IT Bods Help Please


andyb
23-03-11, 08:47 PM
Hi guys,

It looks like my Mum's work webmail account has been hacked into and an email sent in her name. The only way she knows this has occurred is due to an automated reply from the recipient. The reply has a .dat as an attachment and not much else really.

Is there a way of tracing the computer it was originally sent from? I've got a possible IP address but it may be from the auto reply, not the original sender. She has a pretty good idea but needs solid proof. No point asking IT as they don't have an IT dept. on site and the off site guys aren't that good.

Cheers,
Andy

kaivalagi
23-03-11, 08:52 PM
Not sure about tracing it back without knowing the network config. Whoever manages the firewall/network security may have logs of http traffic which might help trace back to the sending IP...

Just make sure she changes the password of the account if she hasn't already, and next time don't select the remember login/password options when logging in.

cbay
23-03-11, 08:53 PM
why does she need to know?

Just change the password and be done with it.

kaivalagi
23-03-11, 08:55 PM
why does she need to know?
If done when at work someone might be responsible and needs to pay.

andyb
23-03-11, 09:07 PM
why does she need to know?

Just change the password and be done with it.

She needs to know as it's an email that has been sent in her name to an important person in the organisation, expressing several opinions that are not her views about a very sensitive case.

I've just got her to change the password now, but she's concerned other emails may have been sent that she doesn't know about. I suggested a broadcast email saying that her account may have been hacked into and to report any unusual emails originating from my Mum's account.

fizzwheel
23-03-11, 09:11 PM
It might not have come from her account at all. It's possible to "spoof" an email address to make it look like it's come from a different account.

If it's been done from her webmail account can the I.T. department at her work help? I'm not skilled enough with email to help, but if she has a copy of the mail that was sent with the email headers, that might help somebody with more knowledge than I've got point you in the right direction.

Bri w
23-03-11, 10:16 PM
If it's damning enough it's a matter for the Police. That will ensure the IT dept get someone in who can trace it back, or the Police's own IT investigation people, who are very good, will sort it. For whatever reason the CPS really go to town on this sort of thing and whoever did it could end up with a massssssssive fine - I think it comes under the Telecomms Act 2003 but I'm a bit rusty on telecoms stuff.

timwilky
24-03-11, 08:03 AM
If it has been hacked it comes under the Computer Misuse Act. But as others have said it is very easy to spoof an address (it is as simple as changing a line in a mail client config, although for simple spoofing I just telnet to the target port 25 and have a little SMTP dialogue). You need to look at the rest of the mail headers to see where it has come from and what servers it has been through etc. Access to server logs will show you the device that actually connected to the mail server to deliver it, but that is normally useless with the huge number of open relays.
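
The header walk timwilky describes, as an added example that is not part of the thread: it unfolds the raw headers of a constructed sample message (the addresses, host names and IPs are made up), lists the Received: hops in transit order, and picks out the first hop recorded by a server you actually control, whose "from" field is the device that connected to your mail server and is the thing to match against that server's log.

```python
import re

# Constructed sample (not from the thread): From: names a staff address, but the
# earliest Received: hop is a workstation that connected straight to the company
# mail server, which is what the server's own log would also record.
SAMPLE_MAIL = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.partner.example (Postfix) with ESMTP id 4F1C2
\tfor <director@partner.example>; Wed, 23 Mar 2011 14:02:11 +0000
Received: from desktop-17 (unknown [198.51.100.23])
\tby mail.example.org (Postfix) with SMTP id 9A7B3
\tfor <director@partner.example>; Wed, 23 Mar 2011 14:01:58 +0000
From: "A Colleague" <a.colleague@example.org>
Subject: Opinion on the case

This message was not written by the person named in From:.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>" as most MTAs write it.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    # Join RFC 5322 continuation lines (leading space/tab) onto their header.
    lines = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Hops in transit order: index 0 is the hop nearest the sender."""
    hops = []
    for line in unfold_headers(raw):
        name, _, value = line.partition(":")
        m = HOP_RE.search(value) if name.strip().lower() == "received" else None
        if m:
            ip = IP_RE.search(m.group("info") or "")
            hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                         "by": m.group("by").lower()})
    hops.reverse()  # each server prepends its line, so the last one is the first hop
    return hops


def first_trusted_hop(hops, trusted_servers):
    """First Received: line written by a server you control; everything before it
    (further down the raw header) could have been forged by the sender."""
    return next((h for h in hops if h["by"] in trusted_servers), None)
```

Only the lines added by servers you trust are evidence; a sender can type any number of fake Received: lines into the message body before handing it over.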

Stig
24-03-11, 09:10 AM
If it has been hacked it comes under the Computer Misuse Act. But as others have said it is very easy to spoof an address (it is as simple as changing a line in a mail client config, although for simple spoofing I just telnet to the target port 25 and have a little SMTP dialogue). You need to look at the rest of the mail headers to see where it has come from and what servers it has been through etc. Access to server logs will show you the device that actually connected to the mail server to deliver it, but that is normally useless with the huge number of open relays.

All I read was "blah blur blab goop durj".

I'm sure it made sense to everyone else. :)

You may have gathered I don't actually have any usable input into this thread.

timwilky
24-03-11, 10:07 AM
OK don't do this with the work mail system

from a dos/cmd/shell prompt

telnet (insert the name of your mail server here) 25
helo
mail from: <insert the spoof address, eg, boss@mycompany.com> note the requirement for the <>
rcpt to: <insert the recipient, ie sexylady@mycompany.com>
data
I have been watching you from afar, would you like to accompany me to a 3 day seminar in Dubai?

The boss
.

Note the dialogue is terminated by a single period and she gets a mail from the boss.

This relies on badly set up mail servers that do not enforce domains and sources etc.

-Ralph-
24-03-11, 10:40 AM
OK don't do this with the work mail system

from a dos/cmd/shell prompt

telnet (insert the name of your mail server here) 25
helo
mail from: <insert the spoof address, eg, boss@mycompany.com> note the requirement for the <>
rcpt to: <insert the recipient, ie sexylady@mycompany.com>
data
I have been watching you from afar, would you like to accompany me to a 3 day seminar in Dubai?

The boss
.

Note the dialogue is terminated by a single period and she gets a mail from the boss.

This relies on badly set up mail servers that do not enforce domains and sources etc.

And if it does get through a badly set up mail server, most mail clients and almost any spam filter will junk it.

Just tell your Mum to make sure the boss knows your Mum didn't send the email and forget about it. You've said it's a webmail service and not told us which one, your Mum probably doesn't even know to tell you, so we can't even tell you how to display the mail headers. There's very little the org IT bods can do to help you in this instance. Forget about it.