Detective Work

In order to properly report spam, you need to learn a few basic networking tools. Very often you will see only IP addresses in the email headers. For those who do not know, IP addresses are the basic building block of the internet. An IP address is a series of numbers separated by periods, and every computer has one while it is connected to the internet. Each ISP has a set of IP blocks assigned to it. The first two or three sets of numbers in the address identify the IP block, which can be traced to the ISP; the numbers after the block refer to the specific user on the ISP’s network. Additionally, the internet makes use of the domain name service (DNS) to map those IP addresses to alphanumeric names which we humans can actually remember. DNS is a mapping of domain names to the specific IP address of the server which hosts a website, mail server, or any other server online.

There are a series of tools for working with this system and identifying information based on what you already have. Those tools are:


  1. ping. All ping does is send a packet of information to a server and look for an echo. It determines whether the server you are pinging is online and responding.
  2. nslookup. A tool to allow you to determine the IP address of a given domain, or the domain of a given IP address.
  3. traceroute. A tool to allow you to trace the route which a data packet follows to arrive at the target server.
  4. whois. A tool to allow you to determine the owner of a given domain name.

To use ping, all you need to do is open up your command prompt window and type “ping [hostname or IP address]”, supplying the domain or IP you wish to ping. Ping will then send a series of data packets to the target and print out on-screen the responses it got (if any) from the server and how long the responses took. Once you’ve sent a few pings and gotten a reply, hit Ctrl-C to stop sending data packets.

NSLookup is also available on your PC through the command prompt. Just type “nslookup [hostname or IP address]”, supplying the domain or IP. If a DNS record is available, you will get a result. If you enter a hostname, you will get an IP address. If you enter an IP address, you will get a hostname. Sometimes if you look up a hostname you may get several IP addresses back as a result. This is simply because each of those IPs responds to that domain. You may find this on popular websites which employ several servers for load-balancing purposes. NSLookup can be useful to see if a hostname in a spam message’s headers actually corresponds to the IP address. Many spammers will spoof the hostname to make the email look legitimate. But an NSLookup will tell you if it is indeed a spoof.

Traceroute is used the exact same way as the above two commands. The results will show you a listing of all servers which the data packet had to go through to reach the target. See, the way the internet is designed, it is very rare that you are communicating directly with your target server. Your information is traveling over a series of servers, bouncing its way to the target. Each line of the results represents one hop. If you get “* * *” on a line, it is because that server was too slow to respond (or because that server doesn’t honor traceroute queries). Traceroute is just another detective tool for figuring out where a spammer is located.

Whois is run the same way as the prior commands, except that Windows machines do not have it built in (shame on you, Microsoft). All domain names on the internet have to be registered, meaning each one has a person’s name or company attached to it along with contact information. Also, all active domains have to be hosted somewhere, and this information is available via the DNS system as well. Even though Windows users can’t run whois locally (unless they download a third-party utility to do so), you can still run such requests via the web. You can try InterNIC, DNSStuff, or visit one of the regional internet registry websites. The Regional Internet Registries (RIRs) control the allocation of IP blocks in their areas of the world. They are:

  1. Asia, Pacific Rim. www.apnic.net
  2. USA, Canada, Caribbean. www.arin.net
  3. Europe. www.ripe.net
  4. Latin America, Caribbean. www.lacnic.org
  5. Africa. www.afrinic.net

In order to identify who to report a spam message to, you need to learn to do a couple of things: (1) retrieve the email headers, and (2) run the command-line utilities to identify the source of an IP address. Finding the email headers varies from email program to email program, so you will need to look into that yourself. However, in Outlook 2003 (which I am using), you simply right-click on the email and choose “Options”. You will then see the internet headers. So, for example, I will take a spam message I just got as I was typing this. The email thanked me for my loan request (which I never made), said they were willing to loan me $260,000 and then linked me to a form to fill out. The email’s headers contained the following lines:

Received: from rwp44.pie.net.pk (202.125.151.151)
by [MY SERVER] with SMTP; 19 Oct 2005 09:06:55 -0000
Received: from adamsnowzzz (HELO pointhost.localbootlegged)
by bibbl7.epic.sd.biz with WQMTP; Wed, 19 Oct 2005 14:05:55 +0400

Now, the IP address in parentheses on the first line was recorded by my own server when the connection came in, so it cannot be forged, and we can do a look-up on 202.125.151.151. The first thing you would want to do is an nslookup or reverse DNS lookup on this IP address. When I do an nslookup on this address, I find that the hostname given in the email’s headers is accurate: rwp44.pie.net.pk. When doing a reverse DNS lookup via DNSStuff.com, I get the same result and I find that the server’s location is in Islamabad, Pakistan. Well, not that I didn’t know this was spam going into it, but if I had my doubts, this would have confirmed it. After all, how likely are we to get a legitimate loan offer here in the US from Pakistan? But this brings up a lesson for spam reporting which is not so good. Typically, it is not worth your effort to report spammers who have overseas providers. ISPs in the United States are much more likely to run their businesses legitimately. When you see internet activity coming out of areas like Pakistan (mainland China is particularly bad), you can be reasonably accurate in assuming that the owners of those servers do not care what passes through them.
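The check described above, done by hand with nslookup, can be scripted. The following is an added example, not code from the original article: it unfolds the Received: headers, pulls out the connecting IP recorded in parentheses, and compares the hostname the sending side claimed with a reverse DNS (PTR) lookup of that IP. The sample headers are constructed from the ones quoted above, with the placeholder mail.example.net standing in for [MY SERVER]; the resolver is a parameter so the check can also be run offline against a canned lookup table.

```python
"""Check the hostnames claimed in a spam message's Received: headers.

Added example, not code from the original article. It unfolds the
Received: headers, pulls out the connecting IP recorded in parentheses,
and compares the hostname the sending side claimed against a reverse DNS
(PTR) lookup of that IP. The resolver is a parameter so the check can run
offline with a canned lookup table.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample modelled on the headers quoted in the article; the
# receiving server is the placeholder mail.example.net rather than [MY SERVER].
SAMPLE_HEADERS = """\
Received: from rwp44.pie.net.pk (202.125.151.151)
  by mail.example.net with SMTP; 19 Oct 2005 09:06:55 -0000
Received: from adamsnowzzz (HELO pointhost.localbootlegged)
  by bibbl7.epic.sd.biz with WQMTP; Wed, 19 Oct 2005 14:05:55 +0400
Subject: loan request
"""

# IPv4 inside parentheses: "(1.2.3.4)", "(name [1.2.3.4])" or "(name 1.2.3.4)".
IP_IN_PARENS = re.compile(r"\((?:[^()]*?[\s\[])?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (those starting with whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per Received: line, newest hop first, as the header lists them."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        claimed = re.search(r"\bfrom\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        ip = IP_IN_PARENS.search(line)
        hops.append({
            "claimed": claimed.group(1) if claimed else None,
            "by": by.group(1) if by else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops


def reverse_dns(ip: str) -> Optional[str]:
    """Live PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_hops(raw: str,
               resolver: Callable[[str], Optional[str]] = reverse_dns
               ) -> List[Dict[str, Optional[str]]]:
    """Label each hop: match, spoofed, no-ptr, or no-ip.

    Only the topmost Received: line was written by your own server; the
    lines below it came from the sending side and may be forged outright.
    """
    results: List[Dict[str, Optional[str]]] = []
    for hop in parse_received(raw):
        if hop["ip"] is None:
            hop["reverse"], hop["verdict"] = None, "no-ip"
        else:
            actual = resolver(hop["ip"])
            hop["reverse"] = actual
            claimed = (hop["claimed"] or "").lower().rstrip(".")
            if actual is None:
                hop["verdict"] = "no-ptr"
            elif actual.lower().rstrip(".") == claimed:
                hop["verdict"] = "match"
            else:
                hop["verdict"] = "spoofed"
        results.append(hop)
    return results


if __name__ == "__main__":
    # Canned lookup table so the demo needs no network; reverse_dns does the live version.
    table = {"202.125.151.151": "rwp44.pie.net.pk"}
    for hop in check_hops(SAMPLE_HEADERS, resolver=table.get):
        print(f"{hop['verdict']:8} claimed={hop['claimed']} ip={hop['ip']} reverse={hop['reverse']}")
```

Run it as-is for the offline demo, or call check_hops(raw_headers) with no resolver argument to use the system resolver on headers pasted from a real message. A "spoofed" verdict on the top hop is the case the article describes with the "alibi" hostname below; a "no-ip" verdict just means that line carried nothing you can verify.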

Let’s look at some other spam messages in my account. I see a spam message here from Millionaire’s Concierge, based in Ft. Lauderdale, FL. Based on their email, they are complying with CAN-SPAM. The email is legal and they are probably using a mass-marketing company to send this. However, it is still spam. Next, I find a spam for yet another $400,000 pre-approved loan. Interesting that the offer is coming from Russia. The email even has an account number in the subject line. How cute. Here’s another spam for buying Viagra from home. The email is coming from Austria. The true hostname was

“chello080108009124.14.11.vie.surfer.at”

however the spammer spoofed it to “alibi”. Here’s another one advertising penis enlargement. It says “To be a Stud, press here” and it links to a Geocities site in Brazil, yet the mail server’s location is in Beijing, China (according to the reverse DNS lookup). Another interesting thing about this email is that they padded the bottom of the email with what appeared to be some lines out of a book. As stated previously, this is a common spammer trick to try to fool bad content filters into thinking it is legitimate. By padding the email with seemingly un-spam-like text, maybe they can reduce the spam score enough to make it to your inbox.

Here is another one. They are advertising a virtual postcard service. The link in the email seems to point to postcards.org. However, the email is in HTML format, so you can view source on the message and see that the link, even though it LOOKS to point to postcards.org, is actually pointing to a Romanian domain name. And worse yet, the link is to an executable, an EXE file. That is a potentially very unsafe link to actually click on. Who knows what it would do. And, of course, a reverse DNS lookup on the IP address in parentheses in the header shows the message is coming from Japan.
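Viewing the source by hand is how the article catches this; the same inspection can be automated. The following is an added example, not code from the original article: it walks the anchors in an HTML body, compares any hostname shown in the link text with the host the href really points to, and flags links ending in an executable extension. The sample body is constructed, and placeholder-spammer.ro stands in for the Romanian domain the article mentions (it is not a real host).

```python
"""Flag HTML email links whose visible text disagrees with their real target.

Added example, not code from the original article. It walks the anchors in
an HTML body, compares any hostname shown in the link text with the host the
href really points to, and flags links ending in an executable extension.
The sample body is constructed; placeholder-spammer.ro stands in for the
Romanian domain the article mentions and is not a real host.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# File extensions a mail link should never point at directly.
SUSPICIOUS_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js")

# Constructed sample: one honest link, one that looks like postcards.org but
# is not, and one with no hostname in its text at all.
SAMPLE_HTML = """
<p>You have a new postcard waiting at
<a href="http://www.postcards.org/">www.postcards.org</a>!</p>
<p><a href="http://placeholder-spammer.ro/card.exe">http://www.postcards.org/view</a></p>
<p><a href="http://placeholder-spammer.ro/unsubscribe">press here</a> to unsubscribe</p>
"""

# Something that reads as a hostname inside link text, with optional scheme and www.
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": " ".join(self._text).strip()})
            self._href = None


def same_site(shown: str, actual: str) -> bool:
    """True if the displayed host and the real host belong to the same site (www. ignored)."""
    s = re.sub(r"^www\.", "", shown.lower())
    a = re.sub(r"^www\.", "", actual.lower())
    return s == a or a.endswith("." + s) or s.endswith("." + a)


def audit_links(html: str) -> List[Dict[str, object]]:
    """Return every link with the list of reasons it looks deceptive (empty when it looks fine)."""
    collector = LinkCollector()
    collector.feed(html)
    findings: List[Dict[str, object]] = []
    for link in collector.links:
        parsed = urlparse(link["href"])
        real_host = (parsed.hostname or "").lower()
        reasons: List[str] = []
        shown = HOST_IN_TEXT.search(link["text"])
        if shown and real_host and not same_site(shown.group(1), real_host):
            reasons.append(f"text shows {shown.group(1)} but the link goes to {real_host}")
        if parsed.path.lower().endswith(SUSPICIOUS_EXTENSIONS):
            reasons.append(f"link downloads an executable ({parsed.path.rsplit('/', 1)[-1]})")
        findings.append({"text": link["text"], "href": link["href"],
                         "host": real_host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        flag = "SUSPECT" if f["reasons"] else "ok     "
        print(f"{flag} {f['text']!r} -> {f['href']}")
        for r in f["reasons"]:
            print("        -", r)
```

The host comparison tolerates a www. prefix and subdomains of the displayed name, so an honest "www.postcards.org" link is not flagged, while the second link in the sample gets two findings: the displayed host differs from the real one, and the target is an .exe.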

Here’s another one that is advertising a free iPod nano. They addressed me as “Dear drisley” (a common spam trick, an attempt at social engineering). They apparently appreciate my business, and in return they will give me a free iPod nano. Ironically, they link me to dastardliness.com. However, doing a reverse DNS on the IP, I get a server under the domain frouncing.com. If you do a WHOIS on that, you get an apartment (most likely) address in Salt Lake City, Utah along with a phone number. Their email address is with Gmail, Google’s free email service. The lookups of the name servers seem to be very circular, so it’s possible the guy is hosting his own servers. In this case, reporting the spammer by calling that phone number is likely not going to roll any heads. It might, perhaps, shock the guy at that address, though.

The story is mostly the same for each spam message I look at. I am getting them from Pakistan, China, Vietnam, Iran, you name it. Unfortunately, as I said, there is really no receptive ear for reports to these sources, even if you are able to track it to a specific company (and many times you cannot). Most of the very obvious spam emails are from foreign countries. The Viagra ads, the sex ads, and the like are mostly coming from reasonably anonymous senders in countries which just don’t care about things like that. Then there are other, cleaner spam messages that are CAN-SPAM compliant and do lead to legitimate websites. These companies are likely using companies here in the US to send to a mass mailing list. There is absolutely nothing illegal about it. And they wouldn’t do it if it didn’t generate some business for them. However, it is still spam because I did not subscribe to these people’s mailing lists.

