eBlue, Sacra Blue Online Magazine
Dec 2002 — Issue 245
Feature Article

by Irene M. Kraus

From The Monitor, April 2002, Capital PC User Group

Irene M. Kraus is a writer, graphic and web page designer, and heads Computer Erie Bay User Group (CEBUG) based in Erie County, Ohio. Write to her at info@design-comp.com.

Tracing a Message

Anyone who's been active on the Internet for a while has probably received an unwanted message of some kind. It may be unsolicited advertising, otherwise known as spam mail. Another example would be one that had a virus-infected file as an attachment. With some sleuth work, and possibly some assistance from your ISP or on-line service, you can find out exactly where that message came from.

Many users don't realize the impact all of this unwanted traffic has. Analysis has shown that the cost to the Internet community runs into the billions of dollars each year. That is an expense we, the legitimate users of the Internet, absorb through higher access fees.

Message Headers
To find out where a message came from, you need to examine the header. This is a text summary of who sent the message, what program was used to write it, and the path it took to get to your in-box. Usually it is hidden from view when reading messages, as most of the time we wouldn't want to be bothered with those details. For example, in Outlook & Outlook Express, click on View, Options and the header information can be found in a scrolling text box in the middle of that window. In Netscape, select View, Headers, and then All. Users of Eudora Lite (pre-v3) need to select Tools, Options, Fonts & Display, then Show All Headers (even the ugly ones). Eudora Lite (v3 and later) can click on the BLAH button for any message. If you use some other program, or my directions seem unclear, use the help file included in your program, or consult with your on-line service provider.

Open Relay
People who send out unwanted messages hide their tracks by using what are called open relay systems. Described briefly, this means the computer that accepts mail for sending will take it from anyone, and send it anywhere. One that is properly configured will accept messages only from a list of known subscribers. Unfortunately, some service providers refuse (for whatever reason) to configure their server properly. Nor are there any laws in effect within most countries requiring that services do this.

Instant Tracing
There are two (2) free tools/services available to users who want to trace messages. In operation, they are quite similar. To use them, you paste the header contents into the appropriate spot and it does the rest. Copy that information to the clipboard, then paste into the form. Be warned though, these tools can only go so far on their own. SpamCop (www.spamcop.net) offers free processing for individuals, based on your e-mail address, after a short registration. Once you've registered with the service, you're directed to a custom input form for you to use to report unwanted mail. Remember to bookmark this page so you can easily return to it as needed. This service asks not only for the header information, but the message text as well. Copy each to the clipboard, paste into the form, and then click on 'Submit' to have the report generated.

Sam Spade (www.samspade.org) has a freeware program designed for Windows users. (Users of other platforms can use the form on the home page.) Described as a "network query tool," it will help you not only trace e-mail messages, but conduct other sleuth work. To use it, simply paste the information you want it to work on (in this case, the header text) into the program's magic input box located at the upper left. It is called that because you don't need to tell the program what kind of search to do; it does whatever it can automatically. A color-coded report is generated listing the results. Anything that appears in blue type can be clicked on to generate a secondary report using that information.

Dissecting a Header
To understand those reports, and how to use the information presented, you need to know the basics of what can be found in a header. Here's a breakdown of a header's contents and those portions that are of the most use in tracing a message.

Non-essentials: Your mail server will put a date and time stamp for when it was received into every message. (A "mail server" is the computer used by your service provider that sends and receives mail over the Internet.) The lines containing that information, as well as the From: and Subject: lines written by the sender are usually of no use in message tracing. The e-mail address given in the From: line should match that found in the Return-Path:. If they don't, it could be because the sender has not configured their email program properly. Lines that start with MIME-Version, Content-Type, and Status will not be of much use. Others that may appear could refer to an anti-virus checker that your provider uses, etc.

Essentials: The most important line is the Received: line, and your message may have several of them. Sorting out the real ones from the fake is where the fun begins! Figure 1 contains the header for a typical piece of junk mail. I will be using that to help explain how to read this line. The first Received: line was put in by my own ISP service. (I'm blocking out the name of their mail server & IP number.) Notice that the origin is referred to by a name, called the domain, and a number, called the IP address. An IP address can be written several different ways but is usually written as a string of numbers inside square [ ] brackets. [127.0.0.1] deserves special mention because it is a "loopback." This address always refers to the computer you are currently working on. It is often used within phony entries within headers to try to hide the origin of a message.

The second Received: line says the computer name 'amavis' at the domain "xxxx.com" sent this to my ISP service, but the IP number is the loopback value. This is an obvious phony line and is intended to mislead. It is clear from this line, however, that the sender did not want to be found.

With the third Received: line, we hit real pay dirt. It says the mail server at mailogen.com sent the message to my ISP. Using Sam Spade, I can easily trace both the IP number and the domain name back to Cybercon, Inc. For the uninitiated, this company specializes in selling services and products to those who send out junk mail. Sending them a complaint would be futile and would probably increase the amount of junk they'd be sending me.

Not all junk mail will trace back to such flagrant offenders. Every ISP and on-line service is required to maintain a mailbox for reporting abuse – typically postmaster@domain-name.com, but it could also be abuse@domain-name.com. Many have set up special addresses to accept complaints about those using their services. Use Abuse.net (www.abuse.net) to find out if the service you want to contact has listed a special address. Sending out unwanted messages is usually considered a Terms of Service (TOS) violation and is grounds for having their service removed.

One last line found within the header deserves special mention, and that is the Message-Id: line. It includes clues in addition to those mentioned above, but would be of most use to your service provider. By using that ID code, they can find the entry made in their system logs when this message arrived. Not all services are willing to do this, as it does take some time. However, many are willing – if you ask them nicely and not too frequently – to help in tracing really offensive messages back to their source. They will need the entire header and message content to compare to that in the service log. If the message contained a virus, they can also help you in reporting the matter to the FBI's Internet Fraud section (www.ifccfbi.gov).

Filter, Filter, Filter
If sending a complaint isn't going to do any good, what can I do? Use the filtering/rules available within most programs to get rid of messages coming from this source as well as other sources that match a particular pattern. I would create two rules in this case, one for the IP number, and another for the mail server name. Filtering based on the given e-mail address isn't going to do much good, as they can change that too easily. The only downside to filtering is that it is like attacking the weeds growing in your garden. It needs constant maintenance to do much good.
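The following Python script is an added example, not part of the original article, that does by hand what "Dissecting a Header" and the two rules suggested above describe: it parses the Received: lines of a header modelled on Figure 1, walks the chain from the newest hop down to the last hop that arrived from a public address, treats loopback and private addresses as carrying no information about an outside sender, and then checks one rule on the IP number and one on the mail server name. The isp-example.com host names and the 10.0.0.25 relay address are placeholders (assumptions); the mailogen.com names and 66.201.91.4 are the values shown in Figure 1.

```python
"""Walk a message's Received: chain, flag hops that cannot name an outside
sender, and apply filter rules on the relay's IP number and host name."""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Constructed sample modelled on the article's Figure 1. The isp-example.com
# names and the 10.0.0.25 relay address are placeholders (assumptions); the
# mailogen.com names and 66.201.91.4 are the values Figure 1 shows.
SAMPLE_HEADER = """\
Return-Path: <allbigprizes-return-417@lists.mailogen.com>
Received: from smtp1.isp-example.com ([10.0.0.25]) by MAIL.isp-example.com
 with ESMTP id com for <ikraus@isp-example.com>; Sun, 10 Mar 2002 15:13:29 -0500
Received: from amavis (smtp1.isp-example.com [127.0.0.1])
 by smtp1.isp-example.com (Postfix) with ESMTP id C45B21194DB
 for <ikraus@isp-example.com>; Sun, 10 Mar 2002 15:12:28 -0500 (EST)
Received: from mail.mailogen.com (s003.mailogen.com [66.201.91.4])
 by smtp1.isp-example.com (Postfix) with SMTP id BCB9F1194D4
 for <ikraus@isp-example.com>; Sun, 10 Mar 2002 15:12:27 -0500 (EST)
Subject: Accept Your NEW Card Here!
Message-Id: <20020310201227.BCB9F1194D4@smtp1.isp-example.com>

(body omitted)
"""

# "from <name the sender announced> (<what the receiver recorded>) ... by <server>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<verified>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str       # host name the sending machine announced itself as
    verified: str   # name and [address] the receiving server recorded
    by: str         # server that wrote this Received: line
    ip: Optional[str]


def parse_received(header_text: str) -> List[Hop]:
    """Return the Received: hops in header order, newest (closest to us) first."""
    hops = []
    for raw in message_from_string(header_text).get_all("Received", []):
        flat = " ".join(str(raw).split())            # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        verified = m.group("verified") or ""
        ip_match = IP_RE.search(verified) or IP_RE.search(flat)
        hops.append(Hop(m.group("helo"), verified, m.group("by"),
                        ip_match.group(1) if ip_match else None))
    return hops


def is_internal(ip: Optional[str]) -> bool:
    """A loopback or private address is either our own server talking to itself
    (a local content filter, say) or a forged entry; it never names an outside sender."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_private


def find_origin(hops: List[Hop]) -> Optional[Hop]:
    """Reading from the newest hop down, the first hop delivered from a public
    address is the last line our own servers vouch for; lines below it were
    written by machines outside our control and may be invented."""
    for hop in hops:
        if hop.ip is not None and not is_internal(hop.ip):
            return hop
    return None


@dataclass
class Rule:
    name: str
    field: str      # "ip": exact address match; "host": regex on host names
    pattern: str


# The two rules the article suggests for this message.
RULES = [Rule("block by relay IP", "ip", "66.201.91.4"),
         Rule("block by mail server name", "host", r"(^|\.)mailogen\.com$")]


def matching_rules(hops: List[Hop], rules: List[Rule]) -> List[str]:
    """Names of the rules that some hop in the chain triggers."""
    hits = []
    for rule in rules:
        for hop in hops:
            # match both the announced name and the name the receiver recorded
            names = [hop.helo] + hop.verified.split()
            if rule.field == "ip" and hop.ip == rule.pattern:
                hits.append(rule.name)
                break
            if rule.field == "host" and any(
                    re.search(rule.pattern, n, re.IGNORECASE) for n in names):
                hits.append(rule.name)
                break
    return hits


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADER)
    for n, hop in enumerate(chain, 1):
        print(f"{n}: from {hop.helo} ({hop.verified}) by {hop.by}"
              f"  internal={is_internal(hop.ip)}")
    origin = find_origin(chain)
    print("origin:", origin.verified if origin else "not determinable")
    print("rules hit:", matching_rules(chain, RULES))
```

The host rule is matched against the name the receiving server recorded (the part in parentheses) as well as the announced name, because the announced name is chosen by the sending machine and can say anything. The IP number in square brackets is what the receiving server actually saw on the connection, which is why the article's advice to filter on it, rather than on the From: address, holds up.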

There are specialized products available to supplement or replace the filtering tools found within email programs. Most can filter based on anything found within the header as well as subject line and message body. Not too many of these products are free, however.

Legal Spam?
Some time ago, I noticed spam messages that claim to be legal under Bill S.1618, HR 3113, or the Unsolicited Electronic Mail Act of 2000. The reason why such claims are bogus is simple. Not one of these bills actually became law! US Senate passed S.1618, but it failed to pass the House. HR 3113, which passed the House, sat ignored by the Senate until that session of Congress ended. Congress has been trying to pass some sort of unsolicited e-mail law, but (as of this writing) has not done so.

Oddly enough, these claims can appear just as frequently within messages received by residents of other countries. Such laws passed by the US government would apply only to people and businesses residing in the US. For any writer to assume otherwise is incredibly arrogant.

For the facts concerning pending legislation in US Congress, see www.cauce.org. I would strongly urge every US resident to do so as legislation in regard to these kinds of messages will be passed soon. Once that happens, you and I will be able to go after these companies where it hurts – their wallets. CAUCE has links to similar organizations based in India, Canada, Europe, or Australia.

Other Resources
There are a few other net resources I can recommend for further reading. For a look at the history of how the term spam came to mean net abuse, check out www.templetons.com/brad/spamterm.html. For those who feel nostalgic, or don't remember the now famous Spam Sketch by the cast of Monty Python's Flying Circus, find the words to it in Sam Spade's help file. Spamhaus (http://spamhaus.org) maintains a searchable list of companies, like Cybercon Services, which have open relays. Orbz (www.orbz.org) has a searchable list of those who, for whatever reasons, have never fixed this problem.

Figure 1.

Return-Path: <allbigprizes-return-417@lists.mailogen.com>
Received: from smtp1.######.com ([##.###.###.##]) by MAIL.######.com (Post.Office MTA v3.5.3 release 223 ID# 564-65076U6500L650SOV35) with ESMTP id com for <ikraus@yyyyyy.com>; Sun, 10 Mar 2002 15:13:29 -0500
Received: from amavis (smtp1.######.com [127.0.0.1]) by smtp1.######.com (Postfix) with ESMTP id C45B21194DB for <ikraus@yyyyyy.com>; Sun, 10 Mar 2002 15:12:28 -0500 (EST)
Received: from mail.mailogen.com (s003.mailogen.com [66.201.91.4]) by smtp1.######.com (Postfix) with SMTP id BCB9F1194D4 for <ikraus@yyyyyy.com>; Sun, 10 Mar 2002 15:12:27 -0500 (EST)
X-Info: To report abuse, contact abuse@mailogen.com
X-Mailogen-Userid: allbigprizes
X-Mailogen-ID: 1305667
X-Mailogen-Recipient: ikraus@yyyyyy.com
To: ikraus@yyyyyy.com
Date: Mar 10 2002 11:27:49
X-Mailogen-MsgID: allbigprize3-417
Subject: Accept Your NEW Card Here!
From: Al1BigPrizes.com Newsletter <allbigprizes@lists.mailogen.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="Ilmg boundary-78438-335567"
Message-Id: <20020310201227.BCB9F1194D4@smtp1.######.com>

This page prepared by: Brian Smither

Copyright © 2002 Sacramento PC Users Group, Inc. All rights reserved.