Get that spammer!

A tool for tracking down junk e-mailers, junk news posters and their internet service providers.

Keywords: net abuse, junk email, spam, emp, excessive multi posting, velveeta, ecp, excessive cross posting, udp, usenet death penalty, aup, acceptable use policy, tos, terms of service, t&c, terms & conditions


Feedback: (NO JUNK EMAIL)

Goto: Tools, ISP's, Links, Instructions, Suggestions, Why?, How to advertise, Complaint


Do on

Other web TRACEROUTE's, Other WHOIS servers & DIG list hosts in domain


Internet Service Providers - Does Your Acceptable Use Policy:

A good AUP saves you time and aggravation. For details see an informative article by Chris Lewis.
For examples see MCI's T&C & other terms & conditions, terms of service, & acceptable use policies.

Other things an ISP can do





  1. Step one is to look at all the headers of the message. News/email readers normally show only a subset of the available headers to avoid screen clutter. Select the option that makes the hidden headers visible. In Netscape select Options/Show all headers, in Pegasus or Pine press H and in VM press t. Other news/email readers have similar options.

  2. Important headers are:

    All contain a network host name that may give you a clue as to who the spammer is. However, any or all of them may be faked. It is common for spammers to send email from a throwaway account at one site and solicit replies at other sites, so you may need to track down two or more network locations. Make a list of all host names mentioned in the headers and in the body of the message. These are the parts to the right of the @ sign in email addresses, between // and / in web links, in the last Received: header and at the right end of the Path: between !'s.

    Path: gives the list of hosts a news item passed through, from the poster's site at the right end to get to your site at the left end. One or more entries on the right end may be faked so you may need to cooperate with others to track down which host in the Path: list the message was injected at. Like the Path: header Received: headers are a list of sites the message passed through in reverse order but with only one host name per header. Again, the bottom entries (earlier timewise) in the Received: list may be faked. Even with normal, non-faked operation not all hosts or network routers a message passes through are recorded in the Path: or Received: headers. Use TRACEROUTE (described below) to get a more complete list.

  3. Host names usually have machine name and domain name parts. For example has a machine name of kryten and domain name of (engineering faculty, monash university, education sector, australia) with larger domains, and au. Look at your list of host names and see if you can add some local domain names to the list by stripping machine names from host names. This is a trial and error procedure and may not always give a valid result.

    A couple of traps: The domain <something> is really and <something> is really

  4. Some of the host/domain names you've discovered may actually be a numerical network IP address eg. kryten's is Use DIG ipaddress->hostname to find a host name given an IP address and use DIG hostname->ipaddress to find an IP address given a host name. Add any new host/domain names discovered to your list. IP addresses can have zero, one or several host names. Host names can have zero, one or several IP addresses.

    Some hosts and domains designate one or more hosts to handle any email directed to them. Use DIG hostname->mailexchanger to find out if there are any such hosts.

  5. DIG queries domain name servers for information about the host/domain names you've found. It gives a mess of information most of which you can ignore. You're not normally interested in the NS and other records of the name servers that supplied the information, just the info related to the host/domain you queried. This is the A internet IP address records, the MX mail exchanger records and the PTR pointer to host name records.

    Any email sent to the queried host/domain will initially go via one of the hosts given by the MX records if they exist, otherwise it will go to the host given by the A record. If there are no MX and no A records then email will normally bounce. The MX and A host names may be in completely different domains. Add any new domains to your list.

    If an IP address has no corresponding hostname the SOA `start of authority' record can be used to see which hosts/domains are responsible for that part of the net. is responsible for unallocated addresses so if you get this it usually means the queried IP address is faked or in error. If there is no SOA record try doing a DIG ipaddress->hostname on another IP address which is in the same subnet as the one you're interested in ie. vary the last number from 1 to 254. eg. For you might try Some machines are configured by accident or by design to not reveal who is responsible for them.

  6. Use WHOIS to find the administrative and technical contacts for the hosts/domains you've discovered. This will give more contact information including email addresses. If there is more than one WHOIS entry for the domain you've entered you'll get a list of abbreviated entries. To get full information use an entry's key as a query string (eg. gives keys MCI8-HST and MCI2-DOM). Add the host/domain names of the email addresses to your list. You may need to strip off one more left elements of each domain before you get a domain that WHOIS knows about (eg. -> -> -> au). This WHOIS covers US non-military domains only. For other domains see other WHOIS servers.

  7. Use TRACEROUTE to get a list of sites handling messages between this web server host and each of the host/domain's. This can take several minutes. Ideally it should be from your mail host but this should do. The last entry in the TRACEROUTE results list should be the host/domain you're querying. The next-to-last should be the Internet Service Provider (ISP) for your queried host/domain. The next-to-last for that ISP is their ISP and so on. More than one host at the end of the list may be owned by the spammer and so you need to use some judgement as to whether, when you send email to one of the hosts, you're talking to the spammer or their ISP. Add the hosts at the end of the list together with their domains to your host/domain list. This TRACEROUTE will have trouble if the test link is heavily loaded (likely during Australian working hours). If so you could try other web TRACEROUTE's.

  8. Use a web search engine to look for references to the domain names you've found. Look for `domain' and `www.domain' Virtually all ISP's have web sites like this and you can use the web pages to get some idea of whether it's actually the spammer or the ISP, together with the size, contact addresses and the email/news policy of the ISP. You can also use a general web search engine to find out other information about the spammer.

  9. You should now have a list of hosts and domains with a fair idea of the spammer's addresses and their ISP's addresses. Send an email to the spammer's ISP (this may or may not have the same domain name as the spammer themselves) using the abuse@ address and a copy to the spammer themselves. Be polite. You want results don't you? In the message include a copy of the spam with full headers, detail the reasons why you find the spam unacceptable, tell them about the Net Abuse FAQ and the Advertising FAQ and request that they not do it again. A sample is appended but use your own words if you can so that they know this is you saying it and not some form letter. If abuse@ bounces send the message to admin@, root@ or postmaster@ and additionally ask them to configure an abuse@ address which forwards to their person responsible for handling net abuse. If the email addresses aren't working you could try a fax gateway or check out the email search FAQ.

  10. Large ISP's will generally not reply to you because they're too busy but if they receive enough complaints (and with full on spammers they usually do) it is likely the spammer will be dealt with. Most ISP's are good net citizens because it's in their own interest to maintain a good reputation. If you see the spam again send another message but this time post a copy of the spam with full headers to the newsgroup and let the experts have a go. You may also want to email the ISP of the ISP. You should read the newsgroup for week or two to get a feel for how spammers operate and are dealt with. Be warned that the newsgroup includes plenty of argumentative posts from spam supporters in addition to posts from people trying to reduce spam.

Thats it! Look at the links list for further information on handling net abuse.

If the above procedure doesn't handle junk email to your satisfaction you may want to set up a filter to delete email/news items at your site before you see them. Not terribly effective generally unless you're willing to bounce every unauthorised address but it works for some persistent spammers. For reading news items look for a feature called kill-files. Not all news readers have them though. For reading email look at the filtering features your email program possesses or get an email filtering program which deletes email items before the email reader program sees them. Talk to your system administrator or ISP too; they may have some ideas specific to your site.

A final warning: Any message on the internet which doesn't use strong encryption/authentication techniques like PGP can be completely fake. Occasionally enemies on the net attack each other by tricking a third party into doing their dirty work for them. Treat any address you get with suspicion until proven otherwise.




Why the fuss?

Nobody wants to open their email in the morning and find one personal message, two bills and a thousand pieces of unsolicited junk. Or to open their favourite news group and find ten relevant items and a thousand spams.

When any of tens of thousands of small businesses and other special interest groups can send tens of thousands of email messages or news postings per day for peanuts, when they need to do it because their competitor is already doing so and when they are allowed to do it the above scenarios are only a matter of time.

There are already reports of individuals in the US receiving more than one hundred unsolicited junk email messages per day. Some useful alt.* newsgroups have become completely unreadable because of hundreds of irrelevant crossposted news items per day.

The drop in cost effectiveness with increased advertising is lower on the net. The marginal cost of running an email address grabbing and spamming program overnight while a net account would otherwise be idle is almost nil. Posting a duplicate news item to multiple newsgroups is trivial. A business can afford to waste hundreds of thousands of people's time for only minor profit to themselves and still come out ahead. Only if there are other constraints (eg. an ISP volume charging or terminating their access) will this one-sided tradeoff change.

If you post news items infrequently, your email address isn't on a publicly accessible web page and you don't often web surf commercial sites you may only have received a few junk email messages. Don't be fooled. Hundred thousand email address lists are already in wide circulation and when your email address gets on one as the result of web surfing the wrong site, paying a bill or making a sales query you will find it very hard to get off.

Incidently, if you want to do mass unsolicited junk email think about this: Most junk emailers only do it once. Creating thousands of angry instant enemies isn't a smart way to run a business.


How to advertise

If you want to do a broadcast do it using the broadcast protocol provided: news. If you want to do a point to point message use the point to point protocol provided: email. Anything else is abuse of other people's net resources. If you want to do a broadcast address it correctly with the facilities provided: newsgroups and subject headings. Again, anything else is abuse of net resources. Unnecessary repetition is also an abuse of net resources.

So, the appropriate place for a commercial message is a single on topic post with a meaningful subject heading in one of the biz.marketplace.*, comp.newprod (moderated) or newsgroups. For obvious reasons people rarely read these. This is the balance between commercial advertisers and other people's rights though.

So you're left with web pages and news signature advertising. The former is okay because only those people interested in a topic will go looking for them and other people's net resources are not unnecessarily wasted. The later is okay because you will have contributed something back to other newsgroup participants with the posting itself, paying for the general reduction in utility of the news caused by your small signature ad. If not then it is also abuse of net resources.

Note: I'm using the term net resources in the more general sense of not only bandwidth and disk space but also of the general utility to the people participating. The general utility of the net and it's facilities is reduced by every off topic post, useless email message or deceptive web page. Incrementally each loss is small but the total loss is massive and that is why so many people are willing to spend time fighting this scourge.

The best way to advertise on the net is to give away value so that people will want to visit you and also to pay for your use of other people's net resources. You can create value in small ways by competitions, games, prizes and freebies. The expected return on these things to the participants is usually terrible though. It's better to create value in a larger way by sponsoring `good works'. The advertisers on the search engines, NetScape and Id software have all done very well using this approach. On a smaller scale sponsoring a useful FAQ, piece of software, moderated news group, community service web site, entertainment web site or industry service web site are good approaches. If this is done in an innovative way it can be a very effective. Like everything else in life though remember that you don't get something for nothing; make sure it really is a useful/interesting resource and not just a deceptive advertising ploy likely to turn off a very advertising aware population. Once you have a useful resource you can legitimately announce it in the relevant newsgroups and in non-net advertising and build up a client base via sponsor advertising in the resource. Everybody wins.

This is the right way.


Complaint example

Subject:  COMPLAINT Re: GameSpot's $20,000 Games Contest
Date:     Mon, 22 Jul 1996 15:55:37

Hi administrator,

The following junk email is being broadcast to our site, costing us time
and money. Such email is *NOT* ok. I *strongly* object to the
involuntary shifting of their business costs on to others. There are
appropriate forums for such messages in the news (the biz. newsgroups) and
on the web (easily found with web searches) and if a significant fraction
of companies on the net start using email for broadcasts (one off or
otherwise) it will become useless.

The email is from and solicits replies for who appear to have ISP

Please give them a warning as it probably contravenes your acceptable use
policy. If it's premeditated or a repeat offender I request that you
cancel their account.

Does your acceptable use policy:

- warn users about unacceptable net behaviour?
- ban net abuse such as unsolicited junk email broadcasts & newsgroup spams?
- ban the use of your services as a mail drop or name server for spams
  from throwaway accounts on other sites?
- allow you to immediately suspend an account on reasonable suspicion
  whilst it is investigated and to terminate the account if proven?
- allow you to charge an offender for any costs incurred in dealing with it?

A good AUP saves you time and aggravation. For details see an informative
article by Chris Lewis: <>


Julian Byrne <> (NO JUNK EMAIL)

------- Forwarded Message Follows -------

Return-path: <>


Orignal maintained by Julian Byrne < (NO JUNK EMAIL)>
This version maintained by Rainer Zocholl < (NO JUNK EMAIL)>
Copyright © 1996. Last modified: Sat Nov 9 11:24:49 AESuT