We help IT Professionals succeed at work.

Is there a way to trace the source of spam? I keep getting loads of spam with identical messages. For example,

sheana11 asked
Medium Priority
Last Modified: 2010-04-11
I am interested in stock investing, and somewhere someone picked up my email address and now I get at least 15 emails every day such as the following"

"This tightly held company has rocketed up in price on every
great news release.  More spectacular news expected this week.
All our members should get in on this one early before it blows up.

Co: Ever-Glory International Group Inc.
Currently Trading at: $1.25    
Target_Price:  $4.5O "

The message changes everyday, just enough so that I can't use messages rules.  I have a spam filter, plus my ISP has spam filtering, which I have turned on.
Watch Question

Technical Architect
Distinguished Expert 2019
Find out who is spamming you

***Here is some info for you


***How do I find the spammer's ISP?

You need to open up the email header and find the spammer's IP address.

***How Do I find the Spammer's IP address?

Where's that IP address?
Some spammer's think they can safely hide behind an IP address (an address in the form of Not so! you can look up owners of IP addresses at the following sites:

American Registry for Internet Number
European IP Address allocations
Asia Pacific IP Address allocations

Now, opposite to domain names, IP addresses are bound to a physical location. If you cannot figure out easily where your IP address is, try all three look-ups.
Also in most cases you can do a so-called reverse DNS (or rDNS) lookup, you give the IP address and the DNS server returns with the appropriate name. However, often more than one web site is hosted on the same IP number. so take care you don't start writing to the wrong guy.
When you have the spammer's IP address, search the whois databases of the Regional Internet Registries (RIRs). For information on how to use the Whois database, refer to: Using the Whois database to find the spammer/hacker's network

***How Do I find IP addresses in the EMAIL?

This depends on your software see here for the info you need


***Now I know the IP address or the Domain name what do I Do?

To find IP addresses from a domain name

***What do I do Next

Go here http://www.activatormail.com/fastreport.htm

***I've got stuck - What can I do now?

Go here http://www.samspade.org/
And here www.spamcop.com 

***How do I stop it happening again?
Try this http://www.sunbelt-software.com/product.cfm?id=930

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Pete, thanks so much for your prompt and thorough reply!  Is there a way I can safely post the email header here on Experts-Exchange without further compromising my security? Or give a "fake" spam header going through the steps?  If someone could "walk" me through an example, I think it would be great.  Let me know.
> ***How do I find the spammer's ISP?
>You need to open up the email header and find the spammer's IP address.

PeteLong, I'm pretty sure you're joking here ;-)

There is no way to trace back (spam-)mails except you have full control over *all and every* server such a mail passes through in *exactly that moment* the mail arrives and gets delivered again. Dot. Period.
In most countries this is more a legal than a technical problem.
Is ther at least one server you don't have control? then evn forget thinking about it.

sheana11, posting the header here is useless (see comment above), 'cause most parts of that header can be forged anywhere.

"...most parts of that header can be forged anywhere"

True, they _can_ be, but most of the time they are not, so it is at least worth looking at the headers.

To the original poster, if you are not good at reading email headers you can post one or two of them here. If you want to stay safer you can edit them to remove any information that identifies your email or IP address or domain name. The main lines of interest in the header are the oldest ones, normally at the bottom of the header.

For example, here is the relevant line from the most recent spam I got a few minutes ago:

Received: from reconauto.com ([]) by xx.xxx.xxx.xx with Microsoft SMTPSVC(5.0.2195.6713);
       Mon, 3 Apr 2006 ....

Tracing this a bit with whois seems to show it ( belongs to Telewest Broadband IP Network Services in Surrey, England.

However, keep in mind that identifying the IP that is sending you the spam is probably not enough to stop the spam. In many cases it is just a PC belonging to some unsuspecting user in a different city or country who has been hacked or infected and doesn't know what to do about it. You could notify their ISP, but response rate is poor.

Or, as ahoffman said, it could also be faked in some cases.

Here's one, VERY effective fix:

Change you email address, and notify ONLY trusted parties of the change.

If you are concerned that some of the "trusted" parties are porting spam(willingly or not) than notify only 1 at a time, wait a day or two(check for spam), and continue with the next notification.

Very effective.
Top Expert 2010

spamcop is a great way to parse spam and send reports on spammers to ISP's.

the short answer is yes you get get the originating ip from the headers, do a reverse dns, and contact the ISP, BUTTTTT you will never stop spam entirely and its a HUGE chance that that ip never sent it to begin with and was forged.

spam is now against the law in many locations so the spammers are getting smart and using anonymous mail port proxies set up in 3rd world countries just for this (for the guy who said ots worth a look at the headers, sorry, more spam is ran through proxy than not these days, sir.)

Tracking down spam is a waste of time, money, and is frustrating at best.

all major isps and sites will be constantly attacked with wordlist and autogenerated lists (example: xxx@comcast.net, xxx1@comcast.net, xxx2@comcast.net), with the headers originating ip forged, and many times ran through anonymous proxies.

your best bet would be to harden your spam filters, block and single ip ban known abusers/proxies via lists (and there are a TON of them http://www.google.com/search?hl=en&q=email+abuse+lists&btnG=Google+Search ), and also have a system whereby you have multiple email  addresses for family, business, friends, etc, and a central email only place on the web to do business like a server side script contact form under http/https with the actual email address hidden, encrypted, or obfuscated for less chance of reverse engineering and spambotted. This way u can change email addresses ass needed and simply update it in a scripted variable.

If you go the web page email form route i would highly suggest http request flood protection, xxs protection,  and heavy input checking (max input charactor count and email address format authentication), and an image verification routine to stop automated bots.

Some people actually with nix the email entirely and use a form and save to sql database and check it via an admin interface for messages. If you ever do this ensure it is sql-injection protected as well as the other forms of server side script protection listed above.

This means you cant be bothered with spam unless they take the time to manually input all the data ... spammers wont do that as they rely on bulk for their profit via mailbots
> "...most parts of that header can be forged anywhere"
> True, they _can_ be, but most of the time they are not, so it is at least worth looking at the headers.
are we talking about spam mails, or about legal mails?
Do you know spamers who do not forge their activities? ok, script kiddies do that and can be plonked ;-)
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.