Death of a Spammer

It's possible to put a spammer out of business (at least temporarily, by killing their account at the provider they used with a particular spam "attack"). To do this, you have to Forward the original spam to the abuse department of the domain it came from. Important: to be sure that the message you forward is readable by the abuse department you forward it to, disable any HTML in your signature when you send it–HTML can make the forwarded material unreadable when the message is viewed on a computer.

Note: WebTV has added a new e-mail address for reporting spam that's not from a WebTV user (for reporting WebTV user spam, use abuse@webtv.net). You can now forward commercial e-mail from other domains to spam@corp.webtv.net.

To see what domain it really came from, you need to read the full headers of the spam (the headers show the original source of any e-mail, unless they're forged, including all intermediate routing along the way).

WebTV's mail system doesn't display full headers for us, but there is a trick to expand the headers using only your own mailbox (and thanks to whoever figured out the latest twist making this work again). Here are the steps:

Open the message you want to see the full headers for.
Hit the Send key, and click the button on the popup.
Put the cursor into the message text area below the Subject line, and hit Return twice then press Alt-z. This will give you two blank lines followed by § in the message area.
Press Cmd-A then Cmd-X. This cuts the Return-Return-§ from the message area.
Move the cursor to the Subject line, then erase the entire Subject line text using Cmd-Delete, and press Cmd-V. This will paste two blank lines and the § into the Subject line.
Address the message to your own address, and Send it.

Go to Mail, open that message, scroll down and look in the original spam's headers for a line beginning with Return-Path. Within the Return-Path are one or two sections of received-by/from routing information–this is the one place in which you can find one accurate piece of information. Read these carefully and you should be able to "walk back" to the identity of the originating mailserver. Here's an example from an actual spam I received:

Received: from mailsorter-102.bryant.webtv.net 
(209.240.198.92) 
by
      postoffice-272.iap.bryant.webtv.net; Sun, 28 Mar 1999 
23:24:08
     <ujnasqw@cysource.com> -0800 (PST)
Return-Path: 
Received: from isp02.cysource.com ([216.1.243.129]) by
      mailsorter-102.bryant.webtv.net (8.8.8/ms.graham.14Aug97) 
with
      ESMTP id XAA21095; Sun, 28 Mar 1999 23:24:07 -0800 (PST)
Message-Id: 
<199903290724.XAA21095@mailsorter-102.bryant.webtv.net>
Received: from 4oVH2diB4 (sfr-qbu-pqq-vty118.as.wcom.net 
[216.192.25.118])
      by isp02.cysource.com (Post.Office MTA v3.5.3 release 223 
ID#
      0-57592U2500L250S0V35) with SMTP id com; Mon, 29 Mar 1999 
01:23:39
      -0600
DATE: 28 Mar 99 11:30:20 PM
FROM: ujnasqw@webtv.net
Reply-to: zxsert@webtv.net
TO: zxcder@webtv.net

In this example, notice that the To:, From:, and Reply-to: addresses (at the bottom of the headers) all show webtv.net as the source domain–as does the Message-Id line...but that's not where this came from.

Looking through the Return-Path information above that, you'll see that mailsorter-102.bryant.webtv.net received the message from isp02.cysource.com (the beginning of the Return-Path info says the message came from cysource.com...but it didn't, read on).

Further down, you'll find that isp02.cysource.com actually received it from 4oVH2diB4 (sfr-qbu-pqq-vty118.as.wcom.net [216.192.25.118])–and this is legitimate. The one piece of information here that you can absolutely count on is the four-part IP number in square brackets at the end. Even if the name portion of this section is inaccurate, the IP is real.

Copy the headers, from the first Received line through the Subject line, and go directly to SpamCop.net. Paste the headers into the large box, and click the button. After about 5-10 seconds, you'll get a report which may trace the source, and give you one or more abuse addresses to forward the spam to.

If the report says the header couldn't be parsed (understood and used to track the source), go to the four-part IP number described above, copy that, go back to the first page of SpamCop.net and click Host Tracker–paste the IP number into the small box, and click the button. This always gives you an abuse address to report to.

Running the example above through SpamCop.net gave a report that indicated wcom.net was the source of the spam (although it may have been "borrowed" by the spammer; sometimes spammers find an open mailserver port that they can hijack temporarily to use as a relay for their messages)–in any case, that's who you complain to.

In this example, you would then forward the original message (not the bounced copy) to abuse@wcom.net (the result from SpamCop.net) as well as to spam@corp.webtv.net (I put the WebTV spamfighting addy in the To: line, and the other addy[s] in the Cc: line).

I've been doing this for a while, and I've gotten messages back from many domains' abuse departments assuring me that they take spamming seriously, and that they will pursue the matter and attempt to shut down the source.

Some more addys you can forward spam to, when appropriate:

pyramid@ftc.gov–visit this Federal Trade Commission page for more information.
enforcement@sec.gov–visit this Securities and Exchange Commission page for more information.

Further useful sites:

SpamCop.net–you can copy and paste the headers of a spam message into a form on this site, and it will attempt to trace the source for you.
SamSpade.org–many tools for finding more information about your pet spam.
SPUTUM's DRONE pages are an excellent intro for newbie spam killers–including an explanation of why spam is bad.
Suespammers.org is nearly self-explanatory by name alone...

For other online resources about spam and how to help defeat it, visit my Privacy Links' spam section.

...is brought to you by...

get your free homepage today