How Do I Trace
There are a number of ways
to find out where a spam is actually coming from. In some cases, the spammer
will make no attempt to hide this information from you, while in other cases,
they will go to great lengths to obscure their actual contact information.
It is not always necessary
to find out the actual email address that the spam has been sent from. If you
can simply find out the domain name or the server where the emails are originating
from, then steps can be taken to report the spammer and effectively shut them
Through a Reference
the Spammer Makes
If the spammer lists a reply
email address with their message that you think is valid, then you can use this
address to find the server that is hosting them. If there is no email address
listed but the spam you receive makes reference to a web page or domain name,
then you can find the spammer's host server using this information.
Finding the hosting server
is accomplished using a Whois Database. If the email address
or website is of the .com,
variety then Internic.net is
the place to check. If the website is a .ca
domain, then consult the CIRA
Whois Database. If the website is from a national top-level domain such
then consult the Top-Level Registries
for a list of whois databases
by country. Once you have performed a Whois search, you will be able to view
the contact information for the owner of the server that is currently hosting
your spammer. It is often possible to get the administrative contact email address
and phone number for the spammer's domain from these databases.
Through the Header
If the email you receive
does not make any mention of a webpage or email address, you can try to find
out the spammer's actual location by reading the header information.
See How do I identify an email as spam? for instructions
on how to access the header of an email.
Spammers are able to place
false email addresses in the From, Return-Path, and From: lines
of the header. However, the Received: line(s) can tell the true story
about where the email actually came from. The Received header is usually
formatted as follows:
Received: from ? by
? via ? with ? id ? for ?; date-time
indicates field data that is specific to every message such as the doman name,
IP Address, computer name, etc.)
There may be more than one
Received line in the header of an email if the message was passed between
intermediary mail servers before it reached yours. Every time an email message
passes to a new mail server, a new Received line is added to the header.
Therefore, reading the Received lines from the top down is like tracing
the route the email took back to its source.
Received: from anywhere.com
by you.ca (0.0.1/0.0.2) with SMTP id MAA00153 for jdoe; Mon, 13 Aug 2002 07:12:42
It should be noted that
as you approach the bottom of the Received list, the spammer may have
added forged Received lines to the header in an attempt to confuse
you or lead you astray. Forged Received lines can often be identified
by verifying the content in their fields. Often the "from ?" field
will contain a non-exisiting or unrelated domain name or the IP Address listed
will be invalid or fake.
The best way to identify
a spammer from the Received header is the IP Address listed in the
"from" field since it may be possible to forge all other
parts of the message. If you have only this IP Address to go by, you can use
an IP Address Whois database to lookup the owner and provider of this email
address. There are three major IP Address Whois databases for the major geographical
regions of the internet:
By Tricking the
This method of finding the spammer's actual email address or domain name is
much less technical. Simply send a response email to the spammer, in a very
polite tone inquiring information about the product or service they are trying
to sell. If you express some genuine interest in their wares, they will consider
you a potential sale and may respond to you from their actual email address,
or with some valid contact information such as their ordering website. Now you
are armed with enough contact information to do away with the spammer.
Once you have found the actual
email address of the spammer "email@example.com"
then entering the "dmname.end"
domain name in the appropriate whois database will give you the contact information
for the owner of the spammer's domain and server.