Gecko-AK.org Networking/Security Reference Pages


How to Identify the REAL Source of an unsolicited E-mail

Now What?:

So you've isolated the connection information from the headers. But you still don't know who sent the e-mail. What do you do next?

As we said on the previous page, the four dot-separated numbers enclosed in square brackets on the Received: line are the sender's IP address, which is like a phone number for every computer, router or other device on the Internet. Unless it is a private IP address, it uniquely identifies one such host on the Internet (at least at that moment in time).

Now, you need to match the sender's IP address to a domain name. There are two commands that you want to use for this task: nslookup and whois. These commands may not be available on all computers, however. Windows 9x (including ME) won't have either command, but NT, 2000 and XP will have nslookup. Windows does not, to the best of my knowledge, have the whois command, so unless you have a *nix O/S (Linux, Mac OS-X, FreeBSD, Solaris, etc.), you'll have to use GeekTools' whois.

Both nslookup and whois can return the host name for an IP address. For example, this web page is hosted on the server www.gecko-ak.org. As I write this document, the IP address of my web server is 209.112.170.79. If I type nslookup 209.112.170.79 (a reverse lookup of the address), I'll get the following response:

    nslookup 209.112.170.79
    Server:  ns1.gecko-ak.org
    Address:  209.112.170.79

    Name:    gecko-ak.org
    Address:  209.112.170.79
        
This tells me that the host name for 209.112.170.79 is gecko-ak.org, which is also the domain name for my server.

If you have the domain name for the sender's IP address, you now have almost everything you need to report the spam message to the proper abuse administrator. If you run the whois command (or use GeekTools' whois) on the domain name, you should get contact information for that domain. What you want to find is the abuse contact. Unfortunately, not every whois record contains an abuse contact. In general, if you e-mail abuse@domain.name, you should reach the abuse administrator for domain.name. For example, to reach the abuse admin for BigISP.net, you would e-mail abuse@BigISP.net. Another almost certain contact for any given domain is postmaster@domain.name. There is also an abuse contact lookup on DNSstuff.com's web site, but you will need to know the domain name first.

Once you have the abuse or postmaster contact address, e-mail the full message headers from the spam mail you received to abuse@domain.name or postmaster@domain.name (or both), and request that they identify the original sender and take action to prevent the miscreant from continuing to send UCE/UBE to you. Then you're done!
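The steps above (pull the bracketed IP out of the Received: line, make sure it is not a private address, reverse-look it up, derive the domain, and build the abuse@ and postmaster@ addresses) can be chained together in a short script. The following is an added example written for this page, not code from the Gecko-AK.org pages themselves. The Received: line is constructed for illustration and reuses this page's own server address 209.112.170.79; the reverse lookup uses Python's socket.gethostbyaddr in place of nslookup (it needs network access, so the lookup is injectable and returns None when it fails); and domain_of assumes the registrable domain is the last two labels of the host name, which is a rough guess that a whois query should confirm.

```python
import ipaddress
import re
import socket

# Constructed sample Received: line (not from any real message). The address
# in square brackets is the connecting host, as explained on the previous page.
SAMPLE_RECEIVED = (
    "Received: from mail.example.net (mail.example.net [209.112.170.79]) "
    "by mx.example.org with ESMTP id CONSTRUCTED-ID"
)

# Matches the dotted-quad in square brackets; validity is checked separately.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_ip(received_line):
    """Return the bracketed IPv4 address in a Received: line, or None."""
    match = BRACKETED_IP.search(received_line)
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:          # e.g. an octet above 255
        return None


def is_usable_source(ip):
    """Private, loopback, link-local and other special addresses identify no
    host on the public Internet, so a complaint based on them goes nowhere."""
    return ipaddress.ip_address(ip).is_global


def reverse_lookup(ip):
    """PTR lookup, the same thing `nslookup <ip>` does. Returns None when the
    address has no reverse record or the network is unavailable."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def domain_of(hostname):
    """Assumption: the registrable domain is the last two labels
    (mail3.bigisp.net -> bigisp.net). This is wrong for names under
    country-code second-level domains such as co.uk; confirm with whois."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def abuse_contacts(domain):
    """The two addresses the page recommends for any domain."""
    return ["abuse@" + domain, "postmaster@" + domain]


def trace(received_line, resolver=reverse_lookup):
    """Run the whole procedure. Returns None if no usable public IP was found,
    otherwise a dict with the IP, host name, domain and contact addresses."""
    ip = extract_ip(received_line)
    if ip is None or not is_usable_source(ip):
        return None
    host = resolver(ip)
    if host is None:
        return {"ip": ip, "host": None, "domain": None, "contacts": []}
    domain = domain_of(host)
    return {"ip": ip, "host": host, "domain": domain,
            "contacts": abuse_contacts(domain)}


if __name__ == "__main__":
    print(trace(SAMPLE_RECEIVED))
```

Running the script as-is performs a live reverse lookup, so the host name it prints depends on the DNS records current at that moment; the contact addresses it derives still need to be checked against the whois record before you send the complaint.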

"Great," you say, "but I still don't know who really sent the e-mail." Unfortunately, you probably never will. Most ISPs will not give out customer information or the results of an abuse investigation without a court order. However, most abuse departments will take action against their customers, even if they won't tell you who the offender was or what was done to the sender. If they don't take care of abuse complaints, other ISPs will blacklist the offender's domain to keep their own customers happy.

Next: Other Spam Tools