A PhoneBoy Primer On: Tracking Down Spammers
While not comprehensive, this should give you an idea of how to track down the ISPs of spammers. There are two things you need to find out:
- Where the spam came from (e.g. who sent it)
- Which mail relay they used to send the spam
To find out which SMTP server was used to send the spam (or at least get a good idea), look at the received headers. Usually on the line you find the spammer’s actual IP address, you also find out the SMTP server that they used.
For example, look at this recent spam I received:
From [email protected][email protected] Fri May 15 23:55:55 1998
Received: from proxy2.ba.best.com ([email protected] [184.108.40.206])
by shell3.ba.best.com (8.8.8/8.8.BEST) with ESMTP id XAA05666
for <[email protected]st.com>;
Fri, 15 May 1998 23:55:54 -0700 (PDT)
From: [email protected][email protected]
Received: from tor-vs1.nbc.netcom.ca (tor-vs1.nbc.netcom.ca [220.127.116.11])
by proxy2.ba.best.com (8.8.8/8.8.BEST) with ESMTP id XAA08688
for <[email protected]>; Fri, 15 May 1998 23:54:48 -0700 (PDT)
Received: from netrepreneur.mymail.net (9.west-palm-beach-01.fl.dial-access.att.net [18.104.22.168])
by tor-vs1.nbc.netcom.ca (8.8.5/8.8.8) with SMTP id CAA09763;
Sat, 16 May 1998 02:45:27 -0400 (EDT)
Date: Sat, 16 May 1998 02:45:27 -0400 (EDT)
Received headers get appended to the top of a message as they go through each mail server. The “last” Received header you will see is usually the originator of the mail. This rule doesn’t always work since these headers can be “forged.” My rule of thumb is to look discrepencies between what the originator ‘reports’ his mailserver to be (netrepreneur.mymail.net) and what the SMTP server says it is 9.west-palm-beach-01.fl.dial-access.att.net). I try and find the first SMTP server that is truly “resolvable” and go from there.
In this case, the perpetrator (22.214.171.124, an att.net address) is using some mail relay at netcom.ca. Big surprise as Netcom has open SMTP relays and has ignored repeated requests by the net at large to close them.
There are new types of spam programs that, instead of going through intermediate SMTP servers, the email is directed right to your ISPs mail server. In this case, about the only thing you can do is report the problem to the provider who the mail came from. In this case, that would be att.net.
Each provider has it’s own email address used to report spam. You may be able to find this information on the providers website. In many cases, it is [email protected] In all cases, [email protected] should work, or at least tell you where the complaint should be directed to. If all else fails, you can use an “whois” utility to take the domain of the provider and send email to the technical contact for the domain in question. To check the “whois” of a domain, you can use InterNIC’s Web Interface to Whois.
On a different piece of spam, I checked out the mail headers:
Received: from proxy2.ba.best.com ([email protected] [126.96.36.199]) by shellx.best.com (8.8.3/8.8.3) with ESMTP id JAA21453; Fri, 22 Nov 1996 09:26:48 -0800 (PST) From: [email protected] Received: from yoda.globaltech2000.com (haljr.globaltech2000.com [188.8.131.52]) by proxy2.ba.best.com (8.8.3/8.7.3) with SMTP id JAA21951; Fri, 22 Nov 1996 09 :21:20 -0800 (PST) Received: by yoda.globaltech2000.com from localhost (router,SLMAIL95 V2.2); Fri, 22 Nov 1996 00:36:14 Central Standard Time Received: by snappy from somewhere.com (0.0.0.0::mail daemon; unverified, SnappyMail V0.1,alpha 1); Subject: 4 Internet Addresses To: [email protected];ultragrafix.com;; Date: Fri, 22 Nov 1996 00:36:14 Central Standard Time Message-Id: <[email protected]>
Look at the Received: lines here. You can tell that a bulk of the mail processing happens on globaltech2000.com (the Received: lines listed last are good indications of where the mail came from). A whois on globaltech2000.com tells me:
Ultragrafix (GLOBALTECH3-DOM) P.O. Bx. 170955 Arlington, TX 76003 USA Domain Name: GLOBALTECH2000.COM Administrative Contact, Billing Contact: Canady, Glenn (GC768) [email protected] (817)557-4139 Technical Contact, Zone Contact: DFW Internet Serices, Inc (ID54) [email protected] 817) 332 - 5116 Record last updated on 16-May-96. Record created on 14-Apr-96. Domain servers in listed order: NS1.DFW.NET 184.108.40.206 DFW.DFW.NET 220.127.116.11 The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.
Doing a whois on dfw.net nets a dead-end… their Domain servers and technical contacts all terminate at DFW Internet, which probably means their ISP is spammer-friendly and your complaints are likely to fall on deaf ears. The last thing you can do is a traceroute on one of the nameservers for the domain. Here’s what this tells me:
traceroute to ns1.dfw.net (18.104.22.168), 30 hops max, 40 byte packets 1 core-fddi3-0.mv.best.net (22.214.171.124) 14 ms 36 ms 2 ms 2 core1-hssi3-0.san-francisco.best.net (126.96.36.199) 5 ms 6 ms 5 ms 3 188.8.131.52 (184.108.40.206) 5 ms 5 ms 5 ms 4 border3-fddi-0.Denver.mci.net (220.127.116.11) 31 ms 32 ms 32 ms 5 border3-fddi-0.Denver.mci.net (18.104.22.168) 30 ms 29 ms 29 ms 6 dfw-internet-service.Denver.mci.net (22.214.171.124) 76 ms 113 ms 124 ms 7 ns1.dfw.net (126.96.36.199) 100 ms 80 ms 86 ms
My provider (best.com/best.net) goes off to MCI’s routers and makes it to dfw.net, which gives globaltech2000.com their Internet access.
Once You’re Tracked Down Their ISP…
- Send the entire message sent to you, complete with headers. These the the electronic ‘fingerprints’ needed to track down the spammers.
- Be polite and courteous. This is to insure your complaints do not fall on deaf ears.