After the massive response to my "I've caught a spammer" posting last night, I thought I'd post an update on my investigations, and also share some tips and tricks on how each one of us can make a difference fighting spam...
First of all - yes, for those of you who wonder, I did have a 20-minute phone call with the president of the "advertising company" I mentioned I had hunted down yesterday. I will also keep this dialogue going, as he was "surprised" by my call -- apparently they've been in business for a year, and mine was the first call they ever got.
I got some initial insight into their business, and I will share this with you separately later on; quick summary: basically there is this whole massive industry of collecting and reselling "legitimately opted-in mail addresses" of people who, when signing up for various sites, have allowed the site to "share your mail address with selected, carefully screened partners"... This, of course, should set off all one's alarm bells, and if it doesn't, you really have no one but yourself to blame for at least some of the spam you're receiving.
However, their current claim is that "by mistake" a list of "bad addresses" (apparently slang for addresses that are not opted in) has been purchased and added to the "opt-in mailing list". We'll give them the benefit of the doubt for now; I've traded some sample messages for contact information of the people that actually send out the messages, and of course I will keep you posted. I expect to dig into this either tomorrow night (I'm in a different timezone than the people I'm looking for) or Monday. Watch this space regularly for more updates ;-)
In the meantime, I thought I'd share some techniques and tips you can use if you want to call your spammer:
Some of the next tips are easiest to use if you have access to a UNIX shell account. If you don't, I'll try to come up with some web-based alternatives.
First: how can we find out who the spammer is? My approach was to actually access one of the URLs that was marketed in the mailing I received. Be aware that fetching a URL from a spam message confirms to the sender that your address is live and read, so it is safer to pull the host name out of the URL and look it up without visiting the site. If the spam does not advertise a URL but rather a phone number, you're done (this doesn't happen all too often nowadays, does it...? :-)
Find out who owns the domain name by doing a "whois". From a UNIX shell account, type
whois domainname.com
and if the domain is registered with a registrar other than InterNIC/Verisign, the reply will at least name the registrar's whois server to query next. If the domain is registered through, for example, GoDaddy, type
whois -h whois.godaddy.com domainname.com
This website seems to do the trick as well.
Anyone registering a domain name is obliged to give a valid email address and other contact information (including phone and fax) with the registration, and this used to be publicly available information. You will come across fake ones, and these days most registrant details are hidden behind a privacy proxy or redacted outright (since 2018, under GDPR), so expect to end up with the registrar's abuse contact rather than the registrant, but don't give up.
If digging into the domain records gets you nowhere, find their ISP. There are a variety of ways to go about this. If the company uses a web-hosting company, you can usually run the same whois on the domain of the hosts listed as "name servers" in the whois record you pulled for domainname.com.
UNIX users can also do a
host -al domainname.com
which asks the name server for a full zone transfer (AXFR). Almost every server refuses that to strangers, and refusing is the correct configuration, so fall back to
host -t MX domainname.com
which yields the names of the mail servers serving the domain, and
host -t NS domainname.com
the name servers. Whoever runs those mail and name servers is the hosting company or ISP you are looking for. Most ISPs have an "abuse@" address, and mailing abuse@ at the ISP's own domain should get you a response.
If there are no domain names, just IP addresses, do a reverse lookup on the address with a tool named "nslookup" (or "host") to find the corresponding host name, and then go ahead as mentioned above. Bear in mind that the reverse (PTR) record is set by whoever controls the address block, so a spammer's host may have no name at all, or a misleading one.
In case there is no corresponding domain name, look up the owner of the network block, or at least its administrative contact, at the whois servers of the regional network coordination centres (three of them at the time of writing, based in Europe, the USA and Asia). If this fails, traceroute to the address and contact the ISP of the ISP, and so on. Also go for a "full header view" of your email to see all the servers the mail passed through before reaching you. Read the Received: lines from the top: the topmost one was written by your own mail server and records the IP address that actually connected to it, which cannot be faked; the HELO name in that line, and every line below the last server you trust, were written by machines the spammer may control and can say anything at all. Contact the operators of the trustworthy hops to help you find your target.
The centres are RIPE NCC (Europe, the Middle East and parts of Africa), ARIN (North and South America, the Caribbean and sub-Saharan Africa) and APNIC (Asia Pacific), and their whois servers are whois.ripe.net, whois.arin.net and whois.apnic.net. Two more registries have since been split out of those regions, LACNIC (Latin America and the Caribbean, whois.lacnic.net) and AFRINIC (Africa, whois.afrinic.net), but you need not guess which one holds an address: each registry refers you on for space it does not manage, and most whois clients pick the right registry for you.
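The header walk and the domain-gathering steps above, as an added example that is not code from the original post: a small Python program, chosen because unfolding Received: lines and pulling hosts out of URLs is awkward in the shell (the whois and host commands themselves stay as shown above). The sample message, its host names and addresses are constructed for the example (RFC 5737 documentation ranges, .example names); `our_host_suffixes` and `our_networks` are assumed to describe your own mail servers. `whois_query` and `whois_follow` speak the raw port-43 protocol and need network access; everything else runs offline.

```python
"""Offline triage of a spam message for the whois/host hunt above. Added
example, not from the original post; stdlib only. Sample message, hostnames
and addresses are constructed (RFC 5737 ranges, .example names)."""
import email
import ipaddress
import re
import socket

# Address literal an MTA writes into its own Received: line, e.g. "[198.51.100.7]".
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Lines by which IANA, a thin TLD registry (Verisign) or an RIR (ARIN) hand you on.
REFERRAL_RE = re.compile(
    r"^\s*(?:refer|whois|ReferralServer|Registrar WHOIS Server):\s*(\S+)", re.I | re.M)

SAMPLE = """\
Received: from relay.victim.example (relay.victim.example [10.0.0.5])
\tby mx.victim.example (Postfix) with ESMTP id 4F2A1; Fri, 14 Jun 2002 21:03:12 +0200
Received: from bulkmail.example (unknown [198.51.100.7])
\tby relay.victim.example (Postfix) with SMTP id 7C9E0; Fri, 14 Jun 2002 21:03:10 +0200
Received: from innocent.example (innocent.example [203.0.113.9])
\tby bulkmail.example with ESMTP id 12345; Fri, 14 Jun 2002 09:00:00 -0700
Subject: You have been selected

Visit http://www.cheap-pills.example/buy?ref=42 today!
<img src="https://tracker.example/open.gif">
"""

def received_hops(raw):
    """Received: headers as (from_host, from_ip, by_host), newest first: each MTA
    prepends its own line, so the top one is from the server nearest you."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        frm, ip, by = FROM_RE.match(flat), IP_RE.search(flat), BY_RE.search(flat)
        hops.append((frm and frm.group(1), ip and ip.group(1), by and by.group(1)))
    return hops

def handoff_ip(hops, our_host_suffixes, our_networks):
    """Address that delivered the message to the first server we control: walk
    from the top while the "by" host is ours (only those lines were written by
    machines we trust; the address they log comes from the TCP connection, unlike
    the forgeable HELO name) and stop at the first address outside our networks."""
    suffixes = tuple(s.lower() for s in our_host_suffixes)
    nets = [ipaddress.ip_network(n) for n in our_networks]
    for _from_host, ip, by in hops:
        if by is None or not by.lower().endswith(suffixes):
            return None  # the chain never reached a server we trust
        if ip is None:
            continue  # internal hop logged without an address literal
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            return ip
    return None

def advertised_hosts(raw):
    """Hostnames of the URLs in the body: the domains to whois first, without
    visiting them (fetching a spam URL tells the sender the address is read)."""
    msg = email.message_from_string(raw)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            hosts.update(h.lower() for h in URL_HOST_RE.findall(body))
    return sorted(hosts)

def whois_query(query, server, port=43, timeout=10):
    """Raw whois protocol (RFC 3912): send one line, read until close. Needs network."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode() + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def whois_follow(query, server="whois.iana.org", max_hops=4):
    """Start at IANA and follow referrals, as whois(1) does for you: IANA names
    the RIR for an address or the registry for a TLD, and a thin registry such
    as Verisign's .com names the registrar holding the contact data."""
    asked, replies = [], []
    while server and server not in asked and len(asked) < max_hops:
        asked.append(server)
        reply = whois_query(query, server)
        replies.append((server, reply))
        match = REFERRAL_RE.search(reply)
        server = match.group(1) if match else None
        if server and server.startswith("whois://"):
            server = server[len("whois://"):]
        if server and "://" in server:  # rwhois etc.: not the plain protocol
            break
    return replies

if __name__ == "__main__":
    print(handoff_ip(received_hops(SAMPLE), (".victim.example",), ("10.0.0.0/8",)))
    print(advertised_hosts(SAMPLE))
```

For the sample, `handoff_ip` returns 198.51.100.7: the address that connected from outside our network to relay.victim.example, the first server we control. The line below it, claiming the mail came from innocent.example, was written by the spammer's own relay and is exactly the kind of line you must not act on. Feed the handoff address and the advertised host names to `whois_follow` (or to the whois commands above) and go from there.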
Good luck! Don't blame me if you don't get hold of the spammer in the end, though... Here's some more you can do:
The saddest part is that after getting zero response or action for any complaint sent to the Sprint abuse address, we decided to send each spam report to every email address (including press contacts and executive offices) we could get off the Sprint site. All of a sudden we've had real people contacting us, even if it is only because we've annoyed them. Not the most polite way to go, but there you go -- it has been tried before ;-)
Anders Jacobsen