NOTE: This has been recently transplanted from the contact info
section from my "about:me" page. I haven't tidied it up much. Sorry,
I'll hopefully get around to it, bear with me.
<snip>... I should point out some facts about tracing spammers
that many people are depressingly ignorant of:
- You know the From: address,and the Reply-To: address in emails?
They can be forged, quite easily. As such, would you expect
any spammer to use their real email address in them?
No, of course not. If this wasn't obvious to you, I would imagine
that you would have at least noticed the occasional spammer sending
you spam apparently from your own address? Yeah, that's
because they generally don't use ordinary email clients and send
them out one at a time or anything, they tend to use specialised
spamming software. No, even if I knew of any, I wouldn't link to
it, sorry. So point is, if you ever decide to send an
angry reply to a spammer, then you are a big cretin, and have
just harrassed an innocent person (who has probably already
received a few bounce messages thanks to the spammer himself).
- Other than the email address, the main way to trace the spammer
is the "Received: from" header. These are extra email headers that
all emails have, but are generally not shown unless you get your
client to do it, because they'd be of little use to most people.
Each email will generally have several such headers, the first
being the one describing your machine collecting email from
your email account, the next one describe your ISP or email provider
receiving it from another mail server, and last describes it's
transferrence from the original sender. There may well be several
intermediate "Received: from" headers if the email travels between
numerous different machines. Now, each mail server fills in a new
header according to the machine it got the email from. It will
use the sending machine's IP address (of the form 18.104.22.168 or
similar) and hostname (of the form mail.someone.com, etc).
Now, here's the important point: Firstly, each legitimate machine
that fills in the "Received:" header will know the IP address of
the sender, as this cannot be faked, but the hostname is
reported by the sender and can easily be faked. For more
information, you should see
from Linux.org who were set up by spammers doing just that.
This fact is made a lot easier for spammers as they will
use other people's compromised machines to relay their spam for
them rather than sending it through their ISP. They set up these
machines to try to cover their tracks rather than behaving as
Secondly, an email could have any number of "Received:" headers,
and none of the receiving mailservers can or will check the
validity of those already in the email. So as such, an email
sent from a spamming machine could easily have a bunch of
fake headers already on it, hence the address of the spammer's
machine isn't necessarily the last "Received:" header.
- Just because you receive a spam, it doesn't follow that
they're actually working for the people they claim
to advertise. They could in fact be framing them. This has
- So in short, be damned careful before trying to take
action against spammers. We all hate them, but if you don't
have your wits about you, you might well get the wrong person.
- Having moved this little essay of mine, I need to split it
up better for easier reading. This will probably be done some
time in the future.
- I've probably made a few mistakes here too. If I find I
have and can confirm they really are mistakes, I'll go
back and correct them. I don't want to give out false information.