Is there a way to trace the source of spam? I keep getting loads of spam with identical messages. For example,

I am interested in stock investing, and somewhere someone picked up my email address, and now I get at least 15 emails every day such as the following:

"This tightly held company has rocketed up in price on every
great news release.  More spectacular news expected this week.
All our members should get in on this one early before it blows up.

Co: Ever-Glory International Group Inc.
Sym:(egly)                                
Currently Trading at: $1.25    
Target_Price:  $4.5O "

The message changes every day, just enough so that I can't use message rules. I have a spam filter, plus my ISP has spam filtering, which I have turned on.
sheana11 Asked:
Pete Long (Technical Consultant) Commented:
Find out who is spamming you

***Here is some info for you

http://www.private.org.il/harvest.html

***How do I find the spammer's ISP?

You need to open up the email header and find the spammer's IP address.

***How Do I find the Spammer's IP address?

Where's that IP address?
Some spammers think they can safely hide behind an IP address (an address in the form of 123.123.123.123). Not so! You can look up owners of IP addresses at the following sites:

American Registry for Internet Numbers
European IP Address allocations
Asia Pacific IP Address allocations

Now, unlike domain names, IP addresses are bound to a physical location. If you cannot easily figure out where your IP address is, try all three look-ups.
Also, in most cases you can do a so-called reverse DNS (or rDNS) lookup: you give the IP address and the DNS server returns the appropriate name. However, often more than one web site is hosted on the same IP number, so take care you don't start writing to the wrong guy.
When you have the spammer's IP address, search the whois databases of the Regional Internet Registries (RIRs). For information on how to use the Whois database, refer to: Using the Whois database to find the spammer/hacker's network

***How Do I find IP addresses in the EMAIL?

This depends on your software; see here for the info you need:

http://spamcop.net/fom-serve/cache/19.html

***Now I know the IP address or the Domain name what do I Do?

To find IP addresses from a domain name
http://www.apnic.net/search/index.html

***What do I do next?

Go here http://www.activatormail.com/fastreport.htm

***I've got stuck - What can I do now?

Go here http://www.samspade.org/
And here www.spamcop.com 

***How do I stop it happening again?
Try this http://www.sunbelt-software.com/product.cfm?id=930

sheana11 (Author) Commented:
Pete, thanks so much for your prompt and thorough reply!  Is there a way I can safely post the email header here on Experts-Exchange without further compromising my security? Or give a "fake" spam header going through the steps?  If someone could "walk" me through an example, I think it would be great.  Let me know.
ahoffmann Commented:
> ***How do I find the spammer's ISP?
>You need to open up the email header and find the spammer's IP address.

PeteLong, I'm pretty sure you're joking here ;-)

There is no way to trace back (spam) mails unless you have full control over *all and every* server such a mail passes through at *exactly the moment* the mail arrives and gets delivered again. Dot. Period.
In most countries this is more a legal than a technical problem.
Is there at least one server you don't have control over? Then even forget thinking about it.

sheana11, posting the header here is useless (see comment above), because most parts of that header can be forged anywhere.
r-k Commented:
"...most parts of that header can be forged anywhere"

True, they _can_ be, but most of the time they are not, so it is at least worth looking at the headers.

To the original poster, if you are not good at reading email headers you can post one or two of them here. If you want to stay safer you can edit them to remove any information that identifies your email or IP address or domain name. The main lines of interest in the header are the oldest ones, normally at the bottom of the header.

For example, here is the relevant line from the most recent spam I got a few minutes ago:

Received: from reconauto.com ([82.42.205.213]) by xx.xxx.xxx.xx with Microsoft SMTPSVC(5.0.2195.6713);
       Mon, 3 Apr 2006 ....

Tracing this a bit with whois seems to show it (82.42.205.213) belongs to Telewest Broadband IP Network Services in Surrey, England.

However, keep in mind that identifying the IP that is sending you the spam is probably not enough to stop the spam. In many cases it is just a PC belonging to some unsuspecting user in a different city or country who has been hacked or infected and doesn't know what to do about it. You could notify their ISP, but response rate is poor.

Or, as ahoffmann said, it could also be faked in some cases.
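Pete's "How do I find IP addresses in the email" section and r-k's Received line both come down to the same procedure: read the Received chain from the top (the line your own server wrote) downward, and stop trusting it at the first hop that was not written by a server you control. The script below is an added example and not code from the thread or from any of the posters; the message, hostnames and addresses in it are constructed (documentation ranges and made-up names), and `parse_received`, `originating_ip` and the two trusted sets are names chosen for this example. It shows why only the bracketed IP on a line written by your own server is believable, while the name after "from" is whatever the client claimed in HELO and everything below the last trusted hop may be fiction, as ahoffmann warns.

```python
import email
import re
from ipaddress import ip_address

# Constructed sample message (not a real spam; hostnames and IPs are made up from
# documentation ranges). Received lines are stacked newest-first: the top one was
# written by the victim's own server, the bottom one by whoever handed the mail to
# the first relay, which is exactly the line a spammer can invent freely.
SAMPLE_MESSAGE = b"""Received: from mx.example.net ([192.0.2.10]) by mail.example.org with ESMTP id abc123;
\tMon, 3 Apr 2006 10:15:02 -0400
Received: from reconauto.example ([198.51.100.77]) by mx.example.net with Microsoft SMTPSVC(5.0.2195.6713);
\tMon, 3 Apr 2006 10:14:58 -0400
Received: from mail.forged.invalid (mail.forged.invalid [203.0.113.5]) by reconauto.example;
\tMon, 3 Apr 2006 10:14:50 -0400
From: "Stock Tips" <tips@forged.invalid>
To: victim@example.org
Subject: This tightly held company has rocketed up in price

Co: Example Corp
"""

# "from <HELO name claimed by client> (<what the receiving MTA observed>) by <receiving host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<observed>[^)]*)\)\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
BRACKET_IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")
BARE_IP_RE = re.compile(r"\b(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw):
    """Return one dict per Received header, newest (top of message) first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue  # e.g. "Received: by localhost ..." with no "from" clause
        observed = m.group("observed")
        ip_match = BRACKET_IP_RE.search(observed) or BARE_IP_RE.search(observed)
        ip = None
        if ip_match:
            try:
                ip = str(ip_address(ip_match.group("ip")))
            except ValueError:
                ip = None  # junk in the brackets; leave it unset rather than guess
        hops.append({"helo": m.group("helo"), "ip": ip, "by": m.group("by").rstrip(";")})
    return hops


def originating_ip(hops, trusted_hosts, trusted_ips):
    """Walk the chain from the top while each line was written by a host we trust.

    The name after "by" was written by that server itself, so a line is only
    believable if that name is ours (or our ISP's). The IP in brackets is what
    that server saw on the TCP connection; the HELO name is client-supplied and
    is ignored here. The first trusted line whose observed IP is not one of our
    own relays points at the machine that injected the mail. Everything further
    down was written by strangers and may be forged.
    """
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            return None  # chain of trust broke before an external sender appeared
        if hop["ip"] not in trusted_ips:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop['by']} received from {hop['helo']} [{hop['ip']}]")
    print("originating IP:",
          originating_ip(hops, {"mail.example.org", "mx.example.net"}, {"192.0.2.10"}))
```

Run against the constructed message with `mail.example.org` and `mx.example.net` as the trusted hosts, the originating IP comes out as 198.51.100.77 (the connection `mx.example.net` actually accepted), and the 203.0.113.5 line underneath is ignored because it was written by a host outside the trust set. Feeding the result into whois or a reverse lookup is the next step Pete describes; as r-k and floorman67 note, that address is often just an infected PC or an open proxy, so the ISP contact is best-effort.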
Fermion Commented:
Here's one, VERY effective fix:

Change your email address, and notify ONLY trusted parties of the change.

If you are concerned that some of the "trusted" parties are porting spam (willingly or not), then notify only one at a time, wait a day or two (check for spam), and continue with the next notification.

Very effective.
zephyr_hex (Megan, Developer) Commented:
SpamCop is a great way to parse spam and send reports on spammers to ISPs.

http://www.spamcop.net
floorman67 Commented:
The short answer is yes, you can get the originating IP from the headers, do a reverse DNS, and contact the ISP, BUT you will never stop spam entirely and there's a HUGE chance that that IP never sent it to begin with and was forged.

Spam is now against the law in many locations, so the spammers are getting smart and using anonymous mail port proxies set up in 3rd world countries just for this (for the guy who said it's worth a look at the headers, sorry, more spam is run through proxies than not these days, sir).

Tracking down spam is a waste of time and money, and is frustrating at best.

All major ISPs and sites will be constantly attacked with wordlists and autogenerated lists (example: xxx@comcast.net, xxx1@comcast.net, xxx2@comcast.net), with the header's originating IP forged, and many times run through anonymous proxies.

Your best bet would be to harden your spam filters, block and single-IP ban known abusers/proxies via lists (and there are a TON of them: http://www.google.com/search?hl=en&q=email+abuse+lists&btnG=Google+Search ), and also have a system whereby you have multiple email addresses for family, business, friends, etc., and a central email-only place on the web to do business, like a server-side script contact form under http/https with the actual email address hidden, encrypted, or obfuscated for less chance of being reverse engineered and spambotted. This way you can change email addresses as needed and simply update it in a scripted variable.

If you go the web page email form route I would highly suggest HTTP request flood protection, XSS protection, and heavy input checking (max input character count and email address format authentication), and an image verification routine to stop automated bots.

Some people actually nix the email entirely and use a form, save to an SQL database, and check it via an admin interface for messages. If you ever do this, ensure it is SQL-injection protected as well as protected by the other forms of server-side script protection listed above.

This means you can't be bothered with spam unless they take the time to manually input all the data ... spammers won't do that, as they rely on bulk for their profit via mailbots.
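floorman67's suggestion above (a server-side contact form with flood protection, input checking, XSS protection and an SQL-injection-safe store behind an admin interface) is concrete enough to show as code. The following is an added example, not code from the thread or from any poster. It assumes three hypothetical form fields (`name`, `email`, `message`), an in-memory SQLite database standing in for the real store, and a small sliding-window limiter called `RateLimiter` as the flood protection; the image-verification (CAPTCHA) step he mentions is left out because it needs a rendering library. The points it demonstrates are the ones he lists: reject oversize or malformed input before it is stored, bind values into the INSERT instead of splicing them into SQL text, and escape on output so a hostile message cannot run script in the admin page.

```python
import html
import re
import sqlite3
import time
from collections import defaultdict, deque

# Hypothetical form fields and their maximum lengths (assumption for this example).
MAX_LEN = {"name": 100, "email": 254, "message": 2000}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class RateLimiter:
    """Sliding window: at most `limit` submissions per `window` seconds per client IP."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[client_ip]
        while q and now - q[0] > self.window:
            q.popleft()  # forget hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate(fields):
    """Return (ok, errors). Never trusts the client: checks presence, length and format."""
    errors = []
    for name, limit in MAX_LEN.items():
        value = fields.get(name, "")
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{name}: required")
        elif len(value) > limit:
            errors.append(f"{name}: longer than {limit} characters")
    email_value = fields.get("email", "")
    if isinstance(email_value, str) and email_value and not EMAIL_RE.match(email_value):
        errors.append("email: not a valid address")
    # CR/LF in a header-bound field would let an attacker inject extra mail headers
    # if the form is ever relayed to SMTP, so reject them outright.
    for name in ("name", "email"):
        value = fields.get(name, "")
        if isinstance(value, str) and ("\r" in value or "\n" in value):
            errors.append(f"{name}: line breaks not allowed")
    return (not errors, errors)


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS messages ("
        "id INTEGER PRIMARY KEY, client_ip TEXT, name TEXT, email TEXT, "
        "message TEXT, received_at REAL)"
    )
    return conn


def store_message(conn, client_ip, fields):
    """Parameterised INSERT: values are bound, never concatenated into the SQL text."""
    conn.execute(
        "INSERT INTO messages (client_ip, name, email, message, received_at) "
        "VALUES (?, ?, ?, ?, ?)",
        (client_ip, fields["name"], fields["email"], fields["message"], time.time()),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]


def render_for_admin(row):
    """Escape on output: stored text stays raw, HTML is produced only here."""
    return "<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in row) + "</tr>"


def handle_submission(conn, limiter, client_ip, fields, now=None):
    """One request through the pipeline: flood check, validation, then store."""
    if not limiter.allow(client_ip, now):
        return ("rate_limited", [])
    ok, errors = validate(fields)
    if not ok:
        return ("rejected", errors)
    store_message(conn, client_ip, fields)
    return ("stored", [])


if __name__ == "__main__":
    conn, limiter = open_store(), RateLimiter(limit=2, window=60.0)
    # Constructed submissions, including a classic injection payload in the message body.
    print(handle_submission(conn, limiter, "198.51.100.9",
                            {"name": "Alice", "email": "alice@example.com", "message": "Hello"}))
    print(handle_submission(conn, limiter, "203.0.113.7",
                            {"name": "Eve", "email": "eve@example.com",
                             "message": "'); DROP TABLE messages; --"}))
    for row in conn.execute("SELECT name, message FROM messages"):
        print(render_for_admin(row))
```

The injection payload is stored verbatim as data, because the driver binds it as a parameter; the table survives, and the admin view renders it as escaped text rather than markup. The limiter keys on the client IP only, which is enough against a single bot but not against a distributed one, so it complements rather than replaces the CAPTCHA step in the comment.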
ahoffmann Commented:
> "...most parts of that header can be forged anywhere"
> True, they _can_ be, but most of the time they are not, so it is at least worth looking at the headers.
Are we talking about spam mails, or about legal mails?
Do you know spammers who do not forge their activities? OK, script kiddies do that and can be plonked ;-)