Would You Like Spam with Your Pizza Pie?
Have you ever wanted to know where your spam is coming from? Better yet, would you like to visit the location, or even the neighborhood, of the person or computer who sent it to you?
I find it pretty amazing how spam message origination locations are spread across the world. It would seem that spam has no international boundaries. Doing some brief research, I found messages in my Google Apps Spam Label from South Korea, Malaysia, Belgium, Brazil and Minnesota. I was particularly impressed with the Google Maps Satellite view of Seoul, South Korea.
If you would like to use Google Maps to find the approximate geographic source location of a piece of spam, there are a few steps involved. In this exercise I did the following:
- Received a spam (junk email) message.
- Identified the source IP address from whence it came.
- Looked up the source IP address and discovered information about it, like its global coordinates in latitude and longitude.
- Looked up the location on Google Maps using the provided latitude and longitude.
- Reviewed the ‘Map View’ in Google Maps.
- Reviewed the ‘Satellite View’ in Google Maps.
- Found pizza places nearest the approximate location I have identified as the source of my spam.
Receiving spam sure doesn’t seem to be a problem. I currently have 116 messages in my account labeled as spam (some colleagues have over one-thousand; 92% of all email received at the University is spam). The Gmail spam filter is doing a great job of catching junk email.
One can easily view the source IP address from any Gmail email by choosing “Show Original” from the Reply drop-down menu in the upper-right corner of the message:

Here you’ll see the guts of your email header. In the specific case of one of my spam messages (“Hello” from “Melba”), I copied the following information from ‘Show Original’:
Delivered-To: helperdesk@boisestate.edu
Received: by 10.100.232.5 with SMTP id e5cs32834anh;
        Wed, 27 May 2009 03:16:04 -0700 (PDT)
Received: by 10.114.192.17 with SMTP id p17mr19541801waf.196.1243419362912;
        Wed, 27 May 2009 03:16:02 -0700 (PDT)
Return-Path:
Received: from ?125.251.77.18? ([125.251.77.18])
        by mx.google.com with ESMTP id 34si11221188pxi.37.2009.05.27.03.16.01;
        Wed, 27 May 2009 03:16:02 -0700 (PDT)
Received-SPF: softfail (google.com: best guess record for domain of transitioning etzemil@us.ibm.com does not designate 125.251.77.18 as permitted sender) client-ip=125.251.77.18;
Authentication-Results: mx.google.com; spf=softfail (google.com: best guess record for domain of transitioning etzemil@us.ibm.com does not designate 125.251.77.18 as permitted sender) smtp.mail=etzemil@us.ibm.com
The line “google.com: best guess record for domain of transitioning etzemil@us.ibm.com does not designate 125.251.77.18 as permitted sender” indicates that this is most likely a spam message. Notice that the email address ends in us.ibm.com. Google is saying that the source IP address is not a permitted sender for that domain, which is why the SPF result is “softfail”. This is almost always the case in spam and phishing emails.
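The same header reading can be scripted. The Python below is an added example, not part of the original post: it takes the IP only from the Received line written by the receiving server (lines further down can be forged by the sender) and cross-checks it against the Received-SPF header. The function names and the trusted_mx parameter are assumptions; the sample input is the header block shown above.

```python
import email
import ipaddress
import re

# Header block from this page's "Show Original" sample, continuation lines re-indented.
RAW = """\
Delivered-To: helperdesk@boisestate.edu
Received: by 10.100.232.5 with SMTP id e5cs32834anh;
        Wed, 27 May 2009 03:16:04 -0700 (PDT)
Received: by 10.114.192.17 with SMTP id p17mr19541801waf.196.1243419362912;
        Wed, 27 May 2009 03:16:02 -0700 (PDT)
Received: from ?125.251.77.18? ([125.251.77.18])
        by mx.google.com with ESMTP id 34si11221188pxi.37.2009.05.27.03.16.01;
        Wed, 27 May 2009 03:16:02 -0700 (PDT)
Received-SPF: softfail (google.com: best guess record for domain of transitioning etzemil@us.ibm.com does not designate 125.251.77.18 as permitted sender) client-ip=125.251.77.18;

"""

HOP = re.compile(r"from \S+ \([^()]*\[([0-9A-Fa-f:.]+)\]\) by (\S+)")

def handoff_ip(msg, trusted_mx):
    """IP that connected to our own MX. Received lines are prepended, so the
    first match from the top is the one our MX wrote; lower ones can be forged."""
    for hop in msg.get_all("Received", []):
        m = HOP.search(" ".join(hop.split()))  # unfold the header first
        if m and m.group(2).lower() == trusted_mx:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                return None
            return str(ip) if ip.is_global else None  # ignore private/internal hops
    return None

def spf_verdict(msg):
    """(result, client-ip) from the Received-SPF header stamped by the MX."""
    spf = " ".join((msg.get("Received-SPF") or "").split())
    m = re.search(r"client-ip=([0-9A-Fa-f:.]+)", spf)
    return (spf.split(" ", 1)[0].lower() or None), (m.group(1) if m else None)

def analyze(raw, trusted_mx="mx.google.com"):
    msg = email.message_from_string(raw)
    ip = handoff_ip(msg, trusted_mx)
    result, client_ip = spf_verdict(msg)
    return {"source_ip": ip, "spf": result,
            "ip_matches_spf": ip is not None and ip == client_ip,
            "sender_unverified": result in {"fail", "softfail"}}

if __name__ == "__main__":
    print(analyze(RAW))
```

The two hops that begin “by 10.…” are internal relays with no “from” clause, so they are never candidates for the source address.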
Now, I wanted to see where the source IP address of my message actually came from, so I went to the following site: http://whatismyip.com/tools/ip-address-lookup.asp and pasted 125.251.77.18 (the source IP) into the Lookup box.
This is what I got:

Notice the latitude and longitude provided for the IP Address. This took me to the next step of using Google Maps to find out where this location really is. I visited Google Maps and added the latitude and longitude to the search bar in the following format: 37.567 , 127 and then clicked the Search Maps button.
Lo and behold, it took me to the map of Seoul, South Korea. Using the ‘Satellite View’ I can actually zoom in and see the approximate house from whence the spam message may have originated. Here’s what I found:

Do you suppose the spammer has ever sampled pizza from http://www.dimatteo.co.kr/ ?
Note: IP addresses can be dynamic and can change. Spammers often send emails from locations that do not belong to them. It is highly possible that the location discovered is not the actual location from which the email originated. This article is by no means a method that can guarantee the true source of your spam. Your mileage may vary.
Great article, Marc! I feel enlightened regarding spam sources.