A Conversation for How to Fight Spam
Fake headers
Pezvi Started conversation Mar 14, 2003
One of the IP blocks we own was included in the header information used by spamware. We were receiving 50 complaints a day for something which couldn't possibly have come from our network (the IP block is owned but not in use, and all of its addresses are blocked at our Internet edge). In effect, the anti-spammers were spamming us... nobody was trying to sell us anything, but our resources were drained just the same.
As someone on the receiving end of numerous erroneous complaints, I thought it important to point out almost all the information in the header can be (and usually is) falsified. Be careful when parsing email headers. Sending email to everyone indicated in the header, or using a program which does, serves to contribute to the clutter.
Fake headers
U195408 Posted Mar 14, 2003
Good point... I track spam manually, and sometimes the originating IP address doesn't make sense (it's the IANA or something similar). So then I go up the list. I usually then find an IP address in Brazil or Korea or somewhere...
Fake headers
LordFox Posted Mar 15, 2003
I also use the method of manually tracing and reporting spam. I'd rather decide myself on what is spam than letting spamfilters and such do that job. If I don't have the time to research it, alas, it goes to the recycle bin (but does not get recycled).
There really is just one piece of the header that you can really trust, and that is the IP address of the server that sent the piece of spam to the mailserver of your provider. Remember: all the rest *can* be faked - it isn't always faked, but it's no use investigating any further IP addresses in the header. Usually you'll end up with an address in a reserved block, the US Army or such things.
A good piece of software, by the way, to do whois lookups is Sam Spade (www.samspade.org - you can use the online tools, or install the program if you run on Windows). Highly recommended by me, I use it all the time.
Another tip for those who are really getting the hang of tracing spammers and such: should you have installed a firewall on your PC (which I highly recommend if you have any kind of permanent connection through the Internet with DSL or cable), use a logfile analyser to see who has been trying to enter your computer. I use the ZoneAlarm firewall in conjunction with ZoneLog Analyser (zonelog.co.uk) and together with Sam Spade I've been able to track some would-be intruders. Please DO read the manual if you start with ZoneLog Analyser....
Regards,
Rick
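The point made in the post above (only the address recorded by your own provider's mail server can be relied on) can be checked mechanically. The following is an added example, not part of the original conversation: the host names, networks and sample message are constructed, and `handoff_ip` is a hypothetical helper that walks the `Received:` lines from the top and stops at the first one your own servers did not write.

```python
import email
import ipaddress
import re

# Assumes Postfix-style "from helo (rdns [ip]) by host" lines; other MTAs differ.
PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)

# Constructed sample; all hostnames and addresses are made up for illustration.
SAMPLE = """\
Received: from mx.myprovider.example (mx.myprovider.example [192.0.2.10])
\tby store.myprovider.example with LMTP; Fri, 14 Mar 2003 10:00:03 +0000
Received: from mail.sender.example (unknown [203.0.113.45])
\tby mx.myprovider.example with ESMTP; Fri, 14 Mar 2003 10:00:02 +0000
Received: from relay.mil.example ([10.1.2.3])
\tby mail.sender.example with SMTP; Fri, 14 Mar 2003 09:59:58 +0000
Received: from pc ([198.51.100.7]) by relay.mil.example; Fri, 14 Mar 2003 09:59:50 +0000
From: offers@bulk.example
Subject: Make money fast

body
"""

def handoff_ip(raw, own_hosts, own_nets):
    """Return (ip that connected to our servers, ips from unverifiable headers)."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    hops = email.message_from_string(raw).get_all("Received", [])
    trusted, rest = None, []
    for i, hop in enumerate(hops):          # newest header first
        by, peer = BY_HOST.search(hop), PEER_IP.search(hop)
        try:
            addr = ipaddress.ip_address(peer.group(1)) if peer else None
        except ValueError:
            addr = None
        # Stop trusting as soon as a line was not stamped by one of our hosts.
        if not by or by.group(1).lower() not in own_hosts or addr is None:
            rest = hops[i:]
            break
        if any(addr in n for n in nets):    # internal relay, keep walking down
            continue
        trusted, rest = str(addr), hops[i + 1:]
        break
    unverified = [m.group(1) for m in map(PEER_IP.search, rest) if m]
    return trusted, unverified

# Assumed values: the receiving provider's own mail hosts and address range.
OWN_HOSTS = {"mx.myprovider.example", "store.myprovider.example"}
OWN_NETS = ["192.0.2.0/24"]
```

Complaints belong with the owner of the first returned address; the second list is what the sender could have written themselves, so it should not be used to pick complaint recipients.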
Fake headers
LordFox Posted Mar 15, 2003
Just a little additional information:
Should you receive any Get Rick Quick schemes coming from the US (most I get come from the US), you can forward them to the Federal Trade Commission at [email protected].
Should the spam come from California and NOT have 'ADV:' in the subject headers (which is required by law) you can forward the e-mail to [email protected].
Regards,
Rick