Anti-SPAM Resource Page

This web page has been designed to assist HotPOP.com and Internet users in tracking unsolicited email. HotPOP.com considers unsolicited email (SPAM) to be any email not requested by the recipient. The main focus of this web page is understanding transmission headers to find the true source of the abusive email.

Finding the Transmission Headers

Many modern email clients hide the complete header information, because software vendors consider this information unnecessary for the end user. Finding the complete headers is different for almost every email client. Outlined below is the method used to find headers using the most common email clients. The transmission headers consist of one or more lines beginning with "Received". If you do not see these lines, then you do not have the full header information. If you do not know how to view the full header information, and your client is not listed below, please contact your software vendor for help.
Sample Transmission Header

    Received: from timeoto.com (web9.prometeus.com [209.150.128.211]) by itd.earthlink.net (8.8.7/8.8.5) with SMTP id XAA853; Thu, 8 Apr 1999 23:56:13 -0700 (PDT)
    Message-ID: <73896.71140@timeoto.com>
    From: "John Doe" <jdoe@spoofed.com>
    Reply-To: test@spoofed.com
    Subject: Hey look at me!
    Date: Fri, 09 Apr 1999 02:41:38 -0400 (EDT)

Understanding the Headers

The first rule of interpreting email headers is to ignore everything except the "Received" header lines. The format of the header is laid out according to RFC 822. This RFC essentially states that all transmission headers except the "Received" lines are supplied by the sender. That means that the "From:" and "Reply-To:" lines are supplied by the abusive person. Many people make the mistake of using this information to determine the originator of the email. Since this information is supplied by the sender, it is unreliable as a form of source determination.

In the example above there is one "Received" line. More often than not, there are multiple "Received" lines. For each mail server an email goes through, a "Received" line is added to the top of the header. This makes it possible to trace the exact route from sender to destination. When tracing spam you should look at the "Received" header that is closest to the body of the email. This header is the initial point where the email was injected onto the Internet.

In plain English, the "Received" header states that on April 8, 1999 at 23:56:13 PDT the machine with the IP address 209.150.128.211 connected to the mail server itd.earthlink.net. When reading email headers it is important to use only unspoofable information, which is why we use the IP address rather than any naming information. In the example above, the IP address corresponds to web9.prometeus.com. If you do not know how to convert IP addresses into names, you should get an nslookup tool for your computer. There are many shareware ones available.
In all circumstances, you should not depend on the name information in the email itself unless you have no alternative. The "Received" header in our example shows another type of spoofing that is common. When an email client connects to a mail server, the server asks it for its hostname. In the example above the client said its name was timeoto.com. Many older mail servers will use this information as the originating host rather than the IP address. Since the IP address is taken from the mail server's connection table, it is not spoofable and should be used instead of the name.

Reporting Abuse

When reporting abuse there are a few key points to keep in mind. First and foremost, a person is reading your email. If you use profanity and make a general nuisance of yourself, do not be surprised if you do not get a response. Always be polite and complete in your abuse reporting. Simply sending an email that says "stop it" does not accomplish anything. A good abuse email should include a complete copy of the abusive email, with the full transmission headers. It should then include a brief statement explaining the nature of the abuse. You should also include a valid return address so that the abuse handler can contact you if necessary.

Another important part of abuse reporting is getting the email to the proper person. Many companies have a department dedicated completely to dealing with abuse issues. If the originating network of the abuse has such a department, the email should be sent ONLY to that department. Sending a copy of the complaint to any and every email address you can find related to the site accomplishes very little. For example, abuse issues sent to webmaster@HotPOP.com will not reach the abuse staff until the webmaster forwards them. Since the abuse staff is on call 24/7, they can handle your issue much more quickly if it goes directly to them, rather than to the webmasters, who are only around during business hours.
If you do not know the proper abuse department email, some good guesses are abuse and postmaster at the particular domain.
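The header-reading rules from "Understanding the Headers" above, as an added example that is not part of the original page: it picks the "Received" line closest to the body, takes the bracketed IP address as the source, and flags a hostname the client announced that differs from the name the server recorded. The input is the page's sample header with one constructed relay hop (mx.example.net, 192.0.2.25) stacked on top; the function name and the sendmail-style pattern are assumptions made for this example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed input: the page's sample header with one constructed relay hop
# (mx.example.net, 192.0.2.25) stacked on top to show a multi-hop message.
RAW = """\
Received: from itd.earthlink.net (itd.earthlink.net [192.0.2.25])
\tby mx.example.net with ESMTP id CONSTRUCTED1;
\tThu, 8 Apr 1999 23:56:20 -0700 (PDT)
Received: from timeoto.com (web9.prometeus.com [209.150.128.211])
\tby itd.earthlink.net (8.8.7/8.8.5) with SMTP id XAA853;
\tThu, 8 Apr 1999 23:56:13 -0700 (PDT)
Message-ID: <73896.71140@timeoto.com>
From: "John Doe" <jdoe@spoofed.com>
Reply-To: test@spoofed.com
Subject: Hey look at me!
Date: Fri, 09 Apr 1999 02:41:38 -0400 (EDT)

(body)
"""

# Sendmail-style hop: from <HELO name> (<reverse-DNS name> [<peer IP>]) by <server>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def injection_hop(raw_message):
    """Describe the Received line closest to the body, as the page advises."""
    msg = message_from_string(raw_message)
    # Unfold continuation lines; get_all() keeps top-to-bottom order.
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    if not hops:
        raise ValueError("no Received lines: full headers were not supplied")
    m = HOP_RE.match(hops[-1])
    if m is None:
        raise ValueError("unrecognised Received format: " + hops[-1])
    info = m.groupdict()
    info["ip"] = str(ipaddress.ip_address(info["ip"]))  # reject malformed IPs
    info["when"] = hops[-1].rsplit(";", 1)[-1].strip()
    info["hops"] = len(hops)
    # The name the client announced differs from the name the server resolved.
    info["helo_mismatch"] = (info["rdns"] or "").lower() != info["helo"].lower()
    info["ignored_from"] = msg["From"]  # sender-supplied, not evidence
    return info

if __name__ == "__main__":
    for key, value in injection_hop(RAW).items():
        print(f"{key:14} {value}")
```

A mismatch between the announced and recorded names is a hint to rely on the IP address, not proof of abuse on its own.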
This website copyright 1998-2006 HotPOP LLC