Spam investigation toolkit

Posted in Notes Spam on 4 October 2022

Tools to help identify and engage spammers.

I’m often asked what tools are best to use to identify spammers. There are plenty of free tools online that work just as well as the more expensive paid-for tools, or the command line tools that most people use. Here’s a quick rundown and what to look for…

Annoying or Malicious?

While it’s all spam, it is important to clarify that there is a difference between unwanted emails and a scam. You may not want a company to email you without your permission; this is annoying but not necessarily malicious. A scam email is deliberately attempting to fool you into providing personal information to defraud you.

Never engage with spam which is attempting to get personal, financial or company information.

Where you should engage is with an otherwise reputable company, which should know better than to send spam.

DNS Lookup

A DNS Lookup will help you determine the ownership of the server an email address or website is hosted on. You will normally find a lazy spammer will attempt to hide where the email is coming from while linking directly to their website. Others will only use a temporary landing page, further hiding the spammer.

Start by looking up the domain in the email address, then the domain in the linked websites. Make a note of any A-Records; these will be useful for identifying the host of the website.

dns-lookup.com

DNS Lookup 2

Additionally, you may want to run any domain names you encounter through whatsmydns.net, and use the “MX” records search for any domains you’ve encountered to see what email services are being used. The “A” record search against the domains will provide you with more IP addresses to look up below.

whatsmydns.net

IP Lookup

An IP lookup will help you pinpoint the hosting infrastructure and mail system used by the spammer. Typically, a spammer will use a different server for their website hosting from their SMTP (email sending) server. If they’re not very good, they’ll use the same server for both.

Using the IP addresses identified in the DNS lookup, you’ll be able to identify the companies used by the spammer. You should contact these companies directly to alert them to the spammers using their services.

ip-lookup.org
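
The DNS and IP steps above can be scripted. The following is an added example, not part of the original post: it pulls the sender domain and the linked hosts out of a message, resolves their A records, and reports any IP that serves both. The sample message, the function names and the injectable resolve parameter are assumptions made for illustration.

```python
import re
import socket
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message (reserved .example names, not a real sender).
SAMPLE = """\
From: "Great Offers" <sales@mail-offers.example>
To: you@yourdomain.example
Subject: Boost your traffic

Visit https://www.cheap-seo.example/landing?id=7 today,
or http://go.short.example/abc to unsubscribe.
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def system_resolver(host):
    """A-record lookup via the OS resolver; [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def domains_to_check(raw):
    """Return (sender domain, [linked hosts in order seen]) for a plain-text message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    links = []
    for url in URL_RE.findall(msg.get_payload()):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host and host not in links:
            links.append(host)
    return sender, links

def investigate(raw, resolve=system_resolver):
    """Resolve every domain in the message and list IPs shared by sender and links."""
    # A records only: MX lookups need dig or a DNS library, not the stdlib.
    sender, links = domains_to_check(raw)
    sender_ips = set(resolve(sender)) if sender else set()
    link_ips = {host: resolve(host) for host in links}
    all_link_ips = {ip for ips in link_ips.values() for ip in ips}
    return {"sender": sender, "sender_ips": sorted(sender_ips),
            "link_ips": link_ips, "shared": sorted(sender_ips & all_link_ips)}
```

Every IP in sender_ips and link_ips is a candidate for the IP lookup, and a non-empty shared list means the same host is behind both the sending domain and a linked site.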

Black List Check

This is a tool from MX Toolbox that allows you to check if a server IP or domain name has been blacklisted for various reasons. You most likely won’t receive mail from a blacklisted domain. Usually, your email provider will use multiple blacklists to determine if something is spam, suspicious or malicious.

mxtoolbox.com/blacklists.aspx
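
A blacklist check of this kind is a DNS query against each list (a DNSBL): the IP is reversed, the list's zone is appended, and an answer in 127.0.0.0/8 means the IP is listed. The following is an added example, not part of the original post and not MX Toolbox's code; the zone dnsbl.example, the function names and the injectable lookup parameter are hypothetical.

```python
import ipaddress
import socket

# Hypothetical zone for illustration; substitute a list you are allowed to query.
ZONE = "dnsbl.example"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Some lists (Spamhaus, for one) answer in this range to signal a refused
# or malformed query rather than a listing.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

def dnsbl_name(ip, zone=ZONE):
    """Query name: reversed IPv4 octets, or reversed IPv6 nibbles, plus the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_lookup(name):
    """A-record lookup via the OS resolver; [] when the name does not exist."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def check(ip, zone=ZONE, lookup=system_lookup):
    """Classify one IP against one list."""
    answers = [ipaddress.ip_address(a) for a in lookup(dnsbl_name(ip, zone))]
    if not answers:
        return "not listed"
    if any(a in ERROR_NET for a in answers):
        return "query error"
    if all(a in LISTED_NET for a in answers):
        return "listed"
    # A public address here usually means a resolver that rewrites NXDOMAIN.
    return "unexpected answer"
```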

Engaging with Spammers

You should always think twice about engaging with spammers, but it can be useful later. You should only engage for as long as you feel comfortable. You’ll find the longer they engage, the more information will become available for your investigation.

If you post about the incident on a public website, they’ll not be happy. But the thickest amongst spammers will email you back on the address they spammed you on to complain, thus confirming their complicity.

  • Only use the email address they spammed you on
  • Don’t provide any “real” personal information
  • Keep records and follow up with the hosting/DNS/email providers you’ve identified
  • Any threats should be reported to your local police/authorities

Reporting

Spam is illegal in most jurisdictions; however, the laws change region by region. Keep records of your investigation. A quick way to dismiss any complaints to a hosting company is to provide them with a link to your post or a shared document.

The teams that deal with abuse complaints at hosting companies also deal with the spam complaints, so they’ll always be on your side, not the spammers’, no matter how much they complain!
