After you have successfully identified the true origin of a spam message, you need to report it to the abuse department of the ISP responsible for that address. To find that ISP, you need a traceroute.
The traceroute tool records the path a packet takes across the internet, hop by hop. This lets you find out which ISPs lie between your host and the spam source, and therefore which networks the message passed through on its way from the spammer to your Inbox.
If you use a Unix system or Mac OS X, the traceroute command is built in. On Windows, the equivalent command is called tracert. If neither is available on your computer, use one of the many web-based traceroute tools.
The spam source we identified when parsing our example spam was 126.96.36.199.
Running traceroute 188.8.131.52 will produce output similar to this:
traceroute to 184.108.40.206 (220.127.116.11), 30 hops max, 38 byte packets
1 hsrp2.cc04-wien.AT.eunet.at (18.104.22.168) 0.952 ms 0.820 ms 3.707 ms
2 r2-ge1-3-0-95-ixi1.vie.at.eu.net (22.214.171.124) 1.556 ms 1.473 ms 1.179 ms
3 so-2-2-0.vie20.ip.tiscali.net (126.96.36.199) 1.388 ms 1.733 ms 1.327 ms
4 so-7-0-0.ams10.ip.tiscali.net (188.8.131.52) 19.123 ms 19.428 ms 19.298 ms
5 he12.core.rtr.gxn.net (184.108.40.206) 27.890 ms 27.575 ms 28.196 ms
6 gb0-1-2-llb-x-many.HE23.core.rtr.gxn.net (220.127.116.11) 29.572 ms 28.312 ms 28.382 ms
7 p8-0-0.tn-cr12.cix.gxn.net (18.104.22.168) 32.931 ms 32.683 ms 32.312 ms
8 f2-0-97.tn-cr57.cix.gxn.net (22.214.171.124) 33.155 ms 34.170 ms 33.110 ms
9 g0-1-91.tn-hg11.cix.gxn.net (126.96.36.199) 34.354 ms 37.704 ms 34.311 ms
10 * * *
11 * * *
The stars at the bottom indicate that the final address could not be reached (the host did not answer the probes). This does not matter for our purpose. We are interested in the internet service provider the message went through, not in whether the point of origin can be reached directly. (Additionally, the IP address of the last reachable host is very near our target.)
To read the traceroute output, look at the hostname at the beginning of each hop line. Data from eunet.at, the starting point, to our (unreachable) target, 188.8.131.52, first goes through eu.net, then tiscali.net and finally gxn.net.
If we reverse this order, we get the path taken by the junk email (a traceroute shows the route from your host to the source; the return route is usually similar, though not guaranteed to be identical). Since the message first went through gxn.net, we have identified the spammer's ISP. Now we need to find the right person to contact, that is, the abuse address.
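The following parser automates the reading procedure described above. It is an added example, not part of the original article: it takes the traceroute output printed above (copied verbatim as the sample input), splits each hop into number, hostname, IP and round-trip times, treats `* * *` lines as non-responding hops, reduces each hostname to its last two labels as an approximation of the owning network, and returns both the forward list of networks and the last responding network, which is the candidate ISP to report to. The last-two-labels rule is a simplification I chose for the example; real domains such as `co.uk` need the public suffix list.

```python
import re

# Sample input: the traceroute output shown on this page, copied verbatim.
SAMPLE = """traceroute to 184.108.40.206 (220.127.116.11), 30 hops max, 38 byte packets
 1 hsrp2.cc04-wien.AT.eunet.at (18.104.22.168) 0.952 ms 0.820 ms 3.707 ms
 2 r2-ge1-3-0-95-ixi1.vie.at.eu.net (22.214.171.124) 1.556 ms 1.473 ms 1.179 ms
 3 so-2-2-0.vie20.ip.tiscali.net (126.96.36.199) 1.388 ms 1.733 ms 1.327 ms
 4 so-7-0-0.ams10.ip.tiscali.net (188.8.131.52) 19.123 ms 19.428 ms 19.298 ms
 5 he12.core.rtr.gxn.net (184.108.40.206) 27.890 ms 27.575 ms 28.196 ms
 6 gb0-1-2-llb-x-many.HE23.core.rtr.gxn.net (220.127.116.11) 29.572 ms 28.312 ms 28.382 ms
 7 p8-0-0.tn-cr12.cix.gxn.net (18.104.22.168) 32.931 ms 32.683 ms 32.312 ms
 8 f2-0-97.tn-cr57.cix.gxn.net (22.214.171.124) 33.155 ms 34.170 ms 33.110 ms
 9 g0-1-91.tn-hg11.cix.gxn.net (126.96.36.199) 34.354 ms 37.704 ms 34.311 ms
10 * * *
11 * * *
"""

# A responding hop: "<n> <hostname> (<ip>) <rtt> ms <rtt> ms <rtt> ms"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+(.*)$")
# A hop that answered none of the probes: "<n> * * *"
STAR_RE = re.compile(r"^\s*(\d+)\s+(\*\s*)+$")
RTT_RE = re.compile(r"([\d.]+)\s*ms")


def parse_traceroute(text):
    """Return one dict per hop line; non-responding hops have host/ip set to None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in RTT_RE.findall(m.group(4))]
            hops.append({"hop": int(m.group(1)), "host": m.group(2).lower(),
                         "ip": m.group(3), "rtts": rtts})
            continue
        m = STAR_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "host": None, "ip": None, "rtts": []})
        # Any other line (the "traceroute to ..." header) is ignored.
    return hops


def registrable_domain(host):
    """Approximate the owning network by the last two labels (assumption: no multi-label TLDs)."""
    return ".".join(host.split(".")[-2:])


def network_path(hops):
    """Ordered list of distinct networks from our host towards the target."""
    path = []
    for h in hops:
        if h["host"] is None:
            continue
        domain = registrable_domain(h["host"])
        if not path or path[-1] != domain:
            path.append(domain)
    return path


def spam_path(hops):
    """The same networks in the order the message would have traversed them (reversed)."""
    return list(reversed(network_path(hops)))


def candidate_isp(text):
    """Network of the last hop that answered: the ISP nearest to the spam source."""
    responding = [h for h in parse_traceroute(text) if h["host"] is not None]
    return registrable_domain(responding[-1]["host"]) if responding else None


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE)
    print("forward path:", " -> ".join(network_path(hops)))
    print("message path:", " -> ".join(spam_path(hops)))
    print("report to abuse contact of:", candidate_isp(SAMPLE))
```

Running the block prints the forward path eunet.at, eu.net, tiscali.net, gxn.net, the reversed message path, and gxn.net as the network to contact. The trailing `* * *` hops are kept in the parsed list (so hop numbering stays intact) but are skipped when deciding which network answered last.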