SpamCop free spam-reporting: an example  

Note: this page is kept mainly for historical reasons. Some of the information provided herein no longer applies to current methods for tracing and fighting spam.
Note: some "adult", "sex-related", "dirty" words are present in URL names shown on this page. All these examples are real and based on spam I actually received and reported to spam-fighting sites, so I see no need to censor them. After all, it is a fact that the pornography industry is one of the largest financers of e-mail spam.

SpamCop offer a variety of free and paid anti-spam services. To use their free service, you first have to register at the above address. Then, every time you want to report an instance of spamming, you forward the spam to an e-mail address that SpamCop provides to you individually. The SpamCop server responds within seconds (or a couple of minutes if busy) with an automated reply that links to a web page with a detailed report (see below). This page also contains a button to send the report to the appropriate domain managers, plus a few options you can set.

When preparing to submit a report to SpamCop, there are three things you must be especially careful about:

  1. Make sure the e-mail you are reporting is really spam, and not something you have signed up to receive voluntarily. Don't report as spam any other type of e-mail, regardless of whether you are offended by its contents (an abusive e-mail sent to you individually, for instance, is not spam, but a different form of offence that has to be dealt with in a different way).
  2. Include all the headers (including hidden ones) in the message you are forwarding. In Eudora, you have to press the "Blah Blah Blah" button to see all headers. Other e-mail software has different ways of doing this. Hidden headers are indispensable to trace the spam, and if you don't display them, they are not included in the forwarded e-mail.
  3. If the original e-mail contains HTML code (i.e., displays fancy formatting and colors, and/or pictures), you cannot just forward it, or copy-and-paste it, without losing essential information. In Eudora, you have to do the following (other e-mail clients may require a different procedure):

First of all, in Tools -> Options -> Viewing Mail, uncheck the box "Use Microsoft's viewer" (you need to do this only once, unless you need to check this box again for other purposes).

a) Press the "Blah Blah Blah" button to display hidden headers.
b) Select and copy (Ctrl+C) all headers.
c) Paste (Ctrl+V) the headers into an empty e-mail message addressed to your individual spam-reporting address.
d) Press "Enter" twice at the end of the headers, in order to add at least one blank line (SpamCop needs one blank line in order to understand where the end of the headers lies).
e) In the original message, right-click anywhere on the HTML portion of the text and choose "View source". A new window will open, containing the HTML code of the message (but not the headers, which you have already copied).
f) Select all (Ctrl+A) HTML code and copy it (Ctrl+C).
g) Paste it (Ctrl+V) into the e-mail message addressed to your individual spam-reporting address, below the headers.

So far my experience with this service has been exceptionally good. Within hours of signing up I had already provided them with the address of a previously unknown open e-mail relay, and reported a few instances of fresh spam. At present I am using SpamCop for my personal spam reporting.

Below is an example of how much information you can get by using the free version of SpamCop. The following report was generated automatically by the SpamCop web site as a result of one real instance of spamming I reported today. I replaced with XXX the information about my user account (which obviously should not be made publicly available) and about the spammer's web sites (which would receive free publicity by being published on this page). In addition to trying to identify the source of the spam, the report includes all web links contained in the e-mail, thus exposing the likely originator of the spam (spam is useless unless it leads potential customers to an Internet-based business, and the business therefore is the most likely originator of the spam). This principle is well-known to investigators by the Latin expression "Cui prodest?" (To whom is it of advantage?). Please note that most of the links included in the report don't work, because of the obfuscation described above.

Collecting this much information by yourself without automatic tools would take a significant amount of time. In addition, the SpamCop report includes the option of submitting spam reports to all the addresses listed in the last part of the report by just pressing a button.

Does this sound too good to be true for a free service? Not really. The information about spammers that you supply to SpamCop is stored and used by them also in their commercial products, thus keeping their spammer lists continuously updated. This means that you and SpamCop are really helping out each other in making life difficult for spammers, which is your purpose in this matter. In addition, if your ISP is using one of SpamCop's commercial services, you will have immediate returns in the form of stopping all further spam from the sources you report.

I have not tested SpamCop's pay services and can say nothing about their quality, but if you are interested, you can check them out at http://spamcop.net/.

---------------- start of report quotation ----------------

SpamCop version 1.3.3 (c) Julian Haight, Joel Martin 1998-2002 All Rights Reserved
 

Saved email:
This page may be saved for future reference:
http://spamcop.net/sc?id=z37485551z56294bdfXXXXXXd803402d1faddcdfbcz
 

Parsing header:

Received:  from sponsa (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 91AAA40B8 for <XXXXXX@uria.its.uu.se>; Thu, 9 May 2002 05:37:30 +0200 (MSZ)
127.0.0.1 discarded

Received:  from sponsa.its.uu.se(127.0.0.1) by sponsa.its.uu.se via virus-scan id s53256; Thu, 9 May 02 05:37:13 +0200
no auth from
127.0.0.1 discarded

Received:  from moonbase.moonfish.com (unknown [195.226.49.50]) by sponsa.its.uu.se (Postfix) with ESMTP id 5779D407D for <XXXXXX.XXXXXX@pal.uu.se>; Thu, 9 May 2002 05:37:13 +0200 (MSZ)
Possible spammer: 195.226.49.50
[show] "nslookup moonbase.moonfish.com" (checking ip) ip not found; moonbase.moonfish.com discarded as fake.
[show] "dig moonbase.moonfish.com mx" (digging for mail exchanger) Can't find mailserver.
[show] "dig moonfish.com mx" (digging for mail exchanger) Found mailserver:relay.star.co.uk. = 62.231.131.67
[show] "dig mx moonbase.moonfish.com" (digging for mail exchanger) 195.226.49.50 is not MX for moonbase.moonfish.com
[show] "nslookup moonbase.moonfish.com" (checking ip) moonbase.moonfish.com not 195.226.49.50 discarded as fake.
[show] "dig -x 195.226.49.50 soa" (digging for start of authority) - dns@xtml.co.uk
ips don't match; moonbase.moonfish.com discarded as fake
Taking name from IP...
[show] "nslookup 195.226.49.50" (getting name) no name
Received line partially untrusted

Received:  from mx1.mail.yahoo.com ([62.31.194.137]) by moonbase.moonfish.com with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 9 May 2002 02:15:34 +0100
[show] "nslookup 195.226.49.50" (getting name) no name
Possible spammer: 62.31.194.137
[show] "nslookup mx1.mail.yahoo.com" (checking ip) ip = 64.157.4.85
[show] "dig mx mx1.mail.yahoo.com" (digging for mail exchanger) 62.31.194.137 is not MX for mx1.mail.yahoo.com
[show] "nslookup mx1.mail.yahoo.com" (checking ip) mx1.mail.yahoo.com not 62.31.194.137 discarded as fake.
[show] "dig -x 62.31.194.137 soa" (digging for start of authority) - hostmaster@blueyonder.co.uk
ips don't match; mx1.mail.yahoo.com discarded as fake
Taking name from IP...
[show] "nslookup 62.31.194.137" (getting name) 62.31.194.137 = 'pc-62-31-194-137-tf.blueyonder.co.uk'
[show] "nslookup pc-62-31-194-137-tf.blueyonder.co.uk" (checking ip) ip = 62.31.194.137
   Chain test:moonbase.moonfish.com =? 195.226.49.50
[show]    "nslookup moonbase.moonfish.com" (checking ip) ip not found; moonbase.moonfish.com discarded as fake.
[show]    "dig moonbase.moonfish.com mx" (digging for mail exchanger) Can't find mailserver.
[show]    "dig moonfish.com mx" (digging for mail exchanger) Found mailserver:relay.star.co.uk. = 62.231.131.67
[show]    "dig mx moonbase.moonfish.com" (digging for mail exchanger) 195.226.49.50 is not MX for moonbase.moonfish.com
[show]    "nslookup moonbase.moonfish.com" (checking ip) moonbase.moonfish.com not 195.226.49.50 discarded as fake.
[show]    "dig -x 195.226.49.50 soa" (digging for start of authority) - dns@xtml.co.uk
   ips don't match; moonbase.moonfish.com discarded as fake
[show]    "nslookup 195.226.49.50" (getting name) no name
   Chain test failed
[show] "nslookup 195.226.49.50" (getting name) no name
Routing details for 195.226.49.50
[refresh/show] Cached whois for 195.226.49.50 : mukesh.bavisi@nextra.co.uk, ripe-notify@noc.nextra.co.uk, chris.smith@nextra.co.uk, mohammed.alam@nextra.co.uk, steve.colam@nextra.co.uk, abuse@nextra.co.uk, ian.dickinson@nextra.co.uk
abuse@nextra.co.uk: abuse.net co.uk = postmaster@co.uk
abuse.net nextra.co.uk = abuse@nextra.co.uk
Using best abuse.net reporting addresses:abuse@nextra.co.uk
Whois found: abuse@nextra.co.uk
Chain error; 'moonbase.moonfish.com' != '' or '' or '195.226.49.50'; received line discarded
 

Tracking message source:195.226.49.50:
[show] "nslookup 195.226.49.50" (getting name) no name
Routing details for 195.226.49.50
[refresh/show] Cached whois for 195.226.49.50 : mukesh.bavisi@nextra.co.uk, ripe-notify@noc.nextra.co.uk, chris.smith@nextra.co.uk, mohammed.alam@nextra.co.uk, steve.colam@nextra.co.uk, abuse@nextra.co.uk, ian.dickinson@nextra.co.uk
abuse@nextra.co.uk: abuse.net co.uk = postmaster@co.uk
abuse.net nextra.co.uk = abuse@nextra.co.uk
Using best abuse.net reporting addresses:abuse@nextra.co.uk
Whois found: abuse@nextra.co.uk
[show] "nslookup 50.49.226.195.formmail.relays.monkeys.com" (checking ip) not found
[show] "nslookup 50.49.226.195.proxies.relays.monkeys.com" (checking ip) not found
 

Found link:http://www.bloodybum.XXX/index.html?id=2010XXX
[show] "nslookup www.bloodybum.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.sexhappyteens.XXX/index.html?id=2010XXX
[show] "nslookup www.sexhappyteens.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.bukkakebreakfast.XXX/index.html?id=2010XXX
[show] "nslookup www.bukkakebreakfast.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.totalytaboo.XXX/index.html?id=2010XXX
[show] "nslookup www.totalytaboo.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.sodomycity.XXX/index.html?id=2010XXX
[show] "nslookup www.sodomycity.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.gangbangcity.XXX/index.html?id=2010XXX
[show] "nslookup www.gangbangcity.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.unitednymphos.XXX/index.html?id=2010XXX
[show] "nslookup www.unitednymphos.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.supadelux.XXX/index.html?id=2010XXX
ISP believes this issue is resolved http://www.supadelux.XXX/index.html
[show] "nslookup www.supadelux.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
ISP has already taken action against the account:http://www.supadelux.XXX/index.html?id=2010XXX
http://www.supadelux.XXX/index.html?id=2010XXX has been appealed previously.
 

Found link:http://www.cumfest2002.XXX/index.html?id=2010XXX
[show] "nslookup www.cumfest2002.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.toonpoon.XXX/index.html?id=2010XXX
ISP believes this issue is resolved http://www.toonpoon.XXX/index.html
[show] "nslookup www.toonpoon.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
ISP has already taken action against the account:http://www.toonpoon.XXX/index.html?id=2010XXX
http://www.toonpoon.XXX/index.html?id=2010XXX has been appealed previously.
 

Found link:http://www.uncut-amateurs.XXX/index.html?id=2010XXX
[show] "nslookup www.uncut-amateurs.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.wristdeep.XXX/index.html?id=2010XXX
[show] "nslookup www.wristdeep.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.sphinctersex.XXX/index.html?id=2010XXX
ISP believes this issue is resolved http://www.sphinctersex.XXX/index.html
[show] "nslookup www.sphinctersex.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
ISP has already taken action against the account:http://www.sphinctersex.XXX/index.html?id=2010XXX
http://www.sphinctersex.XXX/index.html?id=2010XXX has been appealed previously.
 

Found link:http://www.stuffherholes.XXX/index.html?id=2010XXX
[show] "nslookup www.stuffherholes.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.fullcream.XXX/index.html?id=2010XXX
[show] "nslookup www.fullcream.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Found link:http://www.asscave.XXX/index.html?id=2010XXX
ISP believes this issue is resolved http://www.asscave.XXX/index.html
[show] "nslookup www.asscave.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
ISP has already taken action against the account:http://www.asscave.XXX/index.html?id=2010XXX
http://www.asscave.XXX/index.html?id=2010XXX has been appealed previously.
 

Found link:http://www.torridtoons.XXX/index.html?id=2010XXX
ISP believes this issue is resolved http://www.torridtoons.XXX/index.html
[show] "nslookup www.torridtoons.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
ISP has already taken action against the account:http://www.torridtoons.XXX/index.html?id=2010XXX
http://www.torridtoons.XXX/index.html?id=2010XXX has been appealed previously.
 

Found link:http://www.celebritysnude.XXX/index.html?id=2010XXX
ISP believes this issue is resolved http://www.celebritysnude.XXX/index.html
[show] "nslookup www.celebritysnude.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
ISP has already taken action against the account:http://www.celebritysnude.XXX/index.html?id=2010XXX
http://www.celebritysnude.XXX/index.html?id=2010XXX has been appealed previously.
 

Found link:http://www.entertheasian.XXX/index.html?id=2010XXX
[show] "nslookup www.entertheasian.XXX" (checking ip) ip = 207.153.XXX.78
 

Tracking ip 207.153.XXX.78:
[show] "nslookup 207.153.XXX.78" (getting name) no name
Routing details for 207.153.XXX.78
[refresh/show] Cached whois for 207.153.XXX.78 : noc@dn.net
noc@dn.net: abuse.net dn.net = abuse@dn.net
abuse.net dn.net = abuse@dn.net
Using best abuse.net reporting addresses:abuse@dn.net
Whois found: abuse@dn.net
 

Please make sure this email IS spam:
From: spyglasst8408@yahoo.com (What's in there for you? MPSF)
<x-html>
<html>
View full message

 

Report Spam to:
 

Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
Using abuse#dn.net@devnull.spamcop.net for statistical tracking.
 

Re:195.226.49.50 (Administrator of network where email originates)
abuse@nextra.co.uk (Notes)
 

---------------- end of report quotation (portions of the original report are omitted) ----------------
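
The header tracing visible in the "Parsing header" part of the report can be modelled offline. The following is an added example, not SpamCop's code: the function names and the two lookup tables (filled only with the DNS answers shown in the report) are assumptions, and the chain test is a simplified reading of the report's output.

```python
import ipaddress
import re

# Received lines from the report above, newest first (recipient and date omitted).
RECEIVED = [
    "from sponsa (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 91AAA40B8",
    "from sponsa.its.uu.se(127.0.0.1) by sponsa.its.uu.se via virus-scan id s53256",
    "from moonbase.moonfish.com (unknown [195.226.49.50]) by sponsa.its.uu.se (Postfix)",
    "from mx1.mail.yahoo.com ([62.31.194.137]) by moonbase.moonfish.com with Microsoft SMTPSVC",
]

# Offline stand-ins for nslookup, holding only the answers shown in the report.
# moonbase.moonfish.com has no entry ("ip not found"); 195.226.49.50 has "no name".
FORWARD_DNS = {
    "mx1.mail.yahoo.com": "64.157.4.85",
    "pc-62-31-194-137-tf.blueyonder.co.uk": "62.31.194.137",
}
REVERSE_DNS = {"62.31.194.137": "pc-62-31-194-137-tf.blueyonder.co.uk"}

HOP = re.compile(
    r"from\s+(?P<helo>[\w.-]+)\s*"                             # name the sender claimed
    r"\((?:[^)]*?\[)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+"  # IP the receiver saw
    r"by\s+(?P<by>[\w.-]+)"                                    # host that wrote the line
)

def helo_is_fake(helo, ip):
    """A claimed name is fake when forward DNS does not map it to the connecting IP."""
    return FORWARD_DNS.get(helo) != ip

def chain_ok(by_host, upstream_ip):
    """Chain test: the host that wrote this line must be the machine at upstream_ip."""
    return (FORWARD_DNS.get(by_host) == upstream_ip
            or REVERSE_DNS.get(upstream_ip) == by_host)

def trace(received):
    """Walk the headers newest to oldest; return (source_ip, per-hop notes)."""
    source, notes = None, []
    for line in received:
        m = HOP.search(line)
        if not m:
            notes.append((None, "unparsed"))
            break
        helo, ip, by = m["helo"], m["ip"], m["by"]
        if ipaddress.ip_address(ip).is_loopback:
            notes.append((ip, "discarded"))           # internal hand-off, no information
            continue
        if source is not None and not chain_ok(by, source):
            notes.append((ip, "chain test failed"))   # line may be forged: stop here
            break
        source = ip                                   # last IP tied to a verified writer
        notes.append((ip, "fake name" if helo_is_fake(helo, ip) else "name ok"))
    return source, notes

if __name__ == "__main__":
    src, hops = trace(RECEIVED)
    for ip, verdict in hops:
        print(ip, verdict)
    print("message source:", src)
```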

