Help Desk: Viewing and Forwarding SPAM (Unsolicited) E-mails



Contents

     Spams: What should you do with them?
     Tracing Spam
     Viewing Full Headers
     Finding the Origin of the Spam
     Forwarding the Spam

Spams: What should you do with them?

Spam is the nickname for junk mail on the Internet. Sometimes it is sent by bona fide companies that want to save some money on marketing. Other times it is a scam, like a pyramid scheme. We all get it, and most of us delete it as fast as we can. But besides deleting it, is there anything else we can do about it? Are we totally helpless against this onslaught? Not really.

Tracing Spam

The first thing you should realize is that things are not always what they seem, even in emails. The "From:" part of the email is supplied by the sender and is easily faked by anybody with a home computer and a PPP connection. In order to find out where the spam really came from, you will have to check something we call "headers."

The email headers tell the history of your email: each mail server that handled the message, from the spammer's computer to the one that delivered it to your mailbox, stamps its own line on top of the ones already there. Spammers will sometimes relay the email through many computers on the Internet before it reaches its final destination, in order to make it harder to trace back to the origin. With a little patience, you can sort out all this information down to the spammer.

Most reputable Internet Service Providers (ISPs) will take action against an account that was used for spamming. It is becoming a standard in the ISP community to set up a special email account called "abuse" to gather complaints about spamming. At USF, a complaint sent to abuse@usf.edu will be looked into by the appropriate administrator. Other examples are abuse@ibm.net, abuse@netcom.com, and so on.

So, how do you figure out where the spam actually came from? The first thing to do is to find the header info.

Viewing Full Headers

Pine

  1. Make sure the "enable-full-headers" option is enabled.
    1. Go to the main menu
    2. Select "Setup" and then "Configure"
    3. Scroll down until "enable-full-headers" appears and select it
    4. Save and exit the configuration screen
  2. View the spam message
  3. Hit "H" to view the full headers

Outlook 98

While viewing the message, select "View" and then "Options." The full headers will be displayed in a pop-up box that appears on the screen.

Netscape Communicator

On Netscape, select "View/Headers/All" to view the full headers of the message.

Finding the Origin of the Spam

The following is an example of the headers from a recent spam received by USF users:

Return-Path: usa@moon.org
Received: from mail.rdu.bellsouth.net (mail.rdu.bellsouth.net [205.152.32.21]) by soleil.acomp.usf.edu (8.8.7/8.6.5) with ESMTP id IAA23137; Thu, 6 Nov 1997 08:40:12 -0500 (EST)
Received: from Default (host-32-96-56-125.rdu.bellsouth.net [32.96.56.125]) by mail.rdu.bellsouth.net (8.8.5/8.8.5) with SMTP id IAA13143; Thu, 6 Nov 1997 08:41:13 -0500 (EST)
From: usa@moon.org
Date: Thu, 6 Nov 1997 08:41:13 -0500 (EST)
Message-Id: <199711061341.IAA13143@mail.rdu.bellsouth.net>
Subject: A Must See For College Students
Content-Type: text
Content-Length: 1551

When tracing an email, concentrate on the lines that start with "Received:". Every mail server that handles a message adds its own Received line above the ones already there, so the collection of Received lines, read from top to bottom, tells the history of that particular piece of email in reverse order. Start with the final destination, usually your email host, in this case soleil.acomp.usf.edu. The first Received line states that soleil received this spam from mail.rdu.bellsouth.net. On the next Received line, you see that mail.rdu.bellsouth.net received the spam from host-32-96-56-125.rdu.bellsouth.net. Notice that the name outside the parentheses (Default) is different from the one inside (host-32-96-56-125.rdu.bellsouth.net). The name outside is whatever the sending computer chose to call itself when it connected, and it can say anything at all; the name and IP number inside the parentheses were recorded by the receiving server from the actual connection. Always stick with the name inside the parentheses.

Now that you are done with the Received lines, you have the origin of the email: host-32-96-56-125.rdu.bellsouth.net. The From: line carries a fake address, usa@moon.org, but you now know that moon.org was not the origin.

Simple, huh? Well, things can get a little more complicated. Lately, spammers have been faking not only the From: line but also Received: lines. Here is an example:

Return-Path: 1383@Any_Domain.com
1 Received: from out5.ibm.net (out5.ibm.net [165.87.194.245]) by soleil.acomp.usf.edu (8.8.7/8.6.5) with ESMTP id KAA07781 for <doe@soleil.acomp.usf.edu>; Sat, 17 Jan 1998 10:36:19 -0500 (EST)
From: 1383@Any_Domain.com
2 Received: from 129.37.124.68 (slip129-37-124-68.fl.us.ibm.net [129.37.124.68]) by out5.ibm.net (8.8.5/8.6.9) with SMTP id PAA111414 for <abalacha@soleil.acomp.usf.edu>; Sat, 17 Jan 1998 15:36:04 GMT
Date: Sat, 17 Jan 1998 15:36:04 GMT
3 Received: (from uudp@lcllhost!) by in2.i_b_m.net (8.6.9/8.6.9) id CFF569794 for <rodney@DPAL!.com>; Sun, 18 May 1997 01:12:39 GMT
4 Received: from tomsnet!.com (mh.tomsnet!.com [100.301.57.69]) by m4.tomsnet!.com (8.6.12/8.6.12) with ESMTP id PAA21932
Received: from reb50.rs40_date.net (root@reb50.rs_date.net [289.36.1.176]) by tomsnet!.com (8.6.12/8.6.12) with ESMTP id PBA023891 for <zena@tomsnet!.com>;
Received: (from capt_domo@lclhost!) by pc.spark_er.net (8.7.3/6.7.3) id CFF34285 for planet_oreo_horizon; Sat, 17 May 2001 20:12:58 -0500 (CDT)
Received: from emoose.mail.n_bot.com (emoose.mx.n_bot.com [198.81.11.42]) by md.s#parpnet.net (8.7.4/8.7.3) with ESMTP id RAC035940 for <wayne_bobbit.com>;
Received: from clift.b89_crost.com (clift.b89_crost.com [199.3.12.256]) by dot.2_bycentric.net (8.8.5/04/01 3.26)) id LAT131787;
Received: from spr_most.bix.45neter!.com(204.332.183.71) by hars11.ix.45neter!.com via smapt (V1.3) id smr0029301;
Message-Id: <199801171034.e-mail@_gertrude.com>
To: doe@soleil.acomp.usf.edu
Reply-To: dembo2@hotmail.com
Subject: FREE LIFETIME WEBPAGES & E-MAIL
Content-Type: text
Content-Length: 2816

I have numbered the Received lines to make it a little easier to follow. Let's start tracking the lines in the same way we did in the first example. This email was received by soleil.acomp.usf.edu from out5.ibm.net (line 1). On line 2, we find that out5.ibm.net received the spam from slip129-37-124-68.fl.us.ibm.net (the sending computer announced itself only by its bare IP number, 129.37.124.68, but the name inside the parentheses is the one out5.ibm.net looked up itself, so that is the one to use). Now comes the tricky part. When we check line 3, we lose track of the thread: it claims the message was handled by in2.i_b_m.net, which is not the machine that line 2 says passed the mail to out5.ibm.net, and no ibm.net machine is mentioned at all. The same thing happens on line 4. That is because those lines are faked: the spammer typed them into the message before sending it, and every real mail server that handled it afterwards added its own Received line above them. Here are some hints that should help you confirm that the lines after line 2 are faked. On the Internet, each host is assigned a number we call an "IP number." No two hosts on the Internet use the same IP number at the same time. IP numbers are of the format XXX.XXX.XXX.XXX, where each XXX is a number between 0 and 255. Look at the IP number on line 4 (100.301.57.69). There cannot be a 301 in an IP number, so the number, and almost certainly the entire line, is a fake. The same goes for 289.36.1.176, 199.3.12.256 and 204.332.183.71 further down. The dates give the game away too: the genuine lines 1 and 2 are stamped 17 Jan 1998, within seconds of each other, while the lines below them are dated May 1997 and even May 2001, more than three years after the message arrived. Once the chain breaks, nothing below the break can be trusted; the last host you could follow, slip129-37-124-68.fl.us.ibm.net, is the likely source of the spam.
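The tracing procedure used in both examples, written out as an added Python script (this is an illustration for this page, not a tool from the USF help desk): it reads the Received lines from the top down, checks that each line's "by" host is the machine the line above says it received from, rejects impossible IP numbers and timestamps far from the delivery time, names the last host it could follow, and derives the abuse address from that name. The two header samples embedded in it are the ones quoted above, trimmed to the lines that matter; the two-day date tolerance and the country-code rule in abuse_address are assumptions of the example, not something the help desk procedure specifies.

```python
"""Walk a message's Received: lines top-down and stop at the first line that
does not chain to the one above it. Added example for this page, not a USF
help desk tool; the date tolerance and country-code rule are assumptions."""
import email
import email.utils
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# sendmail writes "from <announced name> (<looked-up name> [<ip>]) by <host>";
# the looked-up name may be missing or carry an ident prefix such as root@host.
FROM_RE = re.compile(r"\bfrom\s+(?P<helo>\S+)\s*\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\)")
BY_RE = re.compile(r"(?:^|\s)by\s+(?P<by>\S+)")

# Constructed input: the page's two header samples, bodies omitted; the second
# keeps only its four numbered Received lines (the rest were all forged too).
SPAM1 = """\
Return-Path: usa@moon.org
Received: from mail.rdu.bellsouth.net (mail.rdu.bellsouth.net [205.152.32.21]) by soleil.acomp.usf.edu (8.8.7/8.6.5) with ESMTP id IAA23137; Thu, 6 Nov 1997 08:40:12 -0500 (EST)
Received: from Default (host-32-96-56-125.rdu.bellsouth.net [32.96.56.125]) by mail.rdu.bellsouth.net (8.8.5/8.8.5) with SMTP id IAA13143;
    Thu, 6 Nov 1997 08:41:13 -0500 (EST)
From: usa@moon.org
Subject: A Must See For College Students

(body omitted)
"""
SPAM2 = """\
Return-Path: 1383@Any_Domain.com
Received: from out5.ibm.net (out5.ibm.net [165.87.194.245]) by soleil.acomp.usf.edu (8.8.7/8.6.5) with ESMTP id KAA07781 for <doe@soleil.acomp.usf.edu>; Sat, 17 Jan 1998 10:36:19 -0500 (EST)
From: 1383@Any_Domain.com
Received: from 129.37.124.68 (slip129-37-124-68.fl.us.ibm.net [129.37.124.68]) by out5.ibm.net (8.8.5/8.6.9) with SMTP id PAA111414 for <abalacha@soleil.acomp.usf.edu>; Sat, 17 Jan 1998 15:36:04 GMT
Received: (from uudp@lcllhost!) by in2.i_b_m.net (8.6.9/8.6.9) id CFF569794 for <rodney@DPAL!.com>; Sun, 18 May 1997 01:12:39 GMT
Received: from tomsnet!.com (mh.tomsnet!.com [100.301.57.69]) by m4.tomsnet!.com (8.6.12/8.6.12) with ESMTP id PAA21932
Subject: FREE LIFETIME WEBPAGES & E-MAIL

(body omitted)
"""

def valid_ipv4(text):
    """True only for four dotted decimal numbers, each between 0 and 255."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def norm(host):
    """Lower-case a host name, drop a trailing dot and any ident@ prefix."""
    return (host or "").lower().rstrip(".").split("@")[-1]

@dataclass
class Hop:
    raw: str
    helo: str = ""          # name the sender announced (outside the parentheses)
    rdns: str = ""          # name the receiving server looked up (inside)
    ip: str = ""
    by: str = ""            # server that wrote this line
    date: Optional[datetime] = None
    problems: list = field(default_factory=list)

def parse_received(value):
    hop = Hop(raw=" ".join(value.split()))          # unfold continuation lines
    m = FROM_RE.search(hop.raw)
    if m:
        hop.helo, hop.rdns, hop.ip = m["helo"], m["rdns"] or "", m["ip"]
        if not valid_ipv4(hop.ip):
            hop.problems.append(f"impossible IP number {hop.ip}")
    else:
        hop.problems.append("no 'from host (name [ip])' clause")
    m = BY_RE.search(hop.raw)
    hop.by = m["by"] if m else ""
    if ";" in hop.raw:                              # the timestamp follows the last ';'
        try:
            hop.date = email.utils.parsedate_to_datetime(hop.raw.rsplit(";", 1)[1].strip())
            if hop.date.tzinfo is None:             # assumption: a bare time is UTC
                hop.date = hop.date.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            pass
    return hop

def trace_origin(raw_message, max_skew=timedelta(days=2)):
    """Return (origin host, trusted hops top-down, first untrusted hop or None)."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted = []
    for hop in hops:
        if trusted:
            prev = trusted[-1]
            # this line must have been written by the host the line above received from
            if not hop.by or norm(hop.by) not in {norm(prev.rdns), norm(prev.helo), prev.ip}:
                hop.problems.append(f"'by {hop.by}' is not {prev.rdns or prev.helo}")
        if hop.date and hops[0].date and abs(hop.date - hops[0].date) > max_skew:
            hop.problems.append(f"dated {hop.date:%d %b %Y}, delivery was {hops[0].date:%d %b %Y}")
        if hop.problems:
            break                                   # chain broken: nothing below is trusted
        trusted.append(hop)
    else:
        hop = None
    if not trusted:
        return None, [], hop
    return (trusted[-1].rdns or trusted[-1].ip), trusted, hop

def abuse_address(host):
    """abuse@ the last two labels; three under a two-letter country code such as
    example.co.uk (a heuristic assumed here, not a rule the page states)."""
    labels = norm(host).split(".")
    ccsld = {"co", "ac", "com", "net", "org", "gov", "edu"}
    n = 3 if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ccsld else 2
    return "abuse@" + ".".join(labels[-n:])

if __name__ == "__main__":
    for sample in (SPAM1, SPAM2):
        origin, trusted, bad = trace_origin(sample)
        print(f"origin {origin} -> complain to {abuse_address(origin)}")
        if bad:
            print("  chain breaks at:", bad.raw[:50], "...", "; ".join(bad.problems))
```

Run as is and it reports host-32-96-56-125.rdu.bellsouth.net for the first sample and slip129-37-124-68.fl.us.ibm.net for the second, with the break at the "by in2.i_b_m.net" line. The continuity check is a heuristic: some legitimate mail servers write a different name in "by" than the next hop saw in "from" (an internal name versus a public one), so a mismatch is a reason to look closely, not proof of forgery on its own.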

Forwarding the Spam

At this point, we have the names of the computers that originated both spams we just reviewed: host-32-96-56-125.rdu.bellsouth.net in the first example, slip129-37-124-68.fl.us.ibm.net in the second. Now is the time to notify the administrators of these computers of the spam their users are sending out. Ignore the first part of the computer name and send the complaint to "abuse" at the last two pieces of the name of the computer that originated the email. In our examples, we need to forward the spam, with the entire header information, to abuse@bellsouth.net and abuse@ibm.net respectively. (The last two pieces are right for .com, .net, .edu and similar names; under some country codes the domain is three pieces long, for example abuse@example.co.uk rather than abuse@co.uk.) It is important to include the full header information when forwarding the message. In order to take action against spammers, system administrators need a copy of the spam showing all the headers of the email. Many of these computers have thousands of users, and the administrator needs the headers, in particular the IP number and the date and time, to locate the specific user that sent the message. Here is how to forward the email with some of the email readers I know.

Pine

The easiest way to forward the message is to NOT do it as an attachment. If you hit "F" while viewing the spam with full headers, a message will appear asking if you want to forward the message as an attachment. Answering "no" to that will cause the spam with full headers to be included in the body of the message you are forwarding.

Outlook 98

Forwarding the spam in Outlook is not as straightforward as in Pine. First, hit the "Forward" button to forward the message. The problem is that this alone forwards the message without the headers the administrator requires. So, in addition, follow the instructions in the Viewing Full Headers section to display the full headers. Once they are displayed, select the headers, use "ctrl-c" to copy them, and "ctrl-v" to paste them into the message you are forwarding.

Netscape Communicator

View the full headers using the instructions from the Viewing Full Headers section. Once you've done that, all you need to do to forward the message is to hit the "Forward" button. Netscape will forward your message as an attachment without clipping any of the headers of the attached email.