NetHere Knowledge Base (KB)
Main ::SPAM / UCE
Minimize Text   Default    Enlarge Text

Understanding Email Headers

The place to start your investigation is the set of mail headers which accompany the spam you've received. You will work with the full mail headers. Most email readers display only the To:, From: and Subject: headers and perhaps a couple more by default. Your mail reader should have a setting, a button, a command, a switch or some method of displaying the full set of headers which came the spam you received. You will need to access these headers before you can proceed further.

A lot of the headers sent with spam mail are invalid, or "spoofed". Your task is to determine what the mail headers mean, which ones are valid and which ones are spoofed. To understand headers, it's necessary to understand how SMTP mail service works.

When SMTP (Simple Mail Transfer Protocol) was developed, many people didn't have
mail programs to handle their mail. They would simply telnet to an SMTP server and engage the server in a dialog, in the process of which they would enter their address, the address of the intended recipient, any extra headers they needed, such as a subject, and the body of the message. This can still be done. The standard service port for SMTP is port 25. A dialog with a SMTP server might look something like this. First, telnet from a Unix shell prompt to the mail server.

$ telnet mail.foobar.com 25

The telnet software connects, and the mail server responds with...

Trying 204.251.174.179...
Connected to mail.foobar.com.
Escape character is '^]'.
220 mail.foobar.com ESMTP Sendmail 8.8.3/8.6.12 ready at Mon,
21 Apr 1997 17:52:32 -0500

At this point you're connected to the mail server, which now requires a formal greeting, complete with the name of your system. Then enter...

HELLO fmp.com

The mail server will reply with...

250 mail.foobar.com Hello lindsay@xx.fmp.com
[204.244.177.031],
pleased to meet you

Note that the mail server knows exactly who you are, even though you haven't identified yourself personally. We'll get back to this later. You're now ready to proceed with your message. The next command required by the server is the MAIL command, telling it who the mail is from. you enter...

MAIL From: lindsay@fmp.com

The server likes your address, and tells you so...

250 lindsay@fmp.com... Sender ok

Next you use the RCPT command to tell the server who should receive the mail. You enter the following line...

RCPT To: bigboy@foobar.com

The mail server likes the recipient, and tells you so...

250 bigboy@foobar.com... Recipient ok

The server now has everything it needs to send mail from you to bigboy@foobar.com. From now on, everything you'll send to the server will formally be content. You tell the server...

To which the server replies...

354 Enter mail, end with "." on a line by itself

You could, at this point, just enter the message followed by a "." on a line by itself and be done with it, however within the body of the message, you will want to place some additional headers which will help identify the message and control how it's handled. After these headers, you leave a blank line and enter the real content of the post. You enter...

Subject: Useless mail to your account
From: mr_mailer@dont.write.me.ill.write.you.com
To: joe_user@ten.thousand.addresses.org
Reply-to: useless@nowhere.in.the.world.com

Fax me your money! Get rich quick on the Internet. Don't think, do it now, chump!

To be removed from this list, send a reply with REMOVE in the subject to remove_me@dev.null.com

The message is done. The server announces...

250 RAA01500 Message accepted for delivery

Notice that the To: and From: headers which you placed in the body of the message were not the same as the ones you used when talking to the server. You could have used anything for these headers. On many servers, you could even have used a fake system name in your HELLO and a fake address in your FROM. The only way the server has any hope of identifying you is by what is called an identd authentication check. The server asked your machine "who is talking to me" and your machine said "the users name is lindsay". The server, of course, knew your IP address and was able to look it up using Domain Name Service to get your complete email address.

An authentication check is only possible if the calling machine allows it. If the calling machine is running Unix, it must be running a program called identd for an authentication check to succeed.

Most Windows machines don't run any software which will identify the caller, and since a lot of email gets handled by Windows mail programs, the authentication check has to be optional. If the mail server had been unable to identify me personally, it would have settled for identifying the machine you're using.

When bigboy@foobar.com gets your email, he'll see something similar to the following:

Received: from fmp.com lindsay@xx.fmp.com [204.244.177.031]) by mail.foobar.com (8.8.3/8.6.12) with SMTP id RAA01500 for bigboy@foobar.com; Mon, 21 Apr 1997 17:53:13 -0500
Date: Mon, 21 Apr 1997 17:53:13 -0500
From: mr_mailer@dont.write.me.ill.write.you.com
Message-Id: <199704212253.RAA01500@xx.fmp.com>
To: joe_user@ten.thousand.addresses.org
Subject: Useless mail to your account
Reply-to: useless@nowhere.in.the.world.com

Fax me your money! etc...

Note that just about every address in the headers of the received message above is, or could have been faked, or "spoofed", so we may know very little about who really sent this message. Note, however, the Received: header on the first line of the message, actually continued over several lines in this example. This header was inserted by mail.foobar.com and contains the results of the authentication check done by the server. If your machine had not identified itself, this line would have contained at least your correct machine address. Mail may be routed through several servers in succession. Each server will insert its own Received: header and you may see several such headers. The topmost one is always the most recent, showing receipt of the mail by your mail server, and each previous server which handled the email is listed in each following Received: header.

Spammers will often spoof Received: headers, and if you look closely, you'll often see IP addresses such as "500.202.999.352" or "000.000.000". Nonetheless, the topmost Received: header is always genuine, and each one below it should be examined to determine whether or not it contains valid or spoofed information. If a Received: header is obviously spoofed, then all the Received: headers below it
will also be spoofs.

Note that the Received: header in the above message starts with "Received: from fmp.com". This is the name with which you said HELO, and you might have spoofed this name. Following this in parentheses, however, is the information which the server itself determined to be true - your username, your machine name and your IP address. This information is generally more trustworthy than the former, and when they differ, it may be because of a spoof, or it may simply be that an IAP is using the mail facilities of a contract service whose true information appears in parentheses.

LOCATING SYSTEM ADMINISTRATORS

The appropriate action to take when you get spam email is to contact the mail or abuse administrator of the system on which the mail originated or of the system which was used to relay the spam - or both, if you can. The first part of this job is determining which addresses in headers are spoofed and which are real. For this, it's often useful to use whois to find out if a domain is registered with the InterNIC. A whois lookup will not only tell you whether or not a domain is registered, it will also often give you the email address of one or more contact people responsible for the domain name. For smaller companies which aren't directly in the Internet business, these are often the same people who administer email. Once you've determined that a domain name is valid, email to postmaster@that.domain.name is almost sure to reach a real person. Major ISPs such as Netcom, UUNet and others also maintain an "abuse" address at abuse@domain.name which handles spam complaints. You may also want to write to the DNS contacts, particularly the administrative and technical contacts, as shown in a whois lookup.

One of the best tools for reaching the appropriate system admins on systems involved in spam is the Network Abuse Clearinghouse. Use of their services requires registration and agreement to their very generous terms (you have to agree not to use their facilities to distribute spam) and once registered, you can send your spam notices and complaints to domain.name@abuse.net and the abuse.net system will try to remail your post to the correct administrators at domain.name. The Network Abuse Clearinghouse has developed a fairly sizable database, and using their facilities can save you time and misdirected email.

Remember that you're likely to find the most reliable address in parentheses in the topmost Received: header. All other headers should be viewed with some suspicion, although in some cases they will contain valuable information. Subsequent Received: headers may contain valid information, but you will need to investigate them carefully. Reply-to: headers are almost always spoofed - something which can be done even the simplest mail client.If a Received: header contains an IP address but no domain name associated with it, you should first verify that the IP address is valid. You can use the traceroute utility on fmp to try to get test traffic to the address. If traceroute takes more than 30 seconds to return information, you probably have an invalid IP address. Remember that a valid IP address always contains 4 sets of numbers separated by dots and these numbers will never be higher than 254. If it appears that an IP address is valid, you can address email to a user at that address by enclosing the numeric portion in square brackets, as in postmaster@[207.174.179.25].

SPOOF HEADERS

Beyond the system address contained in parentheses in the first Received: header, all other domain names, usernames and full addresses should be considered suspect. Most easily spoofed is the Reply-to: address which can be set arbitrarily in most mail clients. In mail from mailers sophisticated enough to use spamming programs, all headers, with the exception noted above, are probably fake.

"INSECURE" MAIL SERVERS

Not all mail servers work the same. Some, from older, quieter days on the Internet, don't bother with ident authentication, or if they do, they don't bother to include it in header information.

Consider the following header...

Received: from fake.domain.com by firewall1.cslab.blso.com
(SMI-8.6/SMI-SVR4) id VAA02491; Mon, 21 Apr 1997 21:11:44 -0500
The server which accepted this mail did an identd lookup on the client requesting service, but never bothered to include this information in the Received: header which it generated, accepting at face value the spoofed domain following the HELLO greeting.

Spammers absolutely love servers such as this, since sending email via such a server makes them completely invisible and hence immune to flame email from angry admins and users who have been inconvenienced or annoyed by their junk email. Every SMTP server on the Internet should be configured to adhere to the following guidelines:

1. A mail server should always place at least the IP address of the system requesting mail service in the Received: headers of email. If further information is available, such as the resolved machine and domain name or the results of an ident authentication request, this information should also be included. The client IP address is always available, so there's really no excuse for not including this information.

2. A mail server should accept email for handling only if the client requesting service is in the servers domain or in a trusted domain, or if the recipient address is in the server's domain or a trusted domain.

While item 1 is a reality on many mail servers, item 2 is still the exception rather than the rule, and until the number of mail servers which adhere to these two guidelines approaches 100%, there will still be openings for mailers to operate anonymously.

Once you understand the issues here, you should be on the lookout for mail hosts and relays which don't authenticate, especially if you receive spam email through them. You should notify the postmasters of such systems of the potential for abuse and possible legal liability which they are inviting by essentially running an "anonymous remailer".

At some point you will be setting up a private registry for email servers which fail to authenticate, and the Spam Patrol will act as a clearing house for reports of such servers.

REVERSE PHONE NUMBER LOOKUPS

A rather different tack on tracking spam involves going after the advertiser rather than the mailer. This requires some old fashioned detective work with an Internet twist, and you can ignore mail headers for the time being.

Since every spam is ostensibly a sales pitch, the mailer must provide some method for prospective customers to get in touch. The contact point may be an email address set up to filter out flames and only accept serious inquiries. It may be a mailing address - or it may be a phone number. If the mailer is incautious enough to give a listed phone number as a contact point, you have a good chance of blowing his or her cover. Both PC411 and SearchAmerica provide reverse phone number lookups. The latter charges a nominal fee of 25 to 35 cents for each successful search. I have used PC411 with good results, but have never used SearchAmerica and don't know if its database is more complete or current than that used by PC411. I would guess that both draw on fairly complete lists of published phone numbers and are probably nearly equivalent.

If you are able to positively identify a spam advertiser in this manner, the next step is to obtain as much information about the person as possible. Four11 (not to be confused with PC411) is a good source of general information on people on the Internet. Four11 will help you look up real email addresses for the advertiser, along with other phone numbers and possibly a physical address. You may wish to contact the advertiser directly using these email addresses, or place a call and try to talk to the person responsible for the spams. By all means, when writing to postmasters and administrators of sites deduced from deciphering headers, include all the information you've gathered.

If a mailer is clever and provides an unlisted phone number, a shielded email account or some other means of getting back in touch, you can generally obtain more information by "taking the bait" and replying to the ad as if you were a prospective customer. If replying by email, don't include the original spam, be polite and indicate an interest in buying whatever the spam offers for sale. Contact accounts generally have a fairly severe filter to look for keywords and filter out flames. If the mailer replies back, generally the reply will contain a real email address or some other item of information which will allow you to dig deeper and uncover fairly complete information - enough to be of real help to others affected by the spam who are trying to locate the person.

WHO TO CONTACT AND WHAT TO SAY

First, the correct response to spam email is not mail bombs, flames, flood mail or other forms of hostility directed to anyone. These acts are just as destructive to the Internet as is junk email and generally serve only to make other people as mad at you as you are at mailers. Be patient, dig up facts, notify the right people, and the end result will often be the termination of the mailer's accounts.

The correct response to spam email is to notify the system administrators whose systems received and transferred each piece of spam you've received, as discussed above in the section on understanding headers. In order of importance,
these will generally be:

The postmaster of the system from which your mail server received the spam, as shown in the first Received: header.

The postmasters of other valid systems listed in subsequent Received: headers. Use whois to determine whether or not the domain name shown in the header is real or spoofed.

The administrative and technical contacts listed in the information returned from a whois lookup.

The postmasters or DSN administrators of domains mentioned in the From:, To:, Sender: and other headers if you've found the domain names to be valid using whois. Keep in mind that these addresses are probably spoof addresses, and the system administrators responsible for them are probably a whole lot more upset about the spam than you are, so be specially polite and understanding when you write them. If you've gathered any personal information on the mailer, this information may be especially welcome to these folks.

In addition to postmaster@domain.com, many major ISPs maintain the addresses abuse and sometimes fraud or spam for the purpose of reporting spam.

Be polite and informative when writing to everyone, unless, of course, you've uncovered a valid and unblocked email address for a mailer, in which case, flame away to your hearts content! This can be very emotionally satisfying. It's very important in forwarding spam to system administrators to include the full headers from the offending email since this is where investigative pay-dirt lies for both you and others trying to locate and stop a mailer. Set the subject line of your post to something like "Spam from your system" followed by the original subject of the spam, in quotes or parentheses (you can use both). If the spam is quite long, you need not send all of it. Leave enough text to clearly demonstrate that the email is useless trash which no one in their right mind would want to receive. Be sure not to edit out any of the text containing URLs, phone numbers, addresses (email or postal) or any other information which might help in tracking down the Insert a short note before the headers and text of the spam, clearly and politely indicating that this email is unsolicited and unwelcome.

You also should generally include a short notice on the illegality of spam. Here's the boilerplate text of your standard note which should give you some ideas about what to say:

Ladies and Gentlemen:

The enclosed spam mail is being forwarded to you because your system name or that of a system for which you are a listed system admin appears in the headers or as a reference in the text. As you are doubtless aware, this sort of electronic junk mail is completely contrary to established guidelines for use of the Internet email service. Please take whatever steps are necessary to see that this person sends out no more of these, and that this practice is curtailed on your system.

By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful to send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C), a violation of the aforementioned Section is punishable by action to recover actual monetary loss, or $500, whichever is greater, for each violation.

If you are writing to a system admin whose domain name you really suspect was used in a spoof (e.g. the name was in a Reply-to: or From: header), you may wish to include a sentence or two noting that you know that they probably had no involvement in this spam, but that they should know that their domain name is being used inappropriately. They probably already know this, so be gentle, and if you have any relevant information to share on the identity of a mailer, be sure to include it. A single email can be addressed to multiple recipients by separating recipient addresses with commas.

An excellent alternative to digging up the names of administrative and abuse accounts for a given domain name is to use the services of the Network Abuse Clearinghouse. This service maintains a database of appropriate administrative accounts to which to report spam for a large number of domains. The service requires you to register to use it, but it's free, and once you're registered, email to, for example, mailer.com@abuse.net will be redirected by abuse.net to all the appropriate admin accounts at the domain mailer.com.



 

Search Glossary Saved Article Contact us