Learning how to knock out a spammer
If you're interested in learning how to take down a spammer, read on. The information in this article will only get you started. Over the years we have had several people ask us to help them deal with a spammer or bot master. Most of what we do is investigative work. By that we mean actually pulling apart the emails or decompiling the bots that we catch. Granted, decompiling is a job that most users cannot do themselves, but pulling apart emails is something you can do.
First off, you need to copy your entire spam email message over to a plain text file. Here is how to do this using Microsoft Outlook Express. The easiest way is to right click on the message in the top window, above the preview window, and click on Properties. Then click on Details. You will now see the full raw email, including its headers. Right click in that window and choose Select All, then right click again and choose Copy. Now you're ready to paste that into a blank text file. Open up Windows Explorer and either find a directory that is suitable or create one to hold all your investigative work.
Now create a new blank text file by right clicking anywhere in the empty space on the right side of Explorer, where the other files would normally be listed. Just don't click on a file itself. Rename it with a .txt extension (example.txt) so you know what it is. Open that file, right click in it, paste the content you just copied from the raw email, and then save it.
You will need a few tools to help you complete this investigation, and you can download them here on our site.
These tools will help you investigate and get you started in reporting spam to the right places. Please keep in mind, though, that you need to thoroughly investigate before making that complaint to the hosting provider or ISP. Complaining to the wrong provider will not only piss the provider off, but could result in serious backlash to your own provider. You've been warned!
Windows users will need the programs below. If you are running a *NIX system, these tools should already be built in.
Geektools
NSLOOKUP for Windows
Install these tools and keep reading.
Now look at the email and find where the http:// of a URL starts. Copy just the domain name portion: leave off the http://www. prefix and anything after the domain, so http://www.example.com/index.html becomes example.com. Open NSLOOKUP, paste the domain name into it, and hit Enter. We'll use the domain name from this article's spam sample to show a great example, at least until the registrar terminates the domain. You should see a list of IP addresses, one per line (our example domain resolved to dozens of them):
Open Geektools, type in each IP address (there may be more than one), and note who each IP belongs to. You should see something like this:
OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
NetRange: 151.196.0.0 - 151.205.255.255
CIDR: 151.196.0.0/14, 151.200.0.0/14, 151.204.0.0/15
NetName: VIS-151-196
NetHandle: NET-151-196-0-0-1
Parent: NET-151-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
NameServer: NS5.VERIZON.NET
NameServer: NS6.VERIZON.NET
Comment: Please send all abuse reports to abuse@verizon.net.
Comment: DO NOT send e-mail to DIA.ADMIN@verizon.com as it will not be answered.
RegDate: 1991-09-25
Updated: 2009-09-15
OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail: abuse@verizon.net
OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: 800-243-6994
OrgTechEmail: IPNMC@gnilink.net
# ARIN WHOIS database, last updated 2009-10-02 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
Now that you have the records, look through them to find the abuse@ address to send your full, raw, unedited copy of the spam mail to. If NSLOOKUP listed more than one IP, you can and should check each IP to find all the hosting providers involved. If you cannot find an abuse reporting email in the records, your only recourse is to pull up the hosting provider's website and look for a contact email there. They may not provide one there either, but they may have an online form for sending mail to them directly. Choose the appropriate department to send your complaint to.

We cannot stress enough that you do your homework before sending these complaints in. If you have evidence, such as logs of the intruder or anything else pertinent to the complaint, be sure to send that as well. Some departments may not accept attachments, so you may have to copy and paste the material into the body of the email. If you are still unable to find the right reporting department, or one does not exist, you can always contact the registrar responsible for that domain name. If you are unsure how to do some of this, please let us know and we'll see if we can help answer your questions.
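The three manual steps above (pull the domain out of the spam, look up who owns each IP, find the abuse contact in the WHOIS record) as a small script, added here as an example and not part of the original article. It also adds the homework check the article insists on: confirming that the IP you are about to complain about actually falls inside the NetRange/CIDR of the record you got back. The email body is constructed; the WHOIS record is the ARIN record shown above, trimmed to the fields used; all function names are mine.

```python
import ipaddress
import re

# Constructed sample of a raw spam message (not from the article) with two links.
SAMPLE_EMAIL = """Subject: cheap meds
Click here: http://www.example-pharmacy.test/index.html?x=1
or https://promo.example.test:8080/offer
"""

# The ARIN record shown in the article, trimmed to the fields this script reads.
SAMPLE_WHOIS = """OrgName: Verizon Internet Services Inc.
NetRange: 151.196.0.0 - 151.205.255.255
CIDR: 151.196.0.0/14, 151.200.0.0/14, 151.204.0.0/15
Comment: Please send all abuse reports to abuse@verizon.net.
Comment: DO NOT send e-mail to DIA.ADMIN@verizon.com as it will not be answered.
OrgAbuseEmail: abuse@verizon.net
OrgTechEmail: IPNMC@gnilink.net
# ARIN WHOIS database, last updated 2009-10-02 20:00
"""

URL_RE = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)

def extract_domains(raw_email):
    """Host names from every http(s) URL, with 'www.' and any port/path stripped."""
    seen = []
    for host in URL_RE.findall(raw_email):
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        if host not in seen:
            seen.append(host)
    return seen

def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists (keys such as Comment repeat)."""
    rec = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, _, val = line.partition(":")
            rec.setdefault(key.strip(), []).append(val.strip())
    return rec

def ip_in_record(ip, rec):
    """True only if ip is inside a CIDR block or the NetRange of this record."""
    addr = ipaddress.ip_address(ip)
    for block in rec.get("CIDR", []):
        for cidr in block.split(","):
            if addr in ipaddress.ip_network(cidr.strip(), strict=False):
                return True
    for rng in rec.get("NetRange", []):
        lo, _, hi = rng.partition("-")
        if ipaddress.ip_address(lo.strip()) <= addr <= ipaddress.ip_address(hi.strip()):
            return True
    return False

def abuse_contact(rec):
    """Prefer OrgAbuseEmail; otherwise fall back to an address named in a Comment line."""
    if rec.get("OrgAbuseEmail"):
        return rec["OrgAbuseEmail"][0]
    for comment in rec.get("Comment", []):
        m = re.search(r"abuse\s+reports\s+to\s+(\S+@\S+?)\.?$", comment, re.I)
        if m:
            return m.group(1)
    return None
```

Resolve each domain with your own nslookup and feed the IPs and the WHOIS text you get back into `ip_in_record` and `abuse_contact`; a False from `ip_in_record` means you queried the wrong record and should not send the complaint.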