Sam Spade: A Multifunction Information Toolkit

Gary C. Kessler
May 2001

An edited version of this paper with the title "Sam Spade, Systems Detective" originally appeared in the September 2001 issue of Information Security Magazine. Copyright © 2001. All rights reserved.

Systems and security administrators have a number of useful tools at their disposal to obtain information about computers attached to other networks on the Internet, as well as information about the Internet itself. Ping, traceroute, whois and nslookup are among the essential utilities for even rudimentary maintenance and testing. But the native Windows environment includes only a few of these tools, and those are, by and large, individual command-line utilities; one has to go to third parties to obtain many of the missing ones. Sam Spade is a nice piece of software that combines many of these common tools -- and several more uncommon ones -- into a single, integrated, Windows-compatible package.

Jack of All Trades

Sam Spade runs on all versions of Windows starting with Windows 95 and makes it simple to do a lot of investigation and analysis quickly, from determining the owner of a particular IP address block to examining the contents of a Web page. It also has several features that are specific to the detection of spam and sites that relay spam. Like a real private detective, Sam Spade doesn't do anything that you couldn't do yourself if you knew how and had the right tools; this software integrates the capabilities found in ping, traceroute, time, whois, nslookup, finger, DIG, a packet sniffer, a port scanner, a scripting language, and more, all with a nice GUI to boot.

FIGURE 1. The Sam Spade command console.

Figure 1 shows the Sam Spade command console. The various tools can be accessed via the pulldown menus, and several from the icons on the left side of the window.

FIGURE 2. Sam Spade configuration dialog box.

Although most of Sam Spade's features will run immediately upon installation, the more interesting and useful features require some minimal configuration. The configuration dialog box (Figure 2) is accessible from the Edit, Options pulldown menu. Key features to configure are your default name server, e-mail address, and Web site on the Basics tab; the network news server on the News tab; and e-mail information for abuse e-mails on the Mail tab. Users can also configure a time server (Miscellaneous tab), log file locations (Logfiles tab), and scripting file locations (Scripting tab). Advanced users can also specify whether DNS zone transfers, port scanning, and/or e-mail relay checking is allowed (Advanced tab).

DNS zone transfers, port scanning, and e-mail relay checking may be useful features for a knowledgeable user, but a remote system can mistake them for an attack, so their use should be limited.

All of the functions become available when the user enters a host name, domain name, or e-mail address in the address window, seen at the upper left of the main console screen. One of the advantages of this bundle of tools in one package is that once you enter a name or address, you can merely click on different tools to quickly obtain information.

Tools for Address, Domain, and Host Information

The bulk of Sam Spade's utilities allow the user to look up information about a remote host or domain, generally for the purpose of initial reconnaissance or forensic analysis:

Tools for E-mail and Spam

Several of the Sam Spade utilities are targeted at e-mail, allowing an end user or security administrator to determine the validity of e-mail header information as well as to fight back against spam. The program also provides an extensive tutorial on tracking and combating spam. These tools include:

Tools to Examine a Server or Web Site

Several Sam Spade tools allow a user to more closely examine the services available from another host, with particular attention to obtaining information about Web servers:

Miscellaneous Tools

Sam Spade's additional tools include:


I wanted to write about Sam Spade because it is one of the most common security tools that I use. It is versatile and it quickly provides a lot of the basic information that I need at the beginning of any analysis that I am going to do. Indeed, I don't try to fight back against every spam message I get nor do I check out the HTML code from every Web site I visit, but I do use those tools when I need them.

Sam Spade, however, is but one tool in my toolkit. What it does, it does well, but it doesn't do everything. If I am doing serious port scanning, I usually use nmap. If I really want to see the packets on the line, even from a Web site, I run to tcpdump or Sniffer. And I really do wish Sam Spade would tell me who owns an individual IP address block. Nevertheless, Sam Spade is a great tool; it is my 11-in-1 LeatherMan® security utility.

Sam Spade v1.14 is available at no cost from the Sam Spade Web site. Most of these functions are also available directly via a Web interface at the same site.

ABOUT THE AUTHOR: Gary C. Kessler is an Assistant Professor and program director of the Computer Networking major at Champlain College in Burlington, Vermont, and an independent consultant and writer. His e-mail address is