Decoding e-mail headers
11.26.07 - 04:10pm
In this article I will explain how to find the info you need within your e-mail headers to report abuse and spam.
This information is only a basic, general guide and in some cases you may need further help.
I suggest you visit the stop spam site.

Example 1.
This was a spam mail sent to my Yahoo account; your headers may look slightly different.
X-Apparently-To: someone@yahoo.com via 206.190.39.205; Sun, 05 Dec 2004 08:52:01 -0800
X-YahooFilteredBulk: 65.254.32.146
X-Originating-IP: [65.254.32.146]
Received: from 65.254.32.146 (HELO mail.gpdeals.com) (65.254.32.146) by mta178.mail.scd.yahoo.com with SMTP; Sun, 05 Dec 2004 08:52:00 -0800
X-Info: To report abuse, contact abuse@gpdeals.com
X-GPdeals-Userid: wowdaily
X-GPdeals-ID: 10616305
X-GPdeals-Recipient: someone@yahoo.com
Date: Sun, 5 Dec 2004 01:58:55 -0500
Message-ID: <20041205015855.959403@lists.gpdeals.com>
X-gpdeals-MsgID: wowdaily-916
Subject: Claim your Fire and Ice Grill
From: "Account Services"
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="mg_boundary-163606-784313"
Content-Length: 1978
The part we are interested in here is this:
Received: from 65.254.32.146 (HELO mail.gpdeals.com) (65.254.32.146) by mta178.mail.scd.yahoo.com with SMTP; Sun, 05 Dec 2004 08:52:00 -0800
This line was added by Yahoo's own receiving server (mta178.mail.scd.yahoo.com), so the IP address it records is the one used to send the mail: 65.254.32.146
With this info we can use an IP lookup tool such as the one at geektools. We get a page full of information (contact addresses and so on), but the part we want is:
OrgAbuseEmail: abuse@gnax.net
This is the address we can e-mail our complaints to.

Example 2.
A second more difficult example is below:
This was a spam mail sent to my Yahoo account, and again your headers may look slightly different.
X-Apparently-To: somebody@yahoo.com via 206.190.39.209; Sun, 05 Dec 2004 09:02:57 -0800
X-YahooFilteredBulk: 69.6.39.92
X-Originating-IP: [69.6.39.92]
Return-Path:
Received: from 69.6.39.92 (EHLO mx92.qbatcrew.biz) (69.6.39.92) by mta237.mail.scd.yahoo.com with SMTP; Sun, 05 Dec 2004 09:02:57 -0800
From: "Mortgage Analysis"
To: " "
Subject: Residence Basis Point Process
Date: Sun, 5 Dec 2004 11:02:55 -0600
Message-ID:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Content-Length: 3356
Again, the part we are interested in here is this:
Received: from 69.6.39.92 (EHLO mx92.qbatcrew.biz) (69.6.39.92) by mta237.mail.scd.yahoo.com
This gives us the IP address 69.6.39.92. Again we go to geektools, but this time we get the following information, with no abuse address:
Results:
WholesaleBandwidth, Inc. WHOLE-2 (NET-69-6-0-0-1)
69.6.0.0 - 69.6.79.255
LeadPlex LEAD-BLK-69-6-39-0 (NET-69-6-39-0-1)
69.6.39.0 - 69.6.39.255
This tells us that:
A) WholesaleBandwidth, Inc. owns all addresses from 69.6.0.0 - 69.6.79.255
B) A second company called LeadPlex owns some addresses within this range, namely the IPs 69.6.39.0 - 69.6.39.255
In this situation you can either contact LeadPlex first and, if you get no reply, contact WholesaleBandwidth, Inc., or contact both at the same time.
Who are WholesaleBandwidth, Inc. and LeadPlex?
Normally a whois lookup gives an abuse address and similar contact information, but in this case none is given - Google is your friend! After searching for their name I found this information.
Searching for LeadPlex brought up this site, and we find they are an advertising company - which is not unexpected ;)
You can now send your complaints. When sending reports of abuse you must include the full headers of the e-mail or the abuse system will most likely ignore your e-mail.
Send each e-mail you received from the troublemaker as a separate complaint - combining twenty e-mails into one complaint makes it ‘appear’ less serious.
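
The steps from both examples as an added Python sketch (not the author's code): it takes the IP from the topmost Received line stamped by your own provider, skips a constructed forged line placed beneath it, and turns the lookup results quoted above into complaint targets. The function names, the ".yahoo.com" suffix check and the forged header line are assumptions made for illustration.

```python
import email
import ipaddress
import re

# Example 2's delivery line, followed by a CONSTRUCTED forged line (192.0.2.7 is
# a documentation address) of the kind a sender can insert below the real one.
HEADERS = """\
X-Originating-IP: [69.6.39.92]
Received: from 69.6.39.92 (EHLO mx92.qbatcrew.biz) (69.6.39.92) by mta237.mail.scd.yahoo.com with SMTP; Sun, 05 Dec 2004 09:02:57 -0800
Received: from 192.0.2.7 (HELO mail.example.invalid) (192.0.2.7) by mta237.mail.scd.yahoo.com with SMTP; Sun, 05 Dec 2004 08:00:00 -0800
Subject: Residence Basis Point Process

"""
WHOIS_1 = "OrgAbuseEmail: abuse@gnax.net"          # Example 1 lookup result
WHOIS_2 = """\
WholesaleBandwidth, Inc. WHOLE-2 (NET-69-6-0-0-1)
69.6.0.0 - 69.6.79.255
LeadPlex LEAD-BLK-69-6-39-0 (NET-69-6-39-0-1)
69.6.39.0 - 69.6.39.255
"""                                                 # Example 2 lookup result

def sending_ip(raw_headers, own_provider=".yahoo.com"):
    """IP recorded by the topmost Received line stamped by our own provider."""
    msg = email.message_from_string(raw_headers)
    for line in msg.get_all("Received", []):        # newest hop comes first
        m = re.search(r"\(([\d.]+)\)\s+by\s+(\S+)", line)
        # Lower lines can claim any "by" host, so stop at the first match.
        if m and m.group(2).lower().endswith(own_provider):
            return ipaddress.ip_address(m.group(1))
    return None                                     # no trustworthy hop found

def report_targets(ip, whois_text):
    """Abuse addresses if listed, else owners of blocks holding ip, smallest first."""
    emails = re.findall(r"^OrgAbuseEmail:\s*(\S+)", whois_text, re.M)
    if emails:
        return emails
    lines = [l.strip() for l in whois_text.splitlines() if l.strip()]
    found = []
    for name, rng in zip(lines, lines[1:]):         # owner line, then its range
        m = re.fullmatch(r"([\d.]+) - ([\d.]+)", rng)
        if not m or "(NET-" not in name:
            continue
        lo, hi = map(ipaddress.ip_address, m.groups())
        if lo <= ip <= hi:
            found.append((int(hi) - int(lo), name.split(" (NET-")[0]))
    return [owner for _, owner in sorted(found)]

if __name__ == "__main__":
    ip = sending_ip(HEADERS)
    print(ip, report_targets(ip, WHOIS_2))
```

The regular expression matches the Yahoo-style Received layout shown in the examples; other providers format this line differently and need their own pattern.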

In summary:
Find the Received: from IP address.
Use geektools to look up who owns the IP address.
Submit your complaints to the abuse address.
If you have no abuse address, use Google to find the IP owner.
Submit complaints separately.