I reported a spammer and got his account shut down!

On Monday I received a curious variant of the Nigerian bank fraud scam, apparently modified to take advantage of the emotions evoked by recent news headlines concerning human rights abuse in Sudan. The e-mail headers gave an originating IP address, which I traced using the command whois -h whois.ripe.net 192.116.114.0 to an IP block owned by Gilat Satcom in McLean, Virginia. I forwarded the spam to the abuse reporting address given by the output of the whois command, and on Tuesday I got a reply saying that the spammer’s account had been shut down. It would have been nice to see Virginia’s tough anti-spam legislation put to the test, but I can settle for a blocked spammer’s account.

It’s nice to know that old-fashioned proactive solutions are still effective in the never-ending war on spam, which lately seems to have been relegated to Bayesian filters and other passive solutions.

Nice work. I did this once too, and it feels great. Not as great as it would feel to light the spammer’s car on fire though.

I’m curious about your success in this. It’s been my understanding that it’s very difficult to trace a spam back to its real source. How did you happen to try this one? And what do you mean by “using the command …” and all that code, used that command where? I’m not trying to grill you, but I’d be interested in trying the same thing on occasion.

Anyway, good job. I wish more people would be this proactive.

If there’s one thing it’s nearly impossible for a spammer to spoof, it’s the IP address of the machine where the spam originated. Thankfully my mail client puts this information in a prominent place, among the other essential headers (From, To, CC, Subject, and Date). So I opened a command prompt/terminal window/console on one of the Solaris machines in the computer lab where I work, and typed in the whois command exactly as quoted in the OP. The output of this command revealed which company owns the IP block on which the spammer lives, along with contact information for reporting abuse. The story then proceeds just as described in the OP.
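Added example, not part of the original thread: a Python sketch of the header-reading step described in the post above. It accepts only Received lines written by mail servers the recipient runs, because anything below that boundary was supplied by the sender. The host names, internal range and sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message; all addresses are documentation/private ranges.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [10.0.0.5])
\tby mailstore.example.org with ESMTP id A1; Mon, 7 Jun 2004 10:00:03 -0400
Received: from unknown (HELO bank.example.com) ([203.0.113.77])
\tby mx.example.org with SMTP id B2; Mon, 7 Jun 2004 10:00:01 -0400
Received: from trusted.example.net ([198.51.100.9])
\tby relay.invalid with SMTP id C3; Mon, 7 Jun 2004 09:59:00 -0400
From: someone@example.com
Subject: URGENT BUSINESS PROPOSAL

body
"""

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)        # server that wrote the line
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # peer address it recorded


def originating_ip(raw, trusted_hosts, internal_nets):
    """Return the first outside IP recorded by a server we run, else None."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for hop in message_from_string(raw).get_all("Received", []):  # newest first
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in trusted_hosts:
            return None  # line written by someone else: could be forged
        ip = IP_RE.search(hop)
        if not ip:
            continue
        try:
            addr = ipaddress.ip_address(ip.group(1))
        except ValueError:
            return None  # malformed address, do not guess
        if any(addr in n for n in nets):
            continue  # internal hand-off, keep walking toward the edge
        return str(addr)
    return None


if __name__ == "__main__":
    ours = {"mailstore.example.org", "mx.example.org"}  # assumed own servers
    print(originating_ip(SAMPLE, ours, ["10.0.0.0/8"]))
```

The address it returns is the one to hand to the whois lookup quoted in the thread; the third Received line in the sample is never consulted because no trusted server wrote it.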

Thanks, FlyingDragonFan (and neuroman too).