eMailTrackerPro and VisualRoute
Background: How to track e-mails back to the sender
The people in this case study:
- Jerry jlastname - owner of jcompany, selling jproduct
- Bill blastname - http://www.bsite.com web site owner
- Carrie blastname - Bill's wife
- Mike mlastname - Bill's former business partner
From: Joe Bob [joebob@atmail.nl]
To: support@jcompany.com
Subject: jproduct hacked
http://www.bsite.com/artists/
They have reversed, modified, recompiled your patented jproduct.
--- Sent via @Mail http://www.atmail.nl
6:15 AM - Jerry finds modified code: Jerry visits the URL mentioned above
and finds that his software does not respond to the key presses that display the
company name, product version, copyright, and other notices. Jerry downloads the
software component, analyzes it, and discovers that it is his program with
small code changes, but changes with significant effect.
The type of changes made do not just happen with a simple binary edit of the
software file (like finding '© aaaa' and changing it to '© bbbb'), as Jerry's
software refuses to run when it detects that type of modification to significant
messages.
The only possible conclusion is that someone reverse engineered the program to
source code, modified the code and recompiled it. Apparently 'Joe Bob' knew what
he was talking about, because the identifying company, copyright and patent
notices, and the anti-modification code were all removed from the product.
Finally, to top it off, the product name, which normally displays as the product
loads, was replaced with a new company name:
blastname mlastname, LLC
These are not innocent changes. Removing notices. Relabeling the product.
Removing anti-modification code.
Someone has taken and altered Jerry's software, claiming ownership of it by
placing their name on it, a theft of trade secret information under
18 USC 1832. They have also clearly copied copyrighted materials for financial
gain, since no license fees will be paid for usage, a very serious willful
violation and criminal offense under copyright law, 17 USC 506(a)(1).
Copyright law automatically protects computer software. Violators of the copyright holder are normally only liable to the extent of profits made, or damages caused. However, if the computer software has been registered with the U.S. Copyright Office, the copyright holder is eligible to recover statutory damages and attorney's fees, normally "not less than $750 or more than $30,000" per infringement. However, if the infringement was "willful", the top end increases to $150,000 (17 USC 504). Jerry's software is registered.
6:30 AM - Contacting the web site owner: After searching the offending
web site for a phone number to call and not finding one, Jerry performs a
VisualRoute trace to the web site and uses the popup WHOIS feature in
VisualRoute to obtain registration information for the domain (by simply
clicking on the web site name in a trace), which lists the owner's name,
address, and phone number. Since the information looks valid, Jerry calls the
phone number listed, and the owner of the domain, Bill, answers!
After talking with Bill, it quickly becomes apparent that something strange is
going on. Bill said he was going to be calling Jerry sometime today because he
had already received this e-mail from Jerry yesterday:
From:
To: <contactus@bsite.com>
Subject: Question from bsite.com
You are using software on your site to display your moving art which is not licensed. jproduct is a patented technology, and all rights to this software are owned by jcompany. Please pay for all occurrences of this software, or remove all portfolio.class files from your site. This message serves as my only notice.
-Jerry jlastname
But Jerry never sent any e-mail to Bill! So, this
e-mail was a fraud and someone was now impersonating Jerry.
It was apparent to both Bill and Jerry that there was now a third party
involved who was trying to make trouble for Bill. After talking with Bill some
more, it seems likely that the third party is Mike, Bill's former business
partner. They had just split up a couple of months earlier.
Given that the company name in the modified software combines both last names,
things are starting to make sense.
6:45 AM - Tracking Jerry's e-mail to the sender: Jerry quickly ran
eMailTrackerPro on the 'Joe Bob' e-mail that he had received, which, up until
this moment, had looked sincere. eMailTrackerPro said the e-mail had originated
from the 'Americas' and not the Netherlands, as the e-mail address 'joebob@atmail.nl'
implied by ending in NL. eMailTrackerPro then identified the sender as:
From: IP address 68.46.XX.YY, host name 'pcp679442pcs.city01.ks.comcast.net'
Clicking on the VisualRoute link within eMailTrackerPro to obtain more detailed tracking information, VisualRoute immediately pinpointed the location of IP Address 68.46.XX.YY:
City, KS, USA - in network 'Comcast Cable Communications, Inc'
Bill said 'that is the city where Mike lives!'
In fact, Bill said that Mike was the technical person between the two of them
and that Mike had provided the software used on his web site. Both Jerry and
Bill were now convinced that Bill's former business partner, Mike, was trying to
make trouble for Bill, and that Mike was responsible for sending both e-mails.
But could that be proved?
7:24 AM - Confirming Mike as the sender: Luckily, Jerry recognized the
"Comcast" network name and knew that this probably meant that Mike was
using a cable modem for Internet connectivity. And, using a cable modem implies
that the IP address changes infrequently or not at all. Jerry needed to
immediately find the IP Address that Mike was using at this moment.
If Jerry could somehow convince Mike to innocently reply to his e-mail, he could
then use eMailTrackerPro to discover the IP Address that Mike was currently
using. And if that matched the IP Address in the e-mail that Jerry received from
Joe Bob just hours previously, it would prove to Jerry that the 'Joe Bob' e-mail
really came from Mike.
So, Bill provided Mike's e-mail address. Luckily it was a Yahoo e-mail address.
As most people feel more comfortable and hidden behind a Yahoo e-mail address,
the chances of coaxing a reply from Mike were increased.
But Jerry could not send an innocent e-mail to Mike as himself because then Mike
would obviously see who the e-mail was from and figure out what was going on.
So, Jerry also created a Yahoo e-mail account and sent the following e-mail to
Mike under an alias:
From: "Sarah yonker" <sarah_yonker@yahoo.com>
To: <mike_mlastname@yahoo.com>
Subject: Hi, are you the Mike I know?
Mike,
I knew a Mike mlastname from high school in Iowa in 1983. Are you that Mike (I hope so!)?
- Sarah
Could you resist responding to Sarah's plea? Luckily for Jerry, Mike could not! Jerry promptly received a reply from "mike_mlastname@yahoo.com", clicked on the Yahoo 'Full Headers' link, copied the headers into eMailTrackerPro and received this result:
From: IP address 68.46.XX.YY, host name 'pcp679442pcs.city01.ks.comcast.net'
An exact IP Address match! So, Joe Bob is really Mike
and not someone from the Netherlands!
Further evidence of identity: In the yahoo.com e-mail Jerry received from
Mike, eMailTrackerPro also provided this interesting clue:
'cj445936c' may be the name of the computer that sent the e-mail, providing a clue as to the true identity of the person sending the e-mail.
The tracking
e-mail tutorial explains how e-mail programs sometimes leak the Windows
networking computer name into the outgoing headers of sent e-mails. If this name
matched the leaked name from an e-mail Mike sent months ago, this would provide
yet another confirmation that the e-mail originated from Mike's physical PC.
Jerry contacted Bill and obtained the e-mail Internet Headers for an e-mail Mike
sent to Bill 53 days ago. Analysis showed that a different IP Address was used,
but that the leaked computer name "cj445936c"
matched! So, 'Joe Bob' is Mike, and this Mike is the Mike that Bill knew
as his former business partner.
Mailer Program Used: eMailTrackerPro also stated:
Mailer: The sender used 'Microsoft Outlook Express 6.00.2600.0000' to send the e-mail.
So, Mike is using Outlook Express. We can also infer that he is probably using a
Windows computer, since Outlook Express runs mostly on Windows computers.
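The two checks used above, reading the originating IP and the leaked computer name out of the first Received hop and matching that name across messages sent from different IPs, can be scripted. This is an added example, not eMailTrackerPro's code or output; the messages, host names, IPs and dates are constructed placeholders, and the leaked-name heuristic (a dot-less HELO name that differs from the reverse DNS) is an assumption about how Windows mail clients announce themselves.

```python
import re
from email import message_from_string

# Constructed sample messages, not headers from the case. Each was relayed
# through the sender's mail provider, so the LAST Received line is the first
# hop, where the relay recorded the client's HELO name and IP. Host names,
# IPs and dates are placeholders.
REPLY_TODAY = """Received: from smtp.mail.example.net (smtp.mail.example.net [203.0.113.9])
\tby mx.jcompany.example with ESMTP; Thu, 07 Feb 2002 09:12:04 -0600
Received: from cj445936c (pcp679442pcs.city01.ks.comcast.net [192.0.2.77])
\tby smtp.mail.example.net with SMTP; Thu, 07 Feb 2002 09:11:58 -0600
From: "Mike" <mike_mlastname@yahoo.com>
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Subject: Re: Hi, are you the Mike I know?

Sarah - yes, that's me.
"""
REPLY_53_DAYS_AGO = """Received: from cj445936c (pcp123456pcs.city01.ks.comcast.net [192.0.2.140])
\tby smtp.mail.example.net with SMTP; Sun, 16 Dec 2001 20:03:11 -0600
From: "Mike" <mike_mlastname@yahoo.com>
Subject: site update

Bill, the new files are up.
"""

# First hop as a relay writes it: "from <HELO name> (<rDNS> [<IP>]) by ..."
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)")

def originating_hop(raw):
    """IP, HELO name, rDNS, mailer and any leaked computer name of the first hop."""
    msg = message_from_string(raw)
    # Unfold each Received header (continuation lines start with whitespace).
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    m = HOP_RE.match(hops[-1]) if hops else None
    if not m:
        return None
    helo, rdns = m["helo"], m["rdns"]
    return {
        "ip": m["ip"], "helo": helo, "rdns": rdns, "mailer": msg.get("X-Mailer"),
        # A dot-less HELO that is not the rDNS name is the pattern left by a
        # Windows client announcing its own computer name (assumed heuristic).
        "leaked_name": helo if "." not in helo and helo != rdns else None,
    }

def same_machine(raw_a, raw_b):
    """True when both messages leak the same computer name, whatever the IPs."""
    a, b = originating_hop(raw_a), originating_hop(raw_b)
    return bool(a and b and a["leaked_name"] and a["leaked_name"] == b["leaked_name"])
```

Only the hop recorded by a relay you trust is evidence; earlier Received lines can be forged by the sender, which is why the script reads the last one rather than the first.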
12:37 PM - Tracking Bill's e-mail: Now, what about the e-mail that Bill
received from someone impersonating Jerry? Analysis of the e-mail headers
indicates that the e-mail message originated from Bill's own web server via a
web form. Looking at the raw Internet Headers for the e-mail, Jerry saw:
Received: from numerianus-z.mspring.net by www.bsite.com with HTTP; Wed, 06 Feb 2002 15:47:55 EST
X-Mailer: cgiemail 1.5 (action="/cgi-bin/cgiemail/artists/questions.txt")
Then, analysis of the web server log file for this time period revealed this log entry:
numerianus-z.mspring.net - - [06/Feb/2002:15:47:55 -0500] "POST /cgi-bin/cgiemail/artists/questions.txt HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
Unfortunately, this log entry did not confirm 100% that Mike was the person who
filled out the web form that sent the e-mail. Law enforcement will have to get
involved to definitively answer that question.
But, whoever this is, the log entry above tells us they are probably using
Microsoft Internet Explorer 5.5 (MSIE 5.5) on a Windows NT 4.0
computer.
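The correlation Jerry did by hand, matching the HTTP Received line and the cgiemail action path against the web server's access log within a few seconds of the stated time, as an added example that is not part of the original page. The message and log lines are constructed, patterned on the header and log entry quoted above, with extra log lines so that the match really depends on host, path and time together.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed inputs patterned on the header and log line quoted above; the
# other log lines are filler so that the match is on host, path AND time.
FORM_MAIL = """Received: from numerianus-z.mspring.net by www.bsite.com with HTTP; Wed, 06 Feb 2002 15:47:55 EST
X-Mailer: cgiemail 1.5 (action="/cgi-bin/cgiemail/artists/questions.txt")
To: <contactus@bsite.com>
Subject: Question from bsite.com

You are using software on your site ...
"""
ACCESS_LOG = """\
numerianus-z.mspring.net - - [06/Feb/2002:15:47:40 -0500] "GET /artists/questions.html HTTP/1.0" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
numerianus-z.mspring.net - - [06/Feb/2002:15:47:55 -0500] "POST /cgi-bin/cgiemail/artists/questions.txt HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
numerianus-z.mspring.net - - [06/Feb/2002:16:20:01 -0500] "POST /cgi-bin/cgiemail/artists/questions.txt HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
"""

# "Received: from <client> by <server> with HTTP; <date>" as the form host adds it
HTTP_RECV_RE = re.compile(r"^from\s+(?P<client>\S+)\s+by\s+(?P<server>\S+)\s+with\s+HTTP;\s*(?P<date>.+)$")
ACTION_RE = re.compile(r'action="(?P<path>[^"]+)"')
# NCSA combined log format, as written by Apache-style servers
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def form_submission(raw):
    """Client host, submission time and cgiemail action path from the mail headers."""
    msg = message_from_string(raw)
    m = HTTP_RECV_RE.match(" ".join((msg.get("Received") or "").split()))
    a = ACTION_RE.search(msg.get("X-Mailer", ""))
    if not (m and a):
        return None
    return {"client": m["client"], "time": parsedate_to_datetime(m["date"]), "path": a["path"]}

def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
            yield entry

def matching_posts(raw_mail, log_text, window=timedelta(seconds=5)):
    """Log entries whose host, POST path and time agree with the mail's Received line."""
    sub = form_submission(raw_mail)
    if not sub:
        return []
    return [e for e in parse_log(log_text)
            if e["host"] == sub["client"] and e["method"] == "POST"
            and e["path"] == sub["path"] and abs(e["time"] - sub["time"]) <= window]
```

Both timestamps are parsed with their zone offsets (EST in the header, -0500 in the log), so the comparison is correct even when the mail server and web server log in different zones.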
The suspect: Very strong circumstantial evidence points to only one
person who had an ax to grind with Bill. Both Bill and Jerry are convinced that
Mike is the person responsible and that he is the person who modified Jerry's
software code, because Mike is the person who, as we have just proved beyond a
shadow of a doubt, wrote:
They have reversed, modified, recompiled your patented jproduct.
Since Mike provided the software to Bill, he should know full well how he
obtained it and what he did to it, and he says it was reversed, modified, and
recompiled!
Mike had hoped to stay anonymous and get Bill in trouble for using the modified
software, but Mike just unknowingly ratted on himself, and now Mike is the one
in serious trouble for theft of trade secrets and copyright law violations for
producing the modified software.
Jerry phoned and discussed the situation with Mike's local Kansas Police
Department, who recommended that he file a complaint with the FBI
Internet Fraud Complaint Center.
4:05 PM - The Confession: When Mike got a hint of the proof that Bill and
Jerry had (Bill told a friend, who told Mike), Mike initiated contact with
Jerry. Mike later followed up with an e-mail confession
(which of course, tracks back to the same 68.46.XX.YY
IP Address) sent to both Jerry and Carrie in which Mike
acknowledges:
- the code changes to Jerry's product
- sending the e-mail to Jerry
- submitting the web form e-mail to Bill, impersonating Jerry
February 8, 2002: All evidence in this case, including Mike's e-mail
confession, is turned over to the FBI.
FBI Case Number: I020208231942XX
Update - February 11, 2002: The 3.0a version of Jerry's software that
Mike modified was only sold from Nov 21, 2000 to Jan 4, 2001, a 44-day time
window over a year ago. So how did Mike obtain that version? On Dec 3, 2000, a
"Mike mlastname" purchased the
smallest business license available, using up the full license on a family web
site, as per an e-mail Mike sent to Jerry on Dec 8, 2000. Is the Mike who
purchased it the Mike in this case study? An eMailTrackerPro trace on the e-mails
from that time period reveals a leaked computer name of
'cj445936c'. Again, a match! So, Mike is now also responsible for violating
the product software license agreement and using a product (albeit
modified) past license limits, also known as software piracy.