Tracking the Source of Spam E-mails

August 31, 2003

Spam e-mails are the curse of the internet.

Many spam filters only block e-mails from particular sources, and do not filter the content. One reason spam may be getting through your filters is that the immediate text of the e-mail is innocuous, but the e-mail contains code which on opening calls an image down from a Web-site (what is known in the trade as “beaconing”).

One common spam at the moment promises male anatomical enlargement. Part of the irritation and difficulty in dealing with the problem is that the senders are anonymous. That requires a little Web detective work.

If you are using Microsoft Outlook and right-click anywhere on the e-mail, you will bring up a menu including a “view source” option. Choosing that option opens a text window in which you will see a series of lines of HTML code.

In my example investigation, the important line was one that read <a href="http://www.gpro.tc/gp/?action=home&id=oxygen"> – you should find something similar.

www.gpro.tc is the name of the Web-site from which the material originates. In this case, the “.tc” ending indicates that this is a domain relating to the Turks & Caicos Islands in the Caribbean. In fact, the Turks & Caicos domain name registry is run rather closer to home, by a company called AdamsNames Limited, a company registered in England no 3714632. Their contact details are 3, Adams Rd, Cambridge, Cambridgeshire, CB3 9AD, tel: 01223 353203 and there appear to be two directors, Michael Oldfield and Sean Jackson, whose addresses are available from Companies House.

Adams Names claim that it is not their responsibility to police the site. They say that they have merely registered the domain name to a re-seller, in this case Network Solutions. However, at least the company Adams Names Limited and its directors are within this jurisdiction.

Network Solutions Inc is a subsidiary of Verisign, a publicly-quoted US company, based in Virginia. Its contact details are Network Solutions, Inc. 21355 Ridgetop Circle, Dulles, VA 20166 US tel: 001-888-642-9675. If you complain to Network Solutions, you are likely to receive (as I did) a standard email reply stating: “Network Solutions is responsible for administration of the name space, not for policing its content or use”. That remains to be seen – the law in the United States is developing rapidly in this area at both State and Federal level.

You can also use “WHOIS” (in this case, on the Network Solutions Web-site) to look up the gpro.tc domain name. It is registered to Cipher Hosting, 8133 Vineland Ave, Los Angeles, CA 91608 US, tel: 001-877-840-1928. The domain is served by the following name servers:

NS1.GPRO.TC 200.206.183.223

NS2.GPRO.TC 200.206.193.190

So it turns out that the source of these particular e-mails is a California-based ISP taking advantage of a Turks & Caicos domain name administered by a registry in England.

Can we do anything about it? That remains to be seen. But at least we are closer to knowing who the culprit is!
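The “view source” step described above can also be done programmatically. The following Python script is an added example, not part of the original article: it lists every remote host that an HTML e-mail refers to, with its top-level domain, and marks the references a mail client may fetch on opening (the beaconing case). The sample message is constructed; only the www.gpro.tc link comes from the article, and the example.invalid addresses are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body. Only the www.gpro.tc link comes from the
# article; the image URL and the mailto address are placeholders.
SAMPLE_SOURCE = """<html><body>
<p>Special offer inside</p>
<a href="http://www.gpro.tc/gp/?action=home&id=oxygen">Click here</a>
<IMG SRC="http://img.example.invalid/open.gif?u=12345" width="1" height="1">
<a href="mailto:someone@example.invalid">unsubscribe</a>
</body></html>"""

# Tag/attribute pairs that carry a URL. "auto-load" marks references a mail
# client may fetch as soon as the message is opened (beaconing); "link"
# marks references followed only when the reader clicks.
URL_ATTRS = {("a", "href"): "link", ("img", "src"): "auto-load",
             ("iframe", "src"): "auto-load", ("body", "background"): "auto-load"}


class RemoteRefParser(HTMLParser):
    """Collects http/https references found in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lower-cased
        for name, value in attrs:
            kind = URL_ATTRS.get((tag, name))
            if kind is None or not value:
                continue
            try:
                parts = urlsplit(value.strip())
            except ValueError:  # malformed URL: nothing to look up
                continue
            if parts.scheme not in ("http", "https") or not parts.hostname:
                continue  # skips mailto:, cid: and relative references
            host = parts.hostname.rstrip(".")
            self.refs.append({"kind": kind, "host": host,
                              "tld": host.rsplit(".", 1)[-1], "url": value.strip()})


def remote_refs(html_source):
    """Return the remote references in document order."""
    parser = RemoteRefParser()
    parser.feed(html_source)
    parser.close()
    return parser.refs


if __name__ == "__main__":
    for ref in remote_refs(SAMPLE_SOURCE):
        print(f'{ref["kind"]:9}  .{ref["tld"]:8} {ref["host"]:24} {ref["url"]}')
```

Each host it prints is a candidate for the WHOIS lookup described above.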

Glen Davis is a barrister at 3/4 South Square, a Trustee/Director of Society for Computers & Law and chairs the Society’s Media Board.