Joe Wein
Fighting spam and scams
on the Internet


Fighting email spam (How to fight spam)

Problem: Most spam emails (and virtually all current viruses) arrive with forged sender addresses, which makes it hard to tell which service provider is responsible for the machine that actually sent the message, and therefore hard to notify anyone who can do something about it.

Explanation: Most spam these days is sent with a fake return address. Complaining to the administrator of the domain shown in the From: or Return-path: line is therefore a waste of time, and usually bothers an innocent third party whose address was borrowed. You first need to work out where the spam really came from; only then can you complain to the administrators of the networks that actually relayed it and get the offenders cut off.

Solution: The following link lets you find out which provider an IP address is assigned to.

https://joewein.net/whois/
How to use this form:
  1. Display the mail header in the spam e-mail. How to do this depends on your email client:
    • Outlook Express: File / Properties / Details / Message Source.
    • Microsoft Outlook 98 and 2000 for Windows: Right click on the message and select Options
    • Netscape Messenger 4.7 - 6: Open the email; View / Headers / All
    • Netscape Messenger 6.2 and higher: Go to Netscape Messenger Inbox; View / Headers / All
    • Other mail programs: See here

    You'll see something similar to the following (not all fields will be present):

    Return-path: <angelicohattersley@yahoo.com>
    Envelope-to: mail@recipient.com
    Delivery-date: Thu, 05 Jun 2003 14:06:15 +0200
    Received: from [213.165.64.100] (helo=mx0.gmx.net)
    	by mxng15.myprovider.com with smtp (Exim 3.35 #1)
    	id 19NtVS-00089g-00
    	for mail@recipient.com; Thu, 05 Jun 2003 14:06:10 +0200
    Received: (qmail 30356 invoked by alias); 5 Jun 2003 12:06:10 -0000
    Delivered-To: GMX delivery to recipient@gmx.net
    Received: (qmail 30132 invoked by uid 65534); 5 Jun 2003 12:06:08 -0000
    Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
      by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200
    From: "Dieter Wroblewski " <angelicohattersley@yahoo.com>
    Reply-To: "Dieter Wroblewski " <angelicohattersley@yahoo.com>
    To: joevicki2000@yahoo.com
    Date: Fri, 21 Feb 2003 07:55:25 -0800
    Subject: SilkSnake.com - Porn, Games, Movies and Much More
    MIME-Version: 1.0
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Message-ID: <20030605120609.30223gmx1@mx010-rz3.gmx.net>
    X-Resent-By: Forwarder <forwarder@gmx.net>
    X-Resent-For: recipient@gmx.net
    X-Resent-To: mail@recipient.com
    
  2. Find out from where the mail reached your mailserver. In this case the mail claims to come from a yahoo.com customer, but it never passed through a yahoo.com mailserver, so the sender address is fake. The Received: lines contain the information you need. Every server that handles the mail adds its own Received: line at the top, so the topmost line was written by your own mailserver and records the machine that connected to it. Generally that is the line you want: the very first line starting with "Received: from". If your mail is automatically resent through a mail forwarder such as GMX or POBOX (indicated by the Delivered-To: lines in this example), the topmost line only records the forwarder, so look instead for the first "Received: from" line after the last Delivered-To: line. Only trust Received: lines written by servers you know (your own provider's and your forwarder's); anything below them was supplied by the sender and can be forged. In this case the line we want is:
    Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
      by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200
    
    Make sure the "from" part of that line names an outside machine, not one of your own provider's servers. Mail is sometimes handed from one internal server to another before it reaches your mailbox; in that case move down to the next "Received: from" line.

    The sender's computer claimed to be a server called fw.muan.chonnam.kr (in Korea), but you can't trust HELO values: the sending machine announces that name itself and can lie. What matters is the IP address that follows, which the receiving server took from the actual network connection (in other cases the IP address may precede the server name or may be enclosed in square brackets such as [211.34.18.231]). An IPv4 address is always a sequence of four numbers from 0 to 255, separated by dots (a newer IPv6 address is written as groups of hexadecimal digits separated by colons and can be looked up the same way). The string "unknown" in that same line indicates that the receiving mailserver tried to do a reverse lookup to get a name for the number and couldn't find one. Well-administered networks provide name lookups for all their IP addresses. Paste the IP address into the Domain or IP field of the form linked above and click the Go button.

    The form queries the regional Internet registry for the country or region the address belongs to (for example, ARIN for the USA and Canada, RIPE for Europe, APNIC for addresses in Japan, Australia, Singapore, Korea and China, LACNIC for Brazil and Argentina, AfriNIC for South Africa or Nigeria). Here is what we get:

         [ ISP Network Abuse Contact Information ]
         Name               : Pubnet Abuse Manger
         Phone              : +82-2-710-1457
         Fax                : +82-2-710-1411
         E-Mail             : abuse@pubnet.ne.kr
    

  3. For webmail services such as Yahoo, find the IP address from which the mail was posted. This applies in particular to advance fee fraud spam ("Nigeria scam"), which is usually sent from genuine accounts at free webmail providers, so the sender address itself is real and the interesting question is where the scammer logged in from:

    Yahoo:

    Received: from [196.201.83.243] by web37806.mail.mud.yahoo.com via HTTP; Sun, 05 Mar 2006 11:32:44 PST
    Date: Sun, 5 Mar 2006 11:32:44 -0800 (PST)
    From: jane robert <mrs_janerobert2002@yahoo.com>
    Subject: FROM: MRS  JANE ROBERT.
    To: mrs_janerobert2002@yahoo.com
    

    Hotmail:

    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    	 Sun, 5 Mar 2006 21:36:55 -0800
    Message-ID: <BAY19-F13459EA4EFC8B2F2474D2BA4E90@phx.gbl>
    Received: from 81.91.238.45 by by19fd.bay19.hotmail.msn.com with HTTP;
    	Mon, 06 Mar 2006 05:36:51 GMT
    X-Originating-IP: [81.91.238.45]
    X-Originating-Email: [henryunnachukwu@hotmail.com]
    X-Sender: henryunnachukwu@hotmail.com
    From: "chigozie unnachukwu" <henryunnachukwu@hotmail.com>
    

    Web.de:

    Received: from [84.254.131.218] by freemailng2302.web.de with HTTP;
    	Sun, 05 Mar 2006 20:23:06 +0100
    Date: Sun, 05 Mar 2006 20:23:06 +0100
    Message-Id: <9273898@web.de>
    MIME-Version: 1.0
    From: MRS LARISA SOSNITSKAYA <contact_nit01@web.de>
    

    Webmail providers usually record the IP address of the machine from which the email was posted via a browser in a "Received:" line such as the ones above. Look for "via HTTP" or "with HTTP", usually in the last (bottom-most, i.e. earliest) "Received:" line. Alternatively look for an "X-Originating-IP:" line or something similar. Use this IP address to locate the provider. Send complaints to both the webmail provider (so the account gets closed) and the ISP used for the posting.
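The three steps above, carried out by a small script. This is an added example and not code from this page or from jwSpamSpy: it applies the same reading of the headers (topmost trusted "Received: from" line, the forwarder rule based on the last Delivered-To: line, HELO names ignored, "via/with HTTP" and X-Originating-IP: for webmail). The two sample messages are constructed, abridged from the header examples shown above; the list of trusted domains (myprovider.com and gmx.net, i.e. your own provider and your forwarder) is an assumption you must adapt, and only IPv4 addresses are extracted.

```python
import email
import re

# Constructed sample, abridged from the forwarded-spam headers on this page:
# the spam reached GMX (our forwarder) from 211.34.18.231, GMX then handed it
# to our own provider, whose server wrote the topmost Received: line.
FORWARDED_SPAM = """\
Return-path: <angelicohattersley@yahoo.com>
Received: from [213.165.64.100] (helo=mx0.gmx.net)
\tby mxng15.myprovider.com with smtp (Exim 3.35 #1)
\tid 19NtVS-00089g-00
\tfor mail@recipient.com; Thu, 05 Jun 2003 14:06:10 +0200
Received: (qmail 30356 invoked by alias); 5 Jun 2003 12:06:10 -0000
Delivered-To: GMX delivery to recipient@gmx.net
Received: (qmail 30132 invoked by uid 65534); 5 Jun 2003 12:06:08 -0000
Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
  by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200
From: "Dieter Wroblewski " <angelicohattersley@yahoo.com>
Subject: sample

body
"""

# Constructed sample, abridged from the Hotmail headers on this page.
WEBMAIL_SPAM = """\
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
\t Sun, 5 Mar 2006 21:36:55 -0800
Message-ID: <BAY19-F13459EA4EFC8B2F2474D2BA4E90@phx.gbl>
Received: from 81.91.238.45 by by19fd.bay19.hotmail.msn.com with HTTP;
\tMon, 06 Mar 2006 05:36:51 GMT
X-Originating-IP: [81.91.238.45]
From: "chigozie unnachukwu" <henryunnachukwu@hotmail.com>
Subject: sample

body
"""

IPV4 = re.compile(r'(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])')
# "from <client> by <server> ..." as written by most MTAs; qmail's
# "(qmail NNN invoked by alias)" lines do not match and are skipped.
RECEIVED = re.compile(r'^from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)', re.I)
HELO = re.compile(r'\((?:helo=|HELO\s+)[^)]*\)', re.I)   # the client's own claim


def _headers(raw):
    """Headers in wire order as (lowercase name, whitespace-normalised value)."""
    msg = email.message_from_string(raw)
    return [(name.lower(), ' '.join(value.split())) for name, value in msg.items()]


def _first_ip(text):
    for ip in IPV4.findall(text):
        if all(int(octet) <= 255 for octet in ip.split('.')):
            return ip
    return None


def _trusted(host, trusted_suffixes):
    host = host.lower().strip('[]')
    return any(host == s or host.endswith('.' + s) for s in trusted_suffixes)


def origin_ip(raw, trusted_suffixes):
    """Step 2: the IP that handed the mail to the first server we trust.

    trusted_suffixes: domains of our own provider and of any forwarder we use.
    Received: lines written by anyone else may have been forged by the spammer
    and are not consulted; None means the trail could not be followed safely.
    """
    headers = _headers(raw)
    start = 0                      # forwarder rule: only lines below the last Delivered-To:
    for i, (name, _) in enumerate(headers):
        if name == 'delivered-to':
            start = i + 1
    for name, value in headers[start:]:
        if name != 'received':
            continue
        m = RECEIVED.match(value)
        if not m:
            continue               # local handoff, e.g. "(qmail ... invoked by alias)"
        if not _trusted(m.group('by'), trusted_suffixes):
            return None            # written by a server we don't control: stop here
        client = HELO.sub('', m.group('from'))          # drop the fakeable HELO name
        if any(s in client.lower() for s in trusted_suffixes):
            continue               # internal hop inside our provider or forwarder
        ip = _first_ip(client)
        if ip:
            return ip
    return None


def webmail_posting_ip(raw):
    """Step 3: IP of the browser session that posted a webmail message."""
    headers = _headers(raw)
    # The posting hop is the earliest one, i.e. the bottom-most Received: line.
    for name, value in reversed(headers):
        if name == 'received' and re.search(r'\b(?:via|with)\s+HTTP\b', value, re.I):
            m = RECEIVED.match(value)
            ip = _first_ip(m.group('from') if m else value)
            if ip:
                return ip
    for name, value in headers:    # fallback used by some providers
        if name == 'x-originating-ip':
            return _first_ip(value)
    return None


if __name__ == '__main__':
    print(origin_ip(FORWARDED_SPAM, ('myprovider.com', 'gmx.net')))   # 211.34.18.231
    print(webmail_posting_ip(WEBMAIL_SPAM))                            # 81.91.238.45
```

If gmx.net is left out of the trusted list, origin_ip() returns None for the forwarded sample rather than an address, because the only line naming the Korean host was written by a server the script has not been told to trust; that is the intended behaviour, since a Received: line you cannot vouch for may have been planted by the spammer. The address returned is what you paste into the whois form.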

Once you know which network the spam came from, you know whom to complain to. Paste the complete message source (with full headers, see above) into your complaint and leave the subject line unchanged from the spam, so the provider's abuse desk can match it against its logs. Most domains have an abuse contact such as abuse@domainname; the whois record often lists one, as in the Pubnet example above. If mail to that address bounces, write to postmaster@domainname instead. Keep the complaint short and polite and follow it with the unmodified spam message.

By the way, you should never try to use any of the unsubscribe addresses provided by spammers. Writing to these addresses only confirms that the spam has reached a recipient and has been read. More often than not trying to unsubscribe will "reward" you with even more spam!

We have developed jwSpamSpy to protect you from both spam and viruses. It stops around 99% of the spam sent to our mailboxes as well as all current viruses. Its easy-to-use Virus Reporting Assistant greatly simplifies the job of contacting the service provider of virus-infected machines. Learn more about it here: jwSpamSpy

Other Anti-Spam Resources:
Anti-spam domain blacklist – list of domains that I refuse to receive mail from
Recent additions to domain blacklist (with whois details)
AOL dial-up address ranges and mail servers
Dynamic IP addresses