Tracing spam

Let me start by telling you how not to react to spam.

  • Don't reply to the spammer in angry or offensive terms. Most of the time, the spammer is using a forged e-mail address, and your message will simply be returned to you as undeliverable. Therefore, you will be the only one to read your reply.
  • Don't spam, nntp-flood, www-flood, syn-flood, etc. the domain of origin. This would turn the administrators against you: remember that you can't do anything against the spammer without their co-operation.
  • Some spams carry a post-script saying "if you do not wish to receive further messages from us, send mail to this address with this and this header, or fill in this form on our www site". These "unsubscribe" messages often come back as undeliverable. Frequently, "unsubscribe" messages are logged as a source of confirmed-good e-mail addresses to be used for further spamming. In either case, opting-out takes time, and even if it works, for every list you opt-out of you are likely to be opted-in automatically to twenty others, now that they know that someone reads e-mail sent at your address.
  • At present I recommend reporting spam that clearly proposes activities violating the law, and filtering all other spam automatically (see my recommendations).

Here is a brief guide on how to find out where an e-mail message comes from. This applies to all e-mail, not just spam. The following case is a little devious (most instances of spam are easier to track), but you can learn a lot from this example.

Below you can see the beginning of the message, as displayed by your mail program:

Date: Wed, 22 Oct 97 13:55:24 EST
From: 81884948@aol.com
To: allyall@Internet.World
Subject: Am I to late?
Comments: Authenticated sender is <rainzzzz@aol.com>

Dear online friend,

[...]

It does not say much about its origin, but we can be sure of one thing already: the address 81884948@aol.com is forged (do not try to send mail to this address). How can we tell? Because valid AOL addresses cannot:

  • be shorter than 3 or longer than 10 characters
  • begin with numerals
  • contain periods, underscores, dashes or other punctuation characters

(The above information was provided by AOL.)

To learn more, tell your mail reader to show all headers. In Eudora, this is done by clicking the "Blah Blah Blah" button:

Received: (from smap@localhost) by strix.its.uu.se (8.6.10/8.6.10) id GAA42920 for <pales@strix.its.uu.se.NOSPAM>; Thu, 23 Oct 1997 06:54:14 +0200
Received: from columba.udac.uu.se(130.238.7.10) by strix via smap (V1.3) id sma009072; Thu Oct 23 06:54:01 1997
Received: from mail.lauderdale.net ([207.120.40.7] EHLO mail.lauderdale.net ident: NO-IDENT-SERVICE [port 3129]) by columba.its.uu.se with ESMTP id <7225-36376>; Thu, 23 Oct 1997 06:53:31 +0200
Received: from mail.lauderdale.net ([208.136.6.26]) by mail.lauderdale.net (Netscape Mail Server v2.0) with SMTP id AAH628; Wed, 22 Oct 1997 13:50:36 -0400
Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) for mrin60.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0) with ESMTP id LAA14140; by dfw-ix9.ix.netcom.com (dfw-ix9.ix.netcom.com [206.214.98.9]) by mail.earthlink.net (ip159.hackensack3.nj.pub-ip.psi.net [38.26.49.159]) (8.8.5/8.6.5) with SMTP id GAA06075 for <allyall@Internet.World>; Wed, 22 Oct 1997 13:55:24 -0600 (EST)
Date: Wed, 22 Oct 97 13:55:24 EST
From: 81884948@aol.com
To: allyall@Internet.World
Subject: Am I to late?
Message-ID: 199710221321.RAA1022@mrin60.mail.aol.com
X-UIDL: fb3421fad241ad2cda13c3c12dc34f8d
Comments: Authenticated sender is <rainzzzz@aol.com>

Dear online friend,

[...]

Now you have a little more information. Remember that you must send a complete copy of a spam message (including all headers) when you report spamming to the administrators of the domain of origin.

The last "Received:" header (the bottom-most one, which was added first, since each mail server puts its own line above the existing ones) is usually the one that matters. Normally, it contains the source of the message and the first mail server which received it. However, in this case the last "Received:" header contains more than two host names, and this means the header has been forged. A valid "Received:" header has the following format:

Received: from host1 (host2 [ww.xx.yy.zz]) by host3 (8.7.5/8.7.3) with SMTP id MAA04298; Thu, 18 Jul 1996 12:18:06 -0600.

Reading such a header from back to front, we see the host which added the "Received:" header (host3); the IP address of the incoming SMTP connection (ww.xx.yy.zz); the reverse-DNS lookup of that IP address (host2); and the name the sender used in the SMTP HELO command when it connected (host1).
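The rules above can be applied mechanically. The following Python script is an added example, not part of the original page: it checks the "From:" address against the three AOL rules quoted earlier, unfolds and splits each "Received:" header into the four fields (host1, host2, IP address, host3), marks a header as forged when it carries more than one "by" clause or more than one IP address (my reading of the "more than two host names" rule), and then walks the chain from the bottom up to the first header that looks trustworthy. The header block is constructed from the message shown above; the function names are my own.

```python
import re

# Constructed sample: the full headers of the message shown above (only the
# Received: and From: lines are used by this script).
SAMPLE_HEADERS = """\
Received: (from smap@localhost) by strix.its.uu.se (8.6.10/8.6.10) id GAA42920 for <pales@strix.its.uu.se.NOSPAM>; Thu, 23 Oct 1997 06:54:14 +0200
Received: from columba.udac.uu.se(130.238.7.10) by strix via smap (V1.3) id sma009072; Thu Oct 23 06:54:01 1997
Received: from mail.lauderdale.net ([207.120.40.7] EHLO mail.lauderdale.net ident: NO-IDENT-SERVICE [port 3129]) by columba.its.uu.se with ESMTP id <7225-36376>; Thu, 23 Oct 1997 06:53:31 +0200
Received: from mail.lauderdale.net ([208.136.6.26]) by mail.lauderdale.net (Netscape Mail Server v2.0) with SMTP id AAH628; Wed, 22 Oct 1997 13:50:36 -0400
Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) for mrin60.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0) with ESMTP id LAA14140; by dfw-ix9.ix.netcom.com (dfw-ix9.ix.netcom.com [206.214.98.9]) by mail.earthlink.net (ip159.hackensack3.nj.pub-ip.psi.net [38.26.49.159]) (8.8.5/8.6.5) with SMTP id GAA06075 for <allyall@Internet.World>; Wed, 22 Oct 1997 13:55:24 -0600 (EST)
Date: Wed, 22 Oct 97 13:55:24 EST
From: 81884948@aol.com
To: allyall@Internet.World
Subject: Am I to late?
"""

# Field patterns for one Received: value, following the format
#   from host1 (host2 [ww.xx.yy.zz]) by host3 ...
FROM_HOST = re.compile(r"^from\s+([A-Za-z0-9.-]+)")      # host1: name given in HELO
REVERSE_HOST = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")    # host2: reverse DNS of the peer
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")         # host3: server that added the line
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")      # ww.xx.yy.zz: the SMTP peer
# AOL rules quoted above: 3 to 10 characters, no leading numeral, no punctuation.
AOL_LOCAL_PART = re.compile(r"^[A-Za-z][A-Za-z0-9]{2,9}$")


def plausible_aol_address(address):
    """True if the local part of an @aol.com address could be a real screen name."""
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() != "aol.com":
        raise ValueError("not an aol.com address: %r" % address)
    return AOL_LOCAL_PART.match(local) is not None


def header_values(raw_headers, name):
    """Values of every header called `name`, top to bottom, with folded
    continuation lines (those starting with whitespace) joined back on."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    prefix = name.lower() + ":"
    return [l[len(prefix):].strip() for l in lines if l.lower().startswith(prefix)]


def parse_received(value):
    """Split one Received: value into host1/host2/IP/host3 and decide whether a
    single well-behaved mail server could have written it. More than one 'by'
    clause or more than one IP address is the sign of forgery described above."""
    m_from, m_rev = FROM_HOST.search(value), REVERSE_HOST.search(value)
    ips, bys = IPV4.findall(value), BY_HOST.findall(value)
    reasons = []
    if len(bys) != 1:
        reasons.append("expected one 'by' clause, found %d" % len(bys))
    if len(ips) > 1:
        reasons.append("expected at most one IP address, found %d" % len(ips))
    return {
        "helo": m_from.group(1) if m_from else None,
        "reverse": m_rev.group(1) if m_rev else None,
        "ip": ips[0] if ips else None,
        "by": bys[0] if len(bys) == 1 else None,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def find_origin(raw_headers):
    """Each server prepends its own Received: line, so the bottom-most one is the
    earliest. Walk upward from it and return (position, fields) of the first line
    that is not suspicious and names an IP address; (None, None) if none does."""
    chain = [parse_received(v) for v in header_values(raw_headers, "Received")]
    for pos in range(len(chain) - 1, -1, -1):
        if not chain[pos]["suspicious"] and chain[pos]["ip"]:
            return pos, chain[pos]
    return None, None


if __name__ == "__main__":
    sender = header_values(SAMPLE_HEADERS, "From")[0]
    print("From: %s  plausible AOL address: %s" % (sender, plausible_aol_address(sender)))
    for pos, value in enumerate(header_values(SAMPLE_HEADERS, "Received")):
        fields = parse_received(value)
        flag = "FORGED? " + "; ".join(fields["reasons"]) if fields["suspicious"] else "ok"
        print("Received #%d: ip=%s by=%s  %s" % (pos + 1, fields["ip"], fields["by"], flag))
    pos, origin = find_origin(SAMPLE_HEADERS)
    print("Best origin guess: %s (Received #%d, accepted by %s)"
          % (origin["ip"], pos + 1, origin["by"]))
```

Run on the sample, the script rejects 81884948@aol.com, flags the fifth "Received:" line (two "by" clauses, three IP addresses) and settles on 208.136.6.26 from the fourth line, which is the net-block the whois query below is about. The heuristic is deliberately simple: a header with one "by" clause and one IP address can still be forged by a sender who knows the format, so the result is a starting point for the whois lookup and the report, not proof.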

In such a case, our best bet is the next-to-last "Received:" header. Its IP address of origin, 208.136.6.26, lies within the net-block 208.136.0.0, which belongs to mci.net. We can learn this by doing:

whois 208.136.10

MCI Internet Services (NETBLK-MCI-NETBLK10)
7000 Weston Parkway
Cary, NC 27513

Netname: MCI-NETBLK10
Netblock: 208.128.0.0 - 208.163.255.255
Maintainer: MCI

Coordinator:
MCI Internet Services (MCI-IS) hostmaster@mci.net
800-977-iNOC

With this information, we can forward our report to MCI. Remember to keep things simple, and do not address the administrator in less-than-polite terms. He is there to help you, and has nothing to do with the spammer. My favourite introduction is:

Dear Sirs,

The following spam has apparently been sent from your domain. Please investigate.

From the list of reporting addresses at http://www.abuse.com, we obtain the address spams@mci.net, and we send our report to this address.

In most cases, you will receive an automated reply saying that your complaint has been received. Sometimes, you will receive a follow-up with specific information about your report. You should neither ask nor expect to receive any personal information on the spammer - remember that your identity is being kept confidential as well. Instead, a follow-up may contain valuable technical information (this is how I collected the information presented in this page). Even if you do not receive any reply, in most cases your report has been read, and the administrator has tried to find the source of the spam and acted against it. Just keep reporting all instances of spam, and you can be sure that several spammers will lose access to their mail servers. Here are, for instance, two messages I received yesterday:

Hello,

Please be advised that the account used to violate our Net-Abuse Policy has been disabled by the user's ISP. If you receive any further correspondence from this source, please let us know.

Thank you.

Net-Abuse Team

PSINet, Inc.

abuse@psi.com

Thank you very much for taking the time to inform us of this situation.

In accordance with BellSouth.net's Appropriate Use Policies, the Internet services account of exciting@bellsouth.net has been canceled. It may take a day or two before all offending communications from this cancelled BellSouth.net account are cleared from our servers. Therefore, it is possible that you could receive additional communications from this account during this time. Please be patient with us and rest assured that such communications should stop shortly.