
Reading an email header isn't very difficult, you just have to make yourself familiar with it once.
When an email is sent, a certain protocol is followed. You can see what conventions a header must follow in the appropriate RFCs. RFC == Request For Comments is the generic name for a collection of documents posted to the internet community for review. All standards that are used today began as humble RFCs :) There are plenty of sources for RFCs, just do a search in the engine of your choice. One good collection is at LookSmart.
Spam comes in different flavours. Some try to get you to reply to the spam to verify that the address they harvested is a real one, others try to sell you a product.

Spam Flavour 1: is that address a real one?
Spam that verifies addresses usually asks you either to reply to it or to go to a special URL where you're asked to enter your email address. This might be to "opt-out" or to get more information (such as in the spam mentioned below). Whatever you do, _don't_ reply to spam or go to such a URL. They're just there to find out that you're a living being and not a dead account set up to trip spammers.

Spam Flavour 2: buy this product.
The other kind of spam advertises a product... Well, most of the time that product is snake oil anyway. If you want to find out whether this is the case, look at the website the spam advertises - but don't mail them :) Sometimes such a website looks like that of a decent company. In that case you can consider sending them a mail. If you do so, inform them that spamming is a surefire way to discourage potential customers. Yet, if the company ordered the spam (which is possible), they'll sell your address and you get flooded with more spam. Choose your poison :(

Spam Flavour 3: use spammer as reference
When lately those "get paid for surfing" companies came up, another flavour of spam spawned. Those "GPFS" (not GeneralProtectionFault, that would be GPF, but GetPaidForSurfing) splatter your desktop with advertisements for various products. They pay you to watch ads. Well, each to his/her liking... Another way to get paid by a GPFS is to refer other people. Because of that, some people took to spamming. Those spams are quite easily identified, they have something like "Get Paid" in them.
Note: This isn't directly the fault of the GPFS company. Most of them explicitly forbid spamming as a means to get referred. Some of those companies regard it a violation of their terms of service (TOS) if they're named in spam, resulting in immediate cancellation of the referenced account in their programme. Because of that you should consider mailing the GPFS company and telling them of this violation.
So here's a header I received. The spam I took it from is of flavour 2.

MIME-Version: 1.0
Date: Sat, 8 Jul 2000 10:34:08 +0000
Return-path: <send_moreinfo@yahoo.com>
Received: from s6v4u3 (169.houston-15-20rs.tx.dial-access.att.net [12.73.247.169]) by [obscured my ISP's server] (8.9.3/8.9.3) with SMTP id PAA13011 for <obscured my email>; Sat, 8 Jul 2000 15:25:42 +0200
From: "I did it" <send_moreinfo@yahoo.com>
To: <obscured my email>
cc:
Message-ID: <200007081325.PAA13011@my isp's server>
In-Reply-To:
References:
Subject: I found you this
X-Priority: 3
X-CHAOS-Read: yes
X-CHAOS-Marked: no
X-CHAOS-Size: 1388
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Please note that I obscured both my email address and my ISP's server.
The FROM field can easily be forged (in our example: From: "I did it" <send_moreinfo@yahoo.com>), so don't jump at it. To try it out yourself, configure your email program with another user in that field and send yourself an email. See? :)
For a spammer using one of the more sophisticated programs out there, it's easy to place the recipient's own address in the FROM field of the header. That way you'd seemingly get spammed by yourself.
In some cases (flavour 1 and 3) the RETURN-path (Return-path: <send_moreinfo@yahoo.com> in the example) is worth noting. If you're not sure where the spam originated, you could ask the owner of the return-path's domain (yahoo.com in the example) to help you track down the spammer.
Remember: The people referenced in the RETURN-path aren't responsible for the spam. To them it looks as if a legitimate customer set up an account, albeit one with a lot of traffic.
Nonetheless, if this RETURN-path includes a Hotmail address, write to their abuse contact. Hotmail closes such accounts immediately. That way you might thwart the spammer's attempt to collect addresses.
What is far more interesting is the RECEIVED field (Received: from s6v4u3 (169.houston-15-20rs.tx.dial-access.att.net [12.73.247.169]) by [obscured my ISP's server] (8.9.3/8.9.3) with SMTP id PAA13011 for <obscured my email>; Sat, 8 Jul 2000 15:25:42 +0200 in the example).
Well, most ISPs tend to name their dial-in servers in a way that they're easily discerned. Here att.net named it "dial-access". This tells us that the spammer used a dial-in account and that att.net might be abused without their knowledge. That's a good reason to be very polite in the complaint.
Still, the _name_ (169.houston-15-20rs.tx.dial-access.att.net in the example) of the machine that received the spam out of the spammer's outbox might be forged. Therefore you should verify that it matches the IP in square brackets ([12.73.247.169] in the example). How? Read on, please :)
First try to find out the real owner of the IP address where the spam originated.
There are multiple ways to do that, the most convenient is using SamSpade. If you don't have or want it, you can do it the long way :)
I'll describe the steps for Windows, Linux users usually know their tools well enough.
Traceroute the IP named in the RECEIVED field. In Windows start a DOS window and then type "tracert xxx.xxx.xxx.xxx" (note: on Linux use "traceroute").
This is what I got for the IP 12.73.247.169 (I snipped out the part that shows me):

  1 [...]
 18   301 ms   297 ms   310 ms  169.houston-15-20rs.tx.dial-access.att.net [12.73.247.169]

The last line (starting with 18) shows the machine that belongs to the IP. Here my first suspicion, that the posting host is indeed identical with the IP, is verified.
So we know a little more :)
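As an added example that is not part of the original tutorial, here is a Python script that parses the Received line shown above and performs the name-versus-IP cross-check programmatically: it forward-resolves the name in parentheses and compares the result with the bracketed IP, which is what the tracert output confirmed by hand. The receiving server and recipient in the sample are placeholders (the original obscured them), and table_resolver is a constructed offline stand-in for DNS.

```python
import re
import socket
from typing import Callable, Dict, Optional

# Constructed sample: the Received line from the header above, with the
# obscured ISP server and recipient replaced by placeholder names.
SAMPLE_RECEIVED = (
    "Received: from s6v4u3 (169.houston-15-20rs.tx.dial-access.att.net "
    "[12.73.247.169]) by mail.example-isp.invalid (8.9.3/8.9.3) with SMTP "
    "id PAA13011 for <victim@example-isp.invalid>; Sat, 8 Jul 2000 15:25:42 +0200"
)

# Shape: "from <helo> (<reverse-dns> [<ip>]) by <server> ...; <date>".
# The HELO name is whatever the sending machine announced (forgeable);
# the parenthesised name and the bracketed IP were written by the receiver.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)

def parse_received(line: str) -> Dict[str, Optional[str]]:
    """Split one Received header (folded lines allowed) into its fields."""
    m = RECEIVED_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError("unrecognised Received: line")
    return m.groupdict()

def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Constructed offline stand-in for socket.gethostbyname."""
    def resolve(name: str) -> str:
        if name not in table:
            raise socket.gaierror(f"unknown host {name}")
        return table[name]
    return resolve

def verify_hop(fields, resolve=socket.gethostbyname):
    """Cross-check the hop as the tutorial does by hand; None = unresolvable."""
    rdns, ip, helo = fields["rdns"], fields["ip"], fields["helo"]
    result = {"name_matches_ip": None, "dial_in": False,
              "helo_matches": helo == rdns}
    if rdns and ip:
        try:
            result["name_matches_ip"] = resolve(rdns) == ip
        except OSError:  # socket.gaierror is a subclass: name does not resolve
            pass
        # ISPs tend to name dial-in pools recognisably ("dial-access" here)
        result["dial_in"] = "dial" in rdns.lower()
    return result
```

Calling verify_hop(parse_received(line)) without a resolver uses live DNS; for a twenty-year-old dial-up host expect name_matches_ip to come back None.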
Next, look up the owner of the IP address in the whois database of the responsible NIC. Not all NICs (Network Information Centers) reside in the same country. If you wanted to request data for a German ISP (domain ends with .de), you'd go to www.nic.de instead of www.nic.com.
To avoid searching more than necessary, you could use SamSpade's online tools, they're kind enough to route your request to the proper NIC.
Now we know that the IP is indeed owned by att.net. With this information we go to www.abuse.net and request their information about this ISP.
Abuse.net is a free service where ISPs can register their abuse addresses. Note that such an address is not required, it's more a courtesy of the ISP.
If abuse.net hasn't got an address for the ISP, you should try some well-known addresses, such as postmaster@ and root@.
Now all you have to do is send a complaint to the proper address.
When you send your complaint, don't forget to include the _full_ headers of the mail. Without them, the abuse contact will be unable to handle your request. Spare the ISP the full text of the spam, this will only eat up bandwidth. Quite likely the private email of the abuse contact has been spammed, too. Even if not, in case they do need the text, they'll ask you for it.
Please be polite. The ISPs aren't the spammer.
Try something like this text:

Dear [insert ISP's name here],
I received the following spam originating from one of your machines (full headers below).
I'm aware that you're not responsible for the spam, but you have the means to stop this abuse.
Thank you very much :)
Regards, [insert your name here]

[insert the _full_ headers, but not the spam text!]
Some spam (such as that of Flavour 2) usually references another domain or a URL in the body of the spam.
If you suspect that the advertised site promotes child pornography or other criminal things, you should forward the spam with its full headers to your country's legal authorities.
There are people that actively fight child pornography, like Condemned.org. If you want, forward the spam to them, too... That's what I'd call a LART.