Reading Forged Email Headers, Part 2

Return-Path: <>
Received: from growl.pobox.com ([208.210.124.27]) by newton.qsolutions.com
                (Netscape Messaging Server 3.01) with SMTP id AAA3771
                for ; Thu, 17 Aug 2000 03:36:27 -0400
Received: from mail.gdcapz89.net (rppp174.gvn.net [209.63.138.174])
                by growl.pobox.com (8.8.7/8.8.5) with SMTP id DAA15079;
                Thu, 17 Aug 2000 03:35:11 -0400 (EDT)
Message-ID: <15756.29947@mail.gdcapz89.net>
From: <>
Reply-To:
Subject: INTERNATIONAL DRIVERS LICENSE (1800)
Date: Tues, 08 Aug 2000 00:35:59 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mozilla-Status2: 00000000

1. Who sent this mail?
This email claims to have originated at mail.gdcapz89.net. Let's first check if this is a real domain:

% whois gdcapz89.net
No match for "GDCAPZ89.NET".

This having failed, we look inside the parentheses, where we find another domain name (gvn.net) as well as an IP address. The relay that wrote this Received: line recorded both itself, so unlike the name before the parentheses they were not supplied by the sender. Let's see who that IP address belongs to by performing an nslookup:

% nslookup 209.63.138.174
Server: blackbox.pobox.com
Address: 208.210.124.26

Name: rppp174.gvn.net
Address: 209.63.138.174

An nslookup on an IP address returns the host name registered for that address (its reverse DNS entry), just as an nslookup on a host name returns its IP address. Here the answer, rppp174.gvn.net, matches what the Received: line recorded, telling us that this email did indeed originate at gvn.net.

Imagine you are the recipient of this spam and you have just figured out that gvn.net is the domain that sent this to you. You are probably pretty mad, and the urge to send some nasty mail to gvn is hard to resist. Well, let me tell you, as a person who deals with angry customers every day: DON'T DO IT. We don't know that gvn is a spamming domain; we don't even know who they are. So before we go throwing a fit, let's just see how guilty they are. The best way to do this is to see if they have a web site. You do this by going to your web browser and putting http://www. in front of the domain name.

Go to gvn.net and see for yourself. Who are these people and what do they do? We already know from the .net that this is some kind of ISP. And indeed they are - Global Valley Network. Although I can't find their User Policy to prove it, they certainly don't look like a spamming domain. Chances are the spammer is abusing their services to send out this mail.

What to do then? Send a polite note to gvn.net, asking them to shut down their user who is abusing resources. Tell them the mail originated at gvn.net and went directly to growl.pobox.com, which transferred the mail to newton.qsolutions.com. Since the headers carry no more detailed destination information (the "for" clause of the last Received: line names no recipient), we can assume that this mail was sent through a bulk email program. There is no way of finding the exact address it was sent to, other than the fact that it has arrived at a certain mailbox.

3. When was this email sent?
The Date: line claims this mail was sent on Tues, 08 Aug 2000 00:35:59 -0400 (EDT). However, the first Received: line claims that the email was received on Thu, 17 Aug 2000 03:35:11 -0400 (EDT). How can we explain the discrepancy?

The Date: line is added by the user or the user's machine and is simply passed on to the next relay unchanged, whereas each Received: line is stamped by the relay that handled the mail. Therefore, in this header, the Date: line is definitely forged.
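Both checks above (walking the Received: chain back to the originating IP in section 1, and comparing the Date: line against the first relay's timestamp in section 3) can be automated. The following is an added example, not code from the original tutorial; it works on the header block quoted above as a constructed sample and does no network lookups, so the whois and nslookup steps are still left to you.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the tutorial's header block (recipient elided as on the page, blank line removed).
SAMPLE_HEADERS = """\
Received: from growl.pobox.com ([208.210.124.27]) by newton.qsolutions.com
        (Netscape Messaging Server 3.01) with SMTP id AAA3771
        for ; Thu, 17 Aug 2000 03:36:27 -0400
Received: from mail.gdcapz89.net (rppp174.gvn.net [209.63.138.174])
        by growl.pobox.com (8.8.7/8.8.5) with SMTP id DAA15079;
        Thu, 17 Aug 2000 03:35:11 -0400 (EDT)
Date: Tues, 08 Aug 2000 00:35:59 -0400 (EDT)
"""

# "from <HELO name> (<reverse DNS> [<ip>]) by <relay>"; the reverse name is optional.
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \((?:(?P<rdns>[^\s\[\]]+) )?\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)")

def parse_received(raw_headers):
    """Return the Received: hops as dicts, earliest hop first."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        match = RECEIVED_RE.search(flat)
        if match:
            hop = match.groupdict()
            hop["time"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            hops.append(hop)
    hops.reverse()  # each relay prepends its line, so the bottom line is the first hop
    return hops

def registered_domain(host):
    return ".".join(host.split(".")[-2:]) if host else None

def origin_of(raw_headers):
    """Describe the first hop, trusting the relay's bracketed IP and reverse name over HELO."""
    first = parse_received(raw_headers)[0]
    return {"ip": first["ip"], "rdns": first["rdns"], "claimed": first["helo"],
            "claim_matches_rdns": registered_domain(first["helo"]) == registered_domain(first["rdns"])}

def date_skew_days(raw_headers):
    """Days between the Date: header and the first relay's timestamp (positive = Date: is older)."""
    claimed = parsedate_to_datetime(message_from_string(raw_headers)["Date"])
    return (parse_received(raw_headers)[0]["time"] - claimed).days

if __name__ == "__main__":
    print(origin_of(SAMPLE_HEADERS))
    print("Date: header predates the first relay by", date_skew_days(SAMPLE_HEADERS), "days")
```

The HELO name mail.gdcapz89.net fails the domain comparison against rppp174.gvn.net, and the Date: line comes out nine days older than the first relay's stamp, which is exactly the discrepancy discussed above.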

Now that you are an expert...

Some last words of advice about dealing with spam. First of all, it does absolutely no good to complain to every single domain you see in the Received: lines. There is one originating domain responsible for the email, and that's it. So complaining to every name you see is pointless. What can other domains do about something they are not responsible for? You waste your time and theirs.

Secondly, please be polite. Even once you find the domain that sent that mail, remember: Unless this is a spamming domain, the ISP didn't send you the spam, a user did. There is no reason to be nasty and offensive. Just ask them to deactivate the account and give them the evidence (the full headers). That's all you need to do.

Thirdly, keep in mind that even with all of this information, the best method of action may not be to "go after" the spammer. Think about the many spams you've gotten that had telephone numbers to call to be added to the "Remove" list. Sometimes these numbers are used for scams and will incur high charges on your telephone bill. Or the spammer wants you to send money by snail mail -- these are all scams and going after the email address may be of little use. So other than politely notifying the offending domain, just delete the mail.

Lastly, if you really want to be a geek, you can read all about how email works by reading RFC 822. RFC 822 is the official documentation of email headers. It's very technical, but this site breaks down the RFC into small chunks so that you don't get overwhelmed.

For more information about what to do about spam that you've received, please see our section on dealing with spam.


Did you find this tutorial helpful? Did we leave anything out? Let us know at pobox@pobox.com!