Email Harassment

[henfactor]

Hey TR,

I recently began getting harassing emails from an anonymous individual. They started slowly at first, but then began to grow in both numbers and subject, to the point of bringing a recently deceased family member into it. They were personal attacks (the culprit knows me fairly well), and then other family members began receiving these messages as well. At that point, I called the police. They sent a warning email out, threatening legal action, and the emails stopped.

But I still don't know who did it. Because the emails stopped, the police will not investigate further. I have 18 emails (from multiple addresses), and would love a way to narrow this down. I've already tried eMailTracker, which has told me the emails originated in three places (seemingly domain independent). About a third of them come from around where I live.

Is there any way to come to a definitive conclusion based on the data I have? I don't have any enemies to my knowledge (well, now one apparently), which is why I find this as perplexing as it is vexing.

Thanks in advance for any insight!

[notfred]

I don't think you'll find a piece of general software to do this. You'll need the original emails and look at the headers on them (which can be forged to some degree). You can then trace back to which ISP they were sent from, then subpoena that ISP for records of who had that IP at that time and then take that info to the police or civil court. You might not get anywhere as this has stopped now and the ISP probably doesn't keep records for too long.

[just brew it!]

Yeah, your best bet is to look at the full headers of the e-mails. If they were sent from a webmail account you won't be able to tell much, but if they came from an e-mail client running on a local PC you should be able to get an IP address. If you suspect it is someone you've corresponded with in the past you may even be able to correlate the IP address and/or host name the e-mail originated from with other saved e-mails.

[henfactor]

I don't think you'll find a piece of general software to do this. You'll need the original emails and look at the headers on them (which can be forged to some degree). You can then trace back to which ISP they were sent from, then subpoena that ISP for records of who had that IP at that time and then take that info to the police or civil court. You might not get anywhere as this has stopped now and the ISP probably doesn't keep records for too long.

Interesting. I hadn't thought of going to the ISP about it, but that makes sense, as the local IP addresses are all the same. How often do IP addresses change?

Also, the majority of the others seem to originate at a location a few thousand kms away. Does this imply another person might be sending them? Or that the program I used simply isn't clever enough to figure out where it was routed?

[just brew it!]

If they were sent from a webmail account the originating IP address will be that of the webmail server, not the computer the web browser was running on.

[henfactor]

Yeah, your best bet is to look at the full headers of the e-mails. If they were sent from a webmail account you won't be able to tell much, but if they came from an e-mail client running on a local PC you should be able to get an IP address. If you suspect it is someone you've corresponded with in the past you may even be able to correlate the IP address and/or host name the e-mail originated from with other saved e-mails.

If they were sent from a webmail account the originating IP address will be that of the webmail server, not the computer the web browser was running on.

Ah, your distinction between web-based and local client probably explains the difference between the IP address locations. Riddle one solved So assuming this is true, follow the procedure that notfred described and hope for the best?

[redavni]

Reply back with a subtle image or a link to a web server where you have full access to the logs. You can set up a web server on your home machine to do it even. If the senders email client is configured to load images automatically, all he needs to do is open it and you have his IP address as long as he is not behind a proxy. A geolocation lookup on the IP should give approximate location.

If you have a Facebook, this guy is probably visiting it. I don't do Facebook, but I believe they allow external content now through their API. So, if you are really determined, you can expand on the same technique there to try and pin down an identity.

[blitzy]

If the offending emails were sent via webmail (gmail, hotmail, yahoo mail etc.) then it is fairly anonymous, I imagine it would be hard work convincing e.g. gmail to send you the IP details of the sender of a particular mail.

If the mails were sent from an ISP mail server, there may be more chance to track it down. e.g. mrpickle@comcast.net . That's because ISPs are more used to dealing with those type of information requests, and they may even be able to identify who the mail account belongs to (usually it is harder to make an email address with a fake name, than if you made a webmail account with a fake name, but probably not impossible).

[henfactor]

Reply back with a subtle image or a link to a web server where you have full access to the logs. You can set up a web server on your home machine to do it even. If the senders email client is configured to load images automatically, all he needs to do is open it and you have his IP address as long as he is not behind a proxy. A geolocation lookup on the IP should give approximate location.

If you have a Facebook, this guy is probably visiting it. I don't do Facebook, but I believe they allow external content now through their API. So, if you are really determined, you can expand on the same technique there to try and pin down an identity.

Now that sir, is a clever idea. All the accounts are web-based, made exclusively for this purpose. The only part I'm fuzzy on is the home server bit... Any good guides out there for hosting your own content?

[UberGerbil]

They may know you strictly from things they've found on the internet, considering how much personal information "leaks" out onto the net these days (often indirectly -- you may be diligent about what you put out there, but you have no control over what your friends and family and co-workers stick on Facebook, etc). This might be someone you've never met and doesn't live near you, but you've simply flipped some switch in their fevered brain by some relatively innocuous comment you've made on a site somewhere. I mean, mentally healthy people simply don't engage in vicious email harassment, so it's quite likely that whatever you did to get on this person's had side is something rather minor.

Reply back with a subtle image or a link to a web server where you have full access to the logs. You can set up a web server on your home machine to do it even. If the senders email client is configured to load images automatically, all he needs to do is open it and you have his IP address as long as he is not behind a proxy. A geolocation lookup on the IP should give approximate location.

Yes, the "web bug" trick. This is why most modern email clients, and most webmail clients, now don't load images by default in mail from unknown senders and require you to explicitly click something to view them. For this reason, it would probably be better to not try to "hide" the image but instead make it something your harasser would want to see --

Code: Select all

Your mail makes me like this:
     unahppyface.gif

where that gif is on a server that gives you access to its logs. Though a dumb harasser might just load everything anyway, even if there's just a little "bug" picture in your signature or whatever. You could just buy a minimal hosting account somewhere -- a lot of web hosts are under $5 a month for a basic setup, and most offer a 30 day trial or money-back guarantee, so you could be in and out without any (or minimal) money out of pocket. You wouldn't even need a domain.

HOWEVER: the harassing emails have now stopped. I personally would rather remain in the dark than kick the hornet's nest. Moreover, if this incites a new round of harassment you probably won't get as sympathetic a response from the police this time since things were quiet until you stirred them up again. So I'd keep this little maneuver in your back pocket and only bring it out if the harassment starts again.

[just brew it!]

Now that sir, is a clever idea. All the accounts are web-based, made exclusively for this purpose. The only part I'm fuzzy on is the home server bit... Any good guides out there for hosting your own content?

Well... to do this with a home server, you either need an IP that doesn't change (fully static, or at least a dynamic address that only changes rarely), or you need to set up an account with a free dynamic DNS service. Also, if your ISP blocks incoming HTTP requests you're SOL. Assuming you've cleared those hurdles, you install web server software on a PC on your network (there are a number of free alternatives, Apache being a popular one), and tell your firewall to forward port 80 to it. That's pretty much it... though I've obviously glossed over the details of configuring whatever web server it is you've chosen to use.

HOWEVER: the harassing emails have now stopped. I personally would rather remain in the dark than kick the hornet's nest. Moreover, if this incites a new round of harassment you probably won't get as sympathetic a response from the police this time since things were quiet until you stirred them up again. So I'd keep this little maneuver in your back pocket and only bring it out if the harassment starts again.

That is a VERY good point.

[henfactor]

They may know you strictly from things they've found on the internet, considering how much personal information "leaks" out onto the net these days (often indirectly -- you may be diligent about what you put out there, but you have no control over what your friends and family and co-workers stick on Facebook, etc). This might be someone you've never met and doesn't live near you, but you've simply flipped some switch in their fevered brain by some relatively innocuous comment you've made on a site somewhere. I mean, mentally healthy people simply don't engage in vicious email harassment, so it's quite likely that whatever you did to get on this person's had side is something rather minor.

Reply back with a subtle image or a link to a web server where you have full access to the logs. You can set up a web server on your home machine to do it even. If the senders email client is configured to load images automatically, all he needs to do is open it and you have his IP address as long as he is not behind a proxy. A geolocation lookup on the IP should give approximate location.

Yes, the "web bug" trick. This is why most modern email clients, and most webmail clients, now don't load images by default in mail from unknown senders and require you to explicitly click something to view them. For this reason, it would probably be better to not try to "hide" the image but instead make it something your harasser would want to see --

Code: Select all

Your mail makes me like this:
     unahppyface.gif

where that gif is on a server that gives you access to its logs. Though a dumb harasser might just load everything anyway, even if there's just a little "bug" picture in your signature or whatever. You could just buy a minimal hosting account somewhere -- a lot of web hosts are under $5 a month for a basic setup, and most offer a 30 day trial or money-back guarantee, so you could be in and out without any (or minimal) money out of pocket. You wouldn't even need a domain.

HOWEVER: the harassing emails have now stopped. I personally would rather remain in the dark than kick the hornet's nest. Moreover, if this incites a new round of harassment you probably won't get as sympathetic a response from the police this time since things were quiet until you stirred them up again. So I'd keep this little maneuver in your back pocket and only bring it out if the harassment starts again.

Thanks for the 'How To'. Your thoughts mirror mine at the end as well; I don't WANT to talk to this guy again. I was hoping with the piles of data I have from him already, I'd be able to apply some interwebs magic and track him down CSI style. Alas, apparently that's not quite a thing (yet?). I am still going to call my ISP and see what I have to do to get them to give me access to this exact location, using the IP addresses I already have. This will probably fail for a number of reasons, but I will still give it a try.

I would also like to believe you're right about this just being an internet creep, but again, an exact local would put my mind to easy indefinitely.

[redavni]

Now that sir, is a clever idea. All the accounts are web-based, made exclusively for this purpose. The only part I'm fuzzy on is the home server bit... Any good guides out there for hosting your own content?

Simplest way would be to grab Mongoose. It's a self contained web server, no install. Just make a folder on your desktop, stick mongoose in it and launch. That folder becomes your root directory. You can then go to http://127.0.0.1:8080/some_image.jpg (defaults to port 8080), but you need your public facing ip for others to see it. Get that via ipconfig. You need to get the mongoose.conf file to start logging though. Uncomment the access_log_file line and add a filename after it.

I just set it up on my machine, let's see if it works. If you see an image below, I have your IP address, and Cox doesn't filter port 8080 heh.

[UberGerbil]

Well, depending on how careful your harasser was and what is in the mail headers, it might be possible to triangulate things somewhat, it's hard to say. Like almost everything else you see on the forensic cop shows, the ease and speed of this kind of process is grossly exaggerated -- if the requirement to wrap up the storyline in ~40 minutes demands that the "good guys" get a name and address from an email with 5 seconds of clicking on a "Minority Report"-looking UI, that's what they'll do. That said, it's also true that law enforcement get cooperation (friendly or through legal action) from ISPs that an ordinary citizen can't expect or demand. If you were getting harassing phone calls from a cell phone, the police could get tower location information but good luck getting that from (say) Verizon yourself. (Though the cell companies have actually sometimes done this for family in missing persons cases)

Well... to do this with a home server, you either need an IP that doesn't change (fully static, or at least a dynamic address that only changes rarely), or you need to set up an account with a free dynamic DNS service. Also, if your ISP blocks incoming HTTP requests you're SOL. Assuming you've cleared those hurdles, you install web server software on a PC on your network (there are a number of free alternatives, Apache being a popular one), and tell your firewall to forward port 80 to it. That's pretty much it... though I've obviously glossed over the details of configuring whatever web server it is you've chosen to use.

That's why I suggested a web hosting service: unless you already know how to do this, or want to learn, it's just more trouble than it's worth. Plus if you're hosting the image from your own machine, a savvy harasser now has some information about you, and might be tempted to launch a DoS attack (or worse) against you. I'd much rather keep things at arm's length using a professional hosting service (which probably also is much better secured against those sorts of attacks, and also has more clout in getting authorities involved if a dumb harasser launches one against their servers).

[just brew it!]

That's why I suggested a web hosting service: unless you already know how to do this, or want to learn, it's just more trouble than it's worth. Plus if you're hosting the image from your own machine, a savvy harasser now has some information about you, and might be tempted to launch a DoS attack (or worse) against you. I'd much rather keep things at arm's length using a professional hosting service (which probably also is much better secured against those sorts of attacks, and also has more clout in getting authorities involved if a dumb harasser launches one against their servers).

Very good point. There are enough hosting options out there that this could be done fairly inexpensively; the only thing a home-based solution has going for it is that it can be done for free. I believe a number of the cloud hosting providers charge by the day, or even by the hour... so you could set the server up, gather your data, and take it down before incurring significant hosting charges.

[Buub]

If they were sent from a webmail account the originating IP address will be that of the webmail server, not the computer the web browser was running on.

But the mail provider (for example Yahoo) will have the IP address of the machine that was used to send the webmail. They keep that sort of thing. But they don't archive it forever, and they won't give it to you unless you can prove definitively that you are entitled to receive it.

[TravelMug]

I was hoping with the piles of data I have from him already, I'd be able to apply some interwebs magic and track him down CSI style.

I think you will need Visual Basic for that: http://www.youtube.com/watch?v=hkDD03yeLnU

[cheesyking]

There are email tracking services that allow you to do this without having to set up your own webserver / write your own code. I'm all for doing it the techie way but just thought I'd mention that there is an easy option.

I'm also with Uber on the not stirring things up again... Especially after I watched that Talhotblond documentary last night

[Derfer]

If they had any idea what they were doing they probably went war driving. How careful they were probably depends on how much attention they were expecting to draw. Were they just trying to annoy or was it something serious like threats/blackmail?