Find a spammer's ISP

by Selwyn Bergman of BMSC-Online

1 | 2 | 3 | [4] | 5

All IP addresses are categorised according to region, and each is controlled by one of a few Regional Internet Registries (or RIRs). The current RIRs are:

  • AfriNIC (African Network Information Centre) - Africa Region
  • APNIC (Asia Pacific Network Information Centre) - Asia/Pacific Region
  • ARIN (American Registry for Internet Numbers) - Canada, the United States, and several islands in the Caribbean Sea and North Atlantic Ocean
  • LACNIC (Latin American and Caribbean IP address Regional Registry) - Latin America and some Caribbean Islands
  • RIPE NCC (Réseaux IP Européens) - Europe, the Middle East, Central Asia, and African countries located north of the equator.

Some of the RIRs in turn divide themselves up into smaller regions for improved management. For example, within APNIC you will find a separate 'RIR' dealing with Korea, Japan and so forth.

When an organisation applies for an IP address, or a range of IP addresses, it has to give one of the above RIRs information about who will manage the address. So by making an online query to these RIRs, you're likely to find which organisation is responsible for the IP address that the spam email came from. You can query an IP by making use of the 'Whois' service that's available at each of the RIRs. Furthermore, many proactive ISPs add a contact for mail or network abuse, which pops up in the results of your online query, usually something like "Please address all SPAM or Network abuse to abuse@someorganisation.co.za". If you find an email address (or several email addresses) set aside to deal with network abuse, make a note of them. Otherwise jot down the email address of the administrative or the maintenance contact.

Another way of getting the info:
The Samspade website can also assist you somewhat. Visit their website and type the IP address you found into the text box. Click 'Do stuff' and see what comes out. Most times Samspade gathers information about who's in charge of the website, who they work for, their telephone numbers, addresses etc. At other times Samspade will fail, but will tell you which RIR can provide more assistance. Look through Samspade's output for email contacts; you should find email addresses for a technical contact, an administrative contact and an abuse contact. If Samspade didn't give any detailed information, look at the bottom for a reference to which of the RIRs' whois databases was used, and visit their website - you're more than likely to find another solution there.
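
The lookup described on this page (query an RIR's whois service, note the abuse contact, otherwise fall back to the administrative or technical contact, and follow a pointer to another RIR) can be scripted; the following is an added example, not part of the original article. The function names, the referral field names it looks for, and the sample replies are assumptions constructed for illustration.

```python
import re
import socket

# Whois hosts of the five RIRs listed above (plain-text protocol, TCP port 43).
RIR_WHOIS = {"afrinic": "whois.afrinic.net", "apnic": "whois.apnic.net",
             "arin": "whois.arin.net", "lacnic": "whois.lacnic.net",
             "ripe": "whois.ripe.net"}
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def whois_query(rir, ip, timeout=10):
    """Send one whois query for ip to the given RIR and return the reply text."""
    with socket.create_connection((RIR_WHOIS[rir], 43), timeout=timeout) as s:
        s.sendall(ip.encode("ascii") + b"\r\n")
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply.decode("utf-8", "replace")

def find_referral(text):
    """Return the RIR a reply points to when the range is managed elsewhere."""
    for rir, host in RIR_WHOIS.items():
        pattern = r"^(?:ReferralServer|refer):\s*\S*" + re.escape(host)
        if re.search(pattern, text, re.I | re.M):
            return rir
    return None

def contacts(text):
    """Return (abuse, other) e-mail addresses found in a whois reply."""
    seen = {}  # address -> True once it appears on an abuse-related line
    for line in text.splitlines():
        on_abuse_line = "abuse" in line.lower()
        for addr in EMAIL.findall(line):
            seen[addr.lower()] = seen.get(addr.lower(), False) or on_abuse_line
    abuse = [a for a, flag in seen.items() if flag]
    return abuse, [a for a, flag in seen.items() if not flag]

def report_to(text):
    """Addresses to note down: abuse contacts, else admin/technical ones."""
    abuse, other = contacts(text)
    return abuse or other

# Constructed sample replies (documentation IP ranges, made-up contacts).
SAMPLE_REGISTRY = """% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@isp.example'
inetnum:        192.0.2.0 - 192.0.2.255
e-mail:         hostmaster@isp.example
abuse-mailbox:  abuse@isp.example"""
SAMPLE_REFERRAL = """NetRange:       198.51.100.0 - 198.51.100.255
ReferralServer:  whois://whois.ripe.net"""
SAMPLE_NO_ABUSE = "inetnum: 203.0.113.0 - 203.0.113.255\ne-mail: noc@net.example"
```

For a live lookup, pass the text returned by `whois_query("arin", ip)` to `find_referral` first, repeat the query at the RIR it names if there is one, then call `report_to` on the final reply.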
