How To Find the Full Headers When Sending Complaints to an ISP*

*ISP = Internet Service Provider

Full headers, which contain the entire path and route the SPAM took, are vitally needed when sending complaints about spammers, online harassers or cyberstalkers. If your e-mail program cannot show full headers, it's highly recommended you switch to one that can. Without full headers, the ISP is unable to track down a spammer or online abuser.


There are several e-mail programs (also known as x-mailers) that do not have this capability. Some e-mail programs used for interoffice communications also do not have this feature available.

However, e-mail programs such as Eudora Pro and Agent do have this capability. With Eudora Pro, there is a button icon located in the upper left part of the tool bar that reads "BLAH BLAH BLAH".

If you click on this button, the full headers will appear. This button must also be active if you want to forward any e-mail and include the full headers.

Here is an example of what you usually see when receiving an e-mail or reading a post on a newsgroup -- let's use one of Woodside's e-mail spams for the example:

From: Jffonn@aol.com
Date: Fri, 27 Dec 1996 22:39:19 -0800
Organization: Friends&Co
To: hitchcocks@geocities.com
Subject: Bandit

How can we tell the FROM and REPLY-TO addresses are false? After activating the "full headers" function on your e-mail or newsreader program, the message will look something like this:

From: Jffonn@aol.com
[169.132.96.55]) by Mail.IDT.NET (8.8.4/8.7.3) with SMTP id VAA19099 for ; Fri, 27 Dec 1996 21:39:19 -0500 (EST)
Message-ID: <32C4C097.41FA@aol.com>
Date: Fri, 27 Dec 1996 22:39:19 -0800
Organization: Friends&Co
X-Mailer: Mozilla 2.01 (Win16; I)
MIME-Version: 1.0
To: hitchcocks@geocities.com
Subject: Bandit

Out of the headers above, what is pasted below is the only part that is not forged, which shows that the e-mail really came from IDT.NET and *not* aol.com.

[169.132.96.55]) by Mail.IDT.NET (8.8.4/8.7.3) with SMTP id VAA19099 for ; Fri, 27 Dec 1996 21:39:19 -0500 (EST)

Also, the numbers in the brackets, [169.132.96.55], are actually an IP address, which verifies that this e-mail originally came not only from IDT, but from New York City, as follows: ppp-55.ts-1.nyc.idt.net

How was that deduced? There is a web page, Sam Spade, that allows one to input an IP address and get the real location and/or ISP of the spammer/abuser.

Now, let's look at a newsgroup posting. We'll use the most recent spams Woodside has been flooding Usenet with as the example. You would normally see the following in a newsreader such as Agent if you tried to reply or forward the spam:

On Fri, 4 Jul 1997 02:49:09, hdt54@idt.net wrote:

>We are a New York based international literary agency with two branch offices, one of
>which is in Florida. We are seeking new and> previously published authors, so please
>adhere to the following-- guidelines.
>All fiction: send brief >envelope (SASE).
>All nonfiction: brief synopsis, first chapter, SASE.
>Short-Stories: brief synopsis, 3 pages, SASE.
>Poetry: send 3 poems, SASE.
>Please do not send complete manuscript unless we ask for it.
>

>Send to: Woodside International Literary Agency>>
>=XX-XX XX Street>>>>>>>>
>=Woodside, New York>>>>>>>>
>=11377>>>>>>>
>=Phone (main office):
>=718--XXX-XXXX>>>>>>>
>

This leads the average Internet user to assume the spam came from IDT, and that is where they would send their complaint. But if they went to the OPTIONS pull-down menu in Agent and clicked on "Show Full Headers," the spam would now look like:

Date: Fri, 4 Jul 1997 02:49:09
From: hdt54@idt.net
Newsgroups: rec.arts.books.childrens
Subject: writers>seeking.publication
NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>
Lines: 20
Path: ix.netcom.com!enews.sgi.com!su-news-feed4.bbnplanet.com!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsm.ibm.net!ibm.net!news1.ibm.net!129.37.113.108
--------------------------------------------------------------------------------------------
We are a New York based international literary agency with two branch offices, one of
which is in Florida. We are seeking new and> previously published authors, so please
adhere to the following-- guidelines.
All fiction: send brief envelope (SASE).
All nonfiction: brief synopsis, first chapter, SASE.
Short-Stories: brief synopsis, 3 pages, SASE.
Poetry: send 3 poems, SASE.
Please do not send complete manuscript unless we ask for it.

Send to: Woodside International Literary Agency>>
=XX-XX XX Street>>>>>>>>
=Woodside, New York>>>>>>>>
=11377>>>>>>>
=Phone (main office):
=718--XXX-XXXX>>>>>>

The full headers now show the real ISP where the spammer is coming from, IBM, as follows:

NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>

Again, the numbers listed after "NNTP-Posting-Host" can be popped into the above-mentioned web page and voilà! Like magic, the numbers translate into "slip129-37-113-108.pa.us.ibm.net" -- NOTE the "pa" in this translation. That means the spam was sent through the Pennsylvania arm of ibm.net.

A good rule of thumb when sending complaints to ISPs is to always send the complaint to the postmaster. For example, the above spam would be sent to postmaster@ibm.net. Most ISPs also have an abuse department, so you can probably send a complaint to them, too. Some even have a spam complaints department (such as InternetMCI). All you would do is replace the word postmaster with "abuse," "spamcomplaints" or whatever address you can find that is appropriate to send a complaint to. Going to an ISP's web site/page is also helpful, as they usually have a page devoted to their posting guidelines that will have an e-mail address to send complaints to.
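
The checks walked through above, as an added Python example that is not part of the original page: it compares the domain claimed in From: with the trace fields in constructed copies of the two samples, then builds the postmaster/abuse addresses from a reverse-lookup name entered by hand. The function names, the two-label domain rule and the "from unknown" filler in the Received line are assumptions.

```python
import re
from email.parser import HeaderParser

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

def base_domain(host):
    """Naive last-two-labels domain; an assumption that suits idt.net, ibm.net."""
    return ".".join(host.lower().strip("<> .").split(".")[-2:])

def trace_origin(raw_headers):
    """Compare the domain claimed in From: with the trace fields the page reads."""
    msg = HeaderParser().parsestr(raw_headers)
    out = {"claimed": base_domain(msg.get("From", "").rsplit("@", 1)[-1]),
           "origin_ip": None, "handled_by": None}
    if msg.get("NNTP-Posting-Host"):   # Usenet post: posting host and Message-ID
        out["origin_ip"] = msg["NNTP-Posting-Host"].strip()
        out["handled_by"] = base_domain(msg.get("Message-ID", "").rsplit("@", 1)[-1])
    else:                              # e-mail: Received lines, newest hop first
        for line in msg.get_all("Received") or []:
            ip, host = BRACKET_IP.search(line), BY_HOST.search(line)
            if ip and host:
                out["origin_ip"] = ip.group(1)
                out["handled_by"] = base_domain(host.group(1))
                break
    out["from_mismatch"] = out["handled_by"] not in (None, out["claimed"])
    return out

def complaint_addresses(reverse_dns_name):
    """postmaster@ first, then abuse@, at the ISP that owns the looked-up host."""
    domain = base_domain(reverse_dns_name)
    return ["postmaster@" + domain, "abuse@" + domain]

# Constructed samples reusing the page's values ("from unknown (" is filler).
EMAIL = """\
Received: from unknown ([169.132.96.55]) by Mail.IDT.NET (8.8.4/8.7.3)
\twith SMTP id VAA19099; Fri, 27 Dec 1996 21:39:19 -0500 (EST)
From: Jffonn@aol.com
Message-ID: <32C4C097.41FA@aol.com>
"""
NEWS = """\
From: hdt54@idt.net
NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>
"""

if __name__ == "__main__":
    print(trace_origin(EMAIL), trace_origin(NEWS), sep="\n")
    print(complaint_addresses("slip129-37-113-108.pa.us.ibm.net"))
```

The e-mail branch deliberately ignores Message-ID, since in the sample above it carries the same forged aol.com domain as From:.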

Helpful Hints on How to Show Full Headers on Other Newsreaders/Email Programs

Jump to:
AOL
Lotus Notes 4.6
Outlook Express 5
Yahoo! Mail
Hotmail
Compuserve
Free Agent/Agent (newsgroup programs)
MS Outlook 98 and Outlook 2000
Pine
Microsoft Outlook Express
Netscape Navigator/Communicator
Microsoft Internet Explorer
Microsoft Exchange
UNIX
Pegasus
Newswatcher
Eudora
Microsoft Internet News

Remember, where there is a will, there is a way. Don't let spammers and other online abusers get away with what they are doing! If you have any tips that you feel should be added here, some links, etc., please feel free to drop a line to Header Info
