Dealing with Spam
Article:  Andy Collinson
Email :

This page is a little out of date but still helpfull.

This maybe off topic for my electronic site, but unfortunately the delivery of unwanted or unsolicited email, more commonly known as spam, is increasing at an alarming rate. I spend more of my time filtering out emails, and if like me you receive in excess of 1000 spams a day then you may find my solutions helpfull. Please read my disclaimer before use.

Magic Mail Monitor
If you are a windows user and your ISP provides you with a POP3 mail account (most do) than Valeriy Ovechkin's Magic Mail Monitor can help you keep your email under control. Note that this program will not work with web mail based accounts such as yahoo and hotmail. With magic mail monitor (MMM) you can safely delete messages, and potential mail viruses without opening them first,and most of all it's completely free. Visit sourceforge to download a copy. Read the help file and setup details of your mail account before use.

Below is a snapshot of Magic Mail Monitor in use.

You can preview your email with MMM. As can be seen in the "To:" box above, some mail is not even addressed to me. This happens when your ISP allows "multiple aliases" of your email address. In the case of the ISP Freeserve, your email account is the part after the @ symbol, any text before the @ is an alias. It is therefore easy to delete all email not addressed to yourself, i.e. in my case. However, this quickly becomes a tedious task depending on your volume of spam. Filters can be added to filter the message header. Read the help file with MMM and setup your account, you should also include any email you do not want to delete in a whitelist.

Email Headers
The email header contains information about your email,including the originator, reply-to address, email client used to write the message, and the mail servers it has passed through. A good spammer can forge just about any mail header but has no control over the mail servers the message passes through. The header information can be used to trace an email back to its originating source. To display the header in MS Outlook express, right click an email, left click the details tab and click message source. An example is shown below:

An email header consists of a keyword followed by a colon. Depending on your ISP, the order and amount of email headers will vary. In the highlighted message above, the spammer "Whitney Cates" claims to be using aol and has a return address of If the email address is not enough to tell you its spam then the subject line certainly should. A closer inspection of the email header reveals (line 8) that the message has not originated from aol, but from the domain, then routed via comcast and finally to my freeserve email account.

Common Techniques used by Spammers
As well as sending to a fake email alias, other common techniques include Re: in the subject line, no subject at all, random characters or typographical errors in the subject line, and fake X-Mailer or other falsified headers. This list is by no means complete as the determined spammer will become ever more devious and devise new methods to fool mail filters and try and get his message opened.

The following reduced email headers demonstrate the above points.
Re: in Subject Line
Received: from (
by mwinb3101 (SMTP Server) with LMTP; Wed, 11 Feb 2004 17:07:53 +0100
X-Sieve: Server Sieve 2.2
Received: from ( [])
Received: from [] by id 4780919-47879;
Fri, 13 Feb 2004 17:08:15 +0100
Message-ID: l51q6$pfj$42$n3$f2$9q2@4hl78.6.2i
Subject: Re: that guy can wait

A genuine email reply to an email you have sent contains Re: on the subject line and has an additional header of either "In-Reply-To:" or "References". If the latter two headers are missing the message is spam. The solution is to write a filter that denies the subject "Re:" unless the additional headers mentioned above are included.

Random Characters on Subject Line
Received: from []
by SMTP id Hp4b4kxejWlaIS;
Message-ID: p3a1os$t$bo8y2m$184$543l8nh@q7udm26m
Reply-To: "Barney Ellis"
Subject: xpa madeleine tcj bjxerj

One reason for a meaningless subject is to try and bypass any mail filter that looks for particular keyword; quite common and devious but one way to stop this kind of nuisance is to view the header and block the IP address of the originating mail server.

Mail Clients
Subject: *** SPAM *** girlnextdoor would lske to say hello
Date: Wed, 14 Apr 04 03:04:34 GMT
X-Mailer: The Bat! (v1.52f) Business

MIME-Version: 1.0

The X-Mailer: header is sometimes filled with a genuine email client or a made up name. In my case I never receive anything but spam from people using "The Bat!" so I block all email from anyone using The Bat.

No Return Path
Return-Path: <>
Received: from (
by mwinb3101 (SMTP Server) with LMTP; Sat, 10 Apr 2004 12:00:56 +0200

Typical spam messages sent in HTML often include a link to some website trying to sell you some unwanted product. These messages typically contain no return path or angle brackets as in the above example, the solution filter the <>.

Creating new mailfilters
Here are a few examples of mailfilters that work with magic mail monitor :

Chinese or other Foreign Character Sets
It is annoying to receive spam wrote in a different language, and whose character sets sometimes do not display properly. The so called "big5" character set is often used. First display the message header:

The characters "Big5" in the subject line may be used to create a filter. First go to file, then filters then click the "+" sign at the bottom of the filter window. Include a name for the filter (Big5 is a good choice), then the button with three periods (...) Select subject on the drop down header box and includes for the filter criteria. Enter Big5 in the lower input field and click OK:

Finally place a tick in the Big5 filter, and tick the boxes mark as spam and highlight with colour. Chose a colour and click save to save your new filter. Finally check your mail again and any message using the charcater set Big5 should be highlighted, see below. Once you are happy with your filters you can tick the box delete from server to have your messages deleted without downloading them. Un-checking this box is safer and allows you to verify any highlighted messages first.

Mail not addressed to me.
If you receive mail that is not addressed to you or an unwanted alias, click "+" as before to create a new filter, use the "To" header then the filter "NOT includes" and enter your email address on the line below. Choose highlight with a different colour and save your filter. Only messages addressed to you will now get through. The filter should be similar to below :

No return address
A filter similar to the one shown below can remove any message containing "<>" in the return path. :

Block a domain or IP range
This requires great care as a mistake here could delete some or all of your email. Using a regular expression allows the greatest flexibility in writing a filter. The help file in magic mail monitor outlines the structure and basic syntax.


The above filter checks the Received: header for occurrences of a particular word. In this example I have filtered out all mail from "ameritech". The . in the expression matches a single occurrence of the word in brackets, () the * character matches one or more appearances of the same word. Note that this expression will also filter results from, etc or any other suffix.

Finally, after adding a few filters your message box may start to appear multi-coloured like below. Check the highlighted messages to make sure they are not valid emails, then once you are happy, return to filters and check the delete from server option. Next time these messages will be removed without you wasting time and money downloading spam first.

Checking Open Ports
If you think you have downloaded or opened a virus and are running windows,open a command prompt, and type netstat -a This will show you are open connections between your computer and the internet. (See Below :)

There are five connections to my mail server using pop3 protocol and one other established connection to IP using port 80. This is google and at the time netstat -a was used my browser was displaying google's home page. If you do see lots of active connections, you may be running some file share software like kazaa or bearshare. If you see an unknown connection then a quick browse to the ARIN database will allow you to look up the IP that your machine is connected to.

Tracing Email Back to its Source
Below is a snapshot of my mailbox. Eggert Ehmke's Kshowmail for linux is used to preview new emails. Highlighted is the header belonging to email message 196.

Before you can trace the header you need to know the order of the received mail headers. This can be found by sending a test message to yourself and viewing the header. In the case of my ISP Freesere, the order is from the freeserve mail server (line below return path) back to the originators mail server (line above from).
The first received header from the spammer :
Received: from ( [])
by (SMTP Server) with SMTP id 41ED1180019C
for; Mon, 12 Apr 2004 11:59:18 +0200 (CEST)

In this case the message was sent from a spammer using the above network, As another example here is just the header from another message :

Received: from (
by mwinb3101 (SMTP Server) with LMTP; Mon, 12 Apr 2004 13:37:00 +0200
X-Sieve: Server Sieve 2.2
Received: by (SMTP Server, from userid 1003)
id 5DC6D180010E; Mon, 12 Apr 2004 13:37:00 +0200 (CEST)
Received: from
( [])
by (SMTP Server) with SMTP id C376C1800138
for; Mon, 12 Apr 2004 13:36:56 +0200 (CEST)

The return-path and other headers are often forged, but the spammer has no control over the mail server which will deliver his message. The mail server adds details of the email network from which it was received, including the IP address of the mail server and often a translated address of the numeric IP. In this case it is easy to see that the message has arrived from or Placing the IP address into Spamcops Database reveals more information about the source :-

Query - is listed in (

Since SpamCop started counting, this system has been reported about 10 times by less than 10 users. It has been sending mail consistently for at least 37 hours. In the past 35.5 days, it has been listed 2 times for a total of 3.4 days

In the past week, this system has:
Been reported as a source of spam less than 10 times
Been detected sending mail to spam traps
Been witnessed sending mail about 180 times

Other hosts in this "neighborhood" with spam reports:

This is often useful information and can be used to advantage in a mailfilter. However, mistakes can be made so use the information from spamcop with care.

Fake Headers
Received: from (
by mwinb3101 (SMTP Server) with LMTP; Mon, 12 Apr 2004 08:17:17 +0200
X-Sieve: Server Sieve 2.2 Received: by (SMTP Server, from userid 1003)
id 0CDC818000ED; Mon, 12 Apr 2004 08:17:17 +0200 (CEST)
Received: from ( [])
by (SMTP Server) with SMTP id 21E0718000C1
for ; Mon, 12 Apr 2004 08:17:15 +0200 (CEST)
Received: from by; Mon, 12 Apr 2004 06:10:03 -0100
From: "Cornell Light"
Reply-To: "Cornell Light"
Subject: i just wnated to say hey

In the message above, the spammer has added a false header (highlighted in green). As I trust my mail server and know the order of the received headers, this spam has originated from A quick look up on Spamcop or the Arin Database verifies that the IP address belongs to Hallym University, Korea, OR a spammer using that particular network.

Other Links for Dealing With Spam
Ed Falk's Spam Tracking Page
The Spam Patrol

Return to Media Section