For example, look at this recent spam I received:
From qoy86@angie_105@mailexcite.com Fri May 15 23:55:55 1998
Received: from proxy2.ba.best.com (root@proxy2.ba.best.com [206.184.139.13])
    by shell3.ba.best.com (8.8.8/8.8.BEST) with ESMTP id XAA05666
    for <dwelch+XRCPT.6477656c63684070686f6e65626f792e636f6d@shell3.ba.best.com>;
    Fri, 15 May 1998 23:55:54 -0700 (PDT)
From: qoy86@angie_105@mailexcite.com
Received: from tor-vs1.nbc.netcom.ca (tor-vs1.nbc.netcom.ca [207.181.89.33])
    by proxy2.ba.best.com (8.8.8/8.8.BEST) with ESMTP id XAA08688
    for <dwelch@phoneboy.com>; Fri, 15 May 1998 23:54:48 -0700 (PDT)
Received: from netrepreneur.mymail.net (9.west-palm-beach-01.fl.dial-access.att.net [12.70.38.9])
    by tor-vs1.nbc.netcom.ca (8.8.5/8.8.8) with SMTP id CAA09763;
    Sat, 16 May 1998 02:45:27 -0400 (EDT)
Date: Sat, 16 May 1998 02:45:27 -0400 (EDT)
Received headers get prepended to the top of a message as it passes through each mail server, so the "last" Received header you see is usually the one closest to the originator of the mail. This rule doesn't always work, since these headers can be "forged." My rule of thumb is to look for discrepancies between what the originator 'reports' his mail server to be (netrepreneur.mymail.net) and what the receiving SMTP server says it actually is (9.west-palm-beach-01.fl.dial-access.att.net). I try to find the first SMTP server that is truly "resolvable" and go from there.
In this case, the perpetrator (12.70.38.9, an att.net address) is using some mail relay at netcom.ca. Big surprise as Netcom has open SMTP relays and has ignored repeated requests by the net at large to close them.
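The rule of thumb above can be mechanized. What follows is an added example, not code from the original page: it unfolds the Received headers, walks the chain earliest-hop-first, and flags the two things the text looks for, a HELO name that disagrees with the receiving server's own reverse-DNS/IP record, and a break between one hop's "by" host and the next hop's "from" host. The sample headers are a constructed copy of the message quoted above; the field names (helo, rdns, ip, by) are my own labels, and the regular expression only understands the common "from X (Y [ip]) by Z" form used by sendmail-style servers.

```python
import re

# Constructed sample: the Received chain quoted above, with continuation lines
# folded the way they appear in the raw message (leading whitespace).
SAMPLE_HEADERS = """\
From: qoy86@angie_105@mailexcite.com
Received: from proxy2.ba.best.com (root@proxy2.ba.best.com [206.184.139.13])
\tby shell3.ba.best.com (8.8.8/8.8.BEST) with ESMTP id XAA05666
\tfor <dwelch@phoneboy.com>; Fri, 15 May 1998 23:55:54 -0700 (PDT)
Received: from tor-vs1.nbc.netcom.ca (tor-vs1.nbc.netcom.ca [207.181.89.33])
\tby proxy2.ba.best.com (8.8.8/8.8.BEST) with ESMTP id XAA08688
\tfor <dwelch@phoneboy.com>; Fri, 15 May 1998 23:54:48 -0700 (PDT)
Received: from netrepreneur.mymail.net (9.west-palm-beach-01.fl.dial-access.att.net [12.70.38.9])
\tby tor-vs1.nbc.netcom.ca (8.8.5/8.8.8) with SMTP id CAA09763;
\tSat, 16 May 1998 02:45:27 -0400 (EDT)
Date: Sat, 16 May 1998 02:45:27 -0400 (EDT)
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiver>" -- the HELO name is whatever
# the sender claimed; the parenthesised part is what the receiver observed.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<verified>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded header lines: a line starting with whitespace continues the previous one."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return the Received hops in header order (top of message first)."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        verified = m.group("verified") or ""
        ip = IP_RE.search(verified)
        # Reverse DNS is the text before "[ip]"; drop an ident prefix like "root@".
        rdns = verified.split("[")[0].strip().split("@")[-1]
        hops.append({"helo": m.group("helo"), "rdns": rdns,
                     "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def analyze(hops):
    """Walk the chain earliest hop first and flag HELO mismatches and chain breaks."""
    chrono = list(reversed(hops))  # headers are prepended, so the last one is the oldest
    findings = []
    for i, hop in enumerate(chrono):
        mismatch = bool(hop["rdns"]) and hop["helo"].lower() != hop["rdns"].lower()
        # The server that received hop i-1 should be the one handing off in hop i.
        broken = i > 0 and chrono[i - 1]["by"].lower() not in (
            hop["helo"].lower(), hop["rdns"].lower())
        findings.append({**hop, "helo_mismatch": mismatch, "chain_break": broken})
    return findings


def likely_origin(findings):
    """First hop for which the receiver recorded an address: report that IP,
    not the HELO name, since only the receiver's view is trustworthy."""
    for hop in findings:
        if hop["ip"]:
            return hop
    return None


if __name__ == "__main__":
    report = analyze(parse_received(SAMPLE_HEADERS))
    for n, hop in enumerate(report, 1):
        flags = [k for k in ("helo_mismatch", "chain_break") if hop[k]]
        print(f"hop {n}: {hop['helo']} -> {hop['by']}  seen as {hop['rdns']} [{hop['ip']}]  {flags}")
    origin = likely_origin(report)
    print(f"report to the owner of {origin['ip']} ({origin['rdns']}); first relay was {origin['by']}")
```

Running it against the sample prints the first hop as the only flagged one: the sender announced itself as netrepreneur.mymail.net, while tor-vs1.nbc.netcom.ca recorded it as 9.west-palm-beach-01.fl.dial-access.att.net [12.70.38.9], which is the same conclusion the text reaches by eye.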
There are newer spam programs that, instead of going through intermediate SMTP servers, deliver the email directly to your ISP's mail server. In this case, about the only thing you can do is report the problem to the provider the mail came from. In this case, that would be att.net.
Each provider has its own email address for reporting spam. You may be able to find this information on the provider's website. In many cases, it is abuse@provider.com. In all cases, postmaster@provider.com should work, or at least tell you where the complaint should be directed. If all else fails, you can use a "whois" utility to look up the provider's domain and send email to the technical contact for the domain in question. To check the "whois" of a domain, you can use InterNIC's Web Interface to Whois.
On a different piece of spam, I checked out the mail headers:
Received: from proxy2.ba.best.com (root@proxy2.ba.best.com [206.184.139.13])
    by shellx.best.com (8.8.3/8.8.3) with ESMTP id JAA21453;
    Fri, 22 Nov 1996 09:26:48 -0800 (PST)
From: aid@ultragrafix.com
Received: from yoda.globaltech2000.com (haljr.globaltech2000.com [206.54.182.99])
    by proxy2.ba.best.com (8.8.3/8.7.3) with SMTP id JAA21951;
    Fri, 22 Nov 1996 09:21:20 -0800 (PST)
Received: by yoda.globaltech2000.com from localhost (router,SLMAIL95 V2.2);
    Fri, 22 Nov 1996 00:36:14 Central Standard Time
Received: by snappy from somewhere.com (0.0.0.0::mail daemon; unverified, SnappyMail V0.1,alpha 1);
Subject: 4 Internet Addresses
To: nobody@globaltech2000.com;ultragrafix.com;;
Date: Fri, 22 Nov 1996 00:36:14 Central Standard Time
Message-Id: <19961122003614.bm8307.in@yoda.globaltech2000.com>
Look at the Received: lines here. You can tell that the bulk of the mail processing happens on globaltech2000.com (the Received: lines listed last are good indications of where the mail came from). A whois on globaltech2000.com tells me:
Ultragrafix (GLOBALTECH3-DOM)
   P.O. Bx. 170955
   Arlington, TX 76003
   USA

   Domain Name: GLOBALTECH2000.COM

   Administrative Contact, Billing Contact:
      Canady, Glenn  (GC768)  canady@ULTRAGRAFIX.COM
      (817)557-4139
   Technical Contact, Zone Contact:
      DFW Internet Serices, Inc  (ID54)  root@DFW.NET
      817) 332 - 5116

   Record last updated on 16-May-96.
   Record created on 14-Apr-96.

   Domain servers in listed order:

   NS1.DFW.NET                  198.175.15.15
   DFW.DFW.NET                  198.175.15.10

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
Doing a whois on dfw.net nets a dead end: their domain servers and technical contacts all terminate at DFW Internet, which probably means their ISP is spammer-friendly and your complaints are likely to fall on deaf ears. The last thing you can do is a "traceroute" on one of the nameservers for the domain. Here's what this tells me:
traceroute to ns1.dfw.net (198.175.15.15), 30 hops max, 40 byte packets
 1  core-fddi3-0.mv.best.net (206.86.0.1)  14 ms  36 ms  2 ms
 2  core1-hssi3-0.san-francisco.best.net (206.86.228.90)  5 ms  6 ms  5 ms
 3  166.48.13.249 (166.48.13.249)  5 ms  5 ms  5 ms
 4  border3-fddi-0.Denver.mci.net (204.70.2.115)  31 ms  32 ms  32 ms
 5  border3-fddi-0.Denver.mci.net (204.70.2.115)  30 ms  29 ms  29 ms
 6  dfw-internet-service.Denver.mci.net (204.70.30.26)  76 ms  113 ms  124 ms
 7  ns1.dfw.net (198.175.15.15)  100 ms  80 ms  86 ms
My provider (best.com/best.net) goes off to MCI's routers and makes it to dfw.net, which gives globaltech2000.com their Internet access.