Reporting e-mail addresses used in spam
NOTE: The opinions expressed on this page are those of the author and not of SpamCop. You use the information on this page at your own risk.
If you find that a spam e-mail
you have received contains an e-mail address (e.g., email@example.com
) that the spammer intends to be used for replies, you can report this e-mail address to its provider using the procedures described on this page. Such reporting will, one hopes, encourage the providers to suspend the use of such addresses so that the spammer (or more likely the scammer
) is denied access to his potential targets.
|NOTE: SpamCop does not attempt to trace or report e-mail addresses used in spam. These addresses are forged or stolen in the vast majority of cases, so reporting them would do no good. If you wish to report such addresses, you must do so outside of SpamCop. Please read this page carefully before filing any such reports, in order to be sure that you will be accomplishing something worthwhile and useful with your report.
When should you report e-mail addresses found in spam?
In all but a very few important cases, it is not
useful (and, in fact, it is counterproductive
) to report e-mail addresses found in spam.
Of course, pretty much every
spam message contains an e-mail address that purports to be the origin of the mailing -- usually in the From:
field of the visible mail header, or in the Return-Path:
field of the "invisible" SMTP
mail header. In most cases, however, the spammer has simply stolen or made up such addresses, and does not intend for them to be used for contact. Furthermore, neither these addresses nor their legitimate users will have had anything whatsoever to do with the transmission of the e-mail. Replying to such addresses is pointless
, since the replies will either bounce or will be received by innocent parties unconnected with the spam. Reporting such addresses to their providers is worse than pointless
, since you will be unjustly accusing innocent parties and possibly exposing yourself as a crank.
Therefore, you should not use
the techniques on this page to trace or report any
e-mail address found in spam unless you are positive that the spammer expects to get a response
at this address -- that is, the spammer makes a specific request for replies via e-mail, and provides what appears to be a return e-mail address for this purpose.
You are more likely to find reportable e-mail addresses in e-mail-borne frauds (e.g., job scams
, advance-fee frauds
, and the like) than in garden variety pills-warez-and-watches spam. The fraudsters require such addresses in order to "reach out and touch" their targets, while most other spammers do not expect nor want to hear from recipients at all. It is a good and helpful thing to report addresses found in fraud mail, because they are being used to steal from unwary strangers
|Joe job? In some cases, crooks have been known to send out e-mail falsely implicating other (innocent) parties as the originators of the messages; this practice is known as Joe-Jobbing. Normally, Joe jobs are quite rare, and are usually aimed at private internet domains or websites belonging to the crook's enemies or competitors, but there is a small probability that a crook might try to make trouble for someone by using that person's e-mail address in a purported scam (or spam) mailing. You should keep this in mind when you track down scam addresses; if the message seems too obvious or otherwise smells funny (e.g., the message openly offers obviously illegal goods like stolen credit card numbers or child pornography, and asks for e-mail replies), you might consider not dealing with its e-mail addresses (although you are generally still quite justified in reporting such messages to their sources).
Which addresses should you report?
As you may know, there are several types of return addresses found in e-mail; it is important to give some thought as to which you will focus on, so that you do not waste time on pointless investigation and reporting. Here’s a good protocol to follow:
- If the message has a Reply-To address in the visible header that is different than the From address, this is an excellent one to go after. Scammers frequently use Reply-To addresses in order to redirect replies somewhere else than the original From address of the message. If the sender of the message didn’t want replies, there’d be no point to his providing a Reply-To address.
- If there’s no Reply-To address, try looking at the body of the mailing to see if an address has been embedded there (either in plain text or as part of an HTML mailto link). If the message directs you to reply to this address, then you can probably consider this a "live" address and report it.
- Finally, if there is no Reply-To address, and no addresses in the body, but the message still asks explicitly for e-mail replies, then (and only then) you can report the From address.
If none of these works for a particular message you are looking at, you should consider very carefully whether you should be reporting e-mail addresses within the message. If the message does not ask for replies or provide a specific e-mail reply address, then the odds are great that the return address of the message has been forged or stolen.
Whom do you report to?
If you wish to report an e-mail address used by a spammer, you would do so to the e-mail provider responsible for having issued the address
. In the case of fraud mail, this is usually a different outfit from that used to transmit the original spam to you, so simply reporting the spam source (via SpamCop, for example) will not do anything about the return e-mail address.
In many (probably most) cases, you will be reporting to a well-known service (such as Yahoo or Hotmail) that offers free e-mail addresses and mailboxes to the public. Many scammers are attracted to such services because they generally do not ask many questions or keep very close tabs on what their users are doing with their mail accounts (i.e., they wait for complaints before taking action). The big, well-known freemail services are evergreen choices, although scammers often use many other webmail services (some quite obscure). Large and popular mail services generally have well-publicized abuse reporting addresses, while other mail services may not.
In a few cases, scammers avoid freemail and instead set up their own jackleg mail services just to support their activities; these can be more difficult (but not impossible) to trace down.
|Before we launch into the specifics, a useful reminder: you should not feel obliged to file any spam reports that you suspect may expose you to further spamming or harrassment. This may be worth considering if you find that you would be reporting to suspicious outfits (like tiny offshore ISPs, or net blocks controlled by known spam operations).
How do you find a contact for reporting an e-mail address?
There are several ways to determine to whom you should report e-mail addresses used in spam. They include the following, in rough order of "user-friendliness:"
Go to the provider's website
If you want to report an address like, say, "firstname.lastname@example.org"
, the most straightforward means to find a reporting address might be to go to the provider's main website (in this case, 'http://www.web-mail.foo/'). There, you may find an abuse reporting address (e.g., "email@example.com"
), or perhaps a web form to fill in.
In the case of some freemail sites, you may have to do a bit of digging to find the abuse-reporting resources; often such links are provided in the "contact us"
sections of the site, or may be embedded in the fine-print pages such as the AUP (acceptable-use policy) or the TOS (terms of service). If the website has a search function, you can search for "abuse" (or perhaps "spam," although this may yield a lot of anti-spam sales points for the service). If the site does not have a search feature, you can try a Google site search (i.e., in the case above we might go to Google and type in a search for "site:www.web-mail.foo abuse"
Of course, not all webmail services will have a public portal page (and some may have no website at all); these will have to be tackled using one of the techniques described below.
Use a WHOIS lookup to abuse.net
The Network Abuse Clearinghouse organization, better known as abuse.net
, maintains a service (at http://www.abuse.net/lookup.phtml∞
) that internet providers can use to publish contact information regarding abuse of their services. By doing so, these firms indicate their interest in hearing about such abuse, and presumably also their willingness to stop it.
You can enter the domain-part of the address (e.g., crook.foo
) into the query box at the site above, and abuse.net will return any abuse reporting addresses that it has for the service in question.
If you prefer, you can also query abuse.net via the whois
command (if you have it) using the -h
option (with whois.abuse.net
as the host), for example:
whois -h whois.abuse.net firstname.lastname@example.org
One advantage of using the whois
command is that you can submit the full e-mail address rather than just the domain-part (as shown in the example above), this may save you one or two copy-paste operations.
Note that internet services are not required
to add their info to the abuse.net database, and indeed many do not. In such cases, abuse.net will provide only generic information labeled as such (e.g., "email@example.com (default, no info)"
). You can try reporting to these addresses if you wish, but they are not guaranteed to result in any action, nor even to work at all.
Look up the incoming mail host using a dig program
If you are unable to find an explicit abuse contact for an e-mail address either by visiting the provider's site or by using abuse.net, then you may have to find out which mail host
is accepting mail for the address, and then send a report to the operator of this host. You might need to use this technique in the case of private mail services set up by scammers, such as 'lonelyhearts' fraudsters.
What you must do is to use the dig
command (or an equivalent web-based tool such as this one at MenAndMice.com∞
to locate the mail exchanger (MX) for the e-mail address. If you are using a dig
command line, you could type something like:
dig mx web-mail.foo
If you are using a web-based dig tool, you can enter the domain part of the e-mail address (web-mail.foo
, for example) and request a type-MX lookup.
Whatever method you use, you should get a list of mail servers (in the ANSWER SECTION
of the dig
output) that serve the domain in question. You then have two possible courses of action:
- Find and report to the abuse contact for the domain(s) to which the MX hosts belong. To do this, you could visit the main websites (if any) for these domains, or else use whois to look up the domain, and then see whether there are any abuse-reporting addresses in the output.
- Find and report to the abuse contact(s) for the IP addresses for the MX hosts. To do this, you would use nslookup or host (or even dig) to get the addresses, and then use whois to locate the abuse contacts for these addresses. HINT: dig will often provide the IP adddresses for some or all of the MX hosts in the ADDITIONAL SECTION of its output).
cannot find an MX host for the domain (that is, there's no ANSWER SECTION
in the output), this means that you pretty much cannot deliver mail to anyone in this domain (at least not from where you sit), so the e-mail address you want to report is undeliverable and won't be of any use to the scammer.
What to put in your report
When you report to the provider of an e-mail address, you should clearly describe (1) what you are reporting, (2) why you are reporting it, and (3) what you want done about it (for example, "The e-mail address firstname.lastname@example.org is being used by a 419 scammer as a reply address, and should be shut down"
). As you would with any spam report, it is best to include the full spam mail packet (including headers, if possible) when reporting abuse of e-mail addresses. This info provides the evidence necessary for the provider to take action.
You will most likely not receive any response from the provider beyond a pro-forma
automated acknowledgment. This does not mean that no action will be taken, but it will be difficult for you to check up on the case later on (because it is difficult to determine from outside whether an e-mail address remains deliverable). However, you may perhaps content yourself with the fact that you have done your full duty in filing the report, and that further action must come from others beyond your control.
Email Addresses Used By SpamCop To Report Spam