How to Complain about Spam

Michael A. Covington
Artificial Intelligence Center
The University of Georgia
Athens, GA 30602-7415

The contents of this page date from before the passage of the CAN-SPAM Act and are not up to date. The technical information about how to trace the origin of spam is still useful, so I am keeping the page up for historical reasons.

The opinions and advice given here are based on my experience handling computer security incidents for The University of Georgia, but I am no longer on the incident handling team. Please do not contact me about spam or other computer security problems unless either (1) the present U.Ga. security team referred you to me, or (2) you wish to employ me as a consultant. -- Michael Covington

What is spam?

"Spam" or "UCE" is unsolicited commercial e-mail, i.e., e-mail sent to large numbers of people who didn't request it, containing advertisements or commercial messages of some sort.

Bulk mailings that you have requested are not spam. That is why you should not give your e-mail address to any business unless you know what they are going to use it for. Be careful -- some businesses will request your e-mail address on a form with fine print that says they have the right to resell it.

Many spammers say falsely that you have requested their mailings when you haven't. If you get a bulk mailing that is not from a company you recognize, then you probably didn't request it, even if it says you did.

Why can't people just report spam to The University of Georgia, or to their ISPs?

There are three reasons you shouldn't report spam to the University (or to whoever provides your Internet access) unless it actually seems to have originated on their site:

(1) There's too much of it. When you get spammed, we do too.

(2) If you just forward it to us, we won't receive the original header and won't be able to investigate the spam. You have to do the first stage of investigation yourself because nobody else can.

(3) Complaints are more effective if they come directly from the victims. This helps convince the site administrator that large numbers of ordinary people are being bothered, not just a few crotchety system administrators.

Is spam illegal?

Even if not illegal, it's universally hated

The Internet community considers spam intolerable for several reasons:

The cost of handling e-mail is mostly at the receiving end. That is, spammers are not paying the postage on their mass mailings.
The content of spam is often inherently annoying or obnoxious, comprising get-rich-quick schemes or other petty (or large) frauds and containing obvious lies.
To relay thousands of copies of their advertisements, spammers often steal computer services by making unauthorized use of mail-relaying services at unsuspecting sites, often Asian universities.
Spam is a nuisance. It wastes the time of the people who receive it and have to wade through it.

All major American and Western European Internet service providers prohibit their customers from spamming, whether or not the spam itself is mailed through the service provider in question.

Why it's not against federal law

Just before the Monica Lewinsky scandal broke, the U. S. Congress was on the verge of passing a law that would restrict spamming, and at the same time would legalize spamming under some circumstances (a bad idea). The law did not pass.

Spammers often claim, misleadingly, that their messages comply with the proposed law (the Murkowski bill, S.1614), as if that somehow legitimized what they were doing.

Unsolicited advertising by fax is illegal in the United States. Many people feel that the "junk-fax law" should be broadened to cover spam; that might even be done by a court ruling, but so far, it hasn't happened.

In many places it is illegal

The states of Washington and California and other places have local laws against spamming. See www.spamlaws.com for current information.

Pyramid schemes are illegal everywhere

Whether or not delivered by spam, pyramid schemes are illegal. A pyramid scheme is a scheme where you send money to the first name on the list, cross it off, add your name and address at the bottom, and distribute copies.

Pyramid schemes are illegal because there's no way everybody can make money. Nothing of value is being created, and there's no way everybody can receive more money than they send out; money doesn't come out of thin air.

Pyramid schemers often claim to have found loopholes in the law such as:

Selling "reports" rather than just asking for money. (Since the report has no value other than to cause the money to change hands, the postal inspectors do not consider the transaction to be a sale.)
Claiming that their get-rich-quick scheme "is featured on TV."
Claiming that their scheme has been approved by some government agency.

A good way to take action against this type of spammer is to send copies of the chain letter to the postmasters at all the U.S. ZIP codes that are on the address list (e.g., "Postmaster, New Haven, CT 06520").

Many spammers violate other fraud laws. In some places, for instance, it is illegal to give a false name or address when soliciting business, and that might apply to e-mail addresses. Consistent enforcement of existing laws has already greatly reduced the spam problem compared to what it was two or three years ago.

How to keep from receiving spam

Before I get to that, here's a more important piece of advice: Don't give up your right to use e-mail, newsgroups, etc., simply because you're afraid of spammers. All they can do is waste your time, and by reporting them properly, you can make sure that they suffer more inconvenience than you do.

To avoid receiving lots of spam:

Never reply to the "remove" address or click the "remove" button on a piece of spam. Notoriously, spammers do not comply with such requests. All you're doing is telling them that you received their spam, so now they know your address works!
Never click on a web link in a piece of spam. Remember, you have no idea what it leads to. All you know is that it was sent to you by a dishonest person!
Be a bit cautious about giving out your e-mail address. Don't conceal it totally, but don't give it to anyone from whom you do not actually want to receive e-mail. Don't automatically type it every time anyone asks for it; ask what it's going to be used for.
Don't put a mailto button on your web page; instead, present your e-mail address as plain text, and only in one place. (Automatic programs called "spambots" examine web pages and gather e-mail addresses from them. The fewer times yours gets gathered, the better.)
When you use newsgroups (Usenet, Dejanews), don't use your e-mail address as your return address. (This is a setting in the software that you use to read newsgroups.) Instead:
- Obscure your address by adding something else like "delete.this" at the end of it, e.g., jones@bigcompany.com.delete.this; or
- Give your web address rather than your e-mail address; people who want to contact you can look at your web page to find out how to do so.
Both of these tactics keep spammers from gathering your address from newsgroups.
If your Internet service provider offers a spam-blocking service, use it, but don't expect it to work miracles.

4. How to complain effectively

Never try to communicate with a spammer directly, for several reasons:

Most spammers give false return addresses.
Occasionally, spammers deliberately try to frame an innocent person. If you get spam that involves something blatantly illegal, such as child pornography, look carefully because it may be a frame-up.
Spammers are dishonest, and in many cases stupid and/or malicious.

Instead, your goal should be to identify how the spammer is connecting to the Internet, and get his service provider to take action against him.

Quite often, the spammer is expecting to get his account taken away. That doesn't mean that it's futile to complain. Your complaint has two useful effects:

It makes spamming harder, even if not impossible. (We may not be able to stop spammers, but we can inconvenience them to the ends of the earth!)
It convinces the service provider that spam is not tolerated and that they must prohibit their customers from doing it. (Present-day anti-spam rules arose largely because Internet service providers learned that if they let people spam, they would be deluged with complaints.)

How to find out where the spammer is connected

Sometimes the spammer tells you where he is

The "from" or "reply-to" address on a piece of e-mail is almost always false. Many spammers falsely claim to be on America OnLine (aol.com) or on some other site that they want to flood with complaints.

However, spammers have to provide you some way to get in touch with them and send them money. Sometimes they request you to e-mail a specific address to buy their services or to get removed from their mailing list. Often, they include web links in their e-mail.

Do not actually click on these links. You do not know what will happen.

However, do take a good look at them. Read the addresses. Instead of clicking on a link, just move your mouse cursor to it and watch -- the address will appear at the lower left corner of your main window. Write it down.

Note that an address may be written normally (http://somewhere.com), or as a four-part IP number (http://111.222.333.444), or as a large integer (http://982409240). See below for information on what to do with these.

Any Internet connection used by the spammer is worth tracing. It need not be the one from which the spam was actually sent. Addresses at which spammers receive e-mail (even "remove" requests) are worth tracing because most Internet service providers prohibit their customers from doing any spamming whether or not the spam is sent from that particular site.

Sometimes you must analyze the header

If the only contact information that a spammer gives you is a postal address or telephone number, things are not so easy. Often, however, you can still determine how the spammer is connected to the Internet.

The header of an e-mail message is like the address and postmark on a letter. It is a block of information that tells you how the e-mail reached you.

Parts of the header may be fake, though in my recent experience, complete falsification is nearly impossible. Every computer that handles the e-mail will add some information to the header, so even if the message starts out with a completely false header, true information will get added to it en route.

How to look at an e-mail header

Your mail-reading software provides some method to look at e-mail headers. If nothing else, you can save the entire piece of e-mail to a file and then look at the file with an ordinary text editor.

In Microsoft Outlook Express, here's how to view a header:

In the list of messages (normally at the upper right), right-click on the message that you want to investigate.
Choose "Properties."
Choose "Details."
You will now be looking at the header. If you wish, you can click on "Message Source" to view the entire message (header, text, and attachments) as a text file.

Normally, you will want to copy the header onto the Windows clipboard so that you can insert it into the complaint that you're writing. To do this, just mark the text with the mouse, right-click, and choose "Copy." Then go to the message you're writing and choose "Edit, Paste."

How to interpret the header

Here's an example of a header from a genuine piece of spam.

Received: from asdfasdfasdf-co-za.asdfasdfasdf.co.za ([196.14.134.146])
    by aisun0.ai.uga.edu (8.9.1/8.9.1) with ESMTP id DAA05726
    for ; Wed, 14 Feb 2001 03:21:21 -0500 (EST)
Date: Wed, 14 Feb 2001 03:21:21 -0500 (EST)
From: Jay_G9999@qwerty.no
Message-Id: <200102140821.DAA05726@aisun0.ai.uga.edu>
Received: from sable1 (host-216-77-212-127.fll.bellsouth.net [216.77.212.127]) 
    by asdfasdfasdf-co-za.asdfasdfasdf.co.za with SMTP 
    (Microsoft Exchange Internet Mail Service Version 5.5.1960.3)
    id 1S5Q566V; Wed, 14 Feb 2001 10:31:38 +0200
To: Jay_G9999@games.nmi.no
Subject: MAKE $50,000 IN 90 DAYS! N 90 DAYS! IT WORKS!
MIME-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Length: 14659

The "From" line is almost certainly fake. The spammer is calling himself Jay_G9999@qwerty.no, an address on a Norwegian site. He is almost certainly not in Norway. This is just the address he typed into his mail-sending software; anybody can type anything as his return address.

The "To" line is uninformative since the destination addresses were actually in the "BCC" lines, which were deleted in transit.

The "Received" lines are important. Although they could be partly fake, for the most part they tell you the route by which this piece of e-mail reached you. Specifically:

The message was delivered to mc@ai.uga.edu on aisun0.ai.uga.edu (that's me, the hapless victim).
It was sent to ai.uga.edu from something called "asdfasdfasdf-co-za.asdfasdfasdf.co.za ([196.14.134.146])." (I have changed this name at the request of the site owner.) Note that:
- The suffix .za is for sites registered in South Africa.
- The name asdfasdfasdf-co-za.asdfasdfasdf.co.za may well be fake.
- The IP address 196.14.134.146 is almost certainly genuine.
  I subsequently heard from the owner of that site, and the spam was apparently relayed through their machine without their permission.
It was sent to South Africa from host-216-77-212-127.fll.bellsouth.net [216.77.212.127]. That seems to be where it originated.

Aha! Now we're getting somewhere. Bellsouth.net is a major Internet service provider in the southeastern United States, and "fll" probably indicates one of their sites in Florida.

The spammer is sitting there in Florida, or somewhere in Bellsouth's territory, giving a false Norwegian address and forwarding his mail through a site registered in South Africa (or at least a site that identifies itself as such).

On the strength of this information, I sent a complaint, with a full copy of the header as well as the contents of the spam, to abuse@bellsouth.net, and they took action against the spammer.

Sometimes they get away...for now

Some spammers can connect to the Internet without going through a recognized, accountable service provider. Here's a header from which I wasn't able to extract much information:

Received: from RNR-DB. ([211.106.66.239])
    by aisun0.ai.uga.edu (8.9.1/8.9.1) with SMTP id BAA22758
    for ; Mon, 12 Feb 2001 01:50:09 -0500 (EST)
From: toner3@yep.com
Received: from 211.106.66.239 by RNR-DB. (SMI-8.6/SMI-SVR4)
    id PAA13725; Mon, 12 Feb 2001 15:20:25 +0900
Message-Id: <200102120620.PAA13725@RNR-DB.>
To: friend@republic.com
Date: Sun, 11 Feb 01 03:43:18 EST
Subject: toner supplies
Content-Type: text
Content-Length: 4106

The point of origin here is, or appears to be, 211.106.66.239. Both "Received" lines look very fishy; this message was not postmarked by Bellsouth or any other large company.

At this point I decided that this particular spam was not worth the time it would take to investigate further. That doesn't mean that I'm giving up; on the contrary, I fully expect this spammer to be caught and stopped -- just not by me, right now.

How to identify a service provider and submit a complaint

Using WHOIS data

Suppose you find out that a spammer is using an address on xyzxyz.com (a fictitious example). What do you do next?

The really big sites, both commercial and educational, usually have abuse addresses. That is, you can write to abuse@excite.com, abuse@telocity.net, abuse@uga.edu, etc., to complain about spammers using those sites.

Ordinarily, though, you must look up the site to find out who it belongs to. This is done through the UNIX "whois" command or through the server at www.networksolutions.com.

Remember that you are looking up only the last 2 words of the address. For example, server1.blah.mysite.com will not be listed, but mysite.com will be.

A word of caution: Plenty of sites are registered to unscrupulous characters who give false names and addresses, or who simply ignore spam complaints. Unfortunately, it is presently very easy to register a ".com" address with a false name and address. As long as the bills are paid, the registrars don't care.

More often than not, though, the "whois" data will include someone who works for an Internet hosting company and will act on the complaint. Here, for example, is a fictitious example:

Registrant:
Doe, John (XYZXYZ-DOM)
   115 Nowhere Road
   New Haven, CT 95630  US

   Domain Name: XYZXYZ.COM

   Administrative Contact, Billing Contact:
      Doe, John  (DD400)  doe@aol.com
      Doe, John
      115 Nowhere Road
      New Haven, CT 95630  US
      206 555-2368
   Technical Contact:
      Hostmaster, BlitherCom  (BC510)  hostmaster@BLITHERCOM.COM
      Blithering Idiot Communications
      007 Somewhere Road, Suite 8
      Santa Cruz, CA 95060
      (831) 555-1111 (FAX) (831) 555-1111

   Record last updated on 13-Dec-2000.
   Record expires on 18-Dec-2002.
   Record created on 17-Dec-1996.
   Database last updated on 14-Feb-2001 10:21:08 EST.

   Domain servers in listed order:

   NS.BLAH.COM      168.192.28.46
   NS2.BLAH.COM     168.192.28.35

Here's what you learn from this:

The site is registered to one John Doe of New Haven, Connecticut. If this person appears to be the spammer, do not contact him directly.
The site is hosted by Blithering Idiot Communications, for which you have an address and phone number. Since these do not match John Doe's address, Blithering Idiot is apparently an Internet service provider. Complain to them.
The site is nameserved by BLAH.COM, to whom you can and should also complain about the spam. (Do a "whois" search and make sure they're not the same as John Doe or Blithering Idiot.)

Tracing routes to find upstream service providers

Suppose John Doe, the suspected spammer, were the only person listed in the "whois" data. In that case you must find out how he actually connects to the Internet. One way is to find out who nameserves his site (as just mentioned). Another is to trace the route to it from your computer.

Under Windows 98, the tracert command does this. (Under UNIX, it's traceroute.) You must give it the full address of a machine, not just the last two words. Here is a fictitious example:

C:\WINDOWS>tracert www.xyzxyz.com

Tracing route to www.xyzxyz.com [168.192.66.239]
over a maximum of 30 hops
  1     4 ms     3 ms     2 ms  dsl-64-128-248-186.telocity.com [64.128.248.186]
  2    22 ms    22 ms    23 ms  route-64-128-254-1.telocity.com [64.128.254.1]
  3    24 ms    25 ms    25 ms  fe1-2-core1.atl.tlct.net [216.227.49.81]
.
.
.
 16   148 ms   148 ms   149 ms  ge-1-1-0.a05.lsanca01.us.ra.blither.net [129.250.29.138]
 17   149 ms   151 ms   249 ms  p1-1-0-0.a05.lsanca01.us.ce.blither.net [209.189.123.150]
 18   272 ms   270 ms   271 ms  www.xyzxyz.com [168.192.66.239]
Trace complete.

The first half of the list, or more, tells you how you are connected to the Internet. Then you start to see the path to www.xyzxyz.com. In particular, in this fictitious example, you learn that www.xyzxyz.com is connected through blither.net.

Accordingly, if you know of a spammer using xyzxyz.com, you are quite justified in complaining to blither.net.

Dealing with addresses that are just numbers

If an address is just a number, such as 200.300.101.4 or even 3375129860, you can still tracert to it and identify it.

Making sure your complaint is complete

Whenever you complain about spam, you must include the spam itself, plus a copy of its full header (headers are not included when you forward e-mail!), plus any other relevant data, such as "whois" or "tracert" output.

What to expect after you complain

In general, you will not get a personal response to your complaint. Many spamming episodes generate thousands of complaints, and the system administrator doesn't have time to answer them all.

Do not be offended when system administrators do not act immediately on the complaints that you send in. People accused of spamming, just like people accused of any other wrongdoing, are innocent until proven guilty.

Every system administrator gets a certain number of complaints that are made in bad faith -- that is, they seriously distort the situation or report nonexistent misbehavior in order to try to harm someone. To weed these out, investigation is necessary, and for legal reasons, system administators generally cannot tell you what they find out.

Other resources in the fight against spam

www.cauce.org -- Coalition against Unsolicited Commercial E-Mail (CAUCE), the largest and most important spam-fighting organization.

Stopping Spam -- useful book published by O'Reilly Associates.

www.allwhois.com -- a "whois" server that extends outside the United States.

The content and opinions expressed on this Web page do not necessarily reflect the views of,
nor are they endorsed by, the University of Georgia or the University System of Georgia.