Legend:  new window    outside link    tools page  glossary link   

Preparing and submitting spam reports

What we’re doing on this page: Preparing reports based on our spam analysis to notify the parties responsible for sending and supporting the spam mail.

After all the hard, dirty work of analyzing your spam, you are now ready to send your reports. Fortunately, this part is much easier than most of what went before, although there are some pointers that I’ll give you on this page.

Gathering your information

If you’ve followed the process I’ve laid out thus far, you will have some or all of the following bits of information about your spam message.

  1. First (and most importantly), you’ll have one or more IP addresses for hosts involved in propagating or supporting the spam message:
  1. Next, in certain cases where the spammer appears to depend upon e-mail response (e.g., 419 scammers), you may also have the e-mail addresses contained in the spam, along with abuse contact addresses for the providers responsible for the addresses.
  1. Finally, if you are really desparate or ticked off, you may also have found an abuse contact for the domain registrar that sold the internet domain name used for spam websites or even (on rare occasions) spam mail hosts.

Let’s pull all this information together for a big all-in-one example. First, here are the various addresses and domains extracted from a fictional spam message (the IP addresses are bogus, and none of the domains named here actually existed when I wrote this):

resource used in spam information about the resource
originating mail host IP address:
(big-cable-internet.com domain)
open relay mail host IP address:
(im-asleep.info domain)
spam sales website host IP address:
host name = chickenlickin.org
(host-anybody.com domain)
spam removal website host IP address:
host name: fsck-off.lv
(dont-care.org domain)
e-mail address e-mail address “ex@annoy-mail.net
e-mail provider: annoy-mail.net
domain name “chickenlickin.org domain registrar: domain-cesspool.com
(the domain registration data looks suspicious)

Here are the abuse contact addresses for each of these resources.

role in the spam abuse contact
originating mail host abuse@big-cable-internet.com
open-relay mail host abuse@im-asleep.info
spam sales website host abuse@host-anybody.com
spam removal website host abuse@dont-care.org
e-mail address “ex@annoy-mail.net postmaster@annoy-mail.net
registrar for “chickenlickin.org abuse@domain-cesspool.com

Now, fire up your mail program and let’s get to work.

Writing the report

Here’s what a spam report might look like for the case above:

To: abuse@big-cable-internet.com,
  abuse@im-asleep.info, abuse@host-anybody.com,
  abuse@dont-care.org, postmaster@annoy-mail.net,

From: [[your e-mail address]]

Subject: Spam report (chickenlickin.com)

I have received the following mail, which my analysis suggests may be spam. The message is quoted at the end of this mail (I deleted most of an attached MIME-encoded image for the sake of brevity).

The message originated from, which I find to be in a block controlled by big-cable-internet.com.

The message was relayed by a host at, which appears to be in the im-asleep.info domain, and may be an open mail relay.

The message refers to a website at chickenlickin.org, which I find to be at in a host-anybody.com net block. It also refers to a website at fsck-off.lv, which I find to be at in a dont-care.org net block.

I find that the domain chickenlickin.org was registered with domain-cesspool.com. The whois data for this domain appears to be suspect, since it gives a contact phone number of (222) 222-2222 which appears to be invalid.

Finally, the message requests an e-mail response to ex@annoy-mail.net, which I find to have been issued by annoy-mail.net.

Please take appropriate action in accordance with your policies to stop this party from sending further unsolicited e-mail.

-- Regards, [[your name & e-mail address]]

(paste in full message, including headers)

This is a much longer spam report than you would typically have to write, since I tried to include examples of many different kinds of contacts. For the typical spam message, you will only need to report to (1) the originating host’s provider (for direct-to-MX mail) and perhaps (2) the web hosting provider (for the sales website). If you have a lot of issues to report, and you have the time, it may be more effective to send several messages, one to each abuse departrment, each one tailored for the particular recipient.

Here are some things to note about this message:

Here are some further tips for writing complaints:

What to expect from your report

So, as soon as these guys receive your report, they’re all going to go running over to pull the plug on the spam hosts, right? Well, frankly, no.

When you send an abuse report these days, you will rarely get a response from a real human (particularly if you’re just complaining about mere spam, as opposed to more insidious cracking and probing activities). At best, you will get an automated pro-forma response (“...we received your complaint and are acting on it...please be assured yadda yadda...”), perhaps including a case file number to use for future correspondence. In many cases, you will get no response at all. This does not necessarily mean, however, that nothing will come of your report.

Let’s face facts for a moment; ISPs don’t make money by handling abuse complaints, they make money by keeping customers online. However, if they see that one of those customers is making an unwarranted and disproportionate nuisance of himself, they will eventually act. I have no illusions that a single report of mine, no matter how well-researched and accurate, will make much difference in the grand scheme. After all, even thoroughly honest online business get the occasional misdirected spam complaint (which is usually ignored). I think the power of reporting kicks in when an ISP receives many, many reports from many different people about the same incidents; that’s why I urge you, if you are able, to join those of us who research and report spam incidents.

If you want to check up on the effectiveness of your reports, you might bookmark some of the spam websites you’ve reported and then check back later to see whether they have been shut down.

Elevating matters

From time to time, I get a message that I think merits special treatment. On these occasions, I will pick up the phone and try to talk to some humans — specifically, those in the network operations center, or NOC, of the ISPs in question. This is certainly not something you want to do for routine spam, but it might be worthwhile if you detect phishing, virus distribution, cracking, or other more serious forms of abuse.

Often, it can be hard to find the phone numbers for the NOC — sometimes they are found in the output of whois, but often you may have to go to the ISP’s website and look up a number. Many larger ISPs have a phalanx of phone minions protecting the people at the NOC who are actually doing the work; you may first have to speak with the general customer support line, and then you might convince them to transfer you to the abuse desk. Even here, you may not actually be speaking with people who can do any more than just take reports over the phone, so see whether you can be transferred to the NOC.

When you speak to the people in the NOC, be cordial and collegial (“...hey, for your information, I think you have a problem.”) Offer to send details to them via e-mail rather than enumerating addresses and host names over the phone. Don’t waste their time or make a pest of yourself — this will make them think you are a kook whose complaints don’t deserve action. Don’t get messianic or obsessive about following up with the NOC on these reports — once you file your report, you have done your duty, and the rest is up to others.


So, that’s it — you’ve filed a spam report! Congratulations, and thanks for doing your part to stop e-mail abuse. Relax and enjoy yourself while you can, for the next spam message is probably on its way to you.

 Legend:  new window    outside link    tools page  glossary link   

(c) 2003-2006, Richard C. Conner ( )

03391 hits since March 31 2009

Updated: Fri, 21 Jul 2006