Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Death threat

3 views
Skip to first unread message

Barry Punchard

unread,
Dec 19, 2009, 2:28:34 AM12/19/09
to
Can someone please explain the various IP addresses that appear in email
headers. Please don't criticise where I have posted. This is a very very
serious situation of threats that has occurred and I need to know if I can
link a mail to a person from whom I have had normal mails. Do any of the
IP addresses identify the computer or internet connection it came from?
TIA.
--
__ ___
//_)) //__))
//__))arry //unchard mailto:barry.p...@btinternet.com
____________________

David Pitt

unread,
Dec 19, 2009, 3:53:59 AM12/19/09
to
On 19/12/2009 07:28, Barry Punchard wrote:
> Can someone please explain the various IP addresses that appear in email
> headers. Please don't criticise where I have posted. This is a very very
> serious situation of threats that has occurred and I need to know if I can
> link a mail to a person from whom I have had normal mails. Do any of the
> IP addresses identify the computer or internet connection it came from?
> TIA.

An instance of an abusive email was reported a few days ago on an
Iconbar forum. That was reported to the police.

A google with the terms - email identify sender IP - came up with some
info on headers, which may or may not help.

Normally the sender's IP would be in the first 'Received: from' header.
I have just checked that out here with an email sent to myself and it
does have my IP address. 'whois' does not give much away, it just says
the IP is assigned by my ISP. In any case I am on a static IP, many
accounts use a dynamically allocated IP address which means the user has
a different IP assigned on each log in.

--
David Pitt

Simon Willcocks

unread,
Dec 19, 2009, 5:22:10 AM12/19/09
to
In message <PqWdnRd5SLM6CbHW...@brightview.co.uk>
David Pitt <ne...@pittdj.co.uk> wrote:

> On 19/12/2009 07:28, Barry Punchard wrote:
> > Can someone please explain the various IP addresses that appear in email
> > headers. Please don't criticise where I have posted. This is a very very
> > serious situation of threats that has occurred and I need to know if I can
> > link a mail to a person from whom I have had normal mails. Do any of the
> > IP addresses identify the computer or internet connection it came from?
> > TIA.
>
> An instance of an abusive email was reported a few days ago on an
> Iconbar forum. That was reported to the police.

http://www.iconbar.com/forums/viewthread.php?threadid=11281&page=3#112301

There's a good link in one of the responses:

http://www.acpo.police.uk/asp/policies/Data/Stalking%20and%20Harassment.pdf

> A google with the terms - email identify sender IP - came up with some
> info on headers, which may or may not help.
>
> Normally the sender's IP would be in the first 'Received: from' header.

The last one, on the ones I have. As the e-mail gets closer to its
destination, new Received headers seem to be added at the beginning of the
mail header.

That said, RFC 1869 just says that the SMTP server has to add the header
field annotation, but not where. However, each one states the address it's
received from and the machine it was received by, so you can follow the
chain back to its source by finding the only address the message was sent
from but not received by. (It's probably possible for the original sender
to add a few lines to the original header, to look at first glance like it
comes from somewhere else, though.)

The police are a better bet for working it out; they have access to much
more information than you do and I expect a couple of policemen appearing on
their doorstep would encourage the sender to think twice before doing it
again, even if it doesn't get to court. Also, if they make a habit of it,
the police can't tell unless they've been informed.

> [...] many

> accounts use a dynamically allocated IP address which means the user has
> a different IP assigned on each log in.

Broadband connections don't get logged in all that often, so probably don't
change addresses all that frequently (and when they do, the first byte or
two probably won't change at all).

--
ROLF - The RISC OS Look and Feel on Linux.
http://stoppers.drobe.co.uk
http://ro-lookandfeel.blogspot.com/

Message has been deleted

Vince M Hudd

unread,
Dec 19, 2009, 6:25:42 AM12/19/09
to
Barry Punchard <barry.p...@btinternet.com> wrote:

> Can someone please explain the various IP addresses that appear in email
> headers. Please don't criticise where I have posted. This is a very very
> serious situation of threats that has occurred and I need to know if I can
> link a mail to a person from whom I have had normal mails. Do any of the
> IP addresses identify the computer or internet connection it came from?
> TIA.

When things are nice and easy, yes. The Received lines should, in theory and
in an ideal world, be the path from the sender('s ISP) to you(r ISP). These
are listed from the bottom upwards - so the first Received line that was
inserted into the headers is the last one reading from the top down, and
it's the bottom-most one that you should be looking at.

However, it's not an ideal world - especially when death threats are being
issued by email. There are a number of things the sender can do to make the
above explanation useless, and quite probably did (unless they're really,
really stupid - which is possible).

--
Vince M Hudd - Soft Rock Software
http://www.softrock.co.uk
http://misc.vinceh.com

David Pitt

unread,
Dec 19, 2009, 6:47:22 AM12/19/09
to
Simon Willcocks <simon.w...@t-online.de> wrote:

> In message <PqWdnRd5SLM6CbHW...@brightview.co.uk>
> David Pitt <ne...@pittdj.co.uk> wrote:
>
> > On 19/12/2009 07:28, Barry Punchard wrote:
> > > Can someone please explain the various IP addresses that appear in
> > > email headers. Please don't criticise where I have posted. This is a
> > > very very serious situation of threats that has occurred and I need to
> > > know if I can link a mail to a person from whom I have had normal
> > > mails. Do any of the IP addresses identify the computer or internet
> > > connection it came from? TIA.
> >
> > An instance of an abusive email was reported a few days ago on an
> > Iconbar forum. That was reported to the police.
>
> http://www.iconbar.com/forums/viewthread.php?threadid=11281&page=3#112301
>
> There's a good link in one of the responses:
>
>
http://www.acpo.police.uk/asp/policies/Data/Stalking%20and%20Harassment.pdf

I too made the mistake of assuming the offence was committed in the UK. (I
managed to erroneously send a private reply, as one does, or as I do
anyway!)

>
> > A google with the terms - email identify sender IP - came up with some
> > info on headers, which may or may not help.
> >
> > Normally the sender's IP would be in the first 'Received: from' header.
>
> The last one, on the ones I have. As the e-mail gets closer to its
> destination, new Received headers seem to be added at the beginning of the
> mail header.

By first I meant first in time.

[snip]


>
> > [...] many accounts use a dynamically allocated IP address which means
> > the user has a different IP assigned on each log in.
>
> Broadband connections don't get logged in all that often, so probably
> don't change addresses all that frequently (and when they do, the first
> byte or two probably won't change at all).
>

ISP's have ranges of addresses to allocate, as I understand it. If the
router is turned off over night then different addresses may be issued on a
daily basis.

--
David Pitt

MessengerPro on iMac, Snow Leopard

Derek.Moody

unread,
Dec 19, 2009, 7:27:41 AM12/19/09
to
In article <87a9fbcb50.b...@barry.btinternet.com>, Barry Punchard

<URL:mailto:barry.p...@btinternet.com> wrote:
> Can someone please explain the various IP addresses that appear in email
> headers. Please don't criticise where I have posted. This is a very very
> serious situation of threats that has occurred and I need to know if I can
> link a mail to a person from whom I have had normal mails. Do any of the
> IP addresses identify the computer or internet connection it came from?
> TIA.

Any good sysop will be able to give you a first approximation. I imagine
you are cagey about opening publicly the emails of your suspect in case you
turn out to be wrong and in so doing wrong him/her in turn.

If you like I will take a look at the headers and give you a first opinion
(which you should check elsewhere in case I'm the perpetrator in disguise.)

Copy the complete headers, down to the first character of the mail body, to
this address using the subject of this posting and I'll get back to you.

(I'll be watching for the subject line - this addy gets lots of spam.)

Cheerio,

--
>> derek...@clara.net

Kevin Wells

unread,
Dec 19, 2009, 8:26:00 AM12/19/09
to
In message <mpro.kuwe2y000...@pittdj.co.uk>
David Pitt <pit...@pittdj.co.uk> wrote:

>> Broadband connections don't get logged in all that often, so probably
>> don't change addresses all that frequently (and when they do, the first
>> byte or two probably won't change at all).
>>
>ISP's have ranges of addresses to allocate, as I understand it. If the
>router is turned off over night then different addresses may be issued on a
>daily basis.
>

But the ISP should be able to say who had what at what time and date.


--
Kev Wells http://riscos.kevsoft.co.uk/
http://kevsoft.co.uk/ http://kevsoft.co.uk/AleQuest/
ICQ 238580561
Bring me my bow of burning gold!

Tim Hill

unread,
Dec 19, 2009, 10:26:43 AM12/19/09
to
In article <PqWdnRd5SLM6CbHW...@brightview.co.uk>, David
Pitt <ne...@pittdj.co.uk> wrote:
[snip]

> many accounts use a dynamically allocated IP address which means the
> user has a different IP assigned on each log in.

Though this can happen it often does not. Even my nasty cheap router
keeps track of which IP addresses its DHCP server has allocated and to
which MAC address. If that same device re-connects, it is given the same
address. This does expire after a while and the 'Lease Time' is
configurable so a changing IP address will only usually happen if a
device is disconnected for some time. My DHCP server is set by default to
72 hours. I told my new neighbour they can use my network until they sort
out broadband and I see that their Mac and iPhone have been given
addresses which haven't changed in a week's absence, despite this
setting. Nothing else seems to have connected to the DHCP server in this
time.

I assume, of course, that upstream DHCP servers are configured similarly
and their behaviour seems to bear this out, though a fixed IP address
must be linked to the phone line, not to MAC Addesses as a change in a
user's router does not caused a fixed IP address to change.

--
Tim Hill
...................................................
tjrh.eu

... "The private wound is deepest" Two G of V, Act v, Sc.4

Brian Howlett

unread,
Dec 19, 2009, 10:40:08 AM12/19/09
to
On 19 Dec, Tim Hill wrote:

> I assume, of course, that upstream DHCP servers are configured
> similarly and their behaviour seems to bear this out, though a fixed
> IP address must be linked to the phone line, not to MAC Addesses as a
> change in a user's router does not caused a fixed IP address to
> change.

Static IP addresses are usually allocated per user name, IME, although
not all systems are configured in that way.
--
Brian Howlett - Email to From: address deleted unseen
----------------------------------------------------------------
Had this been an actual emergency, we would have fled in terror,
and you would not have been informed...

Rob Kendrick

unread,
Dec 19, 2009, 11:12:50 AM12/19/09
to
On Sat, 19 Dec 2009 13:26:00 GMT
Kevin Wells <kevin...@talktalk.net> wrote:

> But the ISP should be able to say who had what at what time and date.

But, a) many don't, because it's actually a lot of data,
b) if done via a mobile phone, all customers are NATed through a
handful of addresses, so email headers will be essentially
useless, and
c) none of it might matter anyway if there was an open or cracked
AP connected.

IP addresses are a dreadful way of finger-pointing.

B.

Barry Punchard

unread,
Dec 19, 2009, 3:07:03 PM12/19/09
to
On 19 Dec kevin...@talktalk.net wrote:

> In message <mpro.kuwe2y000...@pittdj.co.uk>
> David Pitt <pit...@pittdj.co.uk> wrote:
>
> >> Broadband connections don't get logged in all that often, so probably
> >> don't change addresses all that frequently (and when they do, the first
> >> byte or two probably won't change at all).
> >>
> >ISP's have ranges of addresses to allocate, as I understand it. If the
> >router is turned off over night then different addresses may be issued on a
> >daily basis.
> >
>
> But the ISP should be able to say who had what at what time and date.
>

Thanks, that may help.

Barry Punchard

unread,
Dec 19, 2009, 3:20:52 PM12/19/09
to

And this was from a gmail address, and they seem to all go via the States
and back. I am hoping that the content of the message will confirm fairly
conclusively the identity of the person.

Andrew Hodgson

unread,
Dec 19, 2009, 4:24:06 PM12/19/09
to
On Dec 19, 10:22 am, Simon Willcocks <simon.willco...@t-online.de>
wrote:
> In message <PqWdnRd5SLM6CbHWnZ2dnUVZ8jKdn...@brightview.co.uk>

>           David Pitt <n...@pittdj.co.uk> wrote:
>
> > On 19/12/2009 07:28, Barry Punchard wrote:
> > > Can someone please explain the various IP addresses that appear in email
> > > headers. Please don't criticise where I have posted. This is a very very
> > > serious situation of threats that has occurred and I need to know if I can
> > > link a mail to a person from whom I have had normal mails. Do any of the
> > > IP addresses identify the computer or internet connection it came from?
> > > TIA.
>
> > An instance of an abusive email was reported a few days ago on an
> > Iconbar forum. That was reported to the police.
>
> http://www.iconbar.com/forums/viewthread.php?threadid=11281&page=3#11...
>

Yes, that was the ones I got. I shot the whole lot including the
server logs of to the police. They came back yesterday with an IP
range for a company, which happened to confirm who I thought it was.

A couple of things I would suggest. First send a copy to the police.
Second remove any private information on the internet, ie change
facebook prefs to friends only. (This is where the person got my
information.) Third have a word with Dave Moore from Stairway to hell.
He gets them quite often and knows how to deal with them.
If you feel there is a real danger, seriously talk to the police.

Lastly, Seek support. Mine turned out to be relativity harmless, but
it put the wind up me for several days, and I only now feel better
about the whole thing thanks to my wife.

Good luck and I hope it works out well for you.

Dave Plowman (News)

unread,
Dec 19, 2009, 7:00:05 PM12/19/09
to
In article
<0c3855ea-a145-4f22...@21g2000yqj.googlegroups.com>,

Andrew Hodgson <andyho...@googlemail.com> wrote:
> Lastly, Seek support. Mine turned out to be relativity harmless, but
> it put the wind up me for several days, and I only now feel better
> about the whole thing thanks to my wife.

Think many will have received this sort of thing by email. Some can get
very cocky when separated by a computer - and seem to write things they'd
not do in a letter. The good news is it would be a very foolish person who
would warn in this way and therefore leave clues before carrying out the
act.

--
*If you must choose between two evils, pick the one you've never tried before

Dave Plowman da...@davenoise.co.uk London SW
To e-mail, change noise into sound.

Chris Evans

unread,
Dec 21, 2009, 8:22:24 AM12/21/09
to
In article <3c5e42cc50.b...@barry.btinternet.com>, Barry Punchard

<URL:mailto:barry.p...@btinternet.com> wrote:
> On 19 Dec nn...@rjek.com wrote:
>
> > On Sat, 19 Dec 2009 13:26:00 GMT
> > Kevin Wells <kevin...@talktalk.net> wrote:
> >
> > > But the ISP should be able to say who had what at what time and date.
> >
> > But, a) many don't, because it's actually a lot of data,
> > b) if done via a mobile phone, all customers are NATed through a
> > handful of addresses, so email headers will be essentially
> > useless, and
> > c) none of it might matter anyway if there was an open or cracked
> > AP connected.
> >
> > IP addresses are a dreadful way of finger-pointing.
> >
> > B.
> And this was from a gmail address, and they seem to all go via the States
> and back. I am hoping that the content of the message will confirm fairly
> conclusively the identity of the person.

AIUI

emails sent via a webmail server will probably only include the webmail
servers IP address, the police would then need to ask (get court order?) of
the ISP / gmail / hotmail / whoever ... details of the account holder and
the ip address he connected from. I wonder if the US police would be
bothered to investigate for a UK resident!


Chris Evans

--
CJE Micro's / 4D 'RISC OS Specialists'
Telephone: 01903 523222 Fax: 01903 523679
ch...@cjemicros.co.uk http://www.cjemicros.co.uk/
78 Brighton Road, Worthing, West Sussex, BN11 2EN
The most beautiful thing anyone can wear, is a smile!

druck

unread,
Dec 21, 2009, 10:25:34 AM12/21/09
to
On 21 Dec 2009 Chris Evans <ch...@cjemicros.co.uk> wrote:
> emails sent via a webmail server will probably only include the webmail
> servers IP address, the police would then need to ask (get court order?) of
> the ISP / gmail / hotmail / whoever ... details of the account holder and
> the ip address he connected from. I wonder if the US police would be
> bothered to investigate for a UK resident!

Anyone can get a court order, not just the police.

---druck

--
The ARM Club Free Software - http://www.armclub.org.uk/free/
32 bit Conversions Page - http://www.armclub.org.uk/32bit/

Chris Evans

unread,
Dec 21, 2009, 11:54:11 AM12/21/09
to
In article <ant21132...@client.cjemicros.co.uk>, Chris Evans

<URL:mailto:ch...@cjemicros.co.uk> wrote:
> In article <3c5e42cc50.b...@barry.btinternet.com>, Barry Punchard
> <URL:mailto:barry.p...@btinternet.com> wrote:
> > On 19 Dec nn...@rjek.com wrote:
> >
> > > On Sat, 19 Dec 2009 13:26:00 GMT
> > > Kevin Wells <kevin...@talktalk.net> wrote:
> > >
> > > > But the ISP should be able to say who had what at what time and date.
> > >
> > > But, a) many don't, because it's actually a lot of data,
> > > b) if done via a mobile phone, all customers are NATed through a
> > > handful of addresses, so email headers will be essentially
> > > useless, and
> > > c) none of it might matter anyway if there was an open or cracked
> > > AP connected.
> > >
> > > IP addresses are a dreadful way of finger-pointing.
> > >
> > > B.
> > And this was from a gmail address, and they seem to all go via the States
> > and back. I am hoping that the content of the message will confirm fairly
> > conclusively the identity of the person.
>
> AIUI
>
> emails sent via a webmail server will probably only include the webmail
> servers IP address, the police would then need to ask (get court order?) of
> the ISP / gmail / hotmail / whoever ... details of the account holder and
> the ip address he connected from. I wonder if the US police would be
> bothered to investigate for a UK resident!

I was wrong most/all? web mails do seem to include the IP Address of the
equipement [1] connecting to the webserver

[1] Your static IP address or you dynamic one as appropriate.

Rob Kendrick

unread,
Dec 21, 2009, 11:59:51 AM12/21/09
to
On Mon, 21 Dec 2009 16:54:11 +0000
Chris Evans <ch...@cjemicros.co.uk> wrote:

> > emails sent via a webmail server will probably only include the
> > webmail servers IP address, the police would then need to ask (get
> > court order?) of the ISP / gmail / hotmail / whoever ... details of
> > the account holder and the ip address he connected from. I wonder
> > if the US police would be bothered to investigate for a UK resident!
>
> I was wrong most/all? web mails do seem to include the IP Address of
> the equipement [1] connecting to the webserver

Some do. And this is easily defeated (sometimes even accidentally) via
web proxies, load balancers, and web anonymisers (like Tor). Again, IP

0 new messages