mamuse

asked on

threatening e-mail

I received a threatening e-mail directed to me specifically at my small business and would like to find out who the domain is registered under for my protection. Is there a site I can post a complaint to, or a way I can find out who this mail is originating from? The mail was from: rootdown1@nyc.rr.com

Thanking you in advance for your help - I am so unnerved by this!
slartibartfarst

I suggest you contact the police.  They have the authority and the means to investigate the origin of such emails.
rr.com seems to be an ISP. Chances are the email didn't come from them, but from a user or hacker. It may even be that their mail server is an open relay and someone used it to bounce the mail to you. I agree with slartibartfarst, call the police and have them investigate it.

Do remember that most things you receive through email are a hoax, so you most likely don't have anything to worry about. Be safe and report it.
You should post the message (and *ALL* its headers) into the spamcop header demystifier - this will give you the actual ISP of the sender. Usually the connection will be via a dialup, which means only the ISP can really trace it back - but that information is awkward to obtain and never available to the general public (particularly non-customers), so it may be better to contact the abuse@ address of the ISP *and* the police (mentioning to each that you have contacted the other), which may chivvy them both along a bit. Normally, the ISP will provide the information to the police if they ask. Remember though, you need *full* headers from the email to establish the time the message was sent and the IP address it was sent from (from which the ISP can derive the user account and often the phone number).
Anyhow - use the www.spamcop.net tool to read the headers and move forward from there....
ASKER CERTIFIED SOLUTION
SunBow
> nyc.rr.com

btw, the NYC, New York City, also indicates an area that is frequently cracked, namely, nothing in the packets of bits at your end to track the abuser. Let the ISPs do their cooperating, they can monitor miles and miles away <heh>
If the person is clever, though, he may have hidden his identity by going through other servers to send the letter; by simply looking up the domain you may get no information.

I advise calling the police and having them investigate; they have access to information like this.

If you fear a digital attack (maybe you have sensitive information), then tighten your security in Windows, make your firewall more sensitive, and hope.

Your ISP may be able to help, but it would be better if the cops talk to your ISP than yourself.

Good Luck
Without seeing the full headers (and even with that), you can't really be sure even that root1 or anyone else at nyc.rr.com is the real culprit.  ANY e-mail program lets the sender put ANYONE in the from line.

You can use the spam parsing services at www.spamcop.net to analyze the e-mail -- don't send the reports, though as they are intended only for spam.  This will give you a reasonably good idea of the real source of the e-mail and its intermediate hops through the internet.  There are other tools and services out there which allow you to analyze e-mail but this is one of my favorites.

When you report this (and I absolutely agree with the recommendations given above regarding that) -- both to ISPs and the police you want to be sure you have the complete message, including all of the message header information.  It may take a little research to get that depending on your service (you may have to change some preferences, for instance).  If you are using OE, just select the message and look at Properties --> Message Source.  You can then copy the full message, including headers.

On your DESKTOP create a shortcut pointing to...

http://www.checkdomain.com/

rr.com is located in Herndon, Virginia

The server IP addresses are...

 24.30.200.3
 24.30.201.3
 24.30.199.7
 65.24.0.172

Now, look at the email headers with a text editor that is NOT part of your email program.  Reading from the top down, the LAST Received address is the ONLY one that is NOT easily spoofed.  If it shows one of the 4 server addresses above, most likely the message did originate with a customer of rr.com and they should be able to identify the culprit quickly, if YOU contact them while they still have activity logs available.
Mamuse... I "may" be able to assist you... please e@mail me.
sysandprog:
Unfortunately, it is common practice amongst spammers to
a) add extra lines to the headers to make it look like the actual first hop was just a link in the chain, and
b) attempt to relay (via such tricks as an https "connect" to port 25 on an open web relay) through a system that does not add a header line identifying their system.
Note that as a special case of (b), the most popular commercial firewall package (Checkpoint's FW-1) doesn't add any headers at all to mail sent via its email security filter - thus breaking the chain (and the RFC rules too).

Spamcop does a decent job of feasibility-testing the lines to find the first line that is dodgy in the case of (a).
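As an added example (not part of this thread or of any tool it names), here is how a recipient can do the feasibility check described above in Python: it unfolds the full headers, walks the Received chain from the line added by the recipient's own server downward, and stops at the first hop whose "by" host no longer matches the previous hop's "from" host, so that line and everything below it is treated as unreliable. The server name mx.example-smallbiz.test, the provider network range and the headers themselves are constructed sample data.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample headers, as the recipient's mail client would show them.
# Received: lines stack newest-first; the top one was added by our own server
# (mx.example-smallbiz.test, an assumed name) and is the only one we can trust outright.
RAW_HEADERS = """\
Received: from mail.nyc.rr.com (mail.nyc.rr.com [24.30.200.3])
    by mx.example-smallbiz.test (Postfix) with ESMTP id 1A2B3C
    for <owner@example-smallbiz.test>; Tue, 11 Jun 2002 09:15:02 -0400
Received: from dialup-42.nyc.rr.com (dialup-42.nyc.rr.com [24.30.210.9])
    by mail.nyc.rr.com with SMTP id 9Z8Y7X; Tue, 11 Jun 2002 09:14:40 -0400
Received: from bigcorp.mail.test (bigcorp.mail.test [203.0.113.7])
    by relay.bogus.test with SMTP; Tue, 11 Jun 2002 09:10:00 -0400
From: rootdown1@nyc.rr.com
Subject: constructed sample
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:[^()]*\[)?([0-9.]+)\]?\)\s+by\s+(\S+)")

def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def received_hops(raw):
    """Return [(from_host, from_ip, by_host), ...] in top-down (newest-first) order."""
    hops = []
    for line in unfold(raw).splitlines():
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append(m.groups())
    return hops

def trusted_origin(raw, our_server, provider_nets):
    """Walk the chain from our own server downward and stop at the first hop whose
    'by' host is not the previous hop's 'from' host: that line and everything below
    it could have been forged. Returns (last credible from-IP, whether it sits in
    one of provider_nets)."""
    hops = received_hops(raw)
    if not hops or hops[0][2] != our_server:   # top line is not ours: nothing to trust
        return None, False
    origin_ip = hops[0][1]
    for prev, cur in zip(hops, hops[1:]):
        if cur[2] != prev[0]:
            break
        origin_ip = cur[1]
    in_provider = any(ip_address(origin_ip) in ip_network(net) for net in provider_nets)
    return origin_ip, in_provider
```

On the sample, the third Received line claims to have been handled by relay.bogus.test, which the dialup host never mentioned, so the walk stops at the dialup address and the forged bottom line is ignored.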
If you have received harassing or threatening email and are concerned for your safety, please contact the UWPD or your local law enforcement immediately. Other threatening messages should be reported to info@cac.washington.edu. Please forward the harassing message, complete with full headers so that the origin of the message can be properly determined. (Know more at http://www.washington.edu/computing/security/spam.html)

If you want to see whether the sender's email id is a valid one or not, key in the email id at www.network-tools.com

Want to know more about where to report the threatening emails or spam, search with key words 'threatening email' at www.google.com
rr.com is the DSL subscriber service Road Runner. Most cable modem and DSL subscribers come from a 24.x.x.x and 64.x.x.x Class A addresses. You can get a free copy of Sam Spade (whois program) from here:

http://www.pcworld.com/downloads/file_description/0,fid,4709,00.asp

This program will tell you the owner of any specific IP.

All you can really do in this situation is to notify the ISP. They should easily be able to trace it due to the fact that they set up the email accounts for users. The only issue is that unless something has actually been done, all that person is going to receive is a warning from their ISP. You can't call the police because you got an email you didn't like. I can hear them saying now "What do you want us to do about it". Unless you've been actually hacked, don't bother with the police; it's a waste of time. Retain a copy of the email for your records because if this idiot is actually stupid enough to hack you after he sent an email to you, then you have all you need to lead the authorities straight to him. Threats like this are mostly empty anyway, I wouldn't worry about it.

mamuse, can you contact me @:
*email address removed by Netminder, EE Admin*   I believe I have the information that you're looking for :).
I don't think EE rules allow solutions outside this forum.
Shadow_Hawk,

It is a violation of Experts Exchange's membership guidelines to resolve problems outside of the forum; it constitutes misuse of the point system.

Additionally, it's not wise to post your email address (which I've removed) as you'll be subject to receiving email from anyone who reads this page.

Netminder
EE Admin
EE Admin,

Apologies... Acknowledged. :).
Mamuse,
D/L "Neo-Trace 3.25"... Once installed, go up to VIEW, then OPTIONS, and <set your home location> (all prompted)... then take *rootdown1@nyc.rr.com* and enter it in the TARGET window, at the top of NEO's open window (above the map)... *click* GO and Neo will <back trace> the address (informing you it's an active one).
It then places all the information you need down on the right side... Supplying you with:
Registrant, I.P. range, Server, Address of both, even Grid Coordinates (if any)... and a whole lot more...
>> With NEO-TRACE, you can actually <Direct Report> to Hackerwatch.org, who take matters of this caliber "very seriously" (their address is already installed in the app).
I hope this helps you out, good luck :).
I'm curious just how does handling questions via email misuse the precious point system? Seems to me helping the user ought to be the main priority.
TooKoolKris,
The *point system* here obviously *grades your answers/assistance* given to the individual requesting it... this I understand. If you "help offsite" (so to speak), the requesting individual doesn't <grade> your answer here, and EE doesn't *see how well you helped*... therefore "adding/deducting" to or from your *expertise* doesn't happen either... "Share knowledge so all can/will know", that's what it's all about.
I was just trying to avoid <broadcasting> "that particular" person's personal info (the one threatening Mamuse), that's all.

~Shadow
Yeah, I see what you're saying; it just seems lately the more you try and help someone, the more the Gestapo intervenes! Sometimes I don't know why I bother. I'm actually losing money in here sometimes because I'm not paying attention to my stock charts as closely as I should :)
TooKoolKris,

Shadow_Hawk is mostly correct. One issue is that when two people correspond to solve a problem, other Experts can't get involved. Another issue is that we can't tell if the issue is legitimate or just a way of transferring points unfairly. A third is that the resolution to the problem doesn't get posted, so the question has no value to EE as part of the PAQ. A fourth is that (potentially) Shadow_Hawk COULD have been (not WAS) soliciting business.

And if you want to see the Gestapo at work, keep up the insults; we have at least one Moderator who lost family in World War II and would no doubt take significant offense at that.

Netminder
EE Admin
Well, whatever your *priorities* call for, you should do "that" :)... I'm sure you're e@mailed whenever this site is updated, therefore you "still miss nothing" :).
But as far as "this place" is concerned >>> The name, it pretty much speaks for itself  *expertsXchange* -> Knowledge Sharing...
Well, I hope he can use the info I gave him, @ least.
Not to mention a Director, I too lost my Grandfather there in France after taking out a machine gunners nest at Normandy.

Wes Lennon
Director of Community Services
Experts Exchange

btw-when did Roadrunner go DSL, they are primarily cable.
"And if you want to see the Gestapo at work, keep up the insults".

How dare you scold me for using this analogy and then turn right around and use it to threaten me!!

You don't have to take my words out of context and mold them to fit your argument; you knew exactly what I was saying with my comments and it had nothing to do with WWII, and my grandfather was in the Normandy invasion as well. It's your web site, man; you want to turn it into a dictatorship, that's your business. If you want to boot me from this site it will be your loss as well!

Good Day,

TKK
You used your analogy to refer to Experts Exchange, the rules of this site have been here much longer than you, and if you had taken the time to read them, then you would know that email is out of bounds, period.

Odd how you would use Gestapo and dictatorship in the same thread.  Using that word also offends the Germans at this site, and there are many here, amongst the 1.06 million members here.
Cool it, everybody.  Life is too short, and we get just one chance at the brass ring...
I suggest that you simply ignore that email. It's extremely hard to trace emails. Also, you would have to spend a lot of money after that.

E-mail addresses can be spoofed. I mean, you can send e-mail from any fake address. I can send you an email from admin@yahoo.com by writing a simple PHP script. Also, I can use a chain of proxies for my action. One proxy in Africa, one in Asia, another in Europe. It will be very hard to trace.

So..simply ignore the message.

Thank you,
Pratik
what I would recommend would be to go to a search engine and type casino


type his name somewhere, highlight it, copy his email addy, and then click away signing up for all sorts of wonderful spam.


Oh yeah, I seriously, seriously doubt this dude spoofed his email to say something like that. He sounds like an upset dope.
Oh yeah, an easy tracing tool is samspade.

www.samspade.org

he's even got online tools.
mamuse, Is this a continuing situation?