Spam Wars - An Example of the Battle...

If you have time, and you're getting fed up with a repeat spammer who keeps sending more and more garbage your way, you can try to find out where the messages are really coming from and get in contact with the people who run the systems the spammer's account lives on.  Often the people responsible for a system don't know they have a spammer in their midst and, once told, will most likely remove the spammer's account.  If they don't remove it, they may at least get the spammer to be more selective about who they send junk to.
 
The methods described below are somewhat simple to use, provided you can find the information you need, and you prepare ahead a little.
  • Start by composing a generic note that you can send to the ISP(s) a spammer may be operating from. Write it in a simple text editor so you can quickly copy it and paste it into an email message. Remember that your audience is the people in charge of the spammer's site, not the spammer himself - you're asking them to get their user under control.  Be polite if possible, but be stern and brief about not wanting any more junk email from this spammer.  You may want to create a series of letters that fit most situations if one won't cover them all; that way you won't have to spend time being creative each time you decide to take the battle to the spammer.  Keep the letter(s) on disk for use when the time comes.  Here is a very short example.
  • When you do get some spam, you need to obtain the key addresses to send your complaint to.  These are not the spammer's, but those of the people responsible for the system the spammer uses.  The key information can be found in the junk mail itself:

  • First, get to the complete header of the email, as described above.  You're looking to see if you can find out where the spam really came from:

    In the header, you'll find the complete routing of the email as far as it has been recorded as a series of Received: lines.  They look something like this example from a C|NET article about spam:

    Received: from ez0.ezlink.com (ftp.ezlink.com [199.45.150.1]) by central.cnet.com (8.8.5/8.8.5) with ESMTP id UAA23577; Mon, 27 Oct 1997 20:03:42 -0800 (PST)
    Received: from 199.45.150.1 (PPP05.omn.com [204.144.174.56]) by ez0.ezlink.com (8.8.5/8.8.4) with SMTP id UAA09342; Mon, 27 Oct 1997 20:24:11 -0700
    Spammers can't alter the dimension of time - each timestamp is set by the server that relayed the message - so the Received: lines reveal the chronological route of the message.  Each server adds its own Received: line to the top of the stack as the message passes through, so the top line was written by your own mail server (the one you can trust) and the oldest line, usually at the bottom, normally marks the origin of the email.  Convert the timestamps to a common time zone before comparing them: in the example the two lines carry different offsets (-0800 and -0700), and the bottom line, 20:24:11 -0700, is actually about forty minutes earlier than the top line, 20:03:42 -0800.  Beware of forged lines, which a spammer can put in before the message is sent; they usually give themselves away by breaking the chronological order or by not chaining properly (the host named after "by" in one line should be the host that the line above it says it received the message from).  Work down from the top and stop trusting the stack at the first line that doesn't fit.  Don't trust the name right after "from" - that is whatever the sending machine claimed to be called - and look at the information inside the parentheses instead, which the receiving server recorded itself: the name it got from a reverse lookup of the connecting address and, in square brackets, the IP address it was actually talking to.  In the example above, this piece of email came from PPP05.omn.com [204.144.174.56].
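Here is that reading of the Received: stack as code - an added example, not something from the original page or the C|NET article. It parses the two lines quoted above (sendmail's "from HELO (rdns [ip]) by host ...; date" format), walks down from your own server, and stops trusting the stack at the first line that doesn't chain to the one above it or that is newer than it. The FORGED_LINE and its 192.0.2.10 address are constructed to show what a pre-inserted fake line looks like.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed input: the two Received: lines quoted above, in header order
# (top of the header first), with any line folding already undone.
SAMPLE_RECEIVED = [
    "from ez0.ezlink.com (ftp.ezlink.com [199.45.150.1]) by central.cnet.com "
    "(8.8.5/8.8.5) with ESMTP id UAA23577; Mon, 27 Oct 1997 20:03:42 -0800 (PST)",
    "from 199.45.150.1 (PPP05.omn.com [204.144.174.56]) by ez0.ezlink.com "
    "(8.8.5/8.8.4) with SMTP id UAA09342; Mon, 27 Oct 1997 20:24:11 -0700",
]

# Constructed forged line, as a spammer might pre-insert it below the real ones.
# 192.0.2.0/24 and example.* are reserved documentation values, not a real host.
FORGED_LINE = ("from mail.example.com (mail.example.com [192.0.2.10]) by relay.example.net "
               "with SMTP id XYZ; Tue, 28 Oct 1997 09:00:00 +0000")

# sendmail-style line: "from <HELO name> (<reverse DNS> [<IP>]) by <host> ...; <date>".
# The HELO name is whatever the client claimed; the parenthesised part is what
# the receiving server observed itself.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$",
    re.DOTALL,
)


def parse_received(line):
    """Split one Received: line into its fields; None if it isn't in this format."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    hop = m.groupdict()
    date = re.sub(r"\s*\([^)]*\)\s*$", "", hop["date"].strip())  # drop a trailing "(PST)"
    hop["when"] = parsedate_to_datetime(date).astimezone(timezone.utc)
    return hop


def trace_origin(received_lines):
    """Walk the stack from your own server downward, trusting each line only if it
    chains to the one above it and is not newer than it.  The last trusted line's
    parenthesised IP is the best estimate of where the message entered the mail system."""
    hops = [h for h in map(parse_received, received_lines) if h]
    trusted, warnings = [], []
    for i, hop in enumerate(hops):
        if trusted:
            above = trusted[-1]
            # the server that stamped this line must be the one the line above received from
            expected = {above["helo"].lower(), (above["rdns"] or "").lower(), above["ip"]}
            if hop["by"].lower() not in expected:
                warnings.append(f"line {i}: 'by {hop['by']}' does not match the sender "
                                f"recorded above ({above['helo']}); treating it as forged")
                break
            if hop["when"] > above["when"]:
                warnings.append(f"line {i}: timestamp {hop['when']:%Y-%m-%d %H:%M:%S}Z is "
                                f"later than the hop above; treating it as forged")
                break
        trusted.append(hop)
    return {"origin": trusted[-1] if trusted else None,
            "trusted_hops": trusted, "warnings": warnings}


if __name__ == "__main__":
    result = trace_origin(SAMPLE_RECEIVED + [FORGED_LINE])
    print(result["origin"]["rdns"], result["origin"]["ip"])
    for w in result["warnings"]:
        print("warning:", w)
```

With only the two genuine lines the origin comes out as PPP05.omn.com [204.144.174.56] with no warnings; with the forged line appended at the bottom, the chain check rejects it and the origin stays the same.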
     
  • If you have access to the traceroute program (called tracert under Windows 95 and Windows NT, and traceroute or a variant under Unix) as well as the program nslookup, you can trace the route to the IP address inside the square brackets and see whether the name traceroute shows for the last hop matches the one in the parentheses.  Traceroute names each hop by a reverse DNS lookup of its address, just as the receiving mail server did, so the two should agree.  A trace of the IP address 204.144.174.56 would yield something like:
    *** Trying to Trace Route to host: 204.144.174.56
    1  143 ms [204.133.28.254] dialup.example.net
    2  138 ms [205.169.234.254] x7505.example.net
    3  130 ms [204.131.250.42] x7505-x7505.sl.example.net
    4  130 ms [4.0.208.253] denver-cr1.bbnplanet.net
    5  132 ms [4.0.208.253] denver-cr1.bbnplanet.net
    6  133 ms [4.0.52.6] denver-cr2.bbnplanet.net
    7  175 ms [199.45.132.172] gw58.boulder.co.coop.net
    8  155 ms [199.45.133.250] not available
    9  148 ms [192.168.2.1] not available
    10  143 ms [199.45.150.11] gw0.ezlink.com
    11  144 ms [192.168.1.1] not available
    12  144 ms [199.45.150.129] worf.omn.com
    13  146 ms [204.144.174.7] miles.omn.com
    14  289 ms [204.144.174.56] PPP05.omn.com
    *** Done.
    The first few hops are on the network you're initiating the search from (not the spammer); the middle ones are the backbone routers between the two networks (also not the spammer); and the last few are inside the network where the spam originated.  Hops marked "not available" simply have no reverse DNS name, and the ones in 192.168.x.x are private addresses used inside an ISP's own network, so they can't be looked up from outside.  If traceroute doesn't give up (rows of asterisks, or a message that the host is unreachable) and makes it to the same IP address as was found in the spam, you've located the machine the email came from.  In the example, we got back PPP05.omn.com again.  Traceroute could also have returned another name for the same IP address, which might indicate a parent ISP is renting out address space to the spammer's ISP.  Note that a name like PPP05 usually belongs to a dial-up port whose address is handed to whoever dials in next, so what you've really identified is the ISP and the time of the call; include the date, time and time zone from the Received: line in your complaint so the ISP can work out which account was connected.

    With the proliferation of sites where anybody can register a domain name, spammers are registering names by the thousands.  Often these domains are hosted by a larger ISP that leases space on its servers to hundreds of domains at a time.  The nslookup tool is used to find out who is really responsible for the address: a reverse lookup of the IP address tells you which name servers administer that part of the network, which may be a different company from the one whose name appears in the spam.  In the example, nslookup returns:

     

    Header:
       ID=55511, QR=Response, Opcode=QUERY, RCODE=NAME ERROR
       Authoritative Answer=Yes, Truncation=No
       Recursion Desired=Yes, Recursion Available=Yes
       QDCOUNT=1, ANCOUNT=0, NSCOUNT=1, ARCOUNT=0
    Question:
       Name=56.174.144.204.IN-ADDR.ARPA, QTYPE=ALL, QCLASS=1
    Authority Records Section:
    - Name=174.144.204.in-addr.arpa
        Type=SOA, Class=1, TTL=604800 (7 Days), RDLENGTH=43
        Name Server=ez0.ezlink.com, Mailbox=alan.ez0.ezlink.com
        Serial=19990615
        Refresh=86400 (1 Day)
        Retry=3600 (1 Hour)
        Expire=3600000 (41 Days 16 Hours)
        Minimum TTL=604800 (7 Days)
    ---
    The nslookup output is actually a NAME ERROR - at the time of the query there was no record for 56.174.144.204.IN-ADDR.ARPA itself - but the Authority Records section is the useful part: the SOA record for 174.144.204.in-addr.arpa names ez0.ezlink.com as the primary name server and alan.ez0.ezlink.com as the responsible mailbox (the first dot in an SOA mailbox stands for the @, so that is alan@ez0.ezlink.com).  In other words, ezlink.com administers the reverse DNS for this block of addresses, which indicates that ezlink.com is the ISP from whence the spam came.  To verify this, the whois tool can be used to determine who is assigned the pool of IP addresses containing the address of the machine that sent the spam.  Since whois is largely a network-based tool and isn't included with every operating system, a web-based version is supplied below and on the tools page.  In our example, a whois search on IP address 204.144.174.56 yields the following:
     
     
    EZ Link (NETBLK-EZLINK2-NET-1)
            304 Westward Dr
            Fort Collins, CO 80521
            US

            Netname: EZLINK2-NET-1
            Netblock: 204.144.174.0 - 204.144.174.255

            Coordinator:
               Wendt, Alan  (AW58-ARIN)  alan@EZLINK.COM
               970-482-0807

            Domain System inverse mapping provided by:

            NS1.XOR.COM                  192.108.21.1 192.225.33.1
            COOPNEWS.COOP.NET            199.45.255.1

            Record last updated on 19-May-1998.
            Database last updated on 10-Jan-2000 17:24:40 EDT.

         The ARIN Registration Services Host contains ONLY Internet
         Network Information: Networks, ASN's, and related POC's.
         Please use the whois server at rs.internic.net for DOMAIN related
         Information and nic.mil for NIPRNET Information.

    The results show that EZ Link holds the range of IP addresses 204.144.174.0 - 204.144.174.255, and our spammer's IP address falls within this range (always check that the address really does fall inside the block shown before using the contacts in the record).  What to do with this information is described below, after a brief discussion of some web-based versions of the tools described above...
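The checks the nslookup and whois paragraphs above rely on, as an added example that is not part of the original page: confirming the spammer's address really lies inside the whois netblock, building the in-addr.arpa name that nslookup queries, turning the SOA mailbox alan.ez0.ezlink.com into an email address, and listing the contacts to write to. The whois and SOA excerpts are copied from the records shown above; postmaster@ and abuse@ at the coordinator's domain are added on the strength of RFC 2142 (postmaster@ must exist at any mail domain; abuse@ is the conventional complaint mailbox), not from anything in the records themselves.

```python
import ipaddress
import re

# Constructed excerpts of the whois record and nslookup SOA quoted above.
WHOIS_TEXT = """EZ Link (NETBLK-EZLINK2-NET-1)
        Netname: EZLINK2-NET-1
        Netblock: 204.144.174.0 - 204.144.174.255

        Coordinator:
           Wendt, Alan  (AW58-ARIN)  alan@EZLINK.COM
"""
SOA_MAILBOX = "alan.ez0.ezlink.com"   # the Mailbox= field in the SOA record above


def reverse_name(ip):
    """The in-addr.arpa name nslookup asks for, e.g. 56.174.144.204.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def netblock_from_whois(whois_text):
    """Turn the 'Netblock: a - b' line into a list of CIDR networks."""
    m = re.search(r"Netblock:\s*([\d.]+)\s*-\s*([\d.]+)", whois_text)
    if not m:
        raise ValueError("no Netblock line in whois output")
    start, end = (ipaddress.ip_address(x) for x in m.groups())
    return list(ipaddress.summarize_address_range(start, end))


def ip_in_netblock(ip, whois_text):
    """True only if the address is inside the block the whois record describes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblock_from_whois(whois_text))


def soa_mailbox_to_email(rname):
    """RFC 1035 RNAME: the first unescaped dot stands for '@'; a backslash-escaped
    dot is a literal dot in the local part."""
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
        elif c == ".":
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(c)
            i += 1
    return "".join(local)


def complaint_contacts(ip, whois_text, soa_mailbox):
    """Collect who to write to: whois coordinator, SOA mailbox, and the standard
    postmaster@/abuse@ boxes (RFC 2142) at the coordinator's domain."""
    if not ip_in_netblock(ip, whois_text):
        raise ValueError(f"{ip} is outside the netblock; this whois record describes "
                         "someone else's network")
    contacts = set()
    for email in re.findall(r"[\w.+-]+@[\w.-]+\w", whois_text):
        email = email.lower()
        domain = email.split("@", 1)[1]
        contacts.update({email, f"postmaster@{domain}", f"abuse@{domain}"})
    contacts.add(soa_mailbox_to_email(soa_mailbox).lower())
    return sorted(contacts)


if __name__ == "__main__":
    print(reverse_name("204.144.174.56"))
    print(complaint_contacts("204.144.174.56", WHOIS_TEXT, SOA_MAILBOX))
```

An address just outside the block, such as 204.144.175.1, makes complaint_contacts refuse rather than send your complaint to the wrong network's staff.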
     
    If you don't have access to the tools described above, go to my Spam Wars - The Tools page and use the web-based tools to do the job.  In most cases they're just as fast as what you would find in the software that you could run on your machine, and many will provide more information than you'll get from the computer-based programs.

    I used to have the same tools as on Spam Wars - The Tools here on this page, but the tediousness of trying to keep both sets up to date as the search engines changed from time to time really got to be annoying.  I've described the tools in detail here, and then provided links that will take you directly to the tool in question should you need it.

       
    • Consumer.Net has a considerable suite of web-based tracing tools, including the Traceroute and Enhanced Trace Tool. Five servers are available should one be down.  There is something new that spammers are using to hide the identities of the servers they spam from, or the true names and/or IP addresses of the web sites they advertise: they write the IP address as a single decimal ("base 10") number.  An ordinary address such as 206.156.18.130 is four bytes; read as one 32-bit number they come to 3466334850, which looks meaningless but which a web browser will accept in a URL.  Consumer.Net's tools can reverse-translate such a number back to the proper dotted IP address, giving you the information you need for your spammer hunt.  If you run across one of these numbers, just tick the "convert base 10" checkbox to have the server address translated.

      If you just want to know who owns the block of servers that a spammer is using, you can perform a Network Lookup search using the IP address where the spam originated.  The search engine once again uses Consumer.Net's resources to perform a reverse-network lookup to determine the owner of a block of IP addresses which contains the one the spammer used.  See above for what the "convert base 10" checkbox does.  (Enter an IP or base 10 address only)
       

       
    • If the Consumer.Net engines aren't working as smoothly as they could, the IPW lookup routine from E-Scrub Technologies, Inc. does the Network Lookup portion of the above and some of the InterNIC registry searching, like the Andover search engine further below.  Consider it a backup, or redundant source of information, if either of the others is down for some reason.  We aerospace engineers like to have redundant systems...
    • Spam Wars - The Tools / E-Scrub NSLookup search engine
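The "base 10" trick described above, as an added example that is not part of the original page or of Consumer.Net's tools: a decoder for IP literals as they appear in spam URLs. It handles the single decimal number the page describes and, going a step beyond the page, the hexadecimal, octal and short dotted spellings that the same inet_aton-style address parsing lets a browser accept. The sample body text and the www.example.com host are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def decode_ip_literal(host):
    """Decode any IPv4 literal that inet_aton-style parsers (and so browsers) accept:
    plain dotted decimal, one decimal number such as 3466334850, hex (0xCE9C1282),
    octal parts with a leading 0, and short forms where the last part covers the
    remaining bytes.  Returns dotted decimal, or None if host is not an IP literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            digits = p[2:]
            if not digits or not all(c in "0123456789abcdefABCDEF" for c in digits):
                return None
            values.append(int(digits, 16))
        elif p.startswith("0") and len(p) > 1:
            if not all(c in "01234567" for c in p):      # "08" is not valid octal
                return None
            values.append(int(p, 8))
        elif p.isascii() and p.isdigit():
            values.append(int(p))
        else:
            return None
    n = 0
    for v in values[:-1]:              # leading parts are single bytes
        if v > 255:
            return None
        n = (n << 8) | v
    tail_bytes = 5 - len(values)        # the last part fills the rest of the 32 bits
    if values[-1] >= 1 << (8 * tail_bytes):
        return None
    return str(ipaddress.IPv4Address((n << (8 * tail_bytes)) | values[-1]))


def real_host(url):
    """The host a URL really points at: dotted decimal for an obfuscated IP literal,
    otherwise the host name as written."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    return decode_ip_literal(host) or host


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def expose_hosts(text):
    """Every URL in a message body paired with the host it really points at."""
    return [(url, real_host(url)) for url in URL_RE.findall(text)]


# Constructed spam body text using the page's example address in two disguises.
SAMPLE_BODY = """Constructed spam text: visit http://3466334850/buy now or
see http://0xCE9C1282/deal and http://www.example.com/ for more."""

if __name__ == "__main__":
    for url, host in expose_hosts(SAMPLE_BODY):
        print(f"{url} -> {host}")
```

Feed the decoded dotted address into the same whois/nslookup steps as for the mail server; the host a spam URL advertises is often on a different network from the one that relayed the message, which gives you a second ISP to write to.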
    And now back to the example we were looking at...

    Based on the traceroute and nslookup information, which usually reveals the true source ISP of the spam, you can now start addressing your email complaint.  Almost every system has a person or group designated as the postmaster or email abuse handler who deals with complaints and inquiries about mail from that system; by convention they are reachable as postmaster@ and abuse@ the site's domain.

    I've created a list of email addresses of ISPs which are apparently popular with spammers.  For an ISP to have gotten on this list, I would have had to complain to it two or more times at work, or to have received junk mail from it only once at home.  The table was getting too big to keep here or on the "Tools" page, so the link previously mentioned will open a new window with the table and further explanation of the list of ISPs.

    If the ISP isn't listed in my table, try the list of ISPs who don't tolerate spam at spam.abuse.net for an email address where you can send a complaint, and add it to your list of addressees as well.

     
  • While you're looking at the detailed header information, look for other useful data, such as a From:, Sender:, Reply-To: or Return-Path: address that differs from the one shown when you're not looking at the header.  For example, some spam shows up from someone identifying themselves as eat@louies.com, but on inspecting the detailed header you find a different sender's address listed as spamdude@spamco.com.  The domain name spamco.com is another piece of information that can be fed into a domain name search to obtain more names to send the complaint to.  You may also find ominous-sounding comments hidden in the headers, such as a note that the email didn't originate from the address you just traced.  These are generally stuck in to throw you off the track and can be ignored; only the Received: lines added by servers you trust tell you where the message came from.
  • To recap, your list of people to send your complaint to includes the postmaster of the spammer's system, the people responsible for keeping the site's records straight with the InterNIC, and any complaint addresses listed for the domain name the spammer is sending from.  The list also includes the postmaster of any parent ISP, the responsible contacts listed for it in the InterNIC records, and any complaint addresses found for it.  The list does not include the spammer - as mentioned earlier, sending mail to the spammer tells them you read their junk mail, and they assume you want more.
  • One more place to search for information, if you're willing to spend the time and have the patience, is the content of the junk email itself: look for more email addresses and for web sites that go along with the garbage they're selling.  If you find email addresses at other domain names, do the same searching as above to find out who their service providers and contacts are.  The E-Scrub nslookup tool can be used to find the true name of the ISP hosting a web site listed in a piece of spam by entering the domain name instead of an IP address in the search form.

    Now you can compose your return message:
    1. Fire up your email software and address a message to the contacts found above.
    2. Paste in the complaint message you prepared ahead of time, or compose a more specific one if that's what the situation requires.
    3. Copy the entire spam, including the complete header information, and paste it below your complaint.  (If your mailer can forward a message as an attachment, do that instead - it keeps the headers exactly as they were received.)
    4. Optional: copy and paste the information obtained from any InterNIC database searches into the message.  That way, if your address list includes the contacts listed in the InterNIC databases, they'll know why they were added.
    5. Send it.  You may get some mail back saying that one or two of the addresses don't exist, but the message will almost certainly reach at least the postmaster if you added them, the contacts you found through the nslookup and whois searches, and any complaint addresses found at spam.abuse.net.  Usually that's enough.  If you do get a bounce from a particular site's mail server, read through it as well for more information about your spammer.
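The five steps above carried out in code, as an added example that is not part of the original page: a Python script that builds the complaint, drops the spammer's own addresses from the recipient list, and attaches the original spam as a message/rfc822 part so its headers reach the ISP unmodified. The raw spam, the contact list and the complaint template are constructed for the example; the origin IP and time are the ones the header analysis earlier on this page produced.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample spam, not a real message.  The Received: line is the one from
# the example above; the addresses reuse the page's eat@louies.com and spamco.com
# illustrations and the reserved example.* names.
RAW_SPAM = (
    b"Received: from 199.45.150.1 (PPP05.omn.com [204.144.174.56]) by ez0.ezlink.com"
    b" (8.8.5/8.8.4) with SMTP id UAA09342; Mon, 27 Oct 1997 20:24:11 -0700\r\n"
    b"From: eat@louies.com\r\n"
    b"Reply-To: spamdude@spamco.com\r\n"
    b"To: you@example.org\r\n"
    b"Subject: MAKE MONEY FAST\r\n"
    b"Message-ID: <constructed-0001@example.invalid>\r\n"
    b"\r\n"
    b"Buy now!\r\n"
)

# Constructed contact list; the spammer's reply address is included on purpose to
# show that it gets filtered out.
CONTACTS = ["abuse@ezlink.com", "postmaster@ezlink.com", "spamdude@spamco.com"]

# The prepared generic note; the placeholders are filled in per incident.
COMPLAINT_TEMPLATE = """\
To the postmaster / abuse desk,

I received the unsolicited commercial e-mail attached below.  Its headers show it
was handed to your mail system from {origin_ip} at {when}.  Please deal with the
account responsible and make sure I receive no further mail from this sender.

The complete original message, headers included, is attached unmodified.
{notes}"""


def build_complaint(raw_spam, contacts, sender, origin_ip, origin_time, notes=""):
    """Address the complaint to the ISP contacts (never to the spammer) and attach
    the original message as message/rfc822 so its headers survive intact."""
    original = message_from_bytes(raw_spam, policy=policy.default)
    # anything that appears as the spam's own sender or reply address is dropped
    spammer = set()
    for field in ("From", "Reply-To", "Sender"):
        if original[field]:
            spammer.update(a.addr_spec.lower() for a in original[field].addresses)
    recipients = [c for c in contacts if c.lower() not in spammer]
    if not recipients:
        raise ValueError("no ISP contacts left after removing the spammer's own addresses")

    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = ("Unsolicited mail from your network: "
                      + str(original["Subject"] or "(no subject)"))
    msg.set_content(COMPLAINT_TEMPLATE.format(origin_ip=origin_ip, when=origin_time,
                                              notes=notes))
    msg.add_attachment(original)   # a Message object becomes a message/rfc822 part
    return msg


if __name__ == "__main__":
    complaint = build_complaint(RAW_SPAM, CONTACTS, "you@example.org",
                                "204.144.174.56", "Mon, 27 Oct 1997 20:24:11 -0700",
                                notes="whois: 204.144.174.0 - 204.144.174.255 is EZLINK2-NET-1")
    print(complaint.as_string())
```

Hand the result to smtplib or save it as a draft; attaching the spam instead of pasting it is the one change from the steps above, and it is what makes the Received: lines usable at the other end.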

The next page has additional sites & links to software that deal with spam control...

This page last updated May 22, 2000