Being a guide on tracking down and nailing the senders of unsolicited advertisements.
By Andrew C. Bulhak, with help from Cosma Shalizi

AntiSpam HOWTO

Introduction

Over the past few years, as the Internet has become popular with the general public, it has attracted many problems. The Internet was built on an honour system of sorts; traditionally, it was used by a community which shared certain values and honoured an unwritten code of behaviour, or netiquette. However, with the explosion of popular interest, all this has changed. The majority of users today have arrived in the past few years; among these are some who do not know or care about the etiquette of the Net, and who believe the Internet to be a form of unlimited free advertising. These people, whether through ignorance, malice or a combination of both, waste the time and resources of others. Fortunately, they are in a minority, their behaviour is not widely condoned, and thus it is possible to retaliate against them.

Like most users, I have received unsolicited advertisements (spam) by email several times. To discourage this behaviour, I make a point of tracking down the access provider of the spammer and complaining not just to their postmaster (who, in most cases, is the spammer), but to the postmaster of the site upstream. Some providers (such as UUNet/AlterNet and MCI) have a policy of prohibiting spamming in user agreements and/or pulling the accounts of offenders.

Note that all IP numbers, email addresses and domain names used for demonstration purposes in this document are fictional.

Tracking down email spammers

Step 1: Look at the headers

If you have received unsolicited advertisements by email, how do you track down who is responsible? Well, firstly you look at the headers. If they are forged, there will often still be some clue to the actual origin of the message. More often than not, they either won't be forged or a URL will be provided. Your second line of attack is the InterNIC database; if you get an ad from [email protected], do a whois makemoneyfast.com. That may reveal information, such as other domains associated with the spammer (which may be owned by the spammer or may be ISPs).

Key headers to look for are:

The X-Sender: or Sender: header

If the spammer has forged the From: header, the mailer software will in most cases still put the apparent identity of the sender in another header.

The Received: headers

Every time the mail is relayed from one computer to another, a Received: line is added. Thus, on a message, you may have something like:

 Received: from www.makemoneyfast.com (w3.makemoneyfast.com [333.333.333.333])
 	by bruce.cs.central.edu.au (8.7.1/8.6.9) with ESMTP id XAA18112
 	for <[email protected]>; Fri, 1 Mar 1996 23:57:21 +1100
 Received: from spam.mmf.com (dialup-666.provider.net [333.333.333.6])
 	by www.makemoneyfast.com (8.7.3/8.7.3) with SMTP id AAA27819;
 	Fri, 1 Mar 1996 00:42:18 -0800 (PST)

The first line indicates that the mail was sent to your machine (in this case, bruce.cs.central.edu.au) from the machine www.makemoneyfast.com. The second line indicates that www.makemoneyfast.com, before that, received the message from a machine which calls itself spam.mmf.com, but whose real name is dialup-666.provider.net. Such a name suggests that this is a private machine run by the spammer, temporarily connected to a service provider by modem. In this case, the provider would be provider.net, meaning that you should complain to [email protected].
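As an added example (not part of the original HOWTO), here is a small Python script that does this reading of the Received: chain mechanically: it unfolds the headers, takes the earliest hop (the last Received: line), prefers the receiving mailer's reverse-DNS name over the name the sending machine gave itself, and derives the postmaster address to complain to. The sample headers are the guide's own fictional ones reflowed into raw-message form; the recipient address and the site_domain heuristic are assumptions.

```python
import re

# Constructed sample: the two Received: lines from this guide as they would sit in a raw
# message, folded onto continuation lines; the recipient address is a made-up placeholder.
SAMPLE_HEADERS = (
    "Received: from www.makemoneyfast.com (w3.makemoneyfast.com [333.333.333.333])\n"
    "\tby bruce.cs.central.edu.au (8.7.1/8.6.9) with ESMTP id XAA18112\n"
    "\tfor <recipient@cs.central.edu.au>; Fri, 1 Mar 1996 23:57:21 +1100\n"
    "Received: from spam.mmf.com (dialup-666.provider.net [333.333.333.6])\n"
    "\tby www.makemoneyfast.com (8.7.3/8.7.3) with SMTP id AAA27819;\n"
    "\tFri, 1 Mar 1996 00:42:18 -0800 (PST)\n"
)

# from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving host>; the part in parentheses
# was observed by the receiving mailer itself, so trust it over the self-chosen HELO name.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def received_hops(raw):
    """Parse the Received: chain, most recent hop first (the order in the message)."""
    unfolded = []  # join continuation lines (leading whitespace) onto their header
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    hops = []
    for line in unfolded:
        m = RECEIVED_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append(m.groupdict())
    return hops


def site_domain(host):
    """Rough heuristic (an assumption, not a public-suffix lookup): last two labels, or three
    under a two-letter country code such as edu.au."""
    labels = host.lower().rstrip(".").split(".")
    country_style = (len(labels) > 2 and len(labels[-1]) == 2
                     and labels[-2] in ("com", "net", "org", "edu", "co", "ac", "gov"))
    return ".".join(labels[-3:] if country_style else labels[-2:])


def complaint_target(raw):
    """Earliest hop: its claimed name, its real name, and the provider's postmaster address."""
    hops = received_hops(raw)
    if not hops:
        return None
    origin = hops[-1]
    real = origin["rdns"] or origin["helo"]
    return {"claimed_name": origin["helo"], "real_name": real, "ip": origin["ip"],
            "name_mismatch": site_domain(origin["helo"]) != site_domain(real),
            "complain_to": "postmaster@" + site_domain(real)}
```

A name_mismatch of True is the clue the text describes: the machine called itself spam.mmf.com but the relay saw it as a dialup at provider.net.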

Other headers that may carry machine identification

These include Message-Id: and Comments: (which often contains a message from the mailer software about the assumed identity of the sender).

Step 2: Use the InterNIC database

Often, if a spammer has sent mail from their own domain, looking up the InterNIC domain registration information on the domain will yield useful information. In order to get a domain (such as makemoneyfast.com), one has to submit a request to the registry, known as InterNIC. The information which must be provided, and which is stored in the database, includes the addresses of two machines which provide name service to the domain. These machines will in most cases belong to the access provider of the spammer.

On most UNIX systems, you can search the InterNIC database using the whois command. If this is unavailable, telnet to rs.internic.net and enter the command at the prompt as you would otherwise. The information returned typically looks like this:

 [xterm] InterNIC > whois makemoneyfast.com
 Connecting to the rs Database . . . . . .
 Connected to the rs Database

 Dodgy Bros. Advertising Emporium, Inc. (MAKEMONEYFAST-DOM)
    666 Main St.
    Anytown, XX 13013

    Domain Name: MAKEMONEYFAST.COM

    Administrative Contact, Technical Contact, Zone Contact:
       Jones, J. J.  (JJ1313)  [email protected]
       333-555-1212

    Record last updated on 01-Apr-95.
    Record created on 01-Apr-95.

    Domain servers in listed order:

    NS.PROVIDER.NET      333.333.333.1
    NS.DOBBSTOWN.EDU     666.666.666.1

Note that a machine being listed as a domain server does not automatically mean that it is connected with the spammer. If a domain mentioned here also appears in the headers, it is probably connected, and the postmaster there may be the party to complain to.

Note that this will not always work. If the spammer has invested enough to set up two nameservers under their own control (with either the same domain name or a different one), they will be listed there, and they will just gleefully toss any complaints in the bit bucket. In this case, you need to find the site upstream from them. This is where you proceed to step 3.

Step 3: traceroute

If all else fails, and you cannot find the identity of the ISP who provides access to the spammer, you have to use traceroute. Fortunately, in such cases the spammer is often well established, with a semi-permanent Internet connection, and thus easier to get a fix on.

traceroute is a UNIX system utility which traces a path from your machine to another machine. Since it uses low-level protocols, you may need a privileged account to run it (although, chances are that if you have a Linux box on which you are root and a SLIP connection, you will be able to do it from there). (Added by Sinan Ünür: The equivalent command on 32 bit Windows platforms is tracert. You can also download a postcard-ware package called Cyberkit which provides the functionality of a number of UNIX tools.)

To do this, find the name of a site belonging to the spammer. This can be a Web site advertised in the mail, or a machine which belongs to the spammer from which the mail issued. Then call traceroute with the machine name as an argument, like so:

 $ /usr/sbin/traceroute www.makemoneyfast.com 

This will slowly trace the path to the site, link by link, printing out the links along the way. Typically this starts at your site, goes to your local backbone (in my case to telstra.net and gw.au), goes along the Internet backbone (usually sites with names containing fddi and hssi and ending in mci.net or sprintlink.net or something); then it comes down to earth, as it closes on an Internet access company, then one of their gateways, then smaller and smaller sites until it hits home. The last few domains are the ones to whose postmaster you want to complain.

Step 4: Make a complaint

How do you complain? By sending a message to the postmasters at the machines providing access to the spammer. By Internet standards, each domain on the Internet must have a working address of the form postmaster@domain.name. These are the addresses at the domains you previously found to which you complain. Some service providers have other addresses specifically for handling complaints; for example, America Online (aol.com) and Netcom (netcom.com) use the addresses [email protected] and [email protected].

What do you send? Well, in most cases, something like the following will suffice:

 The following unsolicited commercial message was sent to me by one of your users; it is a waste of my time and disk space and the University's money. Please ensure that this does not happen again.

 Sincerely,
 Blake DeKalb
 Department of Computational Theology, Central University

 (forwarded copy of spam)

Of course, you should substitute your name and institution at the bottom, and customise it further. If you got 10 copies of the ad, say so. If the same attack happened a week ago, and you complained before, say so as well. Also include one copy of the offending mail. But be polite. Do not mailbomb the postmaster with complaints. If you like, you can Cc: it to the spammer, although this is more a matter of personal style than anything else.

When you complain, make sure that you retain a copy of the offending message, in case you need to follow up on your complaint. In most cases, this is unnecessary.

(The part about the University's money being wasted is particularly true in Australia, where institutions notionally pay for incoming data. It's probably only a few cents, but still it builds up.)

What happens next?

Chances are that if the spammer's service provider receives complaints about unsolicited mail, they will take action. They may issue a warning to the offender, or if the offender has been warned before, they may terminate their service.

Cosma Shalizi has the following suggestion to add:

Post news of the attack to news.admin.net-abuse.misc and news.admin.net-abuse.announce, including headers. Personally, I'd delete the list of addresses, if they show up --- why make it easier for other spammers? This spreads news of the attack, helps put pressure on the offending site's administration, and alerts sysadmins who can lean on rogue sites.

Odds and ends

In some cases, a spammer will have the gall to say in their message something like "If you wish to be removed from the mailing list, mail [email protected]", or even a preemptive apology for any inconvenience caused. Do not be taken in by this. Talk is cheap, especially when someone else pays. The advertiser does not have the right to put you on their mailing list in the first place, and if you quietly remove yourself by mailing this address, you are helping to legitimise this mode of operation. If nobody complains, it will become accepted practice.

I have heard that many spammers buy CD-ROMs of email addresses, usually collected from USENET or similar sources, for the purpose of spamming. If you find any companies which advertise such data or programs for sending unsolicited advertisements, it may be a good idea to let them know that they are providing a service which is not appreciated and to politely ask them to desist.

The following points were added by Cosma Shalizi:

Some points to add to acb's excellent summary of spam-hunting practice:

  1. Spammers buy email lists, and the addresses can be very old. (I'm being bugged by a five-year-old address snarfed from Usenet.) If you complain from your new address, some have the gall (or the stupid program) to add your new address to their list. When this happens, repeat the spam-hunting procedure, only with an even greater degree of righteous anger.
  2. Some spammers provide 800 numbers. It can be quite effective, and is almost always quite satisfying, to call and give them a piece of your mind. But don't do something like setting your modem to call them continuously: You lose all the moral advantage.
  3. Some spammers become abusive when you complain. Cc'ing their abuse to their postmaster can work wonders. Here in Her Own Country, snail-mail spammers (i.e. direct marketers and such) have to tell you where they got your address from. I don't know whether that law applies to email spam: Probably not.