Tracking Spam

The SPAM-L mailing list will be shut down as of May 11th, 2009. Please read this post for more information and an explanation.
This FAQ will be kept indefinitely for historical purposes but updates will be rare, if they are made at all.
[Edit: Some folks have set up a successor to the list at http://spammers.dontlike.us/ (SDLU). I have no current involvement with that list, but I encourage folks to check it out!]

This section deals with the technical aspects of spam, like telling where it came from. Having a UNIX shell account will be extremely helpful, as a lot of the utilities are native to UNIX and come already installed; however, you can perform most of these functions on other operating systems using third-party (usually shareware) tools.

This section tries to explain how to perform each of the functions described on your own computer, with alternatives listed at the appropriate points.


OK, I just got spammed. Now what?

First, please make sure that it is indeed spam and that you didn't subscribe yourself to a list and ended up forgetting about it. This is more common than you might think -- ever fill out one of those web forms and forget to check whether the "Send me Info" box was checked or unchecked? It's usually set on by default.

Also make certain that it's not from someone you met or corresponded with briefly, and have since forgotten. (It's happened to me!)

Here's a list of things to look for:

  • Forged headers.
  • Sent from a throwaway account. Common ISPs that supply throwaway accounts include Compuserve, Prodigy, and Netcom.
  • Relayed through a third-party mailserver.
  • Promotes a webpage on another site.
  • Directs replies to an e-mail address on another system. Common examples include AOL and hotmail accounts.
If you're certain it's spam, continue on!

But I only got one copy. How do I know it was really sent in bulk and therefore spam?

You don't.

To elaborate, you don't need to. If it looks like spam and smells like it (be sure to check the headers for signs of forgery), it's best to complain to the ISPs involved and let them make that determination. If yours is the only complaint they have received, then perhaps it wasn't a spam at all. If however the ISP receives hundreds of complaints, they can then conclude that their client did spam and take appropriate action against them.

What are these "headers" you folks keep talking about?

An e-mail message is divided into two parts, the headers and the body. The headers contain all the technical information, such as who the sender and recipient are, and what systems it has passed through. The body contains the actual message text. The headers and body are separated by a blank line. In some mail programs, the headers are shown separately.

How can I view the headers with mail client X?

What follows are instructions for viewing headers with some of the more popular mail clients:

Elm, Pine, and Mutt
Press "h" from the message selection menu to view the full headers of the currently selected message.

Eudora
Open the message. Under the title bar are four options. The second from the left is a box which says "Blah, Blah, Blah." Click on that to display the full headers.

Hotmail
Go into "Options", "Preferences", and choose "Message headers". You'll want to choose the "Full" option to display Received: headers. "Advanced" will display that as well as MIME headers.

Do note, however, that sometimes Hotmail has to press some previous generation mailservers into service, and messages sent through those mailservers won't show any headers no matter what. :-(

Lotus Notes 4.6.x
Open the offending mail. Click on "Actions", then "Delivery information". Cut and paste the text from the bottom box, marked "Delivery information:".

Netscape Mail
Choose "OPTIONS" from the options menu bar. Listed as an option is "Show Headers". Choose full headers.

Outlook Express
Open the message. Choose "File" from the options menu bar. Listed as an option is "properties". Another window will open, showing two tabs. You want to choose the one titled "Details". Then cut and paste the headers into the message you want to forward.

Outlook 2000
Double click on the message to open it up, click on "View --> Options", and you will see the message headers in a box at the bottom of the window. You can copy/paste them from that window.

Pegasus
Choose "READER" from the options menu bar. Listed as an option is "Show all Headers". This does not work for HTML messages, however. A workaround is to select the message properties and de-select "Contains HTML data".

How do I read them?

This depends on your mail reading program. Most programs have an option that will display all the headers of the message. Another technique is to read your e-mail with a standard text editor as opposed to an e-mail program. Check the docs that come with your email reader or read the online help. You could also contact your ISP for assistance or talk to your help desk if this takes place at work.

You'll know that you're viewing the headers when you see several lines that start with the word "Received: ". These lines are very important to tracking the source of a spam, as you'll see later.

What does "forging" mean?

"Forging" means trying to disguise where the message came from. Spammers do this a lot so that you won't know whom to complain to. It can be done by a variety of methods, from simply placing deliberately erroneous information in their e-mail program, to manually sending mail using Telnet to an SMTP server (port 25). This requires fairly intimate knowledge of the SMTP protocol, which is, unfortunately, not hard to understand. (See RFC 821; a slightly more readable version is available at the faqs.org site.)

Forging e-mail headers is not presently illegal in the US. Some argue that it should be.

Uh, what's Telnet?

Telnet is the name of both a program and a part of the TCP/IP protocol suite which allows you to remotely access a computer. In the case of services such as mail, which run on port 25, you can telnet into that port and interact with the service manually. You can also do this to webservers on port 80 or finger daemons on port 79. It's kinda neat. :-)

Anyway, to access telnet if you are on a UNIX system, just type telnet hostname <port>, where the port number is optional. If you are on Windows 95/98/NT, choose "Run" from the start menu and type telnet hostname <port> from there.

Otherwise, searching Tucows for a Telnet program would be a good thing (NiftyTelnet for Macintosh is pretty good).

What is the "point of injection"?

In a typical spam, there are two different kinds of systems involved:

  • The sending system. This is the actual machine that the spammer is on, assuming that they are using a SLIP/PPP connection. Its hostname usually has "dialup" or "ppp" somewhere in it.

  • The mailing system. This is the "point of injection". Most e-mail clients (or MTAs under UNIX) allow the user to designate a "smarthost", more commonly known as a "relay". This takes the load off of the user's machine and places it on the ISP's mailserver, so the user can do other things. When forging a message, the spammer will choose another host elsewhere on the Internet so that their own provider will not know what they are up to.

How can I track down the sending system?

Look in the headers and you will find a series of lines starting with the word "Received:". One of these is added by every system the e-mail passes through.

The synopsis for a Received: header is:

Received: from <one system> by <the next system> <the current date>

Therefore, the following example headers:

--------QUOTED HEADERS-------------
Received: from hermes.ntview.com by oasis.ot.com (8.7.6/8.7.3) with ESMTP
  id CAA26482 for <dmuth@ot.com>; Tue, 28 Jan 1997 02:25:42 -0500 (EST) 
-------END QUOTED HEADERS----------
demonstrate that the original message was sent by hermes.ntview.com.

The Received: headers are added at the top of the message by each MTA (Mail Transport Agent), so that your own system's Received: line should be the first you read, and the spammer's will be somewhere down the list. The list should form an unbroken path (i.e. from B by A, from C by B, from D by C). If the path is broken somewhere, it is often a sign that the rest of the Received: lines are forged.

One other way to get an idea of the sending system is to look for the first occurrence of a PPP or SLIP hostname, or something similar indicating a dialup connection. Spammers don't relay through dialups very much. :-)

What about these "stealth" mailers?

Some of the newer spamming programs put in fake Received: headers in order to prevent users from finding the first ones. This is rather foolish, as most spammers don't understand the net and put in wildly bogus values.

Here are a few things that let you know a header has been forged:

  • Look for a wrong Eastern Timezone of "-0600 (EST)" (EST is normally -0500, while EDT is -0400) in conjunction with an SMTP id which always starts with "GAA...". This is perhaps the most common Stealth Mailer signature seen; an example of it appears below.

  • A new, laughably "repaired" Stealth Mailer has surfaced recently; its signature errors are an SMTP id which always starts with "XAA..." and an Eastern Timezone correction which is even more wrong than before, now listing "-0700 (EDT)".

  • Look for a spoofed address in the Received: header. A real Received: header carries the recipient's address (i.e. dmuth@ot.com in the above example) in its "for <...>" clause. If the address there isn't yours, it's a forged header.

  • Look for a spoofed SMTP id. A real one generally matches its first letter to the hour of the time the hand-off occurred; e.g., if the time listed in this header is between midnight and 1:00 a.m., its SMTP id should start with "A..."; between 1:00 a.m. and 2:00 a.m. should indicate "B..." and so on.

  • Look for IP addresses with a node number of 0 or greater than 254. Node numbers only range from 1 to 254 (0 indicates the network address and 255 is for broadcasting).

  • Look for a system named "alt1"; this can be filtered on, as I have caught many spams with zero false positives in this manner.

A few examples of spoofed headers:

Received: from email4all@aol.com by email4all@aol.com (8.8.5/8.6.5) with 
  SMTP id GAA02084 for <email4all@aol.com>; Thu, 26 Jun 1997 
  10:52:37 -0600 (EST)
Received: from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net 
  (8.8.5/8.6.5) with SMTP id GAA06154 for <gpg@lconn.net>; Wed, 25 Jun 1997 
  23:00:38 -0600 (EST)
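
As an added example (not part of the original FAQ), here is a small Python script that applies the checks from the last two sections: it unfolds the Received: headers, walks the from/by chain top-down to find breaks, picks out the claimed origin and the point of injection, and flags each of the stealth-mailer signatures listed above. The timezone table beyond EST/EDT is an assumption of standard US/UTC values, and the sample header block is constructed for the demonstration from the FAQ's own quoted headers.

```python
import re

# UTC offset each timezone abbreviation legitimately carries. The FAQ gives
# EST (-0500) and EDT (-0400); the other US zones and GMT/UTC are standard
# values added here.
TZ_OFFSETS = {
    "EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700",
    "GMT": "+0000", "UTC": "+0000",
}

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]+)", re.I)
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+)>?", re.I)
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
TIME_RE = re.compile(r"\b(\d{1,2}):(\d{2}):(\d{2})\s+([+-]\d{4})(?:\s*\((\w+)\))?")


def unfold_received(headers):
    """Return the Received: headers top-to-bottom, with continuation lines
    (those that start with whitespace) joined back onto their header."""
    records = []
    for line in headers.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            records.append(line[len("received:"):].strip())
    return records


def parse_received(text):
    """Pull the from/by/ip/id/for/hour/offset/zone fields out of one
    unfolded Received: header; missing fields come back as None."""
    def grab(rx, group=1):
        m = rx.search(text)
        return m.group(group) if m else None
    hour = grab(TIME_RE, 1)
    return {
        "from": grab(FROM_RE), "by": grab(BY_RE), "id": grab(ID_RE),
        "for": grab(FOR_RE), "ip": grab(IP_RE),
        "hour": int(hour) if hour is not None else None,
        "offset": grab(TIME_RE, 4), "zone": grab(TIME_RE, 5), "raw": text,
    }


def chain_breaks(records):
    """Each header's 'from' host should be the 'by' host of the header below
    it. Return the indices where that path breaks; everything below a break
    is suspect. (A forwarder or firewall can also break the chain, so treat a
    break as a flag, not proof.)"""
    return [i for i in range(len(records) - 1)
            if (records[i]["from"] or "").lower() != (records[i + 1]["by"] or "").lower()]


def forgery_signs(rec, my_address):
    """Apply the stealth-mailer signatures listed above to one parsed header."""
    signs = []
    expected = TZ_OFFSETS.get((rec["zone"] or "").upper())
    if expected and rec["offset"] != expected:
        signs.append(f"zone {rec['zone']} is {expected}, header says {rec['offset']}")
    if rec["id"] and rec["hour"] is not None:
        want = chr(ord("A") + rec["hour"])      # sendmail queue ids: A=00h ... X=23h
        if rec["id"][0].upper() != want:
            signs.append(f"id {rec['id']} should start with {want} for hour {rec['hour']:02d}")
    if rec["for"] and rec["for"].lower() != my_address.lower():
        signs.append(f"for <{rec['for']}> is not the recipient")
    if rec["ip"]:
        octets = [int(o) for o in rec["ip"].split(".")]
        # Node number 0 or 255 is the network/broadcast address, never a host.
        if max(octets) > 255 or octets[-1] in (0, 255):
            signs.append(f"ip {rec['ip']} is not a usable host address")
    if re.search(r"\balt1\b", rec["raw"]):
        signs.append("hostname alt1 present")
    return signs


def analyse(headers, my_address):
    """Parse a header block and summarise: claimed origin (bottom 'from'),
    point of injection (bottom 'by'), chain breaks and per-header signs."""
    recs = [parse_received(r) for r in unfold_received(headers)]
    return {
        "records": recs,
        "origin": recs[-1]["from"] if recs else None,
        "injection": recs[-1]["by"] if recs else None,
        "chain_breaks": chain_breaks(recs),
        "signs": [forgery_signs(r, my_address) for r in recs],
    }


# Constructed sample: the FAQ's genuine oasis.ot.com header stacked above the
# forged lconn.net one, as a stealth mailer would leave them.
SAMPLE = """\
Received: from hermes.ntview.com by oasis.ot.com (8.7.6/8.7.3) with ESMTP
  id CAA26482 for <dmuth@ot.com>; Tue, 28 Jan 1997 02:25:42 -0500 (EST)
Received: from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net
  (8.8.5/8.6.5) with SMTP id GAA06154 for <gpg@lconn.net>; Wed, 25 Jun 1997
  23:00:38 -0600 (EST)
"""

if __name__ == "__main__":
    result = analyse(SAMPLE, "dmuth@ot.com")
    print("origin:", result["origin"], " injection:", result["injection"])
    print("chain breaks at:", result["chain_breaks"])
    for i, signs in enumerate(result["signs"]):
        print(f"header {i}: {signs or 'no forgery signs'}")
```

Run against the sample, the genuine header passes every check while the forged one trips all five signatures and breaks the from/by chain.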

A word about firewalls and forwarders

If your ISP has a firewall, or you have some sort of forwarding from another e-mail address, there may be one or more extra sets of Received: headers present. Please mention this when reporting a spam to the list.

For example, if I have an e-mail address of dmuth@forwarder.com which forwards e-mail to the address dmuth@myhost.com, there will be an extra Received: header put in by forwarder.com:

Received: from forwarder.com (forwarder.com [201.96.1.32])
        by myhost.com (8.8.7/8.8.7) with ESMTP id SAA02629
        for <dmuth@myhost.com>; Thu, 18 Sep 1997 18:31:46 -0400 (EDT)

What's this stuff in parentheses in the Received: header?

The text in parentheses is added by the receiving host, which records the IP address (and possibly the reverse-DNS name as well) of the host that actually connected to it and sent the e-mail. This prevents the sending host from lying about its name (A Good Thing).

For example:

--------QUOTED HEADERS-------------
Received: from q.qqq.com (ppp-206-171-250-20.vntrcs.pacbell.net
  [206.171.250.20]) by mail.themall.net (8.8.5/8.8.2/IIAM 1.0 (DCH)) with
  SMTP id IAA00719; Wed, 5 Mar 1997 08:40:22 -0800 (PST)
-------END QUOTED HEADERS----------
mail.themall.net did a reverse DNS and determined that this mail really came from pacbell.net as opposed to qqq.com, which is really in the Netherlands. Whoever sent this lied about their origin, but the system did a "callback" of sorts.

Just a note though, a forged header could have a forged "reverse DNS" lookup as well.

How do I track down the point of injection?

The point of injection is usually the second host in the mail path (i.e. the second Received: line from the bottom); the first is usually the spammer's machine. Remember, if the spammer is trying to cover their tracks, they won't use their own ISP's mailserver.

For example:

--------QUOTED HEADERS-------------
Received: from smtp.gte.net (radius3.gte.net [206.124.68.25]) by 
  oasis.ot.com (8.7.6/8.7.3) with SMTP id SAA18708 for <dmuth@ot.com>; 
  Wed, 5 Mar 1997 18:41:30 -0500 (EST)
Received: from r9892423 (Cust118.Max60.Los-Angeles.CA.MS.UU.NET 
  [153.34.100.118]) by smtp.gte.net (SMI-8.6/) via SMTP id QAA16410; Wed, 5 
  Mar 1997 16:31:34 -0600
-------END QUOTED HEADERS----------
The spammer set their relay to smtp.gte.net, an innocent system. Also, as you can see, smtp.gte.net did a reverse DNS, which is good, as the spammer put a bogus name in for their system (r9892423).

What about host names like "222.173.190.239" or even "3735928559"?

Sometimes, they're an attempt by the spammer to conceal the host's name. If you're lucky, you can find out the host's name just by running an nslookup or similar. However, not all hosts have a human-readable name; if the host you want to investigate only has an IP number, you can at least try to find out who owns the netblock via whois. See below.

The single big number is a special case of a raw IP address. All Internet addresses (IPv4) are really 32-bit numbers (between 0 and roughly 4.2 billion) but they're conventionally broken up into 8-bit pieces with periods between them. If you are familiar with hexadecimal notation, this should be fairly easy to understand: 3735928559 is equal to 0xdeadbeef which, if you insert periods between the octets, is 0xde.0xad.0xbe.0xef, which is 222.173.190.239. (This is not really an existing host address, at the time of this writing.)

Many, many hosts are badly configured so that there is no reverse DNS for looking them up by IP number, even though there is a host name associated with that IP number. Sometimes you can find a host's name by probing it a little bit. For example, telnetting to port 25 will get you a standard SMTP greeting which contains a host name, if that host is running an SMTP (mail) server. (Of course, the host name there could still be forged or incomplete.)

Why should I bother to track down the point of injection?

Most sysadmins do not like it when another user sends out hundreds of thousands or even millions of pieces of e-mail through their system without their permission. Therefore, they will appreciate you telling them that their system was/is being abused in such a manner.

Secondly, it is also a theft of service to use another system for sending your e-mail. When Cyberpromo sends out its 2 million bulk e-mails, all they send to the innocent mailhost is the text of the message and a list of the recipients. This poor system now has to create one copy of the message for every address on that list and deliver them, which is a huge waste of resources on that system. At this point, the sysadmin may want to sue the spammer.

What's Traceroute, and how do I use it?

Traceroute is a UNIX tool (there are versions for other OSes) for determining the path that your data packets take from one system to another. In the case where a spammer has their own domain, you can use it to determine who their ISP is and complain to them directly.

The synopsis of the traceroute command on UNIX is:

traceroute <hostname>

For example:

$ traceroute whitehouse.gov

traceroute to whitehouse.gov (198.137.241.30), 30 hops max, 40 byte packets
 1  milo.ot.net (199.234.240.100)
 2  slab.ot.net (199.234.240.1)
 3  ucsc2-gw-hssi1-0.phl.prep.net (129.250.201.1)
 4  ucsc1-gw-fddi-1-0.phl.prep.net (192.204.183.1)
 5  border2-hssi1-0.WestOrange.mci.net (204.70.66.5)
 6  core1-fddi-1.WestOrange.mci.net (204.70.64.33)
 7  somerouter.sprintlink.net (206.157.77.106)
 8  sl-pen-18-P4/0/0-155M.sprintlink.net (144.232.0.73)
 9  144.232.8.2 (144.232.8.2)
10  sl-dc-17-F0/0.sprintlink.net (144.228.20.17)
11  sl-eop-1-S0-T1.sprintlink.net (144.228.72.66)  **The upstream** 
12  whitehouse.gov (198.137.241.30)

As you can see, whitehouse.gov has sprintlink.net as an ISP, also known as their "Upstream Provider".

I don't have/use/understand UNIX. Can I still use traceroute?

Yes. Most operating systems, including Win 3.x, Win95, and WinNT, have a traceroute tool. On Windows systems, open a DOS session and use the command

tracert <hostname>

This tool is present on most Win95 and WinNT machines, and on Windows for Workgroups 3.11 with the TCP/IP-32b drivers installed. (Hint: Try it. If it doesn't work, it's probably not installed. Easier than figuring out the gibberish above) ;-)

On the Macintosh, you can use the shareware product called IPNetMonitor, which has a full suite of I.P. tools, including Trace Route, Whois, NS Lookup & Ping. It is available at: http://www.sustworks.com. Also available is AGNet Tools, which can be found at Lycos (Tucows).

The rest of the information on traceroute applies. Note that you may not have this program installed, especially if you use a third-party TCP/IP stack. In this case, see the section on web based traceroutes for Web-based gateways to traceroute.

Traceroute says "unknown host", now what?

You probably have chosen a mail alias -- a system that handles mail for a given Internet domain. Use the nslookup command to search for MX records and run traceroute to the resulting system(s).

The synopsis for using nslookup is:

nslookup -q=mx <hostname>

Although nslookup's output is verbose and a bit cryptic to the neophyte, you should be able to glean some good host names from the list you get.

Example:

dmuth:~$ nslookup -q=mx ot.com
Server:  ns.ot.com
Address:  199.234.240.5

ot.com  preference = 10, mail exchanger = mail.ot.com
ot.com  nameserver = ns.ot.com
ot.com  nameserver = dns-east.prep.net
mail.ot.com     internet address = 199.234.240.2
ns.ot.com       internet address = 199.234.240.5
dns-east.prep.net       internet address = 129.250.252.10

In this case, the mail alias for ot.com is mail.ot.com, which you could then do a traceroute to.

Traceroute hangs, now what?

Since traceroute does a reverse DNS on every host it encounters, there may be a DNS server not responding that prevents traceroute from finishing the trace. Try a "traceroute -n" to display only the IP addresses. You can use nslookup later to determine the host names.

I get a bunch of asterisks (**), now what?

This means that the host you're trying to reach didn't respond. This may indicate that the spammer has been disconnected! (Joy!)

Of course, it could be that the system is just down for a while, such as a dialup host which is not currently dialed up to the net.

Web Based Tracerouting

Point your web browser to http://www.traceroute.org for a list of traceroute servers you can use.

What's WHOIS, and how do I use it?

'Whois' specifies a protocol by which a whois client can query a 'Whois' server for information regarding domain names, IP ranges or people.

In general, the syntax of the Whois command (under Unix) is:

$ whois -h <whois.host.to.query> "search string"

Certain whois clients are installed to query a particular whois server (normally whois.internic.net) by default.

Usually when querying a particular whois server, you can ask for 'help'.

Using 'Whois' for Domains (.com, .net, .edu, .org):

Before using 'whois' randomly, it pays to understand a certain hierarchy in the organisation of domain names. Historically, the InterNIC handled all domains under .com, .net, .edu, and .org. Recent changes have forced this system to be split up into a Registry (the core database) and many Registrars (organisations which register domains into the Registry).

To find the Registrar for a domain within the .com, .net, .edu, and .org TLDs (Top Level Domains), first query the InterNIC Registry (whois.internic.net, the default server for many whois clients). This will return a *redirection* to the database of the appropriate Registrar (formerly, Network Solutions was both the Registry, as InterNIC, and a Registrar), e.g.:

Whois Server Version 1.1

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: SUCK.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: NS3.HOTWIRED.COM
Name Server: NS2.HOTWIRED.COM
Name Server: NS1.HOTWIRED.COM
Updated Date: 16-may-2000


>>> Last update of whois database: Tue, 25 Jul 00 03:43:32 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Then, query the appropriate Registrar, e.g.:

$ whois -h whois.networksolutions.com suck.com

(output abbreviated)

Registrant:
The Vacuum Cleaner Company (SUCK-DOM)
c/o Wired Ventures, Inc. 660
Third Street, 4th Fl.
San Francisco, CA 94107
US

Domain Name: SUCK.COM

Administrative Contact:
Contact, Domain Administration (DAC11) domain-admin@HOTWIRED.COM
Technical Contact, Zone Contact:
Contact, Domain Technical (DTC5) domain-tech@HOTWIRED.COM
Billing Contact:
Domain Billing Contact (DBC4-ORG) domain-billing@HOTWIRED.COM

Record last updated on 16-May-2000.
Record expires on 25-May-2001.
Record created on 24-May-1995.
Database last updated on 24-Jul-2000 22:59:05 EDT.

Domain servers in listed order:

NS1.HOTWIRED.COM 204.62.131.44
NS2.HOTWIRED.COM 209.185.151.6
NS3.HOTWIRED.COM 204.62.130.122

Using Whois for Country-Code Top Level Domains (ccTLDs, .au, .ch etc):

Sometimes you will want to find out information about domains that are not in the traditional international .com, .net, .org, .edu etc TLDs.

These are usually handled by the Registry for that specific country, identified by the ISO3166 Two Letter code for that country.

As there are far too many to list here, you can usually get away with using 'XX.whois-servers.net', where 'XX' is the two-letter country code (e.g. 'au.whois-servers.net' for domains within .au, Australia), as the whois server:

$ whois -h au.whois-servers.net sofcom.com.au

Note that a lot of ccTLDs have a further hierarchy, such as 'com' for commercial entities, 'net' for networks, 'org' for organisations etc., so the actual organisation may be on the third or fourth level of the domain name (reading from the right).

Geektools offers a web-based whois form that will query the appropriate whois server for you.

Using Whois for IP ranges and ASNs:

Historically, the former InterNIC managed (under the auspices of IANA) the allocation of IP numbers to ISPs and other organisations. This changed somewhat when the Regional Internet Registry system was started, with the creation of three Regional Internet Registries (RIRs) around the world, each managing the allocation of IP addresses to organisations within differing physical areas. (See also RFC 2050, http://ftp.isi.edu/in-notes/rfc2050.txt )

This means that there is no central whois database for IP numbers, or ASNs.

Each RIR maintains an authoritative Whois database detailing these allocations. The current RIRs, their whois servers and regions are:

APNIC: Asia Pacific Network Information Centre
whois.APNIC.net, www.apnic.net/
Est. 1993. Asia and Pacific Rim.

ARIN: American Registry for Internet Numbers
whois.ARIN.net, www.arin.net
Est. 1997. North America, South America, Sub-Saharan Africa.

RIPE NCC: Réseaux IP Européens, Network Coordination Center
whois.RIPE.net, www.ripe.net
Est. 1992. Europe and surrounding areas, including Northern Africa.

LACNIC: Latin American and Caribbean Internet Addresses Registry
whois.LACNIC.net, www.lacnic.net
Latin American and Caribbean areas.

JPNIC: Japan Internet Addresses Registry
whois.nic.ad.jp, www.nic.ad.jp
Est. March 1997. Japan.

In addition, there are currently two RIRs in formation stages, to handle South America and the Caribbean (LACNIC), and Africa (AFRINIC).

These areas are currently handled by ARIN and the RIPE NCC respectively.

The RIRs sometimes allocate large IP ranges to particular countries (specifically to the National Internet Registry of that country) which usually runs another database. Be careful to fully read the output of any whois search.

Note that ARIN took over the former InterNIC's role in managing IP numbers, and a large number of whois clients point by default to whois.ARIN.net. The other two RIRs have placed redirection notices in the ARIN database informing users to go query the appropriate RIR.

Sending spam complaints to the Regional Internet Registries tends to be an exercise in futility, as the RIRs have no authority to deal with spam complaints, limited resources, and dearly wish that people would use the appropriate databases rather than continually mistakenly claiming that the RIRs hide/are spammers. If you see a reference to another database, follow the reference. Don't annoy the Happy Fun RIRs.

The IP ranges for each RIR are detailed at:

http://www.iana.org/assignments/ipv4-address-space
(APNIC also publishes a prettified version of this list.)

Autonomous System numbers (ASNs) are detailed at:

http://www.iana.org/assignments/as-numbers
(APNIC also publishes a prettified version of this list.)

An ASN is used by an Autonomous System (i.e. an ISP) as an identifier when it announces its routes to the rest of the Internet. It is a 16-bit number, from 1 to 65535. In most cases, you won't need to know about this.

Huh, what was all that?

If you find this confusing, try to find a whois program which will sort out the complexities for you. Look at e.g. Sam Spade or IPW in the Tools section.

I'm too lazy to use WHOIS or don't have enough time. Is there a "default" address which I can e-mail?

Yes. While it's not an official standard, many sites, including big companies like Netcom and PSI, have begun implementing the username "abuse" for network abuse issues. So if you got spam from a psi.net user, writing to <abuse@psi.net> is the recommended course of action.

Of course, since it's not required, not all sites support the abuse address. If you get a bounce, it's recommended that you write to "postmaster" instead. Since every site is required to have such an address by RFC 822, that will most likely work for you. (See alternatively RFC 822 at faqs.org.)

Postmaster bounced! Now what?!?

Sometimes spammers with their own sites intentionally do this to deflect complaints, sometimes it's a result of extreme cluelessness on the part of the site owner. At any rate, you have several options at this point, which include:

  • Using WHOIS to find another contact address to complain to or a phone number to call.
  • Using traceroute to find who provides the feed to that site, then using WHOIS to complain to the upstream.
  • Going to the website to get a contact e-mail address and/or phone number.
Just remember: don't flame the ISP. I've already had postmaster bounce from major ISPs because of new configurations which weren't fully tested at the time.

What are netblocks, and how are they useful?

An IP address is divided into two parts, the address of the network, and the address of the machine. Which is which depends on what the first number of the IP address is:

Class A
A class A network uses the first number as the network address, so you can have 16.7 million (2^24) nodes in that network. The network address must also be between 1 and 126. (127 is loopback). For example, net 38 is owned by psi.net.

Class B
A class B network uses the first 2 numbers as a network address which makes for 65,535 (2^16) possible nodes. Class B networks range between 128.0 and 191.255. For example, 153.34 is owned by uu.net.

Class C
Class C networks use the first 3 numbers as a network address with 256 possible nodes. Class Cs range between 192.0.0 and 223.255.255. For example, 199.234.240 is owned by Oasis Telecommunications.

Class D and Class E
Class D is for networks 224 to 239.255.255.255. Class E is for networks 240 to 255.255.255.255. Class D is for multicast messages and class E is reserved for experimentation and development. If you see one of these IP addresses in a header, you can be quite certain that the header has been forged. (Or there is a serious configuration problem somewhere.)
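
An added Python example, not from the FAQ, that covers both the numeric host names discussed earlier (the 3735928559 / 0xdeadbeef case) and the class table above: it normalises the numeric spellings into a dotted quad, then reports the class, the network part to feed to a netblock whois, and whether a class D/E, loopback or zero-leading address in a header should be treated as a forgery or misconfiguration sign. Accepting 0x-prefixed hex as input is a generalisation beyond the page's single worked case, and the classful network split is kept only because that is what this section describes.

```python
import re

DOTTED_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def to_dotted_quad(host):
    """Turn the numeric host spellings a spammer may use into dotted-quad text.
    Handles dotted decimal ("222.173.190.239"), a single decimal number
    ("3735928559") and, as an added generalisation, 0x-prefixed hex
    ("0xdeadbeef"). Returns None for hostnames and for anything outside the
    32-bit IPv4 range, including dotted forms with an octet above 255."""
    host = host.strip()
    if DOTTED_RE.match(host):
        octets = [int(o) for o in host.split(".")]
        return host if all(o <= 255 for o in octets) else None
    try:
        value = int(host, 16) if host.lower().startswith("0x") else int(host, 10)
    except ValueError:
        return None
    if not 0 <= value <= 0xFFFFFFFF:
        return None
    # Split the 32-bit number into its four 8-bit pieces, high byte first.
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify(dotted):
    """Classful reading of an address as the section above describes it: which
    class it falls in, the network part (host octets zeroed, ready for a
    netblock whois such as 153.34.0.0), and whether its appearance in a
    Received: header is itself a forgery or misconfiguration sign (class D,
    class E, loopback, or a leading octet of 0). Classful allocation has since
    been replaced by CIDR, so treat the network split as a historical guide."""
    octets = [int(o) for o in dotted.split(".")]
    first = octets[0]
    if first == 0:
        return {"class": "invalid", "network": None, "suspicious": True}
    if first == 127:
        return {"class": "loopback", "network": "127.0.0.0", "suspicious": True}
    if first <= 126:
        cls, net_len = "A", 1
    elif first <= 191:
        cls, net_len = "B", 2
    elif first <= 223:
        cls, net_len = "C", 3
    elif first <= 239:
        cls, net_len = "D", 4
    else:
        cls, net_len = "E", 4
    network = ".".join(str(o) for o in octets[:net_len] + [0] * (4 - net_len))
    return {"class": cls, "network": network, "suspicious": cls in ("D", "E")}


def describe_host(host):
    """Combine the two: None if `host` is a name rather than an address,
    otherwise the normalised dotted quad plus its classification."""
    dotted = to_dotted_quad(host)
    if dotted is None:
        return None
    info = classify(dotted)
    info["address"] = dotted
    return info


if __name__ == "__main__":
    # Constructed inputs: the FAQ's own examples plus a multicast address.
    for h in ("3735928559", "0xdeadbeef", "153.34.100.118", "224.0.0.1",
              "ppp-206-171-250-20.vntrcs.pacbell.net"):
        print(f"{h:40} -> {describe_host(h)}")
```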

To do a whois on a netblock, all you need to do is type "whois <net number>@whois.arin.net". You can have zeros trailing after the net number if you like.

For example:

dmuth:~$ whois 153.34.0.0@whois.arin.net
[rs.internic.net]
UUNET Technologies, Inc. (NET-UUNETCUSTB)
   3060 Williams Drive
   Fairfax, VA 22031
   US

   Netname: UU-153-34
   Netblock: 153.34.0.0 - 153.34.255.255
   Maintainer: UU

   Coordinator:
      Uunet, AlterNet [Technical Support]  (OA12)  help@UUNET.UU.NET
      +1 (800) 900-0241
   Alternate Contact:
      UUNET Postmaster  (UUPM)  postmaster@uunet.uu.net
      703-206-5440

   Domain System inverse mapping provided by:

   HUGIN.UU.NET                 153.39.242.112
   MUNIN.UU.NET                 153.39.242.113
   AUTH60.NS.UU.NET             198.6.1.181

Another useful trick is that you can find groups of netblocks with whois. Typing "whois 153@whois.arin.net" will give you a listing of all of the class B networks from 153.0 to 153.255.

Note, however, that the listed owner might have leased out portions of their bigger netblock to clients of theirs. UU.NET is a good example -- some of their netblocks are leased out to customer ISPs, whom you should probably contact about spam you received from them.

What's nslookup, and how do I use it?

Nslookup will perform DNS and reverse DNS queries for you. DNS is the Domain Name System, which is what associates human-friendly host names ("www.ot.com") with IP numbers (subject to change -- at the time of writing, www.ot.com is 199.234.240.8).

When a mailhost in the Received: header has only an IP address listed, you may want to do a DNS query to find out what host name the IP number corresponds to.

The synopsis for nslookup is:

nslookup (IP address|machine name) [dns server]

Here's a reverse DNS example:

$ nslookup 199.234.240.8

Server:  ns.ot.com
Address:  199.234.240.5

Name:    www.ot.com
Address:  199.234.240.8

Your Server: and Address: lines will vary as per your ISP, but the resulting name and address will be the same.

Here's a DNS example:

$ nslookup ans.net

Server:  ns.ot.com
Address:  199.234.240.5

Non-authoritative answer:
Name:    ans.net
Address:  147.225.5.5

The "Non-authoritative answer" is because I used my ISP's DNS server (ns.ot.com) instead of one of ans's servers. Here, I correct that and use ns.ans.net as my DNS server:

$ nslookup ans.net ns.ans.net

Server:  ns.ans.net
Address:  192.103.63.100

Name:    ans.net
Address:  147.225.5.5

You can find out the name of an authoritative server from the whois info for a domain, or with the -q=ns option to nslookup.

How to do some web-based spam tracking

If you don't have access to any of the aforementioned tools (maybe you are using a public terminal at a library), you could use Sam Spade, which can be found at http://www.samspade.org. Sam Spade can do an nslookup, whois, and traceroute, and find out who owns the netblock of the machine.

This tool will benefit novices the most.

How can I test a system to see if it relays e-mail?

Since mail servers usually reside on port 25, you need to telnet to port 25 of the host that you suspect to be relayable. Once connected, you should see something like this:

220 relay.com ESMTP Sendmail 8.8.7/8.8.7; Sun, 4 Jan 1998 17:54:11 -0500 (EST)
                    ^^^^^^^^^^^^^^^^^^^^
Take note of the MTA and its version number. To start, type:

HELO somesite.com
with whatever domain name you want. While the name doesn't matter, I like to use "forged" or something similar so I can tell apart this e-mail when I get it. This value will appear in the Received: header that the site generates.

Now type:

mail from: address
with whatever address you want. This is the address that will appear in the From_ header at the start of the e-mail.

Type:

rcpt to: your e-mail address
This will tell the system where to send the e-mail. Note that you can type this line multiple times with multiple e-mail addresses. This is how a spammer sends an e-mail to thousands of people at once.

Now, type:

DATA
At this point, you can enter in your e-mail message. I would suggest putting in at least a Subject: header, with a space after the colon and separating the headers from the body by an empty line. However, no headers are necessary.

To finish the e-mail, type a period at the start of a line and hit enter. If you made it this far and the server returned a message saying that the message was accepted for delivery, then it is very likely that the server allows relaying, at least from your particular IP address.

However, Stephen J Friedl warns that some servers use front ends which accept SMTP connections on port 25, then pass the e-mail to another server or program which does the real processing. In these cases, your message may not be relayed even though it appears otherwise. The only way to make certain that a particular server does do relaying is to see if you actually get the e-mail that you sent.

Also, to see if the server logs the original IP address and does a reverse DNS on your host, check the Received: header that the server generated.

For further information, read RFC 821 (SMTP commands) and RFC 822 (the format of e-mail). The faqs.org site has slightly more readable versions of each.
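
As an added example (not the FAQ's own), here is a Python version of the first three steps of the procedure above, written for checking a server you administer: it issues HELO, MAIL FROM and RCPT TO for an off-site address and reads the RCPT reply, stopping before DATA so nothing is delivered. The RelayPolicyServer class, the example.test / elsewhere.test names and the HELO name "forged" are constructed stand-ins so the check runs offline; check_own_server does the same exchange over smtplib.

```python
import smtplib


class RelayPolicyServer:
    """Offline stand-in for an MTA, exposing the smtplib.SMTP method names the
    check below uses (helo/mail/rcpt). It models only the RCPT TO decision:
    accept recipients in its own domains from anyone, and accept anything
    else only when misconfigured as an open relay. Responses are (code, bytes)
    tuples, the same shape smtplib returns."""

    def __init__(self, name, local_domains, open_relay=False):
        self.name = name
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.transcript = []            # what the client sent, for inspection

    def helo(self, name=""):
        self.transcript.append(f"HELO {name}")
        return 250, f"{self.name} Hello {name}".encode()

    def mail(self, sender):
        self.transcript.append(f"MAIL FROM:<{sender}>")
        return 250, b"Sender ok"

    def rcpt(self, recipient):
        self.transcript.append(f"RCPT TO:<{recipient}>")
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains or self.open_relay:
            return 250, b"Recipient ok"
        return 550, b"Relaying denied"


def relay_check(conn, helo_name, sender, external_recipient):
    """Walk the HELO / MAIL FROM / RCPT TO steps from the procedure above and
    stop there: a 250 to a recipient outside the server's own domains means it
    has agreed to relay, a 5xx means it refused. No DATA is sent, so nothing
    is delivered. Returns (relays, rcpt_code, rcpt_text). As the section
    notes, a front end that accepts and later discards will still answer 250
    here; only receiving the test message settles that case."""
    code, text = conn.helo(helo_name)
    if code != 250:
        raise RuntimeError(f"HELO rejected: {code} {text!r}")
    code, text = conn.mail(sender)
    if code != 250:
        raise RuntimeError(f"MAIL FROM rejected: {code} {text!r}")
    code, text = conn.rcpt(external_recipient)
    return code == 250, code, text.decode(errors="replace")


def check_own_server(host, helo_name, sender, external_recipient, port=25, timeout=30):
    """The same check over a real TCP connection to a server you administer;
    the context manager sends QUIT when the check is done."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        return relay_check(conn, helo_name, sender, external_recipient)


if __name__ == "__main__":
    # Constructed servers: one configured correctly, one wide open.
    strict = RelayPolicyServer("mail.example.test", ["example.test"])
    wide_open = RelayPolicyServer("relay.example.test", ["example.test"], open_relay=True)
    for srv in (strict, wide_open):
        relays, code, text = relay_check(srv, "forged", "test@forged", "someone@elsewhere.test")
        print(f"{srv.name}: {code} {text} -> {'RELAYS' if relays else 'refuses relay'}")
```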
