Tracing Spam
by Randy Smith
Unsolicited commercial email, more commonly referred to as spam, is becoming more prevalent on the Internet these days. Most ISPs, including Amigo.Net, have strong policies regarding spam that can include termination of the account. The catch is that the ISP can't do anything about a spammer if they don't know about him. So, stopping a spammer comes down to finding his ISP and reporting him.
As almost anyone who receives spam knows, the email addresses on the message are wrong. (That's right, the account ashjashdflas@yahoo.com does not exist. Sorry.) There is hope, however, because no matter how clever the spammer is, he still leaves a trail to follow. Being able to follow that trail is the key to stopping a spammer.
The first key to following a spammer's trail is to know where to look. All email messages have standard headers prepended to them. The headers provide a kind of envelope for the message. They include information such as who the message is from, who it's to, the subject, and the route the message took to get to you. The following is an example of the headers from an actual spam message (a few addresses are blank in this copy).
Return-Path:
Delivered-To: webhombre@marvin.amigo.net
Received: (qmail 18976 invoked from network); 20 Feb 2000 14:51:24 -0000
Received: from pop.amigo.net (209.94.64.40) by 192.168.1.9 with SMTP; 20 Feb 2000 14:51:24 -0000
Received: from slide.hyprotech.com ([192.139.200.6]) by pop.amigo.net (Post.Office MTA v3.1 release PO205b ID# 0-39855U5000L500S0) with ESMTP id AAA3817 for ; Sun, 20 Feb 2000 06:56:49 -0700
Received: from unknown (1cust184.tnt6.phoenix.az.da.uu.net [63.14.198.184]) by slide.hyprotech.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id DVLPBY9J; Sun, 20 Feb 2000 06:57:52 -0700
To: any5one@mail.com
Bcc: [snip lots of email addresses. randy]
From:
Subject: No Suit! No Commute!!!!!
MIME-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
content-length: 2390
Wow! What a mess. There is order amongst the chaos, though: every field has a specific meaning. I'll discuss several of the fields here. See RFC 822 "Standard for the Format of ARPA Internet Text Messages" for a complete description of all of the headers (it has since been replaced by RFC 5322, which keeps the same basic format). I consider this required reading for anyone who deals with the technical aspects of email or is tracing spam.
We'll start with the easy fields. I'm sure you can figure out what the fields To:, From:, Bcc:, and Subject: are. They are the same fields Netscape, Outlook Express and every other mail client on Earth lets you edit when you create a new message. The Return-Path: field contains the address to send error messages to; the delivering mail server fills it in from the SMTP envelope sender (the MAIL FROM address), which need not have anything to do with what is in the From: field.
The last three fields describe the body of the message. MIME is defined in RFC 2045 "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies." MIME-Version: is the version of MIME that this message uses, in this case 1.0. Content-Type: is the MIME type of the message; in this case, it is a plain text message encoded in an unknown 8-bit character set. Content-length: is not actually part of MIME at all. It is a non-standard header that some mail systems add to record the size of the message body in octets (i.e. bytes), and you cannot count on it being there.
The last field I want to discuss is the Received: field. Every mail server that handles the message adds another Received: field to the top of the header, recording which host it got the message from and when. You can use these fields to see where a message came from and where it has been. This is a good thing for all those happy spam hunters out there.
Cool, but guess what: every one of those fields can be forged, and so can a Received: field, because a spammer can type whatever headers he likes before he hands the message to the first server. (Take a look at RFC 821 "Simple Mail Transfer Protocol", now RFC 5321, to learn how you too can forge email messages for fun and profit.) What the spammer cannot forge are the Received: fields that each server along the way stacks on top of his, because the server writes them itself and records the IP address the connection really came from. Those Received: fields are our trail of footprints to trace our unsuspecting spammer. The most recent servers are listed first, which makes it easy to follow the message back toward its point of origin: start at the top, with the server you trust, and work down. Let's start at the top and trace this message back to where it came from.
Received: (qmail 18976 invoked from network); 20 Feb 2000 14:51:24 -0000
Received: from pop.amigo.net (209.94.64.40) by 192.168.1.9 with SMTP; 20 Feb 2000 14:51:24 -0000
The first two Received: fields cover the last leg of the trip, between my ISP's mail server pop and my Linux box marvin, which has the local IP address 192.168.1.9. The top one is qmail on marvin delivering the message to my mailbox. The one below it is marvin accepting the message over SMTP from pop. Neither tells us anything about the spammer; they just show the message reaching me.
Received: from slide.hyprotech.com ([192.139.200.6]) by pop.amigo.net (Post.Office MTA v3.1 release PO205b ID# 0-39855U5000L500S0) with ESMTP id AAA3817 for ; Sun, 20 Feb 2000 06:56:49 -0700
Received: from unknown (1cust184.tnt6.phoenix.az.da.uu.net [63.14.198.184]) by slide.hyprotech.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id DVLPBY9J; Sun, 20 Feb 2000 06:57:52 -0700
The next one is an intermediate server that delivered the message to pop. (Pop, of course, then sent the message on to my mailbox on marvin.) The last Received: is the gold mine here. You can see that the intermediate server, slide.hyprotech.com, received the message from a host that introduced itself only as "unknown", connecting from the IP address 63.14.198.184, which resolves to the host 1cust184.tnt6.phoenix.az.da.uu.net. Eureka! We now know where the spammer came from: a dial-up customer port on uu.net in Phoenix, Arizona, judging by the host name. Note also that slide.hyprotech.com accepted mail from an outside dial-up connection and passed it on to strangers; a server that does that is an open relay, and its owners will usually want to hear about it too.
The next step in the process is to report the spammer. The easiest way to do it is to forward the ENTIRE message to his ISP. (Don't forget to cut and paste the full headers into your report.) I like to include a polite note stating that you received the UCE (unsolicited commercial email) from someone using their network. Most ISPs maintain the account abuse@cool-isp.net specifically for spam reports. You can also send the report to postmaster@cool-isp.net. In this case, I would send the report to abuse@uu.net.
There are a few things to keep in mind when dealing with spam.
1) Microsoft mail clients (like Outlook 98 and Outlook Express) do not include the headers of the original message when it is forwarded or replied to. There may be a few others that behave the same way. This drives me bonkers. SpamCop has a list of mail clients and how to get the full headers out of each one on their site.
2) Do not alter the headers in any way. This includes highlighting particular headers or removing others. This can interfere with an ISP's investigation of the incident.
3) A few spammers have their own domain name and mail servers to go with it. Try accessing the site www.theirdomain.com to see if the site is a real ISP or the spammer's porn site. In these cases, it may be helpful to report the spammer to the next link up in the chain. Most of the time, that next link is their provider, which may cancel the spammer's account.
4) Never, ever, use the "to unsubscribe" instructions in spam. Whatever the law may say about honoring such requests (and the spammer may not honor them anyway), replying confirms that a live person reads the address, and there are bounties on active email addresses. The spammer will probably sell your email address to all of his fellow spammers. He just made enough to pay the signup fee for his new ISP and you get 10 times as much spam. Spammers 2; Good Guys 0.
5) I said that the Received: fields added by the servers along the way cannot be forged. That is true, but nothing stops a spammer from adding fake ones of his own before he sends the message. There is software that claims to mask the sender. What it actually does is add a Received: field at the bottom that says something about the sending server being masked. The true Received: headers start just above that field. The moral is, don't just assume that the last Received: field is the sender. Read the whole chain from the top, check that the server named after "by" in each field is the host the field above it says it received from, and stop trusting the chain at the first field that does not fit.
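The trace walked through above, together with the consistency check from point 5, as a script. This is an added example, not code from the article: it re-keys the article's Received: lines as sample input (the blank "for" recipient is dropped), appends one constructed "sender masked" line of the kind point 5 describes, and assumes that marvin (192.168.1.9) and pop.amigo.net (209.94.64.40) are the servers whose Received: lines the reader trusts. It reads the chain from the top, records the first connecting address a trusted server wrote down as the provable one, and then keeps following the chain downward only while each field's "by" server is the host the field above it received from.

```python
"""Walk a message's Received: chain from the top down and find its origin.

Added example for this article, not code from it.  ARTICLE_HEADERS re-keys
the Received: lines the article quotes (the blank "for" recipient is
dropped); FORGED_TAIL is a constructed line imitating the fake "sender
masked" header described in point 5; TRUSTED is an assumption about which
servers the reader controls or trusts (marvin and the ISP's pop server).
"""
import email
import re
from dataclasses import dataclass
from email import policy
from typing import List, Optional, Set

TRUSTED = {"192.168.1.9", "marvin.amigo.net", "pop.amigo.net", "209.94.64.40"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <helo> (<rdns> [<ip>]) ... by <host>": the three pieces a trace needs.
HOP = re.compile(r"from\s+(\S+)\s*(\([^)]*\))?\s.*?\bby\s+([^\s;(]+)", re.S)

ARTICLE_HEADERS = """\
Received: (qmail 18976 invoked from network); 20 Feb 2000 14:51:24 -0000
Received: from pop.amigo.net (209.94.64.40) by 192.168.1.9 with SMTP;
  20 Feb 2000 14:51:24 -0000
Received: from slide.hyprotech.com ([192.139.200.6]) by pop.amigo.net
  (Post.Office MTA v3.1 release PO205b ID# 0-39855U5000L500S0) with ESMTP
  id AAA3817; Sun, 20 Feb 2000 06:56:49 -0700
Received: from unknown (1cust184.tnt6.phoenix.az.da.uu.net [63.14.198.184])
  by slide.hyprotech.com with SMTP (Microsoft Exchange Internet Mail Service
  Version 5.5.2650.21) id DVLPBY9J; Sun, 20 Feb 2000 06:57:52 -0700
"""
# Constructed: a "sender masked" line a spammer might leave beneath the real ones.
FORGED_TAIL = """\
Received: from masked.invalid (masked.invalid [192.0.2.77]) by mail.invalid
  with SMTP; Sun, 20 Feb 2000 06:50:00 -0700
"""
REST = "To: any5one@mail.com\nSubject: No Suit! No Commute!!!!!\n\n(body omitted)\n"


@dataclass
class Hop:
    helo: str            # name the sender announced in HELO (sender-controlled)
    rdns: Optional[str]  # reverse DNS the receiving server looked up
    ip: Optional[str]    # address the receiving server saw connect
    by: str              # server that wrote this Received: line


@dataclass
class TraceResult:
    first_external_ip: Optional[str]  # first address a TRUSTED server saw: provable
    origin_ip: Optional[str]          # deepest address the consistent chain reaches
    origin_rdns: Optional[str]
    chain_break_at: Optional[int]     # index of the first hop contradicting the one above


def parse_hops(raw_message: str) -> List[Hop]:
    """Return the SMTP hops in header order, most recent first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.match(str(value).strip())
        if not m:  # e.g. "(qmail NNN invoked from network)": local hand-off, no peer
            continue
        helo, paren, by = m.group(1), m.group(2) or "", m.group(3)
        ips = IPV4.findall(paren) or IPV4.findall(helo)
        names = [t for t in re.findall(r"[A-Za-z0-9][A-Za-z0-9.-]*", paren)
                 if not IPV4.fullmatch(t)]
        hops.append(Hop(helo, names[0] if names else None, ips[0] if ips else None, by))
    return hops


def identities(hop: Hop) -> Set[str]:
    """Every name this hop's sender is known by: HELO name, reverse DNS, IP."""
    return {n for n in (hop.helo, hop.rdns, hop.ip) if n}


def trace(hops: List[Hop]) -> TraceResult:
    """Believe TRUSTED writers; below them, follow the chain only while it is consistent."""
    first_external = origin = prev = break_at = None
    for i, hop in enumerate(hops):
        # The writer of this line must be the host the line above received from.
        if prev is not None and hop.by not in identities(prev):
            break_at = i
            break
        prev = hop
        if hop.by in TRUSTED and identities(hop) & TRUSTED:
            continue  # hand-off between our own servers, nothing external yet
        if hop.by in TRUSTED and first_external is None:
            first_external = hop.ip
        origin = hop
    return TraceResult(first_external, origin.ip if origin else None,
                       origin.rdns if origin else None, break_at)


if __name__ == "__main__":
    print(trace(parse_hops(ARTICLE_HEADERS + FORGED_TAIL + REST)))
```

Run as-is it reports 192.139.200.6 (slide.hyprotech.com) as the first address a trusted server actually saw connect, 63.14.198.184 as the apparent origin, and the constructed fifth line as the point where the chain breaks. Python's email package unfolds the continuation lines, so a real message saved from a mailbox can be passed in unchanged. The chain check only catches a sloppy forgery: a spammer who writes a consistent fake line beneath the real ones will get past it, which is why the only address you can prove is the one your own ISP's server recorded, and everything below that is only as reliable as the relay that wrote it.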