How to fight back at spammers

What is "spam"?  Spam is unsolicited commercial email (UCE), also known as junk email. The name comes from a 1970's Monty Python comedy skit about SPAM luncheon meat in which the main joke involved ridiculous repetition. Spam could be UCE from quasi-respectable companies that put you on mailing lists without your permission or disregard your remove requests.  Most of it is the dirtbag spam with forged return addresses promoting pornography, get-rich-quick schemes, pirated software, fake pharmaceuticals, etc.  Self mailing email viruses these days use spam technology--forging the return address in the headers.

What is not spam?  Any time you register a product, enter a contest, or log onto a website that requests your email address, you may be subscribing to somebody's newsletter. As long as they are not reselling their mailing lists, this is generally considered legitimate. If you want to unsubscribe, you should make at least one attempt to ask them nicely to unsubscribe you. Usually they will comply. In some cases if you are subscribing to a "free" email service that is supported by advertising, accepting advertising from clients known to be approved by the service provider may be a condition for continuing to use the service.  If you are signed up with a service check your account options.  There may be "special offers" that were selected by default which you can deselect.

Should you ever use the "unsubscribe" or "remove" function?  The only time you should use the sender's stated remove procedure is if it is a known legitimate business to which you can remember how you may have subscribed yourself.  (Beware of spammers mimicking legitimate companies. See advice further down this page for checking the hyperlink behind the displayed hyperlink.)  Do not use it to try to remove yourself from the dirtbag spammer's list.  At best it is useless.  If it functions at all, it will probably confirm that yours is an active address, resulting in increased spam.  If the sender claims you subscribed yourself, but you think the sender is lying, you are usually correct.  The new Federal antispam law has not made this advice any less valid.

Are anti-spam laws helpful?  Some of the state civil laws used to give you some leverage with the "respectable" company that disregards your remove request.  Most were unlikely to help you with the anonymous dirtbag spammers.  The new federal law is supposed to make it a crime to send spam with forged return address and/or domain.  As 2004 began, spammers were already violating it. Since it is supposed to supersede state laws, there is some controversy over whether it will be strong enough to control the "respectable" company that disregards your remove request.  I would not take an email address currently unknown to the spammers and put it on a do-not-spam list.  Secrecy is still your best defense against spam.  The FTC has dropped the idea of having a do-not-spam list, because they know spammers won't respect "do-not".

Is there a way to make the spam stop?  If the spammers have started selling your address, it will never be spam-free.  Your only hope of having a spam-free account is to start a new one and hope it isn't a name that became available because a previous user discontinued it because of incoming spam. If the spammers have your address and you start a new account with a new ISP, do not use exactly the same address if the new account  is with a large ISP.  The spammers throw various major domains at previously used addresses in experiments to obtain more addresses.

Can you do anything to hurt the spammers?  You can noticeably inconvenience them.  You can report the spammer to the abuse department of his internet service provider (ISP).  Most ISP's will pull the plug on the account used to send the spam.  Some will stop hosting his webpage.  Many ISP's do have a symbiotic relationship with the spammer.  Complaints from enough spam recipients could turn the spammer into a less valued customer.  That is why the spammers try to mislead you about their ISP.  I like to think that the spammer who bought spam software and an address list that happens to include a troublesome spam-fighter will have some animosity towards the vendor who sold that list.

How do you do that when the spammer has forged his return address?  First of all you must have complete headers for the email.  Making your email program show complete headers will probably require selecting an option in the email program.  The method varies with the program.  In Eudora you use the Blah, blah, blah button.  In Hotmail you use Options, Mail Display Settings, Message Headers, Advanced. In Yahoo use Mail Options, Personalization, General Preferences, Headers, Show all headers on incoming messages.  Complete headers have enough information for the sender's ISP to identify the account.  There is also enough information for you to identify the ISP.  The spammer can forge the domain name, but the mail server will insert the domain name server (DNS) number.  Spammer's can forge in extra DNS numbers to mislead you, but they can't make the real one disappear.  Usually the real DNS number is on top.  Sometimes your own incoming mail server will put its DNS number on top.  If you're tracing the DNS number to your own ISP, look for another DNS number below that.  There may even be another genuine DNS number below that from the spammer's internet access to another server.  It is not just spam in which this happens.  If I get legitimate email from a web based service like Hotmail or Yahoo, beneath the DNS number for Microsoft or Yahoo is a DNS number from the internet access.   If you see four or more sets of DNS numbers, the ones lower down are probably forged.  DNS numbers are in four groups of one to three digits.  For example, a traceroute on gave me a DNS number of

 How do you find out who is registered to what DNS number?  Traceroute can be helpful for doing this, although it can be misleading.  In fact it may be more useful for finding the DNS number of a domain than for finding the domain of a DNS number.  Here are some links to some traceroute sites:

Traceroute CMU

Traceroute SDSC

Traceroute Opus1

I recommend reading the advice given by Opus1 at

Usually more reliable and informative in tracing a DNS number is to check the whois of the network information center (NIC). A good starting point is the American Registry for Internet Numbers:

ARIN Whois

If the DNS number is outside ARIN's area, the ARIN whois will refer you to the correct NIC.  An NIC is not an ISP, and they will not handle your spam complaint for you.  The NIC will have its own whois for you to check.  Here is a list of some links to the whois of some foreign NIC's:








Latin America


The Asia Pacific Network Information Centre provides some excellent advice at

There are domain registry Whois sites, which show the data provided by the registrant.  These are most useful in contacting a respectable or semi-respectable company.  Dirtbags often provide fake data or foreign registries for their porn-spam or scam operation, so this can be interesting but rarely directly useful in fighting them.
There are a lot of different registries. A site that is very good at searching numerous registries is

Forward the email to the abuse address, if there is one.  Typically this is something like abuse@the-spammer'  Sometimes there is no abuse address, and you could use the administrative or technical contact listed in the whois.  Be sure to include complete headers in your forwarding.  Check your outgoing email.  Some email programs will chop out the headers in a forwarding.  If yours does, you may have to copy and paste the text of the header. In Yahoo choose option to forward as attachment.  I usually send a Bcc: to myself.  It not only confirms that it was successfully transmitted, it shows me how the forwarding looks to the recipient.  Usually no additional comment is needed to simply forward to the spammer's ISP.  If you want to also go after the webpage the spammer is promoting, you should explain who is hosting what.  For example, in your email to abuse@the-spammer' and  you could insert a message like:

"Spam sent from DNS hosted by the-spammer'

Spammer's webpage  at DNS hosted by

Resolving the spammer's webpage can involve plodding through quite a bag of tricks.  At the least the hyperlink is usually displayed differently than the actual webpage address. In this and most other webpages the displayed text is different from the actual hyperlink. A spammer might put in a whole fake hyperlink as displayed text, and to your browser it is only meaningless displayed text.  If you put your cursor over the hyperlink, you should see the real webpage address displayed down in the status bar.  In web based email you can capture the webpage address as text.
Open Notepad (if you haven't already done that). Right click on the link to bring up a task list, and choose Copy Shortcut. Click on Copy Shortcut. In Notepad choose Edit, Paste or you can use Ctrl + P to paste the shortcut you copied.
Hotmail creates a problem, but provides the tools to solve it. Clicking on the link or putting the cursor over it, Hotmail displays the address from within Hotmail.  That means it imposes a lot of extra stuff, starting with the DNS number of Microsoft/Hotmail.  The solution?  When you have the advanced option selected, you can click on View E-mail Message Source.  That will open a new window showing the html code of the message.  The webpage address as entered by the spammer will be in there, although cluttered with html formatting instructions.  Spammers have gotten wise to that, and sometimes encode their message as an attachment.  The Message Source shows an enormous line of meaningless text.  The solution?  From your Hotmail message, click on Content-Type: text/html. That will display the message in its own Window.  Now put the cursor over the hyperlink and right click to get Copy Shortcut. Click on Copy Shortcut.  You should now be able to paste the webpage address as entered by the spammer into your text notes.
In an email program like Eudora you won't be able to bring up Copy Shortcut. What to do? One solution is to save the email message to a file. When you choose File, Save As... you should have a choice of saving as text or html. Choose html. After you have saved your message to an .htm file you can open it in your web browser. From there you can use Copy Shortcut.

In a web browser you can also see the address of a hyperlink by right clicking on Properties.  You can capture the information in the Properties box to text by selecting it with your mouse and use Ctrl + C to copy it. If there is an image on top of the hyperlink, Properties might give you information about the image file instead of the hyperlink.  This is usually not helpful, but sometimes it can be helpful.  With limited storage space available at their website, the .jpg and .gif files might be kept on a different server from a different ISP.  Sometimes that ISP is willing to pull the plug on the account storing the pictures.

Spammer's have begun to adapt to the above methods, and now many have javascript which can disable right-clicking in Windows.  In my most recent experiments the same spammer's webpages that could disable right clicking in Windows could not disable right clicking in linux.

Spammer's can mislead you by putting useless junk in front followed by @.  For example will take you to  Everything in front of @ is ignored by the browser.  Besides tricking you into overlooking, the spammer is trying to get you to waste your time and squander your credibility complaining against  Newer versions of Internet Explorer should reject these pages, but it may still access the page from a hyperlink within a Hotmail message.  Phishing scams have been targeting Hotmail addresses for that reason.  The Mozilla Firefox web browser should give you an alert to URL's that use the www.something@something-else ploy.

Be careful about trying to visit the spammer's website to get information.  Many have malicious javascript, and anything you click may trigger an attempt to push spyware to download.  Visiting the webpage may be less hazardous if you are running linux.  Never do this logged into linux as root [administrator].

Never accept a file download from a spammer's webpage.  Never accept the webpage's request to bookmark the page.  It may install more than a bookmark.

Qui facit per alium facit per se ("He who acts through another, acts for himself"), also described as respondeat superior ("let the master answer"). It's a genuine legal principle, although probability of enforcement is somewhere between slim and none inclusive. If you are willing to visit the spammer's pornography website, which is probably hosted by an ISP in another continent, you will probably find that it is full of hyperlinks to many pornography domains. These are owned by the principal offender. The throwaway foreign webpage named in the spam is an agency of the principal offender. The spammer is an agent of the principal offender. Do a traceroute on the domain to get the DNS number. Do ARIN Whois. Chances are very high that ARIN will not refer you to APNIC, RIPE, or LACNIC this time, because the pornographer's hyperlinked websites are usually hosted by ostensibly respectable ISP's in the good, old U.S. of A. Will those ISP's pull the plug on their pornographer clients? My own experiments in complaining indicate they don't. There may be the rare exception  of a dirtbag who was violating the host's stated policy without the host's knowledge. More often the pornographer is paying the ostensibly "respectable" ISP handsomely to tolerate a large number of complaints.  I am not in a position to witness their business agreements, but based on how these ostensibly respectable ISP's respond or fail to respond to complaints, I would infer that the real terms of service are probably something like:
1. Maintain at least two layers of agency (spammer and referral site) with third party IP's so we can have plausible deniability about aiding and abetting spam.
2. Do not post obvious child pornography. The Feds will crack down on us, and we will not protect you from that.
3. Pay us with funds that will not be repossessed by someones fraud department.

Some additional advice:

First of all, I recommend visiting those traceroute and whois sites and bookmarking them.

When doing a spam workup, open Notepad and use it to paste in notes, DNS numbers, abuse contact addresses, etc.

You may have more spam in your inbox than you have time and energy to work up. You inflict maximum pain by doing the newest ones first.

If you do go to the spammer's webpage and find yourself in a porno-pop-up with no visible exit, before you pull the plug on your computer try the following:
In Windows hit Ctrl + Alt + Delete
This should bring up the Windows Task Manager. Select the malicious program and click on End Task. Disconnect your internet connection to keep the malicious scripts from downloading more of them faster than you can close them.

Although repeat spams may look identical, you should still recheck the details.  Sometimes an ISP does pull the plug, and the spammer is now using a different ISP or a different webpage address from the last one he used.

If a traceroute on tells you this is "unknown host", but the webpage is still functioning, try entering it as

If you visit spammers' webpages I recommend clearing cache (in Netscape/Mozilla) or deleting internet temporary files (in Internet Explorer) after you are done.  It's risky to visit a spammer's webpage using Windows.  If you do, be sure you have a firewall enabled, and keep antivirus and antispyware updated.
Run antivirus and antispyware complete system checks.

Click here to visit poison ivy page

Click here to visit homepage