Spam

This document is intended as a guide for University of Florida students and faculty to help them in dealing with unwanted spam. Others are welcome to use this document as a reference, but some particular comments may be specific to within the University of Florida.

If, after reading this document, you have identified the source of a virus or spam email as originating from UFL address space, please forward it (with the intact headers, as described below) to abuse@ufl.edu


Explanation of Process

The following is a short summary of the process for sending a spam complaint: first, determine the actual origin of the spam; second, use that information to find out where to send your complaint; and finally, email the complaint.


Sample Complaint

The following message is an example of a spam complaint that could be sent for the sample spam below:

To: sellect@netvigator.com,abuse@netvigator.com,postmaster@netvigator.com
From: youremail@ufl.edu
Subject: Spam: HK$280 or US$35 to get 30,000,000 e-mail address (fwd)

The following piece of email was sent to me from a computer on your
network (208.151.78.193).  Please take whatever action is necessary to
prevent any further spam messages from your network, thank you.

-----------Forwarded Message Below------------

Spam Samples

Below is an actual piece of spam that has been anonymized to protect the user it was sent to. Note that to see a message like this at all, you need to view the full headers of the email. The short descriptions below show how to do this in a few popular email clients:

UF Webmail: Open the message and select message source from the lower-right hand corner

Netscape Messenger: Click the View menu, select Headers and then All

Outlook Express: Double click the message to open it up, click the View menu, and select All Headers

Pine: Simply press H to view full headers when viewing the message

Outlook 2007:

  • Open the email in a new window by double-clicking it.
  • Click the expansion button in the lower right corner of the Options toolbar box. (The box by default holds the Follow Up and Mark as Unread buttons)
  • Find the headers under Internet headers:

Outlook 2000, 2002, 2003:

  • Open the message in a new window in Outlook.
  • Select View | Options… from the message’s menu.

Received: from leo (pomuhn02193.netvigator.com [208.151.78.193])
by nersp.nerdc.ufl.edu (8.9.3/8.9.3/2.1.0) with SMTP id MAA74438;
Wed, 25 Apr 2001 12:23:04 -0400
Date: Wed, 25 Apr 2001 12:23:04 -0400
Message-Id: <200104251623.MAA74438@nersp.nerdc.ufl.edu>
From: mailcentre@sinatown.com
To: USERNAME@nersp.nerdc.ufl.edu
Subject: HK$280 or US$35 to get 30,000,000 e-mail address
X-Mailer: snEtV2AhorANevsNdOCTyW
Content-Type: text/plain;
X-Priority: 3
X-MSMail-Priority: Normal
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from Quoted-Printable to 8bit 
by nersp.nerdc.ufl.edu id MAA74438

200,000 Fax number of Hong Kong Enterprises
1,500,000 E-mail list for Hong Kong
1,000,000 E-mail list for China
2,000,000 E-mail list for Taiwan
25,000,000 E-mail list for the world.

This is your best way to get the above information to promote your
product.

Only HK$280 or US$35 can get it. (Postage excluded if outside Hong Kong)

If you only got the hit rate only 0.5%, there is
(200,000+1,500,000+1,000,000+2,000,000+25,000,000)*0.5/100=148500
customers. If you got only USD1.00 from each customer, you can earn
USD148,5000.00 from here.

Give us a e-mail for your contact information.

Process

Now that we’ve got the full source of a spam message that was sent to us, let’s look at it to try and figure out where email originated from and see how we can alert the system administrator of the spam.

Note that the first three lines of the above source (the Received header) show the path the email took. In some messages there will be multiple hops, but they will almost always consist of three-line blocks like this one. In those cases, go to the last block in the list to find the first email server that received the message. See the examples below for more on this.

Notice that the message claims that:

Received: from leo (pomuhn02193.netvigator.com [208.151.78.193])
by nersp.nerdc.ufl.edu (8.9.3/8.9.3/2.1.0) with SMTP id MAA74438;
Wed, 25 Apr 2001 12:23:04 -0400

This means that a machine named leo, which claimed to be pomuhn02193.netvigator.com with the IP address 208.151.78.193, sent a message through nersp.nerdc.ufl.edu to the user on Wed, 25 Apr 2001. The machine name is configured by the sender, so we can’t trust it, and the name pomuhn02193.netvigator.com can easily be faked, but the IP address is much harder to fake. So 208.151.78.193 is the first piece of information that will lead us to our spam report.

Now it’s time to find out where to send our complaint based on the IP. Our first stop is http://swhois.net/. Swhois is a smart whois query that recursively tries whois servers until it finds the right server for a given IP address. When we try our suspect IP, we’re told that it is from:

Cable & Wireless USA (NETBLK-CW-10BLK) 
	CW-10BLK  208.128.0.0 - 208.175.255.255
Hong Kong Telephone, Inc. MIAA 28/F TELECOM TOWER (NETBLK-CW-208-151-64) 
	CW-208-151-64 208.151.64.0 - 208.151.95.255

The descriptions in parentheses are links to more detailed information for each of those records, so we’re going to click on both of them to find the email address we need to send the complaint to.

The second link gives us the email address sellect@netvigator.com, and the first one gives ipadmin@cw.net. The best addresses to send the spam report to first are sellect@netvigator.com, abuse@netvigator.com, and postmaster@netvigator.com. If we don’t receive a reply from them, or if we think that our complaint might be better heard by the upstream provider, we can always send it to that provider’s addresses as well (abuse@cw.net, postmaster@cw.net).


Additional Examples

Here are some additional examples demonstrating how to locate the correct source IP in an email. Note that even the source IP of the first connection can be spoofed; however, doing so requires an insecure mail server to relay through, and in that case going to the second server the mail passed through and complaining that their mail server is misconfigured is often a useful step to take.

EMAIL #1

Received: from smtp.ufl.edu (sp28fe.nerdc.ufl.edu [128.227.128.108])
  by mail.grove.ufl.edu (8.9.3/8.9.3/h4) with ESMTP id LAA20364
  for ; Mon, 26 Feb 2001 11:56:56 -0500 (EST)
From: toner4@e247.com
Received: from clas.ufl.edu (fury.clas.ufl.edu [128.227.148.247])
  by smtp.ufl.edu (8.11.2/8.11.2/2.2.1) with ESMTP id f1QGt5H58750
  for ; Mon, 26 Feb 2001 11:55:05 -0500
Received: from marble.rexelusa.com ([12.18.100.217])
  by clas.ufl.edu (8.9.3+Sun/8.9.1/dna) with ESMTP id LAA05138
  for ; Mon, 26 Feb 2001 11:55:04 -0500 (EST)
Message-Id: <200102261655.LAA05138@clas.ufl.edu>
Received: from ddcfirewall.Rexelusa.com (firewall1.rexelusa.com
[10.1.1.25]) by marble.rexelusa.com with SMTP 
(Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
  id FQ6A5WAG; Sun, 25 Feb 2001 16:19:12 -0600
To: happyguy@republic.com
Date: Sun, 25 Feb 01 15:33:35 EST
Subject: toner supplies
X-UIDL: 7a187e738164a673124e17e6bfb3ac77

-----Original Message-----
From: toner4@e247.com [mailto:toner4@e247.com]
Sent: Sunday, February 25, 2001 3:34 PM
To: happyguy@republic.com
Subject: toner supplies

PLEASE FORWARD TO THE PERSON
RESPONSIBLE FOR PURCHASING
YOUR LASER PRINTER SUPPLIES

The source IP appears to be: 12.18.100.217


EMAIL #2

Received: from post.cnt.ru (post.cnt.ru [212.15.122.243])
  by nersp.nerdc.ufl.edu (8.9.3/8.9.3/2.1.0) with ESMTP id AAA56716
  for ; Thu, 26 Apr 2001 00:00:08 -0400
Received: from mail.com (ppp1-43.dial-up.cnt.ru [212.15.118.43])
  by post.cnt.ru (8.11.3/8.11.1) with SMTP id f3Q3vtA01460;
  Thu, 26 Apr 2001 07:57:56 +0400
Message-Id: <200104260357.f3Q3vtA01460@post.cnt.ru>
From: "Altervest-Nara" 
To:
Subject:=?Windows-1251?Q?=EA=EE=F2=F2=E5=E4=E6=E8!?=
Date: Thu, 26 Apr 2001 07:58:34 Москов? (лето)
MIME-Version: 1.0
Content-Type: text/plain;
        charset="windows-1251"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: post

ООО "
Лице

As this shows, many spam messages are in a foreign language. The source IP appears to be: 212.15.118.43
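The walk described in the Process section and shown by the three samples above, as an added Python example (not part of the original page): it unfolds the Received headers, takes the bracketed IP from each hop's "from" clause, and walks from the earliest hop upward, skipping private (RFC 1918) addresses such as the 10.1.1.25 firewall hop in EMAIL #1. The embedded message is a constructed copy of EMAIL #1's Received headers, and the function names hops and origin_ip are my own.

```python
import email
import ipaddress
import re
from email import policy

# Constructed input: the Received chain of the page's EMAIL #1 (recipient
# address anonymized as on the page), with the other headers dropped.
EMAIL_1 = """\
Received: from smtp.ufl.edu (sp28fe.nerdc.ufl.edu [128.227.128.108])
  by mail.grove.ufl.edu (8.9.3/8.9.3/h4) with ESMTP id LAA20364
  for ; Mon, 26 Feb 2001 11:56:56 -0500 (EST)
Received: from clas.ufl.edu (fury.clas.ufl.edu [128.227.148.247])
  by smtp.ufl.edu (8.11.2/8.11.2/2.2.1) with ESMTP id f1QGt5H58750
  for ; Mon, 26 Feb 2001 11:55:05 -0500
Received: from marble.rexelusa.com ([12.18.100.217])
  by clas.ufl.edu (8.9.3+Sun/8.9.1/dna) with ESMTP id LAA05138
  for ; Mon, 26 Feb 2001 11:55:04 -0500 (EST)
Received: from ddcfirewall.Rexelusa.com (firewall1.rexelusa.com
  [10.1.1.25]) by marble.rexelusa.com with SMTP
  (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
  id FQ6A5WAG; Sun, 25 Feb 2001 16:19:12 -0600
"""

# Only the "from ..." clause up to "by" is the receiving server's own record
# of who connected; the bracketed IP inside it is the part the page trusts.
_FROM_CLAUSE = re.compile(r"^from\s+(.*?)\s+by\s", re.S)
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops(raw_message):
    """Claimed connecting IP of each Received header, newest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for value in msg.get_all("Received", []):  # policy.default unfolds them
        m = _FROM_CLAUSE.search(str(value))
        ip = _BRACKETED_IP.search(m.group(1) if m else str(value))
        found.append(ip.group(1) if ip else None)
    return found


def origin_ip(raw_message):
    """Walk from the earliest hop (last header) upward and return the first
    public address, skipping RFC 1918 hops such as a site firewall."""
    for ip in reversed(hops(raw_message)):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None


if __name__ == "__main__":
    print("hops, newest first:", hops(EMAIL_1))
    print("origin to report:", origin_ip(EMAIL_1))
```

The same functions give 208.151.78.193 for the first sample and 212.15.118.43 for EMAIL #2 when their headers are passed in.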