If you accessed this page from a URL other than the top level Spam Patrol page, you will get a JavaScript error. Please go to the top level Spam Patrol page to avoid this error on this and other Spam Patrol pages |
TRACKING SPAM TO ITS SOURCE
TOPICS
Understanding email headersLocating system administratorsSpoof headersInsecure mail serversReverse phone number lookupsWho to contact and what to sayThis page contains a lot of information. Tracing a spam to its real origin may take considerable detective work, and a number of tools may be necessary. Knowing who to notify with what you discover, or knowing to whom to send a spam for investigation and action is yet another issue, and not necessarily an altogether simple one. I do not investigate spam for other people. You will need to determine for yourself what is the appropriate action to take and whom to notify.
| UNDERSTANDING HEADERS | TOP |
A lot of the headers sent with spam mail are invalid, or "spoofed". Your task is to determine what the mail headers mean, which ones are valid and which ones are spoofed. To understand headers, it's necessary to understand how SMTP mail service works.
When SMTP (Simple Mail Transfer Protocol) was developed, many people didn't have mail programs to handle their mail. They would simply telnet to an SMTP server and engage the server in a dialog, in the process of which they would enter their address, the address of the intended recipient, any extra headers they needed, such as a subject, and the body of the message. This can still be done. The standard service port for SMTP is port 25. A dialog with a SMTP server might look something like this. First I telnet from a Unix shell prompt to the mail server.
$ telnet mail.foobar.com 25The telnet software connects, and the mail server responds with...
Trying 204.251.174.179...
Connected to mail.foobar.com.
Escape character is '^]'.
220 mail.foobar.com ESMTP Sendmail 8.8.3/8.6.12 ready at Mon,
21 Apr 1997 17:52:32 -0500
At this point I'm connected to the mail server, which now requires a
formal greeting, complete with the name of my system. I enter...HELO fmp.comThe mail server will reply with...
250 mail.foobar.com Hello lindsay@xx.fmp.com [204.244.177.031],
pleased to meet you
Note that the mail server knows exactly who I am, even though I
haven't identified myself personally. We'll get back to this later. I'm now ready to
proceed with my message. The next command required by the server is the
MAIL command, telling it who the mail is from. I enter...MAIL From: lindsay@fmp.comThe server likes my address, and tels me so...
250 lindsay@fmp.com... Sender okNext I use the RCPT command to tell the server who should receive the mail. I enter the following line...
RCPT To: bigboy@foobar.comThe mail server likes the recipient, and tells me so...
250 bigboy@foobar.com... Recipient okThe server now has everything it needs to send mail from me to bigboy@foobar.com. From now on, everything I'll send to the server will formally be content. I tell the server...
DATATo which the server replies...
354 Enter mail, end with "." on a line by itselfI could, at this point, just enter my message followed by a "." on a line by itself and be done with it, however within the body of the message, I will want to place some additional headers which will help identify the message and control how it's handled. After these headers, I leave a blank line and enter the real content of the post. I enter...
Subject: Useless mail to your account From: mr_spammer@dont.write.me.ill.write.you.com To: joe_user@ten.thousand.addresses.org Reply-to: useless@nowhere.in.the.world.com Fax me your money! Get rich quick on the Internet. Don't think, do it now, chump! To be removed from this list, send a reply with REMOVE in the subject to remove_me@dev.null.com .The message is done. The server announces...
250 RAA01500 Message accepted for deliveryNotice that the To: and From: headers which I placed in the body of the message were not the same as the ones I used when talking to the server. I could have used anything for these headers. On many servers, I could even have used a fake system name in my HELO and a fake address in my FROM. The only way the server has any hope of identifying me is by what is called an identd authentication check. The server asked my machine "who is talking to me" and my machine said "the users name is lindsay". The server, of course, knew my IP address and was able to look it up using Domain Name Service to get my complete email address.
An authentication check is only possible if the calling machine allows it. If the calling machine is running Unix, it must be running a program called identd for an authentication check to succeed. Most Windows machines don't run any software which will identify the caller, and since a lot of email gets handled by Windows mail programs, the authentication check has to be optional. If the mail server had been unable to identify me personally, it would have settled for identifying the machine I'm using.
When bigboy@foobar.com gets my email, he'll see something similar to the following:
Received: from fmp.com (lindsay@xx.fmp.com [204.244.177.031]) by mail.foobar.com (8.8.3/8.6.12) with SMTP id RAA01500 for bigboy@foobar.com; Mon, 21 Apr 1997 17:53:13 -0500 Date: Mon, 21 Apr 1997 17:53:13 -0500 From: mr_spammer@dont.write.me.ill.write.you.com Message-Id: <199704212253.RAA01500@xx.fmp.com> To: joe_user@ten.thousand.addresses.org Subject: Useless mail to your account Reply-to: useless@nowhere.in.the.world.com Fax me your money! etc...Note that just about every address in the headers of the received message above is, or could have been faked, or "spoofed", so we may know very little about who really sent this message. Note, however, the Received: header on the first line of the message, actually continued over several lines in this example. This header was inserted by mail.foobar.com and contains the results of the authentication check done by the server. If my machine had not identified itself, this line would have contained at least my correct machine address. Mail may be routed through several servers in succession. Each server will insert its own Received: header and you may see several such headers. The topmost one is always the most recent, showing receipt of the mail by your mail server, and each previous server which handled the email is listed in each following Recieved: header. Spammers will often spoof Received: headers, and if you look closely, you'll often see IP addresses such as "500.202.999.352" or "000.000.000". Nonetheless, the topmost Received: header is always genuine, and each one below it should be examined to determine whether or not it contains valid or spoofed information. If a Received: header is obviously spoofed, then all the Received: headers below it will also be spoofs.
Note that the Recieved: header in the above message starts with "Received: from fmp.com". This is the name with which I said HELO, and I might have spoofed this name. Following this in parentheses, however, is the information which the server itself determined to be true - my username, my machine name and my IP address. This information is generally more trustworth than the former, and when they differ, it may be because of a spoof, or it may simply be that an IAP is using the mail facilities of a contract service whose true information appears in parentheses.
| LOCATING SYSTEM ADMINISTRATORS | TOP |
One of the best tools for reaching the appropriate system admins on systems involved in spam is the Network Abuse Clearinghouse. Use of their services to redirect your spam complaints requires registration and agreement to their very generous terms (you have to agree not to use their facilities to distribute spam) and once registered, you can send your spam notices and complaints to domain.name@abuse.net and the abuse.net system will try to remail your post to the correct administrators at domain.name. The Network Abuse Clearinghouse has developed a fairly sizable database, and using their facilities can save you time and misdirected email. You can also access their database without registration to locate spam complaint addresses using whois. Just specify the whois server as whois.abuse.net.
Remember that you're likely to find the most reliable address in parentheses in the topmost Recieved: header. All other headers should be viewed with some suspicion, although in some cases they will contain valuable information. Subsequent Received: headers may contain valid information, but you will need to investigate them carefully. Reply-to: headers are almost always spoofed - something which can be done even the simplest mail client.
If a Received: header contains an IP address but no domian name associated with it, you should first verify that the IP address is valid. You can use the traceroute utility on fmp to try to get test traffic to the address. If traceroute takes more than 30 seconds to return information, you probably have an invalid IP address. Remeber that a valid IP address always contains 4 sets of numbers separated by dots and these numbers will never be higher than 254. If it appears that an IP address is valid, you can address email to a user at that address by enclosing the numeric portion in square brackets, as in postmaster@[207.174.179.25].
| SPOOF HEADERS | TOP |
| "INSECURE" MAIL SERVERS | TOP |
Received: from fake.domain.com by firewall1.cslab.blso.com (SMI-8.6/SMI-SVR4) id VAA02491; Mon, 21 Apr 1997 21:11:44 -0500The server which accepted this mail did an identd lookup on the the client requesting service, but never bothered to include this information in the Received: header which it generated, accepting at face value the spoofed domain following the HELO greeting.
Spammers absolutely love servers such as this, since sending email via such a server makes them completely invisible and hence immune to flame email from angry admins and users who have been inconvenienced or annoyed by their junk email. Every SMTP server on the Internet should be configured to adhere to the following guidelines:
Once you understand the issues here, you should be on the lookout for mail hosts and relays which don't authenticate, especially if you receive spam email through them. You should notify the postmasters of such systems of the potential for abuse and possible legal liability which they are inviting by essentially running an "anonymous remailer".
At some point I will be setting up a private registry for email servers which fail to authenticate, and the Spam Patrol will act as a clearing house for reports of such servers.
| REVERSE PHONE NUMBER LOOKUPS | TOP |
Since every spam is ostensibly a sales pitch, the spammer must provide some method for prospective customers to get in touch. The contact point may be an email address set up to filter out flames and only accept serious inquiries. It may be a mailing address - or it may be a phone number. If the spammer is incautious enough to give a listed phone number as a contact point, you have a good chance of blowing his or her cover. Both PC411 and SearchAmerica provide reverse phone number lookups. The latter charges a nominal fee of 25 to 35 cents for each successful search. I have used PC411 with good results, but have never used SearchAmerica and don't know if its database is more complete or current than that used by PC411. I would guess that both draw on fairly complete lists of published phone numbers and are probably nearly equivalent.
If you are able to positively identify a spam advertiser in this manner, the next step is to obtain as much information about the person as possible. Four11 (not to be confused with PC411) is a good source of general information on people on the Internet. Four11 will help you look up real email addresses for the advertiser, along with other phone numbers and possibly a physical address. You may wish to contact the advirtiser directly using these email addresses, or place a call and try to talk to the person responsible for the spams. By all means, when writing to postmasters and administrators of sites deduced from deciphering headers, include all the information you've gathered.
If a spammer is clever and provides an unlisted phone number, a shielded email account or some other means of getting back in touch, you can generally obtain more information by "taking the bait" and replying to the ad as if you were a prospective customer. If replying by email, don't include the original spam, be polite and indicate an interest in buying whatever the spam offers for sale. Contact accounts generally have a fairly severe filter to look for keywords and filter out flames. If the spammer replies back, generally the reply will contain a real email address or some other item of information which will allow you to dig deeper and uncover fairly complete information - enough to be of real help to others affected by the spam who are trying to locate the person.
| WHO TO CONTACT AND WHAT TO SAY | TOP |
The correct response to spam email is to notify the system administrators whose systems received and transferred each piece of spam you've received, as discussed above in the section on understanding headers. In order of importance, these will generally be:
Be polite and informative when writing to everyone, unless, of course, you've uncoverd a valid and unblocked email address for a spammer, in which case, flame away to your hearts content! This can be very emotionally satisfying. It's very important in forwarding spam to system administrators to include the full headers from the offending email since this is where investigative pay-dirt lies for both you and others trying to locate and stop a spammer. Set the subject line of your post to something like "Spam from your system" followed by the original subject of the spam, in quotes or parentheses (I use both). If the spam is quite long, you need not send all of it. Leave enough text to clearly demonstrate that the email is useless trash which no one in their right mind would want to receive. Be sure not to edit out any of the text containing URLs, phone numbers, addresses (email or postal) or any other information which might help in tracking down the spammer.
Insert a short note before the headers and text of the spam, clearly and politely indicating that this email is unsolicited and unwelcome. I also generally include a short notice on the illegality of spam. Here's the boilerplate text of my standard note which should give you some ideas about what to say.
Ladies and Gentlemen:
The enclosed spam mail is being forwarded to you because your system name or that of a system for which you are a listed system admin appears in the headers or as a reference in the text. As you are doubtless aware, this sort of electronic junk mail is completely contrary to established guidelines for use of the Internet email service. Please take whatever steps are necessary to see that this person sends out no more of these, and that this practice is curtailed on your system.
By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful to send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C), a violation of the aforementioned Section is punishable by action to recover actual monetary loss, or $500, whichever is greater, for each violation.
If you are writing to a system admin whose domain name you really suspect
was used in a spoof (e.g. the name was in a Reply-to: or From:
header), you may wish to include a sentence or two noting that you know that
they probably had no involvement in this spam, but that they should know
that their domain name is being used inappropriately. They probably already
know this, so be gentle, and if you have any relevant information to share
on the identity of a spammer, be sure to include it. A single email can
be addressed to multiple recipients by separating recipient addresses with
commas.
An excellent alternative to digging up the names of administrative and abuse
accounts for a given domian name is to use the services of the Network Abuse
Clearinghouse. This service maintains a database of appropriate
administrative accounts to which to report spam for a large number of
domains. The service requires one to register to use it, but it's free, and
once you're registered, email to, for example, spammer.com@abuse.net
will be redirected by abuse.net to all the appropriate admin accounts at
the domain spammer.com.
I've made many positive contacts with system admins whom I've helped to
track down spammers. Not long ago I received a spam with what I assumed was
probably a spoof domain plastered all through the headers. I had determined
that the domain was valid, so I wrote my standard letter to the postmaster
at the domain. A short while later I received a short and rather sarcastic
note from the mail admin at the domain thanking me for sending him
additional spam. I replied with a friendly note saying that I was sorry to
add to his load, but that I send out notices as a matter of course to every
valid domain in spam headers, and that I'd be glad to help if I could. I
received in reply a short note from the admin apologizing for his
abruptness, saying that he'd been swamped with flame email and that his
company's ISP wasn't very agile in helping him stop the flood. I went back
to the spam and found in it a fax phone number for replying to the spam
which I looked up in PC411's database. I wrote the harried admin back
again, giving him the full name and address of the office whose fax phone
number was listed in the spam. He wrote me back a short while later,
telling me that he had looked up the voice phone of the spammer's office (an
oilfield equipment service), made a few phone calls, obtained the spammers
true email address, and settled the matter to everyone's satisfaction - with
the exception of the spammer who probably ended up with a cancelled email
account, and hopefully a good lesson in Netiquite!