If you want to report a spammer you should do it the the ISP that is
operating the net the spammer is sending from. This can be fun to do a
couple of times, but in the long run to do this manually for all spams
you get are too much work.
The spammer often uses a lot of trickery to try to deceive where the
spam is actually sent from. This involves adding a bunch of fake lines
in the header.
Lets look at this spam email header:
From - Mon Sep 27 11:37:04 2004
Received: (qmail 82870 invoked from network); 27 Sep 2004 03:09:30 -0000
Received: from unknown (HELO 22.214.171.124)
by dns1.realitychecknetwork.com with SMTP; 27 Sep 2004 03:09:30 -0000
Received: from wvnet.at (adsl66-112-21-43-rb.sm.centurytel.net
[126.96.36.199]) by wvnet.at2 (8.12.11/8.12.11) with ESMTP id 89E658FDBCBFEF
for <email@example.com>; Mon, 27 Sep 2004 06:12:07 +0200
Date: Sun, 26 Sep 2004 23:15:07 -0500
From: Ty Mills <Berry@adni.net>
Subject: Nominated for an MBA
Content-type: text/html; charset=us-ascii; format=flowed
X-Accept-Language: en-us, en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
The From: line is almost 100% fake in spam.
The line Received: from unknown (HELO 188.8.131.52)
(184.108.40.206) is the line we want to look
at. This is the line where our mail server is getting the message. It
is most likely that the spammer is connecting directly to our mail server.
An other way is for the spammer to use a relay. We can not make any assumptions
on what happened before it reached our server. It is the people running
the (wrongly configured) mail relay, or the network where the machine
connected to our mail server you should try to complain to. When you look
at the header line you see two different ip addresses. The last ip address
is the correct one. The HELO ip address can be anything, it is basically
a command in SMTP that the spammer sends and can be set to any address
the spammer want. This is set to something to try to confuse, your mail
server will add the correct address based on the address in the TCP connection.
The correct ip address of the machine connecting to your mail server is
The text in orange is faked. In a normal mail the orange text is the
route the mail took before it came to the machine now connecting to your
mail server. Example your machine, to your smtp server. This is a spam
message, and this is most likely to be something faked. You should only
focus on the machine connecting to your mail server. 220.127.116.11
So who is responsible for that address?
https://www.dnsstuff.com/ have a lot of fun tools you can use.
The address belongs to: KRNIC, and further is delegated to: CJ CableNet
Pukincheon Broadcasting Co., Ltd and gives firstname.lastname@example.org as an abuse contact.
Many high roller spammers operate as "ISPs". So email@example.com
could actually be read by the spammer. So complaining upward the ranks
to KRNIC people is probably also wise.
Tracing and complaining about spam are a lot of work. So you will probably
get tired after a while if you get 100 spam mails a day. There are probably
some programs that can do some of this automatically. Will it stop spam
coming to your mail box??? Probably not much :)