IWS - The Information Warfare Site

About spam and Tracing Spam

by Enrico Savazzi


Part I About Spam

Probably you have received e-mail from individuals or organisations you have never heard of. Likely, you have received a lot of this e-mail. Most often, this e-mail contains proposals of a commercial nature. Some contain unsolicited religious or political propaganda, and a few are proposals to carry out illegal activities (pyramid schemes are one such example). Most of these proposals cannot possibly interest you, and several do annoy you. This e-mail is called SPAM.

The bad news is: spam is on the rise. This is so because (1) spammers use automated means to collect e-mail addresses and to send their e-mail, and (2) you as a recipient (or your ISP, which is pretty much the same thing) pay for the delivery of spam.

The good news is: you can fight back, and it won't take you much longer than reading and deleting all your spam. In most cases, you can report spammers to their ISPs. A few spammers forge e-mail domains and make unauthorised use of other ISPs' servers in order not to be caught. However, this cuts both ways: doing so is a criminal offence (as opposed to using a server to which they have legal access, which may arguably not be a criminal offence), and their actions can be traced by the abused ISP. Your part in this consists in reporting all instances of spam to the concerned ISPs. You can do this either in person, or through an anti-spam organisation. To learn how to do this, follow these links:

www.abuse.net has a lot of information, and a large list of spam-reporting addresses.

spam.abuse.net also has a lot of information; this is their index.

You can read here my introduction on how you can trace spam and report it. 

On this site, [http://esavazzi.pal.uu.se/] I have a collection of false e-mail addresses (at present one and a half million) generated by a little program written by a friend. All addresses are fake (although most of them look undistinguishable from real ones, because this is what the program is designed for). There are many individuals and organisations that use robots to comb the Web and collect e-mail addresses to sell to spammers, or to use for spamming. Adding my fake addresses to their lists pollutes them and makes them much less valuable (they call fake addresses web poison, but a more appropriate name is spammer bait). About 95% of the traffic on my web server consists of robots downloading my address lists on a daily basis. And the lists on my server are refreshed automatically every day with a million and a half new addresses…

Are you curious to know how I generated these e-mail addresses? Do you want to have similar address lists on your site? Here is a readme file about the program, or download the program itself (it runs on Windows 95/98/NT), complete with source code.

In case you wonder what I do about spam, I report each and every instance of spamming to the ISPs of the domain of origin. So, if you are thinking of adding my e-mail address to a spam list, go ahead, make my day.

Part II Tracing Spam

Where does this spam come from?

How do I report it?

What next?

Let me start first by telling you how not to react to spam.

  • Don't reply to the spammer in angry or offensive terms. Most of the time, the spammer is using a forged e-mail address, and your message will simply be returned to you as undeliverable. Therefore, you will be the only one to read your reply.
  • Don't spam, nntp-flood, www-flood, syn-flood, etc. the domain of origin. This would turn the administrators against you: remember that you can't do anything against the spammer without their co-operation.
  • Some spams carry a post-script saying "if you do not wish to receive further messages from us, send mail to this address with this and this header, or fill in this form on our www site". Too late. By sending you a spam they have already violated netiquette. I never send "unsubscribe" messages and the like. I report all spammers to their ISPs instead. Besides, "unsubscribe" messages most of the time come back as undeliverable. Often, "unsubscribe" messages are logged as a source of confirmed-good e-mail addresses to be used for further spamming.

Here is a brief guide on how to find out where an e-mail message comes from. This applies to all e-mail, not just spam. The following case is a little devious (most instances of spam are easier to track), but you can learn a lot from this example.

Below you can see the beginning of the message, as displayed by your mail program:

Date: Wed, 22 Oct 97 13:55:24 EST
Subject: Am I to late?
Comments: Authenticated sender is <rainzzzz@aol.com> 

Dear online friend,

It does not say much about its origin, but we can be sure of one thing already: the address 81884948@aol.com is forged (do not try to send mail to this address). How can we tell? Because:

Valid AOL addresses cannot:
- be shorter than 3 or longer than 10 characters
- begin with numerals
- contain periods, underscores, dashes or other punctuation characters
(the above information was provided by AOL)

To learn more, tell your mail reader to show all headers. In Eudora, this is done by clicking the "Blah Blah Blah" button:

Received: (from smap@localhost) by strix.its.uu.se (8.6.10/8.6.10) id GAA42920 for <pales@strix.its.uu.se.NOSPAM>; Thu, 23 Oct 1997 06:54:14 +0200
Received: from columba.udac.uu.se( by strix via smap (V1.3) id sma009072; Thu Oct 23 06:54:01 1997
Received: from mail.lauderdale.net ([] EHLO mail.lauderdale.net ident: NO-IDENT-SERVICE [port 3129]) by columba.its.uu.se with ESMTP id <7225-36376>; Thu, 23 Oct 1997 06:53:31 +0200
Received: from mail.lauderdale.net ([]) by mail.lauderdale.net (Netscape Mail Server v2.0) with SMTP id AAH628; Wed, 22 Oct 1997 13:50:36 -0400
Received: from relay1.smtp.psi.net (relay1.smtp.psi.net []) for mrin60.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0) with ESMTP id LAA14140; by dfw-ix9.ix.netcom.com (dfw-ix9.ix.netcom.com []) by mail.earthlink.net (ip159.hackensack3.nj.pub-ip.psi.net []) (8.8.5/8.6.5) with SMTP id GAA06075 for <allyall@Internet.World>; Wed, 22 Oct 1997 13:55:24 -0600 (EST)

Date: Wed, 22 Oct 97 13:55:24 EST
From: 81884948@aol.com
To: allyall@Internet.World
Subject: Am I to late?
Message-ID: 199710221321.RAA1022@mrin60.mail.aol.com
X-UIDL: fb3421fad241ad2cda13c3c12dc34f8d
Comments: Authenticated sender is <rainzzzz@aol.com> 

Dear online friend,

Now you have a little more information. Remember that you must send a complete copy of a spam message (including all headers) when you report spamming to the administrators of the domain of origin.

The last "Received:" header is usually the one that matters. Normally, it contains the source of the message and the first host mail server which received it. However, in this case the last "Received:" header contains more than two host names, and this means the header has been forged. A valid "Received:" header has the following format:

Received: from host1 (host2 [ww.xx.yy.zz]) by host3 (8.7.5/8.7.3) with SMTP id MAA04298; Thu, 18 Jul 1996 12:18:06 -0600.

Reading from back to front in the forged header, we see the host which added the "Received:" header (host3); the IP address of the incoming SMTP connection (ww.xx.yy.zz); the reverse-DNS lookup of that IP address (host2); and the name the sender used in the SMTP HELO command when it connected (host1).
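
The two checks described so far (the AOL address rules and the "Received:" format) can be automated. The following is an added example, not code from the original page: the function names are hypothetical, the sample message is constructed with placeholder hosts and IP addresses, and counting "from"/"by" clauses is an assumed way of spotting the extra host names of a forged header.

```python
import re
from email import message_from_string

# Format from the page: from host1 (host2 [ip]) by host3 (...) with SMTP id ...; date
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)\s", re.IGNORECASE)

def parse_received(value):
    """Return helo/rdns/ip/by if the header fits the page's format, else None."""
    value = " ".join(value.split())  # unfold continuation lines
    # Assumption: a genuine hop has exactly one "from" and one "by" clause;
    # spliced-in host names show up as extra clauses.
    clauses = [c.lower() for c in re.findall(r"\b(from|by)\s", value, re.I)]
    if clauses != ["from", "by"]:
        return None
    m = RECEIVED_RE.match(value)
    return m.groupdict() if m else None

def trace_origin(raw_message):
    """Walk Received headers from last (oldest) upward, skipping malformed ones."""
    headers = message_from_string(raw_message).get_all("Received", [])
    skipped = []
    for value in reversed(headers):
        hop = parse_received(value)
        if hop:
            return hop, skipped
        skipped.append(" ".join(value.split()))
    return None, skipped

def aol_address_plausible(address):
    """Apply the AOL rules quoted on the page to the part before the @."""
    local, _, domain = address.partition("@")
    if domain.lower() != "aol.com":
        return True  # the quoted rules only cover AOL addresses
    return re.fullmatch(r"[A-Za-z][A-Za-z0-9]{2,9}", local) is not None

# Constructed sample: host names and IP addresses are documentation placeholders.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.25])
 by mx.example.org (8.8.5/8.8.5) with ESMTP id GAA42920; Thu, 23 Oct 1997 06:53:31 +0200
Received: from relay.example.com (relay.example.com [198.51.100.7])
 for mx2.example.com (8.8.5/8.8.5) with ESMTP id LAA14140;
 by a.example.com (a.example.com [198.51.100.8])
 by b.example.com (8.8.5/8.6.5) with SMTP id GAA06075; Wed, 22 Oct 1997 13:55:24 -0600
From: 81884948@aol.com

Constructed body.
"""
```

The IP address returned by trace_origin is the one to look up with whois. Headers that a local mail filter adds in another layout are skipped as well, so read the skipped list before sending a report.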

In such a case, our best bet is the next-to-last "Received:" header. This indicates an IP address of origin within the net-block, which belongs to mci.net. We can learn this by doing:

whois 208.136.10

MCI Internet Services (NETBLK-MCI-NETBLK10)
7000 Weston Parkway
Cary, NC 27513
Netname: MCI-NETBLK10
Netblock: -
Maintainer: MCI
MCI Internet Services (MCI-IS) hostmaster@mci.net

With this information, we can forward our report to MCI. Remember to keep things simple, and do not address the administrator in less-than-polite terms. He is there to help you, and has nothing to do with the spammer. My favourite introduction is:

Dear Sirs,
The following spam has apparently been sent from your domain. Please investigate.

From the list of reporting addresses in http://www.abuse.com, we obtain the address spams@mci.net, and we send our report to this address.

In most cases, you will receive an automated reply saying that your complaint has been received. Sometimes, you will receive a follow-up with specific information about your report. You should neither ask nor expect to receive any personal information on the spammer - remember that your identity is being kept confidential as well. Instead, a follow-up may contain valuable technical information (this is how I collected the information presented in this page). Even if you do not receive any reply, in most cases your report has been read, and the administrator has tried to find the source of the spam and acted against it. Just keep reporting all instances of spam, and you can be sure that several spammers will lose access to their mail servers. Here are, for instance, two messages I received yesterday:

Please be advised that the account used to violate our Net-Abuse
Policy has been disabled by the user's ISP. If you receive any
further correspondence from this source, please let us know.
Thank you.
Net-Abuse Team
PSINet, Inc.

Thank you very much for taking the time to inform us of this situation.
In accordance with BellSouth.net's Appropriate Use Policies, the
Internet services account of exciting@bellsouth.net has been canceled.
It may take a day or two before all offending communications from this
cancelled BellSouth.net account are cleared from our servers. Therefore,
it is possible that you could receive additional communications from this
account during this time. Please be patient with us and rest assured that
such communications should stop shortly.

A (very) few ISPs (Internet Service Providers) do not co-operate with users in trying to limit spam. One major ISP, for instance, is knowingly and openly hosting a number of large-volume commercial spammers. If you run into one of these, take the next step in fighting spam: install a filter in your e-mail program to automatically trash all messages which come from their domain. Tell your computer administrator to ban the IP addresses of the offending ISP from the servers of your company/university/ISP. The most effective way to hurt irresponsible ISPs is by denying them access to large portions of the Internet. As soon as customers realise that their ISPs are banned from reaching a good slice of the Internet, they will take their user accounts - and money - elsewhere.

This page was last updated November 5, 1997.

(Courtesy of
Enrico Savazzi http://esavazzi.pal.uu.se/)