Tracking Spammers: Received lines 

The Received: lines show, in reverse order, the path through the Internet that the message took.

Return-Path: <lantto@kiruna.se>
Received: from socknet.sock.com ([123.66.73.253]) by mail5.netcom.com (8.8.5-r-beta/8.8.5/(NETCOM v1.02)) with SMTP id BAA23397 for <shchen@nedcom.com>; Thu, 23 Jul 1999 01:59:00 -0700 (PDT)
From: lantto@kiruna.se
Received: by socknet.sock.com (station v4.1) from default id QAA01069; Thu, 23 Jul 1999 16:52:27 +0800
Date: Thu, 23 Jul 1999 16:52:27 +0800
Received: from login_01224.roverdipper.net (mail.roverdipper3.net[123.75.899.454]) by roverdipper.net (8.8.5/8.7.3) with SMTP id XAA04759 for user1224@roverdipper.net; Thu, 23 July 1999 15:26:47 -0700 (EDT)
To: lantto@kiruna.se
Subject: JUST RELEASED! 10 Million!!!
X-PMFLAGS: 225549798.233
X-UIDL: 15424665_288569.564.747
Comments: Authenticated Sender is <user1224@roverdipper.net>
Message-Id: 01658742211308922@g_hipkernia.com

The first Received: line (Received: from socknet.sock.com) can be trusted, because it was added by the recipient's own SMTP server; only the lines below it could have been forged by the sender.

For the other Received: lines, use NT's nslookup to verify that the IP address and the domain name actually match. If they don't, the Received: line is forged. You can also do a reverse DNS lookup to identify who the IP address actually belongs to. If looking up the whole IP address (all four blocks) yields nothing, look up only the first three. Use the UNIX program whois, or search the Internet, to see whether the name you get back is real. You may need to look up the IP addresses of several Received: fields before uncovering something fishy.
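The check described above, as an added example that is not part of the original page: the script parses each Received: line of the sample header, pulls out the host the sender claimed (the HELO name), the reverse-DNS name the receiving server recorded, and the bracketed IP address, and then tests whether the claimed name really resolves to that IP. The DNS lookup is injected as a function so the script runs offline against a constructed lookup table (FAKE_DNS is an assumption, not real DNS data); pass socket.gethostbyname instead to query real DNS. The header text is the page's own example, copied with one field per line.

```python
"""Sanity-check the Received: chain of a message header.

Only the topmost Received: line was written by the recipient's own server;
every line below it was supplied by the sender and may be forged. For each
line we verify that the HELO name and the recorded IP address agree, and
that the IP address is even a valid IPv4/IPv6 address.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed sample: the example header from this page, one field per line.
SAMPLE_HEADER = """\
Return-Path: <lantto@kiruna.se>
Received: from socknet.sock.com ([123.66.73.253]) by mail5.netcom.com (8.8.5-r-beta/8.8.5/(NETCOM v1.02)) with SMTP id BAA23397 for <shchen@nedcom.com>; Thu, 23 Jul 1999 01:59:00 -0700 (PDT)
From: lantto@kiruna.se
Received: by socknet.sock.com (station v4.1) from default id QAA01069; Thu, 23 Jul 1999 16:52:27 +0800
Date: Thu, 23 Jul 1999 16:52:27 +0800
Received: from login_01224.roverdipper.net (mail.roverdipper3.net[123.75.899.454]) by roverdipper.net (8.8.5/8.7.3) with SMTP id XAA04759 for user1224@roverdipper.net; Thu, 23 July 1999 15:26:47 -0700 (EDT)
To: lantto@kiruna.se
Subject: JUST RELEASED! 10 Million!!!
"""

# Constructed, offline stand-in for DNS (assumption: only this one name is known).
FAKE_DNS = {"socknet.sock.com": "123.66.73.253"}


def fake_resolve(name: str) -> str:
    """Offline resolver with the same contract as socket.gethostbyname."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise OSError(f"constructed NXDOMAIN for {name}")


# "from <helo-name> (<optional rdns-name> [<ip>])" as sendmail writes it.
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\)"
)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def received_lines(header: str) -> List[str]:
    """Return the Received: field bodies in header order (newest hop first)."""
    return [line[len("Received:"):].strip()
            for line in header.splitlines() if line.startswith("Received:")]


def check_received(body: str, resolve: Callable[[str], str]) -> Dict[str, Optional[str]]:
    """Extract the hop's names and IP and say whether they agree."""
    by = BY_RE.search(body)
    result: Dict[str, Optional[str]] = {
        "by": by.group("by") if by else None,
        "helo": None, "rdns": None, "ip": None, "verdict": "no IP recorded",
    }
    m = FROM_RE.search(body)
    if not m:
        return result  # local hand-off, nothing to cross-check
    result.update(helo=m["helo"], rdns=m["rdns"], ip=m["ip"])
    try:
        ipaddress.ip_address(m["ip"])
    except ValueError:
        result["verdict"] = "invalid IP address"  # cannot be a real SMTP peer
        return result
    try:
        resolved = resolve(m["helo"])
    except OSError:  # socket.gaierror is a subclass of OSError
        result["verdict"] = "HELO name does not resolve"
        return result
    result["verdict"] = "ok" if resolved == m["ip"] else "HELO name does not match IP"
    return result


def audit_chain(header: str, resolve: Callable[[str], str]) -> List[Dict[str, Optional[str]]]:
    """Check every hop; mark the first line as the only one the recipient's server wrote."""
    reports = []
    for i, body in enumerate(received_lines(header)):
        report = check_received(body, resolve)
        report["trusted"] = (i == 0)
        reports.append(report)
    return reports


if __name__ == "__main__":
    for hop in audit_chain(SAMPLE_HEADER, fake_resolve):
        flag = "trusted " if hop["trusted"] else "untrusted"
        print(f"{flag} by={hop['by']} helo={hop['helo']} ip={hop['ip']}: {hop['verdict']}")
```

On the page's example the first hop checks out, the second records no peer address at all, and the third carries an IP address with octets above 255, which no real SMTP connection could have produced. Note that a matching forward lookup is still not proof of honesty: a spammer controlling a domain can make any name resolve to any address, which is why the page goes on to whois and search engines.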

After identifying a suspect domain or company name, check the World Wide Web to see what you can find out. For example,

* Check http://www.suspect-domain.com.

* Use tracert to trace the network path to the suspect domain. This can give you the spammer's IP address or domain name and/or the spammer's ISP.

* Use whois [IP address] on a UNIX computer to find out to whom the IP address and/or domain name is registered. You can learn the name, address, phone number, and email address of the person who registered the domain (use this information to determine whether you've got the spammer, a relay, a hijacked server, an ISP, or an innocent party that is also being abused).

* Use nslookup on an NT computer to translate an IP address into a domain name, or vice versa.

* Run the company name, or any other names and addresses that you learned from whois, tracert, or nslookup, through a search engine and see what you get.

* Search http://www.dejanews.com for the company, domain name, or product that's being hawked, etc.

* Also search http://www.dejanews.com for the user name in the From: field. Spammers use many aliases, but they often use the same group of aliases; they may also use stock phrases, phone numbers, and other tell-tale bits of information that can aid you in tracking down their identity.

In the example email header above, red text indicates the portions of the Received: line(s) that the spam filter considers when applying rules.

See also:

Time Savers
Tools
Offers to remove your name from the spammer's list
Add-Edit: Routing domain