Quick Tour

Product Info

  Freeware eMail CRM Maximize the life-time value of your clients and getting them to smile at you Art of eMail CRM Applying minimum efforts for maximum result, at the shortest time? emails eMail Bolts & Nuts Interesting emails stuff that you should  know eMail Broadcast FAQ's eMail Marketing Tips
Great email strategies to help you increase sales
Email Spam tracking 101 - Meaning of email headers
Email Spam tracking 102 - The many uses of DejaNews
Email Spam tracking 104 - A spammer unmasked

Thinking of bulk emailing - Consequences of spamming?

Figuring out fake eMail - Deciphering fake email or posting?

WHOIS tool for Email Spam tracking 103
by Bill Mattocks

WHOIS database is a compendium of domain names and does not speak "human" or "English" but in IP (Internet Protocol) addresses

Many thanks to all; I have received a warm response to Spam-tracking 101 and 102 I was intending to do 103 (this site) in a few days, but what the heck, you all have warmed the cockles of my heart! (What exactly is a cockle, anyway?)

So here it is - Spam-tracking 103 , the WHOIS tool

By the way, there are a lot of folks out there who know MUCH more about spam-tracking than I do. Please feel free to put out your own curriculum. The important thing is that we educate this flood of newbies and lurkers who hate spam as much as we veterans do. We want everyone to get into the the spam-fighting biz, don't we?

Are you sitting comfortably?.... Good, then I'll begin.

Since the Internet was essentially started by stringing together a bunch of computers that spoke the Operating System known as Unix, most of the administrative and client tools that act over the internet were originally Unix tools, as well.

eMail Bolts & Nuts FAQ's
How to manage and clean bounced or undelivered emails? Understand why emails get bounced
How to use your desktop PCs as an email server and bypass your ISP email server, a simple process using a free mail server program
How to test your message and see if it gets deleted by broad based anti-spam filters?
A one page email course. Everything you wanted to know about emailing in a "nut shell"
Quick guide to: dig finger traceroute ping whois nslookup IP block FTP SMTP relay TCP/IP Port
How to embed email tracking code into your email? Invisible counters, codes, scripts to track viewer
Send HTML or TEXT email using formatted HTML email, you can send an entire webpage
How to embed images into HTML email for faster emailing? Prevent displaying linked-site in recipient email client status bar
RFC defined ESMTP, SMTP Status Email Error Codes? These codes are used to provide informative explanations of error conditions
How email works?  Delivery of each email is done
by your ISP mail server, first establishing a conversation through your recipient port 25
Some spiders visit site after site, collecting email addresses and controlling these rogue spiders spam bots or email harvesters with robot.txt
About TCP/IP and mail server port numbers? It is a number between 1 and 65535 which identifies to the receiving computer what function you want to perform
Even UseNet was at one time only readable by Unix machines and those who had mastered its arcane command set. There are still a bunch of us old grizzled veterans around, and you will see us speaking to each other in bizarre terms and buzzwords, and you might wonder what the heck we're talking about.

Fortunately, most, if not all, of the tools that are used on the Internet have been reproduced in a more user-friendly, graphical, way in the Windows, Windows 95, and MacIntosh arenas. This, then, is an introduction to the major tools that systems administrators (sysadmins) use to track down Internet problems. Also fortunately, most of them are readily adaptable to search out the roots of spam.

In this lesson, we begin with WHOIS

WHOIS database is a compendium of domain names. You may already know that the Internet itself does not speak "human" or "english." It speaks in IP (Internet Protocol) addresses.

Those addresses have to be linked to the human domain names in a database in order to be useful. If I were typing from a Unix prompt, I would type the commands like this:

whois comp-sol.com





The point here is that WHOIS can be used in a variety of ways to query the information contained therein.

eMail Bolts & Nuts FAQ's
The function of URL or Uniform Resource Locator?
A command for your email address, some mail clients may not be able to translate it into an email address
A standard client server protocol for receiving email. POP3 is use for retrieving Internet email from ISPs mail server...
Collections of important useful emails related sites? Free email stuff, real cool, give it a try
Advanced DNS (dig) for the DNS records of a host or domain showing all the DNS records
All about IP Addresses, DNS, Internet addressing. Serious stuff, perfect remedy if you can't sleep
Email history, email netiquette, improving email presentation, email with sound, pictures--give it a try
101 Email spam tracking and meaning of message header? 102 DejaNews the most powerful dedicated spam-tracker's tool 103 The spam tracker tools: Whois, nslookup, traceroute, dig 104 Spam tracking
Never use ISPs that hosts your web site to send out newsletter. If they cancel your account, you will lose all your web pages
Warning: If you publish an online newsletter or email to any opt-in list (including your own list), it is critical that you read this
The history of Spam starts with Monty Python's Flying Circus and Vikings singing Spam
A list of return error codes by Windows Sockets API returned by WSAGetLastErrorcall with descriptions
Meet The Kings of SPAM - You don't need rocket science to figure out how to send spam emails

Sometimes, you may get a bewildering response from Internic, but there is usually something further that you can query to track a source of spam. If you don't know how to begin, try just typing in
whois "anything" and see what you get. You won't break it or make anyone mad at you.


If you query a domain name, say "spamlovers.com" and get a "No Response Found" reply from Internic, that means that it is NOT a legitimate domain name, because Internic has authority over all domain names that end in .com.

Same for .net , .org , and .edu . Notice, please that you must enter spamlovers.com and not www.spamlovers.com or spammachine.spamlovers.com to get a positive response.

It is just the last bit of the domain name in front of the dot that we are interested it. The bit in front of spamlovers.com denotes a machine belonging to that organization, but it is named locally, not by Internic.

Now, on to the domain name. If you are querying a US domain name, and it is legitimate, you should get back a response, and it may look something like this:

whois comp-sol.com

Computer Solutions of Kenosha (COMP-SOL-DOM)
2031 22nd Avenue
Kenosha, WI 53140

Domain Name: COMP-SOL.COM

Administrative Contact, Technical Contact, Zone Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM
Billing Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM

Record last updated on 06-Sep-97.
Record created on 09-Aug-95.
Database last updated on 12-Sep-97 04:47:08 EDT.

Domain servers in listed order:


The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.







Spam-tracking 103 WHOIS tool nslookup and traceroute freeware download
whois.internic.net or network solutions are network registries to find out contact info for current domain or IP address
nslookup a DNS tool that Perform forward and reverse DNS queries for the current address (this will usually give you the IP address of a hostname)
traceroute finds the route packets take between you and the selected address
Email in a "nut shell" a one page course about emailing. Everything you wanted to know about emailing.
How email works? Delivery of each email is done by your ISP mailserver establishing a conversation through (port 25) of your recipient mail server
Free2-Try 100% effective. The easiest way to Stop Spam getting into your PC. I recommend it. stop spam
Free eBook Sun Tzu Art of War Commanders without thoughtful strategy invite defeat.

Sun Tzu

Free eBook Great online Stealth Marketing strategies to help you increase sales email tips


Dolly Kee Managing Director
Image Power

eMail CRM maximize
the life-time value of  my customers, I recommend it.

Freeware for home, office PC


Let's deconstruct the information and see what it means:

Computer Solutions of Kenosha (COMP-SOL-DOM)
2031 22nd Avenue
Kenosha, WI 53140

OK, so this is a supposedly a business, called Computer Solutions of Kenosha, in Kenosha, Wisconsin. The "(COMP-SOL-DOM)" bit indicates that comp-sol.com is indeed the domain name. Please bear in mind that spammers are becoming educated about domain names and whois.

They often put bogus information in when they register with Internic to get their domain name. That's against the rules, but Internic won't do anything about it at this time. We live with what is. Still, many times this information will be correct.

If nothing else, Internic has to have a way to bill the domain. If the information given is totally bogus, the spammer probably intends not to pay the bill, but merely to use the domain name until it expires, and then register a new one. Let's move on:

Administrative Contact, Technical Contact, Zone Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM
Billing Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM

This bit tells us who is responsible for the domain, who pays the bills, who keeps it running, etc. Again, it is supposed to contain legitimate information, and again, it often does not. Just the same, if the information is accurate, we now have an e-mail address to complain to.

Hmm, happens to be me, doesn't it. Well. Please don't take me too literally. We also have a telephone number to call if we wish to register a complaint that way.

Record last updated on 06-Sep-97.
Record created on 09-Aug-95.
Database last updated on 12-Sep-97 04:47:08 EDT.

This bit is not too exciting. It is as it appears, showing us when the domain was created, and when it was last changed.

NOTE: Remember our last lesson about DejaNews? If the "Record last updated" date is fairly recent, this would be a good time to search for the offending domain name using Dejanews http://www.dejanews.com to see if any other anti-spammer has posted similar WHOIS information.

As a spammer hops from ISP to ISP, they take their domain names with them, and that will show up. Just a tiny bit of information, but it may help to prove to your satisfaction that a spammer is indeed a spammer, and that a particular domain is or is not a spamhaus. It's the little things...

Domain servers in listed order:


Finally, we have the bit about the Domain servers. A domain server is simply the machine that does lookups for a particular domain name when someone sends anything to that domain, like when you go to a web page or when you send mail to a particular domain.

In this case, if anyone goes to a web page at www.comp-sol.com their request will be "looked up" by one or both of the machines above. This is important, because a spammer may receive his upstream account (or feed) from one source, and have another source do his DNS or Domain Name Service. It could be another source to complain to. Many times, when you are dealing with a spammer, you will see this:

Domain servers in listed order:


And you know you are dealing with the deathstar itself. To many of us here on NANAE, seeing this is final and irrevocable proof that the domain in question is a spamhaus, and the sender of the e-mail is a spammer.

We tend not to believe that there are any legitimate domains hosted by Cyberpromo. When you see this, it is like swimming in the ocean and seeing a dorsal fin rise up out of the water and start towards you.


As we mentioned above, whois can be used in other ways, not simply to look up a domain name. For example, we can use it to find out who a particular IP address belongs to:

[No name] (NOMAD4-HST)

Hostname: NOMAD.NET
System: IBM PC 486/66 running DOS/IPAD

Record last updated on 03-Aug-95.
Database last updated on 12-Sep-97 04:47:08 EDT.

This in itself doesn't give us much information (In fact, this information is out of date, and needs to be updated.) Ah well, another task, another day. What's more important than spam-fighting?

IP Blocks
(You can do an IP Block lookup automatically using the IP block lookup from www.SamSpade.org tool (Freeware) rather than using the following manual process.)

So, we can look for the owner of the license in question by stripping off the last digit of the IP address and replacing it with a zero. In this case we would do:

No match for "".

OK, so we didn't get a match. Still, someone owns the IP range in question. So, now we take off the last two IP "octets" and replace both of them with zeros. Thus:

alpha dot net, corp. (NET-ALPHA)
324 East Wisconsin Avenue, Suite 609
Milwaukee WI, 53202

Netname: ALPHA

Chase, Tim (TC15) support@ALPHA.NET

Domain System inverse mapping provided by:


Record last updated on 10-Jan-96.
Database last updated on 12-Sep-97 04:47:08 EDT.

Here is some useful information! We see that the actual IP range (often called a "Class C license") is owned by someone else entirely. In this case, it is owned by alpha dot net corp, in Milwaukee, Wisconsin. We have a contact name and e-mail address, and we have a telephone number.

Remember, this will be an upstream provider for the spammer in question, and possibly not spammers themselves. We phrase our complaint accordingly, so as to not offend the good guys.

If that failed to get a result, we could simply keep replacing octets with zeros until we got the owner of an entire block of licenses, and again, we would have someone else to complain to.

The further away we get from the spammer, the less likely it is that we are dealing with spammer-friendly folks. If they get enough complaints, they MAY decide to take action, and we have all heard the phrase, "Shit rolls downhill." Eventually, someone has to take the heat and perhaps terminate the spammer. Keep this in mind.


Sometimes, when we use whois we get many responses, not just one. Here is an example:

whois mattocks
Mattocks E-mail Service (MATTOCKS-DOM) MATTOCKS.COM
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM (414)551-8088
Mattocks, Bill (BM1199) bmattocks@COMP-SOL.COM (414)551-8088
Mattocks, Christopher (CM3732) kolis@LVWEBMASTERS.COM 6024884305
Mattocks, Darryl (DM812) darryl.mattocks@BOOKSHOP.CO.UK
Mattocks, Jeff (MJ100-ORG) JeffMattocks@MSN.COM (360) 896-8150

To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first.

And sure enough, there are instructions right there as to how to narrow down your search. Simply type in an "!" followed by the information shown in the parenthesis. In my case, it would be:

whois '!BM561'

and that would bring up my information.


What about domains located outside the US? Well, our information is a bit spotty there. There are equivalents of Internic outside of the US, and they work the same way. Some of them can be searched using the WHOIS tool, but just telling it to point itself at a different database.

Other times, a search of the web using something like www.yahoo.com will bring you to a web page that will let you do a foreign whois search directly from that web page.

List of foreign servers snipped - Sam Spade handles these for you.
Freeware download at www.samspade.org


That concludes the lesson for today.

Please feel free to throw roses or brickbats, as you see fit. Permission is hereby granted for anyone who wishes to publish this information in any form, as long as it remains intact and attribution to the author is given. I maintain copyright and transfer all other rights to the public.

Best Regards, Bill Mattocks, CIIU

Derived from an HTML translation by Marek Jedlinski www.lodz.pdi.net/~eristic of a usenet post by Bill Mattocks


Shameless Plug (I have nothing to do with this company, but I like their software):  My personal favorite is NetScan Tools for Windows 95. It has a very nice user interface, and it contains all kinds of tools other than just whois - we will cover those in future lessons, since WHOIS is a big topic.

You can get a shareware copy of it at: http://www.nwpsw.com/  It is a free 30-day evaluation copy of the tool. It is expected that you will register and pay for it if you use beyond 30 days. It costs $US25, and I believe it is money well spent. End of plug

You can obtain these tools from a variety of sources. I recommend taking a look at http://www.tucows.com/  but there are many other sources, such as http://www.download.com/ and http://cws.internet.com/  

Besides Unix, I am most familiar with Windows/Win95, so these are the tools I will refer to. If anyone knows of their Mac analogue, perhaps they would post those tools as a follow up to this message.

Email Spam tracking 101 - Meaning of email headers
Email Spam tracking 102 - The many uses of DejaNews
Email Spam tracking 103 - The WHOIS database <This site
Email Spam tracking 104 - A spammer unmasked

Thinking of bulk emailing - Consequences of spamming?

Figuring out fake E-Mail  -  Deciphering fake email or posting?

Bounce eMail

"A valued contribution that
I and the rest of my team sincerely appreciate it. We have checked your software twice and it is good." Alex



100% effective.
I recommend it.

  The easies way to stop email spam, virus getting
into your PC



Sun Tzu Art of War "Leaders who takes on the role of the commander without understanding the strategy of warfare, invite defeat." Free eBook


Can't find
what you want?

Try Google...







Suggestions or feed-back, please drop us a note  |  eMail CRM Freeware  | This site>>eMail Bolts & Nuts

Home | Guest Book | Refund Policy | Privacy Policy | Contact Us | Support | Purchase | Product Info | Quick Tour

Minute WisdomSun Tzu Art of War | Useful Sites | eMail Broadcast FAQ's | Art of eMail CRM | eMail Marketing Tips