"Faking mail is *very* easy to do and is not easy to trace. I'm a non-techy and have no problem doing this. I do not, however, fake mail from real people and real addresses."

True, but examining the header, I see the following:

> Received: from gatekeeper.us.oracle.com by hqsun1.us.oracle.com (5.59.9/37.7)
>         id AA02018; Mon, 12 Oct 92 09:43:08 PDT
> Received: from pucc.Princeton.EDU by gatekeeper.oracle.com (Oracle 1.12/37.7)
>         id AA10595; Mon, 12 Oct 92 09:43:08 PDT
> Message-Id: <[log in to unmask]>
> Received: from PUCC.PRINCETON.EDU by pucc.Princeton.EDU (IBM VM SMTP V2R2)
>         with BSMTP id 9628; Mon, 12 Oct 92 12:35:43 EDT
> Received: from PUCC.BITNET by PUCC.PRINCETON.EDU (Mailer R2.08 ptf043) with
>         BSMTP id 6462; Mon, 12 Oct 92 12:32:28 EDT

And this tells me that it came to me from pucc.princeton.edu, and arrived at pucc.princeton.edu from PUCC.BITNET, probably a gateway machine.

If this is all true - and it's not impossible that some of it is faked, but somewhere in the header there's a place where the fake lines were delivered to a real mail delivery agent that added its own, real lines to the header ... and they also, in most cases, logged this transaction - and where it came from.

The timestamps make finding this data a lot easier. (-:

Iff it came from within Princeton, I might be able to select a small set of LSTOWN subscribers who were likely candidates for such a thing, but this is not proof by itself, since there are other issues, like security and email articles being shared.

The bottom line is that with logging and cooperative administrators it is trivial to identify where the connection came from. And if that system has logs ... well, believe me, the FBI would consider it a cakewalk.

-- richard

=====
-- richard childers    [log in to unmask]    1 415 506 2411
   oracle data center -- unix systems & network administration

Klein flask for rent. Inquire within.
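
The header walk described in the post, as an added example that is not part of the original message: it reads the quoted Received: lines oldest hop first, lists which host's log to ask for and at what UTC time, and flags hand-offs where the self-reported names or the timestamps do not line up. The function names `hops`, `review` and `log_lookups` are hypothetical, and the masked Message-Id line is left out of the sample.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import mktime_tz, parsedate_tz

# Received: lines as quoted in the post (the masked Message-Id is omitted).
RAW = """\
Received: from gatekeeper.us.oracle.com by hqsun1.us.oracle.com (5.59.9/37.7)
    id AA02018; Mon, 12 Oct 92 09:43:08 PDT
Received: from pucc.Princeton.EDU by gatekeeper.oracle.com (Oracle 1.12/37.7)
    id AA10595; Mon, 12 Oct 92 09:43:08 PDT
Received: from PUCC.PRINCETON.EDU by pucc.Princeton.EDU (IBM VM SMTP V2R2)
    with BSMTP id 9628; Mon, 12 Oct 92 12:35:43 EDT
Received: from PUCC.BITNET by PUCC.PRINCETON.EDU (Mailer R2.08 ptf043) with
    BSMTP id 6462; Mon, 12 Oct 92 12:32:28 EDT

"""

HOP = re.compile(r"from\s+(\S+)\s+by\s+(\S+).*;\s*(.+)$")

def hops(raw):
    """Return (claimed_sender, recording_host, utc_epoch), oldest hop first."""
    chain = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # undo header folding
        if m:
            sender, host, stamp = m.groups()
            chain.append((sender.lower(), host.lower(), mktime_tz(parsedate_tz(stamp))))
    return chain

def review(chain):
    """Flag hand-offs where the names or the clocks do not line up."""
    findings = []
    for (_, prev_host, prev_ts), (sender, host, ts) in zip(chain, chain[1:]):
        if sender != prev_host:  # "from" is self-reported; not proof of forgery
            findings.append(("name-mismatch", prev_host, sender))
        if ts < prev_ts:
            findings.append(("clock-backwards", prev_host, host))
    return findings

def log_lookups(chain):
    """Which host's log to ask for, and the UTC second to search around."""
    return [(host, datetime.fromtimestamp(ts, timezone.utc).isoformat())
            for _, host, ts in chain]

if __name__ == "__main__":
    chain = hops(RAW)
    for row in log_lookups(chain) + review(chain):
        print(row)
```

On the quoted header the only finding is the gatekeeper.oracle.com / gatekeeper.us.oracle.com name difference, which is the kind of hand-off the receiving host's own log would confirm or contradict.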