Spammers often forge the headers of their articles in an attempt to avoid losing their accounts or other punishment. These notes may help you track the source of spam. The most important thing is to have a newsreader that can show you the full headers of the post in question. The important lines are as follows:

From:
  Who the message is from. This is the easiest line to forge, and thus the least reliable.

Reply-To:
  The address to which replies should be sent. Often absent from the message, and very easily forged. However, it often provides a clue: forged spam often has a legitimate Reply-To: field so that the spammer can receive mail orders.

Sender:
  The account that sent the message. News software is supposed to insert this line if the user modifies the From: line. Most news software is broken in this respect, so this line is rarely present.

Organization:
  Identifies the organization from which the message was sent. This can be any string, and may be forgeable, depending on the system that sent it, but it sometimes helps to trace a forgery.

Message-ID:
  A unique string assigned by the news system when the message is first created. This is also forgeable in most cases, but it requires a little more specialized knowledge than forging the From: line. Also, the Message-ID: often identifies the system the sender is logged in to, rather than the actual system where the message originated. The format of a Message-ID: field is <unique-string@site>. Each kind of news software has its own style of unique string. Sloppy forgeries often get it wrong, so a forgery can be confirmed by comparing the message id with some legitimate messages from the same site.

NNTP-Posting-Host:
  Identifies the system where the article was inserted, *if* the article was inserted via the NNTP protocol. Articles inserted via UUCP or other mechanisms will not have this line. This line is rarely forged, as forging it requires specialized knowledge *and* access to an insecure server. This line may be missing if the article was injected via the UUCP protocol rather than NNTP, or if it was injected into a server using Microsoft software. In the former case, the Path: line is extremely reliable and the other headers are likely correct (UUCP is difficult to forge). In the latter case, you should contact the site in question and ask them to junk their crappy Microsoft software and install something real.

Path:
  This is the most reliable line in the header. It contains a list of all sites through which the article traveled in order to reach you. It is completely unforgeable from the point where the article was injected onward. Everything to the right of that point (the hops the article supposedly took before it was injected) may be a forgery, e.g.:

    your-site!site!site!site!forgers-site!fake!fake!fake

  If the Path: line has been partly faked, it may take several people scattered across the internet examining the same post and comparing their Path: lines to figure out where the fake sites begin. Note that if the fake site names refer to actual sites on the internet, those sites may not have a copy of the article, because of the way the news distribution system works. This can provide a clue. In general practice, though, most forgers don't have the ability to fake this, so the Path: line will be completely legitimate from end to end.

Here, for example, is part of a legitimate post from Compuserve:

Path: howland.erols.net!feeder.chicago.cic.net!news.compuserve.com!newsmaster
From: John_Doe@compuserve.com (John H. Doe)
Date: Tue, 11 Feb 1997 05:34:14 GMT
Organization: Retired
Message-ID: <32ffbfb4.16726035@news.compuserve.com>
Reply-To: John_Doe@compuserve.com
NNTP-Posting-Host: ld10-252.compuserve.com

As you can see, all of the fields in this message agree with each other. Here is an example of a forgery:

Path: cs.utexas.edu!www.nntp.primenet.com!nntp.primenet.com!
 cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!news.sprintlink.net!
 news-peer.sprintlink.net!uunet!in3.uu.net!206.250.118.17!
 nntp.earthlink.net!usenet
From: "wetboy"
Date: 11 Feb 1997 15:00:15 GMT
Organization: Earthlink Network, Inc.
Message-ID: <01bc182b$684a6e60$eb122399@default>
NNTP-Posting-Host: cust107.max38.new-york.ny.ms.uu.net
X-Newsreader: Microsoft Internet News 4.70.1155

Although the From: line identifies this post as having come from AOL, you can see that AOL is mentioned nowhere else in the headers. At the very least, it should have been in the Path: line. In fact, it should have been in all of the identifying lines. Obviously this post never went anywhere near AOL. In this case, the Message-ID: line is completely bogus (there is no such site as "default"). The NNTP-Posting-Host: line identifies the source as uu.net, while the Organization: line identifies Earthlink. Note that both sites appear near the end of the Path: line. This post was either injected into the news stream by an Earthlink customer connected from uunet, or it was injected at uunet with the Path: and Organization: lines forged to frame Earthlink as the guilty site. Since forging Path: lines is very difficult to do, I would guess it's the former case.
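As an added example (not part of the original notes), a small Python script that applies the checks above to the two header blocks from the page: for each identifying field it reports whether the host it names also appears somewhere in the Path: line, and it names the rightmost real host in Path: as the probable injection site. The reduction of a hostname to its last two labels (site_of) is a simplification I am assuming is good enough for these examples, and the From: address of the forged post is absent from the page's transcription, so that field reports None rather than a result.

```python
import re

# The page's two example header blocks, transcribed here as sample input.
LEGIT = """\
Path: howland.erols.net!feeder.chicago.cic.net!news.compuserve.com!newsmaster
From: John_Doe@compuserve.com (John H. Doe)
Message-ID: <32ffbfb4.16726035@news.compuserve.com>
NNTP-Posting-Host: ld10-252.compuserve.com
"""
FORGED = """\
Path: cs.utexas.edu!www.nntp.primenet.com!nntp.primenet.com!
 cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!news.sprintlink.net!
 news-peer.sprintlink.net!uunet!in3.uu.net!206.250.118.17!
 nntp.earthlink.net!usenet
From: "wetboy"
Message-ID: <01bc182b$684a6e60$eb122399@default>
NNTP-Posting-Host: cust107.max38.new-york.ny.ms.uu.net
"""

def parse_headers(text):
    # Header block -> dict; indented continuation lines are joined onto the previous field.
    headers, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last:
            headers[last] += line.strip()   # wrapped Path: segments already end in '!'
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers

def site_of(host):
    # Crude reduction to the last two labels (assumed adequate here):
    # ld10-252.compuserve.com -> compuserve.com
    return ".".join(host.lower().split(".")[-2:])

def check_headers(text):
    # Per identifying field: True/False if the host it names is/isn't in Path:, None if the
    # field carries no host. The rightmost dotted hop in Path: is the probable injection site.
    h = parse_headers(text)
    hops = [s for s in h.get("Path", "").split("!") if "." in s]  # drop bare names like 'usenet'
    path_sites = {site_of(s) for s in hops}
    claims = {
        "From": re.search(r"@([\w.-]+)", h.get("From", "")),
        "Message-ID": re.search(r"@([\w.-]+)>", h.get("Message-ID", "")),
    }
    report = {f: (site_of(m.group(1)) in path_sites if m else None) for f, m in claims.items()}
    if "NNTP-Posting-Host" in h:
        report["NNTP-Posting-Host"] = site_of(h["NNTP-Posting-Host"]) in path_sites
    report["injected_at"] = hops[-1] if hops else None
    return report
```

Calling check_headers(FORGED) flags the Message-ID: host "default" as absent from Path: and points at nntp.earthlink.net as the injection site, matching the reasoning in the text.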