Forensics
Determining that someone is not the author of an offensive email May 28 2007 07:45PM
Flavio Silva (flavioabs gmail com) (4 replies)
Re: Determining that someone is not the author of an offensive email Jun 01 2007 05:30AM
Alan Parks (alan mojohosting com) (1 replies)
Re: Determining that someone is not the author of an offensive email Jun 02 2007 01:11AM
Flavio Silva (flavioabs gmail com)
Hi Alan! Thank you for your message.

On 6/1/07, Alan Parks <alan (at) mojohosting (dot) com> wrote:
> Hey Flavio, I don't have a great deal of advice to give, but I am curious
> about a few things:
>
> I know literally nothing about Brazilian law, but how is it against the law
> to send an offensive email?

Yes, I understand what you mean. The prosecution was started based on
a defaming accusation.

> And even if it is, how in the world do you get
> a search warrant for 12 people with no evidence directly linking any of them?

It is some kind of regulation of our justice. The ISP gave the
information that the IP number sending the message was attending the
building and the judge signed the order to search all the apartments
using the common ADSL.

> > There were 12 apartments connected to that ADSL line. All of them had
> > false IP numbers (198.162.???.???).
>
> This was pointed out once before, but 192.162.x.x is very real (public)
> ip-space. 192.168.x.x is private (fake, if you will), I assume this is what
> you meant?

Yes.

> Do you know if the NAT router has wireless capabilities, or if ANY of the 12
> people had a wireless access point? If so ANYONE could have attached to it
> and sent the message. There is also the possibility of one of their
> computers being compromised, in which case a remote attacker could have sent
> it through them.

I'm trying to verify this possibility.

> > The message was forwarded by four mail servers:
> > - Hotmail, timestamp 22:20 -0000
> > - MSN. timestamp 22:20 -0000
> > - a Brazilian provider (BP), timestamp (16:20 -0300)
> > - a Brazilian company (BC), timestamp (16:20 -0300)
>
> These times don't add up if -0300 is correct, just convert them all to UTC:
>
> Hotmail, timestamp 22:20 -0000
> MSN. timestamp 22:20 -0000
> Brazilian provider (BP), timestamp (19:20 -0000)
> Brazilian company (BC), timestamp (19:20 -0000)
>
> For this to be true MSN must have sent the message back in time 3 hours. It
> is more likely that 19:20 -0300 is correct, then the times match perfectly.

I don't understand what you say here. Hotmail was the 1st email
server to manipulate the email. BC was the last one. BP and BC cannot
append lines to the header 3 hours "before" Hotmail and MSN. Both must
have expected times 22:20 plus something.

This is one reason I think the email is fake in some way. If it is
true, then it is possible that the origin IP is also fake.

Thank you for your thoughts.

Regards

Flavio

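The UTC normalization discussed in this exchange, as an added example that is not part of the original posts: it parses a message's Received headers, converts each timestamp to UTC, and flags any hop that is stamped earlier than the hop before it. Host names and the date are constructed placeholders; only the times and offsets come from the thread.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: host names and the date are placeholders; only the
# times and UTC offsets are taken from the thread. Newest hop is on top.
SAMPLE = """\
Received: from bp.example by bc.example; 1 Jan 2007 16:20:00 -0300
Received: from msn.example by bp.example; 1 Jan 2007 16:20:00 -0300
Received: from hotmail.example by msn.example; 1 Jan 2007 22:20:00 -0000
Received: from client.example by hotmail.example; 1 Jan 2007 22:20:00 -0000
Subject: constructed test message

body
"""


def hop_times_utc(raw):
    """Return [(header, utc_datetime)] in the order the hops happened."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received line, so reverse to get oldest first.
    for hdr in reversed(msg.get_all("Received", [])):
        stamp = hdr.rsplit(";", 1)[-1].strip()  # date follows the last ';'
        dt = parsedate_to_datetime(stamp)
        if dt.tzinfo is None:  # "-0000" parses as a naive datetime; treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        hops.append((hdr, dt.astimezone(timezone.utc)))
    return hops


def backward_jumps(raw, skew=timedelta(minutes=5)):
    """List (hop_index, seconds_backwards) where a hop predates the previous one."""
    hops = hop_times_utc(raw)
    out = []
    for i in range(1, len(hops)):
        delta = hops[i][1] - hops[i - 1][1]
        if delta < -skew:  # tolerate small clock skew between servers
            out.append((i, int(-delta.total_seconds())))
    return out


if __name__ == "__main__":
    for hdr, dt in hop_times_utc(SAMPLE):
        print(dt.isoformat(), "|", hdr)
    print("backward jumps:", backward_jumps(SAMPLE))
```

A backward jump only shows that the header chain is internally inconsistent; a misconfigured server clock or offset produces the same result as an edited header.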
Re: Determining that someone is not the author of an offensive email May 29 2007 04:13PM
Gleyson Melo (gleysonmelo gmail com)
RE: Determining that someone is not the author of an offensive email May 29 2007 03:46PM
Glenn Dardick (gdardick dardick net) (1 replies)
Re: Determining that someone is not the author of an offensive email May 30 2007 02:15AM
Flavio Silva (flavioabs gmail com) (1 replies)
Re: Determining that someone is not the author of an offensive email May 31 2007 09:11PM
AdityaK (aditya1010 gmail com)
Re: Determining that someone is not the author of an offensive email May 29 2007 03:07PM
Justin Alcorn (justin jalcorn net)


 

Copyright 2010, SecurityFocus