Attempts have been made in this section to detail how to do the functions described on your computer, with alternatives listed at the appropriate points.
First, please make sure that it is indeed spam and that you didn't subscribe yourself to a list and ended up forgetting about it. This is more common than you might think -- ever fill out one of those web forms and forget to check whether the "Send me Info" box was checked or unchecked? It's usually set on by default.
Also make certain that it's not from someone you met or corresponded with briefly, and have since forgotten. (It's happened to me!)
Here's a list of things to look for:
To elaborate, you don't need to. If it looks like spam and smells like it (be sure to check the headers for signs of forgery), it's best to complain to the ISPs involved and let them make that determination. If yours is the only complaint they have received, then perhaps it wasn't a spam at all. If however the ISP receives hundreds of complaints, they can then conclude that their client did spam and take appropriate action against them.
An e-mail message is divided into two parts, the headers and the body. The headers contain all the technical information, such as who the sender and recipient are, and what systems it has passed through. The body contains the actual message text. The headers and body are separated by a blank line. In some mail programs, the headers are shown separately.
What follows are instructions for viewing headers with some of the more popular mail clients:
Do note, however, that sometimes Hotmail has to press some previous generation mailservers into service, and messages sent through those mailservers won't show any headers no matter what. :-(
This depends on your mail reading program. Most programs have an option that will display all the headers of the message. Another technique is to read your e-mail with a standard text editor as opposed to an e-mail program. Check the docs that come with your email reader or read the online help. You could also contact your ISP for assistance or talk to your help desk if this takes place at work.
You'll know that you're viewing the headers when you see several lines that start with the word "Received: ". These lines are very important to tracking the source of a spam, as you'll see later.
"Forging" means trying to disguise where the message came from. Spammers do this a lot so that you won't know whom to complain to. It can be done by a variety of methods, from simply placing deliberately erroneous information in their email program, to manually sending mail using Telnet to an SMTP server (port 25). This requires fairly intimate knowledge of the SMTP protocol, which is, unfortunately, not hard to understand. (RFC 821. A slightly more readable version is available at the faqs.org site).
Forging e-mail headers is not presently illegal in the US. Some argue that it should be.
Telnet is the name of both a program and a part of the TCP/IP protocol suite which allows you to remotely access a computer. In the case of services such as mail, which run on port 25, you can telnet into that port and interact with the service manually. You can also do this to webservers on port 80 or finger daemons on port 79. It's kinda neat. :-)
Anyway, to access telnet if you are on a UNIX system, just type
telnet hostname <port>, where the port number is
optional. If you are on Windows 95/98/NT, choose "Run" from the start
menu and type
telnet hostname <port> from there.
Otherwise, searching Tucows for a Telnet program would be a good thing (NiftyTelnet for Macintosh is pretty good).
In a typical spam, there are two different kinds of systems involved:
Look in the headers and you will find a series of lines starting with the line "Received:". One of these is added for every system the e-mail passes through.
The synopsis for a Received: header is:
Received: from <one system> by <the next system> <the current date>
Therefore, the following example headers:
--------QUOTED HEADERS------------- Received: from hermes.ntview.com by oasis.ot.com (8.7.6/8.7.3) with ESMTP id CAA26482 for <firstname.lastname@example.org>; Tue, 28 Jan 1997 02:25:42 -0500 (EST) -------END QUOTED HEADERS----------demonstrate that the original message was sent by hermes.ntview.com.
The Received: headers are added at the top of the message by each MTA (Mail Transport Agent), so that your own system's Received: line should be the first you read, and the spammer's will be somewhere down the list. The list should form an unbroken path (i.e. from B by A, from C by B, from D by C). If the path is broken somewhere, it is often a sign that the rest of the Received: lines are forged.
One other way to get an idea of the sending system is to look for the first occurence of a PPP or SLIP hostname, or something similar indicating a dialup connection. Spammers don't relay through dialups very much. :-)
Some of the newer spamming programs put in fake Received: headers in order to prevent users from finding the first ones. This is rather foolish, as most spammers don't understand the net and put in wildly bogus values.
Here are a few things that let you know a header has been forged:
Received: from email@example.com by firstname.lastname@example.org (8.8.5/8.6.5) with SMTP id GAA02084 for <email@example.com>; Thu, 26 Jun 1997 10:52:37 -0600 (EST) Received: from lconn.net (alt1.lconn.net(188.8.131.52)) by lconn.net (8.8.5/8.6.5) with SMTP id GAA06154 for <firstname.lastname@example.org>; Wed, 25 Jun 1997 23:00:38 -0600 (EST)Back to Top
If your ISP has a firewall, or you have some sort of forwarding from another e-mail address, there may be one or more extra sets of Received: headers present. Please mention this when reporting a spam to the list.
For example, if I have an e-mail address of email@example.com which forwards e-mail to the address firstname.lastname@example.org, there will be an extra Received: header put in by forwarder.com:
Received: from forwarder.com (forwarder.com [184.108.40.206]) by myhost.com (8.8.7/8.8.7) with ESMTP id SAA02629 for <email@example.com>; Thu, 18 Sep 1997 18:31:46 -0400 (EDT)
When there is stuff in a set of parentheses, it is due to the receiving host adding in the IP address (and possibly a reverse DNS as well) of the host which sent them the e-mail. This prevents the sending host from lying about its name (A Good Thing).
--------QUOTED HEADERS------------- Received: from q.qqq.com (ppp-206-171-250-20.vntrcs.pacbell.net [220.127.116.11]) by mail.themall.net (8.8.5/8.8.2/IIAM 1.0 (DCH)) with SMTP id IAA00719; Wed, 5 Mar 1997 08:40:22 -0800 (PST) -------END QUOTED HEADERS----------mail.themall.net did a reverse DNS and determined that this mail really came from pacbell.net as opposed to qqq.com, which is really in the Netherlands. Whoever sent this lied about their origin, but the system did a "callback" of sorts.
Just a note though, a forged header could have a forged "reverse DNS" lookup as well.
The point of injection is usually the second host in the mail path (i.e. the second bottom-most Received: line); the first is usually the spammer's machine. Remember, if the spammer is trying to cover their tracks, they won't use their own ISP's mailserver.
--------QUOTED HEADERS------------- Received: from smtp.gte.net (radius3.gte.net [18.104.22.168]) by oasis.ot.com (8.7.6/8.7.3) with SMTP id SAA18708 for <firstname.lastname@example.org>; Wed, 5 Mar 1997 18:41:30 -0500 (EST) Received: from r9892423 (Cust118.Max60.Los-Angeles.CA.MS.UU.NET [22.214.171.124]) by smtp.gte.net (SMI-8.6/) via SMTP id QAA16410; Wed, 5 Mar 1997 16:31:34 -0600 -------END QUOTED HEADERS----------The spammer set their relay to smtp.gte.net, an innocent system. Also, as you can see, smtp.gte.net did a reverse DNS, which is good as the spammer put a bogus name in for their system (r9802423).
Sometimes, they're an attempt by the spammer to conceal the host's name. If you're lucky, you can find out the host's name just by running an nslookup or similar. However, not all hosts have a human-readable name; if the host you want to investigate only has an IP number, you can at least try to find out who owns the netblock via whois. See below.
The single big number is a special case of a raw IP address. All Internet addresses (IPv4) are really 32-bit numbers (between 0 and roughly 4.2 billion) but they're conventionally broken up into 8-bit pieces with periods between them. If you are familiar with hexadecimal notation, this should be fairly easy to understand: 3735928559 is equal to 0xdeadbeef which, if you insert periods between the octets, is 0xde.0xad.0xbe.0xef, which is 126.96.36.199. (This is not really an existing host address, at the time of this writing.)
Many, many hosts are badly configured so that there is no reverse DNS for looking them up by IP number, even though there is a host name associated with that IP number. Sometimes you can find a host's name by probing it a little bit. For example, telnetting to port 25 will get you a standard SMTP greeting which contains a host name, if that host is running an SMTP (mail) server. (Of course, the host name there could still be forged or incomplete.)
Most sysadmins do not like it when another user sends out hundreds of thousands or even millions of pieces of e-mail through their system without their permission. Therefore, they will appreciate you telling them that their system was/is being abused in such a manner.
Secondly, it is also a theft of service to use another system for sending your e-mail. When Cyberpromo sends out its 2 million bulk e-mails, all they send to the innocent mailhost is the text of the message and a list of the recipients. This poor system now has to create one copy of the message for every address on that list and deliver them, which is a huge waste of resources on that system. At this point, the sysadmin may want to sue the spammer.
Traceroute is a UNIX tool (there are versions for other OSes) for determining the path that your data packets take from one system to another. In the case where a spammer has their own domain, you can use it to determine who their ISP is and complain to them directly.
The synopsis of the traceroute command on UNIX is:
$ traceroute whitehouse.gov traceroute to whitehouse.gov (188.8.131.52), 30 hops max, 40 byte packets 1 milo.ot.net (184.108.40.206) 2 slab.ot.net (220.127.116.11) 3 ucsc2-gw-hssi1-0.phl.prep.net (18.104.22.168) 4 ucsc1-gw-fddi-1-0.phl.prep.net (22.214.171.124) 5 border2-hssi1-0.WestOrange.mci.net (126.96.36.199) 6 core1-fddi-1.WestOrange.mci.net (188.8.131.52) 7 somerouter.sprintlink.net (184.108.40.206) 8 sl-pen-18-P4/0/0-155M.sprintlink.net (220.127.116.11) 9 18.104.22.168 (22.214.171.124) 10 sl-dc-17-F0/0.sprintlink.net (126.96.36.199) 11 sl-eop-1-S0-T1.sprintlink.net (188.8.131.52) **The upstream** 12 whitehouse.gov (184.108.40.206)As you can see, whitehouse.gov has sprintlink.net as an ISP, also known as their "Upstream Provider".
Yes. Most operating systems, including Win 3.x, Win95, and WinNT, have a traceroute tool. On Windows systems, open a DOS session and use the command
This tool is present on most Win95 and WinNT machines, and on Windows for Workgroups 3.11 with the TCP/IP-32b drivers installed. (Hint: Try it. If it doesn't work, it's probably not installed. Easier than figuring out the gibberish above) ;-)
On the Macintosh, you can use the shareware product called IPNetMonitor, which has a full suite of I.P. tools, including Trace Route, Whois, NS Lookup & Ping. It is available at: http://www.sustworks.com. Also available is AGNet Tools, which can be found at Lycos (Tucows).
The rest of the information on traceroute applies. Note that you may not have this program installed, especially if you use a third-party TCP/IP stack. In this case, see the section on web based traceroutes for Web-based gateways to traceroute.
You probably have chosen a mail alias -- a system that handles mail for a given Internet domain. Use the nslookup command to search for MX records and run traceroute to the resulting system(s).
The synopsis for using nslookup is:
nslookup -q=mx <hostname>
Although nslookup's output is verbose and a bit cryptic to the neophyte, you should be able to glean some good host names from the list you get.
dmuth:~$ nslookup -q=mx ot.com Server: ns.ot.com Address: 220.127.116.11 ot.com preference = 10, mail exchanger = mail.ot.com ot.com nameserver = ns.ot.com ot.com nameserver = dns-east.prep.net mail.ot.com internet address = 18.104.22.168 ns.ot.com internet address = 22.214.171.124 dns-east.prep.net internet address = 126.96.36.199In this case, the mail alias for ot.com is mail.ot.com, which you could then do a traceroute to.
Since traceroute does a reverse DNS on every host it encounters, there may be a DNS server not responding that prevents traceroute from finishing the trace. Try a "traceroute -n" to display only the IP addresses. You can use nslookup later to determine the host names.
This means that the host you're trying to reach didn't respond. This may indicate that the spammer has been disconnected! (Joy!)
Of course, it could be that the system is just down for a while, such as a dialup host which is not currently dialed up to the net.
Point your web browser to http://www.traceroute.org for a list of traceroute servers you can use.
'Whois' specifies a protocol by which a whois client (link to whois clients) can query a 'Whois' server for information regarding domain names, IP ranges or people.
In general, the syntax of the Whois command (under Unix) is:
Certain whois clients are installed to query a particular whois server (normally whois.internic.net) by default.
Usually when querying a particular whois server, you can always ask for 'help' .
Before using 'whois' randomly, it pays to understand a certain hierarchy in the organisation of domain names. Historically, the InterNIC handled all domains under .com, .net, .edu, and .org . Recent changes have forced this system to be split up into a Registry (the core database) and many Registrars (organisations which register domains into the Registry ).
To query the Registry for domains within the .com, .net .edu, and .org TLD (Top Level Domains), first query the InterNIC Registry:
This will return a *redirection* to the database of the appropriate Registrar. ( Formerly, Network Solutions was both the Registry (as InterNIC) and Registrar ), ie:
Sometimes you will want to find out information about domains that are not in the traditional international .com, .net, .org, .edu etc TLDs.
These are usually handled by the Registry for that specific country, identified by the ISO3166 Two Letter code for that country.
As there are far too many to list here, you can usually get away with using 'XX.whois-servers.net' where 'XX' is the two-letter country code (ie, 'au.whois-servers.net' for domains within .au, Australia) for the whois server, ie:
Geektools will happily query the appropriate whois server for you, via the box below:
Historically, the former InterNIC managed (under the auspices of IANA ) the allocation of IP numbers to ISPs and other organisations. This changed somewhat when the Regional Internet Registry system was started, with the creation of three Regional Internet Registries (RIRs) around the world, each managing the allocation of IP addresses to organisations within differing physical areas. ( See also RFC2050, http://ftp.isi.edu/in-notes/rfc2050.txt )
This means that there is no central whois database for IP numbers, or ASNs.
Each RIR maintains an authoritative Whois database detailing these allocations. The current RIRs, their whois servers and regions are:
These areas are currently handled by ARIN and the RIPE NCC respectively.
The RIRs sometimes allocate large IP ranges to particular countries (specifically to the National Internet Registry of that country) which usually runs another database. Be careful to fully read the output of any whois search.
Note that ARIN took over the former InterNIC's role in managing IP
numbers, and a large number of whois clients point by default to
whois.ARIN.net. The other two RIRs have placed redirection
notices in the ARIN database informing users to go query the
Sending spam complaints to the Regional Internet Registries tends to be
an excercise in futility, as the RIRs have no authority to deal with spam
complaints, limited resources, and dearly wish that people would use the
appropriate databases rather than continually mistakenly claiming that
the RIRs hide/are spammers. If you see a reference to another database,
follow the reference. Don't annoy the Happy Fun RIRs.
Sending spam complaints to the Regional Internet Registries tends to be an excercise in futility, as the RIRs have no authority to deal with spam complaints, limited resources, and dearly wish that people would use the appropriate databases rather than continually mistakenly claiming that the RIRs hide/are spammers. If you see a reference to another database, follow the reference. Don't annoy the Happy Fun RIRs.
The IP ranges for each RIR are detailed at:
Autonomous System numbers (ASNs) are detailed at:
An ASN is used by an Autonomous System (ie, an ISP) as an identifier when they announce their routes to the rest of the Internet world. It is a numeric 16bit number, from 1 to 65535. In most cases, you won't need to know about this.
If you find this confusing, try to find a whois program which will sort out the complexities for you. Look at e.g. Sam Spade or IPW in the Tools section.
Yes. While it's not an offical standard, many sites, including big companies like Netcom and PSI have begun implmenting the username "abuse" for network abuse issues. So if you got spam from a psi.net user, writing to <email@example.com> is the recommended course of action.
Of course, since it's not required, not all sites support the abuse
address. If you get a bounce, it's recommended that you write to
"postmaster" instead. Since every site is required
to have such an address by
RFC 822, that will most likely work for you. (See alternatively
RFC 822 at faqs.org.)
Sometimes spammers with their own sites intentionally do this to deflect
complaints, sometimes it's a result of extreme cluelessness on the part
of the site owner. At any rate, you have several options at this point,
Sometimes spammers with their own sites intentionally do this to deflect complaints, sometimes it's a result of extreme cluelessness on the part of the site owner. At any rate, you have several options at this point, which include:
An IP address is divided into two parts, the address of the network, and the address of the machine. Which is which depends on what the first number of the IP address is:
dmuth:~$ whois firstname.lastname@example.org [rs.internic.net] UUNET Technologies, Inc. (NET-UUNETCUSTB) 3060 Williams Drive Fairfax, VA 22031 US Netname: UU-153-34 Netblock: 188.8.131.52 - 184.108.40.206 Maintainer: UU Coordinator: Uunet, AlterNet [Technical Support] (OA12) help@UUNET.UU.NET +1 (800) 900-0241 Alternate Contact: UUNET Postmaster (UUPM) email@example.com 703-206-5440 Domain System inverse mapping provided by: HUGIN.UU.NET 220.127.116.11 MUNIN.UU.NET 18.104.22.168 AUTH60.NS.UU.NET 22.214.171.124Another interesting note is that you can find groups of netblocks with whois. Type <whois firstname.lastname@example.org> will give you a listing of all of the class B networks from 153.0 to 153.255.
Note, however, that the listed owner might have leased out portions of their bigger netblock to clients of theirs. UU.NET is a good example -- some of their netblocks are leased out to customer ISP:s whom you should probably contact about spam you received from them.
Nslookup will perform DNS and reverse DNS queries for you. DNS is the Domain Name System, which is what associates human-friendly host names ("www.ot.com") with IP numbers (subject to change -- at the time of writing, www.ot.com is 126.96.36.199).
When a mailhost in the Received: header has only an IP address listed, you may want to do a DNS query to find out what host name the IP number corresponds to.
The synopsis for nslookup is:
nslookup (IP address|machine name) [dns server]
Here's a reverse DNS example:
$ nslookup 188.8.131.52 Server: ns.ot.com Address: 184.108.40.206 Name: www.ot.com Address: 220.127.116.11Your server: and address: lines will vary as per your ISP but the resulting name and address will be the same.
Here's a DNS example:
$ nslookup ans.net Server: ns.ot.com Address: 18.104.22.168 Non-authoritative answer: Name: ans.net Address: 22.214.171.124The "non-authoritative answer" is because I used my ISP's DNS server (ns.ot.com) instead of one of ans's servers. Here, I correct that and use ns.ans.net as my DNS server:
nslookup ans.net ns.ans.net Server: ns.ans.net Address: 126.96.36.199 Name: ans.net Address: 188.8.131.52You can find out the name of an authoritative server from the whois info for a domain, or with the -q=ns option to nslookup.
If you don't have access to any of the afore mentioned tools (maybe you are using a public terminal at a library), you could use Sam Spade, which can be found at http://www.samspade.org. Sam Spade can do a nslookup, whois, traceroute, and find out who owns the netblock of the machine.
This tool will benefit novices the most.
Since mail servers usually reside on port 25, you need to telnet to port 25 of the host that you suspect to be relayable. Once connected, you should see something like this:
220 relay.com ESMTP Sendmail 8.8.7/8.8.7; Sun, 4 Jan 1998 17:54:11 -0500 (EST) ^^^^^^^^^^^^^^^^^^^^Take note of the MTA and its version number. To start, type:
HELO somesite.comwith whatever domain name you want. While the name doesn't matter, I like to use "forged" or something similar so I can tell apart this e-mail when I get it. This value will appear in the Received: header that the site generates.
mail from: addresswith whatever address you want. This is the address that will appear in the From_ header at the start of the e-mail.
rcpt to: your e-mail addressThis will tell the system where to send the e-mail. Note that you can type this line multiple times with multiple e-mail addresses. This is how a spammer sends an e-mail to thousands of people at once.
DATAAt this point, you can enter in your e-mail message. I would suggest putting in at least a Subject: header, with a space after the colon and separating the headers from the body by an empty line. However, no headers are necessary.
To finish the e-mail, type a period at the start of a line and hit enter. If you made it this far and the server returned a message saying that the message was accepted for delivery, then it is very likely that the server allows relaying, at least from your particular IP address.
However, Stephen J Friedl warns that some servers use front ends which accept SMTP connections on port 25, then pass the e-mail to another server or program which does the real processing. In these cases, your message may not be relayed even though it appears otherwise. The only way to make certain that a particular server does do relaying is to see if you actually get the e-mail that you sent.
Also, to see if the server logs the original IP address and does a reverse DNS on your host, check the Received: header that the server generated.