You can also read this for more details
http://www.fuzzo.com/spam_faq.htm
They say it's free to repost, so I am reposting a small fraction.
Tracing an e-mail message
To trace an e-mail you have to look at the header. Most mail readers do not show the full header because it contains information meant for computer-to-computer routing. The parts you usually see are the subject, the date and the "From" / "Return" address. About the only thing in an e-mail header that can't be faked is the "Received" line added by your own mail server: the topmost one, which is the last to be written, since it was produced by a machine the spammer does not control. Every Received line below it was written by someone else's machine, or by the spammer.
You will need to take a look at the headers on the message as follows (Thanks to Michael, Piers and others) :
Claris E-Mailer - under Mail select Show Long Headers.
Eudora (before ver. 3) - Select Tools, Options..., then Fonts & Display, then Show all headers
Eudora (ver. 3.x, 4.x IBM or Macintosh) - Press the BLAH button on the incoming mail message
For Mac Eudora 4.x, entering the following x-eudora-setting URL changes the default so that BLAH is automatically selected for all new e-mail received after the switch is set:
x-eudora-setting:123=y - When checked, Eudora will show all the headers from messages, not just an abbreviated set.
HotMail - To expose the full message header, click "Options" on the Hotmail Navigation Bar on the left side of the page. On the Options page, click "Preferences." Scroll down to "Message Headers" and select "Full."
For Lotus Notes 4.6.x - From the menu bar, select Actions, then Delivery Information. Copy the information from the bottom box into your e-mail report at the top of the spam.
For Lotus Notes R5 - From the menu bar, select Actions, then Tools, then Delivery Information. Copy the information from the bottom box into your e-mail report at the top of the spam.
MS Outlook - Double click on the email in your inbox. This will bring the message into a window. Click on View - Options. You can also open a message, then choose File - Properties - Details.
MS Outlook Express - Alt-Enter, or Alt-F then R.
MS Outlook Express - More Detailed:
To look for, copy and send headers In Outlook Express
1- Press CTRL F3
2- Press CTRL A
3- Press CTRL C
4- Press Alt F4. (At this point the message is already copied)
5- Open a new message. Right click and paste or select Edit and paste.
Netscape 3 - In the Netscape Mail window, click View/Document Source.
Netscape 4.xx - Double click on the email in your inbox. Click on View - Headers - All.
PINE - You have to turn on the header option in setup, then just hit "h" to get headers.
Yahoo - 1. Log into your Yahoo! Mail account.
2. Click the "Options" link on the left-hand navigation bar.
3. Click the "Mail Preferences" link on the right.
4. Locate the Show Headers heading and select "All."
5. Click the "Save" button to put your new settings into effect.
Programs that do not follow the Internet mail standards (for example cc:Mail, BeyondMail and VAX VMS mail) discard the headers. You will not be able to get headers from those e-mail messages.
Aussie tells us that in Pegasus to view the full headers for each message, use CTRL-H. This will show the full headers for the particular message, but will not add them to any reply or forward. You need to cut/paste the message into the reply/forward to send these headers.
Richard tells us that with Nettamer, an MS-DOS-based e-mail and USENET group reader, you must save the message as an ASCII file; the full header will then be displayed when you open the saved file with your favorite ASCII editor.
At this point if you are "pushing the envelope" on your ability to figure out how to get that complaint to the correct person, I would suggest joining the Usenet group alt.spam or news.admin.net-abuse.email and post the message with a title like "Please help me decipher this header". Unfortunately there is no "single" place to complain to about spam (or Unsolicited Commercial E-Mail). Complaints have to be directed to the correct ISP (Internet Service Provider) that the spam originated from. See the below section entitled "Reporting spam".
URL's to help you figure out how to look at the headers:
http://www.concentric.net/~Nvam
http://www.rahul.net/falk/mailtrack.html
A little different description of headers:
http://ddi.digital.net/~gandalf/trachead.html - Line by line tracing of a spammers e-mail
http://help.mindspring.com/features/ema ... /index.htm
http://help.mindspring.com/features/ema ... tended.htm
http://www.mcs.net/~jcr/junkemaildeal.html - Another Header Analysis
http://www.stopspam.org/email/headers/headers.html - In depth header analysis
Some spamming software delivers the e-mail directly to your mail server (often called direct-to-MX delivery). That leaves only one Received line in the e-mail, which makes your life many times easier: the computer in that line that is not your own server is the spamming computer.
Also, please look through the body of the message for e-mail addresses to reply to. Complain to the postmasters of those sites also (see below for a list of complaint addresses).
Gregory tells us that assuming a reasonably standard and recent sendmail setup, a Received line that looks like :
Received: from host1 (host2 [ww.xx.yy.zz]) by host3
(8.7.5/8.7.3) with SMTP id MAA04298; Thu, 18 Jul 1996 12:18:06 -0600
shows four pieces of useful information (reading from back to front, in order of decreasing reliability):
- The host that added the Received line (host3)
- The IP address of the incoming SMTP connection (ww.xx.yy.zz)
- The reverse-DNS lookup of that IP address (host2)
- The name the sender used in the SMTP HELO command when they
connected (host1).
Looking at the headers below we see 6 Received lines. Received lines are like links in a chain: each server that handles the message adds one at the top, so reading from the top down follows the message backwards, and there should be no breaks in the chain. The first line shows that the message ended up at ddi.digital.net (my computer) from mail.bestnetpc.com. The third shows that mail.bestnetpc.com received it from unknown (HELO paul-s.-aiello) ([205.160.183.123]). The last three lines suggest that it passed through in2.|bm.net from mh.tomsurl|.com and from reb50.rs41|1date.net. Since none of those computers appear in the first three Received lines (the ones written by my server and by mail.bestnetpc.com), the chain is broken there, and we can ignore those lines and every Received line after them (this UCE had 4 or 5 more faked Received lines in it that were deleted for this example). We also know that these lines are faked because no domain name contains a "|" character: host names consist only of letters, digits and hyphens, with dots separating the labels. The addresses 100.257.57.69 and 256.36.1.176 give the game away as well, since no octet of an IPv4 address can be greater than 255.
Do not get confused by the "Received: from unknown" portion. In this qmail-style line, "unknown" means the receiving server could not find a reverse-DNS name for the connecting IP address. The name after HELO (paul-s.-aiello) is whatever the spammer put in the SMTP HELO command when they connected to the SMTP server; it can be *anything* and should be ignored. Only the IP address in the square brackets was recorded by the receiving server itself.
Received: from mail.bestnetpc.com (IDENT:qmailr@mail.bestnetpc.com [205.160.183.3]) by ddi.digital.net (8.9.1a/8.9.1) with SMTP id CAA10768 for
gandalf@digital.net; Thu, 26 Nov 1998 02:55:11 -0500 (EST)
Received: (qmail 25259 invoked from network); 26 Nov 1998 08:05:49 -0000
Received: from unknown (HELO paul-s.-aiello) ([205.160.183.123]) by mail.bestnetpc.com with SMTP; 26 Nov 1998 08:05:49 -0000
Received: (from uudp@lcl|lhost) by in2.|bm.net (8.6.9/8.6.9) id CFF569794 for suppressed; Thursday, November 26, 1998
Received: from tomsurl|.com (mh.tomsurl|.com [100.257.57.69]) by m4.tomsurl|.com (8.6.12/8.6.12) with ESMTP id PAA21932 Thursday, November 26, 1998
Received: from reb50.rs41|1date.net (
root@reb50.rs41|1date.net [256.36.1.176]) by tomsurl|.com (8.6.12/8.6.12) with ESMTP id PBA023891 for suppressed;
So we complain to whoever owns unknown (HELO paul-s.-aiello) ([205.160.183.123]). Make sure that you do an nslookup (or use
http://samspade.org/t/ , put the address in the section "address digger", click on Whois IP block and Traceroute and click on "do stuff") on the IP addresses. I try to verify that 205.160.183.123 is paul-s.-aiello. Indeed paul-s.-aiello does not even exist, and 205.160.183.123 does not resolve to a name when I do an nslookup. Next would be a traceroute. See further below for more in-depth tracking on resolving an IP.
IP portion = 205.160.183.123
Traceroute 205.160.183.123 gives us:
Step Host IP
Find route from: 0.0.0.0 to: 205.160.183.123 (205.160.183.123), Max 30 hops, 40 byte packets
snip
13 acsi-sw-gw.customer.alter.net. (157.130.128.26 ): 235ms
14 atlant-ga-2.espire.net. (206.222.97.24 ): 272ms
15 206.222.104.37 (206.222.104.37 ): 279ms
16 orland-fl-1-a5-0.espire.net. (206.222.99.7 ): 362ms
17 iag.net.orland-fl-1.espire.net. (206.222.106.6 ): 195ms
18 d1.s0.gw.dayb.fl.iag.net. (207.30.70.38 ): 230ms
19 s0.gw.bestnetpc.net. (207.30.70.254 ): 231ms
20 * * *
21 205.160.183.123 (205.160.183.123): 372ms
See the traceroute section below for how to interpret the "*" (and other codes) that are returned from a traceroute.
Note - if you see something like the following, realize that the only portion you can trust is the address between the "([" and the "])". The spammer supplied the (faked) portion "mail.zebra.net (209.12.13.2)"; the receiving server recorded 209.12.69.42:
Received: from mail.zebra.net (209.12.13.2) ([209.12.69.42])
Kamiel tells us that you might also want to make sure that the IP is not hosted by an intermediary site. Check it out at:
http://www.arin.net
You should complain to abuse@ or postmaster@ at the domain formed by the last two or three labels of the host name. I would complain to
abuse@iag.net OR
abuse@espire.net (but NOT both sites) since after looking below at the list of complaint addresses in this FAQ there are no alternate addresses for iag.net or espire.net. Unless it is a "major provider" (someone in the below complaint list) I usually complain to the upstream provider rather than risk the chance of complaining to the spammer and being ignored. If you go too far up the chain, however, it may take quite some time for the complaint to filter down to the correct person.
Louise tells us that you are entitled to make an "alleged" accusation, but to avoid being liable for libel, prefix your statement with:
"Without prejudice: I suspect you are the culprit of such and such."
The constitutional and legal boundary of "Without prejudice" exempts politicians' opinions spoken publicly, and this prefix is often adopted by Solicitors (England) or Lawyers/Attorneys (USA).
I use :
abuse@XXXXX - Without prejudice I submit to you this Unsolicited Commercial E-Mail is from your user XXXX. UCE is unappreciated because it costs my provider (and ultimately myself) money to process just like an unsolicited FAX. Please look into this. Thank you.
BE SURE to verify the IP address. The sending machine supplies its own "name" in the SMTP HELO (a Windows '95 machine, for instance, sends whatever name it was configured with), and the receiving server records the real IP address after that name. A spammer can therefore give the legitimate "name" of someone else to get an innocent party in trouble. A spammer at cyberpromo changed their SMTP HELO so that it claimed to be from CompuServe. The Received line looked like the one below, but a quick verification of the IP address 208.9.65.20 showed it was indeed from cyberpromo:
Received: from dub-img-4.compuserve.com (cyberpromo.com [208.9.65.20]) by karpes.stu.rpi.edu
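The chain walk described above (Gregory's anatomy of a Received line, the six-line bestnetpc example, and the rule that only the address between "([" and "])" was recorded by the receiving server) as an added example, not part of the original FAQ. It is a small Python script written for this page; the sample headers are the example chain quoted above, re-folded the way a mail reader shows them, and the parsing patterns cover only the sendmail and qmail formats that appear on this page. The rule it applies is the one the text states: each hop's "by" host must be a host the hop above it says it received from, and a "by" host with characters that cannot appear in a DNS name, or an IP with an octet above 255, is forged.

```python
"""Walk a Received: chain from the top down and find where it breaks.

The origin is the bracketed IP of the lowest hop that is still linked to
our own server; everything below the first broken link is ignored.
"""
import ipaddress
import re

RE_FROM = re.compile(r'^from\s+([^\s;,]+)', re.I)     # sender's own claim (sendmail: the HELO name)
RE_BY = re.compile(r'\bby\s+([^\s;,]+)', re.I)        # the server that wrote this line
RE_HELO = re.compile(r'\(HELO\s+([^)\s]+)\)', re.I)   # qmail style "(HELO name)"
RE_RDNS = re.compile(r'\(([^\s()\[]+)\s+\[')          # sendmail style "(rdns [ip])"
RE_IP = re.compile(r'\[([0-9.]+)\]')                  # the only part the receiver recorded
VALID_HOST = re.compile(r'^[A-Za-z0-9.-]+$')          # letters, digits, hyphens, dots

# Sample input: the bestnetpc chain quoted earlier on this page, re-folded
# so that continuation lines start with whitespace as a mail reader shows them.
SAMPLE = """\
Received: from mail.bestnetpc.com (IDENT:qmailr@mail.bestnetpc.com [205.160.183.3])
    by ddi.digital.net (8.9.1a/8.9.1) with SMTP id CAA10768
    for gandalf@digital.net; Thu, 26 Nov 1998 02:55:11 -0500 (EST)
Received: (qmail 25259 invoked from network); 26 Nov 1998 08:05:49 -0000
Received: from unknown (HELO paul-s.-aiello) ([205.160.183.123])
    by mail.bestnetpc.com with SMTP; 26 Nov 1998 08:05:49 -0000
Received: (from uudp@lcl|lhost) by in2.|bm.net (8.6.9/8.6.9) id CFF569794
    for suppressed; Thursday, November 26, 1998
Received: from tomsurl|.com (mh.tomsurl|.com [100.257.57.69])
    by m4.tomsurl|.com (8.6.12/8.6.12) with ESMTP id PAA21932 Thursday, November 26, 1998
Received: from reb50.rs41|1date.net (root@reb50.rs41|1date.net [256.36.1.176])
    by tomsurl|.com (8.6.12/8.6.12) with ESMTP id PBA023891 for suppressed;
"""


def received_bodies(raw_headers):
    """Return the Received: header values top to bottom, with folded lines joined."""
    unfolded = []
    for line in raw_headers.splitlines():
        if line[:1] in (' ', '\t') and unfolded:
            unfolded[-1] += ' ' + line.strip()
        else:
            unfolded.append(line.rstrip())
    return [h[len('received:'):].strip() for h in unfolded
            if h.lower().startswith('received:')]


def parse_received(body):
    """Pull one Received line apart; a piece that is not present is None."""
    def grab(rx):
        m = rx.search(body)
        return m.group(1).lower() if m else None

    hop = {'from': grab(RE_FROM), 'helo': grab(RE_HELO), 'rdns': grab(RE_RDNS),
           'ip': grab(RE_IP), 'by': grab(RE_BY), 'problems': []}
    if hop['rdns'] and '@' in hop['rdns']:       # drop a sendmail IDENT:user@ prefix
        hop['rdns'] = hop['rdns'].rsplit('@', 1)[1]
    if hop['by'] and not VALID_HOST.match(hop['by']):
        hop['problems'].append(f"impossible host name in 'by {hop['by']}'")
    if hop['ip']:
        try:
            ipaddress.ip_address(hop['ip'])      # rejects octets above 255
        except ValueError:
            hop['problems'].append(f"impossible IP address {hop['ip']}")
    return hop


def walk_chain(hops):
    """Return (indexes of hops still linked to our server, index of the first bad hop, reason)."""
    trusted, expected = [], None
    for i, hop in enumerate(hops):
        if hop['by'] is None:        # local hand-off such as qmail's "invoked from network" line
            continue
        if expected is not None and hop['by'] not in expected:
            return trusted, i, (f"hop {i} claims 'by {hop['by']}' but the hop above "
                                f"received from {sorted(expected)}")
        if hop['problems']:
            return trusted, i, '; '.join(hop['problems'])
        trusted.append(i)
        # The next hop down must claim to be one of the names this hop recorded.
        expected = {n for n in (hop['from'], hop['helo'], hop['rdns'], hop['ip']) if n}
    return trusted, None, 'chain intact to the bottom'


def trace_origin(raw_headers):
    hops = [parse_received(b) for b in received_bodies(raw_headers)]
    trusted, bad, reason = walk_chain(hops)
    origin = next((hops[i]['ip'] for i in reversed(trusted) if hops[i]['ip']), None)
    return {'hops': hops, 'trusted': trusted, 'break_at': bad,
            'reason': reason, 'origin_ip': origin}


if __name__ == '__main__':
    result = trace_origin(SAMPLE)
    for i, hop in enumerate(result['hops']):
        flag = 'ok' if i in result['trusted'] else 'IGNORE'
        print(f"{i}: {flag:6} from={hop['from']} helo={hop['helo']} rdns={hop['rdns']} "
              f"ip={hop['ip']} by={hop['by']}")
    print('break:', result['reason'])
    print('complain about:', result['origin_ip'])
```

Run it with python3 and feed it the raw headers your mail reader exposes (see the list at the top of this page). For the sample it keeps hops 0 and 2, stops at the in2.|bm.net line, and reports 205.160.183.123 as the address to complain about. It does not do the nslookup, traceroute or whois step; that remains a manual check on the reported IP.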
The below e-mail was passed to me through a "mule" (un1.satlink.com [200.9.212.3]). The spammer used an open relay, an SMTP server that accepts mail from anyone and forwards it anywhere, to reroute the e-mail to me:
Received: from un1.satlink.com (un1.satlink.com [200.9.212.3]) by ddi.digital.net (8.9.1a/8.9.1) with ESMTP id GAA06372; Fri, 27 Nov 1998 06:53:20 -0500 (EST)
Received: from usa.net ([209.86.128.234]) by un1.satlink.com (Netscape Messaging Server 3.54) with SMTP id AAT2FEA; Fri, 27 Nov 1998 08:46:07 -0200
An nslookup on 209.86.128.234 resolves to user38ld07a.dialup.mindspring.com, so after I complain to mindspring.com I also send the postmaster of the open relay the following:
postmaster@XXXXX - Your SMTP mail server XXXXX was used as a mule to pass (and waste your system resources) this e-mail on to me. You can stop your SMTP port from allowing rerouting of e-mail back outside of your domain if you wish to. FYI only. Info on how to block your server, see: