Is there a way to trace the source of spam? I keep getting loads of spam with identical messages. For example,

Posted on 2006-04-03
Medium Priority
Last Modified: 2010-04-11
I am interested in stock investing, and somewhere someone picked up my email address and now I get at least 15 emails every day such as the following"

"This tightly held company has rocketed up in price on every
great news release.  More spectacular news expected this week.
All our members should get in on this one early before it blows up.

Co: Ever-Glory International Group Inc.
Currently Trading at: $1.25    
Target_Price:  $4.5O "

The message changes everyday, just enough so that I can't use messages rules.  I have a spam filter, plus my ISP has spam filtering, which I have turned on.
Question by:sheana11
LVL 57

Accepted Solution

Pete Long earned 1000 total points
ID: 16360629
Find out who is spamming you

***Here is some info for you


***How do I find the spammer's ISP?

You need to open up the email header and find the spammer's IP address.

***How Do I find the Spammer's IP address?

Where's that IP address?
Some spammer's think they can safely hide behind an IP address (an address in the form of Not so! you can look up owners of IP addresses at the following sites:

American Registry for Internet Number
European IP Address allocations
Asia Pacific IP Address allocations

Now, opposite to domain names, IP addresses are bound to a physical location. If you cannot figure out easily where your IP address is, try all three look-ups.
Also in most cases you can do a so-called reverse DNS (or rDNS) lookup, you give the IP address and the DNS server returns with the appropriate name. However, often more than one web site is hosted on the same IP number. so take care you don't start writing to the wrong guy.
When you have the spammer's IP address, search the whois databases of the Regional Internet Registries (RIRs). For information on how to use the Whois database, refer to: Using the Whois database to find the spammer/hacker's network

***How Do I find IP addresses in the EMAIL?

This depends on your software see here for the info you need


***Now I know the IP address or the Domain name what do I Do?

To find IP addresses from a domain name

***What do I do Next

Go here http://www.activatormail.com/fastreport.htm

***I've got stuck - What can I do now?

Go here http://www.samspade.org/
And here www.spamcop.com 

***How do I stop it happening again?
Try this http://www.sunbelt-software.com/product.cfm?id=930

Author Comment

ID: 16361037
Pete, thanks so much for your prompt and thorough reply!  Is there a way I can safely post the email header here on Experts-Exchange without further compromising my security? Or give a "fake" spam header going through the steps?  If someone could "walk" me through an example, I think it would be great.  Let me know.
LVL 51

Expert Comment

ID: 16365012
> ***How do I find the spammer's ISP?
>You need to open up the email header and find the spammer's IP address.

PeteLong, I'm pretty sure you're joking here ;-)

There is no way to trace back (spam-)mails except you have full control over *all and every* server such a mail passes through in *exactly that moment* the mail arrives and gets delivered again. Dot. Period.
In most countries this is more a legal than a technical problem.
Is ther at least one server you don't have control? then evn forget thinking about it.

sheana11, posting the header here is useless (see comment above), 'cause most parts of that header can be forged anywhere.
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

LVL 32

Expert Comment

ID: 16366155
"...most parts of that header can be forged anywhere"

True, they _can_ be, but most of the time they are not, so it is at least worth looking at the headers.

To the original poster, if you are not good at reading email headers you can post one or two of them here. If you want to stay safer you can edit them to remove any information that identifies your email or IP address or domain name. The main lines of interest in the header are the oldest ones, normally at the bottom of the header.

For example, here is the relevant line from the most recent spam I got a few minutes ago:

Received: from reconauto.com ([]) by xx.xxx.xxx.xx with Microsoft SMTPSVC(5.0.2195.6713);
       Mon, 3 Apr 2006 ....

Tracing this a bit with whois seems to show it ( belongs to Telewest Broadband IP Network Services in Surrey, England.

However, keep in mind that identifying the IP that is sending you the spam is probably not enough to stop the spam. In many cases it is just a PC belonging to some unsuspecting user in a different city or country who has been hacked or infected and doesn't know what to do about it. You could notify their ISP, but response rate is poor.

Or, as ahoffman said, it could also be faked in some cases.

Expert Comment

ID: 16366492
Here's one, VERY effective fix:

Change you email address, and notify ONLY trusted parties of the change.

If you are concerned that some of the "trusted" parties are porting spam(willingly or not) than notify only 1 at a time, wait a day or two(check for spam), and continue with the next notification.

Very effective.
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 16367290
spamcop is a great way to parse spam and send reports on spammers to ISP's.


Assisted Solution

floorman67 earned 1000 total points
ID: 16367678
the short answer is yes you get get the originating ip from the headers, do a reverse dns, and contact the ISP, BUTTTTT you will never stop spam entirely and its a HUGE chance that that ip never sent it to begin with and was forged.

spam is now against the law in many locations so the spammers are getting smart and using anonymous mail port proxies set up in 3rd world countries just for this (for the guy who said ots worth a look at the headers, sorry, more spam is ran through proxy than not these days, sir.)

Tracking down spam is a waste of time, money, and is frustrating at best.

all major isps and sites will be constantly attacked with wordlist and autogenerated lists (example: xxx@comcast.net, xxx1@comcast.net, xxx2@comcast.net), with the headers originating ip forged, and many times ran through anonymous proxies.

your best bet would be to harden your spam filters, block and single ip ban known abusers/proxies via lists (and there are a TON of them http://www.google.com/search?hl=en&q=email+abuse+lists&btnG=Google+Search ), and also have a system whereby you have multiple email  addresses for family, business, friends, etc, and a central email only place on the web to do business like a server side script contact form under http/https with the actual email address hidden, encrypted, or obfuscated for less chance of reverse engineering and spambotted. This way u can change email addresses ass needed and simply update it in a scripted variable.

If you go the web page email form route i would highly suggest http request flood protection, xxs protection,  and heavy input checking (max input charactor count and email address format authentication), and an image verification routine to stop automated bots.

Some people actually with nix the email entirely and use a form and save to sql database and check it via an admin interface for messages. If you ever do this ensure it is sql-injection protected as well as the other forms of server side script protection listed above.

This means you cant be bothered with spam unless they take the time to manually input all the data ... spammers wont do that as they rely on bulk for their profit via mailbots
LVL 51

Expert Comment

ID: 16368249
> "...most parts of that header can be forged anywhere"
> True, they _can_ be, but most of the time they are not, so it is at least worth looking at the headers.
are we talking about spam mails, or about legal mails?
Do you know spamers who do not forge their activities? ok, script kiddies do that and can be plonked ;-)

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question