
GW header info and email threats

Status
Not open for further replies.

UncleCisco

IS-IT--Management
Dec 15, 2004
2
US
I work in a school where a teacher has been receiving threatening emails from a hotmail account. I look at the email properties but there is not a lot of info that is useful. Is there a way to use the Mail Envelope Properties number to help? Is there anywhere else I could look to see useful info (i.e. IP address of the host composing the email, proof for hotmail that it was one of their users and not somehow relayed... etc.)?

Hotmail wants header info, but the one they receive from us does not seem to be useful.

Any clues how to proceed would be appreciated.

Thanks!

MV
 
If you check the GWIA and MTA and POA logs some more info might show up.
 
#1 You should contact hotmail (msft) and involve the proper authorities.
#2 You can see the extended MIME headers by going to View --> Attachment Window and then opening the mime.822 file.

Still not much there to investigate with. If your GWIA logging is set to verbose (if not, set it now!) you will see some info, proving time of reception and from whom, basically. A normal reception looks a little like this (the sending server here does not resolve because it's an internal relay; yours will probably resolve to something useful):

12-23-04 11:32:07 7 DMN: MSG 123169 Accepted connection: [192.168.0.47] ()
12-23-04 11:32:07 7 DMN: MSG 123169 Receiving file: GW:\GWIA\WPGATE\GWIA\receive\7bcaac14.794
12-23-04 11:32:13 7 MSG 123170 Processing inbound message: GW:\GWIA\WPGATE\GWIA\receive\7BCAAC14.794
12-23-04 11:32:13 7 MSG 123170 Sender: administrator@somedomain.com
12-23-04 11:32:13 7 MSG 123170 Recipient: user@mydomain.com
12-23-04 11:32:13 7 MSG 123170 Queuing to MTA
12-23-04 11:32:13 7 MSG 123170 File: GW:\GWIA\WPGATE\GWIA\wpcsin\4\41caacbd.ku1 Message Id: (41CAF30D.025:2:61477) Size: 1.9 Kb

Again, nothing that's going to break the case wide open, but you will know the sending server, sender, recipient and the time the message was received. You should get your servers syncing to NTP time if they are not already, so that all of your logs will have the correct time to the second and all your servers, clients etc. will agree on the time. This is key in investigations, from what I am told.

Definitely contact the police and get advice on proper next steps. This kind of thing is somewhat common in schools but needs to be taken 100% seriously. Once you can ID the sender, time and server which sent it, the hotmail folks should be able to locate the corresponding records on their end to show how that mail originated. They will likely only be able to give info to the local police as minors are protected in these cases (rather than protecting the teachers who typically don't bring the guns to school... go figure), so then hotmail would give up whatever registration info they might have to the police, maybe they get a host IP and then you have to track that to the ISP involved and hope it's a broadband connection where a DHCP address has been given out with a long lease. Then you can ID the culprit easily. Again, the ISP will probably only cooperate with the cops for obvious reasons.
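As an added example (not from the thread, and not Novell/GroupWise code), the Python below turns verbose GWIA log lines like the excerpt in the reply above into one record per inbound message, tying the DMN connection id to the MSG processing id through the received file name so the peer IP, timestamps, envelope addresses and Message Id end up in one place. The sample log is constructed from that excerpt, and the line layout it assumes (date, time, level, optional "DMN:", "MSG <id>", event) is an assumption based on it.

```python
import re

# Constructed sample, modelled on the GWIA verbose excerpt quoted in the thread.
SAMPLE_LOG = r"""
12-23-04 11:32:07 7 DMN: MSG 123169 Accepted connection: [192.168.0.47] ()
12-23-04 11:32:07 7 DMN: MSG 123169 Receiving file: GW:\GWIA\WPGATE\GWIA\receive\7bcaac14.794
12-23-04 11:32:13 7 MSG 123170 Processing inbound message: GW:\GWIA\WPGATE\GWIA\receive\7BCAAC14.794
12-23-04 11:32:13 7 MSG 123170 Sender: administrator@somedomain.com
12-23-04 11:32:13 7 MSG 123170 Recipient: user@mydomain.com
12-23-04 11:32:13 7 MSG 123170 Queuing to MTA
12-23-04 11:32:13 7 MSG 123170 File: GW:\GWIA\WPGATE\GWIA\wpcsin\4\41caacbd.ku1 Message Id: (41CAF30D.025:2:61477) Size: 1.9 Kb
"""

# Assumed layout: "MM-DD-YY HH:MM:SS <level> [DMN: ]MSG <id> <event>"
LINE_RE = re.compile(r"^(?P<ts>\d\d-\d\d-\d\d \d\d:\d\d:\d\d) \d+ "
                     r"(?P<dmn>DMN: )?MSG (?P<msgid>\d+) (?P<event>.*)$")

def _basename(path):
    # DOS-style paths; the DMN and MSG lines differ only in case, so normalise.
    return path.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_gwia_log(text):
    """Correlate DMN (SMTP session) and MSG (processing) ids via the received
    file name and return one record per inbound message, in log order."""
    sessions = {}   # DMN id, later re-keyed by file basename -> {peer, accepted}
    messages = {}   # processing MSG id -> record
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msgid, event = m["ts"], m["msgid"], m["event"]
        if m["dmn"]:
            if event.startswith("Accepted connection:"):
                ip = re.search(r"\[([^\]]+)\]", event)   # peer that delivered the mail
                sessions.setdefault(msgid, {})["peer"] = ip.group(1) if ip else None
                sessions[msgid]["accepted"] = ts
            elif event.startswith("Receiving file:"):
                sessions[_basename(event.split(":", 1)[1])] = sessions.pop(msgid, {})
            continue
        rec = messages.setdefault(msgid, {"recipients": []})
        if event.startswith("Processing inbound message:"):
            rec["processed"] = ts
            rec.update(sessions.get(_basename(event.split(":", 1)[1]), {}))
        elif event.startswith("Sender:"):
            rec["sender"] = event.split(":", 1)[1].strip()  # envelope sender, unauthenticated
        elif event.startswith("Recipient:"):
            rec["recipients"].append(event.split(":", 1)[1].strip())
        else:
            mid = re.search(r"Message Id: \(([^)]+)\)", event)
            if mid:
                rec["message_id"] = mid.group(1)
    return list(messages.values())
```

The peer address is the only field the sending side cannot simply choose; the Sender line is the envelope address the remote host announced, which is why the reply above stresses handing the server, time and peer details to the provider rather than trusting the From address.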
 