by Selwyn Bergman of BMSC-Online
Open the offending message in your inbox and view the full headers. Different email clients have different ways of doing this, but the facility almost always exists. Using my Linux-based Evolution email client, I would select the email, click on 'view' then 'select message display' and finally 'show full headers'. Microsoft's Outlook email client simply requires that you right-click on the message and select 'view headers' from the popup menu. The full header information should look something like this:
Return-path: <fakeaddy@fakedomain.co.za>
Envelope-to: myaddy@mydomain.co.za
Delivery-date: Wed, 26 Oct 2005 09:45:49 +0200
Received: from [1.1.1.1] (helo=aserver.somewhere.co.za)
    by yourmailserver.co.za with esmtp (Exim 4.51)
    id 1EUfym-0005Mv-85
    for myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:49 +0200
Received: from anotherserver.co.za ([1.1.1.1] helo=servers.co.za)
    by mail.server.co.za with esmtp (Exim 4.44 (FreeBSD))
    id blah
    for myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:39 +0200
Message-ID: <435F3422.4709FD2D@server.co.za>
Date: Wed, 26 Oct 2005 09:45:38 +0200 (08:45 BST)
From: Spammer <fakeaddy@fakedomain.co.za>
Reply-To: fakeaddy@fakedomain.co.za
Organization: Fake Organisation
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Selwyn Bergman <myaddy@mydomain.co.za>
Subject: [Fwd: Spam email subject line]
Etc etc..
Read the headers from the bottom up, looking for every line that starts with 'Received:'. Each mail server that handles the message adds its own 'Received:' line above the ones already there, so the lowest one is the earliest hop on record and the topmost one was written by your own mail server. In the above example the line to isolate was:
Received: from anotherserver.co.za ([1.1.1.1] helo=servers.co.za) by mail.server.co.za with esmtp (Exim 4.44 (FreeBSD)) id blah for myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:39 +0200
This is where the email claims to have come from and the first server that accepted it. Look closely at the four numbers in square brackets, [1.1.1.1] in the example: that is the IP address we are after. Ignore the name after 'helo=', which is simply whatever the sending machine announced about itself and can be made up; the bracketed address is what the receiving server actually saw on the connection. Two cautions before you act on it. First, everything below the 'Received:' line written by your own server arrived inside the message, and a spammer can insert fake 'Received:' lines to point the finger at someone else; if the lower lines look implausible, fall back on the address in the topmost line, which your server recorded itself. Second, an IP address identifies a connection to the internet at a given moment, not one particular PC for all time: addresses are shared behind NAT and proxies and are reassigned by providers, so also note the date, time and time zone on the 'Received:' line, because the provider will need them to match the address to a customer. The rest of the line (the software versions, queue id and so on) you can safely ignore for this purpose. If you want to know more about reading email headers, take a look at this article.
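As an added example, not part of the original article, the following Python script performs the same walk over a constructed message modelled on the headers above, with RFC 5737 documentation addresses (203.0.113.7 and 198.51.100.25) standing in for the 1.1.1.1 placeholder so the two hops can be told apart. It unfolds the headers, parses each 'Received:' line into the connecting host, the bracketed IP, the HELO name, the server that wrote the line and the timestamp, and then separates the address your own server recorded (which you can trust) from the address the lowest 'Received:' line claims (which the sender controls). The set of trusted server names passed to trace() is an assumption made for the example.

```python
import re

# Constructed sample message modelled on the headers shown in the article.
# RFC 5737 documentation addresses replace the 1.1.1.1 placeholder; the top
# Received: line was written by "our" server, the lower one by an upstream relay.
RAW_MESSAGE = """\
Return-path: <fakeaddy@fakedomain.co.za>
Envelope-to: myaddy@mydomain.co.za
Delivery-date: Wed, 26 Oct 2005 09:45:49 +0200
Received: from [203.0.113.7] (helo=aserver.somewhere.co.za)
\tby yourmailserver.co.za with esmtp (Exim 4.51)
\tid 1EUfym-0005Mv-85
\tfor myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:49 +0200
Received: from anotherserver.co.za ([198.51.100.25] helo=servers.co.za)
\tby mail.server.co.za with esmtp (Exim 4.44 (FreeBSD))
\tid blah
\tfor myaddy@mydomain.co.za; Wed, 26 Oct 2005 09:45:39 +0200
Message-ID: <435F3422.4709FD2D@server.co.za>
Date: Wed, 26 Oct 2005 09:45:38 +0200 (08:45 BST)
From: Spammer <fakeaddy@fakedomain.co.za>
Reply-To: fakeaddy@fakedomain.co.za
To: Selwyn Bergman <myaddy@mydomain.co.za>
Subject: [Fwd: Spam email subject line]

(message body)
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO = re.compile(r"\bhelo=([^\s)]+)")
RECEIVED = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$", re.DOTALL
)


def unfold_headers(raw):
    """Split the header block into (name, value) pairs, joining RFC 5322 folded lines."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:  # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull host, bracketed IP, HELO name, receiving server and date out of one Received: line."""
    m = RECEIVED.search(value)
    ip = IPV4_IN_BRACKETS.search(value)
    helo = HELO.search(value)
    return {
        "from": m.group("from") if m else None,  # reverse DNS name, or [ip] if there was none
        "ip": ip.group(1) if ip else None,        # address the receiving server saw on the socket
        "helo": helo.group(1) if helo else None,  # name the client announced; sender-controlled
        "by": m.group("by") if m else None,       # server that wrote this line
        "date": m.group("date").strip() if m else None,
    }


def received_hops(raw):
    """All Received: lines in header order: index 0 is the newest, written by the last server."""
    return [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]


def trace(raw, trusted_servers):
    """Separate what our own servers recorded from what the sender merely claims.

    Walk newest-to-oldest. A Received: line can only be believed if the server that
    wrote it ('by') is one we operate; the bracketed IP in the last such line is the
    client our server actually accepted the message from. Lines below that point
    arrived inside the message and could have been forged by the sender.
    """
    hops = received_hops(raw)
    verified_ip = None
    for hop in hops:
        if hop["by"] not in trusted_servers:
            break
        verified_ip = hop["ip"]
    return {
        "hops": hops,
        "verified_ip": verified_ip,
        "claimed_origin_ip": hops[-1]["ip"] if hops else None,
    }


if __name__ == "__main__":
    # Assumption for the example: yourmailserver.co.za is the server we operate.
    result = trace(RAW_MESSAGE, {"yourmailserver.co.za"})
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} helo={hop['helo']} "
              f"by={hop['by']} at {hop['date']}")
    print("IP our server recorded:", result["verified_ip"])
    print("IP the lowest Received: line claims:", result["claimed_origin_ip"])
```

Run it as-is and the two addresses differ: 203.0.113.7 is what yourmailserver.co.za saw connecting, 198.51.100.25 is only what the upstream relay's line says. Add mail.server.co.za to the trusted set (for example if it is a relay you also run) and the verified address moves down one hop to 198.51.100.25, which is the general rule: trust extends exactly as far down the chain as the servers you control.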
Now that you have the IP address of the culprit you can move on to find out who's supposed to be monitoring their activity.