Tracing the source of a Spam email

by Selwyn Bergman of BMSC-Online

1 | 2 | [3] | 4 | 5

Trace the email

Open the offending message in your inbox and view the full headers. Different email clients have different ways of doing this, but the facility almost always exists. Using my Linux-based Evolution email client, I would select the email, click on 'View', then 'Select Message Display' and finally 'Show Full Headers'. Microsoft's Outlook email client simply requires that you right-click on the message and select 'view headers' from the popup menu. The full header information should look something like this:

Return-path: <fakeaddy@fakedomain.co.za>
Envelope-to: myaddy@mydomain.co.za
Delivery-date: Wed, 26 Oct 2005 09:45:49 +0200
Received: from [1.1.1.1] (helo=aserver.somewhere.co.za) by yourmailserver.co.za with esmtp (Exim 4.51) id 1EUfym-0005Mv-85 for myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:49 +0200
Received: from anotherserver.co.za ([1.1.1.1] helo=servers.co.za) by mail.server.co.za with esmtp (Exim 4.44 (FreeBSD)) id blah for myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:39 +0200
Message-ID: <435F3422.4709FD2D@server.co.za>
Date: Wed, 26 Oct 2005 09:45:38 +0200 (08:45 BST)
From: Spammer <fakeaddy@fakedomain.co.za>
Reply-To: fakeaddy@fakedomain.co.za
Organization: Fake Organisation
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Selwyn Bergman <myaddy@mydomain.co.za>
Subject: [Fwd: Spam email subject line]
Etc etc..

Start reading the headers from the bottom and work your way to the top, looking line by line for those that start with 'Received: '. Every mail server that handles the message adds a fresh 'Received:' line at the top, so the bottom one is the oldest hop and the top one was written by your own mail server. In the above example the line to isolate was:
Received: from anotherserver.co.za ([1.1.1.1] helo=servers.co.za) by mail.server.co.za with esmtp (Exim 4.44 (FreeBSD)) id blah for myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:39 +0200

This is where the email first entered the mail system. Look closely at the four numbers in square brackets, [1.1.1.1]: that is the IP address the receiving server (the one named after 'by') saw the connection coming from, and it is the address we're looking for. The rest of the line is worth a glance too. The name after 'from' and the name after 'helo=' are what reverse DNS said and what the sending machine claimed to be called; a spammer can make up the HELO name, but not the bracketed IP, because the receiving server records that itself. Two caveats before you go further. First, a spammer can type fake 'Received:' lines into the message before sending it, and those will sit at the bottom looking perfectly genuine, so only trust the lines added by servers you know (starting with your own at the top) and take the IP from the lowest line you still trust. Second, an IP address identifies a connection, not a person: a dial-up or home address may be handed to someone else an hour later, and the machine may be an open relay or a compromised PC rather than the spammer's own. Keep the date and time from the same line, because the ISP needs them to say who held that address at that moment. If you want to know more about reading email headers, take a look at this article.
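The walk described above, done in code so it can be repeated on a mailbox full of spam. This is an added example, not the article's own tool: it parses the raw header text you get from 'show full headers', pulls the bracketed IP, the reverse-DNS and HELO names, the receiving server and the timestamp out of each 'Received:' line, and then reads the chain from the top down, stopping at the first line that was not written by one of the relays you trust. The sample headers are constructed for the example, modelled on the ones above but with RFC 5737 documentation addresses and an extra forged bottom line; the set of trusted relays is an assumption you would replace with your own servers.

```python
"""Walk a message's Received: chain, newest hop first, to find where a
spam email entered the mail system.  Added example, not from the
original article.  Input is the raw header text from 'show full headers'.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample modelled on the article's headers.  IPs are RFC 5737
# documentation addresses.  The bottom Received: line is the kind of forged
# hop a spammer prepends before handing the message to a real relay.
SAMPLE_HEADERS = """\
Return-path: <fakeaddy@fakedomain.co.za>
Envelope-to: myaddy@mydomain.co.za
Delivery-date: Wed, 26 Oct 2005 09:45:49 +0200
Received: from mail.server.co.za ([192.0.2.10] helo=mail.server.co.za)
\tby yourmailserver.co.za with esmtp (Exim 4.51) id 1EUfym-0005Mv-85
\tfor myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:49 +0200
Received: from anotherserver.co.za ([203.0.113.7] helo=servers.co.za)
\tby mail.server.co.za with esmtp (Exim 4.44 (FreeBSD)) id blah
\tfor myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:39 +0200
Received: from [198.51.100.5] (helo=mx.bigbank.example)
\tby smtp.bigbank.example with esmtp id forged01
\tfor myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:30 +0200
Message-ID: <435F3422.4709FD2D@server.co.za>
From: Spammer <fakeaddy@fakedomain.co.za>
To: Selwyn Bergman <myaddy@mydomain.co.za>
Subject: [Fwd: Spam email subject line]

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # the bracketed IPv4 address
HELO_RE = re.compile(r"helo=([^\s)]+)", re.I)         # name the sender claimed
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)             # server that wrote the line
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)          # reverse-DNS name, or [ip]


@dataclass
class Hop:
    by: str                   # server that wrote this Received: line
    ip: Optional[str]         # address that server saw the connection from
    rdns: Optional[str]       # reverse-DNS name of that address, if logged
    helo: Optional[str]       # name the connecting host offered in HELO/EHLO
    when: Optional[datetime]  # timestamp the writing server recorded


def parse_hop(value: str) -> Hop:
    """Parse one Received: value whose folding whitespace is already collapsed."""
    ip = IP_RE.search(value)
    helo = HELO_RE.search(value)
    by = BY_RE.search(value)
    frm = FROM_RE.match(value)
    # 'from [1.2.3.4] (...)' means the receiver had no reverse-DNS name to log.
    rdns = frm.group(1) if frm and not frm.group(1).startswith("[") else None
    when = None
    if ";" in value:  # the timestamp follows the last semicolon
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return Hop(
        by=by.group(1) if by else "?",
        ip=ip.group(1) if ip else None,
        rdns=rdns,
        helo=helo.group(1) if helo else None,
        when=when,
    )


def received_chain(raw_headers: str) -> list[Hop]:
    """Return the hops newest first, i.e. in the order they appear in the message."""
    msg = message_from_string(raw_headers)
    return [parse_hop(" ".join(str(v).split())) for v in msg.get_all("Received", [])]


def find_origin(raw_headers: str, trusted_relays: set[str]) -> Optional[Hop]:
    """Walk top-down and return the last hop written by a server we trust.

    Every Received: line below that point was supplied by the sender and may
    be forged, so the bracketed IP of the last trusted hop is the most
    reliable answer to 'where did this mail come from'.
    """
    last_trusted = None
    for hop in received_chain(raw_headers):
        if hop.by.lower() not in trusted_relays:
            break
        last_trusted = hop
    return last_trusted


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(f"{hop.by:24} saw {hop.ip!s:14} rdns={hop.rdns} helo={hop.helo} at {hop.when}")
    # Assumed trusted relays: your own server plus the upstream relay it accepts mail from.
    origin = find_origin(SAMPLE_HEADERS, {"yourmailserver.co.za", "mail.server.co.za"})
    print("origin:", origin.ip if origin else None, "at", origin.when if origin else None)
```

Run against the sample, the forged 'smtp.bigbank.example' line at the bottom is ignored and the origin comes out as 203.0.113.7 with the 09:45:39 +0200 timestamp, which is exactly the pair (address and time) to put in an abuse report. Widening or narrowing the trusted set changes the answer, which is the point: the further down the chain you are willing to believe, the more you are taking the sender's word for it.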

Now that you have the IP address of the culprit you can move on to find out who's supposed to be monitoring their activity.

Previous: Who can stop Spam | Next: Tracing the spammers ISP