Entrance

Tracing the sender of spam

If you want to report a spammer you should do it the the ISP that is operating the net the spammer is sending from. This can be fun to do a couple of times, but in the long run to do this manually for all spams you get are too much work.

The spammer often uses a lot of trickery to try to deceive where the spam is actually sent from. This involves adding a bunch of fake lines in the header.

Lets look at this spam email header:

From - Mon Sep 27 11:37:04 2004
X-UIDL: 1096254571.82878.cp.vh.realitychecknetwork.com,S=3055
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <Berry@adni.net>
Delivered-To: webmaster@M
Received: (qmail 82870 invoked from network); 27 Sep 2004 03:09:30 -0000
Received: from unknown (HELO 66.230.157.130) (211.173.185.3)
by dns1.realitychecknetwork.com with SMTP; 27 Sep 2004 03:09:30 -0000
Received: from wvnet.at (adsl66-112-21-43-rb.sm.centurytel.net [66.112.21.43]) by wvnet.at2 (8.12.11/8.12.11) with ESMTP id 89E658FDBCBFEF for <xxxxxx@xxxxxxx.com>; Mon, 27 Sep 2004 06:12:07 +0200
Date: Sun, 26 Sep 2004 23:15:07 -0500
From: Ty Mills <Berry@adni.net>
Subject: Nominated for an MBA
To: xxxxxxxxx@xxxxxxxxxx.com
Message-ID: <AF0D0A73.16483@intraware.com>
MIME-version: 1.0
Content-type: text/html; charset=us-ascii; format=flowed
Content-transfer-encoding: 7Bit
X-Accept-Language: en-us, en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

The From: line is almost 100% fake in spam.

The line Received: from unknown (HELO 66.230.157.130) (211.173.185.3) is the line we want to look at. This is the line where our mail server is getting the message. It is most likely that the spammer is connecting directly to our mail server. An other way is for the spammer to use a relay. We can not make any assumptions on what happened before it reached our server. It is the people running the (wrongly configured) mail relay, or the network where the machine connected to our mail server you should try to complain to. When you look at the header line you see two different ip addresses. The last ip address is the correct one. The HELO ip address can be anything, it is basically a command in SMTP that the spammer sends and can be set to any address the spammer want. This is set to something to try to confuse, your mail server will add the correct address based on the address in the TCP connection. The correct ip address of the machine connecting to your mail server is in white.

The text in orange is faked. In a normal mail the orange text is the route the mail took before it came to the machine now connecting to your mail server. Example your machine, to your smtp server. This is a spam message, and this is most likely to be something faked. You should only focus on the machine connecting to your mail server. 211.173.185.3

So who is responsible for that address?
https://www.dnsstuff.com/ have a lot of fun tools you can use.
The address belongs to: KRNIC, and further is delegated to: CJ CableNet Pukincheon Broadcasting Co., Ltd and gives hcpark@cj.net as an abuse contact. Many high roller spammers operate as "ISPs". So hcpark@cj.net could actually be read by the spammer. So complaining upward the ranks to KRNIC people is probably also wise.

Tracing and complaining about spam are a lot of work. So you will probably get tired after a while if you get 100 spam mails a day. There are probably some programs that can do some of this automatically. Will it stop spam coming to your mail box??? Probably not much :)