TRACKING SPAM TO ITS SOURCE


TOPICS

* Understanding email headers
* Locating system administrators
* Spoof headers
* Insecure mail servers
* Reverse phone number lookups
* Who to contact and what to say

This page contains a lot of information. Tracing a spam to its real origin may take considerable detective work, and a number of tools may be necessary. Knowing who to notify with what you discover, or knowing to whom to send a spam for investigation and action is yet another issue, and not necessarily an altogether simple one. I do not investigate spam for other people. You will need to determine for yourself what is the appropriate action to take and whom to notify.

UNDERSTANDING HEADERS


The place to start your investigation is the set of mail headers which accompany the spam you've received. You will work with the full mail headers. Most email readers display only the To:, From: and Subject: headers and perhaps a couple more by default. Your mail reader should have a setting, a button, a command, a switch or some method of displaying the full set of headers which came with the spam you received. You will need to access these headers before you can proceed further.

A lot of the headers sent with spam mail are invalid, or "spoofed". Your task is to determine what the mail headers mean, which ones are valid and which ones are spoofed. To understand headers, it's necessary to understand how SMTP mail service works.

When SMTP (Simple Mail Transfer Protocol) was developed, many people didn't have mail programs to handle their mail. They would simply telnet to an SMTP server and engage the server in a dialog, in the process of which they would enter their address, the address of the intended recipient, any extra headers they needed, such as a subject, and the body of the message. This can still be done. The standard service port for SMTP is port 25. A dialog with an SMTP server might look something like this. First I telnet from a Unix shell prompt to the mail server.

$ telnet mail.foobar.com 25
The telnet software connects, and the mail server responds with...
Trying 204.251.174.179...
Connected to mail.foobar.com.
Escape character is '^]'.
220 mail.foobar.com ESMTP Sendmail 8.8.3/8.6.12 ready at Mon, 
      21 Apr 1997 17:52:32 -0500
At this point I'm connected to the mail server, which now requires a formal greeting, complete with the name of my system. I enter...
HELO fmp.com
The mail server will reply with...
250 mail.foobar.com Hello lindsay@xx.fmp.com [204.244.177.031], 
      pleased to meet you
Note that the mail server knows exactly who I am, even though I haven't identified myself personally. We'll get back to this later. I'm now ready to proceed with my message. The next command required by the server is the MAIL command, telling it who the mail is from. I enter...
MAIL From: lindsay@fmp.com
The server likes my address, and tells me so...
250 lindsay@fmp.com... Sender ok
Next I use the RCPT command to tell the server who should receive the mail. I enter the following line...
RCPT To: bigboy@foobar.com
The mail server likes the recipient, and tells me so...
250 bigboy@foobar.com... Recipient ok
The server now has everything it needs to send mail from me to bigboy@foobar.com. From now on, everything I'll send to the server will formally be content. I tell the server...
DATA
To which the server replies...
354 Enter mail, end with "." on a line by itself
I could, at this point, just enter my message followed by a "." on a line by itself and be done with it. However, within the body of the message I will want to place some additional headers which will help identify the message and control how it's handled. After these headers, I leave a blank line and enter the real content of the post. I enter...
Subject:  Useless mail to your account
From: mr_spammer@dont.write.me.ill.write.you.com
To: joe_user@ten.thousand.addresses.org
Reply-to: useless@nowhere.in.the.world.com

Fax me your money!  Get rich quick on the Internet.
Don't think, do it now, chump!

To be removed from this list, send a reply with REMOVE in the
subject to remove_me@dev.null.com
.
The message is done. The server announces...
250 RAA01500 Message accepted for delivery
Notice that the To: and From: headers which I placed in the body of the message were not the same as the ones I used when talking to the server. I could have used anything for these headers. On many servers, I could even have used a fake system name in my HELO and a fake address in my MAIL From. The only way the server has any hope of identifying me personally is by what is called an identd authentication check. The server asked my machine "who is talking to me" and my machine said "the user's name is lindsay". The server, of course, knew my IP address and was able to look it up using the Domain Name Service to get my complete email address.

An authentication check is only possible if the calling machine allows it. If the calling machine is running Unix, it must be running a program called identd for an authentication check to succeed. Most Windows machines don't run any software which will identify the caller, and since a lot of email gets handled by Windows mail programs, the authentication check has to be optional. If the mail server had been unable to identify me personally, it would have settled for identifying the machine I'm using.

When bigboy@foobar.com gets my email, he'll see something similar to the following:

Received: from fmp.com (lindsay@xx.fmp.com
[204.244.177.031]) by mail.foobar.com (8.8.3/8.6.12) with SMTP id 
RAA01500 for bigboy@foobar.com; Mon, 21 Apr 1997 17:53:13 -0500
Date: Mon, 21 Apr 1997 17:53:13 -0500
From: mr_spammer@dont.write.me.ill.write.you.com
Message-Id: <199704212253.RAA01500@xx.fmp.com>
To: joe_user@ten.thousand.addresses.org
Subject:  Useless mail to your account
Reply-to: useless@nowhere.in.the.world.com

Fax me your money! etc...
Note that just about every address in the headers of the received message above is, or could have been, faked or "spoofed", so we may know very little about who really sent this message. Note, however, the Received: header on the first line of the message, actually continued over several lines in this example. This header was inserted by mail.foobar.com and contains the results of the authentication check done by the server. If my machine had not identified itself, this line would have contained at least my correct machine address. Mail may be routed through several servers in succession. Each server will insert its own Received: header and you may see several such headers. The topmost one is always the most recent, showing receipt of the mail by your mail server, and each previous server which handled the email is listed in each following Received: header. Spammers will often spoof Received: headers, and if you look closely, you'll often see IP addresses such as "500.202.999.352" or "000.000.000". Nonetheless, the topmost Received: header is always genuine, and each one below it should be examined to determine whether it contains valid or spoofed information. If a Received: header is obviously spoofed, then all the Received: headers below it will also be spoofs.

Note that the Received: header in the above message starts with "Received: from fmp.com". This is the name with which I said HELO, and I might have spoofed this name. Following this in parentheses, however, is the information which the server itself determined to be true - my username, my machine name and my IP address. This information is generally more trustworthy than the HELO name, and when the two differ, it may be because of a spoof, or it may simply be that an IAP is using the mail facilities of a contract service whose true information appears in parentheses.

LOCATING SYSTEM ADMINISTRATORS


The appropriate action to take when you get spam email is to contact the mail or abuse administrator of the system on which the mail originated or of the system which was used to relay the spam - or both, if you can. The first part of this job is determining which addresses in headers are spoofed and which are real. For this, it's often useful to use whois to find out if a domain is registered with the InterNIC. A whois lookup will not only tell you whether or not a domain is registered, it will also often give you the email address of one or more contact people responsible for the domain name. For smaller companies which aren't directly in the Internet business, these are often the same people who administer email. Once you've determined that a domain name is valid, email to postmaster@that.domain.name is almost sure to reach a real person. Major ISPs such as Netcom, UUNet and others also maintain an "abuse" address at abuse@domain.name which handles spam complaints. You may also want to write to the DNS contacts, particularly the administrative and technical contacts, as shown in a whois lookup.

One of the best tools for reaching the appropriate system admins on systems involved in spam is the Network Abuse Clearinghouse. Use of their services to redirect your spam complaints requires registration and agreement to their very generous terms (you have to agree not to use their facilities to distribute spam) and once registered, you can send your spam notices and complaints to domain.name@abuse.net and the abuse.net system will try to remail your post to the correct administrators at domain.name. The Network Abuse Clearinghouse has developed a fairly sizable database, and using their facilities can save you time and misdirected email. You can also access their database without registration to locate spam complaint addresses using whois. Just specify the whois server as whois.abuse.net.

Remember that you're likely to find the most reliable address in parentheses in the topmost Received: header. All other headers should be viewed with some suspicion, although in some cases they will contain valuable information. Subsequent Received: headers may contain valid information, but you will need to investigate them carefully. Reply-to: headers are almost always spoofed - something which can be done even with the simplest mail client.

If a Received: header contains an IP address but no domain name associated with it, you should first verify that the IP address is valid. You can use the traceroute utility on fmp to try to get test traffic to the address. If traceroute takes more than 30 seconds to return information, you probably have an invalid IP address. Remember that a valid IP address always contains 4 sets of numbers separated by dots and these numbers will never be higher than 254. If it appears that an IP address is valid, you can address email to a user at that address by enclosing the numeric portion in square brackets, as in postmaster@[207.174.179.25].
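As an added illustration of the rules in the two sections above (this is not the Spam Patrol's own code), the following Python walks a message's Received: chain from the top: the topmost header is taken as genuine, each bracketed IP is checked for an impossible address, nothing below a spoofed header is trusted, and a postmaster address is derived from the server-verified part in parentheses, or from postmaster@[ip] when only a number is recorded. The sample message and every host name in it are constructed.

```python
"""Walk a message's Received: chain top-down and tag each hop by the rules above."""
import re
from email import message_from_string

# Constructed sample message (not from the article): four Received: hops.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mail.example.org (8.8.5/8.8.5) with ESMTP id AAA12345
\tfor <me@example.org>; Tue, 22 Apr 1997 09:15:02 -0500
Received: from bigcorp.com (dialup-17.isp.example [198.51.100.017])
\tby relay.example.net (8.8.3/8.6.12) with SMTP id BAA00123;
\tTue, 22 Apr 1997 09:14:40 -0500
Received: from mail.bigcorp.com (mail.bigcorp.com [500.202.999.352])
\tby bigcorp.com with SMTP id XYZ00001; Tue, 22 Apr 1997 09:00:00 -0500
Received: from nowhere.invalid by mail.bigcorp.com id QQQ00002; Tue, 22 Apr 1997 08:59:00 -0500
From: mr_spammer@dont.write.me.ill.write.you.com

Fax me your money!
"""

# "from <HELO name> (<what the server itself determined>) by <server> ..."
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<verified>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9.]+)\]")

def valid_ipv4(text):
    """Return the address with leading zeros dropped, or None if it cannot exist."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None                     # "000.000.000" and "500.202.999.352" end here
    return ".".join(str(int(p)) for p in parts)

def parse_hop(value):
    """Split one Received: value into HELO name, server-verified part and client IP."""
    text = " ".join(value.split())      # unfold continuation lines
    m = HOP_RE.match(text)
    if not m:
        return {"status": "unparseable", "verified": "", "ip": None, "raw": text}
    verified = m.group("verified") or ""
    ip_m = IP_RE.search(verified) or IP_RE.search(text)
    ip = valid_ipv4(ip_m.group(1)) if ip_m else None
    hop = {"helo": m.group("helo"), "by": m.group("by"), "verified": verified, "ip": ip}
    if ip_m and ip is None:
        hop["status"] = "spoofed"       # an address that cannot exist
    elif ip is None:
        hop["status"] = "no-client-ip"  # the server left it out: the "insecure" case
    else:
        hop["status"] = "ok"
    return hop

def contact_for(hop):
    """Whom to write: postmaster at the verified host, else postmaster@[ip], else None."""
    first = hop["verified"].split()[0] if hop["verified"] else ""
    host = first.split("@")[-1]         # "lindsay@xx.fmp.com" -> "xx.fmp.com"
    if host and not host.startswith("["):
        return "postmaster@" + host
    return "postmaster@[%s]" % hop["ip"] if hop["ip"] else None

def analyze(raw):
    """Return hops topmost-first, each tagged genuine / verify / spoofed / ignore."""
    hops = [parse_hop(v) for v in message_from_string(raw).get_all("Received", [])]
    tainted = False
    for i, hop in enumerate(hops):
        if tainted:
            hop["trust"] = "ignore"     # everything below a spoof is also a spoof
        elif hop["status"] == "spoofed":
            hop["trust"], tainted = "spoofed", True
        else:
            hop["trust"] = "genuine" if i == 0 else "verify"
        hop["contact"] = contact_for(hop) if hop["trust"] in ("genuine", "verify") else None
    return hops
```

Running analyze(SAMPLE) tags the four hops genuine, verify, spoofed and ignore in that order; the same parser accepts the article's own Received: lines.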

SPOOF HEADERS


Beyond the system address contained in parentheses in the first Received: header, all other domain names, usernames and full addresses should be considered suspect. Most easily spoofed is the Reply-to: address, which can be set arbitrarily in most mail clients. In mail from spammers sophisticated enough to use spamming programs, all headers, with the exception noted above, are probably fake.

"INSECURE" MAIL SERVERS


Not all mail servers work the same. Some, from older, quieter days on the Internet, don't bother with ident authentication, or if they do, they don't bother to include it in header information. Consider the following header...
Received: from fake.domain.com by firewall1.cslab.blso.com
(SMI-8.6/SMI-SVR4) id VAA02491; Mon, 21 Apr 1997 21:11:44 -0500
The server which accepted this mail did an identd lookup on the client requesting service, but never bothered to include this information in the Received: header which it generated, accepting at face value the spoofed domain following the HELO greeting.

Spammers absolutely love servers such as this, since sending email via such a server makes them completely invisible and hence immune to flame email from angry admins and users who have been inconvenienced or annoyed by their junk email. Every SMTP server on the Internet should be configured to adhere to the following guidelines:

  1. A mail server should always place at least the IP address of the system requesting mail service in the Received: headers of email. If further information is available, such as the resolved machine and domain name or the results of an ident authentication request, this information should also be included. The client IP address is always available, so there's really no excuse for not including this information.

  2. A mail server should accept email for handling only if the client requesting service is in the server's domain or in a trusted domain, or if the recipient address is in the server's domain or a trusted domain.

While item 1 is a reality on many mail servers, item 2 is still the exception rather than the rule, and until the number of mail servers which adhere to these two guidelines approaches 100%, there will still be openings for spammers to operate anonymously.
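To make the two guidelines concrete, here is an added Python sketch (not from the article and not any real mail server's code) of the RCPT-time relay decision and of a Received: line that always records the client IP; the domains, queue id and network ranges are constructed.

```python
"""RCPT-time relay decision and Received: line for an SMTP server that follows
the two guidelines above (constructed sketch; not the article's or any MTA's code)."""
import ipaddress
from email.utils import formatdate

LOCAL_DOMAINS = {"foobar.com"}                               # domains we deliver for
TRUSTED_NETS = [ipaddress.ip_network("204.251.174.0/24")]   # our own address block

def client_is_trusted(client_ip):
    """Is the connecting address inside our network or a trusted partner's?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)

def recipient_is_local(rcpt):
    """Is the RCPT To: address in a domain this server delivers for?"""
    return rcpt.strip("<>").rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def rcpt_reply(client_ip, rcpt):
    """Guideline 2: relay only when the client is ours/trusted OR the recipient is ours.
    A stranger handing us mail for another stranger is exactly the open relay spammers hunt for."""
    if client_is_trusted(client_ip) or recipient_is_local(rcpt):
        return "250 %s... Recipient ok" % rcpt
    return "550 %s... Relaying denied" % rcpt

def received_line(helo, client_ip, ident=None, rdns=None,
                  server="mail.foobar.com", queue_id="RAA01500", date=None):
    """Guideline 1: the client IP is always recorded in brackets; the reverse-DNS name
    is added when that lookup succeeds and the ident result when both succeed, so the
    HELO name is never the only trace of the client."""
    known = "%s@%s" % (ident, rdns) if ident and rdns else rdns
    inner = "%s [%s]" % (known, client_ip) if known else "[%s]" % client_ip
    return "Received: from %s (%s) by %s with SMTP id %s; %s" % (
        helo, inner, server, queue_id, date or formatdate(localtime=True))

if __name__ == "__main__":
    # The four combinations of "who is connecting" x "whom is it for".
    for ip, rcpt in [("204.251.174.179", "bigboy@foobar.com"),
                     ("204.251.174.5", "friend@elsewhere.example"),
                     ("198.51.100.17", "bigboy@foobar.com"),
                     ("198.51.100.17", "joe_user@ten.thousand.addresses.org")]:
        print(ip, "->", rcpt, ":", rcpt_reply(ip, rcpt))
    print(received_line("fake.domain.com", "198.51.100.17", rdns="dialup-17.isp.example"))
```

Only the last of the four RCPT cases is refused: an outside client asking the server to carry mail to an outside recipient.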

Once you understand the issues here, you should be on the lookout for mail hosts and relays which don't authenticate, especially if you receive spam email through them. You should notify the postmasters of such systems of the potential for abuse and possible legal liability which they are inviting by essentially running an "anonymous remailer".

At some point I will be setting up a private registry for email servers which fail to authenticate, and the Spam Patrol will act as a clearing house for reports of such servers.

REVERSE PHONE NUMBER LOOKUPS


A rather different tack on tracking spam involves going after the advertiser rather than the spammer. This requires some old fashioned detective work with an Internet twist, and you can ignore mail headers for the time being.

Since every spam is ostensibly a sales pitch, the spammer must provide some method for prospective customers to get in touch. The contact point may be an email address set up to filter out flames and only accept serious inquiries. It may be a mailing address - or it may be a phone number. If the spammer is incautious enough to give a listed phone number as a contact point, you have a good chance of blowing his or her cover. Both PC411 and SearchAmerica provide reverse phone number lookups. The latter charges a nominal fee of 25 to 35 cents for each successful search. I have used PC411 with good results, but have never used SearchAmerica and don't know if its database is more complete or current than that used by PC411. I would guess that both draw on fairly complete lists of published phone numbers and are probably nearly equivalent.

If you are able to positively identify a spam advertiser in this manner, the next step is to obtain as much information about the person as possible. Four11 (not to be confused with PC411) is a good source of general information on people on the Internet. Four11 will help you look up real email addresses for the advertiser, along with other phone numbers and possibly a physical address. You may wish to contact the advertiser directly using these email addresses, or place a call and try to talk to the person responsible for the spams. By all means, when writing to postmasters and administrators of sites deduced from deciphering headers, include all the information you've gathered.

If a spammer is clever and provides an unlisted phone number, a shielded email account or some other means of getting back in touch, you can generally obtain more information by "taking the bait" and replying to the ad as if you were a prospective customer. If replying by email, don't include the original spam, be polite and indicate an interest in buying whatever the spam offers for sale. Contact accounts generally have a fairly severe filter to look for keywords and filter out flames. If the spammer replies back, generally the reply will contain a real email address or some other item of information which will allow you to dig deeper and uncover fairly complete information - enough to be of real help to others affected by the spam who are trying to locate the person.

WHO TO CONTACT AND WHAT TO SAY


First, the correct response to spam email is not mail bombs, flames, flood mail or other forms of hostility directed at anyone. These acts are just as destructive to the Internet as is junk email and generally serve only to make other people as mad at you as you are at spammers. Be patient, dig up facts, notify the right people, and the end result will often be the termination of the spammer's accounts.

The correct response to spam email is to notify the system administrators whose systems received and transferred each piece of spam you've received, as discussed above in the section on understanding headers. In order of importance, these will generally be:

In addition to postmaster@domain.com, many major ISPs maintain the address "abuse", and sometimes "fraud" or "spam", for the purpose of reporting spam. The good folks at the Network Abuse Clearinghouse also maintain a database of known abuse reporting addresses for most major and many minor ISPs and online systems. You can look up a domain in question on their whois server. Use FMP's whois page with a Whois server of 'whois.abuse.net'.

Be polite and informative when writing to everyone, unless, of course, you've uncovered a valid and unblocked email address for a spammer, in which case, flame away to your heart's content! This can be very emotionally satisfying. It's very important in forwarding spam to system administrators to include the full headers from the offending email, since this is where the investigative pay-dirt lies for both you and others trying to locate and stop a spammer. Set the subject line of your post to something like "Spam from your system" followed by the original subject of the spam, in quotes or parentheses (I use both). If the spam is quite long, you need not send all of it. Leave enough text to clearly demonstrate that the email is useless trash which no one in their right mind would want to receive. Be sure not to edit out any of the text containing URLs, phone numbers, addresses (email or postal) or any other information which might help in tracking down the spammer.

Insert a short note before the headers and text of the spam, clearly and politely indicating that this email is unsolicited and unwelcome. I also generally include a short notice on the illegality of spam. Here's the boilerplate text of my standard note which should give you some ideas about what to say.

Ladies and Gentlemen:

The enclosed spam mail is being forwarded to you because your system name or that of a system for which you are a listed system admin appears in the headers or as a reference in the text. As you are doubtless aware, this sort of electronic junk mail is completely contrary to established guidelines for use of the Internet email service. Please take whatever steps are necessary to see that this person sends out no more of these, and that this practice is curtailed on your system.

By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful to send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C), a violation of the aforementioned Section is punishable by action to recover actual monetary loss, or $500, whichever is greater, for each violation.

If you are writing to a system admin whose domain name you really suspect was used in a spoof (e.g. the name was in a Reply-to: or From: header), you may wish to include a sentence or two noting that you know that they probably had no involvement in this spam, but that they should know that their domain name is being used inappropriately. They probably already know this, so be gentle, and if you have any relevant information to share on the identity of a spammer, be sure to include it. A single email can be addressed to multiple recipients by separating recipient addresses with commas.

An excellent alternative to digging up the names of administrative and abuse accounts for a given domain name is to use the services of the Network Abuse Clearinghouse. This service maintains a database of appropriate administrative accounts to which to report spam for a large number of domains. The service requires one to register to use it, but it's free, and once you're registered, email to, for example, spammer.com@abuse.net will be redirected by abuse.net to all the appropriate admin accounts at the domain spammer.com.

I've made many positive contacts with system admins whom I've helped to track down spammers. Not long ago I received a spam with what I assumed was probably a spoof domain plastered all through the headers. I had determined that the domain was valid, so I wrote my standard letter to the postmaster at the domain. A short while later I received a short and rather sarcastic note from the mail admin at the domain thanking me for sending him additional spam. I replied with a friendly note saying that I was sorry to add to his load, but that I send out notices as a matter of course to every valid domain in spam headers, and that I'd be glad to help if I could. I received in reply a short note from the admin apologizing for his abruptness, saying that he'd been swamped with flame email and that his company's ISP wasn't very agile in helping him stop the flood. I went back to the spam and found in it a fax phone number for replying to the spam which I looked up in PC411's database. I wrote the harried admin back again, giving him the full name and address of the office whose fax phone number was listed in the spam. He wrote me back a short while later, telling me that he had looked up the voice phone of the spammer's office (an oilfield equipment service), made a few phone calls, obtained the spammer's true email address, and settled the matter to everyone's satisfaction - with the exception of the spammer, who probably ended up with a cancelled email account, and hopefully a good lesson in Netiquette!
