Hotmail Account Hijacked - Need Help in Security http://www.dslreports.com/forum/r12306603 en Tue, 01 Dec 2009 10:10:12 EDT Tue, 01 Dec 2009 10:10:12 EDT Re: Hotmail Account Hijacked - Need Help http://www.dslreports.com/forum/remark,12306633 b_zen : Thanks Cudni,

We will report it, however, should we cut the account off, we'd most likely loose any threads or future IP info, hence losing all chances of finding the person.

Do you have information on how to find the physical address of the computer used? What we really want is to send the Cops knocking at his/her door.
--

UWB over Wire is the future!
]]> http://www.dslreports.com/forum/remark,12306633 Thu, 06 Jan 2005 06:31:25 EDT Re: Hotmail Account Hijacked - Need Help http://www.dslreports.com/forum/remark,12306619 Cudni : report it
»lc1.law13.hotmail.passport.com/c···info.asp
"...
If you have received abusive, harassing, or threatening e-mail messages from an MSN Hotmail account, follow the steps below to report it. To report junk e-mail, please see the "Report junk e-mail to MSN Hotmail" section above.

1. Turn on full message headers. MSN Hotmail will need this information to identify the true origin of the abusive message you received:
* If you have an MSN Hotmail account, click Options in the upper-right corner of any page. Click Mail on the left side, and then click Mail display settings. Next to Message headers, click Full, and then click OK.
* If you do not have an MSN Hotmail account, consult your e-mail program's online Help to determine how to view full message header information.
2. Forward a complete copy of the abusive message (including the full message header) to abuse@hotmail.com...."

Cudni]]> http://www.dslreports.com/forum/remark,12306619 Thu, 06 Jan 2005 06:23:45 EDT Hotmail Account Hijacked - Need Help http://www.dslreports.com/forum/remark,12306603 b_zen : Hello all,

My friend's hotmail account has been hijacked and the password changed.

The culprit keeps sending emails to all members of a mailing list my friend's on.
By getting access to hotmail's password and then changing it, my friend's locked out and what's worse, the culprit has and is using his MSN Messenger account to do a little social engineering. You can imagine the mess.

However, the culprit's latest message was sent yesterday Jan. 5th, and I asked to have a copy, opened the headers to full and got this.
After doing a tracert and using any and all DNS / Whois / tools at my disposal, and my limited knowledge, I am stuck at the IP of the service provider.

I know that we can send a mail to the provider's abuse dept. but since we are in Turkey, it can take ages for the provider to respond; service is null here.

What we wish is to find out the exact location of the computer these messages are sent from. How can we do this?

Here is message header:

Message-ID: <BAY16-F74A9F7EF1690429D904B0CA920@phx.gbl>
Received: from 85.97.129.79 by by16fd.bay16.hotmail.msn.com with HTTP;
Wed, 05 Jan 2005 08:57:09 GMT
X-Originating-IP: [85.97.129.79]
X-Originating-Email: [(edited for privacy)@hotmail.com]
X-Sender: (edited for privacy)@hotmail.com
From: "" <(edited for privacy)@hotmail.com>
To: (edited for privacy)@hotmail.com (they were many more addresses)
Subject: abcdefg (edited for privacy).
Date: Wed, 05 Jan 2005 08:57:09 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-Stn-Info:  
 
(message)

This is the IP trace results:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
inetnum:      85.97.128.0 - 85.97.191.255
netname:      TurkTelekom
descr:        Turk Telekom ADSL-200K_2
country:      tr
admin-c:      TTBA1-RIPE
tech-c:       TTBA1-RIPE
status:       ASSIGNED PA
mnt-by:       as9121-mnt
notify:       ipg@telekom.gov.tr
changed:      ipg@telekom.gov.tr 20041214
source:       RIPE
route:        85.97.128.0/17
descr:        TurkTelecom
origin:       AS9121
mnt-by:       AS9121-MNT
changed:      ipg@turktelekom.com.tr 20041130
source:       RIPE
role:         TT Administrative Contact Role
address:      Turk Telekom
address:      Bilisim Aglari Dairesi
address:      Aydinlikevler
address:      06103 ANKARA
phone:        +90 312 313 1950
fax-no:       +90 312 313 1949
e-mail:       abuse@ttnet.net.tr
admin-c:      BADB3-RIPE
tech-c:       ZA66-RIPE
tech-c:       ZA196-RIPE
tech-c:       LA109-RIPE
tech-c:       NO638-RIPE
nic-hdl:      TTBA1-RIPE
notify:       ipg@turktelekom.com.tr
mnt-by:       AS9121-MNT
changed:      ipg@telekom.gov.tr 20000608
changed:      ipg@telekom.gov.tr 20001020
changed:      ipg@telekom.gov.tr 20010615
changed:      ipg@turktelekom.com.tr 20040903
source:       RIPE

I know whoever is doing this is using Turk Telekom ADSL services. As a user myself, I know we have DYNAMIC IP's only, so the IP may have changed already...

How can we trace X-Originating-IP: [85.97.129.79] to find the physical location?

What are the solutions?

Thanks for any help, input you can give,

B_ZEN

--


UWB over Wire is the future!
]]> http://www.dslreports.com/forum/remark,12306603 Thu, 06 Jan 2005 06:17:56 EDT