Spam messages occur every day. The spammers of the world count on people to "just hit delete" when spam arrives. By doing so the people/suckers who are not interested encourage spamming to continue. There is no negative feedback to the process.

I want to help change that. I want to put the negative feedback into the system. I want to get accounts shut down; I want to help administrators close the open relays. If spammers make a living by getting 0.3% response rates, I want to see how well they do by getting responses sent to their ISPs and to the open relay points.

Below, I will take apart a message, as an example of what a spammer will do to hide. Hopefully you can use this information to push additional negative feedback into the system. Together, we can reduce the amount of spam.

I'm going to dissect a typical spam message, for clues about tracing it back to its source. If you have some better techniques please send them to me.


Trusted Headers

The headers below are pretty trustworthy because they were added by the local system. I trust the System Administrators to do their job right.

From - Mon Feb 25 09:00:44 2002
Received: from ( [])
	by (8.9.2/8.9.2) with ESMTP id NAA09030
	for <>; Sun, 24 Feb 2002 13:02:47 -0600 (CST)

Untrusted Headers

A possible forged header. This might not be forged, but since anyone can get a free e-mail account, the cost to the spammer is minimal.


NOTE: I still send a copy of spam messages to There are laws that allow companies to sue people who fraudulently use their domain names. can build up a case and go after the spammer where it will hurt the most - the wallet.

Trusted Headers

These headers were again added by a system I trust.

Received: from ([])
	by (8.11.3/8.11.3) with ESMTP id g1OJ2k202130
	for <>; Sun, 24 Feb 2002 13:02:46 -0600
Date: Sun, 24 Feb 2002 13:02:46 -0600
Message-Id: <>

Forgery and Fraud

Now the spammer tries, feebly, to hide the real origination point. This is such a weak attempt that it is laughable; fortunately it is also the normal attempt.

Received: from ( []) by with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id 15LNR8A7; Sun, 24 Feb 2002 13:39:35 -0500

The spammer is trying to impersonate a site. If you believe the header, you will complain to, but they won't be able to do anything about the machine in question.

Most computers ship with an operating system that has a program called nslookup. nslookup will let you quickly find out the IP address of a given host name. I used the command nslookup to find out that the name does not exist. The spammer forged the name.

There is an indication of the real message source. [] is a real pairing of machine name and IP address. The spam appears to have originated from Van Buren County (Michigan, USA).

NOTE: It is not always easy to report spam. The mail exchange (MX) record for Van Buren County is broken. I can't even e-mail them to tell them to fix their record, BECAUSE their e-mail gets rejected. I finally e-mailed the company that provides name server service for them, but that doesn't guarantee anything will change in the near future.

This one header also reveals that the message came through I would guess that the machine is a Windows NT box (based on the machine name and the mail server it reports). Windows NT tends to install a lot of software by default that is poorly configured. This appears to be a mail server that allows open relaying.

As a community service, I e-mailed the postmaster at the domain, suggesting that the mail server configuration be changed or that the mail server be turned off. I haven't heard anything back yet. I am not holding my breath while waiting for an answer.

More Fraud

The spammer used an e-mail address that might or might not be a real address in the "To:" line. I probably got spammed as a blind carbon copy (BCC:), so that my account wouldn't show up in the To line.


Yet More Cheap Stupidity

This message was the fourth (or was it the fifth) spam message I received that listed either a or a address in its Reply-To field. The spammer apparently opened lots of accounts at these two sites. Supposedly the accounts have been found and terminated, but I keep getting spam with these Reply-To addresses. Since the accounts are free, even if they are closed, it is no real cost to the spammer.



The complete original is available in text form from Example spam as text