[Tutorial] About spam/tracing e-mail & How to avoid spam

Networking/Security Forums -> Anonymity // Privacy // Spam

Author: ShaolinTiger (Kuala Lumpur, Malaysia) | Posted: Sat May 11, 2002 4:33 am | Subject: [Tutorial] About spam/tracing e-mail & How to avoid spam
Using a case study of an e-mail I got; it's not really spam, but it's sort of.

The first rule is NEVER reply to spam, NEVER click the unsubscribe link and NEVER e-mail to the unsubscribe address.

These are simply underhand tactics to get 'active' e-mail addresses.

Some other tips to avoid getting spammed in the first place:

1) Never use your real e-mail address in newsgroups; this is the best place to get picked up by a spam bot. Use something like john-no-spam@i.hate.spam-btopenworld.com

Then in your signature put "remove -no-spam and i.hate.spam- to reply".

2) Never put your e-mail address on a publicly viewable web page, as it will be spidered by Google and grabbed by spammers.

If you do need to put an e-mail address use the simple JavaScript below to protect it:


<script type="text/javascript">
<!-- Begin Shaolin Tiger E-mail Saver
// The address is kept in pieces so the literal string "john@btopenworld.com"
// never appears in the page source, which is what a harvesting bot reads.
var randomword = "john";             // local part of the address
var randomword2 = "btopenworld.com"; // domain part of the address
var append = "?Subject=Enquiry&Body=Please%20Insert%20Your%20Message%20Here.";

// The mailto: link is only assembled when the browser renders the page.
document.write('<a href="mailto:' + randomword + '@' + randomword2 + append + '">');
document.write(randomword + '@' + randomword2 + '</a>');
// End -->
</script>

3) If you do put your e-mail address anywhere try and obscure it in some way.

4) Create a disposable e-mail address (Hotmail or Yahoo) that you rarely check for signing up to web sites. Most commercial sites will bombard you with spam after you've signed up for whatever services they are offering. Some also sell your address to list makers or other spammers, so never give your *real* e-mail address to anyone except people you want to e-mail you.

If you follow all of these you won't get any spam. My Yahoo account, which I made when I was Internet-naive, gets about 20-30 spams a day, just from signing a few guestbooks with my real e-mail address and putting it on my first home page.

Now that I follow the above rules, I don't get any.

If you do get some, follow below:

In this example youremail@yourdomain.com = Your e-mail address.

Find the full headers of the message, headers can be found in the message source in Outlook Express.

Headers look like this:


Return-Path: <nobody@letters.ezinehub.com>
Delivered-To: securityforumsco-admin@
Received: (qmail 94940 invoked by uid 1373); 2 May 2002 20:16:38 -0000
Delivered-To: youremail@yourdomain.com
Received: (qmail 94937 invoked from network); 2 May 2002 20:16:37 -0000
Received: from unknown (HELO letters.ezinehub.com) (
  by ns1.dc-hosting.net with SMTP; 2 May 2002 20:16:37 -0000
Received: (from nobody@localhost)
   by letters.ezinehub.com (8.11.6/8.9.3) id g42KKTr28012;
   Thu, 2 May 2002 16:20:29 -0400
Date: Thu, 2 May 2002 16:20:29 -0400
Message-Id: <200205022020.g42KKTr28012@letters.ezinehub.com>
To: youremail@yourdomain.com
From: support@exactseek.com
Subject: Important ExactSeek site listing information.

The main things you want to look for are:

1) The e-mail address it originated from (Most likely spoofed)

From: support@exactseek.com

2) The server used to send it (Most likely an open relay)

by letters.ezinehub.com (8.11.6/8.9.3) id g42KKTr28012

3) The IP address it originated from (Usually unspoofed, often encoded or hidden)

(HELO letters.ezinehub.com) (

In this case, as this resulted from a search engine submission, the SMTP server and the sender's IP are the same.

Generally they would be different.

The next stage is to find the upstream provider of the SMTP server and the originating IP. Also take note of the domain the e-mail appeared to come from.

For this we would use Sam Spade or something similar.

If you are using Win2k you can just use tracert (Trace Route) from the command line.

As Sam Spade is down for maintenance at the moment, I will use tracert in this example.

Result of tracert on letters.ezinehub.com

1 160 ms 160 ms 161 ms
2 240 ms 181 ms 140 ms
3 161 ms 180 ms 160 ms
4 160 ms 160 ms 180 ms
5 160 ms 160 ms 160 ms sl-gw10-lon-8-0.sprintlink.net []
6 160 ms 160 ms 161 ms sl-bb21-lon-8-0.sprintlink.net []
7 220 ms 241 ms 240 ms sl-bb20-msq-10-0.sprintlink.net []
8 340 ms 240 ms 241 ms sl-bb20-rly-15-1.sprintlink.net []
9 240 ms 241 ms 240 ms sl-gw19-rly-9-0.sprintlink.net []
10 240 ms 241 ms 240 ms sl-affinity-11-0-0.sprintlink.net []
11 240 ms 240 ms 241 ms core2a.balt.skynetweb.com []
12 241 ms 240 ms 240 ms ezinehub.com []

As can be seen the upstream provider is sprintlink.net and the web host most likely skynetweb.com.

This should be repeated for the provider of both the originating IP address and the SMTP server used.

The next step is to e-mail all of these people using the e-mail I constructed below:

ShaolinTiger wrote:

The following COMMERCIAL UNSOLICITED E-MAIL was received by myself at the non-published, non-used address youremail@yourdomain.com. Please educate your users that this is spam and can clog people's mailboxes and subject them to criminal prosecution.

In some states, it falls under the definition of illegal faxing without the recipient's permission. (Device having a computer, modem, and printer and capable of printing images. USC 47.5.II.227. Fine: $500 per recipient.)

In some countries, notably England, it falls under the Criminal Statutes regarding unauthorized alteration of computer data or theft of computer resources. (Theft of access time and disk space.)

Anyone affiliated to this person and/or company can be held responsible as an ACCESSORY to these CRIMINAL ACTIONS!

EDUCATE your Users or cut them off at the phone line!

E-mail this to abuse@, spam@ and postmaster@ at all the ISPs/web hosts/service providers you identified using traceroute or Sam Spade.

E.g. in this case abuse@sprintlink.net; spam@sprintlink.net etc.

Include the full e-mail with full headers, proof of traceroutes and so on.

Stop the spammer; they are wasting everyone's bandwidth.

I will update this document whenever I think of something to add to it, or something new comes up.

Any comments/suggestions are welcome and if you don't understand any of it ask and I will clarify.

© ShaolinTiger 2002

Last edited by ShaolinTiger on Tue May 14, 2002 8:24 pm; edited 4 times in total

Author: TinTin | Posted: Sun May 12, 2002 2:00 am | Subject: Spam
Thanks Shaolin. I hate spammers!

Author: ciel (Lyon, France) | Posted: Sun May 12, 2002 7:15 pm | Subject: Thanks

Thanks for this help; I have added a link to your post in my own forums, as I think it would be helpful for other people.


Last edited by ciel on Fri Sep 16, 2005 12:59 am; edited 1 time in total

Author: TinTin | Posted: Sun May 19, 2002 6:59 pm | Subject: Hate Mail
Just been reading BC; it seems that Cab is the latest target.

Have posted a response to him, to tell him to log on here and read this!

Author: LexyLou (On Top) | Posted: Sun Sep 15, 2002 3:31 am | Subject: topic
How do you trace an e-mail when certain information has been removed or cleverly hidden?

Author: ShaolinTiger (Kuala Lumpur, Malaysia) | Posted: Mon Feb 24, 2003 7:51 pm
Found a site about e-mail, the ultimate e-mail site.

Got plenty of info about tracing here:


It's a great site with everything about e-mail.


Author: catwoman (Edinburgh, Scotland) | Posted: Sat Mar 01, 2003 12:50 pm
I think I need to learn a lot more about computers before I put this into action!

Catwoman... woefully ignorant

Author: Ipsec Espah | Posted: Wed Mar 03, 2004 2:00 am
Some spammers now use web bugs by including HTML code like this:

<p><img border="0" src="http://www.spammer.com/open_email.asp?reference=######"
width="275" height="63"></p>

This uses ASP to gather info about you and finally redirects to an image. Not only does it get info about you, but it also verifies your e-mail address, which results in more spam.

My usenet email addy is bounce@ which supposedly screws up the bots. The more people that use it the better.
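The web bug quoted above is an image whose URL carries a per-recipient identifier: the moment a mail client fetches it, the spammer's server learns that the address is live, plus the reader's IP address, client and the time. The scanner below, an added example rather than code from the post, walks the `<img>` tags of an HTML body and reports every one that would fetch from a remote server, noting the tell-tales (a query-string token, a script endpoint such as `.asp` rather than an image file, a 1x1 pixel). The sample body is constructed for this example; `spammer.example`, its paths and the token `8f3a91c2` are made up, modelled on the tag in the post.

```python
"""Find tracking images ("web bugs") in an HTML e-mail body.

Added example, not code from the forum post. The sample body is constructed
around the <img src="...open_email.asp?reference=..."> tag quoted there;
spammer.example and every path and token in it are made up.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one visible tracked image, one tracking pixel, one
# inline (cid:) image that lives inside the message and fetches nothing.
SAMPLE_HTML = """
<html><body>
<p>Dear customer,</p>
<p><img border="0" src="http://www.spammer.example/open_email.asp?reference=8f3a91c2"
width="275" height="63"></p>
<p>Buy now! <a href="http://www.spammer.example/buy?reference=8f3a91c2">Click here</a></p>
<img src="http://cdn.spammer.example/px.gif?u=8f3a91c2" width="1" height="1">
<img src="cid:logo@local" alt="our logo">
</body></html>
"""

SCRIPT_SUFFIXES = (".asp", ".aspx", ".php", ".cgi", ".jsp")


class WebBugFinder(HTMLParser):
    """Collect every <img> whose loading would tell a remote server you opened the mail."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are carried in the message and do not phone home
        # Any remote fetch leaks your IP, client and the time you opened the mail;
        # the extra reasons show that the fetch is also keyed to *you*.
        reasons = ["remote image fetch"]
        params = parse_qs(url.query)
        if params:
            reasons.append("per-recipient token in %s" % ",".join(sorted(params)))
        if url.path.lower().endswith(SCRIPT_SUFFIXES):
            reasons.append("script endpoint, not an image file")
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("invisible 1x1 pixel")
        self.hits.append({"src": src, "host": url.hostname, "params": params, "reasons": reasons})


def find_web_bugs(html):
    """Return one record per remote <img>, in document order."""
    finder = WebBugFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def tracking_tokens(html):
    """The identifiers the spammer would learn are 'live' if the images were loaded."""
    tokens = set()
    for hit in find_web_bugs(html):
        for values in hit["params"].values():
            tokens.update(values)
    return tokens
```

`find_web_bugs(SAMPLE_HTML)` flags the two remote images and skips the `cid:` logo; `tracking_tokens` shows that both carry the same identifier, which is the value that ties the fetch back to one address on the spammer's list. The practical defence is the one mail clients adopted later: do not fetch remote images from untrusted senders at all, because even a plain, token-free image reveals that the message was opened.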

Author: ZCorker | Posted: Sun Mar 07, 2004 8:46 pm | Subject: Tracing the real McCoy vs spoofed e-mail
Below is a partial header (lowest link in heading) from a spammer that sends out info on Viagra. Would you please advise me how to trace the "real e-mail" of the spammer?

I am not planning on reporting the spammer to his IP or anyone else. I have not had much success with this technique and instead have a special surprise for the spammer.

Spammer's address appears to be spoofed.

Received: from c-g-s.demon.co.uk (186-190-89-200.fibertel.com.ar [])
by mx05.nyc.untd.com with SMTP id AABAEYT7WAFD94XJ
(sender <kelliej.drummondbe@aol.com>);
Sun, 7 Mar 2004 08:03:00 -0800 (PST)

What is the real e-mail address of the spammer? The SpamCop report alleges the following:

From: "Kellie J. Drummond" <kelliej.drummondbe@aol.com>
To: x, x, x,
Date: Sun, 07 Mar 2004 12:18:45 +0000
Subject: You will never know if don't try it!
Message-ID: <GNAD_______________________________________ndbe@aol.com>
Received: from mx05.nyc.untd.com (mx05.nyc.untd.com [])
by maildeliver19.lax.untd.com with SMTP id AABAEYT7XAABYXA2
for <x> (sender <kelliej.drummondbe@aol.com>);
Sun, 7 Mar 2004 08:03:01 -0800 (PST)
Received: from c-g-s.demon.co.uk (186-190-89-200.fibertel.com.ar [])
by mx05.nyc.untd.com with SMTP id AABAEYT7WAFD94XJ
(sender <kelliej.drummondbe@aol.com>);
Sun, 7 Mar 2004 08:03:00 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-ContentStamp: 1:1:1980731145
Return-Path: <kelliej.drummondbe@aol.com>

Parsing header:

Received: from mx05.nyc.untd.com (mx05.nyc.untd.com []) by maildeliver19.lax.untd.com with SMTP id AABAEYT7XAABYXA2 for <x> (sender <kelliej.drummondbe@aol.com>); Sun, 7 Mar 2004 08:03:01 -0800 (PST) found
host (getting name) no name discarded

Received: from c-g-s.demon.co.uk (186-190-89-200.fibertel.com.ar []) by mx05.nyc.untd.com with SMTP id AABAEYT7WAFD94XJ (sender <kelliej.drummondbe@aol.com>); Sun, 7 Mar 2004 08:03:00 -0800 (PST) found
host (getting name) = 186-190-89-200.fibertel.com.ar.
host 186-190-89-200.fibertel.com.ar (checking ip) =
Possible spammer: is not an MX for 186-190-89-200.fibertel.com.ar
host 186-190-89-200.fibertel.com.ar (checking ip) =
Received line accepted

Tracking message source:
Routing details for
[refresh/show] Cached whois for : noc@fibertel.com.ar
Using abuse net on noc@fibertel.com.ar
abuse net fibertel.com.ar = spamming@fibertel.com.ar
Using best contacts spamming@fibertel.com.ar
Yum, this spam is fresh!
listed in dnsbl.njabl.org ( )
listed in dnsbl.njabl.org ( ) is an open proxy
not listed in plus.bondedsender.org
not listed in query.bondedsender.org

Finding links in message body
Parsing text part
no links found

Please make sure this email IS spam:
From: "Kellie J. Drummond" <kelliej.drummondbe@aol.com> (You will never know if don't try it!)
Buy Viagra and Cialas Aka "Super Viagra"..The Viagra that last all weekend!..
and other good prescriptions... Next-Day Fedex ...

Report Spam to:

Re: (Administrator of network where email originates)
To: spamming@fibertel.com.ar

Re: (Third party interested in email source)
To: Cyveillance spam collection
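The two header samples in this thread, the ezinehub message in ShaolinTiger's tutorial and the Viagra message above, illustrate the same method: read the Received: lines from the bottom up, stop at the first one written by a server you actually trust (your own provider's MX), and treat everything below it as a claim the sender could have typed. The script below is an added example, not code from any post here; it parses both qmail-style (`from unknown (HELO x) (ip)`) and sendmail-style (`from x (rdns [ip])`) lines, finds that origin hop, and reports the tell-tales the thread discusses (no reverse DNS, HELO not matching rDNS, a From: domain unrelated to the connecting host). The two sample messages are constructed: they copy the header layout quoted in the posts but use RFC 5737 documentation addresses, because the real IPs did not survive on the page. `trusted_suffixes` is an assumption you supply: the DNS suffix of your own provider's mail servers.

```python
"""Walk an e-mail's Received: chain to find where it entered the mail system.

Added example for this thread, not code from any post in it. Both samples
are constructed: they copy the layout of the headers quoted by ShaolinTiger
and ZCorker but use RFC 5737 documentation addresses.
"""
import re
from email import message_from_string

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample 1: the ezinehub message from the tutorial (qmail-style hops).
SAMPLE_EZINEHUB = """\
Received: (qmail 94937 invoked from network); 2 May 2002 20:16:37 -0000
Received: from unknown (HELO letters.ezinehub.com) (203.0.113.10)
  by ns1.dc-hosting.net with SMTP; 2 May 2002 20:16:37 -0000
Received: (from nobody@localhost)
   by letters.ezinehub.com (8.11.6/8.9.3) id g42KKTr28012;
   Thu, 2 May 2002 16:20:29 -0400
From: support@exactseek.com

body
"""

# Constructed sample 2: ZCorker's message (sendmail-style hops, forged HELO).
SAMPLE_VIAGRA = """\
Received: from mx05.nyc.untd.com (mx05.nyc.untd.com [198.51.100.5])
    by maildeliver19.lax.untd.com with SMTP id AABAEYT7XAABYXA2; Sun, 7 Mar 2004 08:03:01 -0800 (PST)
Received: from c-g-s.demon.co.uk (186-190-89-200.fibertel.com.ar [203.0.113.77])
    by mx05.nyc.untd.com with SMTP id AABAEYT7WAFD94XJ; Sun, 7 Mar 2004 08:03:00 -0800 (PST)
From: "Kellie J. Drummond" <kelliej.drummondbe@aol.com>

body
"""


def parse_received(value):
    """Split one Received: header into helo / rdns / ip / by.

    The HELO name is whatever the connecting client claimed; only the IP was
    observed by the receiving server, so it is the one field it cannot forge.
    """
    text = " ".join(value.split())  # fold continuation lines
    hop = {"kind": "local", "helo": None, "rdns": None, "ip": None, "by": None}
    m = re.match(r"\(?from\s+(\S+?)\)?(?:\s+(.*))?$", text)
    if not m:
        return hop  # bookkeeping line such as "(qmail 94937 invoked from network)"
    name, rest = m.group(1), m.group(2) or ""
    m_by = re.search(r"\bby\s+([\w.-]+)", rest)
    hop["by"] = m_by.group(1) if m_by else None
    if "@" in name:
        return hop  # local submission such as "(from nobody@localhost)"
    hop["kind"] = "smtp"
    sender_part = rest.split(" by ", 1)[0]  # just the clause describing the client
    m_helo = re.search(r"\(HELO\s+(\S+?)\)", sender_part, re.I)
    if m_helo:  # qmail format: from <rdns|unknown> (HELO <helo>) (<ip>)
        hop["helo"] = m_helo.group(1)
        hop["rdns"] = None if name.lower() == "unknown" else name
    else:       # sendmail format: from <helo> (<rdns> [<ip>])
        hop["helo"] = name
        m_rdns = re.search(r"\(([\w.-]+)\s*\[", sender_part)
        hop["rdns"] = m_rdns.group(1) if m_rdns else None
    m_ip = IPV4_RE.search(sender_part)
    hop["ip"] = m_ip.group(0) if m_ip else None
    return hop


def hops_in_order(raw_message):
    """Each relay prepends its Received: line, so the last one is the earliest hop."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def find_origin(raw_message, trusted_suffixes):
    """Earliest hop written by a server you trust (your own provider's MX).

    Lines below it were written by machines the sender controlled and may be
    forged outright; the connecting IP in this hop is the first real fact.
    """
    for hop in hops_in_order(raw_message):
        if hop["kind"] == "smtp" and hop["by"] and hop["by"].endswith(tuple(trusted_suffixes)):
            return hop
    return None


def anomalies(raw_message, trusted_suffixes):
    """The tell-tales the thread discusses, checked against the origin hop."""
    origin = find_origin(raw_message, trusted_suffixes)
    if origin is None:
        return ["no Received: line written by a trusted server"]
    notes = []
    if origin["rdns"] is None:
        notes.append("connecting IP %s has no reverse DNS" % origin["ip"])
    elif origin["helo"].lower() != origin["rdns"].lower():
        notes.append("HELO %s does not match rDNS %s" % (origin["helo"], origin["rdns"]))
    sender = message_from_string(raw_message)["From"]
    from_domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    if not any(h.lower().endswith(from_domain) for h in (origin["helo"], origin["rdns"]) if h):
        notes.append("From: domain %s has no link to origin %s" % (from_domain, origin["ip"]))
    return notes
```

`anomalies(SAMPLE_VIAGRA, ["untd.com"])` reports that the HELO `c-g-s.demon.co.uk` does not match the reverse DNS `186-190-89-200.fibertel.com.ar`, and that `aol.com` has no connection to the connecting host, which is why the From: address answers nothing: the only facts are the IP your provider logged and the timestamp, and those (with the full headers) are what the abuse desk for that IP's network needs. Two caveats: the trusted-suffix test assumes your provider's relays share a DNS suffix, and a HELO/rDNS mismatch is a lead rather than proof, since misconfigured but legitimate servers produce it too.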

Author: PhiBer (Your MBR) | Posted: Mon Mar 15, 2004 10:07 pm
We are currently adding a spam filter box to our organization.

Last edited by PhiBer on Tue Mar 16, 2004 10:12 pm; edited 2 times in total

Author: cisco student (SFDC USA: Chico, California) | Posted: Tue Mar 16, 2004 1:20 am
I personally like the idea of having a network spam/virus e-mail filter hardware box at my border; this uses blacklists to block spam before the end user receives it. Thanks ST for another great post. I would like to add something to the part about never clicking the unsubscribe link: if you click that, they will know that it is a valid e-mail account and will send you more crap. Most spammers just use random addresses to send their spam to.

Author: ChrisM | Posted: Tue Apr 20, 2004 5:11 am
Well I happened to put my email on a publicly viewed site so what do I do to rid myself of the spam?

Author: Fool (SC, USA) | Posted: Tue Aug 24, 2004 12:09 am
Just read the document...looks pretty nice and informing. Thanks for the great read mate.

Author: Security Hobbit | Posted: Tue Aug 24, 2004 10:53 am
Presentation at BlackHat 2004 you might find interesting. I really wish they had the audio too.

Curtis Kret
Nobody’s Anonymous—Tracking Spam and Covert Channels

It is more about recognizing spam emails, spam motivations and general forensics, _not_ prevention. Also covers spam as covert channels, criminal scams, etc...


Author: vjy | Posted: Tue Aug 24, 2004 1:45 pm
Hi guys,
The tutorial and the follow-ups were excellent. I have a problem; I am not sure if it's relevant here, but I am not sure where else to post it.
I receive many junk mails in my Yahoo account, like undeliverable messages with attachments, but I haven't opened the attachments or the mails even once. I am not sure how I am getting the e-mails, since I have not sent the mails at all.
Kindly let me know what to do. It's very annoying.

Author: Ex0dus (Down Under) | Posted: Fri Nov 18, 2005 3:02 am
Those would be just viruses. It is common for virus attachments to be sent with e-mails saying "your password has been changed" and "undeliverable messages", all of which try to entice you into opening the attachment.

True bounce-back e-mails will never have attachments; they instead will just insert text in the bounce-back e-mail.

output generated using printer-friendly topic mod, All times are GMT + 2 Hours
