At the moment, spamming is not illegal, although the contents the actual Spam messages may violate a state or federal law. Other Spam messages may violate the spammer's contract with his Internet Service Provider, or else cause enough harm to a third party to warrant a civil lawsuit. As well as wasting a lot of time and money (estimated cost to all Internet users this year is $255 million), the web is actually running into bottlenecks on servers carrying Spam to the ill-fated recipient.

Here are four scenarios that could get the spammer busted:

1. If you received a message promising free cable TV schemes, you could forward the messages to the Federal Trade Commission and let them decide if it is illegal and worth taking action on.

2. Supposedly unhealthy amounts of people seem to be hooked on Internet porn at the moment. This increases the risk of illegal or disturbingly hardcore material being advertised rather carelessly by the spammer. It is advised that you find out as much information as possible about this type of spammer (you will see how later) and contact the police.

3. Literally all ISPs now have anti-Spam policies and will happily deal with the offender by banning him from the server. Some even fine offenders that put an unnecessary strain on the systems resources. Some as much as $500 per message!

4. Spammers often forge email headers so that it seems as though the message is coming from another person or they add someone else's phone number to the message. This results in an innocent individual getting bombarded with complaints by email and phone.

If the spammer is stupid enough to supply you with a web site address, you should not have much trouble finding out who is hosting the site, providing they have given you the right site and have a domain. Follow the link. If the site content is similar to the message, you are in luck! Just visit Internic and find the administrative contact for domain on the WhoIs search.

If the spammer has given you the address of a free provider such as Geocities just fire a quick message over to them, informing them of the spammer using their service. It should be easy enough to target a spammers' provider if they have a sub-domain (e.g. http://www.provider.com/~spammer/).

Targeting a spammer by his web site is all well and good and will cause the spammer a fair amount of frustration when the site goes down, but the main aim is to complain to the postmaster of his ISP (where the Spam was sent from). This information can only be found in the email headers.

Find Clues in Email Headers

The big problem with email headers is that the experienced spammer so easily forges them nowadays. But all hope is not lost. By searching deep into the email header you can find clues that can lead you to the spammer's ISP.

The ISP is bound to take action, providing the spammer hasn't set up his own ISP for the purposes of spamming. The punishments can range from simply a warning, to being thrown off the ISP, to being heavily fined for each message that went through the server. But first we need to find the domain to complain to.

Below is a typical email header:

Delivered-To: d#-alexh@dial.pipex.com
Return-Path: paul@base.com
X-Envelope-To: alexh@dial.pipex.com
X-Envelope-From: paul@base.com
Received: (qmail 25716 invoked from network); 15 Aug 1998 17:41:58 -0000
Received: from mx01.globecomm.net (206.253.129.8) by depot.dial.pipex.com with SMTP; 15
Aug 1998 17:41:58 -0000
Received: from venture.com (cs1-12.mil.ptd.net [204.186.27.12]) by mx01.globecomm.net
(8.8.8/8.8.0) with SMTP id NAA17236 for; Sat, 15 Aug 1998 13:41:33 -0400 (EDT)
From: paul@base.com
Message-Id: 199808151741.NAA17236@mx01.globecomm.net
To: alexh@2-cool.com
Subject: Opportunity
Date: Sat, 15 Aug 1998 10:08:35

The received lines are the ones that contain the vital information about where the Spam originated. Read the received lines from top to bottom, the top being my provider (depot.dial.pipex.com) and the bottom being venture.com (where the spammer sent email from). Anything in between is the servers that the message passed through before getting to you.

Now lets look at the line venture.com (cs1-12.mil.ptd.net [204.186.27.12]) and see if we can get any information from it. The venture.com part can very easily be forged, so it is the (cs1-12.mil.ptd.net [204.186.27.12]) that we should be interested in. First, we need to check that the IP address (204.186.27.12) matches 12.mil.ptd.net. This can be done by going to Whois and running their IP address!

You can see if a domain has a web page by taking the name and adding "www." to the start, For example, I typed in www.ptd.net. If you see a page with content similar to the email Spam you received, you've probably identified the bad guys. If you see a page telling you about Internet access services and other types of legitimate business, you've probably identified the party to complain to.

If you have identified the spammer's site or there is no site at all (most spammers are too lazy to create a web site) you will need to find to upstream provider. This can be found using the TraceRoute tool. If the site I had come across were the spammer's, I would simply invoke "TraceRoute cs1-12.mil.ptd.net". There are many web TraceRoute gateways online if you do not have access to this tool. Try looking for one on a search engine.

If you are investigating a spammer who is connected to a small local ISP, TraceRoute will figure out which big national ISPs the Spam messages are passing through. If the local ISP is chronically tolerant of Spam, you might suggest that representatives of the big ISP have a talk with them.

There are two ways to contact the ISP now: by invoking the "dig -x 11.22.33.22 soa" (Start Of Authority) to find out the administrator, or simply sending a message to postmaster@spammersdomain.com.

Complaining to the ISP

Now that you have an address for the ISP, it is time to complain. Remember to be polite, as it is probably not them who sent out the bulk mailing, and they are likely to be inundated with complaints regarding the Spam. Always send the full message header to the ISP so that they can investigate further. Apologize to them if you have directed the message to the wrong person and ask if they can forward the complaint to the appropriate party.

The ISP should send you an email to inform you of the actions they have taken against the offending spammer. Don't worry if they haven't--they probably have had too many complaints. If you do get a response like "The guilty account has been terminated", send them a thank-you note, and tell them that you appreciate their actions.

Taking Things Further

Very rarely should you need to inform the police, but if the message content offers something particularly illegal, you can just print out the message (including headers), send it to the FBI, to the attorney general of the state that the message claims as its origin, or to the local police.

If you feel that the message is in some way fraudulent, print it out and send it to the Federal Trade Commission with a cover letter expressing your concerns:

Federal Trade Commission
6th Street and Pennsylvania Ave NW
Washington, DC 20580

If you are planning on complaining to the spammer directly, be careful. The last thing you want it to be mail bombed and to be put on a spammer's hit list! If they have a free phone number ring it and see who picks up, the chances are that it is a pre-recorded message, but it could be someone the spammer has set up. In this case, tell them that their phone number was given out in the Spam and they should have a cause for concern. Tell them all you know about the spammer so that they can follow up on the problem that has been caused for them.