Identity Theft via email....



feral
19th February 2009, 10:38 AM
Our daughter has had her Hotmail account hacked. The person has somehow gained access and has sent an email with a vicious message attached. The person has emailed everyone on my daughter's mailing list, which is the reason why I received it at work.

The message is quite violent in its content and this has caused considerable angst amongst those who have received it.

Obviously we are trying to assure people that my daughter would not have sent the email as she was at school at the time. I don't believe the school would give unsupervised access to computers.

Is there any way to check which computer the email has originated from? Doesn't every computer have a number i.e. 123.456.789.0 and can it be traced?

After finding out what was going on, our daughter has been bullied by this person for about the last two years. We are devastated.

It's a sad world we live in if we have to deal with this crap :(

p38arover
19th February 2009, 10:47 AM
What email program do you use, Lyndon?

With Outlook, you can right click on the message (no need to open it), select Options, then look at internet headers. It will look something like this:

Return-Path: <graymail@graysonline.com.au>
Received: from graysonline.com.au (graysonline.com.au [202.58.37.241] (may be forged))
    by mail17.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id n0KLGL0X010869;
    Wed, 21 Jan 2009 08:16:21 +1100
Received: from graysonline.com.au (localhost.localdomain [127.0.0.1])
    by graysonline.com.au (Throo.To(R)) with ESMTP id 202AF306366;
    Wed, 21 Jan 2009 08:16:21 +1100 (EST)
Received: (from graymail@localhost)
    by graysonline.com.au (8.13.8/8.13.8/Submit) id n0KLGKLM030671;
    Wed, 21 Jan 2009 08:16:20 +1100
Date: Wed, 21 Jan 2009 08:16:20 +1100
Message-Id: <200901202116.n0KLGKLM030671@graysonline.com.au>
To:
From: "GrayMail" <graymail@graysonline.com.au>
Content-Type: text/html
Subject: Grill up a storm


I don't know if that will help.

p38arover
19th February 2009, 10:50 AM
> After finding out what was going on, our daughter has been bullied by this person for about the last two years. We are devastated.

Bullying by girls is not uncommon. Our daughter was, too. :mad:

A girl at her school was also bullied and, one day, knelt down on the pedestrian crossing in front of an approaching train where I work. The driver had no chance.... :(

Unfortunately, schools don't seem able to do anything about it.

Psimpson7
19th February 2009, 10:52 AM
As Ron says, that should give you the IP address of the machine that sent it. Where you go from there though I am not sure.

Do you or your daughter have access to an email sent from the bullier that you could compare the IP address from?

Delta_Farce
19th February 2009, 10:54 AM
Hi Lyndon,

Firstly, sorry to hear what your daughter and your family are going through. This must be very disappointing.

You can to a certain degree, do what you're asking. If you have an original copy of the message you should be able to view the email headers. This will show the originating IP number of the sender.

There is a problem though.

Hotmail, as a web based service, will only show you which of their servers sent the message (giving you only part of the trail). What you need to do is report the account abuse to Microsoft. This can be done by going to the following link, and searching for the term 'abuse' in the search box:

Windows Live ID and Account Management. (https://support.live.com/eform.aspx?productKey=wlid&ct=eformts&scrx=1)

I would also strongly recommend that your daughter changes her account password asap. Using the above link, search for 'password' to do that.

In most cases, there is little chance of securing a prosecution for this sort of thing because of the complications of cross-border services, crimes etc. If you did want to go that way though, you would have to request access/session logs from Microsoft (who operate Hotmail/Windows Live) that would reveal the source IP of the user who sent the email. That information could then be cross referenced with ISP logs to identify the account holder who connected to their service and hacked your daughter's account. This sort of information is typically only released under legal request.

Good luck,

Mark

chunk
19th February 2009, 11:27 AM
First of all I would be changing your daughter's password, then I would contact the school and make a report, as more than likely the person doing this crap is someone from school. The school may not be able to do anything right now but they may be able to in the future, as this is probably not the first time this person has done this sort of thing. I would also be reporting this to the police because if this continues they have the best resources to track this person down. As Ron pointed out, there are a lot of kids that have taken their own lives over bullying and it needs to be stopped before it goes too far.

Jeff

JDNSW
19th February 2009, 12:36 PM
I sympathise (my granddaughters have had to change schools because of bullying, although not internet), but the problem with hotmail and similar accounts is that the trail will not go back to the computer, but only to the server as suggested, and legal problems arise to go further, as stated.

However, as suggested, the culprit is almost certainly someone from the school and hence the incident should be reported to them - it may be the last straw to do something, as it is quite possible they may have a good idea who is responsible, even lacking any proof. Whether anything is done will depend on the school though.

John

incisor
19th February 2009, 12:55 PM
depends how clued in the bully is.

hotmail is dead easy to hack but it is more likely your daughter used a simple password that they have guessed.

hotmail may be able to find session logs if you can forward them the full headers of the original message etc to their abuse account.

but, if our hero is clued in he will have used an anon proxy site which will leave no trail of any use, i doubt that would be the case tho...

ditch hotmail, use another service.

make sure you always use a password that isn't a dictionary word, and ensure it contains letters and numbers with at least one capital letter.

Basil135
19th February 2009, 01:29 PM
All very good advice.

I would report it as far & wide as you can to the appropriate people. This means the school, and police as a starting point.

If there is a record of the incident with them, it will certainly make it easier in the future should the need arise to take matters further.

Many a legal case has been won, (or lost) because someone was able to show that a particular event was not isolated, but was rather, a single event in a chain of many similar events.

Let's hope things don't go that far, but it is best to be on the safe side.


As far as the email goes, yep - change the password ASAP. But then use a different mail service, such as Yahoo or if using Vista, Windows Mail. If you have explained the circumstances of the original email to all of the recipients, then hopefully, they will be understanding and supportive of you & your daughter.

feral
19th February 2009, 03:23 PM
Thanks for all your support and thank you for the good advice.

I have taken control of all her accounts i.e. de-activated or changed passwords on all the 'Messenger/Facebook' type accounts. The passwords appear to have been fairly easy to crack. My daughter has most likely let it slip as well. I am supervising all accounts to see if there are any further issues. The passwords now used are only known to me.


I have found the string......

Received: from strontium.mailguard.com.au ([67.15.52.7]) by ntpdc. ith SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id 1ZBARAPA; Fri, 13 Feb 2009 13:34:43 +1100
Received: from promethium.mailguard.com.au (promethium.mailguard.com.au [70.86.21.242])
    (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by strontium.mailguard.com.au (Postfix) with ESMTP id 55B4016C2EF
    for Fri, 13 Feb 2009 13:34:42 +1100 (EST)
Received: from promethium.mailguard.com.au (localhost [127.0.0.1])
    by promethium.mailguard.com.au (Postfix) with ESMTP id 553B741C251
    for >; Fri, 13 Feb 2009 13:34:41 +1100 (EST)
Received-SPF: pass (promethium.mailguard.com.au: domain of hotmail.com designates 65.55.34.15 as permitted sender) client-ip=65.55.34.15; helo=col0-omc1-s5.col0.hotmail.com;
Received: from col0-omc1-s5.col0.hotmail.com (col0-omc1-s5.col0.hotmail.com [65.55.34.15])
    by promethium.mailguard.com.au (Postfix) with ESMTP id 1BBD341C22D
    for < Fri, 13 Feb 2009 13:34:29 +1100 (EST)
Received: from COL110-W29 ([65.55.34.7]) by col0-omc1-s5.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Thu, 12 Feb 2009 18:34:30 -0800
Message-ID: <COL110-W2994B82D0CE68992A5A0AFF8B80@phx.gbl>
Content-Type: multipart/alternative;
    boundary="_9e683a56-642c-474f-8479-a97964c0c892_"
X-Originating-IP: [203.94.135.138]
From:
Sbject: FW:
Date: Fri, 13 Feb 2009 13:04:29 +1030
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 13 Feb 2009 02:34:30.0117 (UTC) FILETIME=[98D61950:01C98D83]
X-SpamGuard-Score: 0.002
X-MailGuard-ID: 4994dc361c4f3c
X-Filtered: by MailGuard - visit MailGuard - Home (http://www.mailguard.com.au)

--_9e683a56-642c-474f-8479-a97964c0c892_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_9e683a56-642c-474f-8479-a97964c0c892_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_9e683a56-642c-474f-8479-a97964c0c892_--



I have deleted all the addresses that I believe have nothing to do with the origination. From what I can work out I think the address is the 'X-Originating-IP: [203.94.135.138]'


Now if I match this to other emails received by our bully would you say that this is adequate evidence?

Unfortunately this is one of my mate's kids and we (my wife & I) would like not to lay blame but to rectify the situation and make sure they are aware of what is going on.

I am unable to get my head around all this false world facebook stuff. We gave our daughter a little space to see if she could cope with the pressures of life as her life is now approaching the teen years. She is a very intelligent girl, high distinctions in Maths, English for a number of years. She has so much potential but also so impressionable & vulnerable.

I am concerned.
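
An added example, not part of any poster's message: a short Python script that reads a header block like the one above, lists the Received hops oldest-first with their times converted to UTC, and extracts the X-Originating-IP so two messages can be compared. The sample is constructed from the posted headers (recipient fields, already removed in the post, are closed off so the lines parse); the function names and the second message are assumptions made for the example.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, trimmed from the headers posted above.
SAMPLE = """\
Received: from promethium.mailguard.com.au (promethium.mailguard.com.au [70.86.21.242])
 by strontium.mailguard.com.au (Postfix) with ESMTP id 55B4016C2EF;
 Fri, 13 Feb 2009 13:34:42 +1100 (EST)
Received: from col0-omc1-s5.col0.hotmail.com (col0-omc1-s5.col0.hotmail.com [65.55.34.15])
 by promethium.mailguard.com.au (Postfix) with ESMTP id 1BBD341C22D;
 Fri, 13 Feb 2009 13:34:29 +1100 (EST)
Received: from COL110-W29 ([65.55.34.7]) by col0-omc1-s5.col0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Thu, 12 Feb 2009 18:34:30 -0800
X-Originating-IP: [203.94.135.138]
Subject: FW:

"""
# Constructed second message; 192.0.2.10 is a documentation-only address.
OTHER = "X-Originating-IP: [192.0.2.10]\nSubject: hello\n\n"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Relay hops oldest-first: (sender IP, receiving host, UTC time)."""
    hops = []
    # Each server prepends its own Received line, so reverse to read in order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())            # unfold continuation lines
        ip = IP_RE.search(value)
        by = re.search(r"\bby (\S+)", value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1])
        hops.append((ip and ip.group(1), by and by.group(1),
                     when.astimezone(timezone.utc)))
    return hops

def originating_ip(raw):
    """Address the webmail provider recorded for the submitting client."""
    m = IP_RE.search(message_from_string(raw).get("X-Originating-IP", ""))
    return m.group(1) if m else None

def same_origin(raw_a, raw_b):
    """True only when both messages carry the same X-Originating-IP."""
    a, b = originating_ip(raw_a), originating_ip(raw_b)
    return a is not None and a == b

if __name__ == "__main__":
    for ip, host, when in received_hops(SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  {ip} -> {host}")
    print("origin:", originating_ip(SAMPLE), "match:", same_origin(SAMPLE, OTHER))
```

In this sample the second hop is stamped one second before the first once both are in UTC, which is ordinary clock skew between servers. A matching X-Originating-IP shows that two messages were submitted from the same network address, not who was using it.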

Bushie
19th February 2009, 05:00 PM
Entering the IP into Whois gives this info


(Asked whois.apnic.net:43 about 203.94.135.138)
inetnum: 203.94.128.0 - 203.94.159.255
netname: UECOMM-AU
descr: Uecomm
descr: Broadband fibre network service
country: AU
admin-c: UN10-AP
tech-c: UN10-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-AU-UECOMM
changed: hostmaster@apnic.net 20000607
changed: hostmaster@apnic.net 20010618
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20031111
changed: hm-changed@apnic.net 20070718
changed: hm-changed@apnic.net 20071017
source: APNIC
person: Uecomm NOC
nic-hdl: UN10-AP
e-mail: innov8@uecomm.com.au
address: Building 8 658 Church St
address: Richmond Vic 3121
phone: 61 1800 707 447
country: AU
changed: adgriffiths@uecomm.com.au 20071016
mnt-by: MAINT-AU-UECOMM
source: APNIC


It doesn't really mean much to me but maybe others can give more info.

For passwords I like to think of a sentence and use the first letters etc

ie

I Used To Own A 1976 Range Rover would become
Iutoa1976RR for instance - once you have entered it a few times it becomes easy to remember.

With regard to the police, my daughter received some particularly nasty SMS for a while. The police were quite helpful and the messages soon stopped after they became involved (maybe the culprits just got scared when they knew we had reported it)


Martyn

vnx205
19th February 2009, 05:12 PM
I'm not sure how the Vic system works, but in NSW if the email was sent from school, the student would have logged into the DET portal.

Both the school and the DET have a surprising amount of access to information about who did what on school computers.

There are a few ifs and buts in this, but if it seems that the bullying was done using school resources, then schools take the issue very seriously and do have ways of monitoring activity.

LOVEMYRANGIE
20th February 2009, 12:02 AM
most likely hacked from somewhere else in the world.
Best just report it to Hotmail and change password.

lardy
20th February 2009, 12:50 AM
> depends how clued in the bully is.
>
> hotmail is dead easy to hack but it is more likely your daughter used a simple password that they have guessed.
>
> hotmail may be able to find session logs if you can forward them the full headers of the original message etc to their abuse account.
>
> but, if our hero is clued in he will have used an anon proxy site which will leave no trail of any use, i doubt that would be the case tho...
>
> ditch hotmail, use another service.
>
> make sure you always use a password that isn't a dictionary word, and ensure it contains letters and numbers with at least one capital letter.

too right blow hotmail off go for gmail or another server but not yahoo

THE BOOGER
20th February 2009, 12:58 AM
If the hacker is pre teen male/female known to you a big scare by police may solve problem, unfortunately sometimes it makes it worse. I have two daughters and have had SMS problems in the past but a friendly chat by the locals sorted it out in both cases. The culprits never think anybody will find them.

Delta_Farce
20th February 2009, 09:52 AM
> I have deleted all the addresses that I believe have nothing to do with the origination. From what I can work out I think the address is the 'X-Originating-IP: [203.94.135.138]'
>
> Now if I match this to other emails received by our bully would you say that this is adequate evidence?
>
> Unfortunately this is one of my mate's kids and we (my wife & I) would like not to lay blame but to rectify the situation and make sure they are aware of what is going on.



I work in IT Security at a University, and in my role I've had a lot of experience in compiling and interpreting digital evidence.

I say this because the information you've found identifies the computer that was used to send a message, not the person who sent it.

Sometimes ISPs allocate temporary IP addresses to clients, so they can change. It may also be that someone else used that computer etc.

Anyway, what I'm saying is that I would not recommend you approach the other family and identify a member. If you do want to speak to them, it'd be better to say you think someone using their computer may have been involved.

If you want to report this though, I would not speak to the other family at all and just provide the evidence you've found as part of a complaint to Police. It's always better to let the professionals handle the work, approaches, interviews etc.