Last updated: 29 December 2003
Spammers nearly always use fake "From:" addresses and engage in other forgeries to try to deflect complaints. If you are serious about locating the spammer, you'll have to do a fair bit of digging. To quote a much more experienced spam-fighter than me: "This is a battle of Clue and always will be."
So, where to start?
The first thing is to make sure you're looking at ALL of the message headers. Your newsreader probably won't show the Path: or NNTP-Posting-Host: headers (to name but two) unless you specifically request it to. There should be an option to Show All Headers buried somewhere in one of the menus (in one well-known package, the actual menu item is called Blah, blah, blah...)
Right, you should now be looking at something like this:
From: Brooke@brooklyn.org
Subject: - 586gp.JPG 34198 bytes (1/1) 88814
Message-ID: <22079819.5510@brooklyn.org>
Date: Wednesday, 22 Jul 1998 19:55:10 -0600
Organization: <no organization>
NNTP-Posting-Host: 152.173.20.35
X-Trace: 22 Jul 1998 21:11:36 -0500, 152.173.20.35
Path: news.demon.co.uk!demon!dispose.news.demon.net!demon!diablo.theplanet.net!
 rill.news.pipex.net!pipex!uunet!in2.uu.net!208.237.64.7!brooklyn.org
Note: I have split the "Path:" line so it displays properly on this Web page. In a real message, the list would appear on one long line.
That's a lot of headers to wade through. Well, as previously explained, you can ignore the From: line (and the Reply-To: line, if present). Of the other lines, the X-Trace: line won't always be present (it is added by the server that first accepted the message and is mainly of use to that server's ISP), and the Organization: line is supplied by the poster, so it won't be of much help either.
So, let's zoom in on the three most interesting lines: Message-ID, Path and NNTP-Posting-Host. Of these, the Message-ID can be faked outright by the poster, and the NNTP-Posting-Host (normally added by the server that accepted the posting) can be faked by anyone who runs or controls such a server, so you should concentrate your efforts on the Path line to begin with.
Path: news.demon.co.uk!demon!dispose.news.demon.net!demon!diablo.theplanet.net! rill.news.pipex.net!pipex!uunet!in2.uu.net!208.237.64.7!brooklyn.org
What this shows you is the route the message took to reach your system: the name at the front of the list shows the last system to handle the message, and the name at the end is (or should be) the user name on the originating system (i.e. the person who sent the message). In the above example, this is the first clue that fakery is afoot: the path ends with a site name, not a user name (some news servers put the text not-for-mail instead of the actual user's name, but in this case neither is present).
Many spammers put fake entries onto the end of the path in an effort to throw you off the scent, but bear in mind that no matter how many fake entries a spammer does add, the message will sooner or later have to be transmitted onto a genuine news server which will add its own (genuine) address to the list. So the trick is to work down the list, ticking off the genuine entries until you reach a suspect entry.
So, what's to stop a spammer cramming dozens of genuine entries onto the list? Quite simply, were they to do that the spam wouldn't go very far: when the message reaches one of the genuine news servers on the list, the server would see its own name already there and it would discard the message.
What I am suggesting is that you work down the path from start to end, checking each entry in turn. That could be a lot of work: there are likely to be 15 or 20 entries on the list, so I must be off my rocker, right?
Well, maybe not. As explained above, the spammer could put bogus entries at the end of the list and some of these may look plausible: this would throw you off the scent. Now I could at this point give you a list of sites (for example I could say that howland.erols.net and news.maxwell.syr.edu are genuine while newsfeed.slurp.net is probably bogus) but I want you to find this out for yourself. There are two reasons for this: (a) I might have made a mistake, and (b) one rule to bear in mind is trust as few people as possible in this game.
Fortunately, there is a short-cut. If you look at some genuine (i.e. non-spam) messages, the Path fields are likely to be 100% genuine, so you will quickly get a feel for the usual paths that messages take between the various Usenet servers, and will be that much better prepared to spot any fakery that a spammer might try to indulge in.
Let's have another look at the end of our example path:
rill.news.pipex.net!pipex!uunet!in2.uu.net!208.237.64.7!brooklyn.org

That actually consists of 6 entries (separated by the "!" characters): rill.news.pipex.net, pipex, uunet, in2.uu.net, 208.237.64.7 and brooklyn.org.
How do you check these entries out? The first thing to try is a DNS name-to-address check (nslookup) on the name supplied. Most Unix/Linux systems (and Windows NT, for what it's worth) come with nslookup as part of the standard build, but if you're using another operating system you might like to use the Web page at network-tools.com to do the lookup. Some other useful tools are listed below.
You can only do this for names that actually have fullstops in, so you won't be able to check the !pipex! or !uunet! entries directly (but note that those names appear in adjoining entries so they're probably OK).
You can also do an nslookup on any numeric addresses that may appear in the list (e.g. 208.237.64.7 in the above example). If this "reverse lookup" works, you'll have a domain name to work with for the remaining steps below. If the reverse lookup doesn't work, treat the entry as suspect (a few genuine hosts have no reverse entry, so this isn't proof on its own, but a relay that a real news server accepted from should normally have one) and complain to the ISP mentioned in the previous entry (i.e. the one to the left).
note: you are supposed to be able to do a WHOIS on numeric addresses, e.g. "whois 208.237.64.7", but I can't seem to get it to work reliably...
If the name resolves to an address, you can jump to looking for a Web site (see below).
If the name doesn't resolve, it could be a fake (inserted by the spammer) or it could be a security feature adopted by some ISPs: one UK ISP deliberately keeps its news server's name out of public DNS to prevent non-subscribers from connecting to it. So the next step is to check out the domain name.
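The walk described above (split the Path on "!", tick off the entries from the front, look up dotted names forwards and numeric addresses backwards, take bare aliases on trust only when a neighbouring entry echoes them, and treat a path that ends in a site name as the first clue of forgery) written out as a small script. This is an added example, not code from the original page; the DNS answers it uses for the sample path are constructed (documentation-range addresses) so that it runs offline, and the live_forward/live_reverse helpers are the ones to plug in for a real check.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: the headers from the example above, with the Path: value
# wrapped the way it is on this page (parse_path() rejoins it).
SAMPLE_HEADERS = """\
From: Brooke@brooklyn.org
Message-ID: <22079819.5510@brooklyn.org>
NNTP-Posting-Host: 152.173.20.35
Path: news.demon.co.uk!demon!dispose.news.demon.net!demon!diablo.theplanet.net!
 rill.news.pipex.net!pipex!uunet!in2.uu.net!208.237.64.7!brooklyn.org
"""

Resolver = Callable[[str], Optional[str]]   # name -> address, or address -> name

def parse_path(headers: str) -> List[str]:
    """Path: entries from left (last relay) to right (origin), rejoining a wrapped value."""
    m = re.search(r"^Path:(.*?)(?=^\S|\Z)", headers, re.MULTILINE | re.DOTALL)
    if not m:
        raise ValueError("no Path: header")
    value = re.sub(r"\s+", "", m.group(1))   # a real Path: contains no whitespace
    return [e for e in value.split("!") if e]

def live_forward(name: str) -> Optional[str]:
    """nslookup equivalent: host name -> address, None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def live_reverse(addr: str) -> Optional[str]:
    """Reverse lookup: address -> host name, None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

@dataclass
class Finding:
    entry: str
    kind: str      # "host" (dotted name), "ip", "alias" (bare name), "user"
    verdict: str   # "ok", "unverified", "suspect"
    note: str

def walk_path(entries: List[str], forward: Resolver, reverse: Resolver) -> List[Finding]:
    """Tick off the entries from start to end, as the text describes."""
    findings: List[Finding] = []
    seen_hosts = set()
    for i, entry in enumerate(entries):
        last = i == len(entries) - 1
        if _is_ip(entry):
            kind, name = "ip", reverse(entry)
            verdict, note = ("ok", f"reverse lookup gives {name}") if name else \
                ("suspect", "no reverse DNS (fake, or a host without a PTR record; not proof by itself)")
        elif "." in entry:
            kind, addr = "host", forward(entry)
            verdict, note = ("ok", f"resolves to {addr}") if addr else \
                ("unverified", "does not resolve; check the domain by WHOIS before calling it fake")
            if entry in seen_hosts:
                verdict, note = "suspect", "same server twice; a real server refuses an article it already relayed"
            seen_hosts.add(entry)
        elif last:
            kind, verdict, note = "user", "ok", "poster's user name (or not-for-mail)"
        else:
            # Bare alias: cannot be looked up, but taken on trust when a neighbouring
            # entry echoes it (e.g. "pipex" next to rill.news.pipex.net).
            kind = "alias"
            neighbours = "".join(e for e in entries[max(0, i - 1):i + 2] if e != entry).replace(".", "")
            verdict, note = ("ok", "bare alias echoed by a neighbouring entry") if entry in neighbours else \
                ("unverified", "bare alias not echoed by its neighbours")
        if last and kind != "user":
            verdict, note = "suspect", note + "; path ends with a site, not a user name"
        findings.append(Finding(entry, kind, verdict, note))
    return findings

def complain_to(findings: List[Finding]) -> Optional[str]:
    """Nearest verified site to the left of the first suspect entry: the ISP to write to."""
    for i, f in enumerate(findings):
        if f.verdict == "suspect":
            return next((g.entry for g in reversed(findings[:i])
                         if g.kind in ("host", "ip") and g.verdict == "ok"), None)
    return None

# Constructed DNS answers so the walk runs offline; 192.0.2.0/24 is the
# documentation range, so these are not claims about the real hosts.
FAKE_FORWARD = {"news.demon.co.uk": "192.0.2.1", "dispose.news.demon.net": "192.0.2.2",
                "diablo.theplanet.net": "192.0.2.3", "rill.news.pipex.net": "192.0.2.4",
                "in2.uu.net": "192.0.2.5", "brooklyn.org": "192.0.2.6"}
FAKE_REVERSE: dict = {}    # in this scenario 208.237.64.7 has no PTR record

def run_sample():
    findings = walk_path(parse_path(SAMPLE_HEADERS), FAKE_FORWARD.get, FAKE_REVERSE.get)
    return findings, complain_to(findings)

if __name__ == "__main__":
    findings, target = run_sample()     # use live_forward / live_reverse for a real message
    for f in findings:
        print(f"{f.verdict:10} {f.kind:5} {f.entry:24} {f.note}")
    print("complain to the ISP running:", target)
```

With the constructed answers the script stops at 208.237.64.7 (no reverse entry) and names in2.uu.net, the last verified relay to its left, as the site to complain to; brooklyn.org is flagged as well because the path ends in a site name rather than a user name.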
Unfortunately, there isn't one single place to check: it depends on the address itself.
If the address ends with a 2-character country code, you will need to check with one of the regional registries:
If the address ends with .com, .edu, .org or .net, you can check with the American registry:
Personally, I use the formatted web page at network-tools.com, which has a number of other useful utilities collected together in one place.
When doing a WHOIS, you only check on the rightmost portion of the address. In the case of the American registry, you only enter the last two components of the address: for example to check rill.news.pipex.net you would only enter pipex.net
For the regional registries, you will often have to enter more. For example, to check an address ending in .uk with the European registry, you would enter the last three components: instead of news.itg.net.uk you would enter itg.net.uk
A successful query would produce an output something like this:
Interport Communications Corp. (INTERPORT2-DOM)
1133 Broadway
New York, NY 10010
US
Domain Name: INTERPORT.NET
Administrative Contact, Technical Contact, Zone Contact:
Administrator, Interport Domain (JR181) domreg@INTERPORT.NET
212-989-1128 (FAX) 212-989-0453
Billing Contact:
Administrator, Interport Domain (JR181) domreg@INTERPORT.NET
212-989-1128 (FAX) 212-989-0453
Record last updated on 29-Jul-97.
Record created on 06-Jun-94.
Database last updated on 12-Jan-98 03:59:43 EDT.
Domain servers in listed order:
NS1.INTERPORT.NET 199.184.165.1
NS2.INTERPORT.NET 199.184.165.2
NS3.INTERPORT.NET 207.237.112.10
-----------------------end whois------------------------------
If you get a "not found" error from your WHOIS search (assuming you checked with the correct registry), you've found a fake entry and should complain to the ISP mentioned in the previous entry in the Path (which you would presumably have already checked).
Next, look for a Web site at the domain (typically www. followed by the domain name) and have a quick look around it to make sure it's legit (a real ISP will have things like signup details and Acceptable Use Policies in easy-to-find locations).
If it checks out, the ISP is genuine and you can move on to check the next entry in the Path. If it's bogus, you should complain to the previous ISP in the Path.
One important exception: Sites ending in .edu almost certainly won't be trading as an ISP (they're meant to be universities/colleges, after all). The watchword here is: "Use your loaf."
Many spammers operate from "bulk mailing" companies (also known as spam nests). Any complaints to these places will at best be ignored, and the spammer might choose to retaliate (e.g. by mailbombing you, or by using your address as the "From:" address on his next flood of spam).
So, it's important to send your complaint to a location where they are likely to take proper action, and that means the ISP.
The next thing to establish is who to complain to at that site. Check the domain name against the list of published spam-reporting addresses in the first instance.
If you don't find a published address, you should send a polite message of complaint to: abuse@domain (e.g. for pipex.net the address might be abuse@pipex.net).
If that doesn't work (i.e. if the email is returned undeliverable), send the message to the "Administrative Contact" (mentioned in the WHOIS output) instead.
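The two mechanical parts of the steps above, as an added example (not code from the original page): picking the rightmost portion of a host name to hand to WHOIS (two components for .com/.net/.org/.edu, three for country codes such as .uk that register under a second-level label), querying a WHOIS server over TCP port 43, and then building the list of complaint addresses in the order given (published spam-reporting address, then abuse@domain, then the Administrative Contact from the WHOIS record). The WHOIS record it parses is a copy of the Interport one shown above; the SECOND_LEVEL table and the "not found" wording check are short illustrative assumptions, not complete registry data.

```python
import re
import socket
from typing import Dict, List, Optional

# Constructed copy of the WHOIS record shown above, in the old InterNIC layout.
SAMPLE_WHOIS = """\
Interport Communications Corp. (INTERPORT2-DOM)
   1133 Broadway
   New York, NY 10010
   US

   Domain Name: INTERPORT.NET

   Administrative Contact, Technical Contact, Zone Contact:
      Administrator, Interport Domain  (JR181)  domreg@INTERPORT.NET
      212-989-1128 (FAX) 212-989-0453
   Billing Contact:
      Administrator, Interport Domain  (JR181)  domreg@INTERPORT.NET
      212-989-1128 (FAX) 212-989-0453
"""

# Country codes whose registries allocate under a second-level label, so the
# WHOIS query needs three components.  Assumption: a short illustrative list.
SECOND_LEVEL = {"uk": {"co", "net", "org", "ac", "gov"}, "au": {"com", "net", "org"}}

def registrable_domain(host: str) -> str:
    """Rightmost portion to give to WHOIS: two labels for .com/.net/.org/.edu,
    three for a country code listed in SECOND_LEVEL (net.uk, co.uk, ...)."""
    labels = host.lower().rstrip(".").split(".")
    tld = labels[-1]
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL.get(tld, set()):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def whois(query: str, server: str, port: int = 43, timeout: float = 15.0) -> str:
    """Plain WHOIS protocol (RFC 3912): send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def looks_not_found(whois_text: str) -> bool:
    """Heuristic for a 'not found' answer; the exact wording differs between registries."""
    return re.search(r"no match|not found|no entries found", whois_text, re.I) is not None

def admin_contact_email(whois_text: str) -> Optional[str]:
    """First e-mail address after the 'Administrative Contact' heading."""
    m = re.search(r"Administrative Contact.*?([\w.+-]+@[\w.-]+\w)", whois_text, re.S)
    return m.group(1).lower() if m else None

def complaint_addresses(host: str, whois_text: str, published: Dict[str, str]) -> List[str]:
    """Where to write, in the order the text gives: a published spam-reporting
    address, then abuse@domain, then the WHOIS administrative contact."""
    domain = registrable_domain(host)
    addrs: List[str] = []
    if domain in published:
        addrs.append(published[domain])
    addrs.append(f"abuse@{domain}")
    admin = admin_contact_email(whois_text)
    if admin and admin not in addrs:
        addrs.append(admin)
    return addrs

if __name__ == "__main__":
    # Live lookup (needs network); whois.internic.net answers for .com/.net names:
    #   text = whois(registrable_domain("rill.news.pipex.net"), "whois.internic.net")
    print(registrable_domain("rill.news.pipex.net"), registrable_domain("news.itg.net.uk"))
    print(complaint_addresses("news.interport.net", SAMPLE_WHOIS, published={}))
```

A "not found" answer from looks_not_found() is the point at which the text says the entry is a fake and the complaint goes to the previous ISP in the Path instead; the address list is only worth building once the registry has confirmed the domain exists.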
Here is a copy of a form letter you might use to combat spam:
-------------------------------------------------
I regret to inform you that there is a subscriber of yours who has been
spamming in [name of newsgroup]. He/she has violated the
newsgroup's "no spam" rule as outlined in the FAQ (located at
[URL goes here]).
Please take steps to identify and warn this individual.
Thank you.
{message headers from posting}
-----------end letter----------------------------
Remember to include ALL the message headers from the original post, and (if the message wasn't too big, say under 5K) the body of the message as well. If the message was too big, just send the first few lines.
If you have time, you can make the ISP's task easier by indicating why you are complaining to them (e.g. by appending the WHOIS details of suspect entries in the path).
The FAQ
It helps a lot if the newsgroup's charter includes posting guidelines with a "no spam" or "no commercial advertising" rule. These guidelines are often contained in the newsgroup's FAQ (Frequently Asked Questions) file. If you can't wait for the FAQ to be posted to the newsgroup itself, you can check on one of the archive sites, for example:
Please send comments to the address listed on the contacts page.