How Do I Trace a Spammer?

There are a number of ways to find out where a spam is actually coming from. In some cases, the spammer will make no attempt to hide this information from you, while in other cases, they will go to great lengths to obscure their actual contact information.

It is not always necessary to find out the actual email address that the spam has been sent from. If you can simply find out the domain name or the server where the emails are originating from, then steps can be taken to report the spammer and effectively shut them down.


Through a Reference the Spammer Makes
If the spammer lists a reply email address with their message that you think is valid, then you can use this address to find the server that is hosting them. If there is no email address listed but the spam you receive makes reference to a web page or domain name, then you can find the spammer's host server using this information.

Finding the hosting server is accomplished using a Whois Database. If the email address or website is of the .com, .net, .biz, or .org, variety then is the place to check. If the website is a .ca domain, then consult the CIRA Whois Database. If the website is from a national top-level domain such as .it, .uk, and .au, then consult the Top-Level Registries for a list of whois databases by country. Once you have performed a Whois search, you will be able to view the contact information for the owner of the server that is currently hosting your spammer. It is often possible to get the administrative contact email address and phone number for the spammer's domain from these databases.


Through the Header Information
If the email you receive does not make any mention of a webpage or email address, you can try to find out the spammer's actual location by reading the header information. See How do I identify an email as spam? for instructions on how to access the header of an email.

Spammers are able to place false email addresses in the From, Return-Path, and From: lines of the header. However, the Received: line(s) can tell the true story about where the email actually came from. The Received header is usually formatted as follows:

Received: from ? by ? via ? with ? id ? for ?; date-time
(Each "?" indicates field data that is specific to every message such as the doman name, IP Address, computer name, etc.)

There may be more than one Received line in the header of an email if the message was passed between intermediary mail servers before it reached yours. Every time an email message passes to a new mail server, a new Received line is added to the header. Therefore, reading the Received lines from the top down is like tracing the route the email took back to its source.


Received: from (spamman@localhost []) by (0.0.1/0.0.2) with SMTP id MAA00153 for jdoe; Mon, 13 Aug 2002 07:12:42 -0500

It should be noted that as you approach the bottom of the Received list, the spammer may have added forged Received lines to the header in an attempt to confuse you or lead you astray. Forged Received lines can often be identified by verifying the content in their fields. Often the "from ?" field will contain a non-exisiting or unrelated domain name or the IP Address listed will be invalid or fake.

The best way to identify a spammer from the Received header is the IP Address listed in the "from" field since it may be possible to forge all other parts of the message. If you have only this IP Address to go by, you can use an IP Address Whois database to lookup the owner and provider of this email address. There are three major IP Address Whois databases for the major geographical regions of the internet: North America Europe Asia Pacific


By Tricking the Spammer

This method of finding the spammer's actual email address or domain name is much less technical. Simply send a response email to the spammer, in a very polite tone inquiring information about the product or service they are trying to sell. If you express some genuine interest in their wares, they will consider you a potential sale and may respond to you from their actual email address, or with some valid contact information such as their ordering website. Now you are armed with enough contact information to do away with the spammer.


Now What?
Once you have found the actual email address of the spammer "spammer@dmname.end" then entering the "dmname.end" domain name in the appropriate whois database will give you the contact information for the owner of the spammer's domain and server.