How to Combat Spam

Tips From

PC Mobile Help

A division of PC Mobile, Inc.

Spam is more than just an annoyance.  The present rate of growth of this kind of illegal advertising is staggering.  Unchecked, it will soon overtake useful e-mail.  We must all do what we can to combat spam.  There are several ways to go about this, with different levels of effectiveness.  

Here is how not to "feed" spammers:

Never reply or respond to spam.  Never "unsubscribe" from spam.  Never click on the links within spam.  Never buy anything from spammers.  If nobody ever bought anything from spammers, there would be no more spam.

Avoid giving out your real e-mail address.  Many web sites require you to register your e-mail address.  More often than not, you do not have to use your real e-mail address for this.  You could set up a Yahoo account for this.  If you are posting your e-mail address on a web site, mung it (alter it so that a person can still work out the address but an address-harvesting program cannot).

How To Complain To The Spammer's Provider

The first step is finding out who to complain to.  Do NOT complain to the guilty party.  This will only tell them that your e-mail address is real.  Many spammers are only guessing at e-mail addresses, and once they get a reply from you, they will add your address to a list of confirmed addresses which they sell to other spammers.  Complain to whoever is providing them with internet access.  Be careful though, because their "provider" may not really be a provider.  They may be a front for the spammer.  Work your way up the ladder until you find out who has the power to shut them down.

Finding out who to complain to can be broken down into several steps. The first one is determining the domain name the spammers are using. One good place to look is the body of the message, which often includes an e-mail address to reply to or a web page to visit. This will often be via a different provider than the one used to send the spam, but many providers forbid either use of their services by spammers.

To find out where the spam originates, tell your mail reader to display all the headers and look at the "Received" lines. Then read the Received lines from top to bottom. For example:

To: poor_me@mydomain.com
Received: from relay.yoyolink.net (ns2.yoyo.com [127.10.58.3]) by legit.com with SMTP id WAA12684 for <kingdon@legit.com>; Thu, 21 Nov 1996 22:28:08 -0800
Received: from forged.example.com (slime.spammer.com [10.71.84.44]) by relay.yoyolink.net (8.8.3/8.8.3) with SMTP id GAA02044 for <kingdon@legit.com>; Fri, 22 Nov 1996 01:23:46 -0500

Your own site (legit.com) got this message from ns2.yoyo.com, which in turn got it from slime.spammer.com. Intermediate sites, such as yoyo.com in this example, may simply be sites which allow anyone to forward mail using their mailer. Don't assume they are connected with the spammer or the spammer's provider, but you might want to let them know their system is being used for this purpose. You can ignore the rest of each line (the "with", "id" and similar parts).

With experience, and/or by consulting various sources, you will learn more about Received lines, and the ways that they can vary. But the basic principle is still to read them from top to bottom, and to understand that each computer which handled the message added one or more Received lines. Thus each Received line may originate from your site, the spammer's site, or somewhere in between.
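An added example (not from the original page) of the top-to-bottom reading described above: a small Python parser that walks the sample headers, pairs each receiving host with the host it actually got the message from, and stops trusting the chain at the first line that does not link to the one above it, since a sender can append fabricated Received lines of its own. The function names and the extra forged line used in testing are this example's own assumptions.

```python
import re

# Constructed sample input: the article's example message headers, top to bottom.
SAMPLE_HEADERS = """\
To: poor_me@mydomain.com
Received: from relay.yoyolink.net (ns2.yoyo.com [127.10.58.3]) by legit.com with SMTP id WAA12684 for <kingdon@legit.com>; Thu, 21 Nov 1996 22:28:08 -0800
Received: from forged.example.com (slime.spammer.com [10.71.84.44]) by relay.yoyolink.net (8.8.3/8.8.3) with SMTP id GAA02044 for <kingdon@legit.com>; Fri, 22 Nov 1996 01:23:46 -0500
"""

# "from <claimed> (<observed> [<ip>]) by <receiver>": the name after "from" is whatever
# the sending machine announced, so it can be forged; the parenthesised name and IP
# are what the receiving server itself saw, so that is the part to rely on.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?:(?P<observed>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def parse_received(raw_headers):
    """One dict per Received line, kept in header order (top line = your own site)."""
    hops = []
    for line in raw_headers.splitlines():
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append(m.groupdict())
    return hops


def relay_chain(hops):
    """Read top to bottom: each receiver ('by') paired with the host it actually got
    the message from (observed name, falling back to the claimed one)."""
    return [(h["by"], h["observed"] or h["claimed"]) for h in hops]


def first_break(hops):
    """Index of the first Received line that does not link to the one above it, or None.
    A genuine chain links up: the host a line was received 'by' must be the host the
    line above was received 'from'. Lines from a break downward were not added by a
    relay you can vouch for and may have been forged by the sender."""
    for i in range(1, len(hops)):
        above, below = hops[i - 1], hops[i]
        if below["by"].lower() not in (above["claimed"].lower(), (above["observed"] or "").lower()):
            return i
    return None


def origin(hops):
    """The host that handed the message to the last relay you can vouch for."""
    cut = first_break(hops)
    trusted = hops if cut is None else hops[:cut]
    return relay_chain(trusted)[-1][1] if trusted else None
```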

Once you have a suspect domain name, try to find out what kind of organization has that name. One way is to look on the various anti-spam web sites, newsgroups, and other resources. If the site has a reputation as a site which does a good job of fighting spam, you complain to them. If it is a site which is known to not respond to complaints, despite persistent and repeated attempts, you complain to their upstream provider (see section on traceroute below).

You can see if an entity has a web page by taking the domain name and adding "www." to the start (use of "www." is just a convention, but it is a widely followed one). If you see a page with content similar to the email spam you received, you've probably identified the bad guys (however most, but not all, spammers are too lazy to write a web page). If you see a page telling you about internet access services and other types of legitimate business, you've probably identified the proper party to complain to.

If you have identified the offending site and you want to find who their upstream provider is, use the "traceroute" tool. You need to give it the machine name to trace to, for example slime.spammer.com in the above example. If traceroute is accessible to you on your local system, simply invoke "traceroute slime.spammer.com". If not, there are many web->traceroute gateways; searching for "traceroute" in one of the internet search engines should find one. Either way, the output from traceroute will look something like this:

traceroute to slime.spammer.com (127.126.32.23), 30 hops max, 40 byte packets
 1  siamese.legit.com (127.39.1.134)  206 ms  177 ms  198 ms
 2  persian.legit.com (127.39.1.129)  203 ms  191 ms  188 ms
 4  SR1.gotham-city.major.net (127.39.100.73)  174 ms  190 ms  208 ms
 5  core4.gomorrah.major.net (127.39.33.133)  180 ms  182 ms  159 ms
 6  retrolink-gw.gomorrah.major.net (127.157.77.25)  169 ms  185 ms  189 ms
 7  router1.retrolink.net (127.70.1.122)  469 ms  365 ms  239 ms
 8  spammer-gw.retrolink.net (127.70.1.122)  429 ms  242 ms  239 ms
 9  slime.spammer.com (127.70.3.98)  519 ms  275 ms  309 ms

This means that to get from your site (or the site hosting the web->traceroute gateway) to slime.spammer.com, data first passes through legit.com, then major.net, then retrolink.net, and finally to spammer.com. So if spammer.com is the guilty party then normally you would complain to retrolink.net. If you have reason to believe that retrolink.net is uncooperative then you could escalate by complaining to major.net. This should be done only after repeated attempts to persuade retrolink have been unsuccessful. Even sites with good spam control policies will occasionally get a spammer, so the mere fact that you have received one spam, or a handful of unrelated spams, is not by itself sufficient reason to escalate.

If you are unsure about whether you are complaining to the right party, it is good to say this in your complaint, and ask the complainee to forward the message to the appropriate party if need be. In general, especially if you are unsure, you should err on the side of complaining to only one site, and not involving sites with a distant relationship to the spammer. Help give spam-fighting a good name among providers.

You can find the email address to complain to by first seeing if the organization in question has a web page with a contact address. Generally you want the network abuse address if there is one, or if not try to figure out what the closest choice is. An alternative is the complaint forwarding service at abuse.net. If none of these seem feasible, you can always try postmaster@<the provider's site>. According to the internet standard RFC822 (STD 11), all sites are supposed to have such a mailbox.

Be polite. This is very important--you catch more flies with honey than vinegar. A good generic wording is "This is unsolicited, undesired email. Please take appropriate actions to stop it, or see http://spam.abuse.net/ for how/why you should" or take a look at a sample complaint letter. You might want to tailor your message if you have more knowledge of the provider's position on spam. Keep in mind that the people who read the abuse alias are not there to be abused, they're there to stop the abuse.

Include the full headers of the message you are complaining about, if possible. In most mail readers there is a special command to display all the headers. Make especially sure you include the Received headers - the provider can take no action without them.

After you send your complaint you probably won't get any response. But this doesn't necessarily mean that the provider has taken no action; often when there is a spammer at their site they are overwhelmed with complaints and find it difficult to acknowledge each one.

If you do get a response (such as "this would appear to violate our terms of service and we're looking into it" or "we have terminated the account of the spammer"), either send back a thank you or not, at your option. There is something to be said for letting the providers know that we appreciate their actions, but on the other hand these people get a lot of e-mail about spam complaints and it might be preferable not to increase the volume.

Where are the whois databases and what do they contain?

There are four RIRs, each maintaining a whois database holding details of IP address registrations in their regions. The RIR whois databases are located at:

  • ARIN (North America and sub-Saharan Africa)
  • APNIC (Asia Pacific region)
  • LACNIC (Southern and Central America and Caribbean)
  • RIPE NCC (Europe and northern Africa)

For historical reasons, the ARIN Whois Database is generally the starting point for searches. If an address is outside of ARIN's region, then that database will provide a reference to either APNIC or RIPE NCC.

Unfortunately, many people misinterpret this referral to mean that either APNIC, LACNIC, or RIPE NCC is the network from where the problem arose. In fact, APNIC, LACNIC, and RIPE NCC perform the same function as ARIN. To get more specific information you must follow the referral and search the appropriate database.

What does the APNIC Whois database contain?

The APNIC Whois Database contains registration details of IP addresses and AS numbers originally allocated by APNIC. It contains details of the organisations that hold the resources, the country where the allocations were made, and contact details for the networks. The organisations that hold those resources are responsible for updating their information in the database.

Please note, the APNIC Whois Database will be able to identify the details of the network routing the IP address you are searching for. In general it will not identify the individual actually using the specific address. Only the network administrator will have access to user information.

How do I use the APNIC Whois Database?

To find details about the IP address you are searching for, simply enter it into the text box and click "Search Whois".

There are many other options available in the advanced Whois interface, but for simple IP look-ups you should just use the default settings.

What do the query results mean?

A. Which are the most important parts to look at?

For spam and hacking complaints, you really only need to consider the admin-c and tech-c fields.

These two fields show the administrative and technical contacts for the organisation holding the relevant address range. Click on the hyperlinked entry (it looks like "AB12-AP"). This takes you to the address details of the contact.

B. What do all the other fields mean?

The other fields are included as part of the proper registration of public resources. If you're just using the database to look for the organisation responsible for network abuse, these other fields should not be relevant.

C. Your database says APNIC is the "source" of the IP address I've looked up

The source field shows the RIR responsible for keeping records of the IP address allocation. It does not show the organisation responsible for the administration or operation of the network.

Also note that the changed field is not a network contact address, as it merely records who made the most recent change to the registration information. All APNIC addresses will initially record an APNIC address in this field, as APNIC creates the first database object.

Where do I go from here?

To contact the network responsible for the IP address of the spammer or hacker, you will need to contact the admin-c or tech-c.

See "What if the registered contact details are wrong?" for more information.

Our friend, LMI.net, has an excellent help page on How To Complain About Spam.

Are there any exceptions?

In many cases the APNIC Whois Database will refer you to a National Internet Registry (NIR). The NIRs perform a similar function to APNIC, but on a national level only. If the netname in the Whois record shows one of the following NIRs, you will need to access their databases to find out which ISP they allocated the address space to and contact the admin-c or tech-c of that ISP. Only contact the NIR itself if there are problems with the contacts registered in their database.

NIR      Country   Whois Database
CNNIC    China     Refer to APNIC Whois Database
JPNIC    Japan     http://whois.nic.ad.jp/cgi-bin/whois_gw
KRNIC*   Korea     http://whois.nic.or.kr/english/
TWNIC    Taiwan    http://www.twnic.net/English/Index.htm

*KRNIC maintains a list of ISP network abuse contacts.
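An added example, not the page's own code, covering both the query-results section above and the NIR exception: it parses a constructed APNIC-style whois object, returns only the admin-c and tech-c handles (never source or changed), and flags a netname that points to one of the NIR databases listed. The sample object, its 203.0.113.0 documentation range and the handle values are constructed for this illustration.

```python
# Constructed sample: an APNIC-style inetnum object, using a documentation address range.
SAMPLE_WHOIS = """\
% [whois.apnic.net node-1]
inetnum:      203.0.113.0 - 203.0.113.255
netname:      EXAMPLE-NET-AP
admin-c:      AB12-AP
tech-c:       CD34-AP
changed:      hostmaster@apnic.net 19990101
source:       APNIC

person:       Placeholder Contact
nic-hdl:      AB12-AP
"""

# NIRs and their databases, as listed in the article.
NIR_DATABASES = {
    "CNNIC": "Refer to APNIC Whois Database",
    "JPNIC": "http://whois.nic.ad.jp/cgi-bin/whois_gw",
    "KRNIC": "http://whois.nic.or.kr/english/",
    "TWNIC": "http://www.twnic.net/English/Index.htm",
}


def parse_whois_object(text):
    """Attributes of the first object in a reply: 'key: value' lines, '%' comment lines
    ignored, a blank line ends the object. The first value wins for repeated keys."""
    obj = {}
    for line in text.splitlines():
        if not line.strip():
            if obj:
                break
            continue
        if line.startswith("%") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        obj.setdefault(key.strip().lower(), value.strip())
    return obj


def abuse_contacts(obj):
    """The handles to follow up on. 'source' is only the RIR keeping the record and
    'changed' only who last edited it, so neither is returned as a contact."""
    return {k: obj[k] for k in ("admin-c", "tech-c") if k in obj}


def nir_referral(obj):
    """If the netname shows an NIR, the range was delegated to a national registry:
    look the ISP up in the NIR's own database instead of contacting the NIR."""
    netname = obj.get("netname", "").upper()
    for nir, database in NIR_DATABASES.items():
        if nir in netname:
            return nir, database
    return None
```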

I'm ready to query the APNIC Whois Database

The APNIC Whois Database is located at http://www.apnic.net/apnic-bin/