Article Surfing Archive

Spam will continue spreading as far as it makes profit. If nobody buys from spammers or acts upon their scams, spam will end. This is the obvious and easiest way to fight spam. You can ignore and delete spam emails you receive. But you can also take vengeance on the spammer by complaining to the spammer's Internet Service Provider (ISP). The ISP will block their connection and maybe impose a fine (depending on the ISP's acceptable usage policy). Spammers beware of such complaints and try to disguise their messages. That's why finding the right ISP is not always easy.

Let's look inside a spam message. Every email message includes two parts, the body and the header. The body is the actual message text and attachments. The header is a kind of the envelope of the message. The header shows the address of the message sender, the address of the message recipient, the message subject and other information. Email programs usually display these header fields:

From: shows the sender's name and email address.
To: shows the recipient's name and email address.
Date: shows the date when the message was sent.
Subject: shows the message subject.

The From: field usually contains the sender's email address. This lets you know who sent the message and allows you easily reply. Spammers, of course, don't want you to reply and don't want you to know who they are. Therefore, they put forged email addresses into the From: lines of their emails. So the From: field won't help you if you want to determine where the spam email comes from.

Tip! With G-Lock SpamCombat you can easily preview not only the message text but also all the fields of the message header . You can choose the preview format by yourself. You can view the message as HTML, decoded message, or message source.There are also several Received: fields in the header of every message. Email programs don't usually display the Received: lines but the Received: lines can be very helpful in tracing the spam origin.

Just like a postal letter goes through a number of post offices before it's delivered to the recipient, an email message is processed by several mail servers. Each mail server adds a line to the message header ' a Received: line ' which contains

- the server name and IP address of the machine the server received the message from and
- the name of the mail server itself.

Each Received: line is inserted at the top of the message header. If we want to reproduce the message's path from sender to recipient, we start from the topmost Received: line and walk down until the last one, which is where the email originated.

Just like the From: field the Received: lines may contain forged information to fool those who would want to trace the spammer. Because every mail server inserts the Received: line at the top of the header, we start the analysis from the top.

The Received: lines forged by spammers usually look like normal Received: fields. We can hardly tell whether the Received: line is forged or not at first sight. We should analyze all the Received: lines chain to find out a forged Received: field.

As we mentioned above, every mail server registers not only its name but also the IP address of the machine it got the message from. We simply need to look what name a server puts and what the next server in the chain says. If the servers don't match, the earlier Received: line is forged.

The origin of the email is what the server immediately after the forged Received: line says about where it received the message from.

Let's see how determining of the spam email origin works in real life. Here is the header of a spam message we've recently received:

**************************************************
Return-Path:
Delivered-To: press@mydomain.com
Received: from unknown (HELO 60.17.139.96) (221.200.13.158) by mail1.myserver.xx with
SMTP; 7 Nov 2006 10:54:16 -0000
Received: from 164.145.240.209 by 60.17.139.96; Tue, 07 Nov 2006 05:53:35 -0500
Date: Tue, 07 Nov 2006 12:48:35 +0200
From: Pharmacy

Reply-To: umceqhzjmndfy
X-Priority: 3 (Normal)
Message-ID: <15216897.20061108040652@hawaiicity.com>
To: press@mydomain.com
Subject: Cheap Med's V!agra Many Med_s QnNXpRy9
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
**************************************************

At first, look at the forged From: field. The email address in the From: and Reply-To: lines doesn't exist. So, the spammer took care about directing bounced messages and all the indignant replies people may send to a non-existing email account.

Secondly, the Subject: line. It contains the variations of the 'Meds' and 'Viagra' words that are known to be met in spam messages. Plus, the subject contains a range of random characters. It's obvious that the subject line is skillfully tailored to fool anti-spam filters.

Lastly, let's analyze the Received: lines. We start from the oldest one - Received: from 164.145.240.209 by 60.17.139.96; Tue, 07 Nov 2006 05:53:35 -0500. There are two IP addresses in it: 60.17.139.96 says it received the message from 164.145.240.209.

We check if the next (and last in this case) mail server in the chain confirms the state of the first Received: line. In the second Received: field we have: Received: from unknown (HELO 60.17.139.96) (221.200.13.158) by mail1.myserver.xx with SMTP; 7 Nov 2006 10:54:16 -0000.

mail1.myserver.xx is our server and we can trust it. It received the message from an "unknown" host, which says it has the IP address 60.17.139.96. Yes, this confirms what the previous Received: line says.

Now let's find out where our mail server got the message from. For this purpose, we look at the IP address in brackets before the server name mail1.myserver.xx. It is 221.200.13.15. This is the IP address the connection was established from, and it is not 60.17.139.96. The spam message originates from 221.200.13.15. It's important to note that it's not necessarily that the spammer is sitting at the computer 221.200.13.15 and sending spam over the world. It may happen the computer's owner doesn't even suspect of being sending spam. The computer may be hijacked by a Trojan, which is spreading spam without the machine's owner knowing it.

We hope this information will help you identify the spammer's ISP and report them about spam so they can take proper measures.