Tracking Spammers: Getting Started
Start tracking spam by looking at the email header information.
Each server receiving a message, for relay or delivery, automatically logs the IP address of the sender. However, the information in most header fields can be easily forged. For spam, most header information is forged to shield the spammer against a flood of complaints.
The most reliable field in the header is the Received: field, because each SMTP server that routes the message automatically prepends (adds to the front of the header) its own Received: entry. Even if the spammer has added several false Received: entries to throw you off the track, you can be fairly sure that somewhere in the header information the true originating domain of the spammer can be found.
The spam filter reads only the first "word" following "from" and "by" in each Received: header (in the example below, 2doormail.2door.com. and gnetmgt.2door.com). The content filter considers information anywhere in the field.
Some SMTP server programs perform a reverse DNS lookup to verify that the domain name and IP address match, or check that the username can be resolved. The following example shows a case where the check failed; the server recorded the problem in the X-Authentication-Warning: line:
Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11])
    by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007;
    Wed, 22 Jul 1999 09:25:39 -0400 (EDT)
Message-Id: <199907221321.JAA29175@2doormail.2door.com.>
X-Authentication-Warning: 2doormail.2door.com.: noaccess set sender to <sharon49@mci.com> using -f
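A worked example of reading the Received: chain the way described above, added here and not part of the original page: it takes the first word after "from" and "by" in each Received: header, then walks down from our own server's entry until a hop's "by" host no longer matches the "from" host recorded above it; that is where the forged entries begin, and the hop just above it carries the last trustworthy host and IP address. The message, the relay.example.net hop and its IP address are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample (not from the page): the top Received: line was written by
# our own server; the older one below it was forged by the sender to make the
# message appear to originate from mci.com.
SAMPLE = """\
Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11])
    by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007;
    Wed, 22 Jul 1999 09:25:39 -0400 (EDT)
Received: from mail.mci.com (mail.mci.com [192.0.2.10])
    by relay.example.net with SMTP id abc123;
    Wed, 22 Jul 1999 09:20:00 -0400 (EDT)
From: sharon49@mci.com

body
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+.*?by\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """One dict per Received: header, newest (our own server) first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")      # IP the receiver actually saw
        hops.append({"from": m.group(1).rstrip("."),
                     "by": m.group(3).rstrip("."),
                     "ip": ip.group(1) if ip else None})
    return hops

def chain_break(hops):
    """Index of the first hop that cannot be trusted, or None if consistent.

    Each server names the host it received from; the next-older hop must
    have been written 'by' that same host. Where that fails, forgery begins."""
    for i in range(len(hops) - 1):
        if hops[i]["from"] != hops[i + 1]["by"]:
            return i + 1
    return None

def origin(hops):
    """Host and IP from the last trustworthy hop: the likely true origin."""
    b = chain_break(hops)
    last = hops[b - 1] if b is not None else hops[-1]
    return last["from"], last["ip"]
```

The "from" word is whatever the sending host announced, so the bracketed IP address the receiving server recorded is the value to rely on when the two disagree.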
The Goal
The goal in tracking spammers is to identify false domain names for use in constructing spam and content filter rules. False domain names often make good rules because the incidence of false positives tends to be low. Using false domain names can also be efficient because bulk emailers often reuse the same false domain names, making it a more reliable marker than the actual domain name.
Another benefit of tracking is that you may be able to determine who the spammer's ISP (Internet Service Provider) is.