
Tracing the Senders through Headers
Junk mailers are the equivalent of parasites and terrorists to the Internet. Many have become technically savvy in their pursuit of a fast buck at your expense. Luckily, the same Internet tools junk mailers use to flood e-mailboxes can be used to track them down and report them to their service providers.
The most important and useful thing in a piece of junk mail is the collection of information lines called the headers. On Internet mail systems, the headers appear at the top of a piece of e-mail (hence the name).
If you get a piece of junk mail you should take a minute to read the Internet headers to confirm the origin before you forward the message as a complaint to the junk mailer’s Internet Service Provider (ISP).
The Internet mail headers may look like a mess to start with, but after you’ve spent a little time deciphering the headers you will see how the headers are actually intelligible.
For the purpose of tracking down a junk mailer, we want to look at the "Received:" lines. Think of these lines as a history of where the mail message has been in its journey from the junk mailers to you. A sample set of junk mail headers is below:
Received: from dns (dns.bull.ch [194.206.210.2]) by ixmail9.ix.netcom.com (8.8.7-s-4/8.8.7/(NETCOM v1.01)) with SMTP id MAA12969; Wed, 22 Oct 1997 12:43:15 -0700 (PDT)
From: suzy1@aol.com
Received: from blow (66.bridgeton-03.mo.dial-access.att.net [12.66.34.66]) by dns (8.6.12/8.6.12) with SMTP id VAA84864; Wed, 22 Oct 1997 21:44:54 +0200
Date: Wed, 22 Oct 1997 21:44:54 +0200
Received: from login_0122.ybecker.net (mail.ybecker.net[204.126.205.203]) by suzy1@aol.com (8.8.5/8.7.3) with SMTP id XAA07565 for suzy1@aol.com; Wed, 22 October 1997 14:35:52 -0700 (EDT)
To: suzy1@aol.com
Subject: Have some fun
Reply-To: suzy1@aol.com
X-PMFLAGS: 20720340.50
X-UIDL: 20720340_201230.501
Comments: Authenticated Sender is <suzy1@aol.com>
Message-Id: <6245691_14093503>
Step one in tracing the sender is to follow the path the e-mail took to get to your computer. Do this by reading the Received lines from top to bottom. The lines above can be read as follows:
1. The recipient (who in this case is a Netcom user, on the computer called "ixmail9.ix.netcom.com") had the mail delivered to his mailbox on Netcom by a computer called "dns.bull.ch", which uses the shortcut name "dns".
2. The computer called "dns" received a piece of mail from the computer "66.bridgeton-03.mo.dial-access.att.net", which calls itself "blow".
What about the last Received line? It tries to say that suzy1@aol.com received a piece of e-mail from the machine "mail.ybecker.net". This simply isn’t true, and the first two Received lines tell us why. Notice that there is an unbroken trace between "66.bridgeton-03.mo.dial-access.att.net" and "ixmail9.ix.netcom.com", but there’s no link at all between "mail.ybecker.net" and "66.bridgeton-03.mo.dial-access.att.net"!
Valid AOL mail will have a short, verifiable Received path directly from a resolvable host within AOL.COM to your mail host.
Now you’ve read the "Received" lines to find the last link in the unbroken chain of computers used to send the junk mail. You need to decide whether the computer listed there is the one the junk mailer used to send the mail, or a third party used to pass the mail on, one which doesn’t follow proper Internet protocol and fully identify itself and the computer that asked it to send mail.
In most cases, especially if the computer is in the USA or Canada, it was the one used by the junk mailer to send the junk mail. If the computer was elsewhere, however, it’s not always possible to tell. A good rule of thumb is that if the computer name ends in ".com", ".net", ".edu" or ".org", it was actually used by the junk mailer.
Assuming you’ve found the actual sender site, you should forward the complete message to the site’s administrators so they can track down the responsible user and either terminate their access or take some other form of disciplinary action. Generally speaking you will want to address the mail to "abuse" at the last two words in the computer name – for example, in the case of this message, you would send it to abuse@att.net because the last two words in "66.bridgeton-03.mo.dial-access.att.net" are "att.net".
This can also get complicated to figure out sometimes. You may want to contact the mail administrator or the abuse team at your ISP for help with this process.
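The steps above (read the Received lines top to bottom, stop at the first hop whose "by" host does not match the previous hop's "from" host, then build the abuse address from the last two words of the sender's host name) can be automated. The following Python script is an added example, not part of this FAQ; the header text it parses is the FAQ's own sample, and the function and class names (unfold_headers, parse_received, trace_chain, abuse_address, Hop) are chosen here for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The sample junk-mail headers from the FAQ above (only the fields the trace needs).
SAMPLE_HEADERS = """\
Received: from dns (dns.bull.ch [194.206.210.2]) by ixmail9.ix.netcom.com (8.8.7-s-4/8.8.7/(NETCOM v1.01)) with SMTP id MAA12969; Wed, 22 Oct 1997 12:43:15 -0700 (PDT)
From: suzy1@aol.com
Received: from blow (66.bridgeton-03.mo.dial-access.att.net [12.66.34.66]) by dns (8.6.12/8.6.12) with SMTP id VAA84864; Wed, 22 Oct 1997 21:44:54 +0200
Date: Wed, 22 Oct 1997 21:44:54 +0200
Received: from login_0122.ybecker.net (mail.ybecker.net[204.126.205.203]) by suzy1@aol.com (8.8.5/8.7.3) with SMTP id XAA07565 for suzy1@aol.com; Wed, 22 October 1997 14:35:52 -0700 (EDT)
To: suzy1@aol.com
Subject: Have some fun
"""


@dataclass
class Hop:
    """One Received line: who handed the mail over ("from") and who took it ("by")."""
    helo: str            # name the sending machine called itself
    rdns: Optional[str]  # name the receiving server looked up for it, if any
    ip: Optional[str]    # address the receiving server saw, if any
    by: str              # the receiving server


# "from <helo> (<rdns> [<ip>]) by <host> ..." -- the comment with rdns/ip is optional.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining folded continuation lines."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the headers
        if line[0] in " \t" and fields:  # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> Optional[Hop]:
    m = HOP_RE.match(value)
    if not m:
        return None
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"])


def trace_chain(raw: str) -> Tuple[List[Hop], List[Hop]]:
    """Return (all hops top to bottom, the hops that form an unbroken chain).

    Each hop's "by" host must be the machine named as "from" in the hop above it;
    the first hop that fails this test (and everything below it) is untrusted.
    """
    hops = [h for name, v in unfold_headers(raw)
            if name.lower() == "received" and (h := parse_received(v)) is not None]
    trusted: List[Hop] = []
    for hop in hops:
        if trusted:
            prev = trusted[-1]
            if hop.by.lower() not in {prev.helo.lower(), (prev.rdns or "").lower()}:
                break  # chain is broken here: this and later lines were forged
        trusted.append(hop)
    return hops, trusted


def sender_host(trusted: List[Hop]) -> str:
    """The last link in the unbroken chain; prefer the looked-up name over the HELO name."""
    last = trusted[-1]
    return last.rdns or last.helo


def abuse_address(host: str) -> str:
    """FAQ rule of thumb: 'abuse' at the last two words of the host name."""
    labels = host.rstrip(".").split(".")
    return "abuse@" + ".".join(labels[-2:])


if __name__ == "__main__":
    hops, trusted = trace_chain(SAMPLE_HEADERS)
    print(f"{len(hops)} Received lines, {len(trusted)} form an unbroken chain")
    for i, h in enumerate(hops, 1):
        print(f"  {i}. from {h.rdns or h.helo} by {h.by}")
    host = sender_host(trusted)
    print(f"sender host: {host}\nreport to:   {abuse_address(host)}")
```

On the FAQ's sample the script keeps the first two hops, stops at the third (its "by suzy1@aol.com" matches neither "blow" nor "66.bridgeton-03.mo.dial-access.att.net"), names the att.net dial-up host as the sender, and produces abuse@att.net. The last-two-words rule is the FAQ's own and only fits names such as .com or .net; for a host under a country-code domain such as example.co.uk it would yield abuse@co.uk, which is the kind of case the FAQ suggests taking to your ISP's abuse team.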
If you would like to suggest additions to this page, or if you have general comments regarding this page, you can send e-mail to PMFAQ@aol.net.