Please also realize the importance of contacting the original domain when you receive SPAM/UCE (unless the provider is known to be "spam tolerant", in which case you would forward your complaint to their upline). It's impossible for them to know it's happening until someone forwards them a complaint. If everyone were to ignore spam, the originating domain would never know it's happening. Here is an example of spam originating from Netcom, even though it does not have the word 'netcom' anywhere in the headers. This is intended as an instruction to people who do not already know how to read headers. If you know how to read headers, please disregard. This is an EXAMPLE of junk mail headers. Please do not send to any of the domains referenced. The IP numbers have been changed except the ones referencing Netcom.
Received: from server1.fake (server1.fake [266.0.93.1])

Let's start reading this from the top. You reside somewhere in the server2.fake domain. Let's see where you received it from.

Received: from server1.fake (server1.fake [266.0.93.1])

You received it from server1 [266.0.93.1]. Never go by what is in the parentheses. It could be forged; always go by the IP number in brackets. Where did server1 receive it from?

Received: from internet.abc (server.internet.abc [266.32.0.4]) by

This means that server1 received it from [266.32.0.4]. There are tools on the web that will help you verify the name associated with the IP number (see below). Let's keep going down and see if this IP was the originator or if it was relayed through them.

Received: from 432BRxr9q ([205.184.139.163])

This means that it was relayed through internet.abc! It came from 205.184.139.163. Now we go to one of our tools to find the name associated with that IP number. I use nslookup on 205.184.139.163. It tells me that it is knx-tn7-03.ix.netcom.com. Let's go down one more time to see if this is the originator, or if it was relayed through netcom also.

Received: from login_0246.whynot.spam (mx.whynot.spam[206.0.231.0]) by

If this were a valid Received line, it would show received by netcom.com. Since it doesn't, this is a FORGED header. Conclusion: It originated at [205.184.139.163], which is knx-tn7-03.ix.netcom.com. It was relayed through [266.32.0.4], which was internet.abc. Not all SPAMs will come with a vast number of forged headers. There are email programs that act as their own sendmail and send the SPAM straight from a dial-up account. Here is an example.
Received: from 206.175.97.77 by pageplanet.com

There are several lines in the headers that will mislead the newcomer. You will note the To line:

To:     Friend@pageplanet.com

The SPAMmer simply places Friend@ in the To line, and the receiving machine, when performing a DNS check, will fill in the line to complete the headers. This DOES NOT mean your ISP is at fault. The second line that brings questions to the newcomer is the Message-ID:

Message-ID: <1324030598-9640589@pageplanet.com>

Because the message reached your ISP's server without a Message-ID, their server will assign the message one. This is standard for all ISPs. You will note that these headers have only one Received line. The IP number in the line is the point of injection confirmed by the server. Had the SPAMmer programmed his/her software to give a HELO, the IP in the DNS Callback would have been enclosed.

Received: from 206.175.97.77 by pageplanet.com

Conclusion: It originated at 206.175.97.77, which is hdn86-077.hil.compuserve.com, sent directly to pageplanet.com. Remember, always go by the IP addresses in brackets. Never go by the From line, Reply-To line, Authenticated Sender line, or the name of the domain in the parentheses. To find tools such as 'nslookup' on the web, use your favorite search engine to look up that word. There are two parts to a server name: the name (i.e. mail.kellyfreehold.com) and the IP (i.e. 205.152.36.30). When a server is "shaking hands" with another server, they introduce themselves with what is called a HELO. This HELO can be forged. Prudent System Administrators will configure their machines to perform what is called a DNS CallBack, that is, to challenge the HELO for authentication. This will usually be found after the HELO, enclosed in parentheses or brackets. If the HELO has an IP enclosed in parentheses, the server will place the CallBack information enclosed in brackets. The point of injection is usually found in the first to third "Received" line, depending upon the type of software used to send the SPAM/UCE. If you note a forged HELO followed by a CallBack, the information in the CallBack will usually be the point of injection. This may also be seen in another format in which the spammer forges the HELO. In such a case the header may appear as:
Received: from mail.kellyfreehold.com (206.175.97.77) by pageplanet.com

In this case the rDNS result is displayed and enclosed by the parentheses, (206.175.97.77). An nslookup of mail.kellyfreehold.com gives the IP address 205.160.14.30, which reveals the HELO is a complete forgery; therefore mail.kellyfreehold.com is a victim of another spammer's lie. Sending a complaint to postmaster@kellyfreehold.com, or their providers, would be counterproductive, and put an overload on their system and employees that essentially has the same result as "spamming" the victim with complaints.

Where can you find the "Tools" to trace the "point of injection" and the SPAMmer's internet provider or connection?

http://www.samspade.org/t/

Where to send your complaint. In most cases, email your complaint to the SPAMmer's provider at postmaster@theproviders domain. Remember, NEVER flame the SPAMmer, or send a reply. Because you have taken a stand against this type of Net Abuse, you will be, and are, considered by the SPAMmers as a "Net-Terrorist", and they will retaliate in whatever means they can. There WILL BE, AND IS, A CONTRACT on your internet account.

Cordially,
Duane K. Kelly
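As an added example (not from the article or its author), here is a small Python parser that applies the two rules the walk-through above relies on: trust only the address in brackets, and read the Received lines from the top until a "by" host no longer matches the host the line above says it received from. The sample headers are constructed from the article's examples; the "by" hosts that the article's copy truncates are assumed, and the resulting address would still be resolved with nslookup as described.

```python
import re
from dataclasses import dataclass

# Shape assumed for one hop: "Received: from <HELO> (<rDNS> [<ip>]) by <host>".
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[\w.-]+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

@dataclass
class Hop:
    helo: str   # name the sender announced in HELO (trivially forgeable)
    rdns: str   # name the receiving server found for the connection, if any
    ip: str     # address the receiving server actually saw: the part to trust
    by: str     # the server that wrote this Received line

def parse_received(line):
    """Split one Received line into HELO name, callback name, address and receiver."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    tokens = (m.group("paren") or "").replace("[", " [").replace("]", "] ").split()
    bracketed = [t[1:-1] for t in tokens if t.startswith("[") and t.endswith("]")]
    # Prefer the bracketed address; fall back to a bare IP in parentheses or in HELO.
    ip = bracketed[0] if bracketed else next(
        (t for t in tokens + [m.group("helo")] if IP_RE.fullmatch(t)), "")
    names = [t for t in tokens if not t.startswith("[") and not IP_RE.fullmatch(t)]
    return Hop(m.group("helo"), names[0] if names else "", ip, m.group("by"))

def point_of_injection(headers):
    """Walk Received lines top down: each 'by' host must be the host the line above
    received from.  The first mismatch is a forged line and the hop above it is the
    point of injection.  Returns (injection_ip, index of first forged line or None)."""
    hops = [h for h in map(parse_received, headers.splitlines()) if h]
    if not hops:
        return "", None
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        known = {x.lower() for x in (prev.helo, prev.rdns, prev.ip) if x}
        if cur.by.lower() not in known:
            return prev.ip, i
    return hops[-1].ip, None

# Constructed from the article's relayed example; the 'by' hosts after the truncation are assumed.
RELAYED = """\
Received: from server1.fake (server1.fake [266.0.93.1]) by server2.fake
Received: from internet.abc (server.internet.abc [266.32.0.4]) by server1.fake
Received: from 432BRxr9q ([205.184.139.163]) by internet.abc
Received: from login_0246.whynot.spam (mx.whynot.spam[206.0.231.0]) by mx.whynot.spam
"""
DIRECT = "Received: from 206.175.97.77 by pageplanet.com\n"  # the article's direct example
```

For the relayed sample the walk stops at the fourth line, whose "by" host is not the Netcom machine the line above came from, so the injection point is 205.184.139.163; the single-line sample yields 206.175.97.77 with no forged line.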