Gallatin River Communications'  
E-mail and Computer Security Site  

Reporting Spam to the Right Places
So you have a bunch of spam in your email box and you want to complain? This guide will help! If you want to help stop spam, you need to send the complaint to the network that it came from. Unfortunately, figuring this out can be a complicated process!

The first thing you need to realize is that the From: and To: fields tell you absolutely nothing about where the spam message originated. These fields can contain anything the spammer wants! For instance, a message might just as well say:

To: Spam Victim 
From: Relentless Spammer 

Of course, rather than using something so obviously fake, spammers use something that looks real and tricks recipients into thinking the mail came from some place it didn't. It also often leaves a recipient asking, 'Why do I get email that is not addressed to me?'

Note: Because this information is almost always spoofed, clicking "Forward" in your mail client and forwarding a copy of spam that contains only the spoofed "To:" and "From:" fields is a waste of time. Your message will likely not be read by abuse administrators, because there is no useful information in your complaint and no way to track down the spammer. Furthermore, because you didn't investigate the origin of the spam, the complaint is likely in the wrong hands (i.e. not those of the administrator of the network the spam originated from).

So, how do you find out where a piece of spam comes from if you can't rely on the "To:" and "From:" fields? You can use a tool that helps you decipher the message headers and figure out who to complain to. One such tool that does a fairly good job of this is located at SpamCop's website. SpamCop allows you to paste message headers into a web form for analysis. It will attempt to figure out which headers are real and which are forged and let you choose which abuse addresses to send a pre-formatted complaint to. By far, this is the easiest and most efficient way for most consumers to report spam. However, SpamCop's analysis is not foolproof and may make mistakes. Keep this in mind if you use their service!

Note: If you are not sure how to find the message headers of a spam message, SpamCop keeps an up-to-date list of how to view message headers in a wide variety of e-mail clients.


Tracking Spammers Manually

If you wish to understand more about how mail headers work and report spam manually, here is a brief introduction about how to get started:

First it is important to understand that an email message starts from the sender's computer and is transmitted through several different mail servers before it finally reaches your e-mail box. Each time it passes through a mail server it gets stamped with a "Received:" line that records the source (IP address) and date of the transmission. These "Received:" lines must be deciphered in order to track down the spammer. Unfortunately, spammers often forge "Received:" lines in order to make an already difficult task even more difficult.

Let us look at an example of some message headers from a spam message so that we can examine what "Received:" lines look like. This example shows a piece of spam that was transmitted by a computer with the IP address 66.79.40.231. The spam was sent to spam_victim@mydomain.com (changed to protect the recipient). (Incidentally, the owner of this computer did not know his computer was part of a zombie network and was being used by spammers to transmit spam!) Typically, you will want to read the "Received:" lines from the bottom up. The last "Received:" line (green) is usually the first mail server to receive the message and contains the origin of the spammer. However, you must keep in mind that the last line (or last several lines) may be forged; this makes analysis tricky.

Return-path: <AOKHPLQ@gessy-verne.com>
Envelope-to: x
Delivery-date: Sat, 04 Sep 2004 21:53:02 -0700
Received: from [216.34.94.175] (helo=amx.mailix.net)
	by mx.mailix.net with esmtp (Exim 4.24-NY)
	id 1C3p1R-0000I1-Ui
	for <spam_victim@mydomain.com>; Sat, 04 Sep 2004 21:53:02 -0700
Received: from [66.79.40.231] (helo=66-79-40-231.dsl.coastalnow.net)
	by amx.mailix.net with smtp (Exim 4.30-wind)
	id 1C3p0G-00053j-GW
	for <spam_victim@mydomain.com>; Sat, 04 Sep 2004 21:51:49 -0700
Message-ID: <ERCY_____________JNUO@flxb.com>
From: "Kirby" <AOKHPLQ@forged-domain.com>
Reply-To: "Kirby" <AOKHPLQ@forged-domain.com>
To: Joe 
Date: Sun, 05 Sep 2004 17:46:37 -0300
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Subject: You've got to see this Ph-arm-acy

Starting from the bottom going up, the last "Received:" line (green), we can see that the message was received BY the amx.mailix.net mail server FROM the IP address 66.79.40.231. This IP address is the address used by the spammer to transmit the spam. In this particular case, the IP address belonged to a compromised customer. (We contacted the customer so that they could clean and secure their computer.)

It is important to note that while sometimes entire "Received:" lines are forged, other times only part of a line is forged. If part of the line is forged, the part you can usually trust is the IP address shown in brackets, not the name beside it. This is because most mail servers are smart enough to detect forgeries when adding the stamp to a message and will record the IP address they actually saw.
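As an added example (not part of Gallatin River's page), the following Python script parses the headers quoted above the way this section describes: it unfolds the tab-indented continuation lines, lists the "Received:" hops from the bottom up, keeps the bracketed IP separate from the claimed helo name, and also checks that each server's "by" name reappears as the next hop's helo, a consistency check that goes one step beyond the text. The sample headers are a constructed copy of the ones shown above, and the names SAMPLE_HEADERS, parse_received, chain_breaks and origin_ip are my own.

```python
import re

# Constructed sample: the Received: lines quoted on this page, with their folded,
# tab-indented continuation lines as they appear in the raw message source.
SAMPLE_HEADERS = """\
Return-path: <AOKHPLQ@gessy-verne.com>
Received: from [216.34.94.175] (helo=amx.mailix.net)
\tby mx.mailix.net with esmtp (Exim 4.24-NY)
\tfor <spam_victim@mydomain.com>; Sat, 04 Sep 2004 21:53:02 -0700
Received: from [66.79.40.231] (helo=66-79-40-231.dsl.coastalnow.net)
\tby amx.mailix.net with smtp (Exim 4.30-wind)
\tfor <spam_victim@mydomain.com>; Sat, 04 Sep 2004 21:51:49 -0700
From: "Kirby" <AOKHPLQ@forged-domain.com>
Subject: You've got to see this Ph-arm-acy
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IP: the part to trust
HELO_RE = re.compile(r"\(helo=([^)\s]+)\)")            # name the sender claimed: may be forged
BY_RE = re.compile(r"\bby\s+(\S+)")                    # the server that added this stamp

def unfold_headers(raw):
    # A line beginning with whitespace continues the previous header line.
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    # Hops in transmission order: the bottom-most Received: line becomes index 0.
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        ip, helo, by = (rx.search(line) for rx in (IP_RE, HELO_RE, BY_RE))
        hops.append({"ip": ip and ip.group(1), "helo": helo and helo.group(1),
                     "by": by and by.group(1)})
    hops.reverse()
    return hops

def chain_breaks(hops):
    # Each server's "by" should reappear as the next hop's "helo"; a mismatch is
    # the point where the bottom-up story stops being consistent.
    return [i for i in range(len(hops) - 1)
            if hops[i]["by"] != hops[i + 1]["helo"]]

def origin_ip(raw):
    # Best candidate for the sending host: the IP in the bottom-most Received: line.
    hops = parse_received(raw)
    return hops[0]["ip"] if hops else None
```

For a real message, paste the full raw headers in place of SAMPLE_HEADERS; the IP returned by origin_ip is the one to look up in the WHOIS registries, and a non-empty chain_breaks result is a hint that some of the bottom lines may be forged.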

Note: It isn't humanly possible for any internet service provider to investigate the message headers of every piece of spam that every customer receives, so do not forward copies of your spam to Gallatin River - we have plenty of samples! This doesn't mean that we do not care about the spam you receive. Spam wastes bandwidth, requires significant resources to process, and makes customers unhappy, so we do all we can to stop it -- but sending Gallatin River copies of your spam is usually not very helpful, unless the spam originated from another Gallatin River customer. It is important to do research prior to submitting complaints and to send the complaint to the right organization so that they can track down the spammer; almost all internet service providers welcome a well-researched and accurate complaint about spam originating from their network.

In our example, now that we have determined that the spammer's IP address is 66.79.40.231, we still don't know who to complain to. In order to find out, you first need to find out who owns the IP address. This is done by looking up information in the correct "WHOIS" database.

There are four Regional Internet Registries that document IP address owners:

Note: Sometimes when you look up an IP address in one database it will point you to one of the others. For instance, if you look up a Korean IP in ARIN's database it will refer you to APNIC. Alternatively, you can look up an IP in all WHOIS databases at once by typing it into the WHOIS search box at www.dnsstuff.com

Once you key the IP address into the proper WHOIS registry, you will receive back information about who owns the IP address and a contact e-mail address. You can try sending your complaint (include the full headers of the spam message!) to the abuse contact listed. If an abuse contact is not listed, you can take the domain of one of the other listed email addresses and try looking it up at abuse.net, which maintains a list of abuse contact addresses per domain. As an exercise, you can try entering the IP address in our example (66.79.40.231) into ARIN's WHOIS search to see what is returned.

Learning how to read mail headers and figuring out who to complain to is a time-consuming and difficult task, but unfortunately it is necessary in order to track down and report spammers. If you are interested in learning more, here are some resources that may help: