If you own an email address, you’re more than likely to have received a junk message from someone you don’t know, claiming to have an amazing product which you can buy at a few clicks of the mouse. There are startling claims that spam accounts for some 80% of all email communications sent and that it threatens the very existence of the internet. Most people simply find spam annoying and time consuming, while others have actually lost money by accepting bogus offers. Yet almost all Internet Service Providers (ISPs) include an Acceptable Use Policy in their contracts which states clearly that no client may use the services provided by the ISP to send out spam. Courts in the US are taking the battle even further by awarding damages ranging from $10 per spam email to recipients of spam, through to $1 billion to ISPs whose facilities have been used by spammers to conduct their activities. If everyone who operates an email address in South Africa could receive $10 for each spam email received, would we still be in such dire financial straits?
It’s also clear that replying to the email directly is unsuccessful as culprits almost always cloak their real email identity using some clever software programs. In the unlikely event that the spammer actually receives your reply, there is also no guarantee that they’ll adhere to your wishes to be left alone, even if you quote Section blah de blah of Act blah de point 184 of 1980 whatever. Even the ‘opt out’ links provided on some spam messages are simply just a way to let spammers know that the address is valid and their emails have been received (and read) by someone.
The bitter truth about spam is that the true culprits are difficult to get hold of, and they’re simply not interested in your inconveniences. But we have some broader internet policies that are working in our favour: the powers that be, as far as the internet is concerned, consider spam to be a huge problem; and an ISP somewhere has a signed contract with the sender of the spam which shows that he / she agreed not to do so.
Who can stop SPAM?
It’s becoming clearer now that the person we should be complaining to is not the sender of the spam email, but rather someone who has some kind of power over the facilities that the person is using to send that email. They can simply stop allowing that spammer access to their internet facilities. Let’s think about that for a minute: you’re sitting in your office at work and send out a joke email to a joke list. However, someone on the list gets offended by your sense of humour and sends an email to your supervisor complaining about the joke. Your supervisor whips out your signed employment contract, which states that you may not use email facilities for that purpose, and now you’re in breach of contract. There’s some discipline due, which may be anything from a “don’t do that again” through to getting fired and being held personally responsible for damages caused. A reasonable employer would just stop allowing you access to email for a while – to teach you a lesson. The case of spam email is similar, so all we have to do is find out how to contact the people that let the spammer onto the internet and let them know what’s happened.
Admittedly, this procedure for finding the source of the spam may be a bit technical and does not guarantee success. It also depends on a response from the ISP concerned. In overview, what you have to do is find out where the email came from, find out who is in charge of the place that the email came from, and then contact the person in charge in a specified manner, letting them know what’s going on.
The next step is to figure out where that spam email came from.
Tracing the source of the email
Open the offending message in your inbox and view the full headers. Different email clients have different ways of doing this, but the facility almost always exists. Using my Linux-based Evolution email client, I would select the email, click on ‘view’ then ‘select message display’ and finally ‘show full headers’. Microsoft’s Outlook email client simply requires that you right-click on the message and select ‘view headers’ from the popup menu.
- In MS Outlook 2002 and 2003, double-click the email, then go to View > Options.
- In Outlook Express 6, double-click the email, then go to File > Properties > Details.
- In Windows Live Mail, double-click the email, click the blue button in the top left corner, choose Properties from the drop-down, then click the Details tab.
The full header information should look something like this:
Delivery-date: Wed, 26 Oct 2005 09:45:49 +0200
Received: from [126.96.36.199] (helo=aserver.somewhere.co.za) by yourmailserver.co.za with esmtp (Exim 4.51) id 1EUfym-0005Mv-85 for firstname.lastname@example.org; Wed, 26 Oct 2005 09:45:49 +0200
Received: from anotherserver.co.za ([188.8.131.52] helo=servers.co.za) by mail.server.co.za with esmtp (Exim 4.44 (FreeBSD)) id blah for firstname.lastname@example.org; Wed, 26 Oct 2005 09:45:39 +0200
Date: Wed, 26 Oct 2005 09:45:38 +0200 (08:45 BST)
Organization: Fake Organisation
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
To: Selwyn Bergman
Subject: [Fwd: Spam email subject line]
Start reading the headers from the bottom and work your way up to the top, looking line by line for the ones that start with ‘Received:’. In the above example the line to isolate was:
Received: from anotherserver.co.za ([188.8.131.52] helo=servers.co.za) by mail.server.co.za with esmtp (Exim 4.44 (FreeBSD)) id blah for firstname.lastname@example.org; Wed, 26 Oct 2005 09:45:39 +0200
This is where the email initially came from and the first server it was delivered to. Look closely at the four numbers located in square brackets, [188.8.131.52]: that’s the exact IP address we’re looking for – at that moment only one machine on the internet was using that address. If that line looks wrong (a private address such as 10.x.x.x or 192.168.x.x, or a hostname that has nothing to do with the address), move one line up the chain: a spammer can forge the lower ‘Received:’ lines, but not the one your own mail server added. Never mind the rest, it’s all technical mumbo-jumbo.
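An added example (not from the original article) that automates the header walk just described in Python: it parses a constructed message modelled on the header block above, collects the ‘Received:’ lines, walks them from the bottom up skipping any hop that carries no public address, and separately returns the address recorded by your own server, the one line a spammer cannot forge. The sample message and the server name yourmailserver.co.za are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the article's header block; the bottom hop is an internal relay to skip.
SAMPLE_MESSAGE = """\
Received: from [126.96.36.199] (helo=aserver.somewhere.co.za)
  by yourmailserver.co.za with esmtp (Exim 4.51) id 1EUfym-0005Mv-85
  for firstname.lastname@example.org; Wed, 26 Oct 2005 09:45:49 +0200
Received: from anotherserver.co.za ([188.8.131.52] helo=servers.co.za)
  by mail.server.co.za with esmtp (Exim 4.44 (FreeBSD)) id blah
  for firstname.lastname@example.org; Wed, 26 Oct 2005 09:45:39 +0200
Received: from localhost ([127.0.0.1]) by anotherserver.co.za id 1; Wed, 26 Oct 2005 09:45:30 +0200
Subject: [Fwd: Spam email subject line]

"""
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw_message):
    """Received: values in header order (top = last hop), with line folding undone."""
    msg = message_from_string(raw_message)
    return [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]

def bracketed_ip(received_line):
    """The four numbers in square brackets that the article says to look for."""
    match = BRACKETED_IP.search(received_line)
    return match.group(1) if match else None

def is_reportable(ip_text):
    """Only a public address can be looked up at an RIR; loopback or RFC 1918 space cannot."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False

def origin_ip(raw_message):
    """Walk from the bottom (earliest hop) upwards and return the first public address."""
    for line in reversed(received_chain(raw_message)):
        ip_text = bracketed_ip(line)
        if ip_text and is_reportable(ip_text):
            return ip_text
    return None

def trusted_hop_ip(raw_message, own_server):
    """Address in the line your own server wrote: the one hop a spammer cannot forge."""
    for line in received_chain(raw_message):
        if f" by {own_server} " in line:
            return bracketed_ip(line)
    return None
```

If origin_ip and trusted_hop_ip disagree, the lower lines may be forged and the trusted hop is the safer address to report.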
Now that you have the IP address of the culprit you can move on to find out who’s supposed to be monitoring their activity.
Find a spammer’s ISP
All IP addresses are categorised according to region and are controlled by one of a few Regional Internet Registries (RIRs). The current RIRs are:
- AfriNIC (African Network Information Centre) – Africa region – www.afrinic.net
- APNIC (Asia Pacific Network Information Centre) – Asia/Pacific region – www.apnic.net
- ARIN (American Registry for Internet Numbers) – Canada, the United States, and several islands in the Caribbean Sea and North Atlantic Ocean – www.arin.net
- LACNIC (Latin American and Caribbean IP address Regional Registry) – Latin America and some Caribbean islands – www.lacnic.net
- RIPE NCC (Réseaux IP Européens Network Coordination Centre) – Europe, the Middle East, Central Asia, and African countries located north of the equator – www.ripe.net
Some of the RIRs in turn divide themselves up into smaller regions for improved management. For example, within APNIC you will find separate national registries dealing with Korea, Japan and so forth.
When an organisation applies for an IP address, or a range of IP addresses, it has to give one of the above RIRs information about who will manage those addresses. So by making an online query to these RIRs, you’re likely to find which organisation is responsible for the IP address that the spam email came from. You can query an IP by making use of the ‘Whois’ service that’s available at each of the RIRs. Furthermore, many proactive ISPs add a contact for mail or network abuse, and it shows up in the results of your online query, usually something like “Please address all SPAM or Network abuse to email@example.com”. If you find an email address (or several email addresses) set aside to deal with network abuse, make a note of them. Otherwise jot down the email address of the administrative or the maintenance contact.
Another way of getting the info:
The Samspade website (www.samspade.org) can also assist you somewhat. Visit the website and type the IP address you found into the text box. Click ‘Do stuff’ and see what comes out. Most times Samspade gathers information about who’s in charge of the address, who they work for, their telephone numbers, postal addresses and so on. At other times Samspade will fail, but will tell you which RIR can provide more assistance. Look through Samspade’s output for email contacts; you should find email addresses for a technical contact, an administrative contact and an abuse contact. If Samspade didn’t give any detailed information, look at the bottom for a reference to which RIR’s whois database was used, and visit that RIR’s website – you’re more than likely to find another solution there.
Forward your spam message to the abuse contact, and remember to copy and paste the headers of the original spam email that you received. It is very important to include the headers in the forwarded message, as the ISP you are reporting the spam to will require them to investigate the matter further. You may optionally include a brief statement saying something like you’ve received this spam email from someone using their internet facilities.
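An added example (not from the original article) of building the report in Python so the original headers cannot be lost: instead of pasting the headers into the body, the original message is attached whole as a message/rfc822 part, which keeps every ‘Received:’ line exactly as your server recorded it. The spam message, the abuse address and your own address are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed spam message carrying the hop found earlier in its headers (not a real message).
SPAM_RAW = """\
Received: from anotherserver.co.za ([188.8.131.52] helo=servers.co.za)
  by mail.server.co.za with esmtp (Exim 4.44 (FreeBSD)) id blah
  for firstname.lastname@example.org; Wed, 26 Oct 2005 09:45:39 +0200
From: someone@example.net
To: firstname.lastname@example.org
Subject: Spam email subject line

Buy now.
"""

def build_abuse_report(raw_spam, abuse_address, your_address, offending_ip):
    """Wrap the original message as a message/rfc822 attachment so all of its headers
    survive untouched; a plain forward in most mail clients rewrites or drops them."""
    original = message_from_string(raw_spam, policy=policy.default)
    report = EmailMessage()
    report["From"] = your_address
    report["To"] = abuse_address
    report["Subject"] = "Spam report: " + str(original["Subject"])
    report.set_content(
        f"I received the attached unsolicited email from {offending_ip}, an address your "
        "whois record lists as your responsibility. The full headers are in the attachment."
    )
    report.add_attachment(original)  # becomes a message/rfc822 part with the original inside
    return report

def attached_headers(report, name):
    """Read a header back out of the attached original, to confirm it survived intact."""
    for part in report.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return [str(h) for h in part.get_content().get_all(name, [])]
    return []
```

The returned EmailMessage can be handed to smtplib.SMTP.send_message or written out with as_string() for your own mail client to send.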
And that’s pretty much that. The ISP now has all the information it needs to take action against the sender of the spam email. Usually the ISPs won’t let you know what’s happened, because they’re inundated with complaints, but generally you will begin to notice a decline in the amount of spam you’re receiving. In one case, however, I reported someone to a local ISP and they notified the culprit of a cancellation of his account without refund, while cc’ing me on the email.
Article by Selwyn Bergman of BMSC-Online