Basic Spam Chasing

I Hate Spam

February 2004
Updated September 2006
Updated February 2008

I really hate it. I hate it so much that I threw together some basic directions on how to chase the spam you get. What does that mean? It means you track down where the spam came from, and you forward it to the source. In theory, they will stop/block/cancel the person responsible for sending it, making sending spam that much more difficult.

Looking for a more automated solution? Scroll to the bottom...

Summary

Here's the basic idea of what you need to do:

1) Identify your mail server
2) Identify exactly where the junk mail came from
3) Forward the junk mail to the junk mail's source and your ISP
4) Forward the junk mail to the owner of the site that the junk mail advertises
5) Repeat (since you probably have a crap load of junk mail)

Step By Step Instructions

1) Identify your outgoing mail server. If you use an email address from your ISP, then you most likely use their mail server. It may be something like smtp.[yourisp].com or mail.[yourisp].com.

2) Identify where the mail is coming from. This part is complicated. There are lots of mail clients out there, so it's impossible for me to give you specific instructions. But I can tell you generally what you need to do. First, if there's a 'From:' address, ignore it completely. What you have to do is show the full mail headers. By default, most mail programs show an abbreviated set of mail headers, because you really don't need to know the details on legitimate emails. For Spam Chasing, you need it all. Once you have the full headers showing, it's time to get busy. The following is an example of the type of headers you may see, without their actual values in place:

Subject:
Date:
To:
Reply-To:
Received:
Received:
Received:
Received:
X-Antivirus:
X-Priority:
X-Msmail-Priority:
X-Mailer:
X-Mimeole:
Organization:
Mime-Version:
Content-Type:
Message-Id:
X-Virus-Scanned:

Now you may see a lot of different web sites and domain names in there, but ignore them. Everything there can be and probably has been faked. Everything but one line. Look for the 'Received:' line that contains your mail server. The format should be something similar to this:

Received: from domain.com [202.154.161.61] by your.mail.host.com (AppleMailServer 10.2.3.0) id 47313 via TCP with SMTP; Sat, 21 Feb 2004 05:44:50 -0500

That line is the key: it tells you the exact IP address that talked to your mail server. It is the source of the junk mail. Copy that IP address.

3) The next step is to find out who that IP address belongs to. Go to my WhoIs page and look up the IP:

http://www.whatsmyip.org/whois

You have to read the results carefully. If the IP is not in the ARIN database, it should send you a link to another database that does contain that IP. Once in a while you may have to jump to a 3rd database, but not usually. Once you get the results, it should list who owns the IP address, and it should have email addresses you can forward the junk mail to. The best address is an abuse@domain.com address, but if they don't list an address like that, send it to whoever they do list. From time to time I go to their web site and look up some email address on their site, to make sure they get the junk. Bookmark the ARIN web site, you will be using it a lot.

So in addition to any email address you find for the IP's owner, you also want to forward the junk mail to your ISP's email address, usually abuse@[yourisp].com or spam@[yourisp].com.

4) Next you want to find out who owns the web site the spam mail advertises. There has to be a link in the mail somewhere. If not, it's probably a virus-generated email and not spam per se. Find the link, and copy just the domain name. For instance below, you'd want just the domain-name part (the host name between http:// and the first /), not the path after it...

http://click.wonderful-deals.com/sp/t.pl?id=277136:1421725

That domain is what you need. Now with that address, you want to go back to my whois page, and look up who owns the domain. There will be email addresses. They may or may not be real, but those should belong to the spammer himself, so it will be nice to send him his mail back.

Next, on the whois page, you want to type the domain into the top box and resolve it to its IP address. Now look up that IP address and see what you get. That most likely will be the ISP or web host of the spammer's web site. Add any email addresses you see there to your forwarding. They will close down the spammer's web site and make him start all over. The harder it is to be a spammer, the fewer spammers there will be.

5) Repeat until your junk mail folder is empty, or until you have gone insane.
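Here is an added example, not part of the original page, that does the parsing half of steps 2 and 4 in Python so you can check your reading of the headers before looking anything up. The whois lookups (step 3) are left to the whois page above; the script touches no network. Both sample messages are constructed, the Received: line in the first one copies the shape of the example above, and the server names (your.mail.host.com, relay1.your.mail.host.com) are placeholders you would replace with your ISP's real server names. It goes one step past the article: if the first trusted Received: line shows a private address because your ISP has an internal relay in front of the mailbox server, it keeps walking down through your own hops until the first public address appears.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not a real spam).  The "From:" line and the lower
# "Received:" line are sender-supplied data that may be forged; only the top
# line, written by our own server, is trustworthy.
SAMPLE_MESSAGE = """\
From: "Friendly Deals" <deals@example.com>
To: you@your.mail.host.com
Subject: Great deals
Received: from domain.com [202.154.161.61] by your.mail.host.com (AppleMailServer 10.2.3.0) id 47313 via TCP with SMTP; Sat, 21 Feb 2004 05:44:50 -0500
Received: from forged.example [10.0.0.5] by domain.com with SMTP; Sat, 21 Feb 2004 05:40:00 -0500
Message-Id: <constructed-1@example.com>
Content-Type: text/plain

Click here: http://click.wonderful-deals.com/sp/t.pl?id=277136:1421725
"""

# Second constructed sample: the ISP has an internal relay (placeholder name)
# in front of the mailbox server, so the first trusted hop shows a private
# address and the real source sits one line further down.
RELAYED_MESSAGE = """\
Received: from relay1.your.mail.host.com [192.168.1.20] by your.mail.host.com with ESMTP; Sat, 21 Feb 2004 05:44:51 -0500
Received: from domain.com [202.154.161.61] by relay1.your.mail.host.com with SMTP; Sat, 21 Feb 2004 05:44:50 -0500
Received: from forged.example [10.0.0.5] by domain.com with SMTP; Sat, 21 Feb 2004 05:40:00 -0500
Subject: constructed relayed sample

no links here
"""

# Matches the common "from <helo> ... [<ip>] ... by <server>" shape.
RECEIVED_RE = re.compile(
    r"from\s+\S+.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def find_source_ip(raw_message, trusted_servers):
    """Step 2: the public IP that handed the mail to our own infrastructure.

    Received: lines are prepended at each hop, so reading top-down the first
    line whose 'by' host is one of our servers was written by us.  If that
    line shows a private address (an internal relay), keep going down through
    our own hops until the first globally routable address appears.  Returns
    None if no trusted hop is found.
    """
    msg = message_from_string(raw_message)
    trusted = {s.lower() for s in trusted_servers}
    for value in msg.get_all("Received", []):
        # Collapse folded header whitespace before matching.
        m = RECEIVED_RE.search(" ".join(value.split()))
        if not m or m.group("by").lower() not in trusted:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.is_global:
            return str(ip)
    return None


def advertised_host(raw_message):
    """Step 4: the host name of the first link in the message body, or None."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace")
        m = URL_RE.search(text)
        if m:
            return urlparse(m.group(0)).hostname
    return None


if __name__ == "__main__":
    mine = {"your.mail.host.com", "relay1.your.mail.host.com"}
    print("source IP:", find_source_ip(SAMPLE_MESSAGE, mine))
    print("advertised host:", advertised_host(SAMPLE_MESSAGE))
    print("source IP behind relay:", find_source_ip(RELAYED_MESSAGE, mine))
```

The trusted-server set is the only thing the script believes; everything the sender wrote, including Received: lines below your own server's, is treated as forgeable, which is exactly why the loop only accepts a line whose "by" host is yours. The advertised host is just the host name from the link; whether you then look up that exact host or the registrable domain behind it is the choice the article makes on its whois page.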

Automate The Process

www.spamcop.net

Sign up for SpamCop (it's free, although you can donate if you want to). You will be given your own unique email address to use. Forward your SPAM to that email address. For each spam you send to it, SpamCop will automatically scan the email headers and body, look up all the 'Abuse' email addresses, and send you a confirmation email. That confirmation email contains a link that will bring you to yet another page. This page lets you send, in a single click, all of the SPAM reports for the server(s) the email came from, and the server(s) hosting the web site the SPAM is advertising. It's a little confusing at first, but in the end it lets you save a TON of time by automating a lot of the process of reporting SPAM (but not all of it: you still have to click on the confirmation email YOU get sent, for each SPAM you send to SpamCop).

To forward a SPAM to them, you have to do so with full headers. I've found that the best program for SPAM reporting is Mozilla Thunderbird. It automatically does full headers when you forward, so you don't have to do anything special there. And it lets you click on multiple emails and click forward, so you can send all of your SPAM email to SpamCop all at once. I use Apple Mail as my primary email client, and I have my SPAM filters put all my SPAM in a special email account. I have Thunderbird check JUST that account. It seems like a complicated process, but it's really much simpler than it seems. And this system allows me to report 100% of my SPAM! Doing it by hand, I never had near enough time to do it all!