Re: [Emerald] Help finding Spammer...

Jeff Woods ( )
Mon, 13 Dec 1999 10:19:16 -0500

Yes, this can be done. This isn't the forum, however.

Please Email me privately, a couple (only a couple, please) complete
examples, with full headers, and I'll let you know if it really did come
from you. I need to know what IP's you have allocated to you by your
upstream (or permanent blocks by ARIN), your domain name, etc.

To find out who was online at the time, you have to do an SQL query in
MSSQL directly -- Emerald won't search on that criteria. Find the IP
number in question, then go to SQL Query tool, and on the Emerald DB
perform this search:

Select AcctStatusType, CallDate, UserName, FramedAddress from Calls
Where FramedAddress = "www.xx.yyy.zz" // the IP in question
And CallDate >= "12/11/99"
Order By CallDate

It will then give you a report that looks like this (my calls from home in
December, with IP addresses altered):

AcctStatusType CallDate UserName FramedAddress
-------------- --------------------- --------- ----------------
1 Dec 4 1999 11:55AM jeff
2 Dec 4 1999 12:24PM jeff
1 Dec 6 1999 9:59AM jeff
2 Dec 6 1999 9:59AM jeff
1 Dec 6 1999 10:03AM jeff
2 Dec 6 1999 10:13AM jeff
1 Dec 9 1999 9:28PM jeff
2 Dec 9 1999 9:34PM jeff
1 Dec 11 1999 1:44PM jeff
2 Dec 11 1999 1:45PM jeff
1 Dec 12 1999 11:54AM jeff
2 Dec 12 1999 12:05PM jeff

(12 row(s) affected)

In the first column, 1 = log on time, 2 = log off time. Thus, you can
tell that I was online on IP from 11:55 am to 12:24 pm on
December 4th, etc.

Now, since I have a static IP, they were all *me* in my query, but you'll
get a plethora of different users, and can match up the times spam was sent
to the user who happened to be on that IP at the time, and
WHAMMO. Cancelled account(s).

At 07:19 AM 12/13/99 -0600, you wrote:
>Is there a way to pull information like which customer was logged on at
>what time and using what IP?
>The reason I ask is we evidently had someone spamming from our site over
>the weekend using bogus info on the headers... our IPs were associated with
>MindSprings servers... now, I'm not real good at deciphering headers but
>looks like I may have to learn.
>Anyway, I've got PLENTY of headers that were sent back to us over the
>weekend so I can determine the time and have the IPs associated from the
>If there's no way to do this how would I go about setting up so we can tell
>when a customer was logged on and on what IP...
>Thanks for your help.
>For more information about this list (including removal) go to:

For more information about this list (including removal) go to: