Email Spam tracking 101 - Meaning of email headers
Email Spam tracking 102 - The many uses of DejaNews
Email Spam tracking 103 - The WHOIS database
Email Spam tracking 104 - A spammer unmasked
Thinking of bulk emailing - Consequences of spamming?
Figuring out fake E-Mail  -  Deciphering fake email or posting?

Email Spam tracking 101
by Bill Mattocks

Here's where it gets amusing!
So, let's just enjoy this spam for a moment, shall we?

Are you sitting comfortably? Good, then I'll begin. 

Here is a spam I just received. It is bad, because it is spam. It is bad, because it attempts to masquerade as being information I requested to avoid detection as spam.

It is bad because it has mangled headers to attempt to deflect complaints away from the true perpetrators. It is also quite funny. Here it is, dissected for the newer anti-spammers to watch and learn from.

First line:

>Received: from ( [])
>by (EMWAC SMTPRS 0.83) with SMTP id
><>; Wed, 10 Sep 1997 20:00:52 -0500

This is my mail server getting the spam from a mail server known as Please note that the ISP listed here may well have been innocently hijacked by the spammer; we really don't know yet.

>Wed, 10 Sep 1997 21:02:53 -0500
>Received: from

This is all fake, inserted by the spammer's bulk mail software.
It can be safely ignored.

>Received: from ( [])
>by (8.8.5/8.8.5) with SMTP id UAA03117;
>Wed, 10 Sep 1997 20:27:30 -0500

This line purports to show where actually got the mail from that it relayed to me.

Please note that " " does not belong to

How do we know this? Simple, we use a tool called nslookup (available for many platforms).

Here is what we see:

Translated Name:
IP Address:

Translated Name:
IP Address:

What does this all mean? It means that the first part of the line is bogus, but the second part is correct.

We know that because most mail server software will report accurate information about where it got the mail from in most cases (it has to be misconfigured or older brain-dead software to be completely silent about where it got the mail from).
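The check described above, as an added example that is not from the original article: the name after "from" is whatever the sender claimed, while the bracketed address is what the receiving server recorded. The hostnames, addresses, message ids and the DNS table standing in for nslookup are constructed placeholders, and a sendmail-style line layout is assumed.

```python
import re

# Assumed layout: from <claimed name> (<rDNS name> [<peer IP>]) by <recording host>
HOP = re.compile(r"from\s+(\S+)\s+\((\S*)\s*\[([\d.]+)\]\)\s+by\s+(\S+)")

# Constructed stand-in for nslookup answers (name -> address), so this runs offline.
DNS = {
    "relay.example.net": "192.0.2.10",
    "bigisp.example.com": "203.0.113.5",
}

# Constructed Received lines, newest first; every name and address is a placeholder.
SAMPLE = [
    "from relay.example.net (relay.example.net [192.0.2.10]) "
    "by mx.example.org (EMWAC SMTPRS 0.83) with SMTP id <B0001>; Wed, 10 Sep 1997 20:00:52 -0500",
    "from bigisp.example.com (dialup7.example.edu [198.51.100.77]) "
    "by relay.example.net (8.8.5/8.8.5) with SMTP id UAA00001; Wed, 10 Sep 1997 20:27:30 -0500",
    "from mail.example.com (mail.example.com [203.0.113.9]) "
    "by bigisp.example.com with SMTP; Wed, 10 Sep 1997 21:02:53 -0500",
]

def trace(lines, my_server, dns):
    """Return (verdict, peer_ip) per line, walking down from my own server."""
    results, expected_by, trusted = [], my_server, True
    for line in lines:
        m = HOP.search(line)
        if not trusted or not m or m.group(4) != expected_by:
            # Not written by a host we can vouch for: treat it as sender-supplied text.
            results.append(("untrusted", m.group(3) if m else None))
            trusted = False
            continue
        helo, _rdns, ip, _by = m.groups()
        if dns.get(helo) == ip:
            results.append(("consistent", ip))
            expected_by = helo  # the next line down should be written by this relay
        else:
            results.append(("helo-forged", ip))  # name is bogus, address is real
            trusted = False  # everything below was handed over by that address
    return results

def injection_point(lines, my_server, dns):
    """Peer IP from the last line written by a server we could vouch for."""
    ips = [ip for verdict, ip in trace(lines, my_server, dns) if verdict != "untrusted"]
    return ips[-1] if ips else None
```

On the sample, the second line is the one where the claimed name and the recorded address disagree, so its address is the one to look up in WHOIS, and the line beneath it is ignored.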