I would also inspect your institution's appropriate use policy. Also, there is usually an abuse e-mail address for reporting abuse of all kinds of networking resources.

As for the teaching part, my approach would be to use it as an example in class, with the permission of the student you know, iow, play Hamlet, and see who the uncle might be. If nothing else, it will show that you generally disapprove of such things. You could also speak about appropriate use policies, the ability to discern who a user is from the internet, etc. It is amazing what you can do with just an IP number and logs. The IP number might be had from MSN, but could be any number for demonstration purposes, and from there, with the proper connections in the right places, you can track even things as minuscule as the stream of addressed packets along the backbone with tools like http://eyeball.sourceforge.net/ (written by an old philosophy colleague, who moved into IT during the boom). This would go far to remove the individual's assumptions of the anonymous nature of the internet.

To me, this seems not to be a major problem; it seems harmless. But for me the problem lies in the assumptions that the person has involving risk, anonymity, identity, etc. So, I think it is important to get him or her to think about their actions. Even if they never admit to what they did, they at least might begin to realize that things might not be as they thought they were and that next time it might not be a wise thing to pursue.

On another note, it is quite easy to spoof a hotmail address without ever applying for that address. Most people who are inclined to do things like this could do this through open relays and/or broken scripts, or other exploits, without ever touching a hotmail server. The majority of the spam that I get has hotmail or yahoo send addresses, but did not originate from that domain. In this case, though, it would be interesting to know how the postcard sending system works.
Does one have to have an account to send a postcard from it, or can one type in any address? If the latter, then the address may be entirely spurious, though you can still check the webserver or application logs and retrieve the connection information which would allow you to find the host that connected to the server, though that might be a dead end. If the former, then you have a closer link that could be traced.

In any case, one rule of thumb for this type of forensic work, or really for nearly anything related to identity, is never to 'trust' an e-mail address, for a wide variety of reasons. This is why we have digital signatures, public keys, etc. for establishing identities for many processes.

jeremy hunsinger
jhuns@vt.edu
on the ibook
www.cddc.vt.edu
www.cddc.vt.edu/jeremy
www.dromocracy.com
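The point above about not trusting the From address can be checked against a message's own headers. The following is an added example, not part of the original message: it compares the domain claimed in From with the host that the receiving server recorded in the topmost Received header. The sample message, host names and addresses are constructed, and the Received layout `from HELO (rdns [ip])` is an assumption that fits many but not all mail servers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real traffic). example.* names and the
# 192.0.2.0/24, 198.51.100.0/24 ranges are reserved for documentation.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.45])
\tby mx.university.example with SMTP id abc123;
\tMon, 01 Jan 2001 10:00:00 -0500
Received: from hotmail.com (unknown [198.51.100.7])
\tby relay.example.net with SMTP; Mon, 01 Jan 2001 09:59:58 -0500
From: "A Friend" <someone@hotmail.com>
To: teacher@university.example
Subject: You have a postcard

hello
"""

# Assumed layout: "from <helo> (<reverse-dns> [<ip>])"
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

def claimed_domain(msg):
    """Domain part of the From header, which the sender fully controls."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def received_hops(msg):
    """Parsed Received headers, newest (top of message) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(" ".join(value.split()))  # unfold header
        if m:
            hops.append(m.groupdict())
    return hops

def assess(raw):
    msg = message_from_string(raw)
    domain = claimed_domain(msg)
    hops = received_hops(msg)
    # Only the top hop was written by our own server; every header below
    # it arrived with the message and can be forged like the From line.
    top = hops[0] if hops else None
    rdns = top["rdns"].lower() if top else ""
    matches = bool(domain) and (rdns == domain or rdns.endswith("." + domain))
    return {"claimed_domain": domain, "connecting_host": rdns,
            "connecting_ip": top["ip"] if top else None,
            "from_matches_relay": matches}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A mismatch is a lead to follow in the logs rather than proof of forgery, since legitimate mail is often sent through third-party relays.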