Tracing spamLet me start first by telling you how not to react to spam.
Here is a brief guide on how to find out where an e-mail message comes from. This applies to all e-mail, not just spam. The following case is a little devious (most instances of spam are easier to track), but you can learn a lot from this example. Below you can see the beginning of the message, as displayed by your mail program: Date: Wed, 22 Oct 97 13:55:24 EST From: 81884948@aol.com To: allyall@Internet.World Subject: Am I to late? Comments: Authenticated sender is <rainzzzz@aol.com> Dear online friend, [...] It does not say much about its origin, but we can be sure of one thing already: the address 81884948@aol.com is forged (do not try to send mail to this address). How can we tell? Because: Valid AOL addresses can not:
To learn more, tell your mail reader to show all headers. In Eudora, this is done by clicking the "Blah Blah Blah" button: Received: (from smap@localhost) by strix.its.uu.se (8.6.10/8.6.10) id GAA42920 for <pales@strix.its.uu.se.NOSPAM>; Thu, 23 Oct 1997 06:54:14 +0200 Received: from columba.udac.uu.se(130.238.7.10) by strix via smap (V1.3) id sma009072; Thu Oct 23 06:54:01 1997 Received: from mail.lauderdale.net ([207.120.40.7] EHLO mail.lauderdale.net ident: NO-IDENT-SERVICE [port 3129]) by columba.its.uu.se with ESMTP id <7225-36376>; Thu, 23 Oct 1997 06:53:31 +0200 Received: from mail.lauderdale.net ([208.136.6.26]) by mail.lauderdale.net (Netscape Mail Server v2.0) with SMTP id AAH628; Wed, 22 Oct 1997 13:50:36 -0400 Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) for mrin60.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0) with ESMTP id LAA14140; by dfw-ix9.ix.netcom.com (dfw-ix9.ix.netcom.com [206.214.98.9]) by mail.earthlink.net (ip159.hackensack3.nj.pub-ip.psi.net [38.26.49.159]) (8.8.5/8.6.5) with SMTP id GAA06075 for <allyall@Internet.World>; Wed, 22 Oct 1997 13:55:24 -0600 (EST) Date: Wed, 22 Oct 97 13:55:24 EST From: 81884948@aol.com To: allyall@Internet.World Subject: Am I to late? Message-ID: 199710221321.RAA1022@mrin60.mail.aol.com X-UIDL: fb3421fad241ad2cda13c3c12dc34f8d Comments: Authenticated sender is <rainzzzz@aol.com> Dear online friend, [...] Now you have a little more information. Remember that you must send a complete copy of a spam message (including all headers) when you report spamming to the administrators of the domain of origin. The last "Received:" header is usually the one that matters. Normally, it contains the source of the message and the first host mail server which received it. However, in this case the last "Received:" header contains more than two host names, and this means the header has been forged. A valid "Received:" header has the following format: Received: from host1 (host2 [ww.xx.yy.zz]) by host3 (8.7.5/8.7.3) with SMTP id MAA04298; Thu, 18 Jul 1996 12:18:06 -0600. Reading from back to front in the forged header, we see the host which added the "Received:" header (host3); the IP address of the incoming SMTP connection (ww.xx.yy.zz); the reverse-DNS lookup of that IP address (host2); and the name the sender used in the SMTP HELO command when it connected (host1). In such a case, our best bet is the next-to-last "Received:" header. This indicates an IP address of origin within the net-block 208.136.0.0, which belongs to mci.net. We can learn this by doing: whois 208.136.10 MCI Internet Services (NETBLK-MCI-NETBLK10) 7000 Weston Parkway Cary, NC 27513 Netname: MCI-NETBLK10 Netblock: 208.128.0.0 - 208.163.255.255 Maintainer: MCI Coordinator: MCI Internet Services (MCI-IS) hostmaster@mci.net 800-977-iNOC With this information, we can forward our report to MCI. Remember to keep things simple, and do not address the administrator in less-than-polite terms. He is there to help you, and has nothing to do with the spammer. My favourite introduction is: Dear Sirs, The following spam has apparently been sent from your domain. Please investigate. From the list of reporting addresses in http:\\www.abuse.com, we obtain the address spams@mci.net, and we send our report to this address. In most cases, you will receive an automated reply saying that your complaint has been received. Sometimes, you will receive a follow-up with specific information about your report. You should neither ask nor expect to receive any personal information on the spammer - remember that your identity is being kept confidential as well. Instead, a follow-up may contain valuable technical information (this is how I collected the information presented in this page). Even if you do not receive any reply, in most cases your report has been read, and the administrator has tried to find the source of the spam and acted against it. Just keep reporting all instances of spam, and you can be sure that several spammers will lose access to their mail servers. Here are, for instance, two messages I received yesterday: Hello, Please be advised that the account used to violate our Net-Abuse Policy has been disabled by the user's ISP. If you receive any further correspondence from this source, please let us know. Thank you. Net-Abuse Team PSINet, Inc. abuse@psi.com
Thank you very much for taking the time to inform us of this situation. In accordance with BellSouth.net's Appropriate Use Policies, the Internet services account of exciting@bellsouth.net has been canceled. It may take a day or two before all offending communications from this cancelled BellSouth.net account are cleared from our servers. Therefore, it is possible that you could receive additional communications from this account during this time. Please be patient with us and rest assured that such communications should stop shortly. |