you have contacted the other), which may chivvy them both along a bit. Normally, the ISP will provide the information to the police if they ask. Remember though, you need *full* headers from the email to establish the time the message was sent and the IP address it was sent from (from which the ISP can derive the user account and often the phone number).
Anyhow - use the www.spamcop.net tool to read the headers and move forward from there....
0
 
LVL 24

Accepted Solution

by:
SunBow earned 200 total points
ID: 8092248
You should: contact your service provider. They are there to take care of you and others in the community, so they have a stake. They are also more knowledgeable - AND have better snooper capability.

rr.com is a cable company, for Time-Warner, which is AOL. But in short, it is direct-connect public, which means the owner of the EM ID likely does not know of the memo you refer to. If there is such an ID in the first place, it is spoofed, so it could be made up to be anything. Their computers can easily become zombies. You may want to review the memo and assess if it looks geared to make you send a flame back. If so, it may be a real ID. You could visit a site like SamSpade to ID who's who at rr.com, the remote ISP, but here is an easier solution:

Call up memo and reply, forwarding all content, to sender as listed.

Ask simple question such as:

"Did you really mean to send this to me?"

Do it in own words, with appropriate measure, level of flame.

> mail was from: rootdown1

er, ya know this ain't no human name, this is a comment, a wisecrack, for the perpetrator is claiming: "Root Down #1". Meaning, the perp broke into a computer (yours?) and provided himself with 'root privilege' (god-like_master), and system protection from the perpetrator is now effectively "down"; this is go-round "#1", which means the crackerjack thinks there are other tools on hand that can repeat the attack if this one is stopped.

So,
Get with your ISP pronto; these actions must be stopped at the earliest moment, before their conspiracy widens. A good one should involve both rr.com and law enforcement as warranted. You may find out that they are already onto this person and appreciative of any additional evidence you can provide.


btw: did you know being flamed through the internet can get you $$$$$$$$$$$$$$$$$ ? Cash deal made in NC a couple weeks ago. Since it was out of court, we don't know what funds are involved or how laws will be defined. But defendants are currently caving in (while claiming they are ready to appeal - before final conviction).
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8092253
> nyc.rr.com

btw, the NYC, New York City, also indicates an area that is frequently cracked, namely, nothing in the packets of bits at your end to track the abuser. Let the ISPs do their cooperating, they can monitor miles and miles away <heh>
0
 
LVL 1

Expert Comment

by:migit03
ID: 8097927
If the person is clever, though, he may have hidden his identity by going through other servers to send the letter; by simply looking up the domain you may get no information.

I advise calling the police and having them investigate; they have access to information like this.

If you fear a digital attack (maybe you have sensitive information), then tighten your security in Windows, make your firewall more sensitive and hope.

Your ISP may be able to help, but it would be better if the cops talk to your ISP than yourself.

Good Luck
0
 
LVL 7

Expert Comment

by:jimwasson
ID: 8098432
Without seeing the full headers (and even with that), you can't really be sure even that root1 or anyone else at nyc.rr.com is the real culprit. ANY e-mail program lets the sender put ANYONE in the From line.

You can use the spam parsing services at www.spamcop.net to analyze the e-mail -- don't send the reports, though, as they are intended only for spam. This will give you a reasonably good idea of the real source of the e-mail and its intermediate hops through the internet. There are other tools and services out there which allow you to analyze e-mail, but this is one of my favorites.

When you report this (and I absolutely agree with the recommendations given above regarding that) -- both to ISPs and the police -- you want to be sure you have the complete message, including all of the message header information. It may take a little research to get that depending on your service (you may have to change some preferences, for instance). If you are using OE, just select the message and look at Properties --> Message Source. You can then copy the full message, including headers.

0
 
LVL 5

Expert Comment

by:sysandprog
ID: 8098726
On your DESKTOP create a shortcut pointing to...

http://www.checkdomain.com/

rr.com is located in Herndon, Virginia

The server IP addresses are...

 24.30.200.3
 24.30.201.3
 24.30.199.7
 65.24.0.172

Now, look at the email headers with a text editor that is NOT part of your email program. Reading from the top down, the LAST Received address is the ONLY one that is NOT easily spoofed. If it shows one of the 4 server addresses above, most likely the message did originate with a customer of rr.com, and they should be able to identify the culprit quickly, if YOU contact them while they still have activity logs available.
0
 

Expert Comment

by:Shadow_Hawk
ID: 8102330
Mamuse... I "may" be able to assist you... please e@mail me.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8102518
sysandprog:
Unfortunately, it is common practice amongst spammers to
a) add extra lines to the headers to make it look like the actual first hop was just a link in the chain, and
b) attempt to relay (via such tricks as an https "connect" to port 25 on an open web relay) through a system that does not add a header line identifying their system.
Note that as a special case of (b), the most popular commercial firewall package (Checkpoint's FW-1) doesn't add any headers at all to mail sent via its email security filter - thus breaking the chain (and the RFC rules too).

spamcop does a decent job of feasibility-testing the lines to find the first line that is dodgy in the case of (a).
0
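The header check that sysandprog and Dave Howe describe above, as an added example that is not from any post in this thread: it walks the Received: chain newest-first, trusts only the header written by your own mail server, and accepts each lower hop only while it names itself as the host the hop above says it received from, so the first forged line (Dave Howe's case a) stops the walk. Host names, IPs and the server name mx.smallbiz.example are constructed for the sample.

```python
import re
from email import message_from_string

# Constructed sample message (not a real one). Received: headers are read
# newest-first, so the top one was written by the recipient's own server
# and the bottom one was forged by the sender to point at an unrelated host.
RAW_MESSAGE = """\
Received: from mail-relay.example-isp.net (mail-relay.example-isp.net [203.0.113.5])
\tby mx.smallbiz.example (Postfix) with ESMTP id 123ABC
\tfor <owner@smallbiz.example>; Fri, 07 Mar 2003 10:02:11 -0500
Received: from dialup-42.example-isp.net (dialup-42.example-isp.net [198.51.100.42])
\tby mail-relay.example-isp.net with SMTP id 77XYZ; Fri, 07 Mar 2003 10:01:58 -0500
Received: from innocent.example.org (innocent.example.org [192.0.2.9])
\tby some-other-host.example.net with SMTP; Fri, 07 Mar 2003 09:59:00 -0500
From: rootdown1@nyc.rr.com
Subject: test

body
"""

# The From: line is never consulted: as jimwasson notes, anyone can set it.
RECEIVED_RE = re.compile(r"^from (?P<from>\S+)(?P<rest>.*?) by (?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return (from_host, from_ip, by_host) for one Received: header, or None."""
    flat = re.sub(r"\s+", " ", value).strip()        # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    ip = IP_RE.search(m.group("rest"))                # IP the receiving server saw
    return m.group("from"), (ip.group(1) if ip else None), m.group("by")


def trace_origin(raw_message, own_server):
    """Walk the Received: chain top-down and return (origin_ip, break_index).

    A hop is trusted only if the hop above it says it received the message
    from the host this hop names as itself ('by').  The first hop that does
    not fit is treated as forged, together with everything below it; origin_ip
    is the address recorded by the last hop that still fits.  break_index is
    None when the whole chain is consistent.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Only our own server's header is known to be genuine; without it, nothing is.
    if not hops or hops[0] is None or hops[0][2] != own_server:
        return None, 0
    origin_ip = hops[0][1]
    for i in range(len(hops) - 1):
        above, below = hops[i], hops[i + 1]
        if below is None or above[0].lower() != below[2].lower():
            return origin_ip, i + 1
        origin_ip = below[1]
    return origin_ip, None


if __name__ == "__main__":
    ip, broken_at = trace_origin(RAW_MESSAGE, "mx.smallbiz.example")
    print(f"best estimate of origin: {ip}; chain breaks at header #{broken_at}")
```

The exact-name comparison is a simplification of the plausibility testing spamcop does; a real relay often names itself slightly differently from how the next hop saw it, so treat a break as a reason to look closer, not proof of forgery.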
 

Expert Comment

by:misterallno
ID: 8109292
If you have received harassing or threatening email and are concerned for your safety, please contact the UWPD or your local law enforcement immediately. Other threatening messages should be reported to info@cac.washington.edu. Please forward the harassing message, complete with full headers so that the origin of the message can be properly determined. (Know more at http://www.washington.edu/computing/security/spam.html)

If you want to see whether the sender's email id is a valid one or not, key in the email id at www.network-tools.com

Want to know more about where to report threatening emails or spam? Search with the key words 'threatening email' at www.google.com
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8117161
rr.com is the DSL subscriber service Road Runner. Most cable modem and DSL subscribers come from a 24.x.x.x and 64.x.x.x Class A addresses. You can get a free copy of Sam Spade (whois program) from here:

http://www.pcworld.com/downloads/file_description/0,fid,4709,00.asp

This program will tell you the owner of any specific IP.

All you can really do in this situation is to notify the ISP. They should easily be able to trace it due to the fact that they set up the email accounts for users. The only issue is that unless something has actually been done, all that person is going to receive is a warning from their ISP. You can't call the police because you got an email you didn't like. I can hear them saying now "What do you want us to do about it". Unless you've been actually hacked, don't bother with the police; it's a waste of time. Retain a copy of the email for your records, because if this idiot is actually stupid enough to hack you after he sent an email to you, then you have all you need to lead the authorities straight to him. Threats like this are mostly empty anyway, I wouldn't worry about it.

0
 

Expert Comment

by:Shadow_Hawk
ID: 8125245
mamuse, can you contact me @:
*email address removed by Netminder, EE Admin*   I believe I have the information that you're looking for :).
0
 
LVL 5

Expert Comment

by:sysandprog
ID: 8134034
I don't think EE rules allow solutions outside this forum.
0
 
LVL 5

Expert Comment

by:Netminder
ID: 8134550
Shadow_Hawk,

It is a violation of Experts Exchange's membership guidelines to resolve problems outside of the forum; it constitutes misuse of the point system.

Additionally, it's not wise to post your email address (which I've removed) as you'll be subject to receiving email from anyone who reads this page.

Netminder
EE Admin
0
 

Expert Comment

by:Shadow_Hawk
ID: 8135838
EE Admin,

Apologies... Acknowledged. :).
0
 

Expert Comment

by:Shadow_Hawk
ID: 8135901
Mamuse,
D/L "Neo-Trace 3.25"... Once installed, go up to VIEW, then OPTIONS, and <set your home location> (all prompted)... then take *rootdown1@nyc.rr.com* and enter it in the TARGET window, at the top of NEO's open window (above the map)... *click* GO and Neo will <back trace> the address (informing you it's an active one).
It then places all the information you need down on the right side... Supplying you with:
Registrant, I.P. range, Server, Address of both, even Grid Coordinates (if any)... and a whole lot more...
>> With NEO-TRACE, you can actually <Direct Report> to Hackerwatch.org, who take matters of this caliber "very seriously" (their address is already installed in the app).
I hope this helps you out, good luck :).
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8136343
I'm curious, just how does handling questions via email misuse the precious point system? Seems to me helping the user ought to be the main priority.
0
 

Expert Comment

by:Shadow_Hawk
ID: 8136495
TooKoolKris,
The *point system* here obviously *grades your answers/assistance* given to the individual requesting it... this I understand. If you "help offsite" (so to speak), the requesting individual doesn't <grade> your answer here, and EE doesn't *see how well you helped*... therefore "adding/deducting" to or from your *expertise* doesn't happen either... "Share knowledge so all can/will know", that's what it's all about.
I was just trying to avoid <broadcasting> "that particular" person's personal info (the one threatening Mamuse), that's all.

~Shadow
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8136703
Yeah, I see what you're saying; it just seems lately the more you try and help someone the more the Gestapo intervenes! Sometimes I don't know why I bother. I'm actually losing money in here sometimes because I'm not paying attention to my stock charts as closely as I should :)
0
 
LVL 5

Expert Comment

by:Netminder
ID: 8137601
TooKoolKris,

Shadow_Hawk is mostly correct. One issue is that when two people correspond to solve a problem, other Experts can't get involved. Another issue is that we can't tell if the issue is legitimate or just a way of transferring points unfairly. A third is that the resolution to the problem doesn't get posted, so the question has no value to EE as part of the PAQ. A fourth is that (potentially) Shadow_Hawk COULD have been (not WAS) soliciting business.

And if you want to see the Gestapo at work, keep up the insults; we have at least one Moderator who lost family in World War II and would no doubt take significant offense at that.

Netminder
EE Admin
0
 

Expert Comment

by:Shadow_Hawk
ID: 8137858
Well, whatever your *priorities* call for, you should do "that" :)... I'm sure you're e@mailed whenever this site is updated, therefore you "still miss nothing" :).
But as far as "this place" is concerned >>> The name, it pretty much speaks for itself  *expertsXchange* -> Knowledge Sharing...
Well, I hope he can use the info I gave him, @ least.
0
 

Expert Comment

by:WesLennon
ID: 8137864
Not to mention a Director; I too lost my grandfather there in France after taking out a machine gunner's nest at Normandy.

Wes Lennon
Director of Community Services
Experts Exchange

btw: when did Roadrunner go DSL? They are primarily cable.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8137939
"And if you want to see the Gestapo at work, keep up the insults".

How dare you scold me for using this analogy and then turn right around and use it to threaten me!!

You don't have to take my words out of context and mold them to fit your argument; you knew exactly what I was saying with my comments, and it had nothing to do with WWII, and my grandfather was in the Normandy invasion as well. It's your web site, man; you want to turn it into a dictatorship, that's your business. If you want to boot me from this site it will be your loss as well!

Good Day,

TKK
0
 

Expert Comment

by:WesLennon
ID: 8138049
You used your analogy to refer to Experts Exchange, the rules of this site have been here much longer than you, and if you had taken the time to read them, then you would know that email is out of bounds, period.

Odd how you would use Gestapo and dictatorship in the same thread. Using that word also offends the Germans at this site, and there are many here, amongst the 1.06 million members.
0
 
LVL 5

Expert Comment

by:sysandprog
ID: 8140055
Cool it, everybody.  Life is too short, and we get just one chance at the brass ring...
0
 

Expert Comment

by:pratik20
ID: 8141827
I suggest that you simply ignore that email. It's extremely hard to trace emails. Also, you would have to spend a lot of money after that.

E-mail addresses can be spoofed. I mean, you can send e-mail from any fake address. I can send you an email from admin@yahoo.com by writing a simple PHP script. Also, I can use a chain of proxies for my action. One proxy in Africa, one in Asia, another in Europe. It will be very hard to trace.

So..simply ignore the message.

Thank you,
Pratik
0
 
LVL 3

Expert Comment

by:cduke250
ID: 8193322
What I would recommend would be to go to a search engine and type casino.

Type his name somewhere, highlight it, copy his email addy, and then click away signing up for all sorts of wonderful spam.

Oh yeah, I seriously seriously doubt this dude spoofed his email to say something like that. He sounds like an upset dope.
0
 
LVL 3

Expert Comment

by:cduke250
ID: 8193327
Oh yeah, an easy tracing tool is samspade.

www.samspade.org

he's even got online tools.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8225961
mamuse, Is this a continuing situation?
0
