This document is intended as a guide for University of Florida students and faculty to help them in dealing with unwanted spam. Others are welcome to use this document as a reference, but some particular comments may be specific to within the University of Florida.
If, after reading this document, you have identified the source of a virus or spam email as originating from UFL address space, please forward it (with the intact headers, as described below) to firstname.lastname@example.org
- UF E-mail Spam Filtering
- abuse.net – Offers mail filtering and reporting
- Spam Cop – Online spam reporting service that also offers filtering
- Spam Laws
- emailabuse.org – Good general reference
- ftc.gov – Complaint form for identity theft/fraud
- ftc.gov – Can spam page
The following is a simple summary of the process to follow when sending a spam complaint. The first thing you should do is determine the actual origin of the spam, the second thing you should do is to find out where to send your complaint to based on that information, and lastly of course, email the complaint.
The following message is an example of a spam complaint that could be sent for the sample spam below:
To: email@example.com,firstname.lastname@example.org,email@example.com From: firstname.lastname@example.org Subject: Spam: HK$280 or US$35 to get 30,000,000 e-mail address (fwd) The following piece of email was sent to me from a computer on your network (126.96.36.199). Please take whatever action is necessary to prevent any further spam messages from your network, thank you. -----------Forwarded Message Below------------
Below is an actual piece of spam that has been anonymized for protection of the user it was sent to. Note that to even see a message like this, it’s necessary to view the full headers for an email. A short description below shows how to do this in a few popular email clients:
UF Webmail: Open the message and select message source from the lower-right hand corner
Netscape Messenger: Click the View menu, select Headers and then All
Outlook Express: Double click the message to open it up, click the View menu, and select All Headers
Pine: Simply press H to view full headers when viewing the message
- Open the email in a new window by double-clicking it.
- Click the expansion button in the lower right corner of the Options toolbar box. (The box by default holds the Follow Up and Mark as Unread buttons)
- Find the headers under Internet headers:
Outlook 2000, 2002, 2003:
- Open the message in a new window in Outlook.
- Select View | Options… from the message’s menu.
Received: from leo (pomuhn02193.netvigator.com [188.8.131.52]) by nersp.nerdc.ufl.edu (8.9.3/8.9.3/2.1.0) with SMTP id MAA74438; Wed, 25 Apr 2001 12:23:04 -0400 Date: Wed, 25 Apr 2001 12:23:04 -0400 Message-Id: <200104251623.MAA74438@nersp.nerdc.ufl.edu> From: email@example.com To: USERNAME@nersp.nerdc.ufl.edu Subject: HK$280 or US$35 to get 30,000,000 e-mail address X-Mailer: snEtV2AhorANevsNdOCTyW Content-Type: text/plain; X-Priority: 3 X-MSMail-Priority: Normal Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from Quoted-Printable to 8bit by nersp.nerdc.ufl.edu id MAA74438 200,000 Fax number of Hong Kong Enterprises 1,500,000 E-mail list for Hong Kong 1,000,000 E-mail list for China 2,000,000 E-mail list for Taiwan 25,000,000 E-mail list for the world. This is your best way to get the above information to promote your product. Only HK$280 or US$35 can get it. (Postage excluded if outside Hong Kong) If you only got the hit rate only 0.5%, there is (200,000+1,500,000+1,000,000+2,000,000+25,000,000)*0.5/100=148500 customers. If you got only USD1.00 from each customer, you can earn USD148,5000.00 from here. Give us a e-mail for your contact information.
Now that we’ve got the full source of a spam message that was sent to us, let’s look at it to try and figure out where email originated from and see how we can alert the system administrator of the spam.
Note that the first three lines of the above source show the path the email took. In some messages, multiple hops will be made, but they will almost always be composed of three line blocks such as this. In those cases, you will want to go to the last block on the list to find the first email server that received the message. See the below examples for more on this.
Notice that the message claims that:
Received: from leo (pomuhn02193.netvigator.com [184.108.40.206]) by nersp.nerdc.ufl.edu (8.9.3/8.9.3/2.1.0) with SMTP id MAA74438; Wed, 25 Apr 2001 12:23:04 -0400
Meaning a machine named leo who claimed to be pomuhn02193.netvigator.com with an IP address of 220.127.116.11 sent a message through nersp.nerdc.ufl.edu to the user on Wed, 25 Apr 2001. The machine name is configured by the user and so we can’t trust that, and the name pomuhn02193.netvigator.com can be faked easily, but it’s harder to fake the IP address. So 18.104.22.168 is our first bit of information that will lead us to our spam report.
Now it’s time for us to find out where to send our complain based on the IP. Our first stop is http://swhois.net/. Swhois is a smart whois query that will recursively try whois servers until it has the right server for a given IP address. When we try our suspect IP, we’re told that it is from:
Cable & Wireless USA (NETBLK-CW-10BLK) CW-10BLK 22.214.171.124 - 126.96.36.199 Hong Kong Telephone, Inc. MIAA 28/F TELECOM TOWER (NETBLK-CW-208-151-64) CW-208-151-64 188.8.131.52 - 184.108.40.206
The descriptions in parenthesis are links to more detailed information for each of those records, so we’re going to click on both of those to find the email address we need to send the complaint to.
The second link gives us the email firstname.lastname@example.org, and the first one gives email@example.com. The best emails to send the spam report to would first be: firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org. If we don’t receive a reply from them, or if we think that our complaint might be better heard by the first provider, we can always send it to those addresses as well (email@example.com, firstname.lastname@example.org).
Here are some additional examples to demonstrate how to locate the correct source IP from an email. Note that even the source IP on the first connection can be spoofed, however, it requires an insecure mail server to send through to do that, and, in that case, often going to the second server the mail was sent to and complaining that their mail server is misconfigured can be a positive step to take.
EMAIL #1 Received: from smtp.ufl.edu (sp28fe.nerdc.ufl.edu [220.127.116.11]) by mail.grove.ufl.edu (8.9.3/8.9.3/h4) with ESMTP id LAA20364 for ; Mon, 26 Feb 2001 11:56:56 -0500 (EST) From: email@example.com Received: from clas.ufl.edu (fury.clas.ufl.edu [18.104.22.168]) by smtp.ufl.edu (8.11.2/8.11.2/2.2.1) with ESMTP id f1QGt5H58750 for ; Mon, 26 Feb 2001 11:55:05 -0500 Received: from marble.rexelusa.com ([22.214.171.124]) by clas.ufl.edu (8.9.3+Sun/8.9.1/dna) with ESMTP id LAA05138 for ; Mon, 26 Feb 2001 11:55:04 -0500 (EST) Message-Id: <200102261655.LAA05138@clas.ufl.edu> Received: from ddcfirewall.Rexelusa.com (firewall1.rexelusa.com [10.1.1.25]) by marble.rexelusa.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id FQ6A5WAG; Sun, 25 Feb 2001 16:19:12 -0600 To: firstname.lastname@example.org Date: Sun, 25 Feb 01 15:33:35 EST Subject: toner supplies X-UIDL: 7a187e738164a673124e17e6bfb3ac77 -----Original Message----- From: email@example.com [mailto:firstname.lastname@example.org] Sent: Sunday, February 25, 2001 3:34 PM To: email@example.com Subject: toner supplies PLEASE FORWARD TO THE PERSON RESPONSIBLE FOR PURCHASING YOUR LASER PRINTER SUPPLIES
The source IP appears to be: 126.96.36.199
EMAIL #2 Received: from post.cnt.ru (post.cnt.ru [188.8.131.52]) by nersp.nerdc.ufl.edu (8.9.3/8.9.3/2.1.0) with ESMTP id AAA56716 for ; Thu, 26 Apr 2001 00:00:08 -0400 Received: from mail.com (ppp1-43.dial-up.cnt.ru [184.108.40.206]) by post.cnt.ru (8.11.3/8.11.1) with SMTP id f3Q3vtA01460; Thu, 26 Apr 2001 07:57:56 +0400 Message-Id: <200104260357.f3Q3vtA01460@post.cnt.ru> From: "Altervest-Nara" To: Subject:=?Windows-1251?Q?=EA=EE=F2=F2=E5=E4=E6=E8!?= Date: Thu, 26 Apr 2001 07:58:34 Ìîñêîâ? (ëåòî) MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: post ÎÎÎ " Ëèöå
As this shows, many spam messages are in a foreign language. The source IP appears to be: 220.127.116.11