Find the Email Spammer!
Posted: Sunday, February 25, 2007
by LBSO
Laundry Bag Store Online
Trace the Email Spam Back and Notify Hosting Provider
We've all been pummeled with tons of email spam. Two popular spams are the Over the Counter (OTC) stock spam and another for Replica Watches. Wouldn't it be nice to trace the spammer back to their hosting company, report them and hopefully get them shut down?
When we send out an email it travels through many network servers to arrive at its destination. When it doesn't arrive, or we can't visit our favorite website, it usually means some part of the network path is having problems.
Network experts send a dummy piece of data (a packet) down the network path to see whether it arrives at its destination; this is called pinging the network. It helps them pinpoint exactly which network server in the path is having problems.
We can use the same process to trace the email spammer back to the hosting company and report them.
The first thing we need to do is get the originating IP address of the spammer.
To get the spam email's IP address, click Full Headers (bottom right in Yahoo Mail) on the email and take the IP address from the X-Originating-IP header or from the earliest Received header.
I opened a recent stock spam email in Yahoo, clicked Full Headers and got this IP address:
84.130.107.109
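Reading the Received chain by hand is error-prone, because each server prepends its own Received header and the sender can put any headers they like underneath the ones your own provider wrote. The script below is an added example, not code from the original post: it parses a constructed message (example-domain host names, the article's address 84.130.107.109, and a loopback/private hop standing in for one the sender fabricated), walks the hops newest-first, and only accepts a sending address that one of our provider's relays recorded. The relay names in TRUSTED_RELAYS are assumptions; substitute the names of your own provider's mail servers.

```python
"""Find the originating IP in a spam message's Received chain.

Added example for this article, not code from the original post. The raw
message below is constructed: host names use reserved example domains,
84.130.107.109 is the address quoted in the article, and 127.0.0.1 / 10.0.0.5
are loopback / private addresses standing in for a hop the sender made up.
"""
import email
import ipaddress
import re

# Each mail server PREPENDS its own Received header, so the top one was
# written by our own provider and the bottom one is closest to the sender.
# The bottom hop here is fabricated by the spammer to look like a bank.
RAW_SPAM = b"""\
Received: from mx1.example.net by inbox.example.com with ESMTP id A1;
\tSun, 25 Feb 2007 10:00:00 -0500
Received: from dsl-customer.example ([84.130.107.109]) by mx1.example.net
\twith SMTP id B2; Sun, 25 Feb 2007 09:59:58 -0500
Received: from trusted-bank.example (localhost [127.0.0.1]) by 10.0.0.5
\twith SMTP; Sun, 25 Feb 2007 09:59:50 -0500
X-Originating-IP: [84.130.107.109]
From: "Stock Tips" <tips@example.org>
To: victim@example.com
Subject: OTC pick of the week

Buy now!
"""

# Relays our provider operates (assumed names). A Received header is only as
# trustworthy as the server that wrote it ("by ..."); anything below the last
# trusted hop arrived as part of the message and may be forged.
TRUSTED_RELAYS = {"inbox.example.com", "mx1.example.net"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def valid_ipv4(text):
    """True if text is a syntactically valid dotted quad (rejects 999.1.1.1)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_hops(raw):
    """Return the Received headers newest-first as (from_ip, by_host) pairs."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(str(hdr).split())            # unfold continuation lines
        from_clause = hdr.split(" by ", 1)[0]       # keep only the "from ..." part
        ips = [ip for ip in IPV4.findall(from_clause) if valid_ipv4(ip)]
        by = BY_HOST.search(hdr)
        hops.append((ips[0] if ips else None, by.group(1) if by else None))
    return hops


def originating_ip(raw, trusted=TRUSTED_RELAYS):
    """Walk newest-first and return the sending address recorded by the last
    trusted relay; stop as soon as a hop was written by an unknown server."""
    candidate = None
    for from_ip, by_host in parse_hops(raw):
        if by_host not in trusted:
            break                                   # sender-supplied from here on
        if from_ip and not ipaddress.IPv4Address(from_ip).is_private:
            candidate = from_ip                     # skip internal hand-offs
    return candidate


def x_originating_ip(raw):
    """The X-Originating-IP header, if present. Trust it only when your own
    provider adds it; one that arrived with the message proves nothing."""
    value = str(email.message_from_bytes(raw).get("X-Originating-IP", ""))
    found = [ip for ip in IPV4.findall(value) if valid_ipv4(ip)]
    return found[0] if found else None


if __name__ == "__main__":
    for hop in parse_hops(RAW_SPAM):
        print("hop:", hop)
    print("originating IP:", originating_ip(RAW_SPAM))
    print("X-Originating-IP:", x_originating_ip(RAW_SPAM))
```

Run against the sample, the script reports 84.130.107.109 and ignores the forged bottom hop, because that hop claims to have been written "by 10.0.0.5", a server we do not operate. If you leave your provider's relay names out of TRUSTED_RELAYS the function returns None rather than guessing, which is the right failure mode: an abuse report built on a forged header lands on an innocent network.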
I visited the VisualRoute demo site, http://visualroute.visualware.com, which allows us to ping a network. Keep in mind that only a limited number of traces are allowed with the online demo, so use them wisely.
Copy and paste the IP address or domain name into the box located under "Test Internet Connectivity & Trace IP Addresses" on the VisualRoute site.
Click Start; after it completes, click the Performance Graph tab. Hover your mouse over the dots to see each hop's server and host names.
The VisualRoute server is located in Virginia but can be changed to the UK from the map at the top left.
Hover your mouse over the dots until you see the IP address you pinged. It will be the last one in the path (on the right). This is the server the spam originated from.
When you hover your mouse, it lists the hosting company and, if clicked, will query the whois database. The whois database provides a wealth of information about the IP address or domain.
The VisualRoute administrator has disabled this feature in the online demo; however, we can look up the hosting company via the search engines or, better yet, query the whois database manually. The whois information usually includes an email address for reporting abuse, and this is what we're after.
Most people look up IP addresses or domains using ARIN whois (http://ws.arin.net/whois) or Network Solutions (http://www.networksolutions.com/whois/index.jsp). (With Network Solutions whois you need to select the IP radio button.)
Either is a good place to start, but ARIN is the database for North American IPs and domains, and much of the spam comes from other countries.
When we look up our stock spam email's IP address 84.130.107.109 in ARIN, it tells us which region of the world the address belongs to and points us to the regional whois database that holds more information.
The primary databases are: ARIN (North America), RIPE (Europe), APNIC (Asia/Pacific), AfriNIC (Africa) and LACNIC (Latin America/Caribbean).
So when we query the stock spam IP address 84.130.107.109 in ARIN, it says more info is available in RIPE: http://www.ripe.net/whois
Let's query RIPE with our spammer's IP address and see what we get:
Query RIPE for 84.130.107.109
Halfway down the RIPE page we can see the whois information. The IP address is hosted by Deutsche Telekom AG (Germany). Although we could already see that from the VisualRoute trace, what we want is the abuse info.
The RIPE whois info clearly displays the abuse contact under "remarks". In this case it also has an abuse email address listed under "Security Team" further down.
We can just forward the spam email to them at their abuse email address and hopefully they'll shut the spammer down. If it's not the right hosting company, they'll more than likely reply with an email saying so.
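The two-step lookup above (ask ARIN, follow its referral to the regional registry, read the abuse contact there) is mechanical enough to script. The example below is added here and is not part of the original post; it makes no network calls. The two replies are constructed in the shape ARIN and RIPE responses take (ARIN's ReferralServer line and RIPE's RPSL-style remarks: and abuse-mailbox: attributes), and every handle and mailbox in them is a placeholder, not Deutsche Telekom's real contact. The commands it returns use the standard whois client's -h option to pick the server.

```python
"""Follow whois referrals and pull the abuse contact out of an RIR record.

Added example for this article, not part of the original post. No network
calls are made: the two records below are constructed in the shape ARIN and
RIPE responses take, and the contacts/handles are placeholders.
"""
import re

# Constructed ARIN-style reply for the article's address: ARIN does not hold
# the record itself and points at RIPE via the ReferralServer line.
ARIN_REPLY = """\
NetRange:       84.0.0.0 - 84.255.255.255
CIDR:           84.0.0.0/8
NetName:        84-RIPE
NetType:        Allocated to RIPE NCC
ReferralServer: whois://whois.ripe.net
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region.
"""

# Constructed RIPE-style reply. Attribute names follow RIPE's format; the
# netname, handle and mailbox are placeholders, not the real contacts.
RIPE_REPLY = """\
% This is the RIPE Database query service. (constructed sample)

inetnum:        84.128.0.0 - 84.191.255.255
netname:        DTAG-DIAL-EXAMPLE
descr:          Deutsche Telekom AG
country:        DE
admin-c:        EX123-RIPE
status:         ASSIGNED PA
remarks:        ***********************************************
remarks:        * Abuse contact: abuse@example.net             *
remarks:        ***********************************************
source:         RIPE

role:           Security Team (constructed)
abuse-mailbox:  abuse@example.net
nic-hdl:        EX123-RIPE
source:         RIPE
"""

FIELD = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_fields(reply):
    """(key, value) pairs with lower-cased keys; '%' comment lines are skipped."""
    out = []
    for line in reply.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        m = FIELD.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2).strip()))
    return out


def referral(reply):
    """Whois server the registry says to ask next, or None if it is authoritative."""
    for key, val in parse_fields(reply):
        if key == "referralserver":
            return re.sub(r"^whois://", "", val).split(":")[0]
    return None


def holder(reply):
    """(description, country) from the first descr:/country: attributes."""
    first = {}
    for key, val in parse_fields(reply):
        first.setdefault(key, val)
    return first.get("descr"), first.get("country")


def abuse_contacts(reply):
    """Abuse mailboxes, structured abuse-mailbox: first, then any address
    mentioned in free-text remarks that talk about abuse; de-duplicated."""
    structured, from_remarks = [], []
    for key, val in parse_fields(reply):
        if key == "abuse-mailbox":
            structured += EMAIL.findall(val)
        elif key == "remarks" and "abuse" in val.lower():
            from_remarks += EMAIL.findall(val)
    seen, ordered = set(), []
    for addr in structured + from_remarks:
        if addr not in seen:
            seen.add(addr)
            ordered.append(addr)
    return ordered


def lookup_chain(ip, replies, max_hops=5):
    """Replay the article's manual procedure offline: ask ARIN, follow the
    referral, read holder and abuse contact at the authoritative registry.
    `replies` maps a whois host to a canned answer; on a live network you
    would run the returned `whois -h <server> <ip>` commands instead."""
    server, commands = "whois.arin.net", []
    for _ in range(max_hops):
        commands.append(f"whois -h {server} {ip}")
        reply = replies[server]
        nxt = referral(reply)
        if nxt is None:
            return commands, holder(reply), abuse_contacts(reply)
        server = nxt
    raise RuntimeError("referral loop between whois servers")


if __name__ == "__main__":
    canned = {"whois.arin.net": ARIN_REPLY, "whois.ripe.net": RIPE_REPLY}
    print(lookup_chain("84.130.107.109", canned))
```

The structured abuse-mailbox: attribute is preferred over an address scraped from remarks: because remarks are free text that operators leave stale; when both exist and disagree, send the report to the structured one and mention the other. The hop limit in lookup_chain is there because two registries can point at each other for a block in transition.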
Hope this helps cut down on the spam email you receive.
Cheers,
Laundry Bag Store Online
Laundry Bags in 14 Vibrant Colors!
For Reprint Rights - The author requests their link remain.