Wednesday, May 30, 2007

The "how to complain about spam" guide

Basic Rules of SpamFighting

#1 - The From: address is almost *always* fake.
If you get a lump of spam from abuse@hotmail.com, then I can *guarantee* that it didn't come from there at all. Spammers forge the From: address as a matter of course - usually to hide, sometimes to punish innocent sites. If your own e-mail address appears in the From: header of spam you never sent, then you've been joe-jobbed. More on that later.
This means that replying to the message, bouncing the message, or sending a complaint to the administrator of the domain in the From: address is useless. It's a waste of time.

But... But... How can I complain then?
You must learn to look beyond the headers you can see. You must learn to read the full headers. More on that later.

#2 - Never unsubscribe
You didn't subscribe to it, so don't unsubscribe. Most spammers either provide a fake 'unsubscribe' address, or the better ones make a list of everyone who asked to be unsubscribed and sell them to other spammers as 'Confirmed Addresses'. Unsubscribing from unsolicited mail is the easiest way to quadruple your spam volume in a few days.

#3 - What *is* spam?
Well, first, it's not SPAM®. SPAM® is a trademark of Hormel Foods, and they've been jolly decent about allowing people to say 'spam' without getting sued. SPAM® all in capitals is a compressed pork/ham luncheon meat I happen to rather like in a stir-fry.
Spam (lower case, first letter capitalised as the start of a sentence) is Unsolicited Bulk E-mail. Now, if someone sends you a message you don't like, it's not spam. If someone sends you a commercial mailing you signed up for a while back but don't want any more, then it's not spam.
Don't worry about what's *IN* a message - spam is about conSent, not conTent. Did you give permission for a company to send you that e-mail? If the answer is 'no', and it's been sent to more than one person (who also didn't ask for it), *then* it's spam.

#4 - Never bounce spam back
Do *NOT*, I repeat do *NOT* bounce spams back. Remember #1: the From: address is forged, so your 'bounce' lands on an innocent third party, and you have just sent them a copy of the spam yourself. That is the *WORST* thing you can do, and software that allows you to do it should be banned as spamware itself.

Stop using any bounce features in your filter software NOW.

There are a number of things you can do as an end-user to help fight spam.

The first thing you need to be able to do is to view full headers. Depending on your mail reader, you might have to click 'Edit -> Message Source', 'View -> Headers -> All'... Check your documentation. A message with *complete* headers should look something like this one:


Quote:
From - Sat Jun 14 23:01:32 2003
X-UIDL: 1055575258.40440.erebus.uk.clara.net
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Envelope-To: me@mydomain
X-claradeliver-Version: 4.21.1
X-Clara-Filter: xxXWDPgivz9Pw
Return-path:
Delivery-date: Sat, 14 Jun 2003 08:20:53 +0100
Received: from ultra17.uk2net.com ([212.4.208.117])
by erebus.uk.clara.net with esmtp (Exim 4.12)
id 19R5LJ-000AVj-00
for me@mydomain; Sat, 14 Jun 2003 08:20:53 +0100
Received: from [195.166.233.49] (helo=ommo.net)
by ultra17.uk2net.com with smtp (Exim 0.00)
id 19R5LD-0002xO-00
for usenet@mydomain; Sat, 14 Jun 2003 08:20:49 +0100
From: "MR ALEX ISO"
Reply-To: dr_alex1@indiatimes.com
To: usenet@mydomain
Date: Sat, 14 Jun 2003 09:20:57 +0200
Subject: VERY UGRENT
X-Mailer: Microsoft Outlook Express 5.00.2919.7000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id:
X-UIDL: 1055575258.40440.erebus.uk.clara.net
X-RCPT: myname
Status: U

I am Mr Alex Isu=2C Bank Manager of United Bank For
Africa =2C capetown Branch=2E I have urgent and very
confidential business proposition for you=2E On June 6
1998=2C a gold merchant=2Fcontractor with the
Randgold Exploration Company=2C Mr=2E Jim Smith made a
numbered time =28Fixed=29 deposited for
twelve calendar months=2C valued at US$25=2C000=2C000=2E00
=28Twenty-five Million Dollars=29 in my branch=2E
.

This is an actual spam sent to my mail account a while back. Let's take the headers one at a time.

From - Sat Jun 14 23:01:32 2003
Ignore this - it isn't an e-mail header at all. It's the separator line that a mail client storing mail in mbox format (here Mozilla, which also added the X-Mozilla-Status lines) writes in front of each message. You may or may not see one in yours.

X-UIDL: 1055575258.40440.erebus.uk.clara.net
Any header whose name starts with X- is an *optional* header. Sometimes there is useful information in these, but most of the time it's just bumf (and occasionally outright lies to throw you off the scent). You can ignore these.

Return-path:
This is the envelope sender, the address that bounces would go to, and the spammer chooses it just as freely as the From: line. It's almost certain that this message didn't come from IndiaTimes.com - ignore this.

Delivery-date: Sat, 14 Jun 2003 08:20:53 +0100
I think you can work this one out for yourself.

Received: from ultra17.uk2net.com ([212.4.208.117])
by erebus.uk.clara.net with esmtp (Exim 4.12)
id 19R5LJ-000AVj-00
for me@mydomain; Sat, 14 Jun 2003 08:20:53 +0100

Ah! Now, *this* is the important bit! The Received: headers tell you where the message *really* came from, because every mail server that handles a message adds its own Received: line to the *top* of the headers. The topmost line was therefore written by the last server to touch the message (usually your own), and each line below it was written earlier - or, at the bottom, possibly not by a server at all. You read these headers from the top down, *never* bottom-up - spammers often put fake Received: lines below the genuine ones to trick you into complaining to the wrong admins. Trust a line only if the server named after 'by' is one you trust, and stop at the first line that isn't.
This particular header is genuine - the message was sent to usenet@mydomain, received by UK2's SMTP server (ultra17.uk2net.com), and forwarded to my own ISP's server (erebus.uk.clara.net) so it gets to my *real* address. So, knowing this is genuine, we move on to the next line down.

Received: from [195.166.233.49] (helo=ommo.net)
by ultra17.uk2net.com with smtp (Exim 0.00)
id 19R5LD-0002xO-00
for usenet@mydomain;

This is the last Received: line written by a server we trust (ultra17.uk2net.com, the one named after 'by'), so this is the one we're looking for. Any lines below it would have been written by the sender itself and are worthless. But, how do we know where the message came from?

from [195.166.233.49] (helo=ommo.net)
HELO is the SMTP command with which the sending machine introduces itself ("My name is..."), and it should normally give the sending server's real hostname. In this case it claims to be ommo.net. Put simply, it lies. The *real* address is the one between the square brackets - 195.166.233.49 - because ultra17.uk2net.com took it from the TCP connection it accepted, and the sender can't forge that. (That machine may of course be an open relay or a hijacked PC rather than the spammer's own box, but its owner is still the right person to tell.)

So, looking at the headers, we know that the spammer lied when he said he was posting from 'IndiaTimes.com'. We also know the server lied when it said it was 'ommo.net'. These are innocent people - do not complain to/about them.
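Here is the top-down walk just described, as an added example written for this guide (it is not the guide author's code). It parses the sample spam quoted above and stops at the first Received: line whose 'by' host is not one we trust. TRUSTED_HOSTS is an assumption: the servers you run or trust to write honest Received: lines. The RAW_SPAM text is constructed from the sample, with one extra forged Received: line appended *below* the genuine ones (the 203.0.113.9 / example.net names are documentation addresses) to show why reading from the bottom up would send your complaint to the wrong place.

```python
"""Trace a spam to its injection point by walking Received: headers top-down.

Added example for this guide, not the guide author's code.
"""
import email
import re

# Assumption: the mail servers whose Received: lines we are prepared to believe.
TRUSTED_HOSTS = {"erebus.uk.clara.net", "ultra17.uk2net.com"}

# Constructed from the sample spam quoted above; the third Received: line is a
# forgery added here (documentation addresses) to illustrate the bottom-up trap.
RAW_SPAM = """\
Delivery-date: Sat, 14 Jun 2003 08:20:53 +0100
Received: from ultra17.uk2net.com ([212.4.208.117])
    by erebus.uk.clara.net with esmtp (Exim 4.12)
    id 19R5LJ-000AVj-00
    for me@mydomain; Sat, 14 Jun 2003 08:20:53 +0100
Received: from [195.166.233.49] (helo=ommo.net)
    by ultra17.uk2net.com with smtp (Exim 0.00)
    id 19R5LD-0002xO-00
    for usenet@mydomain; Sat, 14 Jun 2003 08:20:49 +0100
Received: from mail.example.net (mail.example.net [203.0.113.9])
    by ommo.net with esmtp; Sat, 14 Jun 2003 08:20:40 +0100
From: "MR ALEX ISO"
Reply-To: dr_alex1@indiatimes.com
To: usenet@mydomain
Subject: VERY UGRENT

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"\bfrom\s+(?P<from>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I)


def parse_received(value):
    """Split one Received: value into the IP the receiving server recorded,
    the name the sender claimed (HELO), and the receiving ('by') host.
    Returns None for a line with no 'from ... by ...' clause."""
    value = " ".join(value.split())              # unfold continuation lines
    m = HOP_RE.search(value)
    if not m:
        return None
    from_part = m.group("from")
    ip = IP_RE.search(from_part)
    helo = re.search(r"helo=([^\s)]+)", from_part)
    if helo:
        claimed = helo.group(1)
    else:
        first = from_part.split()[0]
        claimed = None if first.startswith("[") else first
    return {"ip": ip.group(1) if ip else None,
            "helo": claimed,
            "by": m.group("by").lower()}


def trace_origin(raw_message, trusted_hosts):
    """Walk the Received: lines top-down. A line is believable only if its
    'by' host is one we trust: the IP it records came from the TCP connection
    that trusted server accepted, which the sender cannot forge. Stop at the
    first line written by an untrusted host; everything below it is suspect."""
    msg = email.message_from_string(raw_message)
    origin = {"origin_ip": None, "helo": None, "hops": 0}
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["by"] not in trusted_hosts:
            break                                # untrusted author: stop here
        origin.update(origin_ip=hop["ip"], helo=hop["helo"])
        origin["hops"] += 1
    return origin


if __name__ == "__main__":
    result = trace_origin(RAW_SPAM, TRUSTED_HOSTS)
    print("injected from", result["origin_ip"], "claiming to be",
          result["helo"], "after", result["hops"], "trusted hop(s)")
```

Run it and the answer is 195.166.233.49 with a HELO of ommo.net, found after two trusted hops; the forged third line, and its tempting 203.0.113.9, is never reached. One caveat: a spammer who knows your server names can also forge a line that claims to be 'by' one of them. A stricter check additionally requires that the 'from' host of each trusted line matches the 'by' host of the line beneath it, so the chain has to be internally consistent as well as trusted.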

So, I know the IP address of the original mailserver. What can I do?
First of all, find out who it is. You can do WHOIS lookups at places like RIPE, ARIN, and many others. The easiest way is to visit a site like SamSpade, where you can do useful things like rDNS and WHOIS from a website. Or even better, download SamSpade for Windows from the same site - a *very* useful bit of freeware for Spam Rangers.

Doing a reverse DNS lookup on 195.166.233.49 doesn't help - there is no PTR record set up for it. So, we do a WHOIS on it instead.


Quote:
07/18/03 20:48:40 whois 195.166.233.49@whois.ripe.net
whois -h whois.ripe.net 195.166.233.49 ...
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-ser.../copyright.html

inetnum: 195.166.224.0 - 195.166.255.255
netname: NG-LINKSERVE-971217
descr: Linkserve Nigeria Limited
descr: PROVIDER
country: NG
admin-c: TO219-RIPE
tech-c: TO219-RIPE
status: ALLOCATED PA
notify: tunde@linkserve.com.ng
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster@ripe.net

person: Tunde Ogedengbe
address: Linkserve
address: 22 Akin Adesola
address: FATB Plaza
address: Victoria Island
address: Lagos Nigeria
phone: +234 1 2623900
fax-no: +234 1 262 3906
e-mail: tunde@linkserve.com.ng
nic-hdl: TO219-RIPE
notify: tunde@linkserve.com.ng
changed: hostmaster@ripe.net 19971217
source: RIPE


So, our original ISP is Linkserve in Nigeria. Kinda fitting for a Nigerian 419 scam, isn't it?

From this, we get the listed technical contact, plus the standard abuse@ and postmaster@ role addresses that every domain is supposed to run. Sending complaints to:
tunde@linkserve.com.ng
abuse@linkserve.com.ng
postmaster@linkserve.com.ng
with copies of the spam (including FULL HEADERS) *might* get something done.

Man, that's a lot of hassle. Isn't there something I can do without cutting into my free time?
Sure! Sites like SpamCop.net parse the full headers for you. SpamCop will then send complaints to the relevant people on your behalf, and add the sending IP address to a blacklist (the SpamCop Block List, or SCBL).

Another very useful thing to do is to post to NANAS - news.admin.net-abuse.sightings. First, search out all *innocent* e-mail addresses in the spam (yours, anyone else's in To:, Cc: or the Received: lines) and remove them - replace them with an 'x' or the word 'munged'. Leave the spammer's own addresses, such as a Reply-To: dropbox, in place; those are what the admins need to see. This means that the bots that trawl Usenet looking for addresses to spam won't find yours. Then post the munged spam with full headers into NANAS, with the subject line identical to the spam but with [email] tagged on to the front.
A lot of automated systems trawl NANAS for spam samples, and admins often look there to see if anyone else has gotten similar spams. If you do nothing else, posting to NANAS will help. Just remember to remove your e-mail addresses!
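A small helper for that munging step, as an added example written for this guide (not the guide author's code). It replaces every e-mail address except those you list as the spammer's own with the word 'munged', and builds the NANAS subject line. SAMPLE is a cut-down copy of the spam quoted above; me@mydomain and usenet@mydomain stand in for your real addresses, and the partner@example.com address in the body is constructed to show that addresses in the body get munged too. Which addresses to keep is your call: here the Reply-To dropbox is kept, because that is what the free-mail provider's abuse desk needs.

```python
"""Munge innocent addresses out of a spam and tag the subject for NANAS.

Added example for this guide, not the guide author's code.
"""
import email
import re

# Matches bare addresses, including single-label domains such as me@mydomain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*")

# Constructed from the sample spam quoted above; partner@example.com is made up.
SAMPLE = """\
Received: from [195.166.233.49] (helo=ommo.net)
    by ultra17.uk2net.com with smtp (Exim 0.00)
    for usenet@mydomain; Sat, 14 Jun 2003 08:20:49 +0100
From: "MR ALEX ISO"
Reply-To: dr_alex1@indiatimes.com
To: usenet@mydomain
Subject: VERY UGRENT

I have urgent and very confidential business proposition for you.
Reply to dr_alex1@indiatimes.com or to my colleague at partner@example.com.
"""


def munge(text, keep):
    """Replace every address not in `keep` (compared case-insensitively)
    with the word 'munged'. Headers and body are treated alike, so the
    addresses in Received: 'for' clauses get munged as well."""
    keep = {addr.lower() for addr in keep}
    return EMAIL_RE.sub(
        lambda m: m.group(0) if m.group(0).lower() in keep else "munged", text)


def nanas_post(raw_spam, keep):
    """Return (subject, body) ready to post: '[email] ' plus the spam's own
    subject, and the complete spam with innocent addresses munged."""
    subject = email.message_from_string(raw_spam).get("Subject", "").strip()
    return "[email] " + subject, munge(raw_spam, keep)


if __name__ == "__main__":
    subject, body = nanas_post(SAMPLE, keep={"dr_alex1@indiatimes.com"})
    print("Subject:", subject)
    print(body)
```

The spammer's dropbox survives in both the Reply-To: header and the body, while usenet@mydomain (including the copy in the Received: 'for' clause) and the invented partner@example.com are replaced. Check the output by eye before posting anyway: a regex will not catch an address the spammer has obfuscated.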

LART
Short for Luser Attitude Readjustment Tool, as in "The spammer was sharply LARTed right away and lost his account."

A LART is an email that you send to alert a host/ISP/enduser to highlight the spam and hopefully get them to do something about it.

What makes a good LART?

Okay, here's a quickie guide to writing effective LARTs. First of all, remember that you're responding to a company who has the spammer as a customer, not the spammer themselves. This means that you keep the tone professional and the language clean.

It is a good idea to LART the following people:

Spam Source
Where the spam was sent from (SpamCop can help you find this).
Website Hosts
Where the spamvertised site is.
E-mail Dropboxes
If the mail asks for a reply on a free e-mail account like Hotmail, LART them.
Others
Sometimes a spam requires a heavier mallet. If they want you to ring a premium rate number, try ICSTIS (the UK premium-rate phone regulator). If it's child (or child-like) pornography, try the Internet Watch Foundation (IWF).

Some good example LARTs for you to use:


Quote:
Spam Source
I recently received a spam on my domain that appears to have originated on your network. The original message, with complete headers, is included below.

Please investigate this issue and take appropriate action according to your Acceptable Use Policy.

Thank you.

-- Insert Original Spam--


Quote:
Website Hosts
You are currently providing hosting for a spammer at the address $SPAMVERTISED_DOMAIN. Included below this message is the spam in question with complete headers. Please investigate this issue and take appropriate action according to your Acceptable Use Policy.

Thank you.

-- Insert Original Spam--


Another good trick is to check the domain registration information for the spamvertised site - if the WHOIS data contains a false name or address, LART the registrar letting them know. The registrant then has 15 days to respond with corrected details, and if they don't, the registrar can cancel the registration.

With judicious use of cut 'n paste, reporting spam shouldn't take too long at all, and you'll get the nice warm feeling that comes from spanking spammers.
