Aunty Spam's
Slam a Spammer Blog


May 21, 2004

Aunty Spam: How to Read Headers to Report Spam

Posted 3 weeks, 2 days ago on May 21, 2004
Dear Auntie Spam,

How do I read the fine print in the spam's header information to determine from where the spam really originated? I forwarded one to, and they sent me an e-mail saying it wasn't a correct address.

P.S. Since getting Starband, MailWasher won't work on my computer. :( I've been bouncing them back in Bounce Spam Mail, but don't know if it actually works or not. If the address isn't correct, then it isn't working.

Thank you,



Dear Kim,

You raise a number of interesting points and questions in your email. First, if you get spam which appears to be from someone at Hotmail, then pretty much the only thing which you can be certain of right off the bat is that it isn't from Hotmail. So Hotmail was probably correct in returning the spam to you, even though you were trying to do the right thing.

In fact, if you receive spam of the real, true "Make Money Fast" variety, you can rest assured that 99.9% of the time the domain featured in the "From:" email address will belong to an ISP or other Internet site which has no connection to the spam whatsoever (Aunty is a lawyer so she gets to use big words like that). This is known as "domain spoofing", and it is now illegal under CAN-SPAM. Of course, littering is illegal too, but that doesn't seem to stop the litterbugs either.

You are to be commended for wanting to dive into the world of reading headers, and while on some levels it can be very complicated, there is a first level on which it is not difficult at all, and can still be very useful. The first thing you will need to do is to open up an email, and then switch to the 'full header view'. This is called many things by many different email programs, but the most common terms are "full headers", "all headers" and "raw view". Aunty's email program calls it "long headers". Whatever your email program calls it, switch to that view.

Now you will note that in addition to seeing the traditional headers such as "From:", "To:", "Subject:", and "Reply-To:", you will also see lots of other lines, many containing IP addresses. The answer to the question "to whom do I report this spam" lies within these lines. These lines can tell you where the spam originated (or at least what the next closest link was), where it went from there, through which Internet locations it hopped, and generally the path it took to get to your front door. You only have to know how to read the information. If you want to delve even deeper, you can learn all sorts of things, such as where the spammer was geographically when they sent the offending message, what time they sent the spam, and what sorts of resources they abused in the process. But for our purposes we just want to know the path the spam took to get to you.

However, rather than tell you how to read those lines, Aunty is going to refer you to a couple of sites which will not only tell you how to read those headers, but will do so far better than could Aunty. The links are at the end of this missive.

Once you have determined the path which the email likely took, you will a) realize that indeed the email never came close to the domain which is featured in the "From:" address, and b) have a good sense of where it's been (no, that doesn't mean that you can put it in your mouth), so that you know to whom to report it.

Now, once you know the sites which were involved, how do you determine the email addresses to which you should send your complaints? Conventional wisdom holds that any responsibly administered mail server will maintain either or both of postmaster@domain and abuse@domain. These are known as role accounts, and while there can be many other role accounts (for example "root", "webmaster" and "news"), these are the only two with which we need concern ourselves for this exercise. Of course, conventional wisdom is not always right - the recommended role accounts are not always set up, but that is not your problem. Aunty recommends that once you determine to which sites you want to send the reports, you send them to postmaster@domain and abuse@domain. So, for example, if you have figured out that one of the domains involved in transiting the spam is "", you may want to send email to and (note that this is a made-up domain, so that if any spammer scrapes these addresses it won't cause anybody real to get spammed).

When reporting spam, you should always assume that the site to which you are reporting the spam probably does not know that they have an embarrassing spam problem, and so should approach them with gentleness and respect (good advice for all initial encounters, online and off, thinks Aunty). You should also assume, particularly with an Internet site of substantial size, that their abuse staff is horribly understaffed and overworked, and so a delay in response of a few days may not be unreasonable (in fact some sites don't respond to the person making the report at all).

Aunty promised you some links to sites which will teach you how to divine the information contained in the headers of your spam, and here they are:

PO Box Header Reading Tutorial
Stop Header Reading Tutorial

If all of this seems rather daunting, and related to your MailWasher problems, you may want to consider using one of the services available now which let you automatically report your spam to a central clearinghouse, where they collect the data and use it to help boost their spam filters, which in turn helps to ensure that you (and all of your fellow service users) don't receive that same spam again. One program which Aunty can recommend is Cloudmark's "SpamNet" for Outlook and Outlook Express. Cloudmark is currently running a free trial, so that you can try SpamNet with no obligation.

Whatever you do, don't let the spammers get you down, and keep on reporting!

Kissy kissy,

Aunty Spam
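
The header-reading and role-account steps described in the post, as an added example that is not part of the original post: it lists the "Received:" hops of a message, finds the host that handed the message to your own provider, and builds the postmaster@ and abuse@ report addresses for it. The message, hostnames and IP addresses are constructed for illustration, and the function names are this example's own. Only the "Received:" lines written by your own provider's servers were recorded by machines you can trust; older lines, like the "From:" address, can be forged by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: example domains and documentation-range IPs only.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailbox.recipient.example with ESMTP; Fri, 21 May 2004 10:02:03 -0700
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP; Fri, 21 May 2004 10:02:01 -0700
Received: from hotmail.com (unknown [203.0.113.45])
\tby relay.isp.example with SMTP; Fri, 21 May 2004 10:01:58 -0700
From: "Make Money Fast" <winner@hotmail.com>
To: kim@recipient.example
Subject: Make Money Fast

(body omitted)
"""

# "from <name the sender claimed> (<reverse DNS> [<IP the receiver saw>]) by <receiver>"
HOP = re.compile(r"from (?P<claimed>\S+) \((?P<rdns>\S+) "
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\) by (?P<by>\S+)")

def hops(raw):
    """Received lines as dicts, newest first (each server prepends its own line)."""
    values = message_from_string(raw).get_all("Received", [])
    matches = (HOP.search(" ".join(v.split())) for v in values)  # unfold lines
    return [m.groupdict() for m in matches if m]

def from_domain(raw):
    """Domain shown in the From: header, which the sender can set to anything."""
    return parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()

def handoff(raw, my_domain):
    """Newest line written by one of my own servers about a host outside my domain."""
    inside = lambda host: host == my_domain or host.endswith("." + my_domain)
    for hop in hops(raw):
        if inside(hop["by"]) and not inside(hop["rdns"]):
            return hop
    return None

def report_addresses(host):
    """postmaster@ and abuse@ for the host's domain (simplification: last two labels)."""
    domain = ".".join(host.split(".")[-2:])
    return [f"postmaster@{domain}", f"abuse@{domain}"]

if __name__ == "__main__":
    for hop in reversed(hops(RAW)):  # oldest first: the path toward the mailbox
        print(f'{hop["ip"]:>15}  claimed {hop["claimed"]:<18} -> {hop["by"]}')
    entry = handoff(RAW, "recipient.example")
    print("From:", from_domain(RAW), "| report to:", report_addresses(entry["rdns"]))
```

In the sample, the oldest hop claims to be "hotmail.com" while the receiving server recorded no matching reverse DNS name for the connecting IP, which is the mismatch the post describes: the "From:" domain never handled the message.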


Re: Aunty Spam: How to Read Headers to Report Spam

Posted 4 days, 2 hours ago by Dave Kelsen

You forgot to mention that because "you can rest assured that 99.9% of the time the domain featured in the "From:" email address will belong to an ISP or other Internet site which has no connection to the spam whatsoever", it serves no purpose to bounce the spam. It only adds to the traffic the spammers are clogging the net with. The OP says, "If the address isn't correct, then it isn't working." This is true, but the bounce *is* sent - uselessly. Don't bounce, just delete. I would like to ask the OP to give a bit more information about Mailwasher not working with Starband. It should. You can contact the author (Nick Bolton) at, I think. Remember, reporting good, bouncing bad! Dave Kelsen


Re: Aunty Spam: How to Read Headers to Report Spam

Posted 4 minutes, 2 seconds ago by EPGeek

To heck with tracking down who actually sent the SPAM. Why not go after the website advertised in the SPAM. I mean duhhhh! The SPAM is all about the website, so you know exactly who the bad guys are. Why not some campaign to go against them directly????


Re: Aunty Spam: How to Read Headers to Report Spam

Posted 3 days, 23 hours ago by Kate Grey

What do you do if your domain is being spoofed? Mine is and I get tons of messages from "Postmasters" telling me they couldn't deliver mail from *alphabetsoup* @ mydomain. I truly resent someone doing this!


Re: Aunty Spam: How to Read Headers to Report Spam

Posted 3 days, 16 hours ago by dAVE r

Sending protests to the relaying IP domain can often help, but certain ones are totally non-responsive other than a "bot" form letter response, including MAJOR networks such as SWBELL, and lesser malingerers like, to whom I've sent dozens of complaints to no avail. The worst thing that happened to the internet was when domain registration authority got totally fragmented without any accountability. "Registrars" such as Enom, Gandi Sarl, and Joker (yes!) allow totally and OBVIOUSLY bogus data in their registration databases, with impossible or non-existent addresses, bogus telephone numbers (222-222-2222, e.g.) and bad email contact addresses. The registrars should be REQUIRED, on pain of losing their authority, with severe fines, to VERIFY and MAINTAIN these databases. This would be a major step in stopping scam spam. What good does it do to be able to read the full headers, if 98% of the data is either forged or untraceable due to bogus domain registrations? Frankly, if certain countries don't want to go along with valid and truthful registration processes and filtering relays from known spammers, block them out! Entirely! One could start with China, Korea, & Brazil, three of the worst for relaying spam. Perhaps when the LEGITIMATE businesses in those countries lose their international connectivity, they'll clean up their countries' act. Naive? I don't think so. Evidence points to needing a sledgehammer to kill this fly.


Re: Aunty Spam: How to Read Headers to Report Spam

Posted 3 days, 11 hours ago by DragonRnBlack

In the not too far future there will be a tightening up of the ship with domain registrations. It's in draft form as we speak and awaiting final approval. This will be interesting to see exactly how they enforce domain registrations which will be required to be legitimate addresses and phone numbers which supposedly will be verified, plus maintaining privacy on the WhoIs, RICC, etc.
