Is there a way to trace the source of spam? I keep getting loads of spam with identical messages. For example,

Posted on 2006-04-03
Last Modified: 2010-04-11
I am interested in stock investing, and somewhere someone picked up my email address and now I get at least 15 emails every day such as the following:

"This tightly held company has rocketed up in price on every
great news release.  More spectacular news expected this week.
All our members should get in on this one early before it blows up.

Co: Ever-Glory International Group Inc.
Currently Trading at: $1.25    
Target_Price:  $4.5O "

The message changes everyday, just enough so that I can't use messages rules.  I have a spam filter, plus my ISP has spam filtering, which I have turned on.
Question by: sheana11
    LVL 57

    Accepted Solution

    Find out who is spamming you

    ***Here is some info for you

    ***How do I find the spammer's ISP?

    You need to open up the email header and find the spammer's IP address.

    ***How Do I find the Spammer's IP address?

    Where's that IP address?
    Some spammers think they can safely hide behind an IP address (an address in the form of Not so! You can look up owners of IP addresses at the following sites:

    American Registry for Internet Numbers
    European IP Address allocations
    Asia Pacific IP Address allocations

    Now, opposite to domain names, IP addresses are bound to a physical location. If you cannot figure out easily where your IP address is, try all three look-ups.
    Also, in most cases you can do a so-called reverse DNS (or rDNS) lookup: you give the IP address and the DNS server returns the appropriate name. However, often more than one web site is hosted on the same IP number, so take care you don't start writing to the wrong guy.
    When you have the spammer's IP address, search the whois databases of the Regional Internet Registries (RIRs). For information on how to use the Whois database, refer to: Using the Whois database to find the spammer/hacker's network

    ***How Do I find IP addresses in the EMAIL?

    This depends on your software; see here for the info you need

    ***Now I know the IP address or the Domain name what do I Do?

    To find IP addresses from a domain name

    ***What do I do Next

    Go here

    ***I've got stuck - What can I do now?

    Go here
    And here

    ***How do I stop it happening again?
    Try this

    Author Comment

    Pete, thanks so much for your prompt and thorough reply!  Is there a way I can safely post the email header here on Experts-Exchange without further compromising my security? Or give a "fake" spam header going through the steps?  If someone could "walk" me through an example, I think it would be great.  Let me know.
    LVL 51

    Expert Comment

    > ***How do I find the spammer's ISP?
    >You need to open up the email header and find the spammer's IP address.

    PeteLong, I'm pretty sure you're joking here ;-)

    There is no way to trace back (spam-)mails except you have full control over *all and every* server such a mail passes through in *exactly that moment* the mail arrives and gets delivered again. Dot. Period.
    In most countries this is more a legal than a technical problem.
    Is there at least one server you don't have control over? Then even forget thinking about it.

    sheana11, posting the header here is useless (see comment above), 'cause most parts of that header can be forged anywhere.
    LVL 32

    Expert Comment

    "...most parts of that header can be forged anywhere"

    True, they _can_ be, but most of the time they are not, so it is at least worth looking at the headers.

    To the original poster, if you are not good at reading email headers you can post one or two of them here. If you want to stay safer you can edit them to remove any information that identifies your email or IP address or domain name. The main lines of interest in the header are the oldest ones, normally at the bottom of the header.

    For example, here is the relevant line from the most recent spam I got a few minutes ago:

    Received: from ([]) by with Microsoft SMTPSVC(5.0.2195.6713);
           Mon, 3 Apr 2006 ....

    Tracing this a bit with whois seems to show it ( belongs to Telewest Broadband IP Network Services in Surrey, England.

    However, keep in mind that identifying the IP that is sending you the spam is probably not enough to stop the spam. In many cases it is just a PC belonging to some unsuspecting user in a different city or country who has been hacked or infected and doesn't know what to do about it. You could notify their ISP, but response rate is poor.

    Or, as ahoffman said, it could also be faked in some cases.
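The header walk described in the accepted solution above, and the point in the previous comment that the oldest Received: lines sit at the bottom and can be forged, as an added example that is not part of the original thread. It is Python written for this page; the sample message, the host names and the IP addresses in it are constructed for the example, the set of "our own" servers is an assumption, and the PTR table is an offline stand-in for a real reverse DNS query (a live lookup helper using socket.gethostbyaddr is included). The defensive idea it implements is that a Received: line is only as trustworthy as the server that wrote it, so the chain is followed only while the recording host is one you operate; the first external sender it hands you is the IP that really connected to your mail server, and everything older is an unverifiable claim.

```python
import re
import socket
from email import message_from_string
from ipaddress import ip_address

# Constructed sample, not a real message. Received: headers are newest-first,
# because every relay prepends its own line as the mail passes through.
SAMPLE_RAW_MAIL = (
    "Received: from mx.example.net (mx.example.net [203.0.113.5])\n"
    "\tby mailstore.example.net with ESMTP id abc123;\n"
    "\tMon, 3 Apr 2006 10:15:02 +0000\n"
    "Received: from relay.example.org ([198.51.100.7])\n"
    "\tby mx.example.net with Microsoft SMTPSVC(5.0.2195.6713);\n"
    "\tMon, 3 Apr 2006 10:14:58 +0000\n"
    "Received: from [192.0.2.44] (helo=friendly-isp.example.com)\n"
    "\tby relay.example.org with SMTP; Mon, 3 Apr 2006 10:14:30 +0000\n"
    "From: Investor Alerts <news@example.com>\n"
    "To: victim@example.net\n"
    "Subject: This tightly held company has rocketed up\n"
    "\n"
    "Co: Example Corp\n"
)

# Hosts and addresses the recipient actually operates (assumed for the example).
OUR_HOSTS = {"mailstore.example.net", "mx.example.net"}
OUR_IPS = {"203.0.113.5"}

# Constructed PTR table so the example runs offline; pass live_ptr_lookup to
# reverse_dns() to query real DNS instead.
OFFLINE_PTR = {"198.51.100.7": "relay.example.org", "192.0.2.44": None}

RECEIVED_RE = re.compile(r"^from\s+(?P<src>.+?)\s+by\s+(?P<dst>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Split one Received: value into the claimed sender, the recording host and the sender's IP."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ips = []
    for cand in IPV4_RE.findall(m.group("src")):
        try:
            ips.append(str(ip_address(cand)))  # drops junk such as 999.1.1.1
        except ValueError:
            pass
    return {"src": m.group("src"), "by": m.group("dst").rstrip(";"), "ip": ips[0] if ips else None}


def received_hops(raw_mail):
    """Return parsed Received: lines newest-first, skipping any we cannot parse."""
    msg = message_from_string(raw_mail)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    return [h for h in hops if h]


def find_origin(raw_mail, our_hosts=OUR_HOSTS, our_ips=OUR_IPS):
    """Walk the hops outward from our own servers.

    We follow the chain only while the recording ("by") host is ours. The first
    such hop whose sender is not ours gives the IP that really connected to us.
    Every older line was written by somebody else's machine and may be forged,
    so it is reported separately as a claim, not a fact.
    """
    hops = received_hops(raw_mail)
    for idx, hop in enumerate(hops):
        if hop["by"] not in our_hosts:
            break  # chain of custody ends before any external sender was seen
        if hop["ip"] and hop["ip"] not in our_ips:
            older = hops[idx + 1:]
            return {
                "connecting_ip": hop["ip"],
                "claimed_origin": older[-1]["ip"] if older else None,
                "unverified_hops": len(older),
            }
    return None


def live_ptr_lookup(ip):
    """Real reverse DNS; returns the PTR name or None (network required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


def reverse_dns(ip, lookup=OFFLINE_PTR.get):
    """Return the PTR name for ip, or None. Defaults to the offline table above."""
    return lookup(ip)


if __name__ == "__main__":
    origin = find_origin(SAMPLE_RAW_MAIL)
    print("IP that connected to our MX:", origin["connecting_ip"],
          "->", reverse_dns(origin["connecting_ip"]))
    print("Earliest claimed origin (unverifiable):", origin["claimed_origin"],
          "behind", origin["unverified_hops"], "hop(s) we cannot vouch for")
```

The connecting IP is the one to run through the RIR whois lookups the accepted solution lists; the "claimed origin" is what you should not write an abuse complaint about without further evidence, which is exactly the disagreement in the comments above.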
    LVL 3

    Expert Comment

    Here's one, VERY effective fix:

    Change you email address, and notify ONLY trusted parties of the change.

    If you are concerned that some of the "trusted" parties are porting spam (willingly or not), then notify only 1 at a time, wait a day or two (check for spam), and continue with the next notification.

    Very effective.
    LVL 42

    Expert Comment

    spamcop is a great way to parse spam and send reports on spammers to ISP's.
    LVL 5

    Assisted Solution

    the short answer is yes, you can get the originating ip from the headers, do a reverse dns, and contact the ISP, BUTTTTT you will never stop spam entirely and it's a HUGE chance that that ip never sent it to begin with and was forged.

    spam is now against the law in many locations so the spammers are getting smart and using anonymous mail port proxies set up in 3rd world countries just for this (for the guy who said it's worth a look at the headers, sorry, more spam is run through proxy than not these days, sir.)

    Tracking down spam is a waste of time, money, and is frustrating at best.

    all major isps and sites will be constantly attacked with wordlist and autogenerated lists (example:,,, with the headers originating ip forged, and many times ran through anonymous proxies.

    your best bet would be to harden your spam filters, block and single ip ban known abusers/proxies via lists (and there are a TON of them ), and also have a system whereby you have multiple email addresses for family, business, friends, etc, and a central email only place on the web to do business like a server side script contact form under http/https with the actual email address hidden, encrypted, or obfuscated for less chance of reverse engineering and spambotted. This way u can change email addresses as needed and simply update it in a scripted variable.

    If you go the web page email form route i would highly suggest http request flood protection, XSS protection, and heavy input checking (max input character count and email address format authentication), and an image verification routine to stop automated bots.

    Some people actually will nix the email entirely and use a form and save to sql database and check it via an admin interface for messages. If you ever do this ensure it is sql-injection protected as well as the other forms of server side script protection listed above.

    This means you can't be bothered with spam unless they take the time to manually input all the data ... spammers won't do that as they rely on bulk for their profit via mailbots
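The hardened contact form the previous answer recommends (request flood protection, input length and address format checks, SQL injection protection for the stored messages, and output escaping for the admin view), as an added example that is not part of the original thread. It is Python written for this page, with no web framework: the limits, the field names and the submissions in the usage section are constructed for the example, and the image verification step the answer mentions is not implemented, only a hidden honeypot field that bots tend to fill in.

```python
import html
import re
import sqlite3
import time
from collections import defaultdict, deque

# Limits chosen for the example (assumptions; tune them for your own site).
MAX_NAME = 80
MAX_EMAIL = 254
MAX_BODY = 2000
RATE_LIMIT = 5        # submissions allowed ...
RATE_WINDOW = 60.0    # ... per this many seconds, per client IP

# Deliberately strict address shape: local@domain.tld with no whitespace, quotes
# or angle brackets, so the value can never smuggle CR/LF into a mail header later.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class RateLimiter:
    """Sliding-window counter per client IP (in-memory; one process only)."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[client_ip]
        while q and now - q[0] > self.window:
            q.popleft()  # forget hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate(form):
    """Return (cleaned_fields, errors). Bad input is rejected, never 'repaired'."""
    errors = []
    name = form.get("name", "").strip()
    sender = form.get("email", "").strip()
    body = form.get("message", "").strip()
    if not 0 < len(name) <= MAX_NAME:
        errors.append("name missing or too long")
    if len(sender) > MAX_EMAIL or not EMAIL_RE.match(sender):
        errors.append("email address malformed")
    if not 0 < len(body) <= MAX_BODY:
        errors.append("message missing or too long")
    if form.get("website"):  # honeypot: hidden from humans, bots fill every field
        errors.append("honeypot filled")
    return {"name": name, "email": sender, "message": body}, errors


def open_store():
    """In-memory SQLite stand-in for the 'save to sql database' step."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, ip TEXT, "
               "name TEXT, email TEXT, body TEXT, ts REAL)")
    return db


def handle_submission(db, limiter, client_ip, form, now=None):
    """Process one form POST. Returns (http_status, detail)."""
    if not limiter.allow(client_ip, now):
        return 429, "too many submissions"
    fields, errors = validate(form)
    if errors:
        return 400, "; ".join(errors)
    # Parameterised statement: the values are bound, never spliced into SQL text,
    # so quotes or SQL keywords in a message are stored as plain data.
    db.execute(
        "INSERT INTO messages (ip, name, email, body, ts) VALUES (?, ?, ?, ?, ?)",
        (client_ip, fields["name"], fields["email"], fields["message"],
         time.time() if now is None else now),
    )
    db.commit()
    return 200, "stored"


def render_inbox(db):
    """Admin view: escape every stored value so a message cannot inject HTML or script."""
    rows = db.execute("SELECT name, email, body FROM messages ORDER BY id").fetchall()
    return "\n".join(
        f"<li><b>{html.escape(n)}</b> &lt;{html.escape(e)}&gt;: {html.escape(b)}</li>"
        for n, e, b in rows
    )


if __name__ == "__main__":
    db, limiter = open_store(), RateLimiter()
    # Constructed submissions: one honest, one with an injection attempt in the address.
    print(handle_submission(db, limiter, "198.51.100.7",
                            {"name": "Ann", "email": "ann@example.com", "message": "Hello"}))
    print(handle_submission(db, limiter, "198.51.100.7",
                            {"name": "Bob", "email": "x@example.com'); DROP TABLE messages;--",
                             "message": "hi"}))
    print(render_inbox(db))
```

Note that the rate limiter is consulted before validation, so a flood of malformed posts still burns the sender's quota, and that escaping happens at render time rather than at storage time, which keeps the stored data intact for any other consumer.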
    LVL 51

    Expert Comment

    > "...most parts of that header can be forged anywhere"
    > True, they _can_ be, but most of the time they are not, so it is at least worth looking at the headers.
    are we talking about spam mails, or about legal mails?
    Do you know spammers who do not forge their activities? ok, script kiddies do that and can be plonked ;-)
