busting an idiot reading a friend’s mail

Written by jlgaddis on October 5, 2006 – 12:01 am

First, a bit of background…

Last Tuesday evening (a week ago), I was playing around on MySpace when a friend of mine (who we’ll call “Betty Lou”) sent me a message. After a number of messages back and forth, I sent her a final message telling her that I was leaving (and on my way to her house). It was right about 8pm when I got there and probably between 9.15 and 9.30pm when I left to come back home.

At 1.27am, Betty Lou sent me a message saying “so i just got word that u were sending $idiot a mssg that said uwere on ur way to my house …..well, that was earlier supposedly. true or not? AND DONT LIE!!!!!!!”

Okay, couple of things…

First, $idiot is a friend of Betty Lou’s and doesn’t like me. Boo fuckin’ hoo, get over it. Second, there were exactly two people that knew that I went to her house that night: her and I. 1.27am is when she sent me that message, I have no idea when it was that $idiot talked to her and said I told him I was coming. Something was up…

Last Thursday afternoon, Betty Lou stopped by my office at work. While we’re talking, she mentions that she thinks that someone is reading her MySpace mail. Now, for those of you who don’t use MySpace, your messages have a “status” similar to standard e-mail (“unread”, “read”, “replied”, etc.). The main difference is that once a message is “read”, you can’t make it “unread” anymore. Betty Lou said that she would log in to check her mail and see “read” messages that she had never read.

So, a red flag goes up in my head and $idiot immediately comes to mind. It’s time for a trap.

With MySpace, you can enter certain HTML tags in your messages. <img src …> is one such tag. A plan quickly formulated in my head. Enter Google.

One Google image search later and I’m staring at an image of George W. Bush flippin’ the bird. Perfect! I upload it to my web server and pull it up in Firefox to make sure it’s accessible. It is.

As Betty Lou stands and watches, I send her a message (click here to see it) on MySpace with a subject line of “your nudie pics”. Surely someone who was reading her mail would read this one, right? devious grin. I instruct her that she is NOT to open it. She agrees. We talk, she leaves, life goes on…

By the way, $idiot goes to Indiana State University, which is about an hour away…

So, later that night, we end up hanging out and I leave her house around 9.30pm to come home. At 11.50pm, Betty Lou sends me a message saying, in part, “someone read that mssg. and it wasnt me.” I was in bed then, however, and she called me a bit later. She told me on the phone that the message had been read.

I felt around for the laptop and booted up. I SSH into the server running Apache and head for the logfiles. A quick grep for the filename of the image I specified in the <img src…> tag turns up two hits:

x.x.x.x - - [28/Sep/2006:17:33:52 -0400] "GET /images/bushmiddlefinger.png HTTP/1.1" 200 90003 www.jeremygaddis.com "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7" "y.y.y.y"
…and…
139.102.249.199 - - [28/Sep/2006:21:42:30 -0400] "GET /images/bushmiddlefinger.png HTTP/1.1" 200 90003 www.jeremygaddis.com "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "-"
The first hit, represented by IP address “x.x.x.x” was me. “x.x.x.x” is my proxy server at work (“y.y.y.y” is the IP address of my XP workstation, if you’re wondering).
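The log check described above, as an added example that is not part of the original post: it parses lines in the same layout (combined format plus virtual host and a trailing forwarded-for field), keeps only fetches of the beacon image, and marks each hit as coming from a known network or not. The path `/images/canary.png`, the host name, and all addresses are constructed sample values using documentation ranges.

```python
import ipaddress
import re
from datetime import datetime

# Layout of the quoted log lines: combined format, then the virtual host,
# referer, user agent and a trailing quoted forwarded-for value.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'(?P<vhost>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<xff>[^"]*)"$'
)

def beacon_hits(log_lines, beacon_path, known_networks):
    """Return every fetch of beacon_path, each marked known or unknown."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is not in the expected layout
        if m["path"].split("?", 1)[0] != beacon_path:
            continue  # some other resource (query string ignored)
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or garbage
        hits.append({
            "ip": m["ip"],
            "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "agent": m["agent"],
            "known": any(addr in n for n in nets),
        })
    return hits

# Constructed sample log: the sender's own test fetch, an unrelated
# request, and one fetch of the beacon from an address nobody expected.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Sep/2006:17:33:52 -0400] "GET /images/canary.png HTTP/1.1" 200 90003 www.example.org "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7" "198.51.100.7"',
    '192.0.2.10 - - [28/Sep/2006:18:02:11 -0400] "GET /index.html HTTP/1.1" 200 5120 www.example.org "-" "Mozilla/5.0" "198.51.100.7"',
    '203.0.113.45 - - [28/Sep/2006:21:42:30 -0400] "GET /images/canary.png HTTP/1.1" 200 90003 www.example.org "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"',
]

if __name__ == "__main__":
    for hit in beacon_hits(SAMPLE_LOG, "/images/canary.png", ["192.0.2.0/24"]):
        label = "known" if hit["known"] else "UNKNOWN"
        print(label, hit["ip"], hit["when"].isoformat(), hit["agent"])
```
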

The second IP address, 139.102.249.199, wasn’t me. It’s also not in any of the netblocks that would’ve showed up had Betty Lou accessed it. Since I didn’t leave her place until around 9.30pm anyways, and it would’ve been physically impossible for her to make it to ISU in 10 minutes, it couldn’t have been her anyways… hmm, wonder who it belongs to then:

[jlgaddis@apollo ~]$ whois 139.102.249.199
[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Indiana State University
OrgID:      ISU-1
Address:    Office of Information Technology
Address:    Rankin Hall
Address:    218 N 7th St.
City:       Terre Haute
StateProv:  IN
PostalCode: 47809
Country:    US

NetRange:   139.102.0.0 - 139.102.255.255
CIDR:       139.102.0.0/16
NetName:    INDSTATE
NetHandle:  NET-139-102-0-0-1
Parent:     NET-139-0-0-0-0
NetType:    Direct Assignment
NameServer: GATE.INDSTATE.EDU
NameServer: CCTS.INDSTATE.EDU
NameServer: WASHINGTON.IND.NET
Comment:
RegDate:    1990-02-25
Updated:    2003-09-24

RTechHandle: CE56-ARIN
RTechName:   Edwards, Champe
RTechPhone:  +1-812-237-2961
RTechEmail:  cchampe@isugw.indstate.edu

OrgTechHandle: CE56-ARIN
OrgTechName:   Edwards, Champe
OrgTechPhone:  +1-812-237-2961
OrgTechEmail:  cchampe@isugw.indstate.edu

ARIN WHOIS database, last updated 2006-10-04 19:10

Enter ? for additional hints on searching ARIN’s WHOIS database.

[jlgaddis@apollo ~]$

I’ll be damned, it’s allocated to Indiana State University, the same school that $idiot goes to. Coincidentally enough, it’s only an hour away from the .edu that I work at, and I know some people in I.T. there…

dials phone

So, to skip the details of a phone conversation and avoid incriminating anyone in the OoIT at ISU, I now know 100% without a doubt who that IP is assigned to. Yep, $idiot.

I sent him a few MySpace messages after that, but he never answered. Weird.

Ironically enough, apparently Betty Lou had mentioned to $idiot that she thought someone was reading her messages and he, of course, acted dumb and innocent. He also told her something to the effect of “…why don’t you get your computer geek friend to find out who it was?”

And she did. Isn’t that beautiful? =)

Oh, and in case you’re wondering who $idiot is… feel free to check his MySpace profile or Facebook profile.

Damn I’m good. ;)


No Comments to “busting an idiot reading a friend’s mail”

  1. Jason Says:

    Wow, that was awesome! :-)
