INTERNIC WHOIS
www.networksolutions.com/cgi-bin/whois/whois to check out who owns a domain name. Make sure you only put in the last part of the domain name - example: if you get a spam for members.junk.com, you should only put in junk.com.
ARIN WHOIS
http://www.arin.net/whois/index.html to check out who owns an IP address (or at least, who's responsible for it). There are also links to the RIPE and APNIC (European and Asia/Pacific) firms responsible for those segments of the world on ARIN's main WHOIS page. I have direct links to those, and they're listed a few lines below this segment.
TRACEROUTE (1st level)
www.ntplx.net/traceroute to trace a website down to its actual location. I call it 1st level because it's the "first" tool I use for tracerouting. There are some sites that hide themselves, making it difficult to actually determine their location. That's when I go to 2nd Level (see next link). Lots of times, when you see a website's InterNIC registration, it'll tell you who owns it and who gives it DNS (Domain Name Service), but not where it's actually hosted. Once you get an IP address indicating where a website is actually hosted, you can go to ARIN and see where a spam site is actually living. This site can also help you find the actual IP address when they give you the numeric version, i.e., 3438189349 = 204.238.155.73. There is a way to figure all this out on your scientific calculator on Windows, but this is much faster, and typically kills two birds with one stone anyway, since there are times you need to see who the upstream provider is. All this stuff will be a little more clear in some of the "hunting expedition" examples, coming up shortly.
TRACEROUTE (2nd level)
http://network-tools.com is a slightly more powerful tool to do several things at once. Usually I'll use it if the "first level" traceroute tool is unable to get any useful information. It's a bit slower, but it can usually get you info the first site can't, or if the spamming domain is a "black hat" this one can usually get past them.
SAM SPADE
www.samspade.org for Sam Spade tools! You can use the web-based tools found there, and there are some tools you can download and use yourself. This is an essential tool for spam-fighters. It can unscramble those %23%24 type URLs, as well as those trying hard to make you complain to the wrong place. It also looks up rDNS listings, if they're available, and has a look-up utility to see if an IP address is in the RBL.
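An added example, not from the original page and not Sam Spade's own code, of the decoding described in the TRACEROUTE and SAM SPADE entries above: it undoes %XX escapes, discards decoy text placed before an "@", and converts numeric hosts to dotted-quad form so the result can be looked up at ARIN. The function names are hypothetical, and the sample URLs are constructed around the documentation address 192.0.2.1; IPv6 literals are not handled.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

def _num(part):
    """Parse one address part as inet_aton does: 0x = hex, leading 0 = octal."""
    if part.lower().startswith("0x"):
        return int(part, 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)

def numeric_host_to_ip(host):
    """Return the dotted quad for a numeric host (dword, hex, octal), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isalnum() for p in parts):
        return None
    try:
        *head, last = [_num(p) for p in parts]
    except ValueError:
        return None  # contains letters: an ordinary host name
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def real_host(url):
    """Return (host actually contacted, decoy text before '@' or None)."""
    netloc = urlsplit(url).netloc
    # Everything before the last '@' is userinfo, not the host.
    decoy, _, hostport = netloc.rpartition("@")
    host = unquote(hostport.split(":", 1)[0]).lower()  # drop port, undo %XX
    return numeric_host_to_ip(host) or host, unquote(decoy) or None

# Constructed samples (hypothetical URLs); the numeric ones all mean 192.0.2.1.
SAMPLES = [
    "http://3221225985/offer.html",
    "http://www.example.com@3221225985/",
    "http://%33%32%32%31%32%32%35%39%38%35/",
    "http://0xC0.0x00.0x02.0x01/",
    "http://members.junk.example/page",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", real_host(url))
```

The first element of the result is what goes into the IP WHOIS lookup; a non-empty second element is the name the sender hoped you would complain to instead.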
ASIA-PACIFIC IP ADDRESSES
http://www.apnic.net/apnic-bin/whois.pl for anything in the Asia/Pacific area. NOTE: Japan and Korea, you'll have to look up specific information on the two following links:
JAPAN IP ADDRESS LOOK-UP
http://whois.nic.ad.jp/cgi-bin/whois_gw
KOREAN IP ADDRESS LOOK-UP
http://whois.nic.or.kr/english/index.html
RIPE (EUROPEAN IP ADDRESS LOOKUP)
http://www.ripe.net/cgi-bin/whois
DIG, and other useful tools!
http://kryten.eng.monash.edu.au/gspam.html Note that this site is not always available.
Domain links for registries around the world.
www.uninett.no/navn/domreg.html
There are some websites set up as click-throughs that don't want you looking at the source code of their web pages. They use something called Javascript and/or HayWire! to make it impossible for a human to read. If you come across that type of thing, cut and paste the source code of that page into the little decoding box found here: http://hesketh.com/schampeo/spam-l/decode_haywyre.html
There are now several ways to encode the source code of a website to hide what they're doing or where they're sending the information. This site will decode several types of codes:
www.swishweb.com/dec.shtml
The latest type of scrambling is Windows script. Here's a link to the decoder program - make sure you read the readme.txt after you download it so you know how to use it:
http://www.virtualconspiracy.com/scrdec.html
Really complex URL, and can't figure out where it is? http://www.netdemon.net/decode.html should help.
Often a website will come up, then re-direct you to someplace else. To see what is happening, use this site - be sure to click the "verbose" box so you can see what is happening:
http://www.locus.halcyon.com/gspam/ NOTE: this link is down, currently looking for a replacement for it. Sorry!!!
Go HERE for a few words of advice on how to proceed once you get all the information.
http://www.ecst.csuchico.edu/~atman/spam
"white hats" (Know your friends).
http://www.sengir.demon.co.uk/spam_sites.html is a list of spamware selling sites. These are the enemy, the bad guys, those who love making money as you and your family are annoyed by spammers who buy their software. Know your enemies.
Registry of Known Spam Operators (ROKSO). Find a listing of them, and their supporting ISPs, HERE. This is the REAL low-down on who's making it possible to spam you. Again, know your enemies.
http://www.rahul.net/falk/quickrefa.html is a who's who of everyone in this little battle. Note that some of the links are old.
Info from the Federal Trade Commission can be found here.
Were you given a phone number to call to remove yourself from future spam? If so, click here for the low-down on THAT scam!
There be trolls here!
Humor: a Make Money Fast parody!
You gotta know who and what you're talking about:
http://www.utdallas.edu/ir/tcs/techsupp/acronyms.html
http://www.ncf.carleton.ca/ip/freenet/subs/complaints/spam/jargon.txt
http://www.idir.net/~medintz/antispam/glossary.html
This is a listing of some of my special people. Adopt a spammer yourself and make their life as miserable as they make yours.
Gotten a spam saying "We'll stealth bulk e-mail for you" or "GET BULK E-MAILING DONE"? Did it start off "I am sorry if this ad as offended you. Please go to removeall@china.com to be removed."? Did it have the following statement in it: "We can also send some form of verification, so why not give us a call and see what it is that we can do for you. call anytime 209-669-0176, we are in California. METHOD OF PAYMENT, CASHIERS CHECK MONEY ORDER OR BANK WIRE."? It's Cybernet. His latest e-mail address is netvision@wac.com (a free internet access site). His other phone number is 209-656-9143. If you received a spam advertising some site, and it said:
---quote---
To be removed from this mailing please go to removeall@china.com
This e-mail is being sent by Cybernet enterprise..in compliance
with the law. We at Cybernet will prosecute any harm brought by
anti-spamers.
---end quote---
then you want to go here to find out more about this friendly spammer.
Info on Dana Jones, the goofball, er, GOLFball spammer: