Fighting SPAM, How to Lodge a Complaint

Baldwin explains how to lodge a complaint against the person or organization responsible for the computer that sent a SPAM message or a message carrying a virus.

Published:  February 5, 2004
By Richard G. Baldwin

Java Programming Notes # 2158

Purpose

The purpose of this short tutorial is to show you how to lodge a complaint against the person or organization responsible for the computer that sent a SPAM message or a message carrying a virus.

Background information

At any instant in time, every computer connected to the Internet has a unique address, commonly referred to as the IP address.  This address is similar to your home address, or your telephone number, except that it may change more frequently.

Some computers have an IP address that is more or less permanently assigned and rarely changes.  Other computers are assigned a different IP address every time they are turned on and connected to the Internet.

Regardless of whether the IP address is permanent or transitory, records should exist that show which IP address was assigned to which computer at every instant in time.

Useful for lodging a complaint

This IP address can be used to lodge a complaint against the responsible party for every SPAM message and every message containing a virus that is set loose on the Internet.
(Keep in mind, however, that in many cases involving SPAM, and most cases involving viruses, the operator of the computer is an unwilling and unknowing participant in the process.  In those cases, the computer has become contaminated with an uninvited program that is sending out the messages.  In those cases, the operator needs to be notified and asked to remove the uninvited program from the computer.)
Every Email message contains the originating IP address

Although you don't ordinarily see it when viewing your Email messages, every email message contains the IP address of the computer that sent the message.
(While it may be possible for someone to insert a fake originating IP address into a message, unlike the Email return address that can be easily faked, faking the originating IP address is not an easy task, and probably isn't often done at this point in time.)
The IP address can lead to the source of the message

Once you know how to identify the originating IP address, it is a relatively simple matter to obtain contact information that will allow you to lodge a complaint.  I will show you how later in this tutorial.

Finding the originating IP address

First however, let me show you how to identify the originating IP address.

Every Email message contains a header in a more or less standard format.  The originating IP address is contained in that header.  Although most Email readers don't show you the header by default, most will show you the complete header if you are interested in seeing it.  For the Email reader that I use, I can see the complete header by pulling down the View menu, selecting Headers, and then selecting All.

An example Email message header

As an example of an Email header (not an example of a SPAM or virus message), I am going to show you the header for a message that I recently received from the Social Security Administration.  The complete header for that message is shown in Figure 1.

Don't panic

Although the complete header is very complex (as indicated in Figure 1), what you need to do is very simple.

From - Thu Dec 25 09:42:08 2003
X-UIDL: 3fe90e0500000077
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <owner-ssa_enews@listserv.gsa.gov>
Received: from mailhub1.austin.cc.tx.us (root@mailhub1.austin.cc.tx.us [206.77.151.36])
	by omnistarhost.com (8.11.6/8.11.6) with ESMTP id hBOMYuL27782
	for <baldwin@dickbaldwin.com>; Wed, 24 Dec 2003 16:34:57 -0600
Received: from monk.austincc.edu (root@monk.austin.cc.tx.us [198.213.3.10])
	by mailhub1.austin.cc.tx.us (8.12.3/8.12.3/Debian-6.4) with ESMTP id hBOMX8xS005866
	for <baldwin@dickbaldwin.com>; Wed, 24 Dec 2003 16:33:08 -0600
Received: from mailhub1.austin.cc.tx.us (root@mailhub1.austin.cc.tx.us [206.77.151.36])
	by monk.austincc.edu (8.12.3/8.12.3/Debian -4) with ESMTP id hBOMX7De005423;
	Wed, 24 Dec 2003 16:33:07 -0600
Received: from listserv.gsa.gov (host.159-142-1-236.gsa.gov [159.142.1.236])
	by mailhub1.austin.cc.tx.us (8.12.3/8.12.3/Debian-6.4) with SMTP id hBOMX3xS005860;
	Wed, 24 Dec 2003 16:33:03 -0600
Received: from listserv (listserv [159.142.1.236])
	by listserv.gsa.gov (8.11.7p1+Sun/8.11.7+sun) with ESMTP id hBOMWEE10793;
	Wed, 24 Dec 2003 17:32:14 -0500 (EST)
Received: from LISTSERV.GSA.GOV by LISTSERV.GSA.GOV (LISTSERV-TCP/IP release
          1.8e) with spool id 378417 for SSA_ENEWS@LISTSERV.GSA.GOV; Wed, 24
          Dec 2003 17:13:02 -0500
Approved-By: chris@LISTSERV.GSA.GOV
Received: from scog-ws3.gsa.gov ([159.142.144.58]) by listserv.gsa.gov
          (8.11.7p1+Sun/8.11.7+sun) with ESMTP id hBOM4EE01502 for
          <ssa_enews@listserv.gsa.gov>; Wed, 24 Dec 2003 17:04:14 -0500 (EST)
Received: from 159.142.144.55 by scog-ws3.gsa.gov with ESMTP (GSA Internet
          E-Mail System (MMS v5.6.0)); Wed, 24 Dec 2003 17:04:00 -0500
X-Server-Uuid: D4208979-786E-433B-9147-FEC48B116F32
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 5.0.8  June 18, 2001
X-MIMETrack: Serialize by Router on SCOG-NOTESSMTP1/GSAEXTERNAL(Release 5.0.8
             |June 18, 2001) at 12/24/2003 05:04:00 PM,
             Serialize complete at 12/24/2003 05:04:00 PM
X-WSS-ID: 13F4D2DA1YG9608-01-01
Content-Type: multipart/alternative; boundary="=_alternative 00793D7E85256E06_="
Message-ID:  <OF32B7ED00.A20CC09F-ON85256E06.00791170@gsa.gov>
Date:         Wed, 24 Dec 2003 17:03:55 -0500
Reply-To: Social Security eNews <SSA_ENEWS@listserv.gsa.gov>
Sender: Social Security eNews <SSA_ENEWS@listserv.gsa.gov>
From: "^ENews" <ENews@SSA.GOV>
Subject: eNews: Social Security eNews December 2003
To: SSA_ENEWS@listserv.gsa.gov
Precedence: list
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
Status: RO

Figure 1

Look for the last Received line

As you will note in Figure 1, the header contains many lines that begin with the word Received:

The number of such lines will vary from one message to the next.  What you will be looking for is the last such line in the header.  (I highlighted it in blue in Figure 1.)

Find the IP address in that line

The last Received: line will contain the IP address for the computer that sent the offending message.  I highlighted the IP address in red in Figure 1.

What does the IP address look like?

An IP address always consists of four numbers having from one to three digits each.  The four numbers will always be separated by periods.

IP addresses are often enclosed in matching square brackets [...], but that is not the case in Figure 1.  The IP address consists of the four numbers and the three periods.  (The square brackets, if they are present, are not part of the IP address.)

Copy down the IP address.  You will need it later.

Identify the responsible organization or person

The next step is to identify the organization or person that is responsible for the IP address.  (IP addresses are issued to organizations and individuals in much the same way that your telephone number is issued to you when you sign up for telephone service.)

Identifying the responsible organization and the responsible party within that organization is easy.  Several web sites on the Internet maintain databases containing such information and make it available for free.  One of the easiest databases to use is the ARIN WHOIS database at http://www.arin.net/whois/.

Using the Arin database

Just click on the link given above to open a page containing a data entry field.

Enter the IP address that you copied earlier and press the button labeled Submit Query.  This will produce a page that looks something like the one shown in Figure 2.  (This is the information provided for the IP address highlighted in red in Figure 1.  Each of the blue links in Figure 2 will take you to other pages containing additional information.)

OrgName:    General Services Administration
OrgID:      GSA-1
Address:    18th & F Street, NW
Address:    Mail Stop Room 2040
City:       Washington
StateProv:  DC
PostalCode: 20405
Country:    US

NetRange:   159.142.0.0 - 159.142.255.255
CIDR:       159.142.0.0/16
NetName:    GSA
NetHandle:  NET-159-142-0-0-1
Parent:     NET-159-0-0-0-0
NetType:    Direct Assignment
NameServer: DNS.GSA.GOV
NameServer: DNS2.GSA.GOV
NameServer: DNS3.GSA.GOV
NameServer: DNS4.GSA.GOV
NameServer: DNS5.GSA.GOV
NameServer: DNS6.GSA.GOV
Comment:
RegDate:    1992-04-28
Updated:    2002-11-07

TechHandle: NG134-ARIN
TechName:   General Services Administration 18th& F Streets, N
TechPhone:  1-800-903-IISC (4472)
TechEmail:  hostmaster@gsa.gov

OrgTechHandle: NG134-ARIN
OrgTechName:   General Services Administration 18th& F Streets, N
OrgTechPhone:  1-800-903-IISC (4472)
OrgTechEmail:  hostmaster@gsa.gov

Figure 2

Again, don't panic

Once again, this looks pretty complicated, but fortunately you will only be interested in the information in the four red lines near the bottom of Figure 2. 

Registering your complaint

If you prefer, you can call the telephone number to complain, but the best bet is to send an Email message to the address given.  (Or possibly the best bet is to do both.)  The advantage to the Email message is the ease with which you can provide the information that the organization will need to track down the offending computer within the organization.

Send the full header from the offending message

When you send the Email message, be sure to include a copy of the full header from the offending message in your message.  Someone there will understand how to interpret all of the information in the header, and that is the information that the organization will need to track down the offending computer.

Use copy and paste if possible

Trying to copy all of that information manually would be a daunting task, but should not be necessary.  It should be possible for you to copy the header to the clipboard on your computer and then paste it into your Email message.

The way to go about doing that will differ from one Email reader to the next.  With my reader, I can view the message, pull down the View menu, and select Message Source.  This opens up a version of the message that allows me to highlight the entire message header with the mouse, copy it to the clipboard, and paste it into the Email message that I am composing.  (The header consists of everything from the first line down to and including the line that starts with Status:)

Viruses send SPAM and viruses

It probably wouldn't do much good to complain to an originating organization that distributes SPAM for profit (but then, it may do some good if thousands of people complain on a daily basis).  However, as mentioned earlier, many cases involving SPAM and most viruses are actually sent by malicious programs that have invaded the computers of unsuspecting people.  Sometimes complaining to the technical contact for the originating IP address of a SPAM or virus message will result in the malicious code being removed from the computer.  That will eliminate the SPAM and virus messages being transmitted by that computer.

Every little bit helps

Removing such code from one computer wouldn't have much impact on the overall problem, but removing such code from thousands of computers could have a significant impact on the problem.  If nothing else, it would make it easier to identify the real culprits in the war against SPAM and viruses.

An example case

For example, a good friend of mine was recently notified by her cable modem ISP that a computer connected to her cable modem had been transmitting SPAM or viruses.  Apparently the ISP had received a complaint that included the date, time, and originating IP address in the message header.  The ISP was able to use this information to determine that the IP address had been assigned to my friend's cable modem at the time that the message was transmitted.  My friend received technical advice from the ISP to help in cleaning up the computer and eliminating the problem.

Disclaimer

Nothing in this document is intended to suggest that the Social Security Administration computers are used to distribute SPAM or viruses.  A message from the Social Security Administration was chosen for illustration purposes due simply to the fact that it is easy to see the connection between the information in Figures 1 and 2 for a well-known government agency.  Making that connection would be more difficult for a case involving a real spammer.

Copyright 2004, Richard G. Baldwin.  Reproduction in whole or in part in any form or medium without express written permission from Richard Baldwin is prohibited.

About the author

Richard Baldwin is a college professor (at Austin Community College in Austin, TX) and private consultant whose primary focus is a combination of Java, C#, and XML. In addition to the many platform and/or language independent benefits of Java and C# applications, he believes that a combination of Java, C#, and XML will become the primary driving force in the delivery of structured information on the Web.

Richard has participated in numerous consulting projects, and he frequently provides onsite training at the high-tech companies located in and around Austin, Texas.  He is the author of Baldwin's Programming Tutorials, which has gained a worldwide following among experienced and aspiring programmers. He has also published articles in JavaPro magazine.

Richard holds an MSEE degree from Southern Methodist University and has many years of experience in the application of computer technology to real-world problems.

Baldwin@DickBaldwin.com

-end-