Sending Virus or Spam Abuse reports

It occurred to me that I may not have brought things to a neat conclusion in the earlier post about tracking email header data. I did make reference to sending an abuse report. Here’s an attempt to clear up a few things that might still be fuzzy.

1) Usually the correct address is ab use@ser *(spaces inserted to prevent scraping.) It’s worth checking to verify that this is correct for the domain you’re looking to report to (abuse@ is a mailbox that is required to be working for a domain.)

2) Don’t send reports on every single message; you essentially overwhelm the abuse desk’s ability to cope. Reserve that for incidents that are a step beyond the normal noise: for instance, multiple messages from the same machine (or a flood), multiple bounces that have been sent in your name (without your OK), threatening messages. The list goes on a bit, but the point is to save this for _serious_ problems.

3) Include the message headers of at least one sample. (I like to send two sets of headers along just to give corroboration. Since it’s possible to create extra Received: lines, it makes an argument much stronger to see two messages with the same originating Received: stamps. In other words, it makes it easier to see the “point where the lines meet”.)

So the only question I see left is how do I get at the headers?

It varies by mail client. I use Evolution under Linux; there you go to the View menu, then Message Display, and select “Show Email Source”.

Under Kmail/Kontact on Linux you highlight the message and select View, headers, all headers from the main menu.

In Yahoo’s webmail there’s a link when you’re viewing a message to view “full headers” at the right hand side near the top. (If you don’t see it, you may need to troll through the options.)

Microsoft Outlook Express under Windows is a bit trickier. When viewing the list of messages, right-click the desired message and select Properties, then Details, and it will show the headers in the box. (It is possible to select and right-click copy from here.) When you’ve opened a message “standalone” (in its own window as opposed to the preview mode), you can get to the same box from the File menu, then Properties.

In Microsoft Outlook, when viewing the message you have to use that message’s view menu, then select options, and there you should see a box with the headers. (Tested with Outlook 98)

And under Mozilla Thunderbird (for Windows; not sure if the user interface is identical under Linux), you can highlight a message (or open it) and then select the View menu; “Message Source” should be near the bottom. (It also has the shortcut Ctrl-U.) I presume that would work while viewing or previewing a message.

Once you can see the headers, all you have to do is copy and paste them into a brief message. It’s best to be kind to the abuse admins, I suspect they get a lot of abuse themselves, so try and avoid the nasty rants about how their flood of junk from a viral system has paralyzed your work for the day. Straight and to the point is how I usually go.

Subject: Machine in **SERVICE PROVIDER DOMAIN** has been sending a flood of junk|virus mail my way

Hi, my name is Avery and I’ve been receiving a large number of viral/spam messages from a machine that appears to be in the **SERVICE PROVIDER DOMAIN** network. Below you will find headers from two messages that seem to have originated from **IP ADDRESS of sick system**

paste header 1

paste header 2

Thanks for your attention in clearing the matter up,


blah blah blah

I tend to like giving the IP of the system I suspect in the text, to keep them from having to connect the dots themselves. Also, if it’s a virus and I know which virus it is (my mail server’s AV scanner named it, for instance), then I’ll mention that in the email as well. I feel that, if nothing else, it gives them a bit more information, shows that you have a clue, and hopefully helps things get cleared up quickly.
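The corroboration step from point 3 and the report template above, worked through as an added example (this is not code from the original post): it parses the Received: chains of two constructed sample messages, reports the connecting IP our own server stamped, finds the deepest hop on which both chains still agree (the “point where the lines meet”), and assembles the short report. All host names, IP addresses, the `mail.mydomain.test` server name and the `virus_name` parameter are invented for the example.

```python
import email
import re

# Two constructed sample messages (invented for this example, not real traffic).
# Received: lines read newest-first: the top one was stamped by our own server,
# the bottom one is a forged line that the sending malware could have added itself.
MSG_A = """\
Received: from mx.example-isp.test (mx.example-isp.test [198.51.100.7])
\tby mail.mydomain.test (Postfix) with ESMTP id 1A2B3C
\tfor <avery@mydomain.test>; Mon, 01 Jan 2007 10:00:00 -0500
Received: from dsl-pool-42.example-isp.test (dsl-pool-42.example-isp.test [203.0.113.42])
\tby mx.example-isp.test with SMTP; Mon, 01 Jan 2007 09:59:58 -0500
Received: from fakehost.invalid ([192.0.2.1])
\tby dsl-pool-42.example-isp.test; Mon, 01 Jan 2007 09:59:50 -0500
From: someone@example.test
To: avery@mydomain.test
Subject: sample one

body one
"""

MSG_B = """\
Received: from mx.example-isp.test (mx.example-isp.test [198.51.100.7])
\tby mail.mydomain.test (Postfix) with ESMTP id 4D5E6F
\tfor <avery@mydomain.test>; Mon, 01 Jan 2007 10:05:00 -0500
Received: from dsl-pool-42.example-isp.test (dsl-pool-42.example-isp.test [203.0.113.42])
\tby mx.example-isp.test with SMTP; Mon, 01 Jan 2007 10:04:57 -0500
Received: from otherfake.invalid ([192.0.2.200])
\tby dsl-pool-42.example-isp.test; Mon, 01 Jan 2007 10:04:50 -0500
From: someone-else@example.test
To: avery@mydomain.test
Subject: sample two

body two
"""

# A flattened Received: line looks like "from <host> (<rdns> [<ip>]) by <host> ...".
# The IP in square brackets is the address the stamping server actually saw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def received_hops(raw_message):
    """Return the Received: chain top-to-bottom as dicts with from/ip/by."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"from": m["host"], "ip": m["ip"], "by": m["by"]})
    return hops


def connecting_ip(raw_message, my_server):
    """The IP that connected to our own server: the one stamp we can trust outright,
    because our server wrote it and nobody upstream could have altered it."""
    for hop in received_hops(raw_message):
        if hop["by"].lower() == my_server.lower():
            return hop["ip"]
    return None


def common_origin(raw_a, raw_b):
    """Walk both chains downward from our server and return the deepest hop at which
    the two messages still agree on the IP. Hops below that differ, which is where
    forgery (if any) begins; the agreeing hop is the machine worth reporting."""
    match = None
    for ha, hb in zip(received_hops(raw_a), received_hops(raw_b)):
        if ha["ip"] != hb["ip"]:
            break
        match = ha
    return match


def draft_report(provider_domain, suspect_ip, raw_samples, virus_name=None):
    """Assemble the short, plain report the post recommends: a subject line,
    a one-paragraph summary naming the suspect IP, then the full headers."""
    header_blocks = [raw.split("\n\n", 1)[0] for raw in raw_samples]
    summary = (
        f"Hi, I've been receiving a large number of viral/spam messages from a "
        f"machine that appears to be in the {provider_domain} network. Below you "
        f"will find headers from {len(raw_samples)} messages that seem to have "
        f"originated from {suspect_ip}."
    )
    if virus_name:  # hypothetical extra detail, as when an AV scanner named the payload
        summary += f" My mail server's AV scanner identified the payload as {virus_name}."
    return (
        f"Subject: Machine in {provider_domain} has been sending a flood of junk|virus mail my way\n\n"
        + summary + "\n\n" + "\n\n".join(header_blocks)
        + "\n\nThanks for your attention in clearing the matter up.\n"
    )


if __name__ == "__main__":
    origin = common_origin(MSG_A, MSG_B)
    print("connecting IP seen by our server:", connecting_ip(MSG_A, "mail.mydomain.test"))
    print("point where the lines meet:", origin["ip"], "via", origin["from"])
    print(draft_report("example-isp.test", origin["ip"], [MSG_A, MSG_B]))
```

Only the line stamped by your own server is authoritative; the agreement between two chains is corroboration, not proof, since identically forged lines would also agree. Include every Received: line in the report anyway and let the abuse desk draw its own conclusions.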

Some providers send a quick auto-response back with general info (Telling what “jurisdiction” this email account has, where to take other specific matters, etc.) Sometimes though you hear nothing at all. I don’t think I’ve ever heard anything back outside of the auto response “thank you for your message” stuff. One provider I’ve dealt with several times is pretty good with their response and I can see the flood stop within 24-48 hours usually. On that point your mileage will likely vary wildly.

