Backtracking the Spam Email Sender with the Email Headers
Because anyone can forge an email header and type basically anything they want as the return address,
mail host or whatever else they like, some people use that to send unsolicited email.
You can read the email header to trace the spam sender, but it may or may not do any good.
Even if you can locate the sender, at best you can write to their internet service provider and
hope they close the account. At worst, you won't be able to figure it out, or the sender will
live in a foreign country and the ISP won't care anyway.
Here is how to trace the sender using the email header:
- Try looking at the "Received" lines, or look for "X-Authentication-Warning" headers.
Many servers stamp outgoing email with information about the actual sender. Pay particular
attention to IP addresses (groups of numbers separated by dots, like 192.168.123.456), because it is safe to say any
domain name in the message is probably bunk.
- Use WHOIS to trace IP addresses back to their provider. If you are running Unix or OS/2, you already
have WHOIS tools. If your machine runs Microsoft Windows or Macintosh, you can download WHOIS
tools from Tucows. Amiga users can find WHOIS packaged as part of NetInfo.
You may also try Network Query Tools for IP tracking purposes.
The default whois server does not store IP addresses. Here are the whois servers that do:
  - American Registry for Internet Numbers: whois.arin.net
  - European IP address allocations: whois.ripe.net
  - Asia Pacific IP address allocations: whois.apnic.net
- If you can't find who the spam sender is, but you can tell which mail relay they are using,
write to the owner of that relay. Chances are the system administrator does not even know the server
is being abused. The admin might have logs containing more information, or may at least be able to
configure protection on the mail server so that it can't be taken advantage of again.
This helps everybody. If you want to report spam abuse coming from ChaliceHost.com's network, please
write a message to abuse@chalicehost.com
- Beware of red herrings. While the truth may be contained somewhere in the header, quite a lot of it may be fake. Watch out.
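The header walk described above, as an added example that is not part of the original page: it reads the "Received" lines of a constructed sample message in transit order (earliest hop first), pulls out the IPv4 addresses, skips the private ranges that no WHOIS server can resolve, and returns the first publicly routable address, which is the sender or the relay whose owner you would write to. The hostnames and addresses in the sample are constructed (RFC 5737 documentation ranges).

```python
import email
import ipaddress
import re
# Constructed sample (RFC 5737 documentation addresses, not a real spam).
# Each relay prepends its own "Received:" line, so the LAST one is the earliest hop.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.com (unknown [198.51.100.25])
\tby mx.example.net with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from bogus.example (localhost [192.168.1.50])
\tby relay.example.com with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
X-Authentication-Warning: relay.example.com: bob set sender to spam@example.invalid using -f
From: "Friendly Offer" <spam@example.invalid>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Never routed on the public Internet: such an address only identifies a host
# inside the relay's own network, so it cannot be looked up in WHOIS.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def received_hops(raw):
    """Received headers, earliest hop first, with (ip, is_internal) pairs."""
    hops = []
    for line in reversed(email.message_from_bytes(raw).get_all("Received", [])):
        ips = []
        for text in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # an octet above 255 is not a real address; skip it
            ips.append((text, any(ip in net for net in INTERNAL)))
        hops.append({"header": " ".join(line.split()), "ips": ips})
    return hops

def likely_origin(raw):
    """First public IP walking up from the earliest hop: the sender, or at
    least the relay whose owner can be asked to check their logs."""
    for hop in received_hops(raw):
        for text, internal in hop["ips"]:
            if not internal:
                return text
    return None

def auth_warnings(raw):
    """Servers that add X-Authentication-Warning name the local account used."""
    msg = email.message_from_bytes(raw)
    return [" ".join(w.split()) for w in msg.get_all("X-Authentication-Warning", [])]
```

Feed the result of `likely_origin` to the regional whois server listed above; remember that the hostnames in the "from" part of each line are claimed by the connecting machine and can be fake, while the bracketed address was recorded by the receiving server.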
How do I delete all spam messages?
Tucows has several anti-spam utilities that will allow you to filter and delete e-mail without downloading it.