Tracking Spammers: Time savers 

The top-most Received: line in any email message is the one added by the recipient's own domain. Once you hit upon forged header information, every Received: line below it is suspect, because each relaying server prepends its own line and the sender controls everything that was there before. Somewhere between these two points lies the true IP address of the spammer and the ISP used to deliver the message. Whenever you discover a forged Received: field in a header, include it in your anti-spam rules: spammers often reuse the same fakes.

Some tips to help quickly identify forged header information follow:

Any IPv4 address with an octet (dotted block) higher than 255 is fake, since each block runs only from 0 to 255. Obvious, perhaps, but sometimes people are just careless (or clueless). Here's an example:

Received: from login_01224.roverdipper.net (mail.roverdipper3.net[123.75.899.454]) by roverdipper.net (8.8.5/8.7.3) with SMTP id XAA04759 for user1224@roverdipper.net; Thu, 23 July 1999 15:26:47 -0700 (EDT)

Real sendmail SMTP ids usually encode the hour of the hand-off between SMTP servers in their first letter (A for 12:00-1:00 A.M., B for 1:00-2:00 A.M., and so on through X for 11:00 P.M.-midnight). Note that the SMTP id in the example above starts with X, which does not correspond to the subsequent time stamp, 15:26:47. If X were genuine, the time stamp would fall in the 23:00 hour block. Here's another example:

Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11]) by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007; Wed, 22 Jul 1999 09:25:39 -0400 (EDT) Message-Id: <>

Timestamps carry a numeric offset from GMT (Greenwich Mean Time). In the United States, EST (Eastern Standard Time) is five hours behind (-0500) and PST (Pacific Standard Time) is eight hours behind (-0800). If the zone name and the offset don't jibe, the information is fake.

Messages are passed from server to server in chronological order, usually no more than a few minutes apart. Exceptions are possible, especially with some of the free email services, whose mail queues can be many hours long. Check the time stamps in each Received: field to identify anomalies. Here's an example:

Return-Path: <sharon49@mci.com>
Received: from gnetmgt.2door.com (2doorfw.2doorinv.com [123.159.94.172])
 by mail.netcom.com (8.8.5-r-beta/8.8.5/(NETCOM v1.02)) with ESMTP id GAA05865;
 Wed, 22 Jul 1999 06:26:58 -0700 (PDT)
From: sharon49@mci.com
Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11])
 by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007;
 Wed, 22 Jul 1999 09:25:39 -0400 (EDT)
Message-Id: <199907221321.JAA29175@2doormail.2door.com.>
X-Authentication-Warning: 2doormail.2door.com.: noaccess set sender to <sharon49@mci.com> using -f
Received: from host-209-214-48-152.tys.bellsouth.net(123.214.48.152) by 2doormail via smap (V2.0beta)
 id xmar28923; Wed, 22 Jul 98 09:20:43 -0400
DATE: 23 Jul 98 9:33:20 AM
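The four checks above (impossible octets, queue-id hour letters, zone name versus numeric offset, and hop chronology) can be run mechanically over a header block. The script below is an added example, not code from the original page; it uses only the Python standard library. The zone table is an assumption built from the page's EST and PST figures plus the corresponding daylight-time and central/mountain offsets, and the 24-hour "large gap" threshold is an arbitrary choice. The two sample header blocks are the page's own examples with their folded lines rejoined.

```python
"""Sanity checks for Received: headers, following the tips on this page."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Numeric offsets the common US zone abbreviations must carry.  EST and PST
# are from the page; the other entries are assumed additions.
ZONE_OFFSETS = {
    "EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700",
    "GMT": "+0000", "UTC": "+0000",
}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# sendmail 8.x queue ids look like JAA04007: hour letter, "AA", digits.
QUEUE_ID_RE = re.compile(r"\bid ([A-Z])AA\d+\b")
OFFSET_RE = re.compile(r"([+-]\d{4})(?:\s*\(([A-Z]{3,4})\))?\s*$")


def parse_received(value):
    """Pull the pieces the checks need out of one Received: header value."""
    text = " ".join(value.split())          # unfold continuation lines
    date_text = text.rsplit(";", 1)[-1].strip() if ";" in text else ""
    offset = OFFSET_RE.search(date_text)
    qid = QUEUE_ID_RE.search(text)
    try:
        when = parsedate_to_datetime(date_text)
    except (TypeError, ValueError):         # missing or unparsable date
        when = None
    return {
        "ips": IP_RE.findall(text),
        "qid_letter": qid.group(1) if qid else None,
        "offset": offset.group(1) if offset else None,
        "zone": offset.group(2) if offset else None,
        "when": when,
    }


def check_received_chain(raw_message, max_gap=timedelta(hours=24)):
    """Return (hop_index, kind, detail) findings; hop 0 is the top-most line."""
    hops = [parse_received(v) for v in
            message_from_string(raw_message).get_all("Received", [])]
    findings = []
    for i, hop in enumerate(hops):
        for ip in hop["ips"]:
            if any(int(octet) > 255 for octet in ip.split(".")):
                findings.append((i, "bad-ip", ip))
        if hop["qid_letter"] and hop["when"]:
            expected = chr(ord("A") + hop["when"].hour)   # A = 00:xx ... X = 23:xx
            if hop["qid_letter"] != expected:
                findings.append((i, "queue-id-hour",
                                 f"{hop['qid_letter']} vs {expected} for {hop['when']:%H:%M}"))
        want = ZONE_OFFSETS.get(hop["zone"])
        if want and hop["offset"] and want != hop["offset"]:
            findings.append((i, "zone-offset",
                             f"{hop['zone']} is {want}, header says {hop['offset']}"))
    # Each server prepends its own line, so every hop should be slightly later
    # than the one below it: never earlier, and rarely hours later.
    for i in range(len(hops) - 1):
        a, b = hops[i]["when"], hops[i + 1]["when"]
        if not (a and b and a.tzinfo and b.tzinfo):
            continue
        if a < b:
            findings.append((i, "out-of-order", f"hop {i} is earlier than hop {i + 1}"))
        elif a - b > max_gap:
            findings.append((i, "large-gap", f"{a - b} between hop {i} and hop {i + 1}"))
    return findings


# Sample 1: the page's single forged line (bad octet, wrong hour letter,
# EDT paired with -0700), rejoined as one folded header.
FORGED_HOP = (
    "Received: from login_01224.roverdipper.net (mail.roverdipper3.net"
    " [123.75.899.454])\n by roverdipper.net (8.8.5/8.7.3) with SMTP id XAA04759\n"
    " for user1224@roverdipper.net; Thu, 23 July 1999 15:26:47 -0700 (EDT)\n"
)

# Sample 2: the page's three-hop chain, whose bottom line is dated a year early.
HOP_CHAIN = (
    "Return-Path: <sharon49@mci.com>\n"
    "Received: from gnetmgt.2door.com (2doorfw.2doorinv.com [123.159.94.172])\n"
    " by mail.netcom.com (8.8.5-r-beta/8.8.5/(NETCOM v1.02)) with ESMTP id GAA05865;\n"
    " Wed, 22 Jul 1999 06:26:58 -0700 (PDT)\n"
    "From: sharon49@mci.com\n"
    "Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11])\n"
    " by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007;\n"
    " Wed, 22 Jul 1999 09:25:39 -0400 (EDT)\n"
    "Message-Id: <199907221321.JAA29175@2doormail.2door.com.>\n"
    "Received: from host-209-214-48-152.tys.bellsouth.net(123.214.48.152)\n"
    " by 2doormail via smap (V2.0beta)\n"
    " id xmar28923; Wed, 22 Jul 98 09:20:43 -0400\n"
)

if __name__ == "__main__":
    for name, sample in (("forged hop", FORGED_HOP), ("hop chain", HOP_CHAIN)):
        print(name)
        for hop, kind, detail in check_received_chain(sample):
            print(f"  hop {hop}: {kind}: {detail}")
```

The hour-letter check compares the letter with the local hour of the same line's own timestamp, which is what a genuine sendmail server would have used; lines that carry a non-sendmail id (such as the smap line in the second sample) are simply skipped. Paste a real header block into `check_received_chain` and read the findings from the top down: the first hop that fires marks the point below which the page says nothing can be trusted.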

Most messages are passed from server to server in some geographic semblance of order. If you notice a general sweep from east to west in the Received: fields but then, suddenly, there is a line for gorpsys.greplines.com.bz (Brazil), or some such oddity, it is possible that the server was hijacked.

If you're stuck, additional help with tracking down header information may be available from the newsgroup news.admin.net-abuse.email <news:news.admin.net-abuse.email>.

See also:

Getting Started
Sending A Complaint
Tools