This section deals with the technical aspects of spam, like telling
where it came from. Having a UNIX shell account will be extremely
helpful as a lot of the utilities are native to UNIX; however,
you can perform most of these functions with other
operating systems using third-party (usually shareware) tools, unlike UNIX,
which comes with many of the tools mentioned already installed.
Attempts have been made in this section to detail how to do the functions
described on your computer, with alternatives listed at the appropriate
points.
OK, I just got spammed. Now what?
First, please make sure that it is indeed spam and that you didn't
subscribe yourself to a list and ended up forgetting about it. This is
more common than you might think -- ever fill out one of those web forms
and forget to check whether the "Send me Info" box was checked or
unchecked? It's usually set on by default.
Also make certain that it's not from someone you met or corresponded with
briefly, and have since forgotten. (It's happened to me!)
Here's a list of things to look for:
- Forged headers.
- Sent from a throwaway account. Common ISPs that supply throwaway
accounts include Compuserve, Prodigy, and Netcom.
- Relayed through a third-party mailserver.
- Promotes a webpage on another site.
- Directs replies to an e-mail address on another system. Common
examples include AOL and hotmail accounts.
If you're certain it's spam, continue on!
But I only got one copy. How do I know it was really sent in bulk and therefore spam?
You don't.
To elaborate, you don't need to. If it looks like spam and smells like
it (be sure to check the headers for signs of forgery), it's best to
complain to the ISPs involved and let them make that determination. If
yours is the only complaint they have received, then perhaps it wasn't a
spam at all. If however the ISP receives hundreds of complaints, they
can then conclude that their client did spam and take appropriate action
against them.
What are these "headers" you folks keep talking about?
An e-mail message is divided into two parts, the headers and the body.
The headers contain all the technical information, such as who the sender
and recipient are, and what systems it has passed through. The body
contains the actual message text. The headers and body are separated by
a blank line. In some mail programs, the headers are shown separately.
How can I view the headers with mail client X?
What follows are instructions for viewing headers with some of the more
popular mail clients:
- Elm, Pine, and Mutt: Press "h" from the message selection menu to view
the full headers of the currently selected message.
- Eudora: Open the message. Under the title bar are four options. The
second from the left is a box which says "Blah, Blah, Blah." Click on
that to display the full headers.
- Hotmail: Go into "Options", "Preferences", and choose "Message headers".
You'll want to choose the "Full" option to display Received: headers.
"Advanced" will display that as well as MIME headers. Do note, however,
that sometimes Hotmail has to press some previous-generation mailservers
into service, and messages sent through those mailservers won't show any
headers no matter what. :-(
- Lotus Notes 4.6.x: Open the offending mail. Click on "Actions", then
"Delivery information". Cut and paste the text from the bottom box,
marked "Delivery information:".
- Netscape Mail: Choose "OPTIONS" from the options menu bar. Listed as an
option is "Show Headers". Choose full headers.
- Outlook Express: Open the message. Choose "File" from the options menu
bar. Listed as an option is "Properties". Another window will open,
showing two tabs. You want to choose the one titled "Details". Then cut
and paste the headers into the message you want to forward.
- Outlook 2000: Double click on the message to open it up, click on
"View --> Options", and you will see the message headers in a box at the
bottom of the window. You can copy/paste them from that window.
- Pegasus: Choose "READER" from the options menu bar. Listed as an option
is "Show all Headers". This does not work for HTML messages, however. A
workaround is to select the message properties and de-select "Contains
HTML data".
How do I read them?
This depends on your mail reading program. Most programs have an option
that will display all the headers of the message. Another technique is
to read your e-mail with a standard text editor as opposed to an e-mail
program. Check the docs that come with your email reader or read the
online help. You could also contact your ISP for assistance or talk to
your help desk if this takes place at work.
You'll know that you're viewing the headers when you see several lines
that start with the word "Received: ". These lines are very important to
tracking the source of a spam, as you'll see later.
What does "forging" mean?
"Forging" means trying to disguise where the message came from. Spammers
do this a lot so that you won't know whom to complain to. It can be done
by a variety of methods, from simply placing deliberately erroneous
information in their email program, to manually sending mail using Telnet
to an SMTP server (port 25). This requires fairly intimate knowledge of
the SMTP protocol, which is, unfortunately, not hard to understand.
(RFC 821. A slightly more readable version is available at the faqs.org
site.)
Forging e-mail headers is not presently illegal in the US.
Some argue that it should be.
Uh, what's Telnet?
Telnet is the name of both a program and a part of the TCP/IP protocol
suite which allows you to remotely access a computer. In the case of
services such as mail, which run on port 25, you can telnet into that
port and interact with the service manually. You can also do this to
webservers on port 80 or finger daemons on port 79. It's kinda neat. :-)
Anyway, to access telnet if you are on a UNIX system, just type
telnet hostname <port>, where the port number is
optional. If you are on Windows 95/98/NT, choose "Run" from the start
menu and type telnet hostname <port> from there.
Otherwise, searching Tucows for a
Telnet program would be a good thing (NiftyTelnet for Macintosh is pretty
good).
What is the "point of injection"?
In a typical spam, there are two different kinds of systems involved:
- The sending system. This is the actual machine that the spammer
is on, assuming that they are using a SLIP/PPP connection. Its name
usually has "dialup" or "ppp" somewhere in the name.
- The mailing system. This is the "point of injection". Most
e-mail clients (or MTAs under UNIX) allow the user to designate a
"smarthost", more commonly known as a "relay". This takes the load
off the user's machine and places it on the ISP's mailserver so the
user can do other things. When forging a message, the spammer will
choose another host elsewhere on the Internet so that their provider
will not know what they are up to.
How can I track down the sending system?
Look in the headers and you will find a series of lines starting with the
line "Received:". One of these is added for every system the e-mail
passes through.
The synopsis for a Received: header is:
Received: from <one system> by <the next system> <the current date>
Therefore, the following example headers:
--------QUOTED HEADERS-------------
Received: from hermes.ntview.com by oasis.ot.com (8.7.6/8.7.3) with ESMTP
id CAA26482 for <dmuth@ot.com>; Tue, 28 Jan 1997 02:25:42 -0500 (EST)
-------END QUOTED HEADERS----------
demonstrate that the original message was sent by hermes.ntview.com.
The Received: headers are added at the top of the message by each MTA
(Mail Transport Agent), so that your
own system's Received: line should be the first you read, and the spammer's
will be somewhere down the list. The list should form an unbroken path
(i.e. from B by A, from C by B, from D by C). If the path is broken somewhere,
it is often a sign that the rest of the Received: lines are forged.
One other way to get an idea of the sending system is to look for the
first occurrence of a PPP or SLIP hostname, or something similar
indicating a dialup connection. Spammers don't relay through dialups
very much. :-)
What about these "stealth" mailers?
Some of the newer spamming programs put in fake Received: headers in order
to prevent users from finding the first ones. This is rather foolish,
as most spammers don't understand the net and put in wildly bogus values.
Here are a few things that let you know a header has been forged:
- Look for a wrong Eastern Timezone of "-0600 (EST)" (EST is normally
-0500, while EDT is -0400) in conjunction with an SMTP id which will
always start with "GAA...". This is perhaps the most common Stealth
Mailer signature seen (an example of it appears below).
- A new, laughably "repaired" Stealth Mailer has surfaced recently; its
signature errors are an SMTP id which always starts with "XAA..." and an
Eastern Timezone correction which is even more wrong than before, now
listing "-0700 (EDT)"
- Look for a spoofed address in the Received: header. A real Received:
header has the address of the recipient as the address (i.e. dmuth@ot.com in
the above example). If the address there isn't yours, it's a forged header.
- Look for a spoofed SMTP id. A real one generally matches its first
letter to the hour of the time the hand-off occurred; e.g., if the time
listed in this header is between midnight and 1:00 a.m., its SMTP id
should start with "A..."; between 1:00 a.m. and 2:00 a.m. should indicate
"B..." and so on.
- Look for IP node numbers of 0 or greater than 254. IP addresses only
range from 1 to 254. (0 indicates a network address and 255 is for
broadcasting).
- Look for a system named "alt1"; this can be filtered on, as I have
caught many spams with zero false positives in this manner.
A few examples of spoofed headers:
Received: from email4all@aol.com by email4all@aol.com (8.8.5/8.6.5) with
SMTP id GAA02084 for <email4all@aol.com>; Thu, 26 Jun 1997
10:52:37 -0600 (EST)
Received: from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net
(8.8.5/8.6.5) with SMTP id GAA06154 for <gpg@lconn.net>; Wed, 25 Jun 1997
23:00:38 -0600 (EST)
A word about firewalls and forwarders
If your ISP has a firewall, or you have some sort of forwarding from
another e-mail address, there may be one or more extra sets of
Received: headers present. Please mention this when reporting a spam to
the list.
For example, if I have an e-mail address of dmuth@forwarder.com which
forwards e-mail to the address dmuth@myhost.com, there will be an extra
Received: header put in by forwarder.com:
Received: from forwarder.com (forwarder.com [201.96.1.32])
by myhost.com (8.8.7/8.8.7) with ESMTP id SAA02629
for <dmuth@myhost.com>; Thu, 18 Sep 1997 18:31:46 -0400 (EDT)
What's this stuff in parentheses in the Received: header?
When there is stuff in a set of parentheses, it is due to the receiving
host adding in the IP address (and possibly a reverse DNS as well) of the
host which sent them the e-mail. This prevents the sending host from
lying about its name (A Good Thing).
For example:
--------QUOTED HEADERS-------------
Received: from q.qqq.com (ppp-206-171-250-20.vntrcs.pacbell.net
[206.171.250.20]) by mail.themall.net (8.8.5/8.8.2/IIAM 1.0 (DCH)) with
SMTP id IAA00719; Wed, 5 Mar 1997 08:40:22 -0800 (PST)
-------END QUOTED HEADERS----------
mail.themall.net did a reverse DNS and determined that this mail really
came from pacbell.net as opposed to qqq.com, which is really in the
Netherlands. Whoever sent this lied about their origin, but the system
did a "callback" of sorts.
Just a note though, a forged header could have a forged "reverse DNS"
lookup as well.
How do I track down the point of injection?
The point of injection is usually the second host in the mail path
(i.e. the second bottom-most Received: line); the
first is usually the spammer's machine. Remember, if the spammer is
trying to cover their tracks, they won't use their own ISP's
mailserver.
For example:
--------QUOTED HEADERS-------------
Received: from smtp.gte.net (radius3.gte.net [206.124.68.25]) by
oasis.ot.com (8.7.6/8.7.3) with SMTP id SAA18708 for <dmuth@ot.com>;
Wed, 5 Mar 1997 18:41:30 -0500 (EST)
Received: from r9892423 (Cust118.Max60.Los-Angeles.CA.MS.UU.NET
[153.34.100.118]) by smtp.gte.net (SMI-8.6/) via SMTP id QAA16410; Wed, 5
Mar 1997 16:31:34 -0600
-------END QUOTED HEADERS----------
The spammer set their relay to smtp.gte.net, an innocent system. Also,
as you can see, smtp.gte.net did a reverse DNS, which is good as the
spammer put a bogus name in for their system (r9892423).
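The chain-walking and forgery checks described in the sections on tracking the sending system, the "stealth" mailer signatures, and the point of injection, combined into one added Python example (this is not code from the FAQ). The message headers in SAMPLE are constructed for the example from the forms quoted on this page, with the "alt1" stealth-mailer line appended below the two gte.net lines as a forgery; dmuth@ot.com plays the role of the recipient. The heuristics are the FAQ's own: an EST/EDT label whose offset is wrong, an SMTP id letter that does not match the hour, a "for <...>" address that is not yours, a node number of 0 or over 254, and a host named alt1. Hops below a break in the from/by path are checked but not trusted when naming the sending system and point of injection.

```python
import re

# Sendmail-style Received: line after unfolding.  Parts that some MTAs omit
# (the parenthesised reverse DNS, the id, the "for <...>" clause) are optional.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<paren>.*?)\))?\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bid\s+(?P<id>[A-Za-z0-9]+))?"
    r"(?:.*?\bfor\s+<(?P<rcpt>[^>]+)>)?"
    r".*?;\s*(?P<date>.+)$",
    re.DOTALL | re.IGNORECASE,
)
TIME_RE = re.compile(r"(\d{1,2}):\d{2}:\d{2}\s+(?P<off>[+-]\d{4})(?:\s+\((?P<label>[A-Z]{3,4})\))?")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
ZONE_OFFSETS = {"EST": "-0500", "EDT": "-0400"}   # the offsets the FAQ gives

# Constructed sample (see lead-in): two genuine-looking hops, then a forged one.
SAMPLE = """\
Received: from smtp.gte.net (radius3.gte.net [206.124.68.25]) by
    oasis.ot.com (8.7.6/8.7.3) with SMTP id SAA18708 for <dmuth@ot.com>;
    Wed, 5 Mar 1997 18:41:30 -0500 (EST)
Received: from r9892423 (Cust118.Max60.Los-Angeles.CA.MS.UU.NET
    [153.34.100.118]) by smtp.gte.net (SMI-8.6/) via SMTP id QAA16410; Wed, 5
    Mar 1997 16:31:34 -0600
Received: from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net
    (8.8.5/8.6.5) with SMTP id GAA06154 for <gpg@lconn.net>; Wed, 25 Jun 1997
    23:00:38 -0600 (EST)
Subject: constructed example
"""


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return the Received: headers top to bottom; unparsable ones keep only 'raw'."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.match(line)
        hops.append(m.groupdict() if m else {"raw": line})
    return hops


def check_header(h, my_address):
    """Apply the FAQ's forgery heuristics to one parsed hop; return the findings."""
    if "raw" in h:
        return ["could not parse: " + h["raw"][:40]]
    problems = []
    t = TIME_RE.search(h["date"] or "")
    if t:
        hour, label, off = int(t.group(1)), t.group("label"), t.group("off")
        if label in ZONE_OFFSETS and ZONE_OFFSETS[label] != off:
            problems.append("offset %s does not match %s" % (off, label))
        if h["id"]:
            # sendmail queue ids start with a letter for the hour: A=00, B=01, ...
            expected = chr(ord("A") + hour)
            if h["id"][0].upper() != expected:
                problems.append("id %s should start with %s at %02d:xx" % (h["id"], expected, hour))
    if h["rcpt"] and h["rcpt"].lower() != my_address.lower():
        problems.append("for <%s> is not the recipient" % h["rcpt"])
    for m in IPV4_RE.finditer(h["paren"] or ""):
        node = int(m.group(4))            # the host ("node") octet the FAQ refers to
        if node == 0 or node > 254:
            problems.append("bogus node number in %s" % m.group(0))
    if re.search(r"\balt1\b", h["helo"] + " " + (h["paren"] or ""), re.IGNORECASE):
        problems.append("host named alt1")
    return problems


def _names(h):
    """Names under which a hop may appear as the next line's 'by': HELO and reverse DNS."""
    names = {h["helo"].lower()}
    if h["paren"]:
        names.add(h["paren"].split()[0].lower())
    return names


def analyse(raw, my_address):
    """Walk the chain from our own MTA downward ("from B by A, from C by B")
    and stop trusting hops at the first break in the path."""
    hops = parse_received(raw)
    report = {"hops": len(hops), "break_at": None, "problems": [],
              "sending_system": None, "point_of_injection": None}
    trusted = []
    for i, h in enumerate(hops):
        report["problems"].append(check_header(h, my_address))
        if report["break_at"] is not None:
            continue                      # below the break: checked, not trusted
        if "raw" in h or (trusted and h["by"].lower() not in _names(trusted[-1])):
            report["break_at"] = i
            continue
        trusted.append(h)
    if trusted:
        last = trusted[-1]                # bottom of the unbroken path
        report["sending_system"] = {"claimed": last["helo"], "verified": last["paren"]}
        report["point_of_injection"] = last["by"]   # the "second host in the mail path"
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, "dmuth@ot.com").items():
        print(key, "=", value)
```

Real mail adds one wrinkle the FAQ mentions in the firewall/forwarder section: a forwarder inserts an extra hop, but that hop still continues the from/by path, so the walk above simply passes through it. What it cannot do is resolve names; the "verified" field is whatever the receiving MTA wrote in parentheses, which, as the FAQ notes, a forger can fake too.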
What about host names like "222.173.190.239" or even "3735928559"?
Sometimes, they're an attempt by the spammer to conceal the host's
name. If you're lucky, you can find out the host's name just by
running an nslookup or similar.
However, not all hosts have a human-readable name; if the host you
want to investigate only has an IP number, you can at least try to
find out who owns the netblock via whois.
See below.
The single big number is a special case of a raw IP address. All
Internet addresses (IPv4) are really 32-bit numbers (between 0 and roughly 4.2
billion) but they're conventionally broken up into 8-bit pieces with
periods between them. If you are familiar with hexadecimal notation,
this should be fairly easy to understand: 3735928559 is equal to
0xdeadbeef which, if you insert periods between the octets, is
0xde.0xad.0xbe.0xef, which is 222.173.190.239. (This is not really an
existing host address, at the time of this writing.)
Many, many hosts are badly configured so that there is no reverse DNS
for looking them up by IP number, even though there is a host name
associated with that IP number. Sometimes you can find a host's name
by probing it a little bit. For example, telnetting to port 25 will
get you a standard SMTP greeting which contains a host name, if that
host is running an SMTP (mail) server. (Of course, the host name there
could still be forged or incomplete.)
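The conversion the FAQ walks through for 3735928559, generalised to the address spellings one meets in headers and URLs (a plain decimal number, 0x hex, dotted decimal, and dotted hex such as 0xde.0xad.0xbe.0xef), as an added Python example that is not part of the original FAQ. The function names are my own; anything that is not a valid 32-bit address, including a real host name, comes back as None so the caller knows to fall back to nslookup or whois.

```python
import re


def dotted_from_int(n):
    """Render a 32-bit integer as dotted decimal, e.g. 3735928559 -> 222.173.190.239."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 address: %d" % n)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_from_dotted(text):
    """Parse a.b.c.d where each octet is decimal or 0x-hex, checking the 0-255 range."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % text)
    value = 0
    for part in parts:
        octet = int(part, 16) if part.lower().startswith("0x") else int(part, 10)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % part)
        value = (value << 8) | octet
    return value


def canonical_ipv4(host):
    """Return the dotted-decimal form of any of the spellings above, or None
    when host is not an IPv4 address at all (a host name, or garbage)."""
    s = host.strip().lower()
    try:
        if re.fullmatch(r"\d+", s):              # "3735928559"
            return dotted_from_int(int(s, 10))
        if re.fullmatch(r"0x[0-9a-f]+", s):      # "0xdeadbeef"
            return dotted_from_int(int(s, 16))
        if s.count(".") == 3:                    # "222.173.190.239" or "0xde.0xad.0xbe.0xef"
            return dotted_from_int(int_from_dotted(s))
    except ValueError:
        return None
    return None


if __name__ == "__main__":
    for spelling in ("3735928559", "0xdeadbeef", "0xde.0xad.0xbe.0xef", "mail.ot.com"):
        print("%-22s -> %s" % (spelling, canonical_ipv4(spelling)))
```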
Why should I bother to track down the point of injection?
Most sysadmins do not like it when another user sends out hundreds of
thousands or even millions of pieces of e-mail through their system without
their permission. Therefore, they will appreciate you telling them that
their system was/is being abused in such a manner.
Secondly, it is also a theft of service to use another system for sending
your e-mail. When Cyberpromo sends out its 2 million bulk e-mails, all
they send to the innocent mailhost is the text of the message and a list
of the recipients. This poor system now has to create one copy of the
message for every address on that list and deliver them,
which is a huge waste of resources on that system. At this
point, the sysadmin may want to sue the spammer.
What's Traceroute, and how do I use it?
Traceroute is a UNIX tool (there are versions for other OSes) for
determining the path that your data packets take from one system to
another. In the case where a spammer has their own domain, you can use it
to determine who their ISP is and complain to them directly.
The synopsis of the traceroute command on UNIX is:
traceroute <hostname>
For example:
$ traceroute whitehouse.gov
traceroute to whitehouse.gov (198.137.241.30), 30 hops max, 40 byte packets
1 milo.ot.net (199.234.240.100)
2 slab.ot.net (199.234.240.1)
3 ucsc2-gw-hssi1-0.phl.prep.net (129.250.201.1)
4 ucsc1-gw-fddi-1-0.phl.prep.net (192.204.183.1)
5 border2-hssi1-0.WestOrange.mci.net (204.70.66.5)
6 core1-fddi-1.WestOrange.mci.net (204.70.64.33)
7 somerouter.sprintlink.net (206.157.77.106)
8 sl-pen-18-P4/0/0-155M.sprintlink.net (144.232.0.73)
9 144.232.8.2 (144.232.8.2)
10 sl-dc-17-F0/0.sprintlink.net (144.228.20.17)
11 sl-eop-1-S0-T1.sprintlink.net (144.228.72.66) **The upstream**
12 whitehouse.gov (198.137.241.30)
As you can see, whitehouse.gov has sprintlink.net as an ISP, also known
as their "Upstream Provider".
I don't have/use/understand UNIX. Can I still use traceroute?
Yes. Most operating systems, including Win 3.x, Win95, and WinNT, have a
traceroute tool. On Windows systems, open a DOS session and use the
command
tracert <hostname>
This tool is present on most Win95 and WinNT machines, and on Windows for
Workgroups 3.11 with the TCP/IP-32b drivers installed. (Hint: Try it. If
it doesn't work, it's probably not installed. Easier than figuring out
the gibberish above) ;-)
On the Macintosh, you can use the shareware product called IPNetMonitor,
which has a full suite of IP tools, including Trace Route, Whois, NS
Lookup & Ping. It is available at http://www.sustworks.com. Also
available is AGNet Tools, which can be found at Lycos (Tucows).
The rest of the information on traceroute applies. Note that you may not
have this program installed, especially if you use a third-party TCP/IP
stack. In this case, see the section on
web based traceroutes for Web-based gateways to traceroute.
Traceroute says "unknown host", now what?
You probably have chosen a mail alias -- a system that handles mail for a
given Internet domain. Use the nslookup command to search for MX
records and run traceroute to the resulting system(s).
The synopsis for using nslookup is:
nslookup -q=mx <hostname>
Although nslookup's output is verbose and a bit cryptic to the neophyte,
you should be able to glean some good host names from the list you get.
Example:
dmuth:~$ nslookup -q=mx ot.com
Server: ns.ot.com
Address: 199.234.240.5
ot.com preference = 10, mail exchanger = mail.ot.com
ot.com nameserver = ns.ot.com
ot.com nameserver = dns-east.prep.net
mail.ot.com internet address = 199.234.240.2
ns.ot.com internet address = 199.234.240.5
dns-east.prep.net internet address = 129.250.252.10
In this case, the mail alias for ot.com is mail.ot.com, which you could
then do a traceroute to.
Traceroute hangs, now what?
Since traceroute does a reverse DNS on every host it encounters, there
may be a DNS server not responding that prevents traceroute from
finishing the trace. Try a "traceroute -n" to display only the IP
addresses. You can use nslookup later to determine the host names.
I get a bunch of asterisks (**), now what?
This means that the host you're trying to reach didn't respond. This may
indicate that the spammer has been disconnected! (Joy!)
Of course, it could be that the system is just down for a while, such as
a dialup host which is not currently dialed up to the net.
Web Based Tracerouting
Point your web browser to
http://www.traceroute.org for a list of
traceroute servers you can use.
What's WHOIS, and how do I use it?
'Whois' specifies a protocol by which a whois client (link to
whois clients) can query a 'Whois' server for information
regarding domain names, IP ranges or people.
In general, the syntax of the Whois command (under Unix) is:
- $ whois -h <whois.host.to.query> "search string"
Certain whois clients are installed to query a particular whois
server (normally whois.internic.net) by default.
Usually when querying a particular whois server, you can always
ask for 'help'.
Using 'Whois' for Domains (.com, .net, .edu, .org ):
Before using 'whois' randomly, it pays to understand a certain
hierarchy in the organisation of domain names. Historically, the
InterNIC handled all domains under .com, .net, .edu, and .org.
Recent changes have forced this system to be split up into a
Registry (the core database) and many Registrars (organisations
which register domains into the Registry).
To query the Registry for domains within the .com, .net, .edu, and
.org TLDs (Top Level Domains), first query the InterNIC Registry:
This will return a *redirection* to the database of the appropriate
Registrar. (Formerly, Network Solutions was both the Registry (as
InterNIC) and Registrar), i.e.:
- Whois Server Version 1.1