Fighting SPAM, How to Lodge a Complaint
Baldwin explains how to lodge a
complaint against the person or organization responsible for the
computer that sent a SPAM message or a message carrying a virus.
Published: February 5, 2004
By Richard G. Baldwin
Java Programming Notes # 2158
The purpose of this short tutorial is to show you how to lodge a
complaint against the person or organization responsible
for the computer that sent a SPAM message or a message carrying a virus.
At any instant in time, every computer connected to the Internet has a
unique address, commonly referred to as the IP address.
This address is similar to your home address, or your telephone number,
except that it may change more frequently.
Some computers have an IP address that is more or less permanently
assigned and rarely changes. Other computers are assigned a
different IP address every time they are turned on and connected to the
Regardless of whether the IP address is permanent or transitory,
records should exist that show which IP address was assigned
to which computer at every instant in time.
Useful for lodging a complaint
This IP address can be used to lodge a complaint against the
responsible party for every SPAM message and every message containing a
virus that is set loose on the Internet.
(Keep in mind, however, that in many cases involving
SPAM, and most cases involving viruses, the operator of the computer is
an unwilling and unknowing participant in the process. In those
cases, the computer has become contaminated with an uninvited
program that is sending out the messages. In those cases, the
operator needs to be notified and asked to remove the uninvited program
from the computer.)
Every Email message contains the originating
Although you don't ordinarily see it when viewing your Email messages,
every email message contains the IP address of the computer that
sent the message.
(While it may be possible for someone to insert a fake
originating IP address into a message, unlike the Email return address
that can be easily faked, faking the originating IP address is not an
easy task, and probably isn't often done at this point in time.)
The IP address can lead to the source of the
Once you know how to identify the originating IP address, it is a
relatively simple matter to obtain contact information that will allow
you to lodge a complaint. I will show you how later in this
Finding the originating IP address
First however, let me show you how to identify the originating IP
Every Email message contains a header in a more or less standard
format. The originating IP address is contained in that
header. Although most Email readers don't show you the header by
default, most will show you the complete header if you are
interested in seeing it. For the Email reader that I use, I can
see the complete
header by pulling down the View menu, selecting Headers,
and then selecting All.
An example Email message header
As an example of an Email header (not an example of a SPAM or virus
message), I am going to show you the header for a message that I
recently received from the Social Security Administration. The
complete header for that message is shown in Figure 1.
Although the complete header is very complex (as indicated in
Figure 1), what you need to do is very simple.
Look for the last Received line
From - Thu Dec 25 09:42:08 2003
Received: from mailhub1.austin.cc.tx.us (email@example.com [184.108.40.206])
by omnistarhost.com (8.11.6/8.11.6) with ESMTP id hBOMYuL27782
for <firstname.lastname@example.org>; Wed, 24 Dec 2003 16:34:57 -0600
Received: from monk.austincc.edu (email@example.com [220.127.116.11])
by mailhub1.austin.cc.tx.us (8.12.3/8.12.3/Debian-6.4) with ESMTP id hBOMX8xS005866
for <firstname.lastname@example.org>; Wed, 24 Dec 2003 16:33:08 -0600
Received: from mailhub1.austin.cc.tx.us (email@example.com [18.104.22.168])
by monk.austincc.edu (8.12.3/8.12.3/Debian -4) with ESMTP id hBOMX7De005423;
Wed, 24 Dec 2003 16:33:07 -0600
Received: from listserv.gsa.gov (host.159-142-1-236.gsa.gov [22.214.171.124])
by mailhub1.austin.cc.tx.us (8.12.3/8.12.3/Debian-6.4) with SMTP id hBOMX3xS005860;
Wed, 24 Dec 2003 16:33:03 -0600
Received: from listserv (listserv [126.96.36.199])
by listserv.gsa.gov (8.11.7p1+Sun/8.11.7+sun) with ESMTP id hBOMWEE10793;
Wed, 24 Dec 2003 17:32:14 -0500 (EST)
Received: from LISTSERV.GSA.GOV by LISTSERV.GSA.GOV (LISTSERV-TCP/IP release
1.8e) with spool id 378417 for SSA_ENEWS@LISTSERV.GSA.GOV; Wed, 24
Dec 2003 17:13:02 -0500
Received: from scog-ws3.gsa.gov ([188.8.131.52]) by listserv.gsa.gov
(8.11.7p1+Sun/8.11.7+sun) with ESMTP id hBOM4EE01502 for
<firstname.lastname@example.org>; Wed, 24 Dec 2003 17:04:14 -0500 (EST)
Received: from 184.108.40.206 by scog-ws3.gsa.gov with ESMTP (GSA Internet
E-Mail System (MMS v5.6.0)); Wed, 24 Dec 2003 17:04:00 -0500
X-Mailer: Lotus Notes Release 5.0.8 June 18, 2001
X-MIMETrack: Serialize by Router on SCOG-NOTESSMTP1/GSAEXTERNAL(Release 5.0.8
|June 18, 2001) at 12/24/2003 05:04:00 PM,
Serialize complete at 12/24/2003 05:04:00 PM
Content-Type: multipart/alternative; boundary="=_alternative 00793D7E85256E06_="
Date: Wed, 24 Dec 2003 17:03:55 -0500
Reply-To: Social Security eNews <SSA_ENEWS@listserv.gsa.gov>
Sender: Social Security eNews <SSA_ENEWS@listserv.gsa.gov>
From: "^ENews" <ENews@SSA.GOV>
Subject: eNews: Social Security eNews December 2003
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
As you will note in Figure 1, the header contains many lines that
begin with the word Received:
The number of such lines will vary from one message to the next.
What you will be looking for is the last such line in the header.
(I highlighted it in blue in Figure 1.)
Find the IP address in that line
The last Received: line will contain the IP address for the
computer that sent the offending message. I highlighted the IP
address in red in Figure 1.
What does the IP address look like?
An IP address always consists of four numbers having from one to three
digits each. The four numbers will always be separated by
IP addresses are often enclosed in matching square brackets [...],
but that is not the case in Figure 1. The IP address consists of
the four numbers and the three periods. (The square brackets,
if they are present, are not part of the IP address.)
Copy down the IP address. You will need it later.
Identify the responsible organization or person
The next step is to identify the organization or person that is
responsible for the IP address. (IP addresses are issued to
organizations and individuals in much the same way that your telephone
number is issued to you when you sign up for telephone service.)
Identifying the responsible organization and the responsible party
within that organization is easy. Several web sites on the
Internet maintain databases containing such information and make it
available for free. One of the easiest databases to use is the
ARIN WHOIS database at http://www.arin.net/whois/.
Using the Arin database
Just click on the link given above to open a page containing a data
Enter the IP address that you copied earlier and press the button
labeled Submit Query. This will produce a page that looks
something like the one shown in Figure 2. (This is the
information provided for the IP address highlighted in red in Figure
1. Each of the blue links in Figure 2 will take you to other
pages containing additional information.)
Again, don't panic
OrgName: General Services Administration
Address: 18th & F Street, NW
Address: Mail Stop Room 2040
NetRange: 220.127.116.11 - 18.104.22.168
NetType: Direct Assignment
TechName: General Services Administration 18th& F Streets, N
TechPhone: 1-800-903-IISC (4472)
OrgTechName: General Services Administration 18th& F Streets, N
OrgTechPhone: 1-800-903-IISC (4472)
Once again, this looks pretty complicated, but fortunately you will
only be interested in the information in the four red lines near the
bottom of Figure 2.
Registering your complaint
If you prefer, you can call the telephone number to complain, but the
best bet is to send an Email message to the address given. (Or
possibly the best bet is to do both.) The advantage to the
Email message is the ease with which you can provide the information
that the organization will need to track down the offending computer
within the organization.
Send the full header from the offending message
When you send the Email message, be sure to include a copy of the full
header from the offending message in your message. Someone there
will understand how to interpret all of the information in the header,
and that is the information that the organization will need to track
down the offending computer.
Use copy and paste if possible
Trying to copy all of that information manually would be a daunting
task, but should not be necessary. It should be possible for you
to copy the header to the clipboard on your computer and then paste it
into your Email message.
The way to go about doing that will differ from one Email reader to the
next. With my reader, I can view the message, pull down the View
menu, and select Message Source. This opens up a
version of the message that allows me to highlight the entire message
header with the mouse, copy it to the clipboard, and paste it into the
Email message that I am composing. (The header consists of
everything from the first line down to and including the line that
starts with Status:)
Viruses send SPAM and viruses
It probably wouldn't do much good to complain to an originating
distributes SPAM for profit (but then, it may do some good if
thousands of people complain on a daily basis). However, as
mentioned earlier, many cases involving SPAM
and most viruses are actually sent by malicious programs that have
computers of unsuspecting people. Sometimes complaining to the
technical contact for the originating IP address of a SPAM or virus
message will result in the malicious code being removed from the
That will eliminate the SPAM and virus messages being transmitted by
Every little bit helps
Removing such code from one computer wouldn't have much impact on the
overall problem, but removing such code from thousands of computers
a significant impact on the problem. If nothing else, it would
make it easier to identify the real culprits in the war against SPAM
An example case
For example, a good friend of mine was recently notified by her cable
modem ISP that a computer connected to her cable modem had been
transmitting SPAM or
viruses. Apparently the ISP had received a complaint that
included the date, time, and originating IP address in the message
header. The ISP was able to use this information to determine
that the IP address had been assigned to my friend's cable modem at the
time that the message was transmitted. My friend received
technical advice from the ISP to help in cleaning up
the computer and eliminating the problem.
Nothing in this document is intended to suggest that the Social
Security Administration computers are used to distribute SPAM or
viruses. A message from the Social Security Administration was
chosen for illustration purposes due simply to the fact that it is easy
to see the connection between the information in Figures 1 and 2 for a
well-known government agency. Making that connection would be
more difficult for a case involving a real spammer.
Copyright 2004, Richard G. Baldwin. Reproduction in whole or
part in any form or medium without express written permission from
Baldwin is prohibited.
About the author
is a college professor (at Austin Community College in Austin, TX) and
private consultant whose primary focus is a combination of Java, C#,
and XML. In addition to the many platform and/or language independent
benefits of Java and C# applications, he believes that a combination of
Java, C#, and XML will become the primary driving force in the delivery
of structured information on the Web.
Richard has participated in numerous consulting projects, and he
frequently provides onsite training at the high-tech companies located
in and around Austin, Texas. He is the author of Baldwin's
Programming Tutorials, which
has gained a worldwide following among experienced and aspiring
programmers. He has also published articles in JavaPro magazine.
Richard holds an MSEE degree from Southern Methodist University
and has many years of experience in the application of computer
technology to real-world problems.