Tracking the Spammers® – Dedicated to Cleaning Up the Internet





How to Track a Spammer

Sometimes it’s easy, sometimes it’s difficult.  Often, you’ll see that the domain names are registered in Hong Kong or someplace else that’s, practically speaking, unreachable.  But not always.

The keys to tracking a spammer – at least the ones in the U.S. – are:
1) The spammer’s own website.  Sometimes they actually give contact information that’s legitimate.
2) The WhoIs lookup function on the domain registrars’ websites.
3) The store locator website for The UPS Store (formerly Mailboxes Etc.) – Lots of spammers register their business addresses at Commercial Mail Receiving Agencies.  In California, at least, anyone who takes out a private mailbox de facto agrees that the operator of that mailbox is the Agent for Service of Process (Business and Professions Code Section 17538.5).  (As an aside – and I haven’t tested this – Florida Title VI Civil Practice and Procedure 48.181, paragraph 1, says that anyone who tries to conceal their whereabouts constitutes an appointment of the Secretary of State for service of process. So, I wonder if registering your business at a UPS Store mailbox qualifies as trying to conceal… )
4) The Secretary of State websites.  Very useful information.  Click here for my list of all 50.
5) The registrars themselves!  Don't you hate it when spammers use private registration services to hide their true identity when registering domain names that they use to send spam?  It's a violation of federal law to do this, 18 U.S.C. § 1037(a)(4), but then again, since when have spammers been interested in following the law?  I recently learned that under the registrars' agreement with ICANN, if you present the registrar with proof of "actionable harm" (i.e., if your state laws allow for damages for false and deceptive spam), then the registrar has to provide the REAL identity of the spammer, otherwise the registrar itself becomes liable!  Click here for a sample letter to the registrar Demand Media (better known as eNom and Bulk Register) that was successful... the registrar gave me the spammer's real identity.

I use all of these tools together to track them down.  Following are a few examples, as well as tricks that alleged spammers use to hide their websites, and then some advanced techniques for tracing IP addresses.  Note, I say “alleged” on this page because to the best of my knowledge, no one has proven in Court that these parties are spammers, or hire spammers, or enable spammers to sign up as affiliates, and then obtained a judgment against them.

Example 1

This is the easiest kind of spam to trace – when the alleged spammer actually tells who they are.  Just as an aside, the resume-blast spammers really piss me off because they scrape email addresses from Hotjobs, Monster, etc., which is an explicit violation of those websites’ terms of service.

Here’s the spam from WSACorp, as it appears in the inbox.

Don’t worry, I’ve disabled the links.

Note that a visit to the Kansas Secretary of State’s website confirms that address, but more on that later.

From:                                                Sent: Tue 6/3/2003 12:49 PM
Subject: Your Resume Submittal?

Dear Job Seeker,

I saw your resume online and felt that my firm, WSACorp, might be able to help you. I know how difficult this market can be for a professional at your level. Recently, WSACorp helped place a couple of people whose results I thought might be of interest to you.

Dennis was a general manager, downsized from his company during consolidation. He wanted to stay in Colorado or Utah, but preferred not to be in Denver or Salt Lake City. He selected WSACorp to write his resume and produce a targeted mailing to 3,000 companies. Within 2 weeks, he accepted a position at a 40% increase with a company in Logan, Utah. You can see his resume by visiting

Jayne was a consultant with a sales and marketing background earning $175K. WSACorp mailed 3,800 letters. She had 20+ calls and accepted a $300K package offer from a major US corporation. You can see her resume by visiting

These are only 2 examples of our recent success, but you can see many more by visiting our Website at

If you wish to accelerate your job search, perhaps you should take advantage of WSACorp's offer to provide you a NO OBLIGATION resume critique and market evaluation. We have been writing resumes since 1976, and we are in-tune with the current market conditions. Don't delay. This time of year generally provides a bubble of hiring that you do not want to miss. To quote Dennis, "I wish I had started doing this 20 years ago."

Give me a call or send me an email, and I will be happy to set a time to have you visit with one of our Senior Advisors for your free resume critique.

Anna Hanson, Scheduling Coordinator
WSA Corporation
11933 Johnson Drive, Shawnee, KS 66216
Toll Free Phone: 1-800-972-2677 (913-631-3800)
Toll Free Fax: 1-877-972-3294 (913-631-9898)



Example 2

Sometimes it’s not quite as obvious, especially in graphical spams that come from gibberish email addresses, or at any rate email addresses that do NOT match the merchant or even the sender.  Then you need to look at the HTML source code and/or the message headers to see what the links/domains really are.

Here’s the spam as it appears in the inbox.

Don’t worry, I’ve disabled the links.

Note the long text at the bottom beginning with “You are receiving…”.  If this were a legitimate email, that text would have been sent AS text.  What spammers are doing now is sending the text as a graphical image.  That way, a text-based filter that would have automatically trashed any email with text like “you have opted-in to receive” won’t work.

From:                                     Sent: Fri 5/2/2003 6:21 PM
Subject: print cartridges, 8o% off today.    e


Next, I look at the email headers.  Sometimes they’re revealing.  But here, as you can see, it’s from a nonsense email address that doesn’t immediately tell you who the sender or the beneficiary of the spam actually are.

“.cn” means China, incidentally.  You could create a filter in Outlook that automatically trashes any email with a .cn in it and you’d be pretty safe.

X-Apparently-To: [REDACTED] via; 04 May 2003 09:27:32 -0700 (PDT)
Return-Path: <>
Received: from  (EHLO (
  by with SMTP; 04 May 2003 09:27:31 -0700 (PDT)
Received: from ([])
          by (8.11.6/8.11.6) with ESMTP id h4327W402643;
          Sat, 3 May 2003 11:07:37 +0900
Message-ID: <0000111b31c8$000048a2$>
To: <>
Subject: print cartridges, 8o% off today.    e
Date: Fri, 02 May 2003 18:21:15 01700
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: AOL 5.0 for Windows sub 138
Sensitivity: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

Next, look at the html source code.  There has to be a link in here… look for whatever follows “<A HREF=”.  That indicates where the link points… i.e., the spammer’s website.  Note that you’ll sometimes see “<IMG SRC=”.  That indicates the server for the images (see next example), which may or may not be the same… particularly in the case of affiliate programs.

Anyway, in this simple case, ignore everything after the .com… the destination website is

But alleged spammers are doing tricky things these days to disguise the website identification… see “Spammer Tricks” towards the end of this page.

<div align="center">
  <TABLE WIDTH=450 BORDER=0 CELLPADDING=0 CELLSPACING=0><!-- u vmiwca zeavss dfwxy-->
    <TD> <A HREF=""> <IMG SRC="" WIDTH=290 HEIGHT=50 BORDER=0></A><!-- v gymqq ouftj zcu--></TD>
    <TD ROWSPAN=4> <A HREF=""> <IMG SRC="" WIDTH=118 HEIGHT=183 BORDER=0></A><!-- k zojjdsad mtdonwep ptboo--></TD>
    <TD ROWSPAN=4> <A HREF=""> <IMG SRC="" WIDTH=42 HEIGHT=183 BORDER=0></A><!-- l spwgbx vrb--></TD>
    <TD> <A HREF=""><!-- x evtfqaql bxifgs--> <IMG SRC="" WIDTH=290 HEIGHT=51 BORDER=0></A></TD>
    <TR><!-- g wjtvl gekjm wwun-->
    <TD> <A HREF=""> <IMG SRC="" WIDTH=290 HEIGHT=51 BORDER=0></A></TD><!-- y imauafemi pwhiwyqk-->
    <TD> <A HREF=""> <IMG SRC="" WIDTH=290 HEIGHT=31 BORDER=0><!-- o kzzdjo--></A></TD>
    <TD COLSPAN=3><!-- c sazmkct xzahiph zot--> <A HREF=""> <IMG SRC="" WIDTH=450 HEIGHT=68 BORDER=0></A></TD>
    </TR><!-- l eqitkhz jlxehhs j-->
    <TD COLSPAN=3> <A HREF=""> <IMG SRC="" WIDTH=450 HEIGHT=51 BORDER=0></A><!-- t oaxyux sooxwf ajoqab a--></TD>
    <TD COLSPAN=3> <A HREF=""><!-- k csjlm--> <IMG SRC="" WIDTH=450 HEIGHT=49 BORDER=0></A></TD>
    <TR><!-- d msvzel xvrd-->
    <TD COLSPAN=3> <A HREF=""> <IMG SRC="" WIDTH=450 HEIGHT=48 BORDER=0></A></TD><!-- s zjkziig yadusar gwz-->
    <TD COLSPAN=3> <A HREF=""> <IMG SRC="" WIDTH=450 HEIGHT=101 BORDER=0><!-- z vvqje sounc aaidw --></A></TD>
<div align="center">
  <table width="117" border="0" cellpadding="0" cellspacing="0">
      <td width="117" height="20" valign="top">
        <div align="center"><a href=""><img src="" width="409" height="170" border="0"></a></div>

Now it’s time for a WhoIs lookup.  I usually start with
, since they can often grab registration information from other registrars’ databases.  See sample to the right:

If doesn’t have the information or if it doesn’t accept the code entry – which often happens – then try Internic.  That site won’t have the registration data but it will tell you who the registrar is – spammers often use bulkregister, dotster, enom, godaddy, and tucows.  Then go to that website and do a WhoIs lookup.

The WhoIs lookup will tell you the domain name you just searched on (, who the registrar is (; and phone number/address/email.  Often the address is fake and/or a PO Box at The UPS Store (formerly Mailboxes Etc.).  You can check that at

You should forward a copy of the spam to abuse@[] and tell them that the domain holder is a spammer and the domain name should be cancelled.  I’ve done this successfully a couple times.

Incidentally, get used to seeing Florida in WhoIs lookups… I think about 2/3 of my domestic spam is from Florida.  As an aside, one great way to stop the spam problem would be to cut all Internet connections to the Sunshine State.  Too bad we probably can’t do that.

Domain Name: 34BOLOHOUSE.COM
Registered by: $10-Domains
Domain Registration as low as 6.75
Cheap domain registration and Hosting

The Data in Parava Networks' WHOIS database is provided by Parava Networks for information purposes, and to assist persons in obtaining information about or related to a domain name
registration record. Parava Networks does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to Parava Networks (or its systems). Parava Networks reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Greg Numark
2198 Princeton St.
Sarasota FL 34231

Domain Name Created On: 2002-11-05 11:01:00.0
Domain Name Expires On: 2003-11-04 23:00:00.0

Name Servers:
Name Server 1:
Name Server 2:

Finally, go to the Secretary of State website for whatever state you’ve determined the spammer is located in and search on the business name.

If you can’t find a business name on the WhoIs lookup, sometimes you can go to the website and click links like “Contact,” “About Us,” or even “Privacy” or “Legal” – and sometimes you’ll see a company name that you can find with the Secretary of State.

Click here for my list of Secretary of State websites.

Often the Secretary of State website has good (i.e., not UPS Store) addresses for the business.  More importantly, they have addresses for Registered Agents.  When suing an alleged spammer (or any corporate entity for that matter), you can have papers served on the Registered Agent instead of the alleged spammer.

[Florida Secretary of State record, entity type “Florida Profit”, with fields: Document Number, FEI Number, Date Filed, Effective Date, Registered Agent (Name & Address), Officer/Director Detail (Name & Address)]

Example 3

Sometimes, even when it’s an alleged spammer acting on behalf of a principal, you can find the URL for the principal right in the HTML source code.  As you can see in the html code, even though the alleged spammer routes you back through his own website (for tracking/commission purposes), the email serves up images hosted on the principal’s server –


Here’s the spam, as it appeared in my inbox.

Don’t worry, I’ve disabled the links.

From: Football Madness []                   Sent: Tue 7/29/2003 7:20 PM
Subject: Free 4-Room DIRECTV System Installed

You must use promo code LABCD to receive this special promotion!

If you do not wish to receive special presents from our affiliates in the future, you may delete your email from our list by clicking here

Here’s the message header, referencing   

X-Apparently-To: [REDACTED] via; 29 Jul 2003 18:20:20 -0700 (PDT)
Return-Path: <[REDACTED]>
Received: from  (HELO (
  by with SMTP; 29 Jul 2003 18:20:16 -0700 (PDT)
From: Football Madness <>
Subject: Free 4-Room DIRECTV System Installed
X-Mailer: 3.1.76-XP/NG [Jun 30 2003, 07:15:19]
MIME-Version: 1.0
Content-Type: multipart/alternative;
Date: Tue, 29 Jul 2003 21:20:12 EST
Message-ID: <244$>

Here’s the WhoIs lookup, showing that is registered to Ultimate Corner in St. Louis, MO.

Domain Name..........
Creation Date........ 2003-07-16
Registration Date.... 2003-07-16
Expiry Date.......... 2004-07-16
Organisation Name.... UltimateCorner
Organisation Address. P.O. Box 28336
Organisation Address.
Organisation Address. St. Louis
Organisation Address. 63146
Organisation Address. MO
Organisation Address. UNITED STATES

Name Server.......... DNS1.CYBERXHOST.NET
Name Server.......... NAME2.CYBERXHOST.NET

The previous information has been obtained either directly from the
registrant or a registrar of the domain name other than Network Solutions.
Network Solutions, therefore, does not guarantee its accuracy or completeness. 

Look up Ultimate Corner with the MO Secretary of State and you find full legal information.

Incidentally, Ultimate Corner has admitted to violating California's 2003 anti-spam law by 1) not starting subject line with “ADV:”, 2) continuing to send spam even after I notified them to stop, and 3) increasing the rate of spamming after I unsubscribed via weblink and their own systems confirmed I would be removed from their database.


Here’s the HTML source code for the email.  Note that appears here too… and the numbers & codes that follow the domain name – which I redacted here – are what the alleged spammer uses to track YOU specifically.

The alleged spammer is routing the click through the website to put an affiliate tracking code on your click… in other words, when you click the link it redirects you through, adds an affiliate ID, and then sends you to the principal’s website.  So you might not know who the principal beneficiary is…


Also in the code is the URL for the principal –  The “img src=” just before it means that the email is grabbing the image from the servers, instead of the spammer hosting the images himself. 

The point is, you now know who’s benefiting from the spam… the “principal.”

<table WIDTH="323" BORDER="0" CELLPADDING="0" CELLSPACING="0" ALIGN="CENTER"><tr></tr><tr>
<td><img src="" width="450" height="486" border="0" usemap="#Map"></td>
</tr><tr><td><div ALIGN="CENTER"><font FACE="Verdana, Arial, Helvetica, sans-serif" SIZE="1"><b>You must use</b></font><font SIZE="1" FACE="Verdana, Arial, Helvetica, sans-serif"><b> promo code <font COLOR="#3333FF"><u>LABCD</u></font> to receive this special promotion!</b> </font></div></td></tr></table><br>

<map name="Map">

<area shape="rect" coords="305,143,372,152" href="[REDACTED]&l=0&.e=[REDACTED]" target="_blank">
<area shape="rect" coords="7,156,448,480" href="[REDACTED]&l=0&.e=[REDACTED]" target="_blank">
<area shape="rect" coords="3,371,5,375" href="[REDACTED]&l=0&.e=[REDACTED]">
<area shape="rect" coords="5,4,445,138" href="[REDACTED]&l=0&.e=[REDACTED]" target="_blank">
</html><P><FONT size=2><FONT face=Verdana>If you do not wish to receive special presents from our affiliates in the future, you may delete your email from our list by <a href="[REDACTED]&m=[REDACTED]">clicking here</a> <FONT color=#000000><P/>
<br><font color='#ffffff' face='arial,helvetica' size='-5' style='font-size: 1px;'>TM: <4;2x51q5JU5jRr5eYY8TYj;729031></font>
<img src="[REDACTED]&email=[REDACTED]" width="1" height="1" alt="">
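
The link triage described for Examples 2 and 3, as an added example (not code from the original page): it parses an HTML mail body, separates click targets (A HREF and AREA HREF) from image servers (IMG SRC) and 1x1 tracking images, and lists image hosts that are never click targets as candidates for the principal. The sample HTML and every host name in it are constructed placeholders, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the Example 3 layout; all hosts are placeholders.
SAMPLE_HTML = """
<table><tr><td><img src="http://images.principal.example/offer.gif"
  width="450" height="486" border="0" usemap="#Map"></td></tr></table>
<map name="Map">
<area shape="rect" coords="305,143,372,152"
  href="http://click.affiliate.example/r?id=AFF123&l=0&e=RECIPIENT" target="_blank">
<area shape="rect" coords="7,156,448,480"
  href="http://click.affiliate.example/r?id=AFF123&l=0&e=RECIPIENT">
</map>
<a href="http://click.affiliate.example/u?m=RECIPIENT">clicking here</a>
<img src="http://click.affiliate.example/open?email=RECIPIENT" width="1" height="1" alt="">
"""


class LinkAudit(HTMLParser):
    """Collect hosts by role: click targets, image servers, 1x1 beacons."""

    def __init__(self):
        super().__init__()
        self.hosts = {"click": {}, "image": {}, "beacon": {}}

    def _record(self, role, url):
        parts = urlsplit(url or "")
        host = parts.hostname  # lower-cased; drops any user@ prefix and port
        if host:
            entry = self.hosts[role].setdefault(host, {"count": 0, "tracked": False})
            entry["count"] += 1
            # Query parameters are where the per-recipient tracking codes travel.
            entry["tracked"] = entry["tracked"] or bool(parts.query)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # the parser has already lower-cased tag and attribute names
        if tag in ("a", "area"):
            self._record("click", a.get("href"))
        elif tag == "img":
            tiny = a.get("width") == "1" and a.get("height") == "1"
            self._record("beacon" if tiny else "image", a.get("src"))


def audit(html_body):
    parser = LinkAudit()
    parser.feed(html_body)
    parser.close()
    return parser.hosts


def candidate_principals(hosts):
    """Image hosts that never appear as click targets: worth a WhoIs lookup."""
    return sorted(set(hosts["image"]) - set(hosts["click"]))


if __name__ == "__main__":
    result = audit(SAMPLE_HTML)
    for role, found in result.items():
        for host, info in sorted(found.items()):
            print(f"{role:7} {host:32} x{info['count']} tracked={info['tracked']}")
    print("look up next:", candidate_principals(result))
```
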

So now, a WhoIs lookup on shows:

      Jaserp Satellite, Inc.
      Expert Satellite
      1060 Millbury St
      Worcester, MA 01607
      Phone: 508-752-7230
      Fax..: 508-752-9964

Registrar Name....:
Registrar Whois...:
Registrar Homepage:


     Created on..............: Tue, Apr 03, 2001
     Expires on..............: Sat, Apr 03, 2004
     Record last updated on..: Wed, Apr 09, 2003

Domain servers in listed order:
   NS5.ZONEEDIT.COM                                  not needed       

Look up “Expert Satellite” on the Massachusetts Secretary of State website and you’ll see:


Example 4

One last thing.  Sometimes you want to look at the domain name servers in the WhoIs lookup.  They often reveal interesting information on who else is involved in the spamming – either directly or indirectly.  “Indirectly” in this context might mean the marketer who runs the website for a non-technologically-sophisticated company, and who possibly contracted out to do an email blast to (allegedly) opt-in consumers.
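
The name-server check described above, as an added example (not code from the original page): it pulls name servers out of WhoIs text in the three layouts that appear on this page and reports parent domains that differ from the domain looked up. All records and host names are constructed placeholders, the function names are hypothetical, and taking the last two labels as the parent domain is a simplifying assumption.

```python
import re

# Constructed WhoIs excerpts in the three layouts seen in registrar output;
# every domain and host below is a placeholder.
DOTTED = """Domain Name.......... offers.example
Organisation Name.... Example Mailer
Name Server.......... DNS1.HOSTER-ONE.EXAMPLE
Name Server.......... NAME2.HOSTER-ONE.EXAMPLE
"""
LISTED = """Domain servers in listed order:

   NS1.MARKETER.EXAMPLE      192.0.2.10
   NS2.MARKETER.EXAMPLE

Registrar of Record: EXAMPLE REGISTRAR
"""
NUMBERED = """Name Servers:
Name Server 1: ns1.shop.example
Name Server 2: ns2.shop.example
"""

HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")
LABELLED = re.compile(r"^\s*name\s*server(?:\s*\d+)?\s*[.:]+\s*(\S+)", re.I)
SECTION = re.compile(r"^\s*domain servers in listed order", re.I)


def name_servers(whois_text):
    """Return the name-server hostnames found in one WhoIs record, in order."""
    found, in_section = [], False
    for line in whois_text.splitlines():
        m = LABELLED.match(line)
        if m:
            candidate = m.group(1)
        elif SECTION.match(line):
            in_section = True
            continue
        elif in_section and line.strip():
            candidate = line.split()[0]  # hostname may be followed by an IP
        else:
            continue
        host = candidate.rstrip(".").lower()
        if HOSTNAME.match(host):
            if host not in found:
                found.append(host)
        elif in_section and not m:
            in_section = False  # first non-hostname line ends the listing
    return found


def parent_domain(host):
    # Assumption: the last two labels approximate the registered domain; a
    # real tool would consult the Public Suffix List (e.g. for .co.uk).
    return ".".join(host.split(".")[-2:])


def outside_parties(domain, whois_text):
    """Name-server parent domains that differ from the domain looked up."""
    own = parent_domain(domain.lower())
    return sorted({parent_domain(h) for h in name_servers(whois_text)} - {own})


if __name__ == "__main__":
    print(outside_parties("steaks.example", LISTED))
```
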

Here’s the spam, as it appeared in my inbox.

Don’t worry, I’ve disabled the links. 

From: Steaks of St. Louis []                          Sent: Tue 8/19/2003 8:14 PM
Subject: Get a free Cookbook and Andria's Steak



Here’s the HTML source code.

I already traced to Ultimate Corner of St. Louis, MO (in example 3).

Let’s focus on, the beneficiary.

<body bgcolor="#ffffff">
<table width="500" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#ffffff">
<td><a href="" target="_blank">
<img src="" width="279" height="400" border="0">
<img src="" width="221" height="400" border="0"></a></td>
</html><P><FONT size=2><FONT face=Verdana>If you do not wish to receive special presents from our affiliates in the future, you may delete your email from our list by <a href="[REDACTED]&m=[REDACTED]">clicking here</a> <FONT color=#000000><P/>
<br><font color='#ffffff' face='arial,helvetica' size='-5' style='font-size: 1px;'>TM: <4;9s25u2eK2MYD29bb7.bM;1246031></font>
<img src="[REDACTED]&email=[REDACTED]" width="1" height="1" alt="">

Here’s the WhoIs lookup.  The registrant is Crown Foods, which can be traced through the Missouri Secretary of State website, coming right up.

But look at the bottom: the domain servers are “”  What that means is, Crown Foods may own the domain name “” but you wouldn’t necessarily expect a food company to be very tech-savvy.  It looks like Crown Foods allows the website to be hosted by epointmarketing.  Let’s go find ‘em.

5243 Manchester
St Louis, MO 63110


Administrative Contact, Technical Contact:
Lotz, Karla (KLB311) lotzk@CROWNFOODS.COM
5432 Manchester Ave
St.Louis, MO 63100
(314) 645-5300 fax: 999 999 9999

Record expires on 15-Mar-2004.
Record created on 11-Sep-2002.
Database last updated on 20-Aug-2003 11:20:43 EDT.

Domain servers in listed order:


Here’s the legal information on Crown Foods, which is actually a previous name… current name is M.C.S. Investments, Inc.

Now, on to epointmarketing…


[Secretary of State business record with fields: Business Name History (Name Type: Prev Legal, Prev Legal); Charter Number; Good Standing; Entity Creation Date; State of Business; Principal Office Address: No Address; Principal Mailing Address: No Address; Expiration Date; Last Annual Report Filed Date; Last Annual Report Filed; Report Period: 08/01 : 07/31; Registered Agent (Agent Name, Office Address, Mailing Address)]

A WhoIs lookup on the Tucows domain registrar website – – for shows the following.

Guess what, the address 8170 South Eastern Ave in Las Vegas is a UPS Store.  A pretty clear indicator that ePoint Marketing is NOT a legitimate business.

But, on the assumption that the company really is incorporated in Nevada, let’s go to the Nevada Secretary of State website and find them.

OpenSRS Whois Lookup Utility


 ePoint Marketing, Inc.
 8170 South Eastern Ave
 Suite 4-506
 Las Vegas, NV 89123


Administrative Contact:
    Webmaster, Webmaster
    8170 South Eastern Ave
    Suite 4-506
    Las Vegas, NV 89123
Technical Contact:
    Webmaster, Webmaster
    8170 South Eastern Ave
    Suite 4-506
    Las Vegas, NV 89123
    702-518-3972    Fax: 702-518-3950

Registration Service Provider:
    This company may be contacted for domain login/passwords,
    DNS/Nameserver changes, and general domain support questions.

 Registrar of Record: TUCOWS, INC.
 Record last updated on 28-Mar-2003.
 Record expires on 08-Dec-2004.
 Record Created on 08-Dec-2001.

Domain servers in listed order:

And here’s the full legal information.


© 2002-present, Daniel Balsam