What *legal* means exist to discover the identity behind an email address?

Short of a subpoena, I mean.

One of the users at my workplace received a vaguely threatening, anonymous email that was sent to, but not addressed to him personally. It’s a webtv address, and due to his history, it causes him some worry, and I’ve been asked to look into it.

It’s nothing worth calling the lawyers over, but I’m curious about how much can be uncovered (without breaking the law by hacking into webtv’s system). The headers of the message clearly identify the origin as webtv’s mailservers, and the sender’s email as a webtv address. Beyond tracerouting the mailservers, I’m not sure what else I can do.

I searched on deja.com and several search engines for the email address and came up with nothing, so the sender hasn’t posted to newsgroups under that identity or made a web page that’s in the directories.

Send a message to the administrator of webtv and find out what their policy is. I doubt they’ll give your coworker the user’s identity, but it’s worth a shot.

If the threat seems at all serious, take it to the police. It’s a criminal matter, after all.

I did place a call to webtv, and discovered that they have a special phone number for lawyers and law-enforcement personnel delivering subpoenas, so I don’t think they’ll offer anything.

Sending threats via e-mail is, I would believe, an ‘abuse’ of the e-mail privileges; hence, I’d think that the folks at web tv would be interested in checking it out themselves. So, I’d notify them (the admins or their abuse line).

So find out if it is in fact their policy that they only reveal identities upon subpoena. And as wring says, report the threatening email to the webtv admin. Regardless of whether they’ll tell you who it is, webtv will likely want to take action themselves.

The Terms of Service for WebTV are apparently only accessible to people with the service, but I can’t imagine that they wouldn’t consider harassment an account terminating offense. In theory, anyway.

  • please, please at least inform webTV about this.

You’ll probably never be told what happens in the case, but there’s a fair chance that the sender of the message will lose his account with webTV PDQ.

The ISP stands to lose if it doesn’t react when its services get abused. Lots of organizations filter out any mail from disreputable ISPs and mailhosts due to spam & abuse - no ISP is interested in ending up on that black list, so with a bit of luck the asshole gets the boot and webTV is happy.

And if the threat merits it, hand the case to the police. No reason not to.

S. Norman

I wonder if the best option isn’t really just a choice of these:
[list=A]
[li]Determine that it is a valid threat, go to some law enforcement and then report it seriously along with suggested names of the sender (since your friend has reason to “worry”), or[/li]
[li]Just forget about it. I would think that going to WebTV and getting the user’s account shut down would definitely raise the stakes and piss him/her off even more. They’d have to be a real idiot to not be able to put 2 and 2 together (let’s see, I sent a threatening email and then WebTV shut me down for sending threatening emails…gosh, I wonder who would have reported it?).[/li][/list=A]

If you want a real answer, spend $100 and ask a P.I. to tell you if any of your “guesses” have that email address. Probably only take a few hours to get an answer…(I don’t vouch for that being legal but I think it is…)

First of all, I can use ANY reply email address I want with my email program.

Thus, just cause it looks like it comes from Webtv, does not mean it was.

I could write you an email & the header would say it’s from Webtv when actually it’s from hotmail or msn…etc

One shouldn’t read email from people they don’t know anyway.

Unless you post the full complete header for us to look at there is nothing we can do.

That’d be a neat trick, changing headers and all. How would you go about doing this, short of using an anonymizer or other rerouting proggie?

It did come from webtv. Here’s the relevant portions of the headers from a second email, received last night, with letters removed to prevent identification of the party on our end or the sender. I’ve bolded relevant bits.

Received: from smtpgate.execpc.com ([169.207.3.90]) by [*our mail server*].[*our domain name*].com with
	SMTP ([*the software our mail server is running*])
	id DBA7YPD4; Wed, 24 Jan 2001 01:05:52 -0600
Received: from mailsorter-105-1.iap.bryant.webtv.net (mailsorter-105-1.iap.bryant.webtv.net [209.240.198.119])
	by smtpgate.execpc.com (8.9.2/8.9.3) with ESMTP id UAA30296
	for <[*user*]@[*our domain name*].com>; Tue, 23 Jan 2001 20:06:39 -0600 (CST)
Received: from storefull-218.iap.bryant.webtv.net (storefull-218.iap.bryant.webtv.net [209.240.199.39])
	by mailsorter-105-1.iap.bryant.webtv.net (WebTV_Postfix) with ESMTP id 4F1EF10E4
	for <[*user*]@[*our domain name*].com>; Tue, 23 Jan 2001 23:09:13 -0800 (PST)
Received: (from **production@localhost**) by **storefull-218.iap.bryant.webtv.net** (8.8.8-wtv-d/mt.gso.26Feb98)
	id XAA10343; Tue, 23 Jan 2001 23:09:13 -0800 (PST)
**X-WebTV-Signature**: 1
	ETAtAhQEPiXJD/NEIhjm7wIser8/b1rYowIVAJ6Fnh8j2zKwe0YzBsmv/4LvBhD+
From: [*our company's name*]@webtv.net (N.I.O.)
Date: Wed, 24 Jan 2001 01:09:13 -0600 (CST)
To: [*user*]@[*our domain name*].com
Subject: DO YOU KNOW WHO TO TRUST?
**Message-ID: <306-3A6E7F99-7937@storefull-218.iap.bryant.webtv.net>**
Content-Disposition: Inline
Content-Type: Text/Plain; Charset=US-ASCII
Content-Transfer-Encoding: 7Bit
**MIME-Version: 1.0 (WebTV)**

There’s a couple things to notice:

[ul]
[li]The message originates from “production@localhost”, which is presumably the computer/webtv set-top box on which the email was typed and sent.[/li]
[li]From the originating computer, it goes straight to “storefull” at bryant.webtv.net, which is located in California at the corporate headquarters for webtv (determined by traceroute and whois).[/li]
[li]From storefull, it goes to mailsorter, and from there to execpc’s mail server, which is our upstream provider.[/li]
[li]The header contains the line “X-WebTV-Signature”, presumably placed there by the originating webtv unit, though this could be forged.[/li]
[li]The message I.D. was attached by mailsorter.bryant.webtv.net, which I’ve established is a real mail-server in use by webtv.[/li]
[li]The MIME type of the message is (webtv).[/li]
[/ul]
I don’t know which of these headers could be reliably forged, but I’m reasonably certain that the transit headers can’t be, since they’re added en-route by each handling mailserver.
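As an added illustration of the point made above about transit headers (this is example code written for this page, not something posted in the thread or provided by webtv or execpc): the script below parses a header block like the one quoted, walks the Received: chain newest-first, and marks each hop as “verified” (written by a server the recipient runs or by its trusted upstream relay) or merely “claimed” (written by servers outside the recipient’s control, which a sender could in principle have fabricated). It then checks whether the From: domain agrees with the last host that a trusted server actually saw connect. The host names OURMAIL.OURDOMAIN.com and user@OURDOMAIN.com stand in for the redacted values, trusting execpc.com as the upstream is an assumption taken from the thread, and the second, spoofed header block is constructed to show the check failing.

```python
"""Classify the Received: hops of an email header block by trustworthiness.

Added example, not code from the thread.  Assumes the recipient trusts its own
mail server (OURDOMAIN.com, a placeholder for the redacted domain) and its
upstream relay (execpc.com, named in the thread); hops written by any other
server are treated as unverifiable claims.
"""
import email
import re

# Servers whose Received: lines we trust: our own host and our upstream relay.
TRUSTED_SUFFIXES = ("ourdomain.com", "execpc.com")   # assumption, see above

# The header block posted in the thread, with the poster's bold markers removed
# and the redacted parts replaced by constructed placeholders.
SAMPLE_HEADERS = """\
Received: from smtpgate.execpc.com ([169.207.3.90]) by OURMAIL.OURDOMAIN.com with
        SMTP (OUR-MTA-SOFTWARE)
        id DBA7YPD4; Wed, 24 Jan 2001 01:05:52 -0600
Received: from mailsorter-105-1.iap.bryant.webtv.net (mailsorter-105-1.iap.bryant.webtv.net [209.240.198.119])
        by smtpgate.execpc.com (8.9.2/8.9.3) with ESMTP id UAA30296
        for <user@OURDOMAIN.com>; Tue, 23 Jan 2001 20:06:39 -0600 (CST)
Received: from storefull-218.iap.bryant.webtv.net (storefull-218.iap.bryant.webtv.net [209.240.199.39])
        by mailsorter-105-1.iap.bryant.webtv.net (WebTV_Postfix) with ESMTP id 4F1EF10E4
        for <user@OURDOMAIN.com>; Tue, 23 Jan 2001 23:09:13 -0800 (PST)
Received: (from production@localhost) by storefull-218.iap.bryant.webtv.net (8.8.8-wtv-d/mt.gso.26Feb98)
        id XAA10343; Tue, 23 Jan 2001 23:09:13 -0800 (PST)
X-WebTV-Signature: 1
        ETAtAhQEPiXJD/NEIhjm7wIser8/b1rYowIVAJ6Fnh8j2zKwe0YzBsmv/4LvBhD+
From: OURCOMPANY@webtv.net (N.I.O.)
Date: Wed, 24 Jan 2001 01:09:13 -0600 (CST)
To: user@OURDOMAIN.com
Subject: DO YOU KNOW WHO TO TRUST?
Message-ID: <306-3A6E7F99-7937@storefull-218.iap.bryant.webtv.net>
MIME-Version: 1.0 (WebTV)

"""

# Constructed counter-example: a third-party host hands us a message whose
# lower Received: line and From: both claim webtv, but our server never saw
# a webtv host connect, so the webtv claim is unverifiable.
SPOOFED_HEADERS = """\
Received: from mail.example.net ([192.0.2.10]) by OURMAIL.OURDOMAIN.com with
        SMTP (OUR-MTA-SOFTWARE)
        id ABC123; Wed, 24 Jan 2001 01:05:52 -0600
Received: from storefull-218.iap.bryant.webtv.net (storefull-218.iap.bryant.webtv.net [209.240.199.39])
        by mail.example.net (Postfix) with ESMTP id 111
        for <user@OURDOMAIN.com>; Wed, 24 Jan 2001 01:05:00 -0600
From: someone@webtv.net
To: user@OURDOMAIN.com
Subject: test

"""


def parse_received(value):
    """Extract the 'from' host, its bracketed IP and the 'by' host of one hop."""
    value = " ".join(value.split())                      # unfold the header
    m_from = re.search(r"\(?from\s+([^\s()]+)", value)   # also matches "(from user@localhost)"
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    m_by = re.search(r"\bby\s+([^\s()]+)", value)
    return {
        "from": m_from.group(1) if m_from else None,
        "from_ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
    }


def is_trusted(host):
    return host is not None and host.lower().endswith(TRUSTED_SUFFIXES)


def analyze(raw_headers):
    """Walk the Received: chain newest-first and mark hops verified or claimed."""
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # A hop is verified only while every server that wrote it is trusted; the
    # first untrusted writer is the boundary and all hops below it are claims.
    past_boundary = False
    for hop in hops:
        if not is_trusted(hop["by"]):
            past_boundary = True
        hop["status"] = "claimed" if past_boundary else "verified"
    verified = [h for h in hops if h["status"] == "verified"]
    handoff = verified[-1]["from"] if verified else None  # last host a trusted server saw connect
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = m.group(1).lower() if m else None
    consistent = bool(handoff and from_domain and handoff.lower().endswith("." + from_domain))
    return {"hops": hops, "handoff_host": handoff,
            "from_domain": from_domain, "from_matches_handoff": consistent}


if __name__ == "__main__":
    for label, raw in (("thread sample", SAMPLE_HEADERS), ("spoofed sample", SPOOFED_HEADERS)):
        result = analyze(raw)
        print(f"== {label}: From domain {result['from_domain']}, "
              f"handed off by {result['handoff_host']}, "
              f"consistent={result['from_matches_handoff']}")
        for hop in result["hops"]:
            print(f"  [{hop['status']:8}] {hop['from']} ({hop['from_ip']}) -> {hop['by']}")
```

For the quoted message the two hops written by our own server and by execpc are verified and show a webtv mailsorter host at 209.240.198.119 connecting to execpc, which agrees with the webtv.net From: address; the two lower hops, including the “production@localhost” origin and the X-WebTV-Signature line, were written by webtv’s servers and can only be taken on trust. In the constructed spoofed block the only verified connection comes from mail.example.net, so the webtv claim below it is flagged as inconsistent with what our server observed.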

I spoke to our lawyers about this, and was informed that it would cost around $1000 to file a complaint and get a subpoena. However, webtv may have a standard legal response that requires $10,000 in lawyers’ fees to get past (as our lawyer put it, an 800 page brief citing first amendment arguments, etc., that’s a standard response to any subpoena), just to prevent frivolous subpoenas. Until a threat becomes more apparent, we won’t go that route.