Tracing Spammers

by Tom Barnes-Lawrence

This article is intended as a basic primer on some facts about tracing spammers:

The From: address and the Reply-To: address in e-mail can be forged quite easily. As such, would you expect any spammer to use their real e-mail address in them? No, of course not. You may have at least noticed the occasional spammer sending you spam apparently from your own address? That's because spammers generally don't use ordinary email clients and send emails out one at a time; they tend to use specialised spamming software. In the interests of protecting the guilty, no link to anyplace selling this specialised software will be provided. So, if you ever decide to send an angry reply to a spammer, then you have likely just harrassed an innocent person, who has probably already received a few bounce (returned) messages thanks to the spammer.

Other than the e-mail address, the main way to trace the spammer is to examine the "Received: From" header. These are extra e-mail headers that all e-mail has, but generally most e-mail software doesn't show them unless you specifically enable the function.

Here is a link to a site showing how to enable full headers in several different e-mail clients. (uia.com)

Most software hides the headers because they are generally of little use to most people. Each e-mail will generally have several such headers, the first being the one describing your machine collecting email from your email account, the next one describing your ISP or email provider receiving it from another mail server, and last describing its transferrence from the original sender. There may well be several intermediate "Received: From" headers if the e-mail travels between numerous different machines. Now, each mail server fills in a new header according to the machine from which it got the e-mail. It will use the sending machine's IP address (of the form 1.2.3.4 or similar) and hostname (of the form mail.someone.com, etc).

Now, here's the important point: Firstly, each legitimate machine that fills in the "Received:" header will know the IP address of the sender, as this cannot be faked, but the hostname (as above, mail.someone.com) is reported by the sender and can easily be faked. This is made a lot easier for spammers as they will use other people's compromised machines (that have been infected with e-mail-relaying worms or other malicious programs) to relay their spam for them rather than sending it through their ISP. They set up these machines to hide the origins of the e-mail, rather than behaving as proper mailservers.

Secondly, an e-mail can have any number of "Received:" headers, and none of the receiving mailservers can or will check the validity of these headers when they're attached to the mail. So an email sent from a spamming machine could easily have a bunch of fake headers already on it. Therefore the address of the spammer's machine isn't necessarily the last "Received:" header.

Points To Consider When Tracking Spammers

  • Just because you receive a spam, it doesn't follow that the apparent senders of the spam are actually working for the people they claim to advertise. They could in fact be framing them. This has happened before.
  • Be very careful before trying to take action against spammers. We all hate them, but if you don't have your wits about you, you might well get the wrong person.
  • I've probably made a few mistakes here too. If I find I have and can confirm they really are mistakes, I'll go back and correct them. I don't want to give out false information.
That said, all information herein is the responsibility of Tom Barnes-Lawrence, (c) 2005, may be redistributed with attributions left intact and/or with permission of the author.