Tracking down anonymous e-mail

From: Harvey Newstrom (
Date: Fri Jul 13 2001 - 07:44:01 MDT

Here is a nice example follow-up for my Extro-5 speech. It describes how
anonymous e-mail was traced back to the original sender.

Harvey Newstrom <> <>

------------------------------

RISKS-LIST: Risks-Forum Digest  Thursday 12 July 2001  Volume 21 : Issue 50

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:> and by anonymous ftp at, cd risks .

Date: Wed, 27 Jun 2001 09:44:16 -0700
From: <>
Subject: Risks in inept election fraud

Several news outlets are reporting on the recent "No Contest" plea on June 14th by Christine Gunhus, wife of former U.S. Senator Rod Grams (Republican, Minnesota) on criminal violations of Minnesota election code. Here is the posting from, which reads suspiciously like a RISKS posting ;)

The wife of a U.S. senator who unsuccessfully ran for re-election in 2000 pleaded "no contest" on Thursday to charges of using a pseudonym to send email messages that disparaged her husband's Democratic rival.

Minnesota prosecutors charged Christine Gunhus, who married former Republican senator Rod Grams after working on his campaign, with violating state criminal laws. Grams' rival, Democratic-Farmer-Labor candidate Mike Ciresi, had filed a complaint under the Minnesota Fair Campaign Practices Act.

The risks of using technology you don't completely understand and that could leak your identity are worth noting:

* Gunhus is accused of using a Hotmail account (Katie Stevens -- to send the disparaging email messages, which talked about how Ciresi had represented corporate polluters and anti-union companies. But Hotmail includes an X-Originating-IP: header that shows the IP address of the sender -- a problem if you're typing it from the opposing campaign's computer!

* Prosecutors say they traced the IP address back to an AT&T WorldNet user who repeatedly used the "Katie Stevens" Hotmail account by connecting from Gunhus' home number. (Guess they keep Caller ID logs.) Apparently the person using the "Katie Stevens" pseudonym was smart at first, sending the mail from a Kinko's store, but then got sloppy.

* The email attacks included Microsoft Word attachments, which a Ciresi aide investigated. The aide found that Word listed the document authors as Grams staffers including -- you guessed it -- Christine Gunhus.

* Democratic researchers reported that they found Globally Unique Identifiers (GUIDs) in the Word documents. The GUID includes the Ethernet MAC address. Prosecutors last August obtained a search warrant to seize Gunhus' computer, from which they could extract the MAC address if the Ethernet card was still the same.

Cluebot story (with links):

Minnesota Public Radio story on original affidavit:
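
Added example, not part of the original post or the RISKS item: a short Python check for two of the leaks listed above, the X-Originating-IP header in a message and a MAC address embedded in a document GUID. It assumes the GUIDs are version-1 (time-based) UUIDs, whose last six bytes are the node address; the sample message, the document text and all function names are constructed for illustration.

```python
import re
import uuid
from email import message_from_string

# Constructed sample message (RFC 5737 documentation address, not from the case).
SAMPLE_MESSAGE = """\
From: "Example Sender" <sender@example.com>
To: recipient@example.org
Subject: constructed sample
X-Originating-IP: [192.0.2.44]

Body text.
"""

# Constructed document text: one version-1 GUID and one version-4 (random) GUID.
SAMPLE_DOC_TEXT = (
    "_PID_GUID {6BA7B810-9DAD-11D1-80B4-00C04FD430C8} "
    "other {3F2504E0-4F89-41D3-9A0C-0305E82C3301}"
)

GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def originating_ips(raw_message):
    """Return the addresses carried in any X-Originating-IP headers."""
    msg = message_from_string(raw_message)
    values = msg.get_all("X-Originating-IP", [])
    return [v.strip().strip("[]") for v in values]


def mac_from_guid(text):
    """Return the MAC in a version-1 GUID's node field, or None if absent."""
    u = uuid.UUID(text)
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None  # only time-based GUIDs carry a node address
    node = u.node.to_bytes(6, "big")
    if node[0] & 0x01:
        return None  # multicast bit set: node was random, not a NIC address
    return ":".join(f"{b:02x}" for b in node)


def leaked_macs(text):
    """Return the distinct MAC addresses exposed by GUIDs found in text."""
    return sorted({m for g in GUID_RE.findall(text) if (m := mac_from_guid(g))})


if __name__ == "__main__":
    print("originating IPs:", originating_ips(SAMPLE_MESSAGE))
    print("MACs in GUIDs:  ", leaked_macs(SAMPLE_DOC_TEXT))
```

Run against your own outgoing mail and documents, the same check shows what a recipient can read from them before they leave your machine.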

