NOTE: This has been recently transplanted from the contact info section of my "about:me" page. I haven't tidied it up much; sorry, I'll hopefully get around to it. Bear with me.

<snip>... I should point out some facts about tracing spammers that many people are depressingly ignorant of:

  • You know the From: address and the Reply-To: address in emails? They can be forged, quite easily. As such, would you expect any spammer to use their real email address in them? No, of course not. If this wasn't obvious to you, you will at least have noticed the occasional spam apparently sent from your own address. That's because spammers generally don't use ordinary email clients and send messages out one at a time; they use specialised spamming software that puts whatever it likes in the sender fields. No, even if I knew of any, I wouldn't link to it, sorry. So the point is: if you ever decide to send an angry reply to a spammer, you are a big cretin, and have just harassed an innocent person (who has probably already received a few bounce messages thanks to the spammer himself).
  • Other than the email address, the main way to trace a spammer is the "Received:" header. These are extra email headers that all emails have, but they are generally not shown unless you tell your client to show them, because they'd be of little use to most people. Each email will generally have several such headers: the first describes your machine collecting the email from your account, the next describes your ISP or email provider receiving it from another mail server, and the last describes its transfer from the original sender. There may well be several intermediate "Received:" headers if the email travels between numerous machines. Each mail server adds a new header describing the machine it got the email from, recording that machine's IP address (of the form or similar) and hostname (of the form, etc).

    Now, here's the important point. Firstly, each legitimate machine that fills in a "Received:" header knows the IP address of the machine that connected to it, and that cannot be faked; the hostname, however, is reported by the sender and can easily be faked. For more information, you should see this report from who were set up by spammers doing just that. Spammers are helped here by the fact that they relay their spam through other people's compromised machines rather than sending it through their own ISP, and they set up those machines to cover their tracks rather than to behave as proper mail servers. Secondly, an email can carry any number of "Received:" headers, and none of the receiving mail servers can or will check the validity of the headers already in the email. So an email sent from a spamming machine could easily arrive with a bunch of fake headers already on it, which means the address of the spammer's machine isn't necessarily the one in the last "Received:" header.

  • Just because you receive a spam advertising some company, it doesn't follow that the spammer is actually working for that company. They could in fact be framing them. This has happened before.
  • So in short, be damned careful before trying to take action against spammers. We all hate them, but if you don't have your wits about you, you might well end up going after the wrong person.
  • Having moved this little essay of mine, I need to split it up better for easier reading. This will probably be done some time in the future.
  • I've probably made a few mistakes here too. If I find I have and can confirm they really are mistakes, I'll go back and correct them. I don't want to give out false information.
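To make the "Received:" points above concrete, here is a small Python script I've added as an illustration; it is not part of the original essay. It walks a constructed message's "Received:" chain from the newest header downwards, treats only headers written by a hypothetical set of mail servers we operate ourselves (TRUSTED_MTAS) as evidence, records the connecting IP from the last such header as the best indication of origin, flags where the sender-supplied HELO name disagrees with the reverse DNS our server looked up, and marks every header below that point as possibly fabricated. All host names, addresses and queue ids in the sample are made up.

```python
import re
from email import message_from_string

# Constructed sample message; every host name, address and queue id below is
# made up for illustration. Headers are listed newest-first, as in a real message.
SAMPLE_RAW = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.net (Postfix) with ESMTP id 0001;\n"
    "\tMon, 01 Jan 2024 10:00:03 +0000\n"
    "Received: from smtp.trusted-bank.example (unknown [203.0.113.45])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 0002;\n"
    "\tMon, 01 Jan 2024 10:00:02 +0000\n"
    "Received: from mail.trusted-bank.example (mail.trusted-bank.example [198.51.100.7])\n"
    "\tby smtp.trusted-bank.example with ESMTP id 0003;\n"
    "\tMon, 01 Jan 2024 10:00:01 +0000\n"
    "From: someone@trusted-bank.example\n"
    "Reply-To: someone@trusted-bank.example\n"
    "To: me@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Hypothetical: the mail servers we run ourselves. Only "Received:" lines
# written by these machines are evidence; everything below them in the chain
# arrived as part of the message and could have been typed in by the sender.
TRUSTED_MTAS = {"mail.example.net", "mx.example.net"}

# Matches the common "from HELO (rDNS [IP]) by HOST" shape of a Received: line.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def parse_received(raw):
    """Return the Received: hops in message order (index 0 = most recent)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            hops.append({"raw": flat, "parsed": False})
            continue
        hop = m.groupdict()
        hop["by"] = hop["by"].rstrip(";")       # handles "by host;" with no comment
        hop["parsed"] = True
        hop["raw"] = flat
        hops.append(hop)
    return hops


def trace_origin(raw, trusted_mtas):
    """Walk the chain newest-first and stop at the first hop our own servers
    did not write. The peer IP in the last trusted hop is the connecting
    address our server saw; the HELO name next to it is sender-supplied."""
    hops = parse_received(raw)
    origin_ip = None
    past_boundary = False
    for hop in hops:
        if past_boundary or not hop["parsed"]:
            past_boundary = True
            hop["trust"] = "below trust boundary: may be fabricated"
            continue
        if hop["by"] in trusted_mtas:
            hop["trust"] = "written by our MTA: peer IP reliable, HELO name unverified"
            hop["helo_matches_rdns"] = hop["helo"] == hop["rdns"]
            origin_ip = hop["ip"]
        else:
            past_boundary = True
            hop["trust"] = "below trust boundary: may be fabricated"
    return {"origin_ip": origin_ip, "hops": hops}


if __name__ == "__main__":
    result = trace_origin(SAMPLE_RAW, TRUSTED_MTAS)
    print("best evidence of origin:", result["origin_ip"])
    for i, hop in enumerate(result["hops"]):
        print(i, hop.get("ip", "?"), hop.get("helo", "?"), "->", hop.get("by", "?"), "|", hop["trust"])
```

In the sample, the second hop is the one our own server wrote when 203.0.113.45 connected claiming to be smtp.trusted-bank.example; the reverse DNS came back "unknown", so the name and the address don't agree. The third hop, which makes the message look as though it started at a bank's mail server, was written by an untrusted machine and proves nothing, exactly the case the essay warns about. The script also assumes the common "from X (Y [IP]) by Z" layout; real servers vary the format, so an unparseable header is treated as the end of what can be trusted.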

