It used to be that if you received a piece of spam you could just forward the headers of the message to the ISP domains you saw in those headers. Now so many spammers forge headers to make it appear that the message came from somewhere other than its real origin.
Usually, if you really didn't opt in to a mailing, there will be tell-tale signs in the message that it is spam, such as: "I've never bought from company X and I can't seem to find a straight answer on how to contact them", "boy, there are a lot of 'Received: from' lines in the headers and it went through more than 3 domains to get to me!" and "Why am I getting XXX advertisements in my inbox?". Just make sure, because it'd be terrible if you shut down your favourite site for buying vintage glassware because you forgot that you signed up for their mailing list 3 months ago to be notified when they got some Depression-era glass in.
Lately I've received messages from companies that chose to include a web address. This was a mistake on their part: a web address can be traced, and tracing it can get them shut down, although probably only for a few days.
The main way I've done this is as follows:
- note any domain name in the message
- try to access each different domain name
- note any numeric redirects (e.g. http://www.carrotware.com suddenly became http://65.121.176.23 in your address bar)
Next I fire up the old trusty DOS prompt (in Win2k just do Start - Run - cmd.exe).
Perform a traceroute on each IP address and note any names that resolve from the IP address:
C:\>tracert 65.121.176.23
Tracing route to nt8.npsis.com [65.121.176.23]
over a maximum of 30 hops:
1 20 ms 50 ms 10 ms 10.178.176.1
2 10 ms 10 ms 10 ms 172.30.50.65
3 10 ms 10 ms 10 ms 68.52.1.6
4 10 ms 20 ms 20 ms so-1-1-0.gar1.atl1.Level3.net [67.72.8.33]
5 10 ms 20 ms 20 ms so-0-3-0.bbr1.Atlanta1.level3.net [209.247.9.157]
6 50 ms 51 ms 50 ms so-1-0-0.mp1.Denver1.Level3.net [209.247.11.21]
7 50 ms 50 ms 50 ms gigae11-2.hsipaccess1.Denver1.Level3.net [64.159.3.206]
8 50 ms 50 ms 50 ms unknown.Level3.net [63.211.236.218]
9 50 ms 51 ms 50 ms den-core-02.tamerica.net [205.171.16.90]
10 50 ms 60 ms 60 ms slc-core-01.tamerica.net [205.171.8.106]
11 60 ms 60 ms 60 ms slc-edge-02.inet.qwest.net [205.171.131.13]
12 60 ms 70 ms 70 ms 65.117.100.50
13 60 ms 70 ms 60 ms nt8.npsis.com [65.121.176.23]
Trace complete.
Did you notice that 65.121.176.23 became nt8.npsis.com?
Sometimes you're not so lucky as to get a name and you'll just have to let it run its full trace. If there are named hops in the path within the last 2 hops, that's probably the hosting provider, or maybe the backbone provider to the hosting provider (companies often offer reseller accounts that make it look like company A is a hosting provider when it is just reselling through company B, which actually has the servers and such, or company B sells rack space to other companies that want complete control over their own server).
Now take any suspect domain names. You may run into multi-level names like subscriber123.city.state.provider-a.net or subscriber123.city.provider-b.co.uk; this is where your best judgement will come in. Drop everything except the suffix (.com, .co.uk, .au, .org, and so on) and the word immediately before it, and you are left with "provider-a.net" and "provider-b.co.uk". Next is the frustrating part.
Go to a registrar site. I tend to go to www.netsol.com, www.opensrs.net, www.joker.com, or www.planetdomain.com and access the WHOIS.
I'll use my own domain, carrotware.com (looked up through the joker.com site, since that is my registrar), so you can see what kind of information is included.
Whois-output |
---|---
DOMAIN | carrotware.com
Registrar: | JOKER.COM (CSL-GmbH as ICANN registrar)
Status: | production
Handle: | 463262
Owner |
Name: | samantha copeland
Organization: |
Email: | <mailbox>@carrotware.com
Address: | 1604 aaronwood drive
Postalcode/City: | 37138 old hickory
State: | tn
Country: | US
Administrative contact: | <mailbox>@carrotware.com#0
Technical contact: | <mailbox>@carrotware.com#0
Billing contact: | <mailbox>@carrotware.com#0
Nameserver: | ns1.npsis.com ns2.npsis.com
created by JORE-1: | 2002-03-28 00:48:01
modified by JORE-1: | 2002-05-07 10:27:26
db-updated: | 2003-07-29 06:08:28
expires: | 2004-03-27 18:47:40
Note that the DNS servers (called Nameserver on joker.com) are something.npsis.com; this is my hosting provider. If you'd gotten a piece of spam from me that directed you to carrotware.com, you'd probably want to send a message to "abuse[at]npsis.com" (replace the [at] with @). Note: I don't collect emails and I don't send out mass messages; if you get something claiming to be from my site it is not me, this is just an example. Most domains have an "abuse" address these days just for spam and AUP violation reports. As a further step you could also look up the whois on my hosting provider to find extra emails to try if the abuse box fails:
Registrar: TUCOWS, INC.
Whois-Server:whois.opensrs.net
----------------------------------------
Registrant:
NPS Internet Solutions, Inc.
1049 N 140 E
Orem, UT 84057
US
Domain name: NPSIS.COM
Administrative Contact:
Wilkerson, Nathaniel <mailbox>@npsis.com
1049 N 140 E
Orem, UT 84057
US
801-426-4933 Fax: 801-426-4944
Technical Contact:
Wilkerson, Nathaniel <mailbox>@npsis.com
1049 N 140 E
Orem, UT 84057
US
801-426-4933 Fax: 801-426-4944
Registration Service Provider:
NPS Internet Solutions Inc, <mailbox>@npsis.com
1-801-373-8700
1-801-373-8701 (fax)
http://www.npsis.com
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 21-Feb-2003.
Record expires on 25-Jun-2011.
Record Created on 25-Jun-1999.
Domain servers in listed order:
NS1.NPSIS.COM 65.121.176.5
NS2.NPSIS.COM 65.121.176.6
So that my provider and I won't get spammed, I'm turning the actual emails into <mailbox>@domain; the rest of the information is unaltered. If the abuse box bounces, you could try the admin or tech contact box. Since they have a phone number you could even give them a call (but be nice! there's that whole flies and honey thing, after all).
If you feel like the hosting provider is ducking you or that they are part of the spam, you could get their registrar (opensrs.net) to tap them on the shoulder, or their apparent upstream provider, which from the traceroute looks like "qwest.net", and repeat the whois lookup on that. The hosting provider should still be your first point of contact.
If you can't identify a domain name for a possible provider via the traceroute, try a traceroute on the IP address or host name of the DNS servers listed in the whois (65.121.176.5 and NS1.NPSIS.COM), for either the spamming domain or its hosting provider.
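The domain-reduction rule above (keep the suffix plus the word before it), the "last couple of named hops" reading of a traceroute, and the step of turning the WHOIS nameservers into an abuse address, as an added Python example that is not the article's own code. The suffix list, the two-hop window and the abridged tracert sample are my assumptions (the sample is cut down from the article's own listing):

```python
"""Added example, not code from the original article: reduce traceroute hops and
WHOIS nameserver entries to the provider domain that gets the abuse report."""
import re
# Assumption: a short hand-made suffix list; real tools use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "net.au", "co.nz"}
# Sample tracert output, abridged from the article's own listing.
TRACERT_SAMPLE = """\
 1    20 ms    50 ms    10 ms  10.178.176.1
11    60 ms    60 ms    60 ms  slc-edge-02.inet.qwest.net [205.171.131.13]
12    60 ms    70 ms    70 ms  65.117.100.50
13    60 ms    70 ms    60 ms  nt8.npsis.com [65.121.176.23]"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+\s*ms|\*)\s+){3}(\S+)(?:\s+\[([\d.]+)\])?\s*$")

def registrable_domain(hostname):
    """subscriber123.city.provider-b.co.uk -> provider-b.co.uk"""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def parse_hops(tracert_output):
    """Return [(hop_number, hostname_or_None, ip)] for every parsed hop line."""
    hops = []
    for line in tracert_output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner line, timed-out hop, or "Trace complete."
        hop, name, ip = int(m.group(1)), m.group(2), m.group(3)
        if ip is None:  # no reverse name, so the token itself is the IP
            name, ip = None, name
        hops.append((hop, name, ip))
    return hops

def provider_candidates(tracert_output, upstream_hops=2):
    """(destination's domain, named domains within the last N hops before it)."""
    hops = parse_hops(tracert_output)
    if not hops:
        return None, []
    last, name, _ = hops[-1]
    dest = registrable_domain(name) if name else None
    upstream = [registrable_domain(n) for h, n, _ in hops
                if n and last - upstream_hops <= h < last]
    upstream = [d for d in dict.fromkeys(upstream) if d != dest]
    return dest, upstream

def abuse_addresses(nameserver_field):
    """'ns1.npsis.com ns2.npsis.com' -> ['abuse@npsis.com']"""
    domains = sorted({registrable_domain(ns) for ns in nameserver_field.split()})
    return ["abuse@" + d for d in domains]
```

On the article's trace this yields npsis.com as the destination's provider and qwest.net as the named upstream within the last two hops, matching the reading given above.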
Now you've done just about all you can do and all you have to do now is sit back and watch that ol' spammer lose their website.
Other references to consider: