Spam Reviews: How to track spammers
Unless you're the type who likes finding out how to seduce women subliminally, lose 30 pounds in less than six hours, or earn $5,000 a month while sleeping, you face the daily accumulation of offal appearing in your inbox and wonder if there isn't something you can do besides simply deleting it. There is, but you'll have to do some detective work and learn a few things about e-mail headers.
There are a few tools that you'll need before you launch your anti-spam campaign:
- nslookup, which translates an IP address into a domain name,
- whois, which gives you domain address and contact information, and
- traceroute, which tells you the path by which your machine reaches another.
How Do We Start?
First, we need to determine the proper places to send our complaint. Forget about sending a nastygram directly to the sender. That information is easily forged, and there is a better than average chance that your nastygram will result in your being added to another mailing list. (While I'm on the subject, never respond to the "do this to remove your name" offer. All that will do is verify your address and get you on more mailing lists.)
All e-mail, even that from spammers, must enter the Internet someplace. It's our job to figure out where that happens. Most Internet service providers dislike spam almost as much as we do since it bogs down system resources, and most will take action against an offender as soon as we tell them about it.
We start by examining the header, that arcane mess that precedes the actual message body. To do that, you'll have to set your mail reader to display the full header info, rather than the four-line default. Check your mail program's manual or online help to learn how.
Before we begin, it is necessary to learn a bit about where e-mail comes from. Although many people think that a message goes directly from my computer to yours, a typical piece of email goes through at least four different computers during its journey. For example, suppose I drop Computer Bits editor Paul Heinlein a note. When it leaves my desk, the header looks something like this:
To: Paul Heinlein <editor@computerbits.com>
From: Gary Shuster <papabear@ix.netcom.com>
Subject: Possible anti-spam article
By the time Paul gets it, the header will look somewhat different:
Return-Path: <papabear@ix.netcom.com>
Received: from dfw-ix13.ix.netcom.com (dfw-ix13.ix.netcom.com [206.214.98.13]) by macbeth.computerbits.com (8.8.5/8.8.5) with ESMTP id KAA22220 for <editor@computerbits.com>; Mon, 17 Nov 1997 10:57:12 -0800
Received: (from smap@localhost) by dfw-ix13.ix.netcom.com (8.8.4/8.8.4) id MAA19835 for <editor@computerbits.com>; Mon, 17 Nov 1997 12:56:49 -0600 (CST)
Received: from prt-or4-29.ix.netcom.com (207.220.32.157) by dfw-ix13.ix.netcom.com via smap (V1.3) id rma019807; Mon Nov 17 12:56:45 1997
Message-Id: <3.0.5.32.19971117105643.007ac3b0@popd.ix.netcom.com>
X-Sender: papabear@popd.ix.netcom.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Mon, 17 Nov 1997 10:56:43 -0800
To: Paul Heinlein <editor@computerbits.com>
From: Gary Shuster <papabear@ix.netcom.com>
Subject: Possible anti-spam article
In-Reply-To: <3.0.32.19971114160055.00a67bb0@macbeth.computerbits.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Each computer which handled my message added something to the header, and it is this additional info we can use to help track spam back to its source. We'll be paying particular attention to the Received: lines. These lines show, in reverse order, the systems an e-mail passed through on its way from sender to recipient. In fact, the Received: lines are the only parts of the header useful to us since spammers can easily forge everything else.
A good rule of thumb is never to believe any part of the header other than Received: lines, and never believe any Received: line you can't verify. Just assume everything else is forged.
Received: lines use a distinct syntax:
Received: from <one system> by <the next system> on <date and time>
The time is expressed as an offset in hours from GMT. The rest of the verbiage contained in the Received: line can be ignored.
In our example, the top Received: line is pretty typical:
Received: from dfw-ix13.ix.netcom.com (dfw-ix13.ix.netcom.com [206.214.98.13]) by macbeth.computerbits.com (8.8.5/8.8.5) with ESMTP id KAA22220 for <editor@computerbits.com>; Mon, 17 Nov 1997 10:57:12 -0800
Demystified, this says that a mail server called macbeth at computerbits.com received a message from a mail server calling itself dfw-ix13.ix.netcom.com on Mon, 17 Nov 1997 at 10:57:12 local time, which is eight hours behind GMT, or PST.
Notice I said "calling itself." We don't know yet if the domain is real or bogus. Have a look at the phrase in parentheses. The receiving computer automatically logs the IP address of the sender, and some will also do a reverse lookup to verify the domain name. If the two agree, you can be reasonably certain that the domain is legitimate. In this case, it says that the IP address logged really is a server at Netcom. In cases where the IP address resolves to something else, always believe the IP address.
Now is a good time to note that the actual domain name is ix.netcom.com. The dfw-ix13 is a specific computer within the domain, and may be ignored for our purposes.
If the mail handler doesn't have the automatic lookup feature, you'll have to track this information down yourself using nslookup. nslookup will handle either domain names or IP addresses, and when we run it on 206.214.98.13, we get
Host name: dfw-ix13.ix.netcom.com
IP address: 206.214.98.13
Alias(es): None
In other words, that Received: line wasn't lying: 206.214.98.13 really is dfw-ix13.ix.netcom.com.
A Word About Relaying
Before the Net became as all-encompassing as it is today, it was considered good netiquette for a server to relay messages from a domain on one network to a domain on another. Because relaying is no longer needed, many ISPs, especially those in the US, have blocked access to that facility. (They are "closed," to use industry parlance.)
However, there are still "open" servers elsewhere in the world, and once spammers have located such a server, they route their trash through it, in a process known as either hijacking or pirating.
Hijacked servers are easy to spot, because they have no relationship to either the sender or the recipient. Legitimate e-mail generally goes from one mail handler to another in a fairly organized process, which is easily followed by looking at the Received: lines. If you are examining a header and run across a line which says it was sent to you from hauptstadt.penzberg.de or some such, you can be pretty sure that the server was hijacked.
Let's Get Serious
The header information for a typical unsolicited message looks something like this:
Return-Path: <scarevi78@msn.com>
Received: from marketbiz.com ([207.159.141.4]) by ixmail1.ix.netcom.com (8.8.7-s-4/8.8.7/(NETCOM v1.01)) with ESMTP id KAA08287; ; Sun, 7 Dec 1997 10:52:42 -0800 (PST)
From: scarevi78@msn.com
Received: from marketbiz.com (port15.plea.prodigy.net 204.237.182.15]) by marketbiz.com (8.8.7/8.8.5) with SMTP id KAA07188; Sun, 7 Dec 1997 10:51:42 -0800 (PST)
Received: from mailhost.webtrak.com(alt1.delphi.com(218.2.61.29)) by delphi.com (8.8.5/8.6.5) with SMTP id GAA05357 for ; Sun, 07 Dec 1997 13:43:41 -0600 (EST)
Date: Sun, 07 Dec 97 13:43:41 EST
To: Friend@public.com
Subject: Make $$$ Fast
Message-ID: <71940249278.SWA08874@delphi.com>
X-PMFLAGS: 34078848 0
X-UIDL: n67dc78bvc34fv90mbaz67kn3cx5vs28
Comments: Authenticated sender is <ritz78654@delphi.com>
The first Received: line can't be forged since it's added by the receiving computer. Thus, the message really did originate from a computer whose IP address is 207.159.141.4. Whether or not it really is marketbiz.com remains to be seen.
Running a DNS Lookup tells us that 207.159.141.4 is really something called lightrealm.net. So let's use whois to see if marketbiz.com is real or not:
ACS Hi-Tech Media MARKETBIZ-DOM
3615 Halekipa Place
Honolulu, HI 96816
US
Domain Name: MARKETBIZ.COM
Administrative Contact:
Cabanilla, Flor M FMC12 funix@JUNO.COM
808-737-3064
Technical Contact, Zone Contact:
DNS Administrator DA352-ORG dns@LIGHTREALM.COM
tel.: 206-827-0900 fax.: 206-827-8244 http://www.lightrealm.com
Billing Contact:
Cabanilla, Flor M FMC12 funix@JUNO.COM
808-737-3064
So it is a real domain after all, and appears to have something of an incestuous relationship with lightrealm.com.
The second Received: line says that Lightrealm got the message from Prodigy. This, too, checks out when you run DNS Lookup.
However, the third Received: line is a phony. You can tell quickly by looking at the timestamp. "-0600 (EST)" is incorrect. EST is five hours behind GMT, so it should say, "-0500 (EST)." You can safely ignore the rest of the header, since once you find one forged line it's a safe bet that all lines below it are phony. (By the way, any IP address containing a number greater than 255 is also a phony.)
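The checks described above (parse each Received: line top-down, compare the logged IP address against the name the sender claims, reject any octet over 255, reject a zone abbreviation that disagrees with its numeric offset, and stop trusting the chain at the first forgery) can be scripted. The following Python is an added example, not code from the article or from Spam Reviews. It assumes a small zone-offset table of common North American zones plus GMT, and it replaces nslookup with a constructed reverse-DNS table so the script runs offline; the sample header is the one quoted above with the missing "[" restored, and the FAKE_RDNS answers are ours, modelled on what the article reports.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed zone table: numeric offset each abbreviation should carry (EST -> -0500 is the article's rule).
ZONE_OFFSETS: Dict[str, str] = {
    "PST": "-0800", "PDT": "-0700", "MST": "-0700", "MDT": "-0600", "CST": "-0600",
    "CDT": "-0500", "EST": "-0500", "EDT": "-0400", "GMT": "+0000", "UTC": "+0000",
}

# Constructed reverse-DNS answers standing in for nslookup (the table is ours, not real DNS data).
FAKE_RDNS: Dict[str, str] = {
    "207.159.141.4": "lightrealm.net",
    "204.237.182.15": "port15.plea.prodigy.net",
    "206.214.98.13": "dfw-ix13.ix.netcom.com",
}

# Constructed sample: the article's spam header, one header per line, bracket restored.
SAMPLE_HEADER = """Return-Path: <scarevi78@msn.com>
Received: from marketbiz.com ([207.159.141.4]) by ixmail1.ix.netcom.com (8.8.7-s-4/8.8.7/(NETCOM v1.01)) with ESMTP id KAA08287; ; Sun, 7 Dec 1997 10:52:42 -0800 (PST)
From: scarevi78@msn.com
Received: from marketbiz.com (port15.plea.prodigy.net [204.237.182.15]) by marketbiz.com (8.8.7/8.8.5) with SMTP id KAA07188; Sun, 7 Dec 1997 10:51:42 -0800 (PST)
Received: from mailhost.webtrak.com(alt1.delphi.com(218.2.61.29)) by delphi.com (8.8.5/8.6.5) with SMTP id GAA05357 for ; Sun, 07 Dec 1997 13:43:41 -0600 (EST)
Date: Sun, 07 Dec 97 13:43:41 EST
To: Friend@public.com
Subject: Make $$$ Fast
"""


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_RDNS.get(ip)


@dataclass
class Hop:
    from_host: str = ""
    by_host: str = ""
    ip: str = ""
    resolved: Optional[str] = None
    offset: str = ""
    zone: str = ""
    notes: List[str] = field(default_factory=list)
    forged: bool = False


def unfold(header: str) -> List[str]:
    """Join continuation lines (leading whitespace) back onto their header line."""
    lines: List[str] = []
    for line in header.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    return lines


def ip_is_valid(ip: str) -> bool:
    """Dotted quad with every octet in 0..255: the article's 'greater than 255' test."""
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def domain_of(host: str) -> str:
    """Domain approximation: the last two labels (dfw-ix13.ix.netcom.com -> netcom.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_received(line: str, resolver: Callable[[str], Optional[str]]) -> Hop:
    hop = Hop()
    m = re.match(r"Received:\s*from\s+([^\s(]+)", line)
    hop.from_host = m.group(1) if m else ""
    m = re.search(r"\bby\s+([^\s(]+)", line)
    hop.by_host = m.group(1) if m else ""
    m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", line)      # first dotted quad = logged sender IP
    hop.ip = m.group(1) if m else ""
    m = re.search(r"([+-]\d{4})(?:\s*\(([A-Za-z]{3,4})\))?\s*$", line)
    if m:
        hop.offset, hop.zone = m.group(1), (m.group(2) or "").upper()
    if hop.ip and not ip_is_valid(hop.ip):               # check 1: impossible address
        hop.notes.append(f"impossible IP address {hop.ip}")
        hop.forged = True
    expected = ZONE_OFFSETS.get(hop.zone)                # check 2: zone vs numeric offset
    if expected and expected != hop.offset:
        hop.notes.append(f"{hop.zone} should be {expected}, not {hop.offset}")
        hop.forged = True
    if hop.ip and ip_is_valid(hop.ip):                   # check 3: claimed name vs reverse DNS
        hop.resolved = resolver(hop.ip)
        if hop.resolved is None:
            hop.notes.append("no reverse DNS; rely on the IP address")
        elif domain_of(hop.resolved) != domain_of(hop.from_host):
            hop.notes.append(f"claims {hop.from_host} but IP is {hop.resolved}; believe the IP")
    return hop


def trace(header: str, resolver: Callable[[str], Optional[str]] = fake_resolver) -> List[Hop]:
    """Received: hops in header order (nearest the recipient first); everything below the first forgery is discarded."""
    hops = [parse_received(l, resolver) for l in unfold(header) if l.startswith("Received:")]
    seen_forgery = False
    for hop in hops:
        if seen_forgery:
            hop.forged = True
            hop.notes.append("below a forged line; discard")
        seen_forgery = seen_forgery or hop.forged
    return hops


def trusted_path(header: str, resolver: Callable[[str], Optional[str]] = fake_resolver) -> List[str]:
    """The systems the message verifiably passed through, from origin toward the recipient."""
    hops = trace(header, resolver)
    path = [h.resolved or h.ip for h in reversed(hops) if not h.forged]
    return path + [hops[0].by_host] if hops else path


if __name__ == "__main__":
    for hop in trace(SAMPLE_HEADER):
        print("FORGED" if hop.forged else "ok    ", hop.from_host, hop.ip, "->", hop.by_host, "; ".join(hop.notes))
    print("path:", " -> ".join(trusted_path(SAMPLE_HEADER)))
```

Run against the sample, the first two hops survive with notes that the claimed name marketbiz.com does not match the reverse lookup (so the IP is believed), the third hop is rejected on the EST mismatch, and the recovered path is Prodigy to Lightrealm to the Netcom mail server, which is the article's conclusion. Swapping fake_resolver for a function that calls socket.gethostbyaddr turns it into the live nslookup step.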
So, what do we know? We know that this piece of mail went from Prodigy to Lightrealm to me. What we don't know is whether or not Lightrealm is guilty of complicity or simply an innocent bystander. Let's find out.
A good place to start is the domain's Web site. (Use http://www.domain.name, in this case http://www.lightrealm.com/.) Most mainstream providers will have stated in their Policies and Procedures that spamming is grounds for termination. Lightrealm appears to have no such policy, which may mean that as far as it's concerned, spam is OK.
What about marketbiz.com? Hmm, it doesn't appear to have a Web site. Now what?
Using traceroute
traceroute tells you the Internet route by which one computer can contact another. It should be used only on the domain which actually passed the message to your server. A traceroute from my computer back to Lightrealm provides the following information:
Trace 207.159.141.4 ...
165.236.129.1 RTT: 144ms TTL: 0 (prt-or-gw1.netcom.net)
165.236.138.57 RTT: 169ms TTL: 0 (h0-024-stl-wa-gw1.netcom.net)
163.179.232.54 RTT: 306ms TTL: 0 (h4-0-1-scl-ca-gw3.netcom.net)
163.179.232.62 RTT: 189ms TTL: 0 (h4-0-mae-west.netcom.net)
198.32.136.11 RTT: 182ms TTL: 0 (sl-mae-w-F0/0.sprintlink.net)
144.228.10.45 RTT: 183ms TTL: 0 (sl-bb2-stk-2-0-T3.sprintlink.net)
144.232.4.69 RTT: 172ms TTL: 0 (sl-bb11-stk-4-2-155M.sprintlink.net)
144.232.8.30 RTT: 181ms TTL: 0 (sl-bb4-sea-5-0-0.sprintlink.net)
144.228.90.6 RTT: 196ms TTL: 0 (sl-gw4-sea-0-0.sprintlink.net)
144.228.96.6 RTT: 197ms TTL: 0 (sl-televar-1--T3.sprintlink.net)
207.159.128.17 RTT: 202ms TTL: 0 (sea-core1-f500.lightrealm.net)
207.159.141.4 RTT: 216ms TTL:242 (No rDNS)
What we can tell from that information is that Lightrealm connects to the Internet using Sprint (hence the many hops through sprintlink.net).
This means that our complaints should go to three places:
- Prodigy, the message's earliest legitimate point of origin
- Lightrealm, the administrative contact for Marketbiz, and
- Sprint, the company providing Internet access to Lightrealm.
Sending a Complaint
Once you're ready to complain, for a list of complaint addresses. If you don't find the domain you're after, address your complaint to postmaster@the-domain. All domains must have a monitored address called postmaster so if you get an undeliverable message bounce-back from the first letter of complaint, send the second to postmaster. You can also run whois and notify the administrator.
Make sure that you forward the entire header. Without it, the ISP can do nothing. You can safely delete the message body, although if the spammer has included a Web reference or contact e-mail address, you should pass it along. (In spite of arguments to the contrary, junk mailers are human. I have seen spam in which the mailer took great pains to disguise the header -- then used his real e-mail address in the body.)
A couple of notes on getting a helpful response to your complaint:
- Be polite. It's possible the domain to which you're complaining is also an innocent victim, and it won't do your cause any good to talk disparagingly about his ancestry or eating habits.
- Be patient. Many ISPs are inundated with spam complaints, and replies can be spotty. Sometimes you'll get an automatic reply; sometimes nothing. Sometimes you'll get a personal note that the offender's account has been terminated. That makes all the extra work worthwhile.
All articles and reviews are copyright 2004, Spam Reviews. All Rights Reserved.
Spam Reviews(http://www.SpamReviews.com) delivers objective news and reviews about the best and the worst spam filtering products.