Revenge

If a particular spammer annoys you beyond your ability to control your emotions, or if you are an anti-spam crusader and wish to spend some time chasing spammers, this section is for you. We do not advocate retribution in any hostile sense, such as mail bombs, but we do believe that abusers of the system should pay the price—generally through losing their ISP account. Recipients of spam are encouraged to work within the system to achieve their desired result. Most ISPs have a policy against spam and will assist you if you contact them with the appropriate information. This section describes how you can go about collecting that information.

Note

A mail bomb is a vindictive attack in response to perceived Net abuse; a person mails, for example, a hundred (or a thousand) copies of a FAQ to a recipient, thus filling his Inbox with many messages. This may have been effective in the smaller pre-1994 Internet but today only serves to annoy people—especially if the wrong person gets the result. I do not advocate mail bombs as an appropriate way to address spam.

It is the rare spammer that sends bulk email from a legitimate email address. Those that do find their accounts flooded with requests to unsubscribe, abusive descriptions of their lineage, and mail bombs. You would think that they would get the message, but most have avoided this problem by simply lying about their return address. It is therefore difficult to use information in the From or Reply-To headers of a spam message to track the sender.

Most spammers do leave a trail, however, in the Received headers. You may recall from Chapter 2, Simple Text Messages, that these headers are written by receiving MTAs along the message’s path to its final destination. Each MTA in turn adds a Received header. Careful analysis of these headers can help determine where the message originated, in spite of the spammer’s attempt to hide her tracks.

The following is an actual spam, received by the author during the writing of this chapter. Let’s dissect it so that we can tell that it is spam and where it originated:

Return-Path: <[email protected]>
Received: from localhost (mail@localhost [127.0.0.1])
        by morris.staff.plugged.com.au (8.8.7/8.8.7) with ESMTP id EAA25927
        for <dwood@localhost>; Sat, 23 Jan 1999 04:06:31 +1000
From: [email protected]
Received: from mailhost.plugged.net.au
        by fetchmail-4.6.2 POP3
        for <dwood/localhost> (single-drop); Sat, 23 Jan 1999
        04:06:33 EST
Received: from chihlee.chihlee.edu.tw (chihlee.chihlee.edu.tw [140.131.77.33])
        by mailhost.plugged.net.au (8.8.8/8.8.8) with ESMTP id EAA20189
        for <[email protected]>; Sat, 23 Jan 1999 04:04:59 +1000
Received: from www.chihlee.edu.tw (www [140.131.77.44])
        by chihlee.chihlee.edu.tw (8.9.1/8.9.1) with SMTP id BAA03328;
        Sat, 23 Jan 1999 01:37:09 +0800 (CST)
Received: from usa.net by www.chihlee.edu.tw (SMI-8.6/SMI-SVR4)
        id BAA11220; Fri, 23 Jan 1998 01:24:31 +0800
Date: Fri, 23 Jan 1998 01:24:31 +0800
Message-Id: <[email protected]>
To: [email protected]
Subject: Web Site Hosting
Status:  O
x-Mozilla-Status: 8001

Online Professional,

We offer great service and selection for all your internet needs.
Tired of paying insane charges for every web hosting extra?, then
you need our service. At only a dollar per meg per month(in inc. of 10)
you will have your own cgi-bin with access to many free scripts and our
assistance with any tech question you may have. Want your site
submitted to 1000+ search engines and directories?  Ok   sure   no charge.
Need help registering your domain name?   Ok  sure   no charge. Need
a few extra POP email accounts?  Ok   sure   no charge.  Pay for a year
in advance and get 10% off. We just don't want to rip you off like many
others charging insane amounts for add-ons, having hourly tech fees,
ect. Need something else?, we probally offer it.
please telephone our toll-free voice mailbox:
1-888-352-5445

Your friends at,
Networks Internet Tools
1-888-352-5445

Further transmissions to you by the sender of this email may be stopped at
no cost to you by replying to this message with the subject "REMOVE"
Your address will be added to a global remove list used by thousands of
email marketing professionals.

This message has all of the hallmarks of spam:

  • It is unsolicited.

  • The return address’s domain is a large service provider.

  • It offers a “great service” or product.

  • It shows poor use of the English language.

  • It is signed by “Your friends,” of whom you have never heard.

  • The From header’s return address is bogus—a message sent to that address bounced.

  • It includes some legitimate contact details but not via the Internet. A U.S. telephone number is listed in this case, but it is not answered by a person, only by an answering machine.

This message also promises to remove the recipient from the mailing list if you reply with a Subject of “REMOVE”. This is almost always a scam in itself, since most spammers have been shown not to respect these remove lists. It is quite possible to “remove” yourself from hundreds of lists and actually see an increase in the spam that you receive. This may be because by replying, you have proven that your email address is valid and actually reached a human being.

Although this is circumstantial evidence, it makes one highly suspicious of the motives of the people involved. Some spammers even sell remove lists as lists of people who actually read their mail!

In this case, it would be useless to reply to the email, since the return address is bogus. This is convincing proof that the offer to remove you from their list is just chaff, to confuse you into thinking that you have a choice and that they are honest business people.

We know who caused the message to be sent: Networks Internet Tools. They can be reached by a U.S. telephone number, 1-888-352-5445. They are the perpetrator, but they are probably not the spammer themselves. In many cases, legitimate businesses with no understanding of the Internet are sold spamming services by full-time spammers. It is the spammers that we are trying to find.

While waiting for the message to the spammer’s return address to bounce, we tried to determine by other means whether it was a legitimate address. The Bigfoot directory (http://www.bigfoot.co.uk), which maintains a list of email addresses and allows you to search the directory via a Web interface, did not list the address.

We might note at this point that the bogus mail address was in the usa.net domain. That domain belongs to a large free email service provider in the U.S. The spammer could have been faking this address entirely, so we need to check it out more thoroughly. We see in the bottom-most Received header that the mail was received by a mail server called www.chihlee.edu.tw from usa.net. We can be confident that www.chihlee.edu.tw was the first SMTP server to receive the message: the Message-Id header identifies that machine and, although a Message-Id can be forged as easily as a From header, it agrees with the bottom-most Received header, which www.chihlee.edu.tw wrote itself. Depending on how reliable the MTA on www.chihlee.edu.tw is, the usa.net part of that Received header could still have been faked.

First, we need to determine where www.chihlee.edu.tw is and whether it is likely that its operators are part of the problem. The trailing .tw shows that the machine is probably in Taiwan. We could use any number of network utilities to determine what and where this machine is, like the whois or whois+ services available at the various regional Network Information Centers. In fact, a whois search shows that the machine is operated by the Taiwanese Ministry of Education Computer Center. Since the machine name starts with www, however, it is probably a Web server, and we can just go look. Looking at the URL http://www.chihlee.edu.tw does, in fact, show a Web page for the Chih Lee College of Business in Taiwan. It is not likely that our “friends” at Networks Internet Tools, or those who sent the spam for them, really know anyone at Chih Lee College of Business, nor that the college is involved in organized spamming. It is far more likely that the college operates an MTA that is improperly configured: it allows anyone to connect to it and send mail to anyone on the Internet, instead of accepting mail from outside only for the addresses for which it is responsible. This is known as SMTP relaying, and an MTA that does it for all comers is an open relay. Operators of MTAs should disable relaying for outsiders, as we discuss in the section “Service Provider Approaches,” later in this chapter, to avoid assisting spammers.

Connecting to port 25 of www.chihlee.edu.tw shows us what we need to know. The server accepts mail from anyone for anyone. It also takes the IP address of the incoming connection and performs a reverse DNS lookup on it to record where we are really coming from, regardless of the name we announce in EHLO; therefore, we can be reasonably assured that the spam we received really did come from a machine at usa.net.

[lovelace]$ telnet www.chihlee.edu.tw 25
Trying 140.131.77.44... 
Connected to www.chihlee.edu.tw.
Escape character is '^]'.
220 www.chihlee.edu.tw Sendmail SMI-8.6/SMI-SVR4 ready at
 Fri, 23 Jan 1998 10:15:53 +0800
EHLO usa.net
250-www.chihlee.edu.tw Hello in.plugged.net.au [203.20.51.50],
 pleased to meet you
250-EXPN
250-SIZE
250 HELP
MAIL FROM: [email protected]
250 [email protected]... Sender ok
RCPT TO: [email protected]
250 [email protected]... Recipient ok
DATA
354 Enter mail,  end with "." on a line by itself
Test of bogus mail relayed through www.chihlee.edu.tw.
.
250 KAA25898 Message accepted for delivery
quit
221 www.chihlee.edu.tw closing connection
Connection closed by foreign host.

Even though we told the mail server that we were coming from the domain usa.net, it recognized that we were not. The Received header in our spam message can therefore be trusted when it says that the message came from the usa.net domain. One caveat: that header, written by sendmail 8.6, records only a name and not the bracketed IP address that the later sendmail versions along the path add, so our trust rests on having observed what this relay writes for a connection whose origin we know, not on the header by itself.
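The session above, scripted, as an added example that is not from the book: the Python below drives the same EHLO, MAIL FROM and RCPT TO exchange, stops at RSET before DATA so nothing is ever delivered, and reports whether the server would have relayed. Because the check needs a server to talk to, it is paired with a constructed in-process stand-in for the relay (fake_mta) that answers with the greeting and two-line EHLO reply from the transcript, records the real peer rather than the announced name, and relays for a foreign recipient only when told to. The hostnames are those on the page; the mailbox names probe@usa.net and victim@plugged.net.au are placeholders.

```python
import re
import socket
import threading


def read_reply(rfile):
    """Read one SMTP reply, collecting every line of a multi-line (250-...) response."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250 " ends the reply, "250-" continues it
            return int(line[:3]), lines


def send(wfile, command, transcript):
    transcript.append(">>> " + command)
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()


def relay_check(sock, sender, recipient, claimed_name="usa.net"):
    """Ask the MTA on `sock` to relay from `sender` to `recipient`, stopping before DATA.
    Returns (relay_accepted, transcript). Both addresses should be foreign to that MTA."""
    transcript = []
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    code, lines = read_reply(rfile)
    transcript += lines
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {lines}")
    send(wfile, f"EHLO {claimed_name}", transcript)   # lie about who we are, as the spammer did
    code, lines = read_reply(rfile)
    transcript += lines
    accepted = False
    if code == 250:
        send(wfile, f"MAIL FROM:<{sender}>", transcript)
        code, lines = read_reply(rfile)
        transcript += lines
    if code == 250:
        send(wfile, f"RCPT TO:<{recipient}>", transcript)
        code, lines = read_reply(rfile)
        transcript += lines
        accepted = code == 250          # a 250 here means the server would relay for us
    send(wfile, "RSET", transcript)     # abandon the envelope: nothing is delivered
    transcript += read_reply(rfile)[1]
    send(wfile, "QUIT", transcript)
    transcript += read_reply(rfile)[1]
    return accepted, transcript


def fake_mta(sock, relay_allowed, local_domain="chihlee.edu.tw"):
    """Constructed stand-in for the relay on the page (an assumption, not its real software):
    it names the real peer in the EHLO reply and relays for foreign recipients only if allowed."""
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")

    def reply(text):
        wfile.write((text + "\r\n").encode("ascii"))
        wfile.flush()

    reply("220 www.chihlee.edu.tw Sendmail SMI-8.6/SMI-SVR4 ready")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        cmd = raw.decode("ascii", "replace").strip()
        verb = cmd.split(None, 1)[0].upper() if cmd else ""
        if verb in ("EHLO", "HELO"):
            reply("250-www.chihlee.edu.tw Hello probe.local [127.0.0.1], pleased to meet you")
            reply("250 HELP")
        elif verb == "MAIL":
            reply("250 Sender ok")
        elif verb == "RCPT":
            m = re.search(r"@([^>\s]+)", cmd)
            domain = m.group(1).lower() if m else ""
            if relay_allowed or domain == local_domain or domain.endswith("." + local_domain):
                reply("250 Recipient ok")
            else:
                reply("550 Relaying denied")
        elif verb == "RSET":
            reply("250 Reset state")
        elif verb == "QUIT":
            reply("221 www.chihlee.edu.tw closing connection")
            break
        else:
            reply("500 Command unrecognized")


def probe(relay_allowed):
    """Run relay_check against the in-process fake MTA; returns (accepted, transcript)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_mta, args=(server, relay_allowed), daemon=True)
    worker.start()
    try:
        return relay_check(client, "probe@usa.net", "victim@plugged.net.au")
    finally:
        client.close()
        worker.join(timeout=5)
        server.close()


if __name__ == "__main__":
    for allowed in (True, False):
        accepted, transcript = probe(allowed)
        print("\n".join(transcript))
        print("RELAY OPEN" if accepted else "relaying refused", "\n")
```

Pointing relay_check at a real server means replacing socketpair() with socket.create_connection((host, 25)) and probing only a server you are authorized to test; the transcript it returns is the evidence to attach when reporting the relay to its operator.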

Fairly often, inexperienced spammers send bulk email from a dial-up account. In this case, the reverse DNS lookup captures the name assigned to their machine for the duration of the connection. For example, the machine name slip166-72-182-182.nc.us.ibm.net was used in a recent spam attack. Machines with names starting with slip, dial, ppp, isdn, or the like are usually on addresses dynamically assigned by service providers when a machine connects via a modem, so the name identifies the address and the time, not the subscriber. That information is still important: combined with the ISP’s access logs for that address at that time, it can identify a spammer.

When we received the mail that we sent via www.chihlee.edu.tw, its headers looked just like those of the spam message, with the exception of the domain in the bottom-most Received header, which showed our own domain rather than usa.net, just as we expected.

We now know which service provider the spammer used (usa.net), and we have also identified a mail server on the Internet that is inadvertently helping spammers by relaying messages for them. We can send two mail messages: one to usa.net, informing them of abuse by one of their customers (although we’ll try to gather more information first), and another to the operators of www.chihlee.edu.tw, informing them that their MTA (identified as sendmail Version 8.6) is misconfigured. We can also tell them that by allowing relaying, they have inadvertently assisted a spammer, and request that they configure their mail server to accept mail from outside only for recipients in its own domain.

After that, the message headers don’t tell us much. We can see that the message was forwarded by www.chihlee.edu.tw to its outgoing SMTP server, chihlee.chihlee.edu.tw, and then on to us. We are still left with the questions of who the spammer really is and how to find him.
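The header walk carried out over the last few paragraphs, together with the dial-up name check above, as an added example that is not from the book: the Python below unfolds the headers, parses each Received line into the claimed sending name, the receiver’s reverse-DNS and IP annotation if any, and the receiving MTA; orders the hops oldest first so that the relay’s own header comes first; reports where the by/from chain breaks; and flags names of the slip/dial/ppp form while recovering the address encoded in them. SAMPLE_HEADERS is constructed from the chain shown above with the mailbox names replaced by placeholders; the hop regex covers the sendmail and fetchmail formats on this page and is an assumption for other MTAs.

```python
import re

# Constructed sample: the Received chain of the spam shown above, with hostnames, IPs and
# queue IDs as printed on the page and the mailbox names replaced by placeholders.
SAMPLE_HEADERS = """\
Return-Path: <sender@usa.net>
Received: from localhost (mail@localhost [127.0.0.1])
        by morris.staff.plugged.com.au (8.8.7/8.8.7) with ESMTP id EAA25927
        for <recipient@localhost>; Sat, 23 Jan 1999 04:06:31 +1000
Received: from mailhost.plugged.net.au
        by fetchmail-4.6.2 POP3
        for <recipient/localhost> (single-drop); Sat, 23 Jan 1999 04:06:33 EST
Received: from chihlee.chihlee.edu.tw (chihlee.chihlee.edu.tw [140.131.77.33])
        by mailhost.plugged.net.au (8.8.8/8.8.8) with ESMTP id EAA20189
        for <recipient@plugged.net.au>; Sat, 23 Jan 1999 04:04:59 +1000
Received: from www.chihlee.edu.tw (www [140.131.77.44])
        by chihlee.chihlee.edu.tw (8.9.1/8.9.1) with SMTP id BAA03328;
        Sat, 23 Jan 1999 01:37:09 +0800 (CST)
Received: from usa.net by www.chihlee.edu.tw (SMI-8.6/SMI-SVR4)
        id BAA11220; Fri, 23 Jan 1998 01:24:31 +0800
Subject: Web Site Hosting
"""


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


# from <announced-name> [(<reverse-dns> [<ip>])] ... by <receiving-mta>
HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*(?:\[(?P<ip>[0-9.]+)\])?\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Names such as slip166-72-182-182.nc.us.ibm.net: dynamically assigned dial-up addresses.
DYNAMIC_RE = re.compile(r"^(?:slip|dial|ppp|isdn)[\w-]*\d", re.IGNORECASE)


def embedded_ip(name):
    """Recover an address encoded in a dial-up hostname's first label, e.g. 166.72.182.182."""
    m = re.search(r"(\d{1,3})\D+(\d{1,3})\D+(\d{1,3})\D+(\d{1,3})", name.split(".")[0])
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return ".".join(m.groups())
    return None


def trace(raw):
    """Parse the Received headers into hops ordered oldest first: the bottom-most header
    on the page (the one www.chihlee.edu.tw wrote) becomes hops[0]."""
    hops = []
    for header in unfold(raw):
        m = HOP_RE.match(header)
        if not m:
            continue
        hops.append({
            "from": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"],
            # A bracketed IP means the receiving MTA looked at the connection itself;
            # a bare name is only what that MTA chose to write and needs corroboration.
            "verified": m["ip"] is not None,
            "dynamic": bool(DYNAMIC_RE.match(m["helo"])),
            "embedded_ip": embedded_ip(m["helo"]),
        })
    hops.reverse()
    return hops


def chain_breaks(hops):
    """Indexes i where hops[i]['by'] is not the host hops[i+1] says it received from.
    A break marks a local delivery step (here fetchmail) or a header someone forged."""
    breaks = []
    for i in range(len(hops) - 1):
        nxt = hops[i + 1]
        names = {nxt["from"].lower(), (nxt["rdns"] or "").lower()}
        if hops[i]["by"].lower() not in names:
            breaks.append(i)
    return breaks


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS)
    for i, hop in enumerate(hops):
        flag = "" if hop["verified"] else "  (no IP recorded: unverified)"
        print(f"{i}: {hop['from']} -> {hop['by']}{flag}")
    print("claimed origin:", hops[0]["from"], " first MTA:", hops[0]["by"])
    print("chain breaks at:", chain_breaks(hops))
```

On the sample this reports usa.net handing the message to www.chihlee.edu.tw as the unverified first hop, every later hop annotated with an IP, and a single break at the fetchmail pickup, which is local delivery rather than forgery.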

At this point, we have options: we can forward the entire spam message to usa.net and ask them to track down the spammer. The spammer is their customer, after all. However, it would be helpful to give them more information to facilitate their identification of the person responsible. It is possible to use online services such as search engines, email directories, the AOL NetFind service, and others to ferret out the identity of many spammers. The string “tillweb” in the spam message’s From header is an interesting one: it may carry meaningful information when combined with information freely available on the Web. Also, a direct contact with the spammer’s customer (Networks Internet Tools) may yield the identity of the spammer directly or provide further clues to it. We have chosen not to follow this further in print for reasons that should be obvious.

Sometimes going to the spammer’s ISP does no good. Some ISPs facilitate spammers’ activities. The best thing to do in such a case is to send a message to the ISP’s upstream provider, or backbone ISP. Most ISPs and most backbone ISPs will take this very seriously. Spam costs them more than it costs an individual recipient. There should be no problem with usa.net; a quick check of the service contract on their Web site shows that spamming by their members is prohibited.
