Spam messages occur every day. The spammers of the world count on people to "just hit delete" when spam arrives. By doing so the people/suckers who are not interested encourage spamming to continue. There is no negative feedback to the process.
I want to help change that. I want to put the negative feedback into the system. I want to get accounts shut down; I want to help administrators close the open relays. If spammers make a living by getting 0.3% response rates, I want to see how well they do by getting responses sent to their ISPs and to the open relay points.
Below, I will take apart a message, as an example of what a spammer will do to hide. Hopefully you can use this information to push additional negative feedback into the system. Together, we can reduce the amount of spam.
I'm going to dissect a typical spam message, for clues about tracing it back to its source. If you have some better techniques please send them to me.
The headers below are pretty trustworthy because they were added by the local system. I trust the System Administrators to do their job right.
From - Mon Feb 25 09:00:44 2002 Received: from lucy.cs.wisc.edu (lucy.cs.wisc.edu [126.96.36.199]) by claven.cs.wisc.edu (8.9.2/8.9.2) with ESMTP id NAA09030 for <firstname.lastname@example.org>; Sun, 24 Feb 2002 13:02:47 -0600 (CST)
A possible forged header. This might not be forged, but since anyone can get a free Yahoo.com e-mail account, the cost to the spammer is minimal.
NOTE: I still send a copy of spam messages to Yahoo.com. There are laws that allow companies to sue people who fraudulently use their domain names. Yahoo.com can build up a case and go after the spammer where it will hurt the most - the wallet.
These headers were again added by a system I trust.
Received: from nt01.tjr.com ([188.8.131.52]) by lucy.cs.wisc.edu (8.11.3/8.11.3) with ESMTP id g1OJ2k202130 for <email@example.com>; Sun, 24 Feb 2002 13:02:46 -0600 Date: Sun, 24 Feb 2002 13:02:46 -0600 Message-Id: <200202241902.g1OJ2k202130@lucy.cs.wisc.edu>
Now the spammer tries, feebly, to hide the real origination point. This is such a weak attempt that it is laughable; fortunately it is also the normal attempt.
Received: from qmhim.yahoo.com (mail.co.van-buren.mi.us [184.108.40.206]) by nt01.tjr.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 15LNR8A7; Sun, 24 Feb 2002 13:39:35 -0500
The spammer is trying to impersonate a yahoo.com site. If you believe the header, you will complain to yahoo.com, but they won't be able to do anything about the machine in question.
Most computers ship with an operating system that has a program
nslookup will let
you quickly find out the IP address of a given host name. I used
nslookup qmhim.yahoo.com to find out that
the name does not exist. The spammer forged the name.
There is an indication of the real message source.
is a real pairing of machine name and IP address.
The spam appears to have originated from Van Buren County
NOTE: It is not always easy to report spam. The mail exchange (MX) record for Van Buren County is broken. I can't even e-mail them to tell them to fix their record, BECAUSE their e-mail gets rejected. I finally e-mailed the company that provides name server service for them, but that doesn't guarantee anything will change in the near future.
This one header also reveals that the message came through
nt01.tjr.com. I would guess that the machine
is a Windows NT box (based on the machine name and the
mail server it reports). Windows NT tends to install a lot
of software by default that is poorly configured. This appears
to be a mail server that allows open relaying.
As a community service, I e-mailed the postmaster at the domain, suggesting that the mail server configuration be changed or that the mail server be turned off. I haven't heard anything back yet. I am not holding my breath while waiting for an answer.
The spammer used an e-mail address that might or might not be a real address in the "To:" line. I probably got spammed as a blind carbon copy (BCC:), so that my account wouldn't show up in the To line.
This message was the fourth (or was it the fifth) spam message
I received that listed either a
swirve.com address in its Reply-To field.
The spammer apparently opened lots of accounts at these two
sites. Supposedly the accounts have been found and terminated,
but I keep getting spam with these Reply-To addresses. Since
the accounts are free, even if they are closed, it is no real
cost to the spammer.
The complete original is available in text form from Example spam as text