tracing dodgy message


billb

Original Poster:

Tuesday 8th March 2005
is there anyway of finding out who sent a dodgy message using yahoo web mail?

ta

_Dobbo_

Tuesday 8th March 2005
Depends if yahoo has any way of showing the full message headers. If so post them up here (or PM them to me through my profile if you prefer) and I'll tell you where it came from.

billb

Original Poster:

Tuesday 8th March 2005
_Dobbo_ said:
Depends if yahoo has any way of showing the full message headers. If so post them up here (or PM them to me through my profile if you prefer) and I'll tell you where it came from.


has come from our network as it has our external IP on it but that's about as much as we can tell

chrisjl

Tuesday 8th March 2005
Reply to it with an HTML message containing an embedded image hosted on a server inside your network, then watch the logs...
Practice first - you might only get one shot, so you'll want to get it right first time.
(Be sure whatever tool you use doesn't embed a copy of the image, or you won't learn anything. I'd use Perl or Tcl or something to generate the message myself)

_Dobbo_

Tuesday 8th March 2005
If your network does Network Address Translation, which I can only assume it does, then unless your NAT device logs traffic you probably can't do much.

Other than the above proposed (very good) idea of embedding an image on a webserver somewhere on the local LAN, then reply to the email.

When the sender reads the reply, the PC they use will retrieve the image, and the web server log will log which internal IP address accessed the image. Then you have your culprit.

A lot of hassle, so I guess it depends how dodgy is "dodgy"!

chrisjl

Wednesday 9th March 2005
If you want any help with my suggestion, give me a shout (can't do much during the day, but could probably knock something together this evening).

billb

Original Poster:

Friday 11th March 2005
chrisjl said:
If you want any help with my suggestion, give me a shout (can't do much during the day, but could probably knock something together this evening).


the seriousness has increased so the trap has been set!! corking idea

_Dobbo_

Friday 11th March 2005
Ooooh! Exciting. Let us know if you catch the culprit!

chrisjl

Friday 11th March 2005
_Dobbo_ said:
Ooooh! Exciting.
Indeed.

So, what did you use as the embedded image? The subtle option would be a single pixel transparent GIF, but I think I would have gone for:
Embedded image said:
If you can read this, it's time to start clearing your desk...



Did you send an actual reply, or did you use another address? Can you be sure they'll read it and not just delete it?

Let us know how it goes.

_DeeJay_

Friday 11th March 2005
chrisjl said:
If you want any help with my suggestion, give me a shout (can't do much during the day, but could probably knock something together this evening).


That's really quite cunning - I like it!
The more obvious approach would be to check the firewall/proxy log, but this is far more devious

billb

Original Poster:

Friday 11th March 2005
well we're still not certain! they read it and even replied to it ( the dumb sh*ts! ) but the logs contradict our web filtering software so we have replied to her again with the image still there to make 100% sure!

yes it was tempting to put something along the lines of thanks for opening this please pack yer bags! but just sent a random smiley face saying hello. will see on monday!

chrisjl

Saturday 12th March 2005
billb said:
...but the logs contradict our web filtering software...


If the image is hosted on a www server inside your network, surely there should be only one hit on that file, and that will be the culprit? I suppose there's potential for a default proxy getting in the way, but at least its logs should also only show one hit for that file.
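The "only one hit on that file" check above, written out as an added example (not code from anyone in this thread): it pulls every request for the embedded image's path out of an Apache/nginx combined-format access log and groups them by client IP, so a single internal address is the clean case and several addresses (or a proxy's address) tells you to go and cross-check the proxy's own log. The log lines and the beacon path /track/hello-smiley.gif are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Apache/nginx "combined" access-log format
# (not real logs from the thread). The beacon path below is an assumption.
SAMPLE_LOG = """\
10.0.5.23 - - [11/Mar/2005:14:02:17 +0000] "GET /img/logo.gif HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
10.0.5.41 - - [11/Mar/2005:14:05:02 +0000] "GET /track/hello-smiley.gif HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.5.23 - - [11/Mar/2005:14:06:33 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
10.0.5.41 - - [14/Mar/2005:09:12:45 +0000] "GET /track/hello-smiley.gif HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# One combined-format line: client IP, timestamp, request line, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def beacon_hits(log_text, beacon_path):
    """Return (ip, timestamp, status, user_agent) for every request of beacon_path.

    A 304 still counts as a hit: the mail client re-validated a cached copy, so
    the message was opened again even though no image bytes were sent.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != beacon_path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("ip"), ts, int(m.group("status")), m.group("ua")))
    return hits


def hits_by_client(hits):
    """Map each client IP to its sorted list of open times.

    Exactly one IP is the clean case the thread describes. Several IPs, or an
    IP that belongs to a proxy rather than a desktop, means the proxy's own log
    must be checked for the same path before naming anyone.
    """
    by_ip = defaultdict(list)
    for ip, ts, _status, _ua in hits:
        by_ip[ip].append(ts)
    return {ip: sorted(times) for ip, times in by_ip.items()}


if __name__ == "__main__":
    for ip, times in hits_by_client(beacon_hits(SAMPLE_LOG, "/track/hello-smiley.gif")).items():
        print(ip, [t.isoformat() for t in times])
```

If the mail client fetched the image through a proxy, the web server's log will show the proxy's address; the same function run over the proxy's log (if it is in combined format) gives the real desktop.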

italiano

Tuesday 15th March 2005
Just read this and I'm fascinated! Any news?

billb

Original Poster:

Tuesday 15th March 2005
well we twice have the person as being on the computer identified on the log at the 2 times the mail was read. The only peculiarity is that we use Surf Control which is supposed to log every web site the users have been on and this person hasn't been on any mail sites like yahoo or even ones that she could get to one from. So am presuming it just hasn't recorded it - so we will question the person before accusing her totally and see if we can get a confession!! will let u know!

meeja

Tuesday 15th March 2005
I'm dying to know what they did in the first place......

billb

Original Poster:

Tuesday 15th March 2005
meeja said:
I'm dying to know what they did in the first place......


nothing that u'd think that bad prob! - i work at a school so a pupil sent an abusive mail to a teacher - i like to be able to prove they cannot abuse my system so wanna catch them!

billb

Original Poster:

Wednesday 16th March 2005
it was her!! she admitted all! the trap worked well done chaps!!

_Dobbo_

Wednesday 16th March 2005
Nice! Let us know when the public flogging is, we'll come and throw tomatoes!

Just kidding. It does feel good when you can play IT god and show people they aren't being as clever as they thought!

chrisjl

Thursday 17th March 2005
Did you get to the bottom of the discrepancy between what the booby-trap was telling you and what the web-filter wasn't?

billb

Original Poster:

Thursday 17th March 2005
chrisjl said:
Did you get to the bottom of the discrepancy between what the booby-trap was telling you and what the web-filter wasn't?


no which was a bit annoying - Surf Control doesn't seem to have logged EVERY site

2 girls have been suspended hope u all feel guilty now!