[ How To Trace SPAM ]


Thank you for taking the time to fight SPAM!

Rest assured the domain deuce.com did *not* send you SPAM.
Most likely the name "deuce" was forged on the email in 
question with something like "mailserver.deuce.com".
In fact, deuce.com has no servers of its own, it is
simply a personal (vanity) nameplate.

If you are interested, please read on to find out how you 
can easily determine where a SPAM email came from (or any 
email for that matter.)  You will be much more effective if 
you send a complaint to the correct place.  Most ISP's today 
are very good about dealing with SPAM.

Regards,
steve@deuce.com

-----------------------------------------------
How to Figure out where a SPAM email came from

This is something that I wrote myself.
At the end I have listed some good sites
about dealing with SPAM that I recommend.
-----------------------------------------------

Look at the headers of the original SPAM email
(here is an example of an actual SPAM): 


Return-Path: <>
Received: from mailserver.deuce.com (2Cust55.tnt20.lax3.da.uu.net [208.255.121.55])
       by camel9.mindspring.com (8.8.5/8.8.5) with SMTP id LAA05079;
       Thu, 3 Dec 1998 11:11:28 -0500 (EST)
Message-ID: <24786.33507@mailserver.deuce.com>
From: <>
Subject: Dream Getaway -- Yours (64817)
Date: Thu, 03 Dec 1998 08:06:42 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Transfer-Encoding: 7bit


You are looking for the specific line:

Received: from mailserver.deuce.com (2Cust55.tnt20.lax3.da.uu.net [208.255.121.55])

Depending on your email program you might have to turn on something
that will show you all the headers rather then just the basic ones.

In this example it looks like "mailserver.deuce.com" is the sender,
but this is actually forged, and usually a non-existent name is used
so that reply's don't work.  You want to look at the IP number rather 
then the name, in this case [208.255.121.55].  This will tell you 
which server sent the email.  Hopefully the owner of that server
can track down the actual user who sent the SPAM.

Also, when there are two hostnames, the one in (parentheses) is
usually the correct one, and the IP address in [square-brackets] is almost
always correct. Look up the IP number in the [ ] not the hostname.

You can pretty much disregard any other address's given in other headers,
or in the mail itself as those are normally used for "cover."

If you want to check the host name, to see if it exists, use nslookup. 
This will confirm that the domain name is forged.

There are nslookup tools on the web (go to yahoo and search nslookup)
Here is a good one that I use:  http://www.infobear.com/nslookup-form.cgi

Output of: nslookup mailserver.deuce.com

*** ns.digiweb.com can't find mailserver.deuce.com: Non-existent host/domain 
Server: ns.digiweb.com 
Address: 206.161.225.3 

Note - nslookup returns the name of the server that did the search first,
and then what you were looking for.  If a match is made it will follow 
with specific information, like this (now plug in the IP number 208.255.121.55)

Output of: nslookup 208.255.121.55
Server: ns.digiweb.com 
Address: 206.161.225.3 

Name: 2Cust55.tnt20.lax3.da.uu.net 
Address: 208.255.121.55 

Now you have the actual server/IP and real name that the SPAM came from.

To find more information on that specific server/IP use whois.
I like to use this one: http://www.arin.net/whois/arinwhois.html
Note:  if this fails you might check the Euro version of this,
just back up a page and there is a tool for this as well.

Here is the output of 208.255.121.55

UUNET Technologies, Inc. (NETBLK-UUNET97DU)
   3060 Williams Drive, Suite 601
   Fairfax, VA 22031
   US

   Netname: UUNET97DU
   Netblock: 208.250.0.0 - 208.255.255.255
   Maintainer: UUDA

   Coordinator:
      Uunet, AlterNet - Technical Support  (OA12-ARIN)  help@UUNET.UU.NET
      +1 (800) 900-0241

   Domain System inverse mapping provided by:

   DIALDNS1.UU.NET		153.39.194.10
   DIALDNS2.UU.NET		153.39.194.26

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 19-Nov-98.
   Database last updated on 3-Dec-98 16:12:39 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.


Now send your complaints to that domain and hopefully they will 
deal with the sender.  Again, most ISP's are very good about 
dealing with SPAM today.
---

Here are two very good sites about how to deal with and track SPAM:
----------------------------------------------------------------------
http://www.mcs.com/~jcr/junkemaildeal.html
http://www.netwizards.net/spam.html
[ Back ]
www.deuce.com webmaster@deuce.com