Spam investigating methods you might not know about
This is what I do with quite a few of the emails that manage to get through to me. Before we start into the late night antics of tracking down a spammer, I should note the following.
- Email addresses are almost always spoofed – don’t reply with profanity, as it’s likely just the spammer spoofing a legitimate person’s email address.
- Reply addresses on text messages are generally fake too. Any time you hear of someone dumping 60,000 messages back to a number they think spammed them, they’re probably flooding some innocent person’s phone, and on some plans those incoming SMSs cost money.
- URLs in spam are generally fake. Hovering a mouse over them will usually reveal a different URL, as one is the display text (what you see) and the other is the actual link.
Investigating a domain name
Ever wonder about a domain name, like how legitimate it might be? Oh, someone says there’s a bad review about Pocketables going viral at “badreviewssharing.website” – oh no, I’m devastated. Really, you can’t imagine how scared I am. That’s not sarcasm. I’m soooo scared.
So I got this spam saying I should check out the video hosted at the above unlinked website, and here’s what I do whenever there’s any question before clicking anything.
First I drop by whois.com. I enter the website name in question and get back the registry report.

Yes, a domain that was first registered 4 days ago has a bad review of my website going viral. Whatever shall I do? (seriously guys, support me on Patreon, don’t know if I can handle the financial damage caused by that 4 day old website).
What’s hidden in that message header?
Secondly, assuming that was something registered more than 4 days ago, I would look at the headers of the email. These will tell you where the message actually came from.
Google has a really good message header analyzer tool you can use for free.
We’re going to use a different spam email, as the above website was sent via a contact form, so we’ll move on to some Ashley Madison spam that someone’s sending Pocketables:
Delivered-To: [email protected]
Received: by 2002:a81:3dd4:0:0:0:0:0 with SMTP id k203csp908078ywa;
Thu, 7 Feb 2019 11:09:51 -0800 (PST)
X-Google-Smtp-Source: AHgI3Ia4vrohxa4bYtgU7eToNE5FuhNNfbSF8T+DrcnHPTMO0hSO4iuNWYKERBH8kfB0z0eQyRvy9PoV2Ls=
X-Received: by 2002:a25:6041:: with SMTP id u62mr14815946ybb.149.1549566590660;
Thu, 07 Feb 2019 11:09:50 -0800 (PST)
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 185.63.35.2 as permitted sender) [email protected];
dkim=pass [email protected] header.s=mail header.b=cqSWjRhl
Received-SPF: pass (google.com: domain of [email protected] designates
And about 200 more lines below that. Plug that into Google’s little thing and I get that the email is coming… from INSIDE THE HOUSE… no, really, an IP address of 185.63.35.2 is the source.
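The same header check can be done locally. The Python below is an added example, not code from the original post or from Google's analyzer: it reads the SPF/DKIM verdicts and the sending IP from the Authentication-Results header, trusting only the one stamped by the receiving server (assumed to be mx.google.com, as in the headers above). The addresses, domains and the second, forged header in the sample are constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above. Addresses and domains
# are placeholders; the second Authentication-Results imitates a sender-injected one.
SAMPLE = """\
Delivered-To: reader@example.org
Received: by 2002:a81:3dd4:0:0:0:0:0 with SMTP id k203csp908078ywa;
        Thu, 7 Feb 2019 11:09:51 -0800 (PST)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce@mailer.example designates 185.63.35.2 as permitted sender) smtp.mailfrom=bounce@mailer.example;
       dkim=pass header.i=@mailer.example header.s=mail header.b=cqSWjRhl
Authentication-Results: mx.forged.example;
       spf=pass (domain of ceo@bank.example designates 192.0.2.9 as permitted sender) smtp.mailfrom=ceo@bank.example
From: "Ashley" <offers@other.example>
Subject: constructed sample

body
"""


def analyze(raw, trusted_authserv="mx.google.com"):
    """Read only the Authentication-Results header stamped by our own receiver."""
    msg = message_from_string(raw)
    out = {"spf": None, "dkim": None, "source_ip": None,
           "envelope_domain": None, "ignored": 0}
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())  # unfold continuation lines
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            out["ignored"] += 1  # any upstream sender can add this header
            continue
        for method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", rest):
            out[method] = verdict
        ip = re.search(r"designates (\S+) as permitted sender", rest)
        if ip:  # ip_address() raises ValueError on anything that is not an IP
            out["source_ip"] = str(ipaddress.ip_address(ip.group(1)))
        mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", rest)
        if mailfrom:
            out["envelope_domain"] = mailfrom.group(1).rpartition("@")[2].lower()
    out["from_domain"] = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Simplified exact-match comparison; real DMARC alignment also allows subdomains.
    out["aligned"] = out["from_domain"] == out["envelope_domain"]
    return out


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A pass for SPF and DKIM only means the sending server was authorized by the envelope domain, which a spammer can register and configure themselves, so the IP and the From/envelope mismatch are the useful parts for tracing.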
Where’s that mail server?
Next, we take a look at that ol’ IP address at ARIN – this is the American Registry for Internet Numbers. In this case we get that the Ashley Madison spam is coming from the RIPE network.
Pop over to RIPE, plug in the IP address, and now I’ve got a physical contact for where this company is located. In this case it’s coming from the Ukraine and so now we call up Carl who’s over in the Ukraine and see if he can go knock on their door and tell them to stop it.
We’ll know about Carl’s adventures probably next week.
I check the email for links: it’s a domain hidden behind Cloudflare (which has legit purposes as well; we use it), registered in Panama, and the link will definitely know it’s me if I click it in an attempt to get an affiliate ID out of them. That’s a dead end.
What’s in the box?
But sometimes you’ve got to open a link… for that I’m using the Tor Browser with JavaScript off and a few other tweaks, and that bad review website we were first spammed with dumps me to a … Gearbest landing page.

Gearbest, as a note, is a company we’ve occasionally worked with. And one of the people in their affiliate programs just spammed me with a bad review website. Wonder who ?lkid=18124852&cid=120172650046689282 is. Let’s ask Gearbest!
So we go over to gearbest.com, open a ticket with the full URL, and ask them who that affiliate is. Let’s see what happens.