Step one is to look at all the headers of the message.
News/email readers normally show only a subset of the available
headers to avoid screen clutter. Select the option that makes the
hidden headers visible. In Netscape select
Options/Show all headers, in MSWIN
Pegasus press ^H, in Pine press
H, in VM press t and in
NewsExpress select File/ Options/ Compose/
Include Headers. Other news/email readers have similar
options.
Important headers are:
- From:
- Sender:
- X-Sender:
- Reply-To:
- Errors-To:
- Return-path:
- Message-id:
- Path:
- Received:
All contain a network host name that may give you a clue as to who
the spammer is. However, any or all of them may be faked. It is common
for spammers to send email from a throwaway account at one site and
solicit replies at other sites, so you may need to track down two or
more network locations. Make a list of all host names mentioned in
the headers and in the body of the message. These are the parts to the
right of the @ sign in email addresses, between
// and / in web links, in the last
Received: header and at the right end of
the Path: between !'s.
Path: gives the list of hosts a news item passed
through, from the poster's site at the right end to get to your site
at the left end. One or more entries on the right end may be faked so
you may need to cooperate with others to track down which host in the
Path: list the message was injected at.
Like the Path: header Received: headers
are a list of sites the message passed through in reverse order but
with only one host name per header. Again, the bottom entries (earlier
timewise) in the Received: list may be faked. It is also
possible for spammers to relay email via a third party so that the
Received: header before your site's
Received: headers may be a victim too. They're slack
though as they should've configured their mail servers not to relay
third party email. Some spammers also pretend to be innocent relay
sites by forging additional Received: headers and lying
in response to complaints; complain to the so-called `relay' site's
ISP if you suspect this is the case.
Since intermediate sites always prepend headers then those
higher in the list are much less likely to be forged than those
further down.
Even with normal, non-faked operation not all hosts or network
routers a message passes through are recorded in the
Path: or Received: headers. Use TRACEROUTE
to get a more complete
list.
Host names usually have machine name and domain name parts. For
example kryten.eng.monash.edu.au has a machine name of
kryten and domain name of eng.monash.edu.au
(engineering faculty, monash university,
education sector, australia) with larger
domains monash.edu.au, edu.au and
au. Look at your list of host names and see if you can
add some local domain names to the list by stripping machine names
from host names. This is a trial and error procedure and may not
always give a valid result.
Some of the host/domain names you've discovered may actually be
a numerical network IP address eg. kryten's
is 130.194.140.2. See in my links page how
to find a host name given an IP
address and how to find
an IP address given a host name. Add any new host/domain
names discovered to your list. IP addresses can have
zero, one or several host names. Host names can have zero, one
or several IP addresses.
Some hosts and domains designate one or more hosts to handle any
email directed to them. Use a tool like the freeware (actually postcardware) and
very good CyberKit (copyright 1996 by Luc Neijens, Luc, you are invited to dinner
by fravia+ :-)
to find out if there are any such
hosts.
DIG queries domain name servers for information
about the host/domain names you've found. It gives a mess of
information, most of which you can ignore. You're not normally
interested in addresses associated with the site where DIG was run (in
this case ?.monash.edu.au and 130.194.?.?) and you're also not
interested in the NS and other records of the name
servers that supplied the information, just the info related to the
host/domain you queried. This is in the ;; ANSWERS:
section and is the A internet IP address
records, the MX mail exchanger records and the
PTR pointer to host name records. If they don't exist
then the ;; ANSWERS: section will be empty or
non-existent. The ;; AUTHORITY RECORDS: and ;;
ADDITIONAL RECORDS: sections tell you what domain name
server[s] are responsible for the part of the domain name system (DNS)
you have queried.
Any email sent to the queried host/domain will initially go via one
of the hosts given by the MX records if they exist,
otherwise it will go to the host given by the A
record. If there are no MX and no A
records then email will normally bounce. The MX and
A host names may be in completely different domains. Add
any new domains to your list.
If an IP address has no corresponding hostname the
SOA `start of authority' record can be used to see which
hosts/domains are responsible for that part of the net.
Internic.net is responsible for unallocated addresses so
if you get this it usually means the queried IP address
is faked or in error. If there is no SOA record try doing
a DIG ipaddress->hostname on another IP address which is
in the same subnet as the one you're interested in ie. vary the last number
from 1 to 254. eg. For 130.194.140.37 you might try
130.194.140.66. Some machines are configured by accident or
by design to not reveal who is responsible for them. Alternatively,
look for the owner of the subnet by stripping off one or more right
elements (eg. 130.194.140.2 -> 130.194.140
-> 130.194 -> 130).
Use Cyberkit's WHOIS to find the administrative and
technical contacts for the hosts/domains/ip address ranges you've
discovered. This will give more contact information including email
addresses. If there is more than one WHOIS entry for the domain you've
entered you'll get a list of abbreviated entries. To get full
information use an entry's key as a query string (eg. mci.net gives
keys MCI8-HST and MCI2-DOM). Add the host/domain names of the email
addresses to your list. You may need to strip off one more left
elements of each domain before you get a domain that
WHOIS knows about (eg. eng.monash.edu.au
-> monash.edu.au -> edu.au ->
au). Similarly, you may need to strip off one or more
right elements of each IP address range before you get an IP address
range that WHOIS knows about
(eg. 130.194.140.2 -> 130.194.140 ->
130.194 -> 130). WHOIS also
knows about company names and some user names. This WHOIS
covers US non-military domains only. For other domains see
other WHOIS servers.
Use Cyberkit's TRACEROUTE to get a
list of sites handling messages between this web server host and each
of the host/domain's. This can take several minutes. Ideally it
should be from your mail host but this should
do. Alternatively, if you're running MSWindows 95 it
comes with a TRACEROUTE; run TRACERT in an
MSDOS window. The last entry in the
TRACEROUTE results list should be the host/domain you're
querying. The next-to-last should be the Internet Service Provider
(ISP) for your queried host/domain. The next-to-last for
that ISP is their ISP and so on. More than one host
at the end of the list may be owned by the spammer and so you need to
use some judgement as to whether, when you send email to one of the
hosts, you're talking to the spammer or their ISP. Add the hosts at
the end of the list together with their domains to your host/domain
list. This TRACEROUTE will have trouble if the test link
is heavily loaded (likely during Australian working hours). If so you
could try other web
TRACEROUTE's.
It is possible but rare for a spammer to forge the response to a
TRACEROUTE so that sites later in the list may be
deceptive. If you suspect this is the case you will need to complain
to all the upstream ISP's as only they can determine where the forgery
starts.
Use a web search engines to look for
references to the domain names you've found. Look for `domain'
and `www.domain' Virtually all ISP's have web sites like this
and you can use the web pages to get some idea of whether it's
actually the spammer or the ISP, together with the size, contact
addresses and the email/news policy of the ISP. In addition if it's a
.net domain try a .com domain and
vice-versa; many companies use both. Be careful though as there are
also many completely unrelated companies using domain names differing
only in the .net and .com
ending. You can check by looking at the WHOIS contact information and
the IP addresses.
You can also use a altavista
or Deja news
to find out other information about your target
spammer.
You should now have a list of hosts and domains with a fair
idea of the spammer's addresses and their ISP's addresses. Send an
email to the spammer's ISP (this may or may not have the same domain
name as the spammer themselves) using the abuse@
address and a copy to the spammer themselves.
In the message include a copy of the spam with
full headers, detail the reasons why you find the spam
unacceptable and request that they not do it again.
If abuse@ bounces send the message to
admin@, root@ or postmaster@ and additionally ask them to configure
an abuse@ address which forwards to their person
responsible for handling net abuse. If the email addresses aren't
working you could try a fax gateway
or check out the email
search FAQ.
Large ISP's will generally not reply to you because they're too
busy but if they receive enough complaints (and if they are full of spammers
they usually do) it is likely the spammer will be dealt with. Most
ISP's are good net citizens because it's in their own interest to
maintain a good reputation. If you see the spam again send another
message but this time post a copy of the spam with full
headers to the
news.admin.net-abuse.sightings newsgroup
and let the experts have a go. You may also want to email the ISP of the ISP.
You should read the
news.admin.net-abuse.* newsgroups
for a week or two to get a feel on how spammers operate and are dealt
with. Be warned that these newsgroups include plenty of argumentative
and intentionally deceptive and disruptive posts from spam supporters
in addition to posts from people trying to reduce spam. Life is fight.
enemy.htm stalking page.