http://www.cybernothing.org/faqs/net-abuse-faq.html
And Bill's WWW page "Everything You'd Rather Not Have To Know About
Net-Abuse" :
http://www.tezcat.com/~haz1/netabuse/netabuse.html
The latest & greatest version of this FAQ will be found at:
http://digital.net/~gandalf/spamfaq.html
PLEASE email follow-ups, additions / changes to [address elided].
My news source is OK, but I sometimes miss items.
There are places in this FAQ with ALL CAPS. This is where I need some
help or input. I accept all and any input. I consider myself to be
the manager of this FAQ for the good of everyone, not the absolute &
controlling Owner Of The FAQ. I do not always write in a completely
coherent manner. What makes sense to me may not make sense to others.
If the community wants something added or deleted, I will do so. I
removed any e-mail and last name references to someone making a
suggestion / addition. This is so that someone doesn't get upset at
this FAQ and do something stupid. If you don't mind having your
e-mail in this FAQ (or where it is required), please tell me and I will
add it back in.
First off, before trying to determine where the post or e-mail
originated from, you should realize that (just like the National
Enquirer, or a logical argument from C&S, i.e. Canter & Siegel) the
message will have *some* amount of truth, but all or most of the
information may be forged. Be careful before accusing someone.
Commands used in this FAQ are UNIX & VMS commands. Sorry if they
don't work for you; you might wish to look around at your own system's
commands to find an equivalent (or I might be able to help out some).
And no, I am not going to tell you how to post a fake message or fake
e-mail. It only took me about 2 days (a few hours a day) to figure it
out. It ain't difficult.
Sections in this portion of the FAQ :
o Tracing an e-mail message
o Listserve messages
o Tracing a posted message
o What is an IP address and converting an IP address
o WWW IP Lookup URL's
o Converting that IP to a name
o Getting a complaint to the correct person
o Filtering E-Mail using procmail or News with Gnus
o Misc. (Because I can't spell miscellaneous :-)) stuff I couldn't
think to put anywhere else.
o Origins of Spam
o The MMF (Make Money Fast) Posts or any fraud on the Internet
o Those annoying 1-900 & 1-800 Sex Phone Ads
o How To Respond to SPAM
o Revenge - What to do & not to do (mostly not)
o Telephoning someone
o Snail Mailing someone
Every e-mail or post is injected into the information stream at some
point. An e-mail message has a real computer from which it was first
passed along; likewise a post has a news server that started passing
it. The forged parts of the headers describe where the message
"looked" like it passed through; only the logs at the real sites show
where it actually went. So you need the cooperation of the postmaster
at each site the message passed through, and in practice that means
the cooperation of all the postmasters in a string of sites...
Tracing an e-mail message
============================================
The first (and easiest) thing to forge is the e-mail return address.
Most personal computer mail and news software lets you type in just
about any e-mail address you want (for example the software I am
using to post this message). Unless someone is a real idiot or truly
doesn't know they will annoy tons of people, they will forge a fake
return address or put in the e-mail address of someone they don't
like.
Most mail hosts will accept (relay) e-mail from any other host, so the
postmasters at "upstream" sites that merely passed the message along
can tell you little; don't send your complaints to them.
You will need to take a look at the full headers of the message (if
you can); in PINE (for example) hit "h" to show them. Look for a line
like the following:
Message-ID: <[elided]>
Look at the Message-ID first & see what site it appears to come from
(the part after the "@" sign). If it is a bunch of numbers (an IP
address), do an "nslookup" (described further below) to find the site
name. Every message should also carry a different number in front of
the "@": the Message-ID is meant to be unique per message. If several
messages share one Message-ID, the sender supplied it by hand, which
means someone *very* familiar with the SMTP protocol who is forging
e-mail through another site (like the Euphoria Tape spammer).
Sometimes this header will even tell you who the message actually came
from.
In the header below, the Received line shows the connecting host as
ppp007.free.org [199.3.242.38], while the Message-Id carries a
different, unnamed address, 204.183.126.181. The only way to identify
that second address is an nslookup on it; then proceed from there.
>Received: from [199.3.242.38] (ppp007.free.org [199.3.242.38]) by
>  sirocco.CC.McGill.CA (8.6.12/8.6.6) with SMTP id EAA16681;
>  Sat, 11 Nov 1995 04:50:30 -0500
>X-SMTP-Posting-Origin: [199.3.242.38] (ppp007.free.org [199.3.242.38])
>X-Sender: [address elided] (Unverified)
>Message-Id: <v0153051facca0e1e11d6@[204.183.126.181]>
Sample fake e-mail message :
From A@b.c.d Sat Nov 11 13:16 EST 1995
Received: from wavenet.com (wavenet.com [198.147.118.131]) by
    ddi.digital.net (8.6.11/8.6.9) with ESMTP id NAA04656 for
    <[address elided]>; Sat, 11 Nov 1995 13:16:03 -0500
Received: from ddi.digital.net (ddi.digital.net [198.69.104.2]) by
    wavenet.com (8.6.12/8.6.9) with SMTP id KAA27279 for
    [address elided]; Sat, 11 Nov 1995 10:27:52 -0800
Received: from wavenet.com (wavenet.com [198.147.118.131]) by
    ddi.digital.net (8.6.11/8.6.9) with ESMTP id OAA18017 for
    <[address elided]>; Tue, 24 Oct 1995 14:09:46 -0400
Received: from inetlis.wavenet.com (port16.wavenet.com
    [198.147.118.209]) by wavenet.com (8.6.12/8.6.9) with SMTP id LAA02685
    for <[address elided]>; Tue, 24 Oct 1995 11:21:12 -0700
This is a mail message I sent to myself just to use as an example. I
have cut out a bit of the other header information so that I could
take a look at just the important parts.
The obvious faked piece is the "From" address. Read the Received
headers from the bottom to the top to trace which sites the message
has gone through; each site adds its own line at the top. Do an
nslookup on each IP address (for example I would verify that
198.147.118.131 actually is wavenet.com). If the IP doesn't jibe with
the name, then you may have the IP address of the e-mail faker. This
message decodes to the following:
port16.wavenet.com = 198.147.118.209
wavenet.com = 198.147.118.131
ddi.digital.net = 198.69.104.2
From site            To site          Date / Time (delta GMT)          Time in GMT
                                                                       hh:mm:ss
==================================================================================
inetlis.wavenet.com  wavenet.com      Tue, 24 Oct 1995 11:21:12 -0700  18:21:12
wavenet.com          ddi.digital.net  Tue, 24 Oct 1995 14:09:46 -0400  18:09:46
ddi.digital.net      wavenet.com      Sat, 11 Nov 1995 10:27:52 -0800  18:27:52
wavenet.com          ddi.digital.net  Sat, 11 Nov 1995 13:16:03 -0500  18:16:03
Wolfgang Schelongowski <[address elided]> reminds us :
The first is hh:mm:ss WULT (WULT == Widely Unknown Local Time :-))
with a delta from GMT, so you add in the delta to get a "zero" time.
The time is from the computer transmitting, so it is possible to have
the clocks several minutes apart.
GMT = Greenwich Mean Time, the time once kept at the Royal Greenwich
Observatory in Greenwich, England. For header purposes it is the same
as UTC (Coordinated Universal Time), also written "Z" or "Zulu" or
called zero time. UTC is computed internationally (by the BIPM) from
the clocks of many national laboratories; the UK's contribution comes
from the National Physical Laboratory, not the RGO.
I manually inserted the first two mail transfers myself (as you can
see from the date / times) to muddy the waters. It looks like this
message originated from inetlis.wavenet.com, when in reality it came
from ddi.digital.net. The date / time (in this case) tells you that
something is wrong: read bottom to top, the clock runs backwards twice
(18:21:12 to 18:09:46 on 24 Oct, then 18:27:52 to 18:16:03 on 11
Nov), which no chain of real relays produces. Large gaps between hops,
on the other hand, are not by themselves suspicious: a computer may be
down along the way, which holds up the mail.
You really need cooperation from other people, and you should get
several copies of the message to compare the headers. There will be a
common "injection" point, whether it is the starting point or
somewhere in the middle. Ask that postmaster to look through the logs
& figure out who sent the e-mail: someone at the first common
injection point "From" site spammed it out.
It has been kindly pointed out to me that there is a "feature" (read
"bug") in the UNIX mail spool (mbox) format: messages are separated by
lines that begin with "From " (no colon), so the person e-mailing you
can put such a line, followed by a fake set of headers, at the end of
their message body. Your mail reader then thinks you have 2 messages
when the joker only sent one (with a fake message appended). If the
headers on a message look *really* screwy, look at the message before
it and consider whether the screwy one may be a "joke" message
appended to that one.
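An added example (not from the FAQ) of that spool trick and how to see through it. The mbox text is constructed: one genuine message whose body carries a fake "From " separator line and fake headers. A naive reader that splits on "From " lines shows two messages; the check that separates them is that only the genuine one carries a Received: line stamped "by" your own mail host (mail.example.invalid here is an assumed name), since the joker can type any headers but cannot add the stamp your server writes when it really accepts a message. The last function shows the fix a careful local delivery agent applies, quoting "From " at the start of a body line as ">From ".

```python
import re

# Assumed name of the host that delivered the mail into your spool; only a
# Received: line stamped "by" this host proves a message really arrived.
LOCAL_MTA = "mail.example.invalid"

# Constructed mbox: one genuine message whose *body* contains a fake "From "
# separator line followed by fake headers.  Everything after the first
# blank line was typed by the sender.
MBOX = """\
From joker@example.invalid Sat Nov 11 13:16:03 1995
Received: from relay.example.invalid (relay.example.invalid [192.0.2.10]) by
 mail.example.invalid (8.6.12/8.6.9) with SMTP id NAA00001;
 Sat, 11 Nov 1995 13:16:03 -0500
From: joker@example.invalid
To: you@example.invalid
Subject: hello

nothing to see here

From victim@example.invalid Sat Nov 11 13:20:00 1995
From: victim@example.invalid
To: you@example.invalid
Subject: I am an idiot, please flame me

(forged "second message" that never went through any mail server)
"""


def split_mbox(text):
    """What a naive mail reader does: a line beginning 'From ' (no colon)
    starts a new message.  Returns the list of messages it would show."""
    parts = re.split(r"^(?=From )", text, flags=re.M)
    return [p for p in parts if p.strip()]


def unfold(header_block):
    """Join continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def delivered_locally(msg, local_mta=LOCAL_MTA):
    """True if some Received: line was stamped by our own MTA.  The joker can
    type any headers into the body, but cannot add the stamp our server
    writes when it really accepts a message."""
    header_block = msg.split("\n\n", 1)[0]
    return any(
        line.startswith("Received:") and f" by {local_mta} " in line
        for line in unfold(header_block)
    )


def escape_from_lines(body):
    """The fix a careful local delivery agent applies: quote 'From ' at the
    start of a body line as '>From ' so the body can never forge a separator."""
    return re.sub(r"^From ", ">From ", body, flags=re.M)


if __name__ == "__main__":
    for i, m in enumerate(split_mbox(MBOX), 1):
        subject = next(l for l in m.splitlines() if l.startswith("Subject:"))
        print(f"message {i}: {subject}  genuine={delivered_locally(m)}")
```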
Listserve messages
============================================
A Listserve is an automated (moderated or unmoderated) mailing list
for an interest group. A message gets sent to the Listserve and it
gets passed to everyone on the Listserve list. A one to many
relationship.
Example Header appears below:
Received: from dir.bham.ac.uk (dir.bham.ac.uk [147.188.128.25]) by
    gol1.gol.com (8.7.5/8.6.9) with SMTP id GAA27292 for <[address elided]>;
    Sun, 5 May 1996 06:31:15 +0900 (JST)
Received: from bham.ac.uk by dir.bham.ac.uk with SMTP (PP) using DNS
    id <[id elided]>; Sat, 4 May 1996 20:56:49 +0100
Received: from emout09.mail.aol.com (actually emout09.mx.aol.com) by
    bham.ac.uk with SMTP (PP); Sat, 4 May 1996 21:13:03 +0100
Received: by emout09.mail.aol.com (8.6.12/8.6.12) id PAA29156; Sat, 4
    May 1996 15:35:53 -0400
Date: Sat, 4 May 1996 15:35:53 -0400
From: [address elided]
Message-ID: <[id elided]>
Subject: CRaZy Complimentary Offer........
This is a post from Kevin Lipsitz for his "===>> FREE 1 yr. USA
Magazine Subscriptions". Reports are that he doesn't provide very
good service after the sale of the subscription (that is, if you even
get a magazine). In relation to the Internet he makes a slimy used
car salesman look like a saint. We won't even start to discuss the
fact that he likes to use female names for his messages...
For more info about "Krazy Kevin" or the Magazine Spam , Tony tells us
the page "Stop Spam!" is available in html format at:
http://www.iac.co.jp/~issho/stop-spam.html
Joel mentions that if you want even more details about Kevin, do a
search on "Lipsitz" in www.altavista.digital.com or www.lycos.com or a
similar search.
That having been said, e-mail from a Listserve can usually be broken
down the same way as "normal" e-mail headers; there are just more
waypoints along the way. As you can see from the above, the e-mail
originated from :
emout09.mail.aol.com
You might also wish to direct the listserve owner to look at & ask
questions in news.admin.net-abuse.misc about how to keep spam off the
listserve. It probably won't be all that difficult a thing to do.
Tracing a posted message
============================================
Tracing a fake post is probably easier than a fake e-mail because of
some posting peculiarities. You just have to save and look at a few
"normal" posts to learn what normal looks like, then spot what
differs. Most people are not energetic enough to go to the lengths
described below, but you never know.
Dan reminds us that first you should gather the same post from
*several* different sites (get your friends to mail the posts to you)
and look at the "Path" line. Somewhere it should "branch". If there
is a portion that is common to all posts, then the "actual" posting
computer is (most likely) in that portion of the path. That should be
the starting postmaster to contact. Be sure to do this expeditiously
because the log files that help to trace these posts may be deleted
daily.
Once again, start by looking at the Message-ID, and ask yourself if
that site makes sense. Then look at the part before the "@" in the
Message-ID and see if it is identical for several *different* posts
(i.e. separate articles posted to different groups, as opposed to one
article crossposted to several groups, which carries one Message-ID
by design). Message-IDs are unique for each *different* post, so if
separate posts share a Message-ID, they were faked. If you *really*
want to see some fake posts, look in alt.test or in the
alt.binaries.warez.* groups.
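An added Python example (not from the FAQ) of the two checks just described for posts: comparing the Path: line from several copies of one article to find where they branch, and looking for a Message-ID reused across separate articles. The right-hand part of each Path is the FAQ's fake post below; the sites on the left (newsfeed.a.example and so on) and the Message-IDs are constructed, since the page elides the real one. Each news server that relays an article prepends its own name, so the poster is at the right end and the newest relay at the left; the comparison therefore runs from the right end leftwards.

```python
# Constructed copies of one post's Path: line as saved at three different
# sites.  The right-hand part is the FAQ's fake post; the left-hand sites
# are made up.  Each relaying server prepends its name, so the poster is at
# the right end and the newest relay at the left.
PATHS = [
    "newsfeed.a.example!news.sprintlink.net!in2.uu.net!news.net99.net!news!s46.phxslip4.indirect.com!vac",
    "newsfeed.b.example!hub.b.example!in2.uu.net!news.net99.net!news!s46.phxslip4.indirect.com!vac",
    "newsfeed.c.example!news.net99.net!news!s46.phxslip4.indirect.com!vac",
]

# Constructed Message-IDs of four *separate* articles (different groups,
# different bodies).  A single article crossposted to several groups
# legitimately shares one Message-ID; separate articles never should.
POSTS = [
    ("alt.test", "<4726@s46.phxslip4.indirect.com>"),
    ("alt.personals", "<4726@s46.phxslip4.indirect.com>"),
    ("alt.romance", "<4726@s46.phxslip4.indirect.com>"),
    ("alt.test", "<4727@s46.phxslip4.indirect.com>"),
]


def common_path_suffix(paths):
    """Names every copy agrees on, in Path order (newest relay first).
    Comparison runs from the poster's end leftwards and stops at the first
    position where the copies branch."""
    split = [p.split("!") for p in paths]
    common = []
    for k in range(1, min(map(len, split)) + 1):
        names = {s[-k] for s in split}
        if len(names) != 1:
            break
        common.append(names.pop())
    common.reverse()
    return common


def branch_point(paths):
    """Leftmost name in the common portion: the server after which the
    copies took different routes.  The real posting server is at or to the
    right of it, so its postmaster is where to start asking for logs."""
    common = common_path_suffix(paths)
    return common[0] if common else None


def reused_message_ids(posts):
    """Map each Message-ID used by more than one separate article to the
    sorted list of groups it was seen in."""
    groups = {}
    for group, mid in posts:
        groups.setdefault(mid, set()).add(group)
    return {mid: sorted(g) for mid, g in groups.items() if len(g) > 1}


if __name__ == "__main__":
    print("common path:", "!".join(common_path_suffix(PATHS)))
    print("start with postmaster@" + branch_point(PATHS))
    for mid, gs in reused_message_ids(POSTS).items():
        print("reused", mid, "in", ", ".join(gs))
```

Two cautions: the poster's own news software writes the rightmost one or two Path components, so they are as forgeable as anything else in the header, and everything left of the branch point is only the route the article took to you, not evidence about who posted it.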
A fake post:
Path: ...!news.sprintlink.net!in2.uu.net!news.net99.net!news!s46.phxslip4.indirect.com!vac
From: [address elided] (Female User)
Subject: Femdom In Search of Naughty Boys
Message-ID: <[id elided]>
Sender: [address elided] (Female User)
Nntp-Posting-Host: s46.phxslip4.indirect.com
Organization: Internet Direct, Inc.
X-Newsreader: Trumpet for Windows[Version 1.0 Rev B final beta #1]
Date: Mon, 6 Nov 1995 01:59:38 GMT
Approved: [address elided]
