"Faking mail is *very* easy to do and is not easy to trace.  I'm a non-techy
 and have no problem doing this.  I do not, however, fake mail from real
 people and real addresses."
 
 
True, but examining the header, I see the following :
 
 
> Received:  from gatekeeper.us.oracle.com by hqsun1.us.oracle.com (5.59.9/37.7)
> 	id AA02018; Mon, 12 Oct 92 09:43:08 PDT
> Received:  from pucc.Princeton.EDU by gatekeeper.oracle.com (Oracle 1.12/37.7)
> 	id AA10595; Mon, 12 Oct 92 09:43:08 PDT
> Message-Id: <[log in to unmask]>
> Received: from PUCC.PRINCETON.EDU by pucc.Princeton.EDU (IBM VM SMTP V2R2)
>    with BSMTP id 9628; Mon, 12 Oct 92 12:35:43 EDT
> Received: from PUCC.BITNET by PUCC.PRINCETON.EDU (Mailer R2.08 ptf043) with
>  BSMTP id 6462; Mon, 12 Oct 92 12:32:28 EDT
 
 
And this tells me that it came to me from pucc.princeton.edu, and arrived at
pucc.princeton.edu from PUCC.BITNET, probably a gateway machine. If this is
all true - and it's not impossible that some of it is faked, but somewhere
in the header there's a place where the fake lines were delivered to a real
mail delivery agent that added its own, real lines to the header ... and they
also, in most cases, logged this transaction - and where it came from.
 
The timestamps make finding this data a lot easier.	(-:
 
Iff it came from within Princeton, I might be able to select a small set of
LSTOWN subscribers whom were likely candidates for such a thing, but this is
not proof by itself, since there is are other issues, like security and email
articles being shared.
 
 
The bottom line is that with logging and cooperative administrators it is
trivial to identify where the connection came from. And if that system has
logs ... well, believe me, the FBI would consider it a cakewalk.
 
 
-- richard
 
=====
-- richard childers		[log in to unmask]		1 415 506 2411
         oracle data center  --  unix systems & network administration
 
                    Klein flask for rent. Inquire within.