How to Deal with and Report Spam or a Spammer

Want to know how to deal with spam? We love reporting spammers. It’s such a satisfying feeling to report a spammer, especially when you get a response back saying that the spammer has been nuked. But many people don’t know how to report spam email. So we thought that we would share the love with you, and tell you how to report a spammer.


Before we get to how to report a spammer, first let’s distinguish between different types of spam. There is:

1. Email you receive from a company with whom you have done business or made an inquiry, but did not sign up to be on their mailing list.

2. Email you receive from a legitimate company with whom you have never done business.

3. Email you receive from non-legitimate (by which we mean not known to you or the average person) sources.

With respect to type 1 – email you receive from a company with whom you’ve done business or made an inquiry – as much as we hate to say it, the simplest thing for you is to just hit the ‘unsubscribe’ link. Yes, you shouldn’t have to unsubscribe from something to which you never subscribed in the first place, but it is the easiest way to dispense with getting those mailings – the (generally valid) assumption being that legitimate companies will honour their opt-out requests. Don’t forget that under Federal law, those companies have ten days to remove you from their list, so you may keep getting their spam for a week or so.

Type 2 email – email you receive from a legitimate company with whom you have never done business – is even more annoying, because you never even contacted this company, and here they are spamming you. Nonetheless, if they are a company you know, the easiest thing to do is to unsubscribe. But you may not want to do the easiest thing – you may be annoyed enough at them for spamming you that you may want to let their email service providers and ISPs know that they are spamming. That they somehow acquired your email address and added it to their mailing list with no contact – let alone consent – from you. If so, read on.

Type 3 email – email you receive from non-legitimate (by which we mean not known to you or the average person) sources – is the most problematic, but often the most satisfying to report. That said, Type 3 email falls into two subcategories: email from a source that seems as if it could be legitimate, but clearly how they got your email address was not legitimate; and email from purely ultra-spammy, shady characters (such as herbal supplement or prescription drug spam).

An example of the first subcategory – email from a source that seems as if it could be legitimate, but clearly how they got your email address was not legitimate – would be this spam that we received recently:

From: Retail Gazette
Subject: Sales of FMCG goods rise 3% across Europe – Latest Retail News
Date: November 22, 2013 1:01:12 AM MST
Reply-To: newsletter@newsletter.retailgazette.co.uk

Sales of FMCG goods rise 3% across Europe

Fast-moving consumer goods (FMCG) sales for the third quarter of 2013 rose 3 per cent from 1.2 per cent compared to the same period last year, according to Nielson. The global insights firm said that the rises were driven by 2.8 per cent inflation and a 0.2 per cent rise in sales volumes. Turkey experienced the highest nominal year-on-year sales growth (+9.5 per cent) in Q3 among the 21 European countries measured, followed by Portugal (+6.6 per cent) and Norway (+4.2 per cent).

Mind you, we had this spammer nuked, and yes it was very satisfying.

We assume that everyone has received and can identify spam which would fall into the second subcategory, email from purely ultra-spammy, shady characters (such as herbal supplement or prescription drug spam).

So, for the average person who wants to get into reporting spammers, we recommend reporting spam from category 3, and maybe from category 2, depending on your preferences.

In order to report a spammer, you need to ascertain through what services they are sending the spam. You will want to determine what website (if any) they are advertising in their spam, and who are the providers who are provisioning that website. What we mean by the latter is who is the domain registrar for the website, and who is hosting the website.

If the spammer is using an email service provider (“ESP”), the easiest way to find out which ESP they are using is to hover over any included unsubscribe link, to see where it leads.

Using our Retail Gazette spam example:

[Image: how to report spam unsubscribe link]

As you can see, the unsubscribe link goes to mkt3983.com. We happen to know that mkt3983.com is actually the large and legitimate ESP called SilverPop. But if you didn’t know that, you could either assume that mkt3983.com is a legitimate ESP and send your spam report to “abuse@mkt3983.com”, or you could go to their site, and/or do a “whois” lookup (more on that in a minute). Going to mkt3983.com actually leads to a simple page which says, at the bottom:

Definition of SPAM from MAPS- Mail Abuse Prevention System

An e-mail is SPAM if:
1. The contact’s personal identity and context are irrelevant because the message is equally applicable to many other potential contacts; AND
2. The contact has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND
3. The transmission and reception of the message appears to the contact to give a disproportionate benefit to the sender.

If you have questions or concerns regarding this policy, please forward a copy of the e-mail in question to abuse@silverpop.com.

(By the way, that definition of spam was written by our own Anne Mitchell, with Paul Vixie, the founder of MAPS; we’re pleased to see that it is still in use!)

So, now we know to report this particular spam to abuse@silverpop.com.

“abuse” is the industry standard for the email address that all Internet companies should have set up for the purpose of receiving complaints about things such as spam coming from their system. This is known as a “role account” (other common role accounts include ‘postmaster’ and ‘info’).

At this point, if you have reported the spammer to their ESP, you will have done more than 90% of the spam recipients out there do, and you may want to stop there. But be aware that what is most likely to happen is that the spammer will just go to another ESP. Which is why we also always make sure to get the spammer’s webhost in on the game.

To determine this, you will want to do a “whois” lookup. Whois is how you find out who owns a domain (the URL or address) on the Internet. It also tells you which domain registrar they used to register the domain, and it also tells you who handles their DNS (Domain Name System) information, which is the service that maps a domain name to the IP address of the computer that is hosting the website.

So, a “whois” lookup is very useful.

One of our favourite places to do a whois lookup is at Whois.com. We like it because it is straight-forward, and gives you the results right up front, without a bunch of ads trying to get you to buy your own domain.

Type in the domain name for which you want to perform the whois lookup (in this case retailgazette.co.uk):

[Image: how to report a spammer whois lookup]

And you will see these results:

Domain name:
retailgazette.co.uk

Registrant:
Quest Search and Selection

Registrant type:
Unknown

Registrant’s address:
63 Williams Grove
Surbiton
Surrey
KT6 5RP
United Kingdom

Registrar:
Mesh Digital Limited t/a Domainmonster.com [Tag = MONSTER]
URL: http://www.domainmonster.com

Relevant dates:
Registered on: 20-Jan-2010
Expiry date: 20-Jan-2014
Last updated: 28-Feb-2013

Registration status:
Registered until expiry date.

Name servers:
ns1.domainmonster.com
ns2.domainmonster.com
ns3.domainmonster.com

Now we know that retailgazette.co.uk was registered on January 20, 2010, and it was registered through DomainMonster.com, who also provides their DNS (often the DNS is provided by a different provider, not the domain registrar). We also know that it was registered by an entity calling itself “Quest Search and Selection”, and that they are located at 63 Williams Grove, Surbiton, Surrey, England.

What this means is that you can now send your spam complaint to not only their ESP (SilverPop) but to the registrar and host of the website that they are advertising in their spam. To do this, you would send your complaint to, in this example, abuse@domainmonster.com.
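The reading of the whois record described above can be done mechanically. The following Python sketch is an added example, not part of the original article: it parses the record format shown above (a label line ending in a colon, followed by its value lines) and lists where a complaint could go. The function names and the last-two-labels shortcut are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Abridged from the whois results shown above for retailgazette.co.uk.
WHOIS_TEXT = """\
Domain name:
retailgazette.co.uk

Registrant:
Quest Search and Selection

Registrar:
Mesh Digital Limited t/a Domainmonster.com [Tag = MONSTER]
URL: http://www.domainmonster.com

Name servers:
ns1.domainmonster.com
ns2.domainmonster.com
ns3.domainmonster.com
"""

def parse_sections(text):
    """Group value lines under the most recent 'Label:' line."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith(":"):               # a label line opens a new section
            current = line[:-1].lower()
            sections[current] = []
        elif current is not None:            # anything else is a value of that section
            sections[current].append(line)
    return sections

def base_domain(host):
    # Last two labels only: enough for the .com hosts in this record (assumption).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def complaint_targets(text):
    """Registrar and DNS provider domains, plus their abuse@ role accounts."""
    s = parse_sections(text)
    url = next(v.split(":", 1)[1].strip() for v in s["registrar"] if v.startswith("URL:"))
    registrar = base_domain(urlparse(url).hostname)
    dns = sorted({base_domain(ns) for ns in s["name servers"]})
    return {"domain": s["domain name"][0], "registrar": registrar,
            "dns_providers": dns, "dns_at_registrar": dns == [registrar],
            "abuse": sorted({f"abuse@{d}" for d in [registrar, *dns]})}

if __name__ == "__main__":
    print(complaint_targets(WHOIS_TEXT))
```

When the name servers belong to a different provider than the registrar, `dns_at_registrar` is false and the `abuse` list carries one address per provider.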

Again, you may wish to just stop there, and you will have done far more than most, and can feel really good about reporting that spammer.

But as you may imagine, you can always go further down the rabbit hole. For example, we decided to look up Quest Search and Selection, and found their website at http://www.questsearch.co.uk/. We did a whois lookup on questsearch.co.uk, and learned that it had a completely different registrant and address from retailgazette.co.uk, but the same registrar and DNS provider, so we included that information in our spam complaint.

It is important to understand that the more information you can provide up front in your spam complaint, the more effective it will be.

And that leads us to the last part of our tutorial: finding the headers in the spam, and including them in your complaint.

All spam complaints need to include a copy of the offending email, including the full headers. And if the spam was not sent through an ESP, but directly from the spammer’s computer, those headers may be the only way to determine where to send your spam complaint.

Now, email headers are those things that include the routing information for the email: who sent it, to whom they sent it, the subject, etc.

But those are only the things that everybody sees when they open an email that they have received. There are ‘hidden’ headers as well – i.e. headers that are not displayed when you open an email to read it. These headers tell the complete story of the journey that email took to reach you – every computer and routing system and route that it took, from the moment the spammer clicked “send” up until the moment it was delivered to your inbox.

Nearly all email programs (Outlook, Apple Mail, etc.) and email providers (Gmail, Yahoo, etc.) provide a way to see your full headers. (See our tutorial on how to find your email headers here.)

Here are the full email headers from a piece of spam we recently received (note that this fake confirmation was for something that nobody ever requested be sent to us):

From: “Sierra Consultants”
Subject: Please confirm your subscription to Sierra Consultants’ Newsletter!
Date: November 20, 2013 11:23:53 AM MST
To:
Delivered-To: dearesq@dearesq.com
Received: by 10.112.210.225 with SMTP id mx1csp375487lbc; Wed, 20 Nov 2013 10:24:23 -0800 (PST)
Received: (qmail 9931 invoked from network); 20 Nov 2013 18:24:21 -0000
Received: (qmail 9929 invoked by uid 30297); 20 Nov 2013 18:24:21 -0000
Received: from unknown (HELO p3plibsmtp01-06.prod.phx3.secureserver.net) ([72.167.238.222]) (envelope-sender ) by p3plsmtp22-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP for ; 20 Nov 2013 18:24:21 -0000
Received: from p3plsmtp22-01.prod.phx3.secureserver.net ([68.178.252.53]) by p3plibsmtp01-06.prod.phx3.secureserver.net with bizsmtp id ruQF1m00l19tJ5w01uQFsW; Wed, 20 Nov 2013 11:24:15 -0700
Received: (qmail 23238 invoked from network); 20 Nov 2013 18:24:15 -0000
Received: (qmail 22368 invoked by uid 30297); 20 Nov 2013 18:23:54 -0000
Received: from unknown (HELO p3pismtp01-049.prod.phx3.secureserver.net) ([72.167.238.67]) (envelope-sender ) by p3plsmtp22-01.prod.phx3.secureserver.net (qmail-1.03) with SMTP for ; 20 Nov 2013 18:23:54 -0000
Received: from drone168.ral.icpbounce.com ([207.254.213.225]) by p3pismtp01-049.prod.phx3.secureserver.net with ESMTP; 20 Nov 2013 11:23:54 -0700
X-Received: by 10.68.163.132 with SMTP id yi4mr2124698pbb.152.1384971863002; Wed, 20 Nov 2013 10:24:23 -0800 (PST)
Return-Path:
Received-Spf: pass (google.com: domain of SRS0=gFqF=U5=bounce.secureserver.net=srs0=7qon=u5=icpbounce.com=bounces+1279252.23903966.106737@bounce.secureserver.net designates 68.178.252.59 as permitted sender) client-ip=68.178.252.59;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of SRS0=gFqF=U5=bounce.secureserver.net=srs0=7qon=u5=icpbounce.com=bounces+1279252.23903966.106737@bounce.secureserver.net designates 68.178.252.59 as permitted sender) smtp.mail=SRS0=gFqF=U5=bounce.secureserver.net=srs0=7qon=u5=icpbounce.com=bounces+1279252.23903966.106737@bounce.secureserver.net; dkim=pass header.i=@icontactmail3.com
Mime-Version: 1.0
Errors-To: bounces+1279252.23903966.106737@icpbounce.com
List-Unsubscribe: ,
X-List-Unsubscribe:
X-Unsubscribe-Web:

X-Feedback-Id: 01_1279252_106737:01_1279252:01:vocus
X-Return-Path-Hint: bounces+1279252.23903966.106737@icpbounce.com
Content-Type: multipart/alternative; boundary="cdf82e78-582d-4a55-9037-dacf81ae37d3"
Message-Id: <0.1.8F.132.1CEE61DAB1E0030.0@drone168.ral.icpbounce.com>

Generally speaking, the bottom-most domain address that you see in the headers will be where the spam originated. In this case, it was sent from a mail server calling itself “icpbounce.com”, and it’s pretty clear that this is owned by “icontact.com”; in fact, the “list-unsubscribe” headers clearly show that you can unsubscribe via icontact.com. icpbounce.com is one of iContact’s servers.

At the top of the headers, you can see that the spam was sent to an email address at dearesq.com.

Everything in between is the routing that it took to get from iContact’s server to the inbox at dearesq (some of the intermediate headers show various checks and authentications that took place along the way).

You don’t have to worry about most of this information (unless you are looking in the headers to figure out where to send your complaint), you simply have to include these headers with your complaint, because the companies to whom you are complaining will need them.
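To show how the routing described above can be read out of the headers, here is an added Python example (not from the original article) that walks the Received lines from the bottom up and reports each sending host with the IP address the receiving server recorded for it. The function names and the small suffix set are assumptions for illustration; the sample is abridged from the headers above.

```python
import re
from email import message_from_string

# Abridged from the Sierra Consultants headers shown above (four of the Received lines).
SAMPLE = """\
Delivered-To: dearesq@dearesq.com
Received: by 10.112.210.225 with SMTP id mx1csp375487lbc; Wed, 20 Nov 2013 10:24:23 -0800 (PST)
Received: (qmail 9931 invoked from network); 20 Nov 2013 18:24:21 -0000
Received: from unknown (HELO p3plibsmtp01-06.prod.phx3.secureserver.net) ([72.167.238.222]) (envelope-sender ) by p3plsmtp22-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP for ; 20 Nov 2013 18:24:21 -0000
Received: from drone168.ral.icpbounce.com ([207.254.213.225]) by p3pismtp01-049.prod.phx3.secureserver.net with ESMTP; 20 Nov 2013 11:23:54 -0700
Errors-To: bounces+1279252.23903966.106737@icpbounce.com

(body omitted)
"""

# "from <name> [(HELO <name>)] ([<ip>])": the name is whatever the sender claimed,
# the bracketed IP is what the receiving server recorded for the connection.
FROM_RE = re.compile(r"from\s+(\S+)\s+(?:\(HELO\s+([^)\s]+)\)\s+)?\(\[?([0-9A-Fa-f.:]+)\]?\)")
BY_RE = re.compile(r"\bby\s+(\S+)")
# Small constructed subset of two-label suffixes; the full Public Suffix List is not used here.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def received_hops(raw):
    """Hops that name a sending host, oldest (bottom-most header) first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())      # unfold continuation lines
        m = FROM_RE.search(value)
        if not m:                            # internal hand-offs carry no "from host"
            continue
        name, helo, ip = m.groups()
        by = BY_RE.search(value, m.end())
        hops.append({"host": helo or name, "ip": ip, "by": by.group(1) if by else None})
    return hops

def abuse_address(host):
    """abuse@ role account at the host's registrable domain (assumed convention)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return "abuse@" + ".".join(labels[-keep:])

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(f'{hop["host"]} [{hop["ip"]}] -> {hop["by"]}')
    print("report to:", abuse_address(received_hops(SAMPLE)[0]["host"]))
```

The address it prints is only a starting point: a whois lookup on that domain, as described earlier, confirms who actually operates the server.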

After you send in your complaint, you may never hear from the companies to whom you sent your complaint. This doesn’t mean that they haven’t acted on it – some companies are just too busy, too understaffed, or too small to answer every spam complaint individually. But some companies do respond, and every once in a while you will get a response like this:

Thanks for bringing this to our attention. We take spam prevention very seriously. We have filters that put suspicious emails into a queue to be inspected by our Spam and Fraud team. We subscribe to the Spamhaus blacklist so that we can weed out emails containing blacklisted domains. We also block on a number of other vectors (suspicious phrases, known bad Reply-To addresses, etc.).

I’m recommending to our team that we remove this user’s ability to send email.

And that is a very satisfying result.

[Note: This article was originally posted in 2011, and was updated in 2017]


2 Replies to “How to Deal with and Report Spam or a Spammer”

  1. You missed one type of spam, companies that refuse to unsubscribe the user. I’m still getting (what I now consider spam) email from a company that I had originally subscribed to, but later decided I didn’t want. I unsubscribed on two different occasions just to make sure I did it, but I still get email from them. You can bet that I’ll never do business with that company again.

  2. Very detailed and informative. Explained better than I have ever seen, BUT – too time consuming! How about just ONE link where ALL the spam can be forwarded to and can be dealt with?
