You will need to take a look at the headers on the message as follows (thanks to Michael, Piers and others):

Claris E-Mailer - under Mail select Show Long Headers.
Eudora (before ver. 3) - Select Tools, Options..., then Fonts & Display, then Show all headers.
Eudora (ver. 3.x, 4.x, IBM or Macintosh) - Press the BLAH button on the incoming mail message.
HotMail - To expose the full message header, click "Options" on the Hotmail Navigation Bar on the left side of the page. On the Options page, click "Preferences." Scroll down to "Message Headers" and select "Full."
Lotus Notes 4.6.x - From the menu bar, select Actions, then Delivery Information. Copy the information from the bottom box into your email report at the top of the spam.
Lotus Notes R5 - From the menu bar, select Actions, then Tools, then Delivery Information. Copy the information from the bottom box into your email report at the top of the spam.
MS Outlook - Double click on the email in your inbox. This will bring the message into a window. Click on View - Options. You can also open a message, then choose File... Properties... Details.
MS Outlook Express - Alt-Enter, or Alt-F then R.
MS Outlook Express - More detailed: to look for, copy and send headers in Outlook Express:
Netscape 4.xx - Double click on the email in your inbox. Click on View - Headers - All.
PINE - You have to turn on the header option in setup, then just hit "h" to get headers.
Programs that do not comply with any Internet standards (like cc-Mail, Beyond Mail, VAX VMS) throw away the headers. You will not be able to get headers from these email messages.
Aussie tells us that in Pegasus, to view the full headers for each message, use CTRL-H. This will show the full headers for the particular message, but will not add them to any reply or forward. You need to cut/paste the message into the reply/forward to send these headers.
Richard tells us that with Nettamer, an MS-DOS based email and USENET group reader, you must save the message as an ASCII file; the full header will then be displayed when you open the saved file with your favorite ASCII editor.

At this point, if you are "pushing the envelope" on your ability to figure out how to get that complaint to the correct person, I would suggest joining the Usenet group alt.spam or news.admin.net-abuse.email and posting the message with a title like "Please help me decipher this header". Unfortunately there is no "single" place to complain to about spam (or Unsolicited Commercial Email). Complaints have to be directed to the correct ISP (Internet Service Provider) that the spam originated from. See the section below entitled "Reporting spam".
A URL to help you figure out how to look at the headers:
A little different description of headers:
Also, please look through the body of the message for email addresses to reply to. Complain to the postmasters of those sites also (see below for a list of complaint addresses).

Gregory tells us that, assuming a reasonably standard and recent sendmail setup, a Received line that looks like:
Received: from host1 (host2 [ww.xx.yy.zz]) by host3 (8.7.5/8.7.3) with SMTP id MAA04298; Thu, 18 Jul 1996 12:18:06 -0600
shows four pieces of useful information (reading from back to front, in order of decreasing reliability):
Do not get confused by a "Received: from unknown" portion. The word "unknown" (the first name after "from") can be *anything* and should be ignored; it is whatever the spammer put in the SMTP HELO command when they connected to the SMTP server.
IP portion = 220.127.116.11

Traceroute 18.104.22.168 gives us:

Step Host IP
Find route from: 0.0.0.0 to: 22.214.171.124 (126.96.36.199), Max 30 hops, 40 byte packets
snip
13 acsi-sw-gw.customer.alter.net. (188.8.131.52): 235ms
14 atlant-ga-2.espire.net. (184.108.40.206): 272ms
15 220.127.116.11 (18.104.22.168): 279ms
16 orland-fl-1-a5-0.espire.net. (22.214.171.124): 362ms
17 iag.net.orland-fl-1.espire.net. (126.96.36.199): 195ms
18 d1.s0.gw.dayb.fl.iag.net. (188.8.131.52): 230ms
19 s0.gw.bestnetpc.net. (184.108.40.206): 231ms
20 * * *
21 220.127.116.11 (18.104.22.168): 372ms
See the traceroute section below for how to interpret the "*" (and other codes) that are returned from a traceroute.

Note - if you see something like the following, realize that the only portion you can trust is the address between "([" and "])". The spammer put in the (faked) portion "mail.zebra.net (22.214.171.124)"; the receiving server added the real connecting address in square brackets:

Received: from mail.zebra.net (22.214.171.124) ([188.8.131.52])

Kamiel tells us that you might also want to make sure that the IP is not hosted by an intermediary site. Check it out at:
http://www.arin.net

You should complain to abuse@ or postmaster@ at the domain, i.e. the last two or three words at the end of the host name. In the example above I would complain to firstname.lastname@example.org OR email@example.com (but NOT both sites), since the list of complaint addresses below in this FAQ has no alternate addresses for iag.net or espire.net. Unless it is a "major provider" (someone in the complaint list below), I usually complain to the upstream provider rather than risk complaining to the spammer and being ignored. If you go too far up the chain, however, it may take quite some time for the complaint to filter down to the correct person.
Louise tells us that you are entitled to make an 'alleged' accusation, but to prevent yourself from being liable for libel, prefix your statement with: "Without prejudice: I suspect you are the culprit of such and such."
The constitutional and legal boundary of 'Without prejudice' exempts politicians' opinions spoken publicly, and this prefix is often adopted by Solicitors (English) or Lawyers/Attorneys (USA).

I use:
abuse@XXXXX - Without prejudice, I submit to you that this Unsolicited Commercial Email is from your user XXXX. UCE is unappreciated because it costs my provider (and ultimately myself) money to process, just like an unsolicited FAX. Please look into this. Thank you.

BE SURE to verify the IP address. Windows 95 machines announce their configured machine name in the SMTP HELO; the receiving server records that name as the first "name" after "from" and puts the real IP address after it in brackets. A spammer can therefore claim the legitimate "name" of someone else and get an innocent party in trouble. A spammer at cyberpromo changed their SMTP HELO so that it claimed to be from Compuserve. The Received line looked like the one below, but a quick verification of the IP address 184.108.40.206 showed it was indeed from cyberpromo:
Received: from dub-img-4.compuserve.com (cyberpromo.com [220.127.116.11]) by karpes.stu.rpi.edu

The email below was passed to me through a "mule" (un1.satlink.com [18.104.22.168]): an open relay, i.e. an SMTP server that accepts mail from outside its own domain and forwards it on to outside addresses. The spammer used it to reroute email to me:
Received: from un1.satlink.com (un1.satlink.com [22.214.171.124]) by ddi.digital.net (8.9.1a/8.9.1) with ESMTP id GAA06372; Fri, 27 Nov 1998 06:53:20 -0500 (EST)
Received: from usa.net ([126.96.36.199]) by un1.satlink.com (Netscape Messaging Server 3.54) with SMTP id AAT2FEA; Fri, 27 Nov 1998 08:46:07 -0200
An NSLookup on 188.8.131.52 resolves to user38ld07a.dialup.mindspring.com, so after I complain to mindspring.com I also send the postmaster of the open relay the following:

postmaster@XXXXX - Your SMTP mail server XXXXX was used as a mule to pass this email on to me (and waste your system resources). You can configure your SMTP server to refuse to relay mail that is neither from nor to your own domain, if you wish to. FYI only. For info on how to close your server to relaying, see:
http://maps.vix.com/tsi/

Test for server vulnerability:

http://samspade.org/t/

There are some systems that "claim" to "cloak" email. It is not true. If you receive one that looks like the following:
Received: from relay4.ispam.net (firstname.lastname@example.org) by ddi.digital.net (8.8.5/8.8.5) with ESMTP id KAA28969 for email@example.com; Thu, 26 Jun 1997 10:41:46 -0400 (EDT)
Received: from --- CLOAKED! ---

or

Received: from cerberus.njsmu.com ([184.108.40.206]) by ddi.digital.net (8.8.5/8.8.5) with ESMTP id HAA06250 for firstname.lastname@example.org; Mon, 25 Jan 1999 07:11:18 -0500 (EST)
From: email@example.com
Received: from The.sender.of.this.untracable.email.used.MAILGOD.by.IMI
it still breaks down the same way: the message originated from one of the systems named in the lines above the "CLOAKED" or "untraceable" line, because those lines were written by real servers, while the bogus line was supplied by the sender (in fact the bogus line makes the message stand out and even easier to trace). There is no magic to it. Complain to that provider. If you get no response from the site that spammed, you should ask your provider to no longer allow the above site [220.127.116.11] to connect to your system.
It has been kindly pointed out to me that there is a "feature" (read "bug") in the UNIX mail spool (mbox) format: messages in the spool are separated by a line beginning with "From " (followed by a space), so the person emailing you can append a fake "message" (complete with headers) to the end of their real message simply by putting such a line in the body. The mail reader then thinks you have two messages when the joker who sent the original message only sent one (with a fake message appended). If the headers look *really* screwy, look at the message immediately before the screwy one and consider whether it may be a "joke" message.

There are also IBM mainframes and misconfigured Sun Sendmail machines (SMI-8.6/SMI-SVR4) that do not record the machine they received the SMTP traffic from. You have to route the message (with headers) back to the postmaster at that system and ask them to tell you the IP of the machine that connected to their system for that message.
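The mail-spool trick described above, shown in Python as an added example (not part of this FAQ and not code from any of the mail programs it mentions): a message whose body carries a line beginning with "From " plus a set of fake headers is split in two by a reader that uses the classic "From " separator rule, while a delivery agent that quotes such body lines as ">From " before appending to the spool (the long-standing mbox convention) keeps it as one message. The message, hosts and addresses are constructed for the example.

```python
import re
from typing import List

# Constructed: one real message whose body contains a forged spool separator
# followed by a fake header block.  Addresses and hosts are invented.
RAW_MESSAGE = (
    "Received: from mail.example.org ([203.0.113.10]) by mx.example.net with SMTP id AAA1;"
    " Mon, 16 Nov 1998 18:27:19 -0500\n"
    "From: sender@example.org\nTo: you@example.net\nSubject: looks like two messages\n"
    "\n"
    "Hello.\n"
    "\n"
    "From innocent@example.com Mon Nov 16 18:30:00 1998\n"          # forged "From " separator line
    "Received: from innocent.example.com ([198.51.100.5]) by mx.example.net with SMTP id AAA2;"
    " Mon, 16 Nov 1998 18:30:00 -0500\n"
    "From: innocent@example.com\nSubject: fake second message\n"
    "\n"
    "Still the first message's body.\n"
)
# The genuine separator, written by the local delivery agent when the message arrives.
SEPARATOR = "From sender@example.org Mon Nov 16 18:27:19 1998\n"


def append_naive(spool: str, separator: str, message: str) -> str:
    """Delivery agent that appends the message to the spool verbatim."""
    return spool + separator + message + "\n"


def append_escaped(spool: str, separator: str, message: str) -> str:
    """Delivery agent that quotes body lines which a reader would mistake for a separator."""
    head, blank, body = message.partition("\n\n")          # headers end at the first blank line
    body = re.sub(r"^(>*From )", r">\1", body, flags=re.MULTILINE)
    return spool + separator + head + blank + body + "\n"


def split_mbox(spool: str) -> List[str]:
    """The classic reader rule: a line starting with 'From ' begins a new message."""
    messages: List[List[str]] = []
    for line in spool.splitlines(keepends=True):
        if line.startswith("From ") or not messages:
            messages.append([])
        messages[-1].append(line)
    return ["".join(m) for m in messages]


def apparent_senders(spool: str) -> List[str]:
    """First line of each apparent message: what the reader shows in its index."""
    return [m.splitlines()[0] for m in split_mbox(spool)]
```

Running `apparent_senders` on the naive spool lists two "senders", the second being the innocent party named in the forged separator; on the escaped spool it lists only the real one. When you see the second kind of message in your reader, the FAQ's advice applies: look at the message just before it, because that is where the fake headers really came from.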
An example of a Microsoft Exchange server where the "HELO" name is recorded as the "from" portion (and is completely false). Note also that the bracketed address 192.168.0.254 is a private, non-routable one, so that hop happened inside dpi-conseil.fr's own network:

Received: from dpi.dpi-conseil.fr (dpi.dpi-conseil.fr [18.104.22.168]) by ddi.digital.net (8.9.3/8.9.3) with ESMTP id KAA06614 for firstname.lastname@example.org; Thu, 26 Aug 1999 10:51:31 -0400 (EDT)
Received: from FIREWALL ([192.168.0.254]) by dpi.dpi-conseil.fr with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) id QW11TJV1; Thu, 26 Aug 1999 16:44:38 +0200

It has also been pointed out that someone with an account on your server can telnet back to the mail port (25) on that same server and type in a message by hand. This makes the forgery virtually untraceable from the headers alone, since the only connection recorded is from the server to itself, but as always your admin should be able to find the telnet session in the server's logs. If they telnet to a foreign SMTP server and then use the "name" of a user on that system, it may appear to you that the message came from that user. Be very careful when making assumptions about where the email came from.
Note for AOL users when looking at headers:

If you get double headers at the end of a message (like the below), the spammer has tacked on an extra set of headers to confuse the issue. Ignore everything except the last set of headers. These are the *real* headers.
------------------ Headers --------------------------------
Return-Path: Gloria@me.net
Received: from rly-za05.mx.aol.com (rly-za05.mail.aol.com [172.31.36.101]) by air-za04.mail.aol.com (v51.16) with SMTP; Mon, 16 Nov 1998 19:16:02 1900
Received: from mailb.telia.com (mailb.telia.com [22.214.171.124]) by rly-za05.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0) with ESMTP id TAA05189; Mon, 16 Nov 1998 19:15:53 -0500 (EST)
From: Gloria@me.net
Received: from signal.dk ([126.96.36.199]) by mailb.telia.com (8.8.8/8.8.8) with SMTP id BAA14174; Tue, 17 Nov 1998 01:15:50 +0100 (CET)
Received: from 188.8.131.52 by signal.dk via SMTP (950413.SGI.8.6.12/940406.SGI.AUTO) id AAA28586; Tue, 17 Nov 1998 00:53:13 +0100
Message-Id: 199811162353.AAA28586@signal.dk
Date: Mon, 16 Nov 98 18:27:19 EST
To: Gloria@papa.fujisankei-g.com.jp
Subject: ATTENTION SMOKERS - QUIT SMOKING IN JUST 7 DAYS
Reply-To: Gloria@papa.fujisankei-g.com.jp

------------------- Headers --------------------------------
Return-Path: email@example.com
Received: from rly-yd04.mx.aol.com (rly-yd04.mail.aol.com [172.18.150.4]) by air-yd02.mx.aol.com (v56.14) with SMTP; Mon, 11 Jan 1999 23:54:48 -0500
Received: from phone.net ([184.108.40.206]) by rly-yd04.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0) with SMTP id XAA01327; Mon, 11 Jan 1999 23:51:03 -0500 (EST)
From: firstname.lastname@example.org
To: Someone@aol.com
Date: Tue, 15 Dec 1998 20:54:19 -0600
Message-ID: email@example.com
Subject: Life insurance, do you have it?
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
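Putting the rules of this FAQ together in code, as an added example that is not part of the FAQ or of any mail program it mentions: the small Python header walker below reads the Received: lines newest-first (the sendmail "from host1 (host2 [ip]) by host3" breakdown above), keeps the HELO name, the reverse DNS name and the bracketed IP apart, stops trusting lines once the chain passes through a server that is not yours (so an open relay's claim about who connected to it is reported as hearsay, as in the satlink example), treats RFC 1918 addresses like the Exchange "FIREWALL" line as internal hand-offs, and, for the AOL display above, takes only the last "---- Headers ----" block. The header block, the AOL-style display, the host names and the addresses are all constructed for the example (RFC 5737 documentation and RFC 1918 ranges); the trusted suffix "mx.example.net" stands in for your own provider's servers, and the HELO forgery of a compuserve-looking name is modelled on the cyberpromo example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed header block modelled on the sendmail, open-relay and Exchange lines in this FAQ;
# hosts are invented and the addresses come from the RFC 5737 / RFC 1918 example ranges.
SAMPLE = """\
Return-Path: <sender@example.org>
Received: from rly-yd04.mx.example.net (rly-yd04.mail.example.net [172.18.150.4])
\tby air-yd02.mx.example.net (v56.14) with SMTP; Mon, 11 Jan 1999 23:54:48 -0500
Received: from dub-img-4.compuserve.example (mail.relay-host.example [203.0.113.10])
\tby rly-yd04.mx.example.net (8.8.8/8.8.5) with ESMTP id XAA01327; Mon, 11 Jan 1999 23:51:03 -0500 (EST)
Received: from usa.example ([198.51.100.77])
\tby mail.relay-host.example (Netscape Messaging Server 3.54) with SMTP id AAT2FEA; Mon, 11 Jan 1999 23:50:10 -0500
Received: from FIREWALL ([192.168.0.254]) by usa.example with SMTP
\t(Microsoft Exchange Internet Mail Service Version 5.5.2448.0) id QW11TJV1; Mon, 11 Jan 1999 23:49:00 -0500
From: sender@example.org

body text
"""
# Constructed AOL-style display: a fake block the spammer pasted into the body, then the real one.
AOL_DISPLAY = ("chatter\n------ Headers ------\nReceived: from mailb.telia.example ([192.0.2.9])\n"
               "\tby rly-za05.mx.example.net with ESMTP id TAA05189; Mon, 16 Nov 1998 19:15:53 -0500\n"
               "------ Headers ------\n" + SAMPLE)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Hop:
    helo: str             # name the client announced in HELO/EHLO: it can say anything
    rdns: Optional[str]   # reverse DNS of the connecting address, looked up by the server
    ip: Optional[str]     # the address the server actually saw: the only part worth trusting
    by: Optional[str]     # the server that wrote this line

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"           # HELO name
    r"(?P<paren>(?:\s*\([^)]*\))*)"    # comment(s) the receiving MTA added: rDNS and [IP]
    r".*?\bby\s+(?P<by>[^\s;()]+)",    # the server that wrote the line
    re.DOTALL)
RDNS_RE = re.compile(r"\(\s*([^\s\[\]()]+)\s+\[")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def classify_ip(ip: str) -> str:
    """'internal' for RFC 1918, loopback and link-local only (narrower than ipaddress.is_private,
    so the RFC 5737 documentation addresses used in the sample count as routable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918):
        return "internal"
    return "routable"

def unfold_headers(raw: str) -> List[str]:
    """Join RFC 822 continuation lines; the first blank line ends the header block."""
    lines: List[str] = []
    for line in raw.lstrip().splitlines():
        if not line.strip():
            break
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(value: str) -> Optional[Hop]:
    m = RECEIVED_RE.search(value.strip())
    if not m:                # "--- CLOAKED! ---" and friends: no 'by', nothing usable
        return None
    rd, ipm = RDNS_RE.search(m.group("paren")), IP_RE.search(m.group("paren"))
    return Hop(m.group("helo"), rd.group(1) if rd else None, ipm.group(1) if ipm else None, m.group("by"))

def received_hops(raw: str) -> List[Hop]:
    """Received: lines in header order, i.e. newest (closest to you) first."""
    values = [l.partition(":")[2] for l in unfold_headers(raw) if l.lower().startswith("received:")]
    return [h for h in map(parse_received, values) if h]

def trace_origin(raw: str, trusted_suffixes) -> dict:
    """Walk newest-first while the writing server is one you trust; the last routable [IP]
    recorded by such a server is the host to complain about (the origin or an open relay).
    Everything below the first untrusted server is that server's word, not evidence."""
    suffixes = tuple(s.lower() for s in trusted_suffixes)
    attributable: Optional[Hop] = None
    hearsay: List[Hop] = []
    for hop in received_hops(raw):
        if hearsay or not hop.by or not hop.by.lower().endswith(suffixes):
            hearsay.append(hop)
        elif hop.ip and classify_ip(hop.ip) == "routable":
            attributable = hop
    return {"attributable_ip": attributable.ip if attributable else None,
            "recorded_by": attributable.by if attributable else None,
            "helo_claimed": attributable.helo if attributable else None,
            "helo_forged": bool(attributable and attributable.rdns
                                and attributable.rdns.lower() != attributable.helo.lower()),
            "hearsay_ips": [h.ip for h in hearsay]}

def last_header_block(text: str) -> str:
    """AOL prints headers at the end between '---- Headers ----' rules; a spammer can paste a
    fake block ahead of the real one, so only the last block is the server's own record."""
    blocks = [b.strip() for b in re.split(r"^-+ Headers -+[ \t]*$", text, flags=re.MULTILINE)]
    blocks = [b for b in blocks if b]
    return blocks[-1] if blocks else text.strip()
```

On the constructed sample, `trace_origin(SAMPLE, ("mx.example.net",))` names 203.0.113.10 as the address to complain about, recorded by rly-yd04.mx.example.net, flags the compuserve-looking HELO as not matching the reverse DNS, and lists 198.51.100.77 and 192.168.0.254 as hearsay reported by the relay. Feeding it the first (fake) AOL block instead would happily "attribute" the mail to 192.0.2.9, which is exactly why the last block is the one to read.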