
What are we doing here?

In some cases, spammers actually are the registered owners (in IP-whois) of the addresses they use, and a normal IP-whois lookup would give us contact info for the spam gang. Even if this contact info is valid (which isn’t guaranteed), we generally don't want to send any mail to such persons (rule #3), so instead we find out who sold them the block (i.e., their upstream provider) and complain to that outfit instead.

What's an "upstream provider" and why do you care?

Virtually everyone who has any presence on the internet, from General Motors to your Aunt Edna's quilting club, is buying that presence from another provider; these other providers are usually called "upstream providers" or simply "upstreams." To get a grasp on this term, you can visualize a packet originating here from www.rickconner.net making its way "upstream" through my hosting provider's (my upstream's) facilities, and thence through my hosting provider's upstream, onto the big backbone, and thence back down some other "downstream" path to your computer.

It's not hard to find the upstream providers for most spammers, because these spammers have a pretty minimal net presence; they may use a single IP address for their websites (or they may even share an address with other spammers via a "virtual domain" setup). They typically don't have conventional SMTP hosts with fixed IP addresses, but instead steal their mail services, using "zombies" or open proxies for mail delivery. When you look up these various IP addresses they use (using IP-whois), you'll see that they belong to an offshore web hosting service here, a cable-internet provider there, and so on.

Occasionally, however, ambitious spam gangs can actually get control of entire blocks of addresses; they buy them from large "wholesale" ISPs, who sign the blocks over to them such that the spam gang shows up in IP-whois as the owner of the block (this isn't cheap by any means, but some of these weasels have money to burn). When you trace down one of these spams, you'll eventually be led to this information, and the only abuse contacts you'll find will appear to belong to the spam gang itself. Needless to say, you really shouldn't report anything to these addresses. Instead, you need to find out the spammer's upstream provider and file your reports with them.

When should you go upstream?

Doing one or more upstream searches on every spam you receive would become very tedious indeed. Fortunately, this isn't really necessary in the majority of cases, because very few spammers actually own their own IP blocks. You might, however, want to consider it in the following situations (but do exercise some good judgement):

If a sufficient number of these are true, then you might want to get contact info for the upstream provider and direct a complaint to them, rather than to the block's owners.

When do you not want to go upstream?

The whole point of finding a spammer's upstream provider is that you expect that this upstream provider will respond favorably to spam reports. If they probably won't, then it is arguably a waste of your time to bother finding them.

Trying to unravel traceroute paths inside some parts of the world (such as mainland China) can be an exercise in severe frustration. You'll find that many addresses won't work well with traceroute (necessitating several tries to get a complete path free from the dreaded " * * * " lines), and they won't have reverse DNS (so you'll have to dig up the information yourself using IP-whois). Even then, trying to unravel the relationships among providers and net blocks in these parts of the world can be a bit like herding cats.

Ultimately, even if you persevere and isolate a particular spam-friendly net block and its upstream provider, the odds are usually very great that this provider will simply toss your report into a nearby trash can (or /dev/null) with a blasé shrug.

The message here is that reporting to an upstream provider works best when that provider has a good reputation to defend, a well-enforced anti-spam policy, and a well-engineered network setup. Otherwise, it could be a waste of your time.

Using IP-whois to find the upstream provider

Sometimes you can find out who the upstream is just by using IP-whois; the information may be listed in the response. For example, I get a lot of spam referring to websites at 63.243.148.126, part of a block controlled by a known spam gang. Here's an IP-whois lookup for this address:

[G4733:~] rconner% whois 63.243.148.126
Teleglobe Inc. TELEGLOBE-3BLK (NET-63-243-128-0-1)
63.243.128.0 - 63.243.255.255
MailCompanyX, Inc MAILCOMPANYX-TGB (NET-63-243-148-0-1)
63.243.148.0 - 63.243.148.255

# ARIN WHOIS database, last updated 2005-10-15 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

There are two net blocks listed here; the larger one (63.243.128.0 - 63.243.255.255, or 63.243.128.0/17 to use CIDR notation) appears to belong to the Canadian wholesale ISP Teleglobe, Inc. The smaller one (63.243.148.0 - 63.243.148.255 or 63.243.148.0/24 in CIDR notation) belongs to the known spam outfit named MailCompanyX. Since the smaller block fits entirely inside the larger one, we can readily conclude that Teleglobe is the upstream provider to MailCompanyX.
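The nesting test described above can be automated. The following is an added example, not code from this page: it parses the two-block ARIN summary shown earlier (embedded here as a constructed sample), converts each range to CIDR, and treats the smallest block containing the address as the registrant and the next-larger enclosing block as its upstream.

```python
import ipaddress
import re

# Constructed sample: the two-block ARIN summary shown earlier on this page.
WHOIS_SUMMARY = """\
Teleglobe Inc. TELEGLOBE-3BLK (NET-63-243-128-0-1)
63.243.128.0 - 63.243.255.255
MailCompanyX, Inc MAILCOMPANYX-TGB (NET-63-243-148-0-1)
63.243.148.0 - 63.243.148.255
"""

# "<org> <NETNAME> (<NET-handle>)" followed on the next line by "<first> - <last>"
BLOCK_RE = re.compile(r"^(?P<org>.+?) (?P<netname>[A-Z0-9-]+) \((?P<handle>NET-[0-9-]+)\)$")
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) - (\d+\.\d+\.\d+\.\d+)$")

def parse_blocks(text):
    """Return a list of dicts (org, netname, handle, networks) from the summary
    form of an ARIN IP-whois answer; networks is the range expressed as CIDRs."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # skip blanks and ARIN footer
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = m.groupdict()
            current["networks"] = []
            blocks.append(current)
            continue
        m = RANGE_RE.match(line)
        if m and current is not None:
            first, last = (ipaddress.ip_address(x) for x in m.groups())
            current["networks"] = list(ipaddress.summarize_address_range(first, last))
    return blocks

def find_upstream(text, target):
    """Sort the blocks containing target from smallest to largest: the smallest
    is the registrant, the next one up is the outfit that sold it the block.
    Returns (owner_org, upstream_org), or None if only one block contains it."""
    ip = ipaddress.ip_address(target)
    containing = [b for b in parse_blocks(text)
                  if any(ip in n for n in b["networks"])]
    containing.sort(key=lambda b: sum(n.num_addresses for n in b["networks"]))
    if len(containing) < 2:
        return None
    return containing[0]["org"], containing[1]["org"]
```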

Using traceroute to find the upstream provider

You might not always be lucky enough to be able to get the upstream info from IP-whois. Fortunately, however, there's more than one way to flay the feline: we can use traceroute to find a route to the site, and then deduce the identity of the upstream provider from the tail end of the traceroute output.

Continuing with our example from above, then, let's run a traceroute to the offending website address (63.243.148.126):

[G4733:~] rconner% traceroute 63.243.148.126
traceroute to 63.243.148.126 (63.243.148.126), 30 hops max, 40 byte packets
1 10.1.65.1 (10.1.65.1) 105.392 ms 29.852 ms 60.024 ms
2 at-1-1-0-1714.core-rtr1.res.verizon-gni.net (130.81.11.17) 127.498 ms 100.183 ms 133.181 ms
3 so-6-0-0-0.bb-rtr1.res.verizon-gni.net (130.81.20.16) 181.758 ms 47.063 ms 83.357 ms
4 130.81.10.90 (130.81.10.90) 113.579 ms 15.059 ms 62.433 ms
5 dcx-edge-02.inet.qwest.net (208.46.127.253) 80.267 ms 82.062 ms 23.72 ms
6 dcx-core-01.inet.qwest.net (205.171.251.13) 92.907 ms 37.094 ms 39.979 ms
7 dcp-brdr-02.inet.qwest.net (205.171.251.34) 39.738 ms 38.037 ms 90.291 ms
8 if-4-1.core1.aeq-ashburn.teleglobe.net (63.243.149.113) 41.992 ms 46.141 ms 62.246 ms
9 if-2-0.mcore3.njy-newark.teleglobe.net (216.6.57.41) 130.507 ms 168.537 ms 152.942 ms
10 if-4-0.mcore3.laa-losangeles.teleglobe.net (216.6.84.1) 134.866 ms 98.31 ms 192.195 ms
11 if-6-0.core1.lxe-losangeles.teleglobe.net (216.6.84.6) 173.225 ms 132.92 ms 95.979 ms
12 vlan3.msfc1.lxe-losangeles.teleglobe.net (64.86.80.68) 163.306 ms 132.025 ms 129.631 ms
13 vlan107.msfc1.lxe-losangeles.teleglobe.net (63.243.155.30) 128.806 ms 128.781 ms 97.097 ms
14 mx10.keepthemforfree.info (63.243.148.126) 123.568 ms 116.897 ms 165.117 ms

The very last entry in the trace (hop 14) is our destination, which is (of course) in the spammer's private net block. Immediately above it, however (hop 13), is an address having a host name within the Teleglobe domain. Let's do our own forward and reverse host lookups on this "next-door" address just to be thorough:

[G4733:~] rconner% host 63.243.155.30
30.155.243.63.in-addr.arpa domain name pointer Vlan107.msfc1.LXE-LosAngeles.teleglobe.net.

[G4733:~] rconner% host Vlan107.msfc1.LXE-LosAngeles.teleglobe.net
Vlan107.msfc1.LXE-LosAngeles.teleglobe.net has address 63.243.155.29
Vlan107.msfc1.LXE-LosAngeles.teleglobe.net has address 63.243.155.30

We have a match both ways; on this basis, we could be pretty confident that Teleglobe is the upstream provider for the folks at MailCompanyX.

This was a pretty easy job, as it happens, since traceroute could quickly match all of the addresses to host names via reverse DNS. This may not always be the case (especially if the spam block and the upstream are located in the, ahem, Developing Nations). If traceroute could not get reverse DNS on these addresses, you will have to match them to providers yourself using IP-whois. Here's an example for our "next-door" address:
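The "walk back from the destination" step can also be scripted once you know the spammer's block from IP-whois. This is an added example, not code from this page: it parses traceroute output (a constructed sample built from the tail of the trace above, with hop 10 replaced by a " * * * " line to show those are skipped), finds the nearest hop outside the spammer's block, and reports that hop's domain, or just its address when traceroute got no reverse DNS so you know to look it up with IP-whois yourself.

```python
import ipaddress
import re

# Constructed sample: tail of the traceroute shown on this page, with hop 10
# replaced by an unresponsive "* * *" line to show how such hops are skipped.
TRACE = """\
traceroute to 63.243.148.126 (63.243.148.126), 30 hops max, 40 byte packets
 8 if-4-1.core1.aeq-ashburn.teleglobe.net (63.243.149.113) 41.992 ms 46.141 ms 62.246 ms
 9 if-2-0.mcore3.njy-newark.teleglobe.net (216.6.57.41) 130.507 ms 168.537 ms 152.942 ms
10 * * *
11 if-6-0.core1.lxe-losangeles.teleglobe.net (216.6.84.6) 173.225 ms 132.92 ms 95.979 ms
12 vlan3.msfc1.lxe-losangeles.teleglobe.net (64.86.80.68) 163.306 ms 132.025 ms 129.631 ms
13 vlan107.msfc1.lxe-losangeles.teleglobe.net (63.243.155.30) 128.806 ms 128.781 ms 97.097 ms
14 mx10.keepthemforfree.info (63.243.148.126) 123.568 ms 116.897 ms 165.117 ms
"""

# "<hop> <name> (<ip>) ..."; a "* * *" line has no "(ip)" and will not match
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<name>\S+)\s+\((?P<ip>[\d.]+)\)")

def parse_hops(text):
    """Return (hop, name, ip) for every answered hop, in order. When traceroute
    got no reverse DNS, name is the same string as ip."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m["hop"]), m["name"], m["ip"]))
    return hops

def upstream_candidate(text, spammer_block):
    """Walk back from the destination to the nearest hop whose address lies
    outside the spammer's own block; that router belongs to whoever feeds the
    block. domain is None when there is no reverse DNS (IP-whois the ip)."""
    block = ipaddress.ip_network(spammer_block)
    for hop, name, ip in reversed(parse_hops(text)):
        if ipaddress.ip_address(ip) in block:
            continue
        if name == ip:                          # no reverse DNS for this hop
            return {"hop": hop, "ip": ip, "domain": None}
        labels = name.lower().rstrip(".").split(".")
        return {"hop": hop, "ip": ip, "domain": ".".join(labels[-2:])}
    return None
```

Confirming the candidate with a forward lookup of the reported name, as the page does with the host command, is still a separate manual step.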

[G4733:~] rconner% whois 63.243.155.30

OrgName: Teleglobe Inc.
OrgID: GLBE
Address: 1441 Carrie-Derick
City: Montreal
StateProv: QC
PostalCode: H3C-4S9
Country: CA

NetRange: 63.243.128.0 - 63.243.255.255
CIDR: 63.243.128.0/17
NetName: TELEGLOBE-3BLK
NetHandle: NET-63-243-128-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: CASTOR.TELEGLOBE.NET
NameServer: POLLUX.TELEGLOBE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-08-17
Updated: 2002-07-30

TechHandle: ZT129-ARIN
TechName: IP Admin
TechPhone: +1-514-868-8308
TechEmail: ip-addr@teleglobe.ca

OrgTechHandle: ZT129-ARIN
OrgTechName: IP Admin
OrgTechPhone: +1-514-868-8308
OrgTechEmail: ip-addr@teleglobe.ca

# ARIN WHOIS database, last updated 2005-10-15 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

This lookup conveniently also gives us the contact info for Teleglobe, which we can use to direct our upstream report.


(c) 2003-2008, Richard C. Conner

Updated: Wed, 11 Jun 2008