Main menu


How To Determine The Origin Of Spam?

Anti-Spam Email Filter, antispam software, spam, spam blocker, stock spam, image spam

Spam will continue spreading as far as it makes profit. If nobody buys from spammers or acts upon their scams, spam will end. This is the obvious and easiest way to fight spam. You can ignore and delete spam emails you receive. But you can also take vengeance on the spammer by complaining to the spammer's Internet Service Provider (ISP). The ISP will block their connection and maybe impose a fine (depending on the ISP's acceptable usage policy). Spammers beware of such complaints and try to disguise their messages. That's why finding the right ISP is not always easy.

Lets look inside a spam message. Every email message includes two parts, the body and the header. The body is the actual message text and attachments. The header is a kind of the envelope of the message. The header shows the address of the message sender, the address of the message recipient, the message subject and other information. Email programs usually display these header fields:

From: shows the sender's name and email address.
To: shows the recipient's name and email address.
Date: shows the date when the message was sent.
Subject: shows the message subject.

The From: field usually contains the sender's email address. This lets you know who sent the message and allows you easily reply. Spammers, of course, dont want you to reply and dont want you to know who they are. Therefore, they put forged email addresses into the From: lines of their emails. So the From: field wont help you if you want to determine where the spam email comes from.

Tip! With G-Lock SpamCombat you can easily preview not only the message text but also all the fields of the message header . You can choose the preview format by yourself. You can view the message as HTML, decoded message, or message source.There are also several Received: fields in the header of every message. Email programs dont usually display the Received: lines but the Received: lines can be very helpful in tracing the spam origin.

Just like a postal letter goes through a number of post offices before its delivered to the recipient, an email message is processed by several mail servers. Each mail server adds a line to the message header a Received: line which contains

- the server name and IP address of the machine the server received the message from and
- the name of the mail server itself.

Each Received: line is inserted at the top of the message header. If we want to reproduce the messages path from sender to recipient, we start from the topmost Received: line and walk down until the last one, which is where the email originated.

Just like the From: field the Received: lines may contain forged information to fool those who would want to trace the spammer. Because every mail server inserts the Received: line at the top of the header, we start the analysis from the top.

The Received: lines forged by spammers usually look like normal Received: fields. We can hardly tell whether the Received: line is forged or not at first sight. We should analyze all the Received: lines chain to find out a forged Received: field.

As we mentioned above, every mail server registers not only its name but also the IP address of the machine it got the message from. We simply need to look what name a server puts and what the next server in the chain says. If the servers dont match, the earlier Received: line is forged.

The origin of the email is what the server immediately after the forged Received: line says about where it received the message from.

Let's see how determining of the spam email origin works in real life. Here is the header of a spam message weve recently received:

Received: from unknown (HELO ( by mail1.myserver.xx with
SMTP; 7 Nov 2006 10:54:16 -0000
Received: from by; Tue, 07 Nov 2006 05:53:35 -0500
Date: Tue, 07 Nov 2006 12:48:35 +0200
From: Pharmacy

Reply-To: umceqhzjmndfy
X-Priority: 3 (Normal)
Subject: Cheap Med*s V!agra Many Med_s QnNXpRy9
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

At first, look at the forged From: field. The email address in the From: and Reply-To: lines doesnt exist. So, the spammer took care about directing bounced messages and all the indignant replies people may send to a non-existing email account.

Secondly, the Subject: line. It contains the variations of the Meds and Viagra words that are known to be met in spam messages. Plus, the subject contains a range of random characters. Its obvious that the subject line is skillfully tailored to fool anti-spam filters.

Lastly, lets analyze the Received: lines. We start from the oldest one - Received: from by; Tue, 07 Nov 2006 05:53:35 -0500. There are two IP addresses in it: says it received the message from

We check if the next (and last in this case) mail server in the chain confirms the state of the first Received: line. In the second Received: field we have: Received: from unknown (HELO ( by mail1.myserver.xx with SMTP; 7 Nov 2006 10:54:16 -0000.

mail1.myserver.xx is our server and we can trust it. It received the message from an "unknown" host, which says it has the IP address Yes, this confirms what the previous Received: line says.

Now lets find out where our mail server got the message from. For this purpose, we look at the IP address in brackets before the server name mail1.myserver.xx. It is This is the IP address the connection was established from, and it is not The spam message originates from Its important to note that its not necessarily that the spammer is sitting at the computer and sending spam over the world. It may happen the computers owner doesnt even suspect of being sending spam. The computer may be hijacked by a Trojan, which is spreading spam without the machines owner knowing it.

We hope this information will help you identify the spammer's ISP and report them about spam so they can take proper measures.