Fighting Spam

This article was developed for those seeking basic information about spam and how to deal with it. Here, we will discuss the following:

    What is Spam?
    How to Avoid Spammers
    How to Identify Spammers
    How to Report Spammers

What is Spam?

For the purposes of this article, we will define spam as any email you receive that you did not request and do not want. There are many kinds of email you may not wish to receive or read, and that is broader than the way computer professionals use the term: they are primarily concerned with illegal email spam.

A general definition of illegal email spam is "attempts to deceive by falsification of seller identity or email address, and use of other fraudulent means in the attempt to gain monetary advantage from the email recipient and other parties".

Like virtually every email user, you probably find a stream of unwanted, unsolicited email waiting each time you open your account. Some of it is offensive, some abusive, and some tries to scam you into buying services or products you don't want. Worse, some of it carries viruses, trojans, worms, or other malicious programs that can really mess up your day.

So what can you do about it? Do you just mark all the malicious email for deletion? Buy an anti-spam email program? Buy a new virus checker? Complain to AOL, Hotmail, or other Internet Service Providers? Or are you hoping that someday there will be a law that stops it?

Like most people, you have probably tried several of these approaches, yet you still wish you could do something more to stem the tide of garbage that continuously fills your inbox.

The first thing you must do to fight back against spam and hackers is to secure your computer against malicious Internet attacks of all types. To do this you absolutely must have a full-time antivirus program and an Internet firewall running at all times, and you must keep them current, which means taking the manufacturer's updates regularly. If you do not have these basic tools installed, install them as soon as possible.

If you are not sure what to use, I recommend downloading and installing the following three tools:


Avoiding Spammers

One of the easiest things you can do to avoid spam is to never give out your real email address. Your real email address should only be used with trusted friends and coworkers. For everything else, and for any situation that demands an email address from you, set up and use a junk email account. A junk email account is usually obtained from a free web-based email provider like Hotmail or our InfoHQ.com free email.

Use the junk account for all correspondence where the other party cannot be trusted with your real address: entering contests, shopping, registering on web sites, and so on. When the junk address fills with so much spam that you tire of managing it, delete it and get a new one. Spam problem solved; you start spam-free with a fresh address.

Don't open junk email. The safest thing to do with junk email is to delete it.

Bad things can happen when you open junk email: the impossible-to-close window trick, your home page reset to the spam site, and unwanted or hostile programs loaded onto your machine. Don't even consider opening junk email unless your computer is thoroughly protected and you intend to take action against the sender. Never open email attachments unless you trust the sender and were expecting an attachment; computer viruses and other hacker software are mainly transmitted through email attachments.

Opening email attachments is dangerous. When you open attachments you are putting your computer at risk. Unless you are absolutely sure an email attachment is safe, you should delete the entire email. If it was something important, it can always be resent.

Never click on "remove" links in spam. If it's a mailing list you subscribed to, or a store you trust, use the email's unsubscribe feature. For any other kind of spam, don't unsubscribe, as this only confirms that your address is live and invites more spam; you shouldn't be reading it in the first place.

Use your email program's spam-blocking features. Most email programs have them; take some time to learn how to block mail from spammers. Many programs let you specify exactly who is allowed to send you email. You can also download or buy programs that block spam, though these need time to "train" on what is spam and what isn't.

Fighting Email Spammers

Most spam (and virtually all current viruses) arrives with a fake sender address, so complaining to the administrator of the domain shown in the From: line is usually a waste of time. You first need to work out where the spam really came from; then you can complain to the administrators of the servers actually involved in sending it so they can deal with the spammer.

How to expose the Spammer:

First, you need to display the header portion of the email. This is where all of the transportation information is found. How to do this depends on your email client:

  • Outlook Express: File / Properties / Details / Message Source.
  • Microsoft Outlook 98 and 2000 for Windows: Right click on the message and select Options
  • Netscape Messenger 4.7 - 6: Open the email; View / Headers / All
  • Netscape Messenger 6.2 and higher: Go to Netscape Messenger Inbox; View / Headers / All

You'll see something similar to the following (not all fields will be present):

Return-path: <angelicohattersley@yahoo.com>
Envelope-to: mail@recipient.com
Delivery-date: Thu, 05 Jun 2003 14:06:15 +0200
Received: from [213.165.64.100] (helo=mx0.gmx.net)
	by mxng15.myprovider.com with smtp (Exim 3.35 #1)
	id 19NtVS-00089g-00
	for mail@recipient.com; Thu, 05 Jun 2003 14:06:10 +0200
Received: (qmail 30356 invoked by alias); 5 Jun 2003 12:06:10 -0000
Delivered-To: GMX delivery to recipient@gmx.net
Received: (qmail 30132 invoked by uid 65534); 5 Jun 2003 12:06:08 -0000
Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
  by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200
From: "Dieter Wroblewski " <angelicohattersley@yahoo.com>
Reply-To: "Dieter Wroblewski " <angelicohattersley@yahoo.com>
To: joevicki2000@yahoo.com
Date: Fri, 21 Feb 2003 07:55:25 -0800
Subject: SilkSnake.com - Porn, Games, Movies and Much More
MIME-Version: 1.0
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20030605120609.30223gmx1@mx010-rz3.gmx.net>
X-Resent-By: Forwarder <forwarder@gmx.net>
X-Resent-For: recipient@gmx.net
X-Resent-To: mail@recipient.com

First find out from where the mail reached your mailserver. In this case the mail claims to come from a yahoo.com customer, but no Received: line shows it passing through a yahoo.com mailserver, so it is not really from Yahoo.

Looking at the Received: lines will reveal all of the information you need. Every mailserver that handles a message adds its own Received: line at the top, so the topmost line was written by your own provider's server and can be trusted; the lines beneath it arrived with the message from the sending side, and only those written by servers you trust (your provider, or a forwarder you use) are reliable. Generally you want the very first line starting with Received: from, but if your mail is automatically resent through a mail forwarder such as GMX or POBOX (indicated by the Delivered-To: lines in this example), look for the first Received: from line after the last Delivered-To: line, since that is the line the forwarder wrote when it accepted the message. In this case that is:


Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
  by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200

Make sure the host named in that from clause is an outside server, not one of your own provider's: mail is sometimes handed between servers inside your provider before it reaches you, and those internal hops are not the origin.

The sender's computer claimed to be a server called fw.muan.chonnam.kr (in Korea), but you can't trust HELO values; they can be faked. More significant is the IP address that follows (in other headers the IP address may precede the server name or be enclosed in square brackets, such as [211.34.18.231]). An IPv4 address is always a sequence of four numbers from 0 to 255, separated by dots. The string "unknown" in that same line indicates that the receiving mailserver tried a reverse lookup to get a name for the address and found none. Well-administered networks provide name lookups for all their IP addresses.
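As an added example (not part of the original article), the Python script below automates the walk through the Received: lines described above. It generalizes the rule slightly: instead of keying on the Delivered-To: marker, you name the domains of the servers you trust (your own provider and any forwarder you use), and it follows the chain downward only while each Received: line was written by one of those servers and names the server that wrote the line above it. That continuity check is what catches a bogus Received: line a spammer pre-loads beneath the genuine ones. SAMPLE_HEADERS is the header block from this article; FORGED_HEADERS, relay.example.net and 203.0.113.5 are constructed for the demonstration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# The article's own header sample, routing fields only: the mail claims to be
# from yahoo.com but was handed to GMX by 211.34.18.231 and forwarded on.
SAMPLE_HEADERS = """\
Return-path: <angelicohattersley@yahoo.com>
Received: from [213.165.64.100] (helo=mx0.gmx.net)
\tby mxng15.myprovider.com with smtp (Exim 3.35 #1)
\tfor mail@recipient.com; Thu, 05 Jun 2003 14:06:10 +0200
Received: (qmail 30356 invoked by alias); 5 Jun 2003 12:06:10 -0000
Delivered-To: GMX delivery to recipient@gmx.net
Received: (qmail 30132 invoked by uid 65534); 5 Jun 2003 12:06:08 -0000
Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
  by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200
From: "Dieter Wroblewski " <angelicohattersley@yahoo.com>
Subject: SilkSnake.com - Porn, Games, Movies and Much More

(body omitted)
"""

# Constructed variant: the spammer pre-loads a bogus Received: line that claims
# to have been written by mx0.gmx.net. It ends up below the genuine GMX line.
FORGED_HEADERS = SAMPLE_HEADERS.replace(
    "From: ",
    "Received: from relay.example.net (HELO relay.example.net) (203.0.113.5)\n"
    "  by mx0.gmx.net (forged) with SMTP; 05 Jun 2003 14:06:00 +0200\nFrom: ",
    1,
)

IPV4 = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")


def header_sequence(raw):
    """(name, value) pairs in on-the-wire order, folding collapsed; top = newest hop."""
    return [(k, " ".join(v.split())) for k, v in message_from_string(raw).items()]


def parse_received(value):
    """Split 'from X by Y ...'; a local handoff such as
    '(qmail 30356 invoked by alias)' has no 'from' clause and yields None."""
    m = re.match(r"from (.*?) by (\S+)", value, re.IGNORECASE)
    if not m:
        return None
    ips = []
    for ip in IPV4.findall(m.group(1)):
        try:
            ips.append(str(ipaddress.IPv4Address(ip)))
        except ipaddress.AddressValueError:
            pass  # a dotted version string, not an address
    # The IP is what the receiving server saw on the wire; the HELO name in the
    # same clause is whatever the sender chose to announce.
    return {"from": m.group(1), "by": m.group(2).strip("[]").lower(),
            "ip": ips[-1] if ips else None}


def in_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def find_origin(raw, trusted_domains):
    """Walk Received: lines top-down while they were written by servers we trust
    (our provider, any forwarder) and while each hop names the server that wrote
    the hop above it. The lowest such hop with a public source IP is where the
    mail entered the trusted chain; everything below it came from the sender."""
    trusted = [d.lower() for d in trusted_domains]
    prev = origin = None
    for name, value in header_sequence(raw):
        if name.lower() != "received":
            continue
        hop = parse_received(value)
        if hop is None:
            continue  # queue handoff inside one server, no network hop
        if not in_domain(hop["by"], trusted):
            break  # written by a server we do not control; may be forged
        if prev and hop["by"] not in prev["from"].lower():
            break  # chain broken: the hop above did not come from this server
        prev = hop
        if hop["ip"] and ipaddress.IPv4Address(hop["ip"]).is_global:
            origin = hop
    return origin


def claimed_sender_domain_seen(raw):
    """(claimed sender domain, whether any Received: 'by' host belongs to it).
    ('yahoo.com', False) means the mail never touched a Yahoo server."""
    claimed, by_hosts = None, []
    for name, value in header_sequence(raw):
        if name.lower() in ("return-path", "from") and claimed is None:
            addr = parseaddr(value)[1]
            claimed = addr.rsplit("@", 1)[1].lower() if "@" in addr else None
        elif name.lower() == "received" and parse_received(value):
            by_hosts.append(parse_received(value)["by"])
    return claimed, bool(claimed) and any(in_domain(h, [claimed]) for h in by_hosts)


if __name__ == "__main__":
    hop = find_origin(SAMPLE_HEADERS, ["myprovider.com", "gmx.net"])
    print("origin IP", hop["ip"], "announced itself as", hop["from"])
    print("claimed sender domain seen:", claimed_sender_domain_seen(SAMPLE_HEADERS))
    print("with forged line:", find_origin(FORGED_HEADERS, ["myprovider.com", "gmx.net"])["ip"])
```

Run against the sample it reports 211.34.18.231 as the origin and ("yahoo.com", False) for the claimed sender; with the forged line present it still reports 211.34.18.231, because the genuine GMX hop says it received the mail from fw.muan.chonnam.kr, not from mx0.gmx.net, so the chain stops there.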

Next, look the IP address up in a WHOIS database. For addresses outside the United States, the first lookup will usually return only a listing for the registry (NIC) of the country or region (for example RIPE for Europe, APNIC for Japan, Australia, Singapore, Korea and China, or LACNIC for Brazil and Argentina). In that case, go back, set the WhoisServer to the corresponding value (e.g. RIPE, APNIC, LACNIC) and reissue the request. The regional server may give you the result you want, or it may refer you on to a national registry (such as KRNIC), which finally discloses the company. Usually that company is a cable provider or other telecommunications company.

In this example, the first search reveals that the IP address belongs to the APNIC region. Repeating the search with APNIC as the WHOIS server shows that the IP comes out of the KRNIC pool, and repeating it via KRNIC gives us what we want:


     [ ISP Network Abuse Contact Information ]
     Name               : Pubnet Abuse Manger
     Phone              : +82-2-710-1457
     Fax                : +82-2-710-1411
     E-Mail             : abuse@pubnet.ne.kr
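The referral chain above (ARIN to APNIC to the Korean registry) is the same mechanical loop every time: query a server, harvest any abuse address it returns, follow its referral if it gives one, stop at the server that does not. The script below, an added example rather than anything from the article, does that walk and also serves the later section on finding an ISP for a specific IP address, since an ARIN-style OrgAbuseEmail: line is parsed the same way. whois_query speaks plain WHOIS on TCP port 43 for live use; OFFLINE_RESPONSES are constructed stand-ins (the ranges, netnames, helpdesk@apnic.example and the whois.krnic.example server are made up; only abuse@pubnet.ne.kr is the address the article found) so the logic can be exercised without a network.

```python
import re
import socket

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Explicit referral keys: ARIN's ReferralServer:/ResourceLink:, IANA's refer:/whois:
EXPLICIT_REFERRAL = re.compile(
    r"^(?:ReferralServer|ResourceLink|refer|whois):\s*(?:whois://)?([\w.-]+)", re.I | re.M)
# Fallback: any whois.* host mentioned in free-text remarks
WHOIS_HOST = re.compile(r"\b(whois\.[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

# Constructed stand-ins for the three lookups the article walks through by hand
# (ARIN -> APNIC -> the Korean national registry). Field names follow the real
# registries' styles; ranges, netnames and the .example hosts are made up, and
# only the final abuse address is the one the article found.
OFFLINE_RESPONSES = {
    "whois.arin.net": """\
NetRange:       211.0.0.0 - 211.255.255.255
NetName:        APNIC-211
NetType:        Allocated to APNIC
OrgAbuseEmail:  helpdesk@apnic.example
ReferralServer: whois://whois.apnic.net
""",
    "whois.apnic.net": """\
% [whois.apnic.net]
inetnum:        211.34.0.0 - 211.35.255.255
netname:        CONSTRUCTED-KR
country:        KR
remarks:        assignments in this range are registered with the national
remarks:        registry; query whois.krnic.example for the holder
""",
    "whois.krnic.example": """\
[ ISP Network Abuse Contact Information ]
Name               : Pubnet Abuse Manager
E-Mail             : abuse@pubnet.ne.kr
""",
}


def abuse_contacts(text):
    """Addresses on any line mentioning 'abuse': ARIN OrgAbuseEmail:, RIPE/APNIC
    abuse-mailbox:, or a national registry's abuse-contact block."""
    found = []
    for line in text.splitlines():
        if "abuse" in line.lower():
            found += [a.lower() for a in EMAIL.findall(line) if a.lower() not in found]
    return found


def next_server(text, seen):
    """The server a response refers us on to, or None when it is authoritative.
    Servers already queried are skipped so a self-reference cannot loop."""
    for rx in (EXPLICIT_REFERRAL, WHOIS_HOST):
        for m in rx.finditer(text):
            host = m.group(1).lower().rstrip(".")
            if host not in seen:
                return host
    return None


def resolve_abuse_contact(ip, fetch, start="whois.arin.net", max_hops=6):
    """Follow referrals from a regional registry down to the national or
    provider-level one, as the article does by hand. fetch(server, query) is
    injectable so the same logic runs offline against canned responses."""
    server, seen, trail, contacts = start, set(), [], []
    while server and len(trail) < max_hops:
        seen.add(server)
        trail.append(server)
        text = fetch(server, ip)
        contacts = abuse_contacts(text) or contacts  # the deeper registry wins
        server = next_server(text, seen)
    return {"server": trail[-1], "contacts": contacts, "trail": trail}


def whois_query(server, query, timeout=10):
    """Plain RFC 3912 WHOIS: TCP port 43, send the query plus CRLF, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def offline_fetch(server, query):
    return OFFLINE_RESPONSES[server]


if __name__ == "__main__":
    result = resolve_abuse_contact("211.34.18.231", offline_fetch)
    print(" -> ".join(result["trail"]), "gives", result["contacts"])
    # Against the live registries (network needed):
    # resolve_abuse_contact("211.34.18.231", whois_query)
```

Keeping the transport (whois_query) separate from the walk (resolve_abuse_contact) is what lets you test the referral logic offline; registries change their output formats, so when a live lookup stops finding a referral, paste the raw response into OFFLINE_RESPONSES and adjust the patterns rather than guessing.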

Now you know whom to complain to. Most domains have an abuse contact such as abuse@domainname; if mail to that address bounces, write to postmaster@domainname instead. Write a short and polite complaint, leave the subject line unchanged from the spam, and follow your note with the complete message source (with full headers, see above), unmodified.
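Putting the complaint together by hand is error-prone (headers get trimmed, the subject gets edited), so here is an added example, not from the article, that builds it with Python's email library: a short note quoting the Received: line that names the origin IP (that line also carries the timestamp and time zone the ISP needs to map a dynamic address to a customer), the spam's own Subject: kept as-is, and the complete original attached unmodified as a message/rfc822 part, which automated abuse handlers can parse. RAW_SPAM is a constructed minimal message built around the Received: line isolated above; you@example.com and the body text are made up.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed minimal spam. The Received: line is the one the article isolated;
# the body is made up.
RAW_SPAM = """\
Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
  by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200
From: "Dieter Wroblewski " <angelicohattersley@yahoo.com>
To: joevicki2000@yahoo.com
Subject: SilkSnake.com - Porn, Games, Movies and Much More
Date: Fri, 21 Feb 2003 07:55:25 -0800
Content-Type: text/plain; charset=us-ascii

Visit our site today!
"""


def recipients_for(domain):
    """abuse@ first; postmaster@ is the fallback when the abuse address bounces."""
    return [f"abuse@{domain}", f"postmaster@{domain}"]


def build_complaint(raw_spam, reporter, abuse_domain, origin_ip, attempt=0):
    """One complaint message: short polite note, the spam's own Subject: kept
    unchanged, and the complete original attached as message/rfc822."""
    spam = message_from_string(raw_spam, policy=policy.default)
    # The Received: line that names the origin IP also carries the timestamp
    # and zone the ISP needs to map a dynamic address back to a customer.
    evidence = next((v for v in spam.get_all("Received", []) if origin_ip in v), None)
    if evidence is None:
        raise ValueError(f"{origin_ip} does not appear in any Received: line")

    report = EmailMessage()
    report["From"] = reporter
    report["To"] = recipients_for(abuse_domain)[attempt]
    report["Subject"] = str(spam["Subject"])
    report.set_content(
        "Hello,\n\n"
        f"The attached message was sent to me unsolicited from {origin_ip}, a host in "
        "your network, at the time shown in this Received: line:\n\n"
        f"    Received: {' '.join(evidence.split())}\n\n"
        "The complete message with full headers is attached unmodified as "
        "message/rfc822. Please investigate and stop the sender.\n\nThank you.\n"
    )
    report.add_attachment(spam)  # becomes the message/rfc822 part
    return report


if __name__ == "__main__":
    print(build_complaint(RAW_SPAM, "you@example.com", "pubnet.ne.kr",
                          "211.34.18.231").as_string())
```

If the first attempt bounces, call build_complaint again with attempt=1 to address postmaster@ instead; everything else in the report stays identical, so the ISP sees the same evidence either way.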

Reporting Spammers

Report threats, harassment, frauds, and other crimes to law enforcement agencies. If you believe a spammer or hacker is trying to commit a crime against you or your family then complain to law enforcement officials. You can complain to local police, state agencies, and federal agencies.

Online complaints can also be made to the following agencies.

1. Follow state procedures for reporting illegal spam or hack attempts. There are currently 21 states that have laws regulating unsolicited bulk email (UBE). You should become familiar with your state's laws and determine if there are any designated state agencies that you can report the spam to. If your state doesn't have a UBE law, you can still report illegal spam to your state's attorney general.

2. Complain to the FTC. The Federal Trade Commission has an online consumer complaint form which you can use to report spam. They amass the spam in a law enforcement database and track down major illegal spammers. They do not resolve individual complaints. If you want to complain to the FTC, I suggest you just forward your spam to them at UCE@FTC.GOV and save yourself the time of filling out the form. You can forward any type of spam to the FTC as they keep a spam database for law enforcement purposes.

Finding a Spammer's ISP

In order to complain to a spammer's ISP, you first have to find the spammer's true ISP in the email header of the spam. This process can become complicated because:

  1. Spammers almost always use a free email account as their reply address, e.g. givememoney@hotmail.com. Complaining to the free email provider will kill the Hotmail account (a good thing), but it doesn't get the spammer off the Internet, because they still have an ISP that gives them access.
  2. They conceal their ISP by falsifying the sender address in the email header; givememoney@hotmail.com may be an entirely fictitious address.
  3. They find unsuspecting servers to relay their email, which makes the relaying server look like the originating ISP.
  4. Their ISPs are in foreign countries that may or may not take action against the spammer.

Thankfully, there is an easy way to determine the ISP of a spammer.

The Easy Way to Track Down a Spammer's ISP

The fastest way I've found to complain to a spammer's ISP is to use the services of a website called SpamCop.net. To use SpamCop.net you do the following:

  1. You register for a free account
  2. They send you an address to forward your spam to
  3. You forward any email spam you want to track to the SpamCop address (I suggest you also forward (cc:) the spam to UCE@FTC.GOV so the spam gets included in the Consumer Sentinel law enforcement database).
  4. Spamcop processes the spam and notifies you by email.
  5. You click on a link in the email that takes you to a web page with the processed spam.
  6. You review the web page to see if the spam processed.
  7. You hit the send button to mail SpamCop's automated complaints directly to the spammer's ISP, email provider, relay server etc.

After you have set up your account the process only takes a couple of minutes per email. The one drawback is that you don't receive confirmation that any action has been taken. In practice, though, most US ISPs and many foreign ISPs do act on these notices and will close the spammer's accounts if they can identify the spammer.

(Be advised that while SpamCop is free, they do request small donations.)

SpamCop is a good utility that does a decent job of tracking down a spammer's ISP. It is a tremendous time saver as it can take 30 minutes or more to manually investigate an email header.

How to find an ISP for a specific IP address

Your firewall program probably has tools for tracking down the hacker's ISP with an IP address. However, for the benefit of those that may not have a sophisticated firewall program, I'll show you an easy way to track down a hacker.

I use the whois tool at www.dnsstuff.com, which traces the hacker's ISP from an IP address. Go to the website, type the hacker's IP address in the Domain Info look-up box and click the Get Info button. The whois tool displays the following information:

IP Address Requested: 
Blacklist Status:   
Whois History:  XX records stored
Oldest:   DATE
Newest: DATE 
Record Type:  IP Address 
IP Location:   Country, State, City, Domain Org Name 
Reverse IP:  How many hosted websites 
Reverse DNS:  Domain name 

Below that you get a lot more information about the IP address, along with the contact information for it.

The whois trace yields a lot of information, but the first three lines and the very last part are what matter most. The first lines tell us the ISP is www.tampabay.rr.com, and the last part gives the address to complain to, abuse@rr.com.

If you go to the ISPs' websites (www.rr.com or www.tampabay.rr.com) you will confirm that these are both Road Runner sites. So our hacker has originated from the Tampa Bay Road Runner ISP and we should send our complaint to abuse@rr.com.

Now we can send a complaint to the hacker's ISP, rr.com, to have them take action. I composed and sent the following email.

Usually you will receive a form letter in reply from the ISP, like this one:

From: abuse_autoresponder@rr.com 
Reply-To: please_do_not_reply@rr.com 
To: webmaster@infohq.com 
Subject: [Automatic Reply] Hacker from your domain 
Date: Thu, 19 Sep 2002 02:26:13 -0400 


*******************************************************
==DO NOT REPLY DIRECTLY TO THIS MESSAGE==
==ROAD RUNNER WILL NOT SEE ANY REPLY SENT TO THIS MESSAGE==
*******************************************************

This is an automatic reply to confirm that your message has been received
by Road Runner Security (abuse@rr.com) describing an incident of alleged
service abuse. You will only receive this message once per day.

All complaints regarding Earthlink High Speed Users (*.mindspring.com) should
be directed to ABUSE@MINDSPRING.COM - Road Runner DOES NOT handle abuse issues
dealing with Earthlink customers.

If you are a Road Runner subscriber, writing to complain about spam sent
*TO* your Road Runner account, please visit http://security.rr.com/help.htm

*******************************************************
* If your message contains obscenities, abusive, or threatening language
* directed at our abuse staff, it will be discarded without further action.*
* Please remember that the people who read complaints at this address are
* working to assist you with addressing your issue - RR Security 
* ******************************************************

If you sent your message to an address other than abuse/security/fraud@rr.com,
please be aware that your message was automatically forwarded to our centralized
location at the address abuse@rr.com. You may wish to use abuse@rr.com, security@rr.com,
or fraud@rr.com for all future issues. 

Road Runner is dedicated to ensuring that its service is used in a manner
that is consistent with the policies set forth in its Terms of Service Agreement
and Acceptable Use Policy, a copy of which can be found at http://security.rr.com.
Road Runner takes all reported abuse complaints seriously, and will handle
them in accordance with the above policies in a timely and efficient manner.
Should we require further information regarding your complaint, we will contact
you. 

Please note, although it is not always possible for us to provide a direct
human response to your complaint, we do investigate *all* complaints. As
such, please do not interpret a lack of response as a lack of action taken.
If we find that a customer is in violation of our policies, we will take
the necessary action to stop the activity in question.

Thank you for taking the time to contact Road Runner.
----------------

At this point, you have done about all that you can do to stop further hacks from occurring to you and to others. Your firewall's security log will track all hack attempts, so if you are hacked again by the same IP, don't hesitate to send out another letter.

Conclusion

Hopefully, now that you have a better understanding of spammers, how to identify them and how to report them, you will be able to defend yourself and your computer from many types of illegal Internet activity. Some of you will be interested and knowledgeable enough to make attempts to fight back against the spammers and hackers.

The most important thing is to take some kind of action against these spammers. Don't assume that ignoring spam or running a firewall program has solved all your problems. If everyone takes the time to report these activities, it will only help us in the future.