A tool for tracking down junk e-mailers, junk news posters and their internet
service providers.
Keywords: net abuse, junk email, spam,
emp, excessive multi posting, velveeta, ecp, excessive cross posting, ube,
unsolicited bulk email, udp, usenet death penalty, aup, acceptable use
policy, tos, terms of service, t&c, terms & conditions
Original: http://kryten.eng.monash.edu.au/gspam.html
Feedback: Julian.Byrne@eng.monash.edu.au
(NO JUNK EMAIL)
Internet Service Providers - Does Your Acceptable Use Policy:
-
warn users about unacceptable net behaviour?
-
ban net abuse such as unsolicited junk email broadcasts & newsgroup
spams?
-
ban the use of your services as a mail drop or name server for spams from
throwaway accounts on other sites?
-
allow you to immediately suspend an account on reasonable suspicion whilst
it is investigated and to terminate the account if proven?
-
allow you to charge an offender for any costs incurred in dealing with
it?
-
apply to your client ISP's?
A good AUP saves you time and aggravation. For details see an informative
article by Chris Lewis.
For examples see Concentric's,
MCI's and others.
Other things an ISP can do
-
If your site receives an unsolicited broadcast email (UBE) send a complaint
to the sending site asking them to stop all UBE to your site. EarthLink
v. Cyber Promotions has set a clear US legal precedent that UBE after
warning is a form of trespass (See Earthlink's `Zero
Tolerance' policy against net abuse and anti-spam
resource center). Several other US ISP's including AOL,
Compuserve, Concentric
etc. have all obtained
similar though less comprehensive judgements. In addition the reverse also
holds; if you receive a request to stop UBE from your site to their site
and you haven't taken all reasonable steps (such as an enforced AUP) it
could cause trouble.
-
If you are a US ISP write a paper letter to your congressional representative
and senators and ask them to cosponsor the Smith
amendment (H.R.1748).
-
Consider asking your customers to do the same.
-
Install an abuse@ email address which forwards to an account where it is
read promptly. Do this even if you have another account for handling abuse
as abuse@ has become a de facto standard and this avoids unnecessary bounced
email. Postmaster@ often gets overloaded with accidentally misaddressed mail
and thus delays prompt resolution of net abuse. It's in your own interest
to resolve net abuse as quickly as possible.
-
Put your acceptable use policy on a public web page so that the net at
large knows your position. It's good advertising for you, helps to make
complaints clearer and makes your site less of a magnet for net abusers.
-
Consider requiring your new customers to do a small automated quiz on your
AUP or to sign off on it before giving them full account privileges.
-
Put a `no unsolicited junk email' note into your unknown user email bounce
message.
-
Log all TCP/IP connections, inbound and outbound email, and outbound news
so you can quickly and easily track down net abusers. This can save much
staff time.
-
Consider joining the MAPS Realtime Blackhole
List.
-
Stop your email server from relaying third party email. See the MAPS Transport
Security Initiative.
-
If you need to terminate a web or email account because of net abuse replace
it with an appropriately worded page or autoresponder explaining why the
account was terminated. This can be a strong deterrent to repeat abuse
and is good advertising for you.
-
Warn other ISP's in your area when you need to terminate an account so they
can block known net abusers before they get an account. Once net abusers
have an account they frequently take advantage of the `30 days notice to
terminate account' provision common in many ISP contracts. Make sure your
AUP allows immediate termination for premeditated abuse and also penalizes
hit-and-run spammers.
-
Close your news server. Make sure only your own customers can submit news
items and that they are logged so forged items can be determined.
-
Make sure your default news posting software makes it hard for users to
crosspost to large numbers of newsgroups. Make sure it also warns new users
about the potential consequences of posting something like `I know this
great nude actress web site' to the world.
-
Make sure your mailing list software doesn't give out subscriber email
address lists, that it allows only subscribers to submit items to the list,
that it verifies subscribe and unsubscribe requests and that every email
message has an "Errors-To:" header and subscribe/unsubscribe instructions
body signature. A common form of abuse is to subscribe a net naive victim
to multiple high volume mailing lists.
-
Restrict access to or disable your finger
server. Attach a `no unsolicited junk email' message to its output
if appropriate. Finger can be used by a remote site to determine a username's
full name and who is currently logged in.
-
Run an ident server.
This allows others to identify the user name of any open TCP/IP connection
from your machine to their machine, thus making any complaints to you less
cryptic, making complainants less frustrated and making it harder for net
abusers to remain anonymous. Many email transport programs incorporate
the user name provided by ident into email "Received:" headers which makes
it more obvious when an email is forged. A downside is that some web servers
use ident to determine a junk emailable address for anybody surfing their
site. This may not be a problem if you're running a caching web server.
You could also configure your ident server to only give answers for email
and news connections.
-
Verify inbound email connections. Query the ident server on the connecting
machine if it has one. Compare the hostname given in the HELO/EHLO command
with the IP address of the connection partner. Do a domain name inverse
lookup on the connecting machine's IP address and if successful put it
in the "Received:" header. Flag inconsistencies between ident, HELO and
DNS lookup. As all of these can be forged leave the IP address in the "Received:"
header. An IP address can be forged too but it's a lot harder. Most recent
versions of MTA's, in particular sendmail, do all of these tests.
-
Consider disabling the inbound email VRFY (verify) and EXPN (expansion)
commands as they can be used by other sites to determine the existence
of your usernames, names associated with your usernames, whether email
is being forwarded and where email is being forwarded. These commands aren't
needed or used in normal operation but are occasionally used by mailing
list maintainers to verify addresses. They're not of much practical value
because of the widespread use of mail aliases and firewalling.
-
Consider installing an email
filter program such as procmail
to filter inbound email on behalf of your users, removing some of the better
known junk emailers such as those on the AOL
`PreferredMail' blocked site list. To be legally and ethically on the
safe side give your users a means of opting out. AOL filters and if they
can, any US ISP can. The judge in the CyberPromo-AOL case in December 1996
explicitly stated that it was okay. In the US `free speech' legal problems
are mainly a concern for government, not private organizations,
despite the Fear-Uncertainty-Doubt (FUD) campaign of some spammers. See
the ACLU's
Cyber-Liberties Update for details.
-
Consider filtering all inbound and outbound news items that are crossposted
to five or more groups. There are patches available to do this for cnews
and inn.
-
Consider throttling outbound email so that by default individual users
can't send more than one email/minute. This needs to be disableable for
mailing lists though.
-
Consider installing an IP filter such as tcp_wrappers
that blocks connections from known unsolicited junk email sites such as
those in the Internet Blacklist.
-
Set up your email so that if one user is mail bombed their disk space usage
is quarantined from other users. Quarantine incoming anonymous ftp files
too and make sure system log files have plenty of space.
-
Consider getting your system utilities to quickly warn you when an unusually
high volume of email or news cross posts is inbound or outbound to a particular
user so that it can be checked.
-
Delay in a queue high volume news posts and email messages so that they
can be checked before being allowed to proceed.
-
Set up a net abuse
packet sniffer that lets you know and/or blocks when somebody attempts
abuse.
-
Provide your users with the tools described in this web page so that they
can track down net abusers themselves if they have the time and technical
ability.
-
Consider making informational postings to news.admin.net-abuse.*
when dealing with net abusers. It demonstrates to the net at large that
you're a good net citizen and it helps to reduce the level of complaints.
-
Make sure your list of user email addresses is private so that junk emailers
can't suck lists of email addresses off your site. Provide a search page
instead.
-
Educate your users. Scatter informative web pages around your site so that
naivety is not an excuse for causing trouble. Warn your new users about
junk email and news spam tactics so that they are immunized from some of
the scams.
-
Be wary of allowing unsolicited junk emailers on your site or allowing
your site to be used as a web/mail drop for unsolicited junk email from
throwaway accounts on other ISP's. Some net users feel this is sufficient
justification to broadcast email your entire customer base (found with
a web search) with a warning that you support net abuse and the suggestion
that they complain and/or move to another ISP.
-
Keep in mind that some professional spammers lie regularly. As a legitimate
business person you may not be used to dealing with such people so be on
your guard. Make sure that any statement you get is precise, in writing
and independently verified. Many spammers routinely muddy the waters any
way they can.
-
Email other tips.
Instructions
Step one is to look at all the headers of the message. News/email readers
normally show only a subset of the available headers to avoid screen clutter.
Select the option that makes the hidden headers visible. In Netscape
select Options/Show all headers, in MSWIN Pegasus press
^H, in Pine press H, in VM press t
and in NewsExpress select File/ Options/ Compose/ Include Headers.
Other news/email readers have similar options.
Important headers are:
-
From:
-
Sender:
-
X-Sender:
-
Reply-To:
-
Errors-To:
-
Return-path:
-
Message-id:
-
Path:
-
Received:
All contain a network host name that may give you a clue as to who the
spammer is. However, any or all of them may be faked. It is common for
spammers to send email from a throwaway account at one site and solicit
replies at other sites, so you may need to track down two or more network
locations. Make a list of all host names mentioned in the headers and in
the body of the message. These are the parts to the right of the
@ sign in email addresses, between // and /
in web links, in the last Received: header and at the right
end of the Path: between !'s.
Path: gives the list of hosts a news item passed through, from
the poster's site at the right end to get to your site at the left end.
One or more entries on the right end may be faked so you may need to cooperate
with others to track down which host in the Path: list the message
was injected at.
Like the Path: header, Received: headers are a list
of sites the message passed through in reverse order but with only one
host name per header. Again, the bottom entries (earlier timewise) in the
Received: list may be faked. It is also possible for spammers
to relay email via a third party so that the Received: header
before your site's Received: headers may be a victim too. They're
slack though as they should've configured their mail servers not to relay
third party email. Some spammers also pretend to be innocent relay sites
by forging additional Received: headers and lying in response
to complaints; complain to the so-called `relay' site's ISP if you suspect
this is the case.
Since intermediate sites always prepend headers, those higher
in the list are much less likely to be forged than those further down.
See how to interpret
Received: headers for more information.
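The reasoning above, together with the ISP item on verifying inbound email connections (HELO versus DNS lookup, keep the IP address), can be applied to the headers of a message you have received. The following Python is an added example, not code from the original page: it reads the Received: headers top down, trusts only those written by hosts in OWN_HOSTS (an assumed list of your own mail servers), and flags HELO/reverse-DNS disagreements and breaks in the chain. The sendmail-style header layout and every host and address in the sample are assumptions.

```python
import re
from email import message_from_string

# Assumed sendmail-style layout: "from HELO (RDNS [IP]) by HOST; date".
# Other MTAs format this differently; unmatched headers are flagged, not guessed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s;]+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)

# Constructed sample; all hosts and addresses are made up.
SAMPLE = (
    "Received: from mx.example.org (mx.example.org [198.51.100.10])\n"
    "\tby pop.example.org; Tue, 1 Jul 1997 01:01:09 +1000\n"
    "Received: from mail.bigcorp.example (dialup7.example.net [192.0.2.77])\n"
    "\tby mx.example.org; Tue, 1 Jul 1997 01:01:05 +1000\n"
    "Received: from campus.example (campus.example [203.0.113.5])\n"
    "\tby mail.bigcorp.example; Tue, 1 Jul 1997 01:00:58 +1000\n"
    "From: Offers <sales@bigcorp.example>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
OWN_HOSTS = {"pop.example.org", "mx.example.org"}  # the reader's own mail hosts


def trace_received(raw, own_hosts):
    """Walk Received: headers newest first and flag what cannot be relied on.

    Returns {"hops": [...], "entry": hop}. "entry" is the lowest header written
    by one of your own hosts; its IP is the address your site actually saw.
    """
    own = {h.lower() for h in own_hosts}
    hops, entry, trusted, expected_by = [], None, True, None
    received = message_from_string(raw).get_all("Received", [])
    for index, value in enumerate(received):
        m = RECEIVED_RE.search(value)
        if not m:
            # Nothing at or below an unreadable header can be verified.
            trusted, expected_by = False, None
            hops.append({"index": index, "flags": ["unparsed"]})
            continue
        hop = {k: v.lower() if v else None for k, v in m.groupdict().items()}
        flags = []
        if hop["by"] not in own:
            trusted = False  # from here down nothing was written by your site
        if not trusted:
            flags.append("unverified")
        if hop["ip"] and not hop["rdns"]:
            flags.append("no-reverse-dns")
        if hop["rdns"] and hop["helo"] != hop["rdns"]:
            flags.append("helo-mismatch")  # claimed name differs from DNS name
        if expected_by and hop["by"] != expected_by:
            flags.append("chain-break")    # writer is not the host seen above
        hop.update(index=index, flags=flags)
        hops.append(hop)
        if trusted:
            entry = hop
        # The next header down should have been written by the host that
        # connected here; prefer the DNS name over the free-text HELO name.
        expected_by = hop["rdns"] or hop["helo"]
    return {"hops": hops, "entry": entry}


if __name__ == "__main__":
    result = trace_received(SAMPLE, OWN_HOSTS)
    for hop in result["hops"]:
        print(hop["index"], hop.get("by"), hop.get("ip"), hop["flags"])
    print("entry point IP:", result["entry"]["ip"])
```

A chain-break or helo-mismatch flag is a hint rather than proof, since a host's reverse-DNS name can legitimately differ from the name it gives itself.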
Even with normal, non-faked operation not all hosts or network routers
a message passes through are recorded in the Path: or Received:
headers. Use TRACEROUTE (described
below) to get a more complete list.
Host names usually have machine name and domain name parts. For example
kryten.eng.monash.edu.au has a machine name of kryten
and domain name of eng.monash.edu.au (engineering faculty,
monash university, education sector, australia)
with larger domains monash.edu.au, edu.au and au.
Look at your list of host names and see if you can add some local domain
names to the list by stripping machine names from host names. This is a
trial and error procedure and may not always give a valid result.
Some of the host/domain names you've discovered may actually be a numerical
network IP address eg. kryten's is 130.194.140.2.
Use DIG ipaddress->hostname to find a host name given
an IP address and use DIG hostname->ipaddress
to find an IP address given a host name. Add any new host/domain
names discovered to your list. IP addresses can have zero, one
or several host names. Host names can have zero, one or several IP
addresses.
Some hosts and domains designate one or more hosts to handle any email
directed to them. Use DIG hostname->mailexchanger
to find out if there are any such hosts.
DIG queries domain name servers for information about the host/domain
names you've found. It gives a mess of information, most of which you can
ignore. You're not normally interested in addresses associated with the
site where DIG was run (in this case ?.monash.edu.au and 130.194.?.?) and
you're also not interested in the NS and other records of the
name servers that supplied the information, just the info related to the
host/domain you queried. This is in the ;; ANSWERS: section and
is the A internet IP address records, the MX
mail exchanger records and the PTR pointer to host name records.
If they don't exist then the ;; ANSWERS: section will be empty
or non-existent. The ;; AUTHORITY RECORDS: and ;; ADDITIONAL
RECORDS: sections tell you what domain name server[s] are responsible
for the part of the domain name system (DNS) you have queried.
Any email sent to the queried host/domain will initially go via one
of the hosts given by the MX records if they exist, otherwise
it will go to the host given by the A record. If there are no
MX and no A records then email will normally bounce.
The MX and A host names may be in completely different
domains. Add any new domains to your list.
If an IP address has no corresponding hostname the SOA
`start of authority' record can be used to see which hosts/domains are
responsible for that part of the net. Internic.net is responsible
for unallocated addresses so if you get this it usually means the queried
IP address is faked or in error. If there is no SOA record
try doing a DIG ipaddress->hostname on another IP address which
is in the same subnet as the one you're interested in ie. vary the last
number from 1 to 254. eg. For 130.194.140.37 you might try 130.194.140.66.
Some machines are configured by accident or by design to not reveal who
is responsible for them. Alternatively, look for the owner of the subnet
by stripping off one or more right elements (eg. 130.194.140.2
-> 130.194.140 -> 130.194 -> 130).
Use WHOIS to find the administrative and technical
contacts for the hosts/domains/ip address ranges you've discovered. This
will give more contact information including email addresses. If there
is more than one WHOIS entry for the domain you've entered you'll get a
list of abbreviated entries. To get full information use an entry's key
as a query string (eg. mci.net gives keys MCI8-HST and MCI2-DOM). Add the
host/domain names of the email addresses to your list. You may need to
strip off one or more left elements of each domain before you get a domain
that WHOIS knows about (eg. eng.monash.edu.au -> monash.edu.au
-> edu.au -> au). Similarly, you may need to strip off
one or more right elements of each IP address range before you get an IP
address range that WHOIS knows about (eg. 130.194.140.2
-> 130.194.140 -> 130.194 -> 130). WHOIS
also knows about company names and some user names. This WHOIS
covers US non-military domains only. For other domains see other
WHOIS servers.
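The list-building steps described so far (host names from the headers and body, then stripping machine names and IP address elements until DIG or WHOIS knows the name) can be automated offline. The following Python is an added example, not part of the original page's tools; the sample message and all its hosts are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not a real message); every host and address is made up.
SAMPLE = """\
Path: news.example.org!feeder.example.net!mail.bulk.example.com!not-for-mail
From: Offers <sales@bulk.example.com>
Reply-To: orders@drop.example.net
Message-ID: <199707010101.AA01@mail.bulk.example.com>
Received: from mail.bulk.example.com ([192.0.2.25]) by mx.example.org; Tue, 1 Jul 1997 01:01:05 +1000
Received: from dialup7.example.net ([192.0.2.77]) by mail.bulk.example.com; Tue, 1 Jul 1997 01:01:01 +1000
Subject: constructed sample

Visit http://www.drop.example.net/offer.html today!
"""

ADDRESS_HEADERS = ("From", "Sender", "X-Sender", "Reply-To", "Errors-To",
                   "Return-Path", "Message-ID")
AT_RE = re.compile(r"@\[?([A-Za-z0-9.-]+)\]?")           # right of the @ sign
URL_HOST_RE = re.compile(r"//([^/\s:]+)")                # between // and /
HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hosts_in_message(raw):
    """Collect every host name or IP address the headers and body mention."""
    msg = message_from_string(raw)
    found = set()
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            found.update(AT_RE.findall(value))
    for value in msg.get_all("Path", []):                # between the !'s
        found.update(p.strip() for p in value.split("!") if "." in p)
    received = msg.get_all("Received", [])
    if received:                                         # last Received: header
        found.update(HOST_RE.findall(received[-1]))
        found.update(IP_RE.findall(received[-1]))
    body = msg.get_payload()
    if isinstance(body, str):                            # skip multipart containers
        found.update(URL_HOST_RE.findall(body))
        found.update(AT_RE.findall(body))
    return {h.strip(".").lower() for h in found if h.strip(".")}


def parent_domains(host):
    """eng.monash.edu.au -> monash.edu.au -> edu.au -> au (strip left elements)."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def ip_prefixes(ip):
    """130.194.140.2 -> 130.194.140 -> 130.194 -> 130 (strip right elements)."""
    parts = ip.split(".")
    return [".".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def lookup_worklist(raw):
    """Map each host found to the names to try, most specific first."""
    work = {}
    for item in sorted(hosts_in_message(raw)):
        if IP_RE.fullmatch(item):
            try:
                # Name queried for an ipaddress->hostname (PTR) lookup.
                ptr = ipaddress.ip_address(item).reverse_pointer
            except ValueError:     # e.g. 999.1.1.1 looks like an IP but is not one
                continue
            work[item] = {"ptr": ptr, "whois": [item] + ip_prefixes(item)}
        else:
            work[item] = {"whois": [item] + parent_domains(item)}
    return work


if __name__ == "__main__":
    for host, queries in lookup_worklist(SAMPLE).items():
        print(host, queries)
```

As the text says, stripping is trial and error: many of the generated names will not exist, and any of the source headers may be faked.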
Use TRACEROUTE
to get a list of sites handling messages between this web server host and
each of the hosts/domains. This can take several minutes. Ideally it should
be from your mail host but this should do. Alternatively, if you're
running MSWindows 95 it comes with a TRACEROUTE; run
TRACERT in an MSDOS window. The last entry in the TRACEROUTE
results list should be the host/domain you're querying. The next-to-last
should be the Internet Service Provider (ISP) for your queried host/domain.
The next-to-last for that ISP is their ISP and so on. More
than one host at the end of the list may be owned by the spammer and so
you need to use some judgement as to whether, when you send email to one
of the hosts, you're talking to the spammer or their ISP. Add the hosts
at the end of the list together with their domains to your host/domain
list. This TRACEROUTE will have trouble if the test link is heavily
loaded (likely during Australian working hours). If so you could try other
web TRACEROUTE's.
It is possible but rare for a spammer to forge the response to a TRACEROUTE
so that sites later in the list may be deceptive. If you suspect this is
the case you will need to complain to all the upstream ISP's as only they
can determine where the forgery starts.
Use a web search engine to look for references
to the domain names you've found. Look for `domain' and `www.domain'.
Virtually all ISP's have web sites like this and you can use the web pages
to get some idea of whether it's actually the spammer or the ISP, together
with the size, contact addresses and the email/news policy of the ISP.
In addition if it's a .net domain try a .com domain and
vice-versa; many companies use both. Be careful though as there are also
many completely unrelated companies using domain names differing only
in the .net and .com ending. You can check by looking
at the WHOIS contact information and the IP addresses.
You can also use a general web
search engine to find out other information about the spammer.
You should now have a list of hosts and domains with a fair idea of
the spammer's addresses and their ISP's addresses. Send an email to the
spammer's ISP (this may or may not have the same domain name as the spammer
themselves) using the abuse@ address and a copy to
the spammer themselves. Be polite. You want results, don't you? In the message
include a copy of the spam with full headers, detail the reasons
why you find the spam unacceptable, tell them about the Net
Abuse FAQ and the Advertising
FAQ and request that they not do it again. A sample
is appended but use your own words if you can so that they know this is
you saying it and not some form letter. If abuse@ bounces send
the message to admin@, root@
or postmaster@ and additionally ask them to configure
an abuse@ address which forwards to their person responsible for
handling net abuse. If the email addresses aren't working you could try
a fax gateway or check out the email
search FAQ.
Large ISP's will generally not reply to you because they're too busy
but if they receive enough complaints (and with full on spammers they usually
do) it is likely the spammer will be dealt with. Most ISP's are good net
citizens because it's in their own interest to maintain a good reputation.
If you see the spam again send another message but this time post a copy
of the spam with full headers to the news.admin.net-abuse.sightings
newsgroup and let the experts have a go. You may also want to email
the ISP of the ISP. You should read the news.admin.net-abuse.*
newsgroups for a week or two to get a feel for how spammers operate and
are dealt with. Be warned that these newsgroups include plenty of argumentative
and intentionally deceptive and disruptive posts from spam supporters in
addition to posts from people trying to reduce spam.
That's it! Look at the links list and articles
list for further information on handling net abuse.
If the above procedure doesn't handle junk email/usenet postings to
your satisfaction you may want to set up a filter to delete email/news
items at your site before you see them. Not terribly effective generally
unless you're willing to bounce every unauthorised address but it works
for some persistent spammers. For reading news items look for a feature
called kill-files. Not all news readers have them though. For reading
email look at the filtering features your email program possesses or get
an email filtering program
which deletes email items before the email reader program sees them. Talk
to your system administrator or ISP too; they may have some ideas specific
to your site.
A final warning: Any message on the internet which doesn't use
strong encryption/authentication techniques like PGP
can be completely fake. Occasionally enemies on the net attack each other
by tricking a third party into doing their dirty work for them. Treat any
address you get with suspicion until proven otherwise.
Suggestions
-
Join The Coalition Against Unsolicited
Commercial Email (CAUCE). It's free and they support US law banning
UCE.
-
If you are a US citizen write a paper letter to your local congressional
representative and senators asking
them to co-sponsor, if they haven't already, The
Netizen's Protection Act H.R.1748 from Rep. Chris Smith, R-NJ. It proposes
amending the US federal law banning junk fax (US
Code 47.5.II, section 227) to ban unsolicited commercial email as well
and the more sponsors a bill has the more likely it is to pass. There are
three other federal spam bills being proposed; Tauzin's (H.R.2368),
Murkowski's (S.771)
and Torricelli's (S.875).
You should carefully consider which
bill to support, if any, but keep in mind that splitting anti-spam
support four ways might mean that all four bills get dropped, they may
die anyway due to lack of interest before this congress ends and at the
time of writing Smith's bill had 24 house sponsors out of 303 members,
Tauzin's had 2 house sponsors, Murkowski had 3 senate sponsors out of 100
members and Torricelli had 1 senate sponsor. Thomas
should have up-to-date information concerning these bills. There are also
several US
state spam bills. Spammers and The
US Direct Marketing Association have a history of short-circuiting
legislation at the last moment so don't
be complacent.
-
Ask your ISP to do the same.
-
If you live in the US and you receive an email spam from what you believe
to be a US based `spam factory', not just a `hit and run', ask your ISP
to tell the sending site to stop all UBE to your site, citing the
clear US legal precedent set by EarthLink
v. Cyber Promotions. This should only be done if your ISP is willing
to legally follow through. However, with the precedent already set it should
be legally straightforward.
-
Check that your ISP has an `Acceptable Use Policy' that you're happy with.
If not make suggestions about how it could be improved. See ISP's
for some ideas. Many smaller ISP's while technically competent don't have
much net experience and could do with a net abuse `heads up'.
-
If you see a cross or multi post to ten or more newsgroups post a copy
to the newsgroup news.admin.net-abuse.sightings.
This is particularly important for `slow spams' (multi posts with slightly
varying subject and contents spread over several days) as the automatic
tools professional anti-spammers use have difficulty spotting these. You
can use a news search service to
see how many copies there are of an article. The threshold at which the
professional anti-spammers normally trigger is an extremely conservative
twenty multi
posts within a forty five day period but it varies depending on the
newsgroup hierarchy.
-
If you see a single copy of a make-money-fast (MMF)
pyramid scam or chain letter send a complaint to the user, their email
postmaster and their paper mail postal inspector (US)
with a reference to the
US Postal Service's views on pyramid selling and request that the news
item be cancelled and the proceeds, if any, be given to charity. Most MMF's
say they're legal or `different'. They're lying. MMF's are illegal in almost
all countries.
-
If you see an illegal Multi-Level-Marketing (MLM) web site report it to
their ISP and the authorities (US online,
paper & phone).
Most so-called MLM sites are actually illegal pyramid schemes. Any
business whose primary purpose is to develop a selling downline or matrix
is pyramid selling. The `product' is irrelevant. As with MMF's they often
lie and obfuscate to avoid the law. There are a few legal, well meaning
MLM sites but be careful.
-
When making a complaint if the spam includes a freecall 800 phone number
then you may want to use it. They are paying for that number and this transfers
the costs where they belong. Keep in mind that 800 numbers frequently use
unblockable caller-id to get the caller's phone number so you may want
to call from a public phone. Never war-dial (repeatedly dial) phone numbers
as this is illegal. Be wary of non-800 numbers as some area codes that
are apparently local are actually international and have exorbitant charge
scams associated with them.
-
In the US if a P.O. Box is used as a business address then the associated
street address is not private. Send a paper copy of the spam with
the P.O. Box circled in red and a cover letter requesting the real address
to the local postmaster.
-
Forged email and newsposts are sometimes grounds for instant account termination.
Many unsolicited junk email messages and spams are forged to reduce the
level of effective complaints. If you see one and can work out what's going
on let the relevant ISP's know.
-
When posting news items use a From: or Reply-To: address
like one of these:
-
NO_JUNK_EMAIL@NOWHERE
-
Julian.Byrne@eng.monash.SPAM_BLOCK.edu.au
-
Julian.Byrne@eng!.monash.edu.au NO JUNK EMAIL
-
Julian.Byrne@eng.monash.edu.au@removethistoemailme
-
NO JUNK EMAIL <Julian.Byrne@eng.monash.edu.au>
-
Julian.Byrne@eng.monash.edu.au (NO JUNK EMAIL)
The first four are illegal email addresses (note the "!") but the automated
email address collectors that junk emailers use will generally not recognise
this while individuals hoping to contact you should be able to correct
it easily. The last two are legal email addresses. Everything outside of
the <>'s and in between the ()'s is a descriptive comment which email
programs will ignore but hopefully more responsible junk emailers won't.
-
When posting news items use a From: or Reply-To: address
like one of these:
-
bounce@[127.0.0.1]
-
bounce@localhost
-
postmaster@[127.0.0.1]
-
postmaster@localhost
[127.0.0.1] and localhost are often synonyms for `the
current host'. If you're lucky the first two addresses will cause a bounce
on the sender's machine as it tries to deliver to the non-existent user
bounce. The last two addresses will cause the spam to be delivered
to the email administrator of the machine sending the spam. If you're lucky
that will be the ISP and not the spammer themselves. So that you can be
contacted make sure your posting body includes a signature that gives your
true email address, perhaps in encoded form to confuse automated address
collectors that scan news article bodies as well as article headers.
-
When posting include one of these signatures:
-
Unsolicited commercial e-mail will be proof-read with the help of the mailer,
his postmaster, and if necessary, his upstream provider(s).
-
The sender of any unsolicited email sent to this address agrees to pay
$500/email for proofreading services.
-
Any junk email sent to this address will be placed in the junk email blacklist
at ... Sender agrees to pay $75 for each such email archived.
At the time of writing nobody using these strategies had reported collecting
but it did drastically cut down on junk email messages and you never know...
The consensus is that it'll be difficult to collect because the sender
has not explicitly agreed to a contract but you might succeed in a small
claims court if the junk emailer doesn't bother defending it.
-
When posting don't include a valid email address. Instead have a web link
to a page which has a detailed description of your unsolicited junk email
policy together with your email address.
-
If you know how, check whether your ISP relays third party email. If they
are relaying ask them not to as they are wide open to abuse.
-
If your site runs a finger server make sure the text put out by the server
on your behalf includes a no junk email message.
-
When dealing with any organization on the net that might sell your email
address to others make sure that they have some simple mechanism for blocking
your email address from being sold. Use it. One mechanism is to have a
special email address which when emailed to causes the return address to
be put on to a stop list. Another is to have a tick box on a form. Don't
deal with that organization until they have such a mechanism in place.
-
Use slightly different names and email addresses with different organizations
to help track down the culprit if your address is sold.
-
Use special email addresses that are only valid for a limited time period,
that are only valid when used by a particular correspondent or are only
valid for a single return email message. These approaches require sophisticated
use of email filtering programs and probably only make sense for somebody
technically literate and with a high volume of junk.
-
Use an email filter program to bounce email messages from an address not
on an `ok' list with one of the following messages:
-
Sorry for the inconvenience. To control unsolicited junk email this email
address automatically bounces email messages from an unknown address. Simply
reply to this notification within 24 hours and your original message and
any new messages from you will get through as usual. I enjoy receiving
messages from anybody except junk emailers so please don't hesitate. My
junk email policy is ...
-
... Enter your email address and/or message on the web form at <URL:...>
and any future messages from you will get through. The form includes my
junk email policy. ...
-
You have reached ...'s email public contact address. To send email to me
please use `pseudo_user@my_host' instead. This is a special address; it'll only
work from your address `user@your_host'. Sorry about the inconvenience;
I receive a lot of junk email.
The problem with these approaches is that it wastes the time of the person
trying to contact you but if you're unusually popular or have a major problem
with junk it might make sense.
-
Set up traps on your web pages or news postings, email address links that
you never use but which might be picked up by a junk emailer's automated
address collection program. Trigger an automatic complaint if any email
is received at that address. If you are a US user try setting up a clearly
sign posted, advertised and witnessed email address link that forwards
to your printer or to your fax machine (via a FAX
gateway) and you may be able to apply the US
junk fax law and make US$500. Untested at the time of writing. Alternatively,
set up the trap address to forward to your local government representative,
hopefully making them more aware of the junk email problem.
-
You can submit your email address to several `no
junk email' lists. In theory junk email will no longer be sent to that
address. In practice most junk emailers ignore these lists and there is
a risk that net abusers will use the contents as targets. Keep in mind
that the presumably reduced level of junk email received at such addresses
makes them more attractive targets for junk emailers willing to break the
rules. Some junk emailers even run lying `no junk email' lists to collect
new email addresses.
-
Educate people about acceptable net behaviour. There are people of all
ages on the net. Never underestimate how naive people can be and remember
that there is a first time to learn for everyone. Many net abusers simply
don't realize how much trouble they're causing. The critical test: Would
you do this to somebody face-to-face? Newsgroup spamming is like shouting
in a movie theatre. Junk email is like using a loud hailer at 3am outside
somebody's home. Free speech advocates should remember that an effective
way to compromise free speech is to bury it in noise and misinformation.
-
Educate people about net economics. Paper junk mailers pay for their postage.
Junk emailers force their targets to pay for it. News cross and multi posts
occupy thousands of computers' disk space and can add up to significant
money and a waste of tens of thousands of people's time. Entire countries
(eg. New Zealand) and many ISP's push international incoming and outgoing
link volume costs onto individual users. Also, unlike the US, many countries
have timed local call charges. Even users who don't pay volume charges
get hit by reduced bandwidth.
-
Sales people often truly believe their product is the best thing since
sliced bread and that they are doing everybody a favour by advertising
as widely as possible. It takes a lot to convince them that the average
person doesn't give a damn. Convince sales people to face facts; that they
are costing people more in time and money than they are offering in a potentially
useful product. Keep in mind that sales people are good `people' people
but are often numerically illiterate and as a result are more emotive than
objective when estimating a balance of pro's and con's.
-
Never give spammers the attention they are seeking. Don't post followups
unless you're sure it'll help. Do your best to bore them to tears. If it's
a premeditated commercial spammer waste as much of their time as you can.
If it's a certified net.kook trolling
(trying to start an abusive argument) start other interesting news threads
(conversations) which have nothing to do with the troll, i.e. distract others
from the troll. You can also email trollees to warn them they've been
suckered without alerting the troller.
-
Some abusive news posts are placed by practical joking `friends' of students
who accidentally left their accounts logged in in shared computer labs. If
you suspect this is the case email them a copy of the post and ask them
to tell off their `friends' and to cancel the post, requesting help from
their system administrator if necessary.
-
Keep in mind that many net users and abusers have multiple `net identities'
and that forgery of other users' identities is fairly common. Forgeries
might be abusive, trying to wreck some user's reputation, or more subtle,
like pretending to be a responsible ISP but actually ignoring complaints.
The lack of legal consequences means that some net abusers engage in wholesale
deception. Keep an eye on your own `net identity' by using news
and web search services to
look for articles referring to you or purporting to be by you.
-
Never mail bomb (send many large email messages). While tempting it doesn't
work very well. For an experienced net user being on the receiving end
of a mail bomb is a non-event. If you're lucky you might slow down your
target for a few hours but you will also cause trouble for many innocent
bystanders (all the intermediate sites between you and the target) and
the target is probably better equipped to handle it than anyone else anyway.
You also risk losing your own account for net abuse.
-
Never flame (be abusive). While also tempting keep in mind that with the
current state of net [dis]organisation and the commonness of forgeries
it's easy to target the wrong person or misjudge the situation. Do this
and you'll end up wasting time apologising and you also reduce your credibility.
Also remember that a flame is more likely to antagonise a person than to
achieve results. The majority of net abusers are not malicious, merely
naive and/or self centered.
-
`Adopt' a particularly persistent net abuser and become a mini-expert on
them. Use the information you've learned to help others deal with them.
-
Whenever you see an erroneous opinion in the general press (eg. confusing
spam with free speech, anti-commercial interests, conventional advertising
or content based censorship) write a letter to the editor letting them
know of the error. Better yet, write an article.
-
Report significant illegal activity in the US to the US
National Fraud Information Center.
-
Do a web
search for "bulk email" and let these vendors and their ISP's know
what you think of unsolicited junk email.
-
Mirror or point a link to this or other net abuse sites.
-
Email other tips.
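The `ok' list filter from the tips above (bounce mail from unknown addresses, let it through once the sender replies within 24 hours), written in Python as an added example; it is not code from this page or its author. The class and function names, the example.* addresses and the per-sender token quoted in the notice's Subject line are assumptions: the token is there because sender addresses are often forged, so a reply only counts if it shows the notice was actually received.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr

CONFIRM_WINDOW = timedelta(hours=24)   # the notice's "reply within 24 hours"

class OkListFilter:
    def __init__(self, ok_list, secret):
        self.ok = {a.lower() for a in ok_list}
        self.secret = secret           # bytes; keeps confirmation tokens unguessable
        self.held = {}                 # sender -> (time of first bounce, queued messages)

    def token(self, sender):
        """Per-sender token to quote in the bounce notice's Subject (assumed scheme)."""
        return hmac.new(self.secret, sender.encode(), hashlib.sha256).hexdigest()[:16]

    def handle(self, raw, now):
        """Classify one raw message; returns (action, messages released for delivery)."""
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            return "drop", []          # no address to send the notice to
        if sender in self.ok:
            return "deliver", [msg]
        # Forget senders who did not confirm inside the window.
        self.held = {s: h for s, h in self.held.items() if now - h[0] <= CONFIRM_WINDOW}
        if sender not in self.held:
            self.held[sender] = (now, [msg])
            return "bounce", []        # send the notice, quoting self.token(sender)
        if self.token(sender) in msg.get("Subject", ""):
            self.ok.add(sender)        # confirmed: add to the ok list
            return "deliver", self.held.pop(sender)[1]
        self.held[sender][1].append(msg)
        return "hold", []              # already challenged: no second bounce

def demo():
    """Constructed sample traffic; returns the sequence of actions taken."""
    f = OkListFilter(["friend@example.net"], b"constructed-secret")
    t0 = datetime(1998, 8, 11, 9, 0)
    def mail(frm, subj="hello"):
        return f"From: {frm}\nTo: me@example.org\nSubject: {subj}\n\nbody\n"
    new, late = "stranger@example.com", "late@example.com"
    traffic = [(mail("friend@example.net"), 0), (mail(new), 0), (mail(late), 0),
               (mail(new), 1), (mail(new, "Re: confirm " + f.token(new)), 2),
               (mail(new), 3), (mail(late), 30)]
    return [f.handle(raw, t0 + timedelta(hours=h))[0] for raw, h in traffic]
```

A sender who is already being held gets no second notice, which limits how much bounce traffic a forged address can attract.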
Why the fuss?
Nobody wants to open their email in the morning and find one personal message,
two bills and a thousand pieces of unsolicited junk. Or to open their favourite
news group and find ten relevant items and a thousand spams.
When any of tens of thousands of small businesses and other special
interest groups can send tens of thousands of email messages or news postings
per day for peanuts, when they need to do it because their competitor is
already doing so, and when they are allowed to do it, the above scenarios
are only a matter of time.
There are already reports of individuals in the US receiving more than
one hundred unsolicited junk email messages per day. Some useful
alt.* newsgroups have become completely unreadable because of
hundreds of irrelevant crossposted news items per day.
The drop in cost effectiveness with increased advertising is lower on
the net. The marginal cost of running an email address grabbing and spamming
program overnight while a net account would otherwise be idle is almost
nil. Posting a duplicate news item to multiple newsgroups is trivial. A
business can afford to waste hundreds of thousands of people's time for
only minor profit to themselves and still come out ahead. Only if there
are other constraints (eg. an ISP volume charging or terminating their
access) will this one-sided tradeoff change.
If you post news items infrequently, your email address isn't on a publicly
accessible web page and you don't often web surf commercial sites you may
only have received a few junk email messages. Don't be fooled. Hundred
thousand email address lists are already in wide circulation and when your
email address gets on one as the result of web surfing the wrong site,
paying a bill or making a sales query you will find it very hard to get
off.
Incidentally, if you want to do mass unsolicited junk email think
about this: Most junk emailers only do it once. Creating thousands of angry
instant enemies isn't a smart way to run a business. Unprofitable
too.
How to advertise
If you want to do a broadcast do it using the broadcast protocol provided:
news. If you want to do a point to point message use the point to point
protocol provided: email. Anything else is abuse of other people's net
resources. If you want to do a broadcast address it correctly with the
facilities provided: newsgroups and subject headings. Again, anything else
is abuse of net resources. Unnecessary repetition is also an abuse of net
resources.
So, the appropriate place for a commercial message is a single on topic
post with a meaningful subject heading in one of the biz.marketplace.*,
comp.newprod (moderated) or clari.biz.products newsgroups.
For obvious reasons people rarely read these. This is the balance between
commercial advertisers and other people's rights though.
So you're left with web pages and news signature advertising. The former
is okay because only those people interested in a topic will go looking
for them and other people's net resources are not unnecessarily wasted.
The latter is okay because you will have contributed something back to other
newsgroup participants with the posting itself, paying for the general
reduction in utility of the news caused by your small signature ad. If
not then it is also abuse of net resources.
Note: I'm using the term net resources in the more general
sense of not only bandwidth and disk space but also of the general utility
to the people participating. The general utility of the net and its facilities
is reduced by every off topic post, useless email message or deceptive
web page. Incrementally each loss is small but the total loss is massive
and that is why so many people are willing to spend time fighting this
scourge.
The best way to advertise on the net is to give away value so that people
will want to visit you and also to pay for your use of other people's net
resources. You can create value in small ways by competitions, games, prizes
and freebies. The expected return on these things to the participants is
usually terrible though. It's better to create value in a larger way by
sponsoring `good works'. The advertisers on the search engines, Netscape
and id Software have all done very well using this approach. On a smaller
scale sponsoring a useful FAQ, piece of software, moderated news group,
community service web site, entertainment web site or industry service
web site are good approaches. If this is done in an innovative way it can
be very effective. Like everything else in life though remember that
you don't get something for nothing; make sure it really is a useful/interesting
resource and not just a deceptive advertising ploy likely to turn off a
very advertising aware population. Once you have a useful resource you
can legitimately announce it in the relevant newsgroups and in non-net
advertising and build up a client base via sponsor advertising in the resource.
Everybody wins. This is the right way.
Net marketing
links.
Complaint example
From: Julian.Byrne@eng.monash.edu.au (NO JUNK EMAIL)
To: xxx
Subject: UBE COMPLAINT
Date: Wed, 15 Oct 97 09:46:45 AEST
Could you please deal with the appended unsolicited bulk email (UBE).
Thanks. Keep in mind that:
- Spammers steal at least $1000 from the net community every time they spam.
(1c/recipient, 100000 recipients, other costs ignored)
- Theft doesn't scale. The numbers show that any solution that legitimizes
opt out can't work. (tagging, making forgery illegal, `remove lists' etc.)
<http://kryten.eng.monash.edu.au/articles/ube_numbers.txt>
- Already the news system is 70% spam+cancels and the email system is
40% spam+complaints.
- Spam will always be junk because there is no financial incentive to target.
The whole point is big numbers, small response, others pay.
- Property rights outweigh free speech rights. Several US judges have said so.
<http://kryten.eng.monash.edu.au/articles/free_speech_judgements.txt>
- It's not inevitable. When was the last time you saw a door-to-door
salesman or junk fax? Support the Smith amendment: <http://www.cauce.org/>
- Politicians act on the votes, whether informed or uninformed. Make sure
your customers, colleagues and the press are informed.
- The only technical solution likely to work long term is a whitelist.
<http://kryten.eng.monash.edu.au/articles/why_filtering_wont_work_long_term.txt>
- Are you being forged? Don't allow the spammer to give your company a bad
name and to waste your time with the resulting complaints.
<http://www.jmls.edu/cyber/cases/spam.html>
- Being relayed through? Configure your mail servers to stop relaying.
<http://kryten.eng.monash.edu.au/stop_relay.html>
Many thanks for all your efforts,
Julian Byrne <Julian.Byrne@eng.monash.edu.au> (NO JUNK EMAIL)
Anti-spam tips: http://kryten.eng.monash.edu.au/gspam.html
------- start of forwarded message (RFC 934 encapsulation) -------
...
Julian.Byrne@eng.monash.edu.au (NO JUNK EMAIL) / Last modified: Tue Aug 11 17:31:32 AEST 1998
Copyright © 1997 Julian Byrne [Monash University Disclaimer]