This page is a little out of date but still helpful.
This may be off topic for my electronics site, but unfortunately the delivery of unwanted or unsolicited email, more commonly known as spam, is increasing at an alarming rate. I spend more and more of my time filtering out emails, and if, like me, you receive in excess of 1000 spams a day then you may find my solutions helpful. Please read my disclaimer
Magic Mail Monitor
If you are a Windows user and your ISP provides you with a POP3 mail account (most do) then Valeriy Ovechkin's Magic Mail Monitor can help you keep your email under control.
Note that this program will not work with web mail based accounts such as Yahoo and Hotmail. With Magic Mail Monitor (MMM) you can safely delete messages, and potential mail viruses, without opening them first, and best of all it is completely free. Visit sourceforge to download a copy. Read the help file and set up the details of your mail account before use.
Below is a snapshot of Magic Mail Monitor in use.
You can preview your email with MMM. As can be seen in the "To:" box above, some mail is not even addressed to me. This happens when your ISP allows "multiple aliases" of your email address. In the case of the ISP Freeserve, your email account is the part after the @ symbol; any text before the @ is an alias. It is therefore easy to delete all email not addressed to yourself, i.e. firstname.lastname@example.org in my case. However, this quickly becomes a tedious task depending on your volume of spam. Filters can be added to act on the message header. Read the help file supplied with MMM and set up your account; you should also include any email you do not want to delete in a whitelist.
The email header contains information about your email, including the originator, reply-to address, the email client used to write the message, and the mail servers it has passed through. A good spammer can forge just about any mail header but has no control over the mail servers the message passes through. The header information can therefore be used to trace an email back to its originating source. To display the header in MS Outlook Express, right click an email, left click the details tab and click message source. An example is shown below:
Each email header line consists of a keyword followed by a colon and its value. Depending on your ISP, the order and number of email headers will vary.
In the highlighted message above, the spammer "Whitney Cates" claims to be using AOL and has a return address of email@example.com. If the email address is not enough to tell you it's spam then the subject line certainly should. A closer inspection of the email header reveals (line 8) that the message did not originate from AOL, but from the domain 184.108.40.206, was then routed via Comcast and finally arrived at my Freeserve email account.
Common Techniques used by Spammers
As well as sending to a fake email alias, other common techniques include Re: in the subject line, no subject at all, random characters or typographical errors in the subject line, and a fake X-Mailer or other falsified headers. This list is by no means complete, as the determined spammer will become ever more devious and devise new methods to fool mail filters and get his message opened.
The following reduced email headers demonstrate the above points.
Re: in Subject Line
Received: from mwinf3003.me.freeserve.com (mwinf3003.me.freeserve.com)
by mwinb3101 (SMTP Server) with LMTP; Wed, 11 Feb 2004 17:07:53 +0100
X-Sieve: Server Sieve 2.2
Received: from cpe-24-107-225-243.ma.charter.com (cpe-24-107-225-243.ma.charter.com [220.127.116.11])
Received: from [18.104.22.168] by cpe-24-107-225-243.ma.charter.com id 4780919-47879;
Fri, 13 Feb 2004 17:08:15 +0100
Subject: Re: that guy can wait
A genuine reply to an email you have sent contains Re: in the subject line and also has an additional header of either "In-Reply-To:" or "References:". If both of these headers are missing the message is spam. The solution is to write a filter that denies the subject "Re:" unless one of the additional headers mentioned above is included.
Random Characters on Subject Line
Received: from [22.214.171.124]
by user-118butp.cable.mindspring.com SMTP id Hp4b4kxejWlaIS;
Reply-To: "Barney Ellis" firstname.lastname@example.org
Subject: xpa madeleine tcj bjxerj
One reason for a meaningless subject is to try and bypass any mail filter that looks for particular keywords. This is quite common and devious, but one way to stop this kind of nuisance is to view the header and block the IP address of the originating mail server.
Subject: *** SPAM *** girlnextdoor would lske to say hello
Date: Wed, 14 Apr 04 03:04:34 GMT
X-Mailer: The Bat! (v1.52f) Business
The X-Mailer: header is sometimes filled with a genuine email client or a made up name. In my case I never receive anything but spam from people using "The Bat!" so I block all email from anyone using The Bat.
No Return Path
Received: from mwinf3108.me.freeserve.com (mwinf3108.me.freeserve.com)
by mwinb3101 (SMTP Server) with LMTP; Sat, 10 Apr 2004 12:00:56 +0200
Typical spam messages sent in HTML often include a link to some website trying to sell you some unwanted product. These messages typically contain no return path, only the empty angle brackets as in the above example; the solution is to filter on the "<>".
Creating new mailfilters
Here are a few examples of mailfilters that work with magic mail monitor :
Chinese or other Foreign Character Sets
It is annoying to receive spam written in a different language, whose character set sometimes does not display properly. The so-called "Big5" character set is often used.
First display the message header:
The characters "Big5" in the subject line may be used to create a filter. First go to File, then Filters, then click the "+" sign at the bottom of the filter window. Enter a name for the filter (Big5 is a good choice), then click the button with three periods (...). Select Subject in the drop down header box and "includes" for the filter criteria. Enter Big5 in the lower input field and click OK:
Finally place a tick in the Big5 filter, and tick the boxes "mark as spam" and "highlight with colour". Choose a colour and click Save to save your new filter. Then check your mail again and any message using the character set Big5 should be highlighted, see below. Once you are happy with your filters you can tick the box "delete from server" to have your messages deleted without downloading them. Leaving this box unchecked is safer and allows you to verify any highlighted messages first.
Mail not addressed to me.
If you receive mail that is not addressed to you or an unwanted alias, click "+" as before to create a new filter, use the "To" header, then the filter "NOT includes", and enter your email address on the line below. Choose "highlight with a different colour" and save your filter. Only messages addressed to you will now get through. The filter should be similar to the one below:
No return address
A filter similar to the one shown below can remove any message containing "<>" in the return path. :
Block a domain or IP range
This requires great care as a mistake here could delete some or all of your email. Using a regular expression allows the greatest flexibility in writing a filter. The help file in magic mail monitor outlines the structure and basic syntax.
The above filter checks the Received: header for occurrences of a particular word. In this example I have filtered out all mail from "ameritech". The . in the expression matches a single occurrence of the word in brackets (), and the * character matches one or more appearances of the same word. Note that this expression will also filter results from ameritech.net, ameritech.com etc. or any other suffix.
Finally, after adding a few filters your message box may start to appear multi-coloured like the one below. Check the highlighted messages to make sure they are not valid emails, then once you are happy, return to Filters and check the "delete from server" option. Next time these messages will be removed without you wasting time and money downloading spam first.
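The header checks described in this section and under "Common Techniques used by Spammers" (Re: without In-Reply-To/References, the empty "<>" return path, The Bat! X-Mailer, mail not addressed to me, Big5 in the subject, and a regular expression over Received:) written out as an added Python example. This is not MMM's code or its filter format; MY_ADDRESS, the rule names and the sample header blocks are assumptions made for the example.

```python
import re
from email import message_from_string

MY_ADDRESS = "me@example.org"   # assumption: the one alias that is really mine

def h(msg, name): return msg.get(name) or ""   # raw header value, "" if absent

# One predicate per filter described on this page: MMM's "includes",
# "NOT includes" and regular-expression filters, expressed in Python.
RULES = [
    ("Re: without In-Reply-To/References", lambda m:
        h(m, "Subject").lstrip().lower().startswith("re:")
        and not (m["In-Reply-To"] or m["References"])),
    ("empty return path <>", lambda m: "<>" in h(m, "Return-Path")),
    ("X-Mailer is The Bat!", lambda m: "the bat!" in h(m, "X-Mailer").lower()),
    ("not addressed to me", lambda m: MY_ADDRESS not in h(m, "To").lower()),
    ("Big5 in Subject", lambda m: "big5" in h(m, "Subject").lower()),
    # Regex over every Received: header. In regex syntax "." means any one
    # character and "*" means zero or more repeats, so the dot is escaped to
    # match a literal dot followed by any suffix (ameritech.net, .com, ...).
    ("relay via ameritech", lambda m: any(
        re.search(r"ameritech\.[a-z]+", r, re.I) for r in m.get_all("Received", []))),
]

def classify(raw_headers):
    """Names of every rule the header block trips; [] means it passed."""
    msg = message_from_string(raw_headers)
    return [name for name, pred in RULES if pred(msg)]

# Constructed header blocks modelled on the examples above; hosts and IPs
# are documentation placeholders, not real senders.
FAKE_REPLY = """\
Received: from cpe-1-2-3-4.ma.charter.com (cpe-1-2-3-4.ma.charter.com [192.0.2.10])
    by mwinf3003.me.freeserve.com (SMTP Server) with SMTP id EXAMPLE01
Return-Path: <>
To: <me@example.org>
X-Mailer: The Bat! (v1.52f) Business
Subject: Re: that guy can wait
"""
REAL_REPLY = """\
Received: from mail.example.net ([192.0.2.20]) by mwinf3003.me.freeserve.com
Return-Path: <friend@example.net>
To: me@example.org
In-Reply-To: <20040213.1@example.org>
Subject: Re: meeting tomorrow
"""
ALIAS_SPAM = """\
Received: from adsl-1.dsl.ameritech.net ([192.0.2.30]) by mwinf3003.me.freeserve.com
To: <random.alias@example.org>
Subject: =?Big5?B?pGyxw6RO?=
"""
```

Run `classify()` on a message's raw header block; a non-empty list is the equivalent of MMM highlighting the message, and should be checked by eye before turning on "delete from server".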
Checking Open Ports
If you think you have downloaded or opened a virus and are running Windows, open a command prompt and type netstat -a. This will show you the open connections between your computer and the internet (see below):
There are five connections to my mail server using the POP3 protocol and one other established connection to IP 126.96.36.199 using port 80. This is Google, and at the time netstat -a was run my browser was displaying Google's home page. If you do see lots of active connections, you may be running some file sharing software like Kazaa or BearShare. If you see an unknown connection then a quick browse to the ARIN database will allow you to look up the IP that your machine is connected to.
Tracing Email Back to its Source
Below is a snapshot of my mailbox. Eggert Ehmke's Kshowmail for Linux is used to preview new emails. Highlighted is the header belonging to email message 196.
Before you can trace the header you need to know the order of the Received: headers. This can be found by sending a test message to yourself and viewing the header. In the case of my ISP Freeserve, the order runs from the Freeserve mail server (the line below Return-Path) back to the originator's mail server (the line above From).
The first received header from the spammer :
Received: from mitedu.freeserve.co.uk (r3.cc70.lsc.net.tw [188.8.131.52])
by mwinf3009.me.freeserve.com (SMTP Server) with SMTP id 41ED1180019C
for email@example.com; Mon, 12 Apr 2004 11:59:18 +0200 (CEST)
In this case the message was sent from a spammer using the above network, 184.108.40.206.
As another example here is just the header from another message :
Received: from mwinf3014.me.freeserve.com (mwinf3014.me.freeserve.com)
by mwinb3101 (SMTP Server) with LMTP; Mon, 12 Apr 2004 13:37:00 +0200
X-Sieve: Server Sieve 2.2
Received: by mwinf3014.me.freeserve.com (SMTP Server, from userid 1003)
id 5DC6D180010E; Mon, 12 Apr 2004 13:37:00 +0200 (CEST)
Received: from host133-209.pool81117.interbusiness.it
by mwinf3014.me.freeserve.com (SMTP Server) with SMTP id C376C1800138
for firstname.lastname@example.org; Mon, 12 Apr 2004 13:36:56 +0200 (CEST)
The Return-Path and other headers are often forged, but the spammer has no control over the mail server which delivers his message. That mail server adds details of the network from which the message was received, including the IP address of the sending mail server and often a reverse-resolved hostname for the numeric IP. In this case it is easy to see that the message arrived from 220.127.116.11, or interbusiness.it. Placing the IP address into SpamCop's database reveals more information about the source:
Query bl.spamcop.net - 18.104.22.168
22.214.171.124 is host133-209.pool81117.interbusiness.it
126.96.36.199 listed in bl.spamcop.net (127.0.0.2)
Since SpamCop started counting, this system has been reported about 10 times by less than 10 users. It has been sending mail consistently for at least 37 hours. In the past 35.5 days, it has been listed 2 times for a total of 3.4 days
In the past week, this system has:
Been reported as a source of spam less than 10 times
Been detected sending mail to spam traps
Been witnessed sending mail about 180 times
Other hosts in this "neighborhood" with spam reports:
This is often useful information and can be used to advantage in a mailfilter. However, mistakes can be made so use the information from spamcop with care.
Received: from mwinf3201.me.freeserve.com (mwinf3201.me.freeserve.com)
by mwinb3101 (SMTP Server) with LMTP; Mon, 12 Apr 2004 08:17:17 +0200
X-Sieve: Server Sieve 2.2
Received: by mwinf3201.me.freeserve.com (SMTP Server, from userid 1003)
id 0CDC818000ED; Mon, 12 Apr 2004 08:17:17 +0200 (CEST)
Received: from c232.hallym.ac.kr (c232.hallym.ac.kr [188.8.131.52])
by mwinf3201.me.freeserve.com (SMTP Server) with SMTP id 21E0718000C1
for ; Mon, 12 Apr 2004 08:17:15 +0200 (CEST)
Received: from 184.108.40.206 by 220.127.116.11; Mon, 12 Apr 2004 06:10:03 -0100
From: "Cornell Light" LPEZLQHWCAHMVP@earthlink.net
Reply-To: "Cornell Light" LPEZLQHWCAHMVP@earthlink.net
Subject: i just wnated to say hey
In the message above, the spammer has added a false Received: header (highlighted in green). As I trust my mail server and know the order of the received headers, this spam originated from 18.104.22.168. A quick look up on SpamCop or the ARIN database verifies that the IP address belongs to Hallym University, Korea, or to a spammer using that particular network.
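The tracing method described above, as an added Python example (not code from this page or from Kshowmail): walk the Received: headers from the top, stay on the ISP's own servers, and take the address the first outside host handed to them, ignoring any Received: lines below that hop because the spammer wrote them. The trusted-host pattern, the header block and its IPs are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Assumption: the ISP's own relays are the mwin* hosts seen in the headers
# above; any other host in a "by" clause is outside the trusted path.
TRUSTED_HOST = re.compile(r"^mwin[a-z]\d+(\.me\.freeserve\.com)?$", re.I)
# "from <host> [comment] by <host>", or just "by <host>" for internal hops.
HOP = re.compile(r"^(?:from\s+(.*?)\s+)?by\s+([^\s;]+)", re.I | re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_origin(raw_headers):
    """Walk Received: headers newest-first (the order this page describes)
    and return the address the first untrusted host handed to one of our
    own servers. Anything below that hop was not written by the ISP and may
    be forged, so it is never consulted. None means the chain is unusable."""
    msg = message_from_string(raw_headers)
    for received in msg.get_all("Received", []):
        hop = HOP.match(received.strip())
        if not hop or not TRUSTED_HOST.match(hop.group(2)):
            return None          # a server we do not trust wrote this line
        if hop.group(1) is None:
            continue             # internal hop, e.g. "(SMTP Server, from userid 1003)"
        host = hop.group(1).split()[0].strip("[]")
        if TRUSTED_HOST.match(host):
            continue             # still moving between the ISP's own servers
        ip = IPV4.search(hop.group(1))
        return ip.group(1) if ip else host
    return None

# Constructed headers modelled on the Hallym example above; IPs are
# documentation placeholders. The last Received: line is the forged one.
FORGED_CHAIN = """\
Received: from mwinf3201.me.freeserve.com (mwinf3201.me.freeserve.com)
    by mwinb3101 (SMTP Server) with LMTP; Mon, 12 Apr 2004 08:17:17 +0200
X-Sieve: Server Sieve 2.2
Received: by mwinf3201.me.freeserve.com (SMTP Server, from userid 1003)
    id EXAMPLE01; Mon, 12 Apr 2004 08:17:17 +0200 (CEST)
Received: from c232.hallym.ac.kr (c232.hallym.ac.kr [192.0.2.77])
    by mwinf3201.me.freeserve.com (SMTP Server) with SMTP id EXAMPLE02
    for <me@example.org>; Mon, 12 Apr 2004 08:17:15 +0200 (CEST)
Received: from 198.51.100.9 by 203.0.113.5; Mon, 12 Apr 2004 06:10:03 -0100
From: "Cornell Light" <sender@example.com>
Subject: i just wnated to say hey
"""
```

The forged bottom line names 198.51.100.9, but `trace_origin(FORGED_CHAIN)` stops at the hop the ISP's own server recorded and reports 192.0.2.77, which is the address to look up in SpamCop or ARIN.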
Other Links for Dealing With Spam
Ed Falk's Spam Tracking Page
The Spam Patrol