How To Determine The Origin Of Spam?
Spam will continue spreading as far as it makes profit. If nobody buys from spammers or acts upon their scams, spam will end. This is the obvious and easiest way to fight spam. You can ignore and delete spam emails you receive. But you can also take vengeance on the spammer by complaining to the spammer's Internet Service Provider (ISP). The ISP will block their connection and maybe impose a fine (depending on the ISP's acceptable usage policy).
Spammers beware of such complaints and try to disguise their messages. That's why finding the right ISP is not always easy. Let’s look inside a spam message. Every email message includes two parts, the body and the header. The body is the actual message text and attachments.
The header is a kind of the envelope of the message. The header shows the address of the message sender, the address of the message recipient, the message subject and other information. Email programs usually display these header fields: From: shows the sender's name and email address. To: shows the recipient's name and email address. Date: shows the date when the message was sent. Subject: shows the message subject. The From: field usually contains the sender's email address. This lets you know who sent the message and allows you easily reply. Spammers, of course, don’t want you to reply and don’t want you to know who they are. Therefore, they put forged email addresses into the From: lines of their emails.
So the From: field won’t help you if you want to determine where the spam email comes from. Tip! With G-Lock SpamCombat you can easily preview not only the message text but also all the fields of the message header . You can choose the preview format by yourself. You can view the message as HTML, decoded message, or message source.There are also several Received: fields in the header of every message. Email programs don’t usually display the Received: lines but the Received: lines can be very helpful in tracing the spam origin. Just like a postal letter goes through a number of post offices before it’s delivered to the recipient, an email message is processed by several mail servers. Each mail server adds a line to the message header – a Received: line – which contains - the server name and IP address of the machine the server received the message from and - the name of the mail server itself. Each Received: line is inserted at the top of the message header. If we want to reproduce the message’s path from sender to recipient, we start from the topmost Received: line and walk down until the last one, which is where the email originated.
Just like the From: field the Received: lines may contain forged information to fool those who would want to trace the spammer. Because every mail server inserts the Received: line at the top of the header, we start the analysis from the top. The Received: lines forged by spammers usually look like normal Received: fields. We can hardly tell whether the Received: line is forged or not at first sight. We should analyze all the Received: lines chain to find out a forged Received: field. As we mentioned above, every mail server registers not only its name but also the IP address of the machine it got the message from. We simply need to look what name a server puts and what the next server in the chain says. If the servers don’t match, the earlier Received: line is forged. The origin of the email is what the server immediately after the forged Received: line says about where it received the message from. Let's see how determining of the spam email origin works in real life.
Here is the header of a spam message we’ve recently received: ************************************************** Return-Path: Delivered-To: email@example.com Received: from unknown (HELO 60.139.96) (221.200.158) by mail1.myserver.
Zone Labs Articles
Zone Labs Books