The SPAM-L FAQ

Version: 3.3.1

Last Modified: Wednesday July 08, 1998 10:08:07 AM EDT

 This is the SPAM-L FAQ, a document dealing primarily with how to post to the SPAM-L mailing list, what to post, and what not to post. It also includes technical information on how to track down spammers, decipher message headers, perform traceroutes, etc. If you are a newbie and these terms confuse you, don't worry. Everything you need to know is explained here, though it may take some time to understand it all. If there's something you don't understand, feel free to ask me directly or ask in SPAM-L. We'll be happy to help; that's what we're here for.

 Contributions, comments, corrections, flames, and any other correspondence regarding this FAQ should go to:

 Doug Muth <dmuth@ot.com>

 The latest versions of this FAQ can be found at:


 


What's found in this document:

 

  1. SPAM-L (Newbies to SPAM-L should read this first)
  2. Posting to SPAM-L (Please read this section before posting)
  3. Tracking spam (Technical stuff)
  4. Blocking spam
  5. Miscellaneous
  6. Resources
  7. Credits
  8. Changes from previous versions

SPAM-L (Newbies to SPAM-L should read this first)

 This section deals with SPAM-L itself.

 What is the purpose of this FAQ?

 This is not a "spam" FAQ. It is a SPAM-L FAQ, and as such does not deal with questions like "What is spam?" or "Why is spam bad?" except to point to other resources, of which there are plenty.

 The table of contents from this FAQ, along with a brief revision history, is posted to the SPAM-L (hopefully) every Saturday.

 What is SPAM-L?

 SPAM-L is a LISTSERV mailing list created on August 19th, 1995 and is dedicated to "Spam prevention and Discussion". That means discussion of spam-prevention, not debating the merits (or lack thereof) of spam. Tips, tricks, procmail recipes, resources for fighting spam, etc. are all welcome. In addition, many people copy SPAM-L on their response to a given spam. This is OK, within certain guidelines. What is not welcome is discussion along the lines of "Spam is here, get used to it!" or "Why can't spammers and everyone else just get along?", etc.

 How do I subscribe?

 Send an email message to LISTSERV@peach.ease.lsoft.com with the words "subscribe SPAM-L <First name> <Last name>" in the body of the message (no quotes).

 How many people are on it? (As of Saturday, February 14, 1998, 7 PM)

 There are currently 500 members of the list with an additional 103 subscribers who are "hidden".

 Therefore, the total number of people on the list is 603, from about 31 countries. Please note that the confirmations that the listserv sends when you post something only show the number of non-hidden subscribers to the list.

 Who owns/maintains it?

 The owner of SPAM-L prefers to remain semi-anonymous to keep from getting flooded with e-mail requests for help regarding spam. It's my job to get flooded with requests for help regarding spam! ;-)

 Seriously, if you would like to contact the owner, the convention is the same as with all LISTSERV lists. Just send e-mail to spam-l-request@peach.ease.lsoft.com.

 How many messages does SPAM-L get each day?

 Roughly 100 to 125 messages per day. Be sure that you can handle the increased mail load. If this is too much, you may want to consider either subscribing to individual topics or getting the list in digest or index form.

 How can I stop from getting so many messages from the list?

 You would need to set your options for SPAM-L in digest mode, index mode, or post-only mode.

 To subscribe to digest mode, where all the messages are sent in one e-mail, send an e-mail to listserv@peach.ease.lsoft.com with the command SET SPAM-L DIGEST in the text.

 Once subscribed in digest mode, you can use the following procmail recipe to split the digest back into individual messages:

# Match the LISTSERV digest (its From: line contains both "Automatic" and
# the LISTSERV address) and let formail split it into separate messages,
# appending each one to the spam-l folder.
:0 :
* ^From:.*Automatic.*LISTSERV@PEACH.EASE.LSOFT.COM
| formail -I "To: spam-l@peach.ease.lsoft.com" -ds \
>>$MAILDIR/spam-l

To subscribe to index mode, where you only get a list of the subject lines for posts sent to you, send an e-mail to listserv@peach.ease.lsoft.com with the command SET SPAM-L INDEX in the text.

 If you want an HTML version of index mode, where you can click on the item and view it on the website, send an e-mail to the LISTSERV address with SET SPAM-L HTML INDEX in the text.

 To have "post-only" access, where you are a member of the list and can post to it, but won't receive any messages, send the command SET SPAM-L NOMAIL to listserv@peach.ease.lsoft.com.

To get back to receiving postings as they are made, send the command SET SPAM-L MAIL to listserv@peach.ease.lsoft.com.

How can I determine my current subscription options?

 To do this, send the command QUERY SPAM-L to listserv@peach.ease.lsoft.com and a list of your subscription options will be mailed to you.

 OK, what is "spam", then?

 Unsolicited email or USENET postings, generally of a bulk or commercial nature, although not always. Proselytizing, racist tracts, and shady pyramid schemes qualify as spam, as does more "traditional" junk mail. There's always discussion on what is and is not spam, and this FAQ is not about the definition of it. Read http://spam.abuse.net for more information about spam in general.

 I want to unsubscribe, but forgot how!

 Send an email message to LISTSERV@peach.ease.lsoft.com with the words "SIGNOFF SPAM-L" in the body of the message (no quotes). You MUST send this from the address you originally subscribed with!

 I want to join, but I'm worried that a spammer will get my e-mail address!

 The SPAM-L subscriber list is NOT retrievable by the public or by subscribers (i.e., REVIEW=OWNERS). The archives are retrievable by subscribers. Thus, if you don't post, it is highly unlikely that most people will know that you subscribed.

 Having said this, setting your subscription options to "concealed" is really unnecessary.

 


Posting to SPAM-L

 This section deals with the posting guidelines for SPAM-L.

 What should be posted?

 Discussion of spam-fighting and prevention techniques, discussion of ongoing legislation and the pros/cons of same, and other spam-related discussion.

 Posting spam you receive is OK, as long as you follow these guidelines:

 

Some posting guidelines

 Here's a few other guidelines for posting to SPAM-L:

Off-topic posts, etc. are also generally frowned upon, although we all like the occasional joke to liven up our days. :-)

 Please do not feed the trolls

 On at least one occasion, a spammer has shown up in SPAM-L and caused considerable disruption by posting messages like "why not hit delete" (he obviously was too good to read this FAQ before posting), calling us all sorts of names, and just causing general disruption.

 The best way to deal with such an individual is to ignore them, and they will usually get mad, and leave the list on their own. Of course, if they are creating excessive disruption, feel free to e-mail your friendly list owners and the matter will be looked into, and the troll be unsubbed from the list if absolutely necessary.

 A word about using profanity

 Since a large number of the members of SPAM-L are sysadmins and UNIX gurus, it's safe to say that this mailing list can be considered a professional resource with all the rights and responsibilities thereof. An important part of acting in a professional manner is using profanity very sparingly. There are many, many ways to communicate your message without having to resort to vulgarity, no matter how upset you may be at the spammer who crashed your mailserver and caused you hours of downtime.

 Also, since people are using search facilities on the web more and more (employers, potential customers, etc.), and SPAM-L is archived, using excessive profanity could come back to haunt you someday.

 How topics work

 There is a list of topics which one should place at the beginning of the SUBJECT: line of messages to SPAM-L. This helps people determine more easily what the message is about, plus it facilitates LISTSERV's topic-sorting mechanism. However, topics do not apply in the digest or index form of distribution.

 Be sure to have a colon and a space ": " following the topic so that the LISTSERV will recognise that posting as belonging to that topic. Also, a message can have multiple topics like:

 

Subject: ABUSE,ABUSE-RE: My correspondence with AGIS

and the message will then belong to both topics.

 There are "implicit" topics too: ALL, NONE, and OTHER. If a message is posted without a topic, or with an undefined topic, it will automatically fall into OTHER.

 The topics for SPAM-L

 

ABUSE
    "I sent the following nastygram to ABUSE@spam_haven.net".
ABUSE-RE
    "I received the following response from ABUSE@spam_haven.net".
BLOCK
    Mail blocking/filtering discussion/issues.
CC
    This topic no longer exists, please use SPAM instead.
COURT
    Text related to law/statutes or pending litigation.
FAQ
    The SPAM-L FAQ.
HELP
    If you need assistance in either decoding a received SPAM (not SPAM-L) message or need assistance in contacting a service provider/system administrator.
MEDIA
    What the popular press has to say about SPAM.
META
    Discussion about the use, operation, and management of SPAM-L itself.
ME-TOO
    "I also received this SPAM".
NUKE
    A report of a spammer losing their account/webspace. (It's also a powerful spell in Final Fantasy. ;-)
SPAM
    This topic was created on 3-14-98 to replace CC. It is used for reporting spam. If you are interested in seeing the full text of spams, visit http://www.spam-archive.org.

To arrange to receive messages that are only in specific topics, send the following command(s) to the listserv:

 

set SPAM-L topics: all|(+|-)topic

Examples:

SET SPAM-L TOPICS: ALL          (To get all the topics)
SET SPAM-L TOPICS: -FAQ         (To stop getting postings of the FAQ)
SET SPAM-L TOPICS: +NUKE        (To start getting NUKE if you didn't previously)

Just how do I post to SPAM-L, anyway?

Having read the rest of section 2, you are now ready to post to SPAM-L. To make a post to the list, send e-mail to SPAM-L@peach.ease.lsoft.com.

 How do I receive my own postings to SPAM-L?

 By default, new subscribers to SPAM-L will see their own postings to SPAM-L. To change this default, e-mail listserv@peach.ease.lsoft.com the single line of text:

 

SET SPAM-L NOREPRO

which will not send you copies of your own posts.

How can I distinguish posts to SPAM-L from other e-mail that I get?

 Since you may get large amounts of e-mail from other mailing lists, you may wish to have some way to tell messages from SPAM-L apart from other e-mail. If you are using a UNIX system with Procmail installed, the following recipe will store e-mail from SPAM-L in a separate folder:

# File every message distributed by the list server for SPAM-L (recognised
# by the Sender: header it adds) in its own folder.
:0 :
* ^Sender:.*SPAM-L@PEACH.EASE.LSOFT.COM
$MAILDIR/spam-l

Or, you can send the command SET SPAM-L SUBJECTHDR to listserv@peach.ease.lsoft.com which will prepend the Subject: headers of all postings to the list with the text [SPAM-L]. For example, a subject line of:

Subject: MEDIA: Cnet article on spam

becomes:

Subject: [SPAM-L] MEDIA: Cnet article on spam
Should I forward every spam I get to the list?

 No. See the section titled What should be posted for posting guidelines.

 I just posted a spam I got, and got flamed. Why?

 Well, if it was from someone other than a list member, it's a good bet that

  1. they're the spammer,
  2. they are a spam-haven domain, or
  3. you got a highly underpaid, highly overworked sysadmin (or BOFH :-) on the other end of your complaint, which is one of about 3,000 they got today.

If you get flamed (chastised?) by a list member, you probably violated one of the posting guidelines above.

 I just posted something to the list, and it got rejected, why?

 Recently, a limit of 200 lines per message has been imposed on SPAM-L. This took place because of a few very large files which were posted to the list over the last few months.

 Can we advertise anti-spamming products/services in SPAM-L?

 There hasn't ever been much advertising of anti-spam products/services in SPAM-L so here are a few pointers that it is suggested you follow. This section will be revised as necessary. I'm also open to comments regarding this section.

 

How do I search the SPAM-L archives?

 Send E-mail to listserv@peach.ease.lsoft.com with the text of your message reading:

search <string(s)> in SPAM-L

and you will be e-mailed back a document that contains the matches of your search as well as instructions on how to retrieve copies of the original posts.

There is now also a web-searchable archive at http://peach.ease.lsoft.com/archives/spam-l.html (the archive requires you to register a password before you can use it).

 People can't verify my PGP signature, why?

It seems that the LISTSERV software munges postings made to the list in some way. Since verifying a PGP signed message involves computing a hash and comparing it to a signed hash, any change in the message will cause the verification to fail. Since I use PGP whenever I send out e-mail, my postings will always fail to verify.

 This does seem to be platform specific as I use UNIX while another user that I talked to used Win 95 to post to SPAM-L and his signature verified with no problems.

 If anyone has any further information concerning this, please e-mail me.

 


Tracking spam (Technical stuff)

 This section deals with the technical aspects of spam, like telling where it came from. Having a UNIX shell account will be extremely helpful, as a lot of the utilities are native to UNIX and come already installed; on other operating systems you can perform most of these functions with third-party (usually shareware) tools.

 Attempts have been made in this section to detail how to do the functions described on your computer, with alternatives listed at the appropriate points.

 OK, I just got spammed. Now what?

 First, please make sure that it is indeed spam and that you didn't subscribe yourself to a list and ended up forgetting about it. This is more common than you might think -- ever fill out one of those web forms and forget to check whether the "Send me Info" box was checked or unchecked? It's usually set on by default.

 Also make certain that it's not from someone you met or corresponded with briefly, and have since forgotten. (It's happened to me!)

 Here's a list of things to look for:

If you're certain it's spam, continue on!

 What are these "headers" you folks keep talking about?

 An e-mail message is divided into two parts, the headers and the body. The headers contain all the technical information, such as who the sender and recipient are, and what systems it has passed through. The body contains the actual message text. The headers and body are separated by a blank line. In some mail programs, the headers are shown separately.

 How do I read them?

 This depends on your mail reading program. Most programs have an option that will display all the headers of the message. Another technique is to read your e-mail with a standard text editor as opposed to an e-mail program. Check the docs that come with your email reader or read the online help. You could also contact your ISP for assistance or talk to your help desk if this takes place at work.

 I have crappy mail reading software, but I would still like to see some sample headers

 Well, if you would like to see what the headers from your messages look like, you can take advantage of an autoresponder that I have set up for that purpose.

 Simply send a (preferably blank) e-mail to dmuth+headers@oasis.ot.com, which is an autoresponder of mine. It will quote your message, with full headers, and send it right back to you.

 What does "forging" mean?

 "Forging" means trying to disguise where the message came from. Spammers do this a lot so that you won't know whom to complain to. It can be done by a variety of methods, from simply placing deliberately erroneous information in their email program, to manually sending mail using Telnet to an SMTP server (port 25). This requires fairly intimate knowledge of the SMTP protocol, which is, unfortunately, not hard to understand. (RFC 821)

 Forging e-mail headers is not presently illegal in the US. Some argue that it should be.

What is the "point of injection"?

 In a typical spam, there are two different kinds of systems involved:

 

How can I track down the sending system?

 Look in the headers and you will find a series of lines starting with the line "Received:". One of these is added for every system the e-mail passes through.

 The syntax for a Received: header is:

 Received: from <one system> by <the next system> <the current date>

 Therefore, the following example headers:

 

--------QUOTED HEADERS-------------
Received: from hermes.ntview.com by oasis.ot.com (8.7.6/8.7.3) with ESMTP
  id CAA26482 for <dmuth@ot.com>; Tue, 28 Jan 1997 02:25:42 -0500 (EST) 
-------END QUOTED HEADERS----------

demonstrate that the original message was sent by hermes.ntview.com.

 The Received: headers are added at the top of the message, so that your own system's Received: line should be the first you read, and the spammer's will be somewhere down the list. The list should form an unbroken path (i.e. from B by A, from C by B, from D by C). If the path is broken somewhere, it is often a sign that the rest of the Received: lines are forged.

 One other way to get an idea of the sending system is to look for the first occurrence of a PPP or SLIP hostname, or something similar indicating a dialup connection. Spammers don't relay through dialups very much. :-)

 What about these "stealth" mailers?

 Some of the newer spamming programs put in fake Received: headers in order to prevent users from finding the first ones. This is rather foolish, as most spammers don't understand the net and put in wildly bogus values.

 Here are a few things that let you know a header has been forged:

A few examples of spoofed headers:

 

Received: from email4all@aol.com by email4all@aol.com (8.8.5/8.6.5) with 
  SMTP id GAA02084 for <email4all@aol.com>; Thu, 26 Jun 1997 
  10:52:37 -0600 (EST)
Received: from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net 
  (8.8.5/8.6.5) with SMTP id GAA06154 for <gpg@lconn.net>; Wed, 25 Jun 1997 
  23:00:38 -0600 (EST)
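As an added illustration (this script is not part of the original FAQ), here is a short Python program that applies the checks described above to a list of Received: headers. It splits each line into its "from" host, "by" host, the comment the receiving host added in parentheses, and the date's timezone; checks that the lines form an unbroken path; names the sending system and the point of injection (the "from" and "by" hosts of the bottom-most line); and flags the tell-tale signs of forging visible in the spoofed headers: an e-mail address where a host name belongs, a timezone abbreviation that disagrees with its numeric offset (EST is -0500, not -0600), a class D or E address, and a PPP/SLIP dialup name. The sample headers are copied from the examples in this FAQ with their continuation lines joined; the zone table, the regular expressions and the warning texts are my own.

```python
import re

# Sample Received: values copied from the examples in this FAQ, oldest hop last
# (the order they appear in a message); folded continuation lines are joined.
INJECTION_EXAMPLE = [
    "from smtp.gte.net (radius3.gte.net [206.124.68.25]) by oasis.ot.com "
    "(8.7.6/8.7.3) with SMTP id SAA18708 for <dmuth@ot.com>; "
    "Wed, 5 Mar 1997 18:41:30 -0500 (EST)",
    "from r9892423 (Cust118.Max60.Los-Angeles.CA.MS.UU.NET [153.34.100.118]) "
    "by smtp.gte.net (SMI-8.6/) via SMTP id QAA16410; Wed, 5 Mar 1997 16:31:34 -0600",
]
SPOOFED_EXAMPLE = [
    "from email4all@aol.com by email4all@aol.com (8.8.5/8.6.5) with SMTP id "
    "GAA02084 for <email4all@aol.com>; Thu, 26 Jun 1997 10:52:37 -0600 (EST)",
    "from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net (8.8.5/8.6.5) "
    "with SMTP id GAA06154 for <gpg@lconn.net>; Wed, 25 Jun 1997 23:00:38 -0600 (EST)",
]
DIALUP_EXAMPLE = [
    "from q.qqq.com (ppp-206-171-250-20.vntrcs.pacbell.net [206.171.250.20]) "
    "by mail.themall.net (8.8.5/8.8.2/IIAM 1.0 (DCH)) with SMTP id IAA00719; "
    "Wed, 5 Mar 1997 08:40:22 -0800 (PST)",
]

# Numeric offset each common zone abbreviation must carry (my own table).
KNOWN_ZONES = {"EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
               "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700",
               "GMT": "+0000", "UTC": "+0000"}

RECEIVED_RE = re.compile(r"^(?:Received:\s*)?from\s+(?P<frm>\S+)"
                         r"(?:\s+\((?P<comment>.*?)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
ZONE_RE = re.compile(r"([+-]\d{4})(?:\s+\(([A-Za-z]+)\))?\s*$")
DIALUP_RE = re.compile(r"ppp|slip|dialup", re.I)


def parse_received(line):
    """Break one unfolded Received: value into the fields the checks need."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    comment = m.group("comment") or ""        # what the receiving host added in ()
    ip = IP_RE.search(comment)
    zone = ZONE_RE.search(line)
    return {"from": m.group("frm"), "by": m.group("by"), "comment": comment,
            "ip": ".".join(ip.groups()) if ip else None,
            "offset": zone.group(1) if zone else None,
            "abbrev": zone.group(2).upper() if zone and zone.group(2) else None}


def audit_received(lines):
    """Return (sending system, point of injection, warnings) for the header list."""
    hops = [parse_received(line) for line in lines]
    warnings = []
    for i, hop in enumerate(hops):
        if hop is None:
            warnings.append(f"hop {i}: unparseable Received: line")
            continue
        if "@" in hop["from"] or "@" in hop["by"]:
            warnings.append(f"hop {i}: e-mail address used where a host name belongs")
        if hop["ip"] and int(hop["ip"].split(".")[0]) >= 224:
            warnings.append(f"hop {i}: {hop['ip']} is a class D/E address, forged or misconfigured")
        if hop["abbrev"] in KNOWN_ZONES and KNOWN_ZONES[hop["abbrev"]] != hop["offset"]:
            warnings.append(f"hop {i}: {hop['abbrev']} does not match offset {hop['offset']}")
        if DIALUP_RE.search(hop["from"] + " " + hop["comment"]):
            warnings.append(f"hop {i}: dialup (PPP/SLIP) host, probably the spammer's own machine")
    # An unbroken path: each line's "from" host is the "by" host of the line beneath it.
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if upper and lower and upper["from"].lower() != lower["by"].lower():
            warnings.append(f"hop {i}->{i + 1}: chain broken ({upper['from']} vs "
                            f"{lower['by']}), lines below this point are suspect")
    last = hops[-1] if hops and hops[-1] else None
    sender = last["from"] if last else None        # first host in the path
    injection = last["by"] if last else None       # second host: where the mail entered
    return sender, injection, warnings


if __name__ == "__main__":
    for label, headers in (("injection", INJECTION_EXAMPLE), ("spoofed", SPOOFED_EXAMPLE),
                           ("dialup", DIALUP_EXAMPLE)):
        sender, injection, warnings = audit_received(headers)
        print(f"{label}: sent by {sender}, injected at {injection}")
        for w in warnings:
            print("  !", w)
```

Run it as a script and it reports, for the gte.net example, r9892423 as the sender and smtp.gte.net as the point of injection with no warnings, while the aol.com/lconn.net pair collects four warnings including the broken chain. The regular expressions are loose on purpose: Received: lines vary a great deal between MTAs, so anything the parser cannot read is reported rather than silently skipped.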

A word about firewalls and forwarders

 If your ISP has a firewall, or you have some sort of forwarding from another e-mail address, there will be one or more extra sets of Received: headers present. Please mention this when reporting a spam to the list.

 For example, if I have an e-mail address of dmuth@forwarder.com which forwards e-mail to the address dmuth@myhost.com, there will be an extra Received: header put in by forwarder.com:

 

Received: from forwarder.com (forwarder.com [201.96.1.32])
        by myhost.com (8.8.7/8.8.7) with ESMTP id SAA02629
        for ; Thu, 18 Sep 1997 18:31:46 -0400 (EDT)

What's this stuff in parentheses in the Received: header?

 When there is something in a set of parentheses, it is because the receiving host added the IP address (and possibly a reverse DNS name as well) of the host which sent it the e-mail. This prevents the sending host from lying about its name (A Good Thing).

 For example:

 

--------QUOTED HEADERS-------------
Received: from q.qqq.com (ppp-206-171-250-20.vntrcs.pacbell.net
  [206.171.250.20]) by mail.themall.net (8.8.5/8.8.2/IIAM 1.0 (DCH)) with
  SMTP id IAA00719; Wed, 5 Mar 1997 08:40:22 -0800 (PST)
-------END QUOTED HEADERS----------

mail.themall.net did a reverse DNS and determined that this mail really came from pacbell.net as opposed to qqq.com, which is really in the Netherlands. Whoever sent this lied about their origin, but the system did a "callback" of sorts.

 Just a note though, a forged header could have a forged "reverse DNS" lookup as well.

 How do I track down the point of injection?

The point of injection is usually the second host in the mail path (i.e. the second bottom-most Received: line); the first is usually the spammer's machine. Remember, if the spammer is trying to cover their tracks, they won't use their own ISP's mailserver.

 For example:

 

--------QUOTED HEADERS-------------
Received: from smtp.gte.net (radius3.gte.net [206.124.68.25]) by 
  oasis.ot.com (8.7.6/8.7.3) with SMTP id SAA18708 for <dmuth@ot.com>; 
  Wed, 5 Mar 1997 18:41:30 -0500 (EST)
Received: from r9892423 (Cust118.Max60.Los-Angeles.CA.MS.UU.NET 
  [153.34.100.118]) by smtp.gte.net (SMI-8.6/) via SMTP id QAA16410; Wed, 5 
  Mar 1997 16:31:34 -0600
-------END QUOTED HEADERS----------

The spammer set their smarthost to smtp.gte.net, an innocent system. Also, as you can see, smtp.gte.net did a reverse DNS, which is good as the spammer put a bogus name in for their system (r9892423).

 Why should I bother to track down the point of injection?

 Most sysadmins do not like it when another user sends out hundreds of thousands or even millions of pieces of e-mail through their system without their permission. Therefore, they will appreciate you telling them that their system was/is being abused in such a manner.

 Secondly, it is also a theft of service to use another system for sending your e-mail. When Cyberpromo sends out its 2 million bulk e-mails, all they send to the innocent mailhost is the text of the message and a list of the recipients. This poor system now has to create one copy of the message for every address on that list and deliver them, which is a huge waste of resources on that system. At this point, the sysadmin may want to sue the spammer.

 What's traceroute, and how do I use it?

Traceroute is a UNIX tool (there are versions for other OSes) for determining the path that your data packets take from one system to another. In the case where a spammer has their own domain, you can use it to determine who their ISP is and complain to them directly.

 The synopsis of the traceroute command on UNIX is:

 traceroute <hostname>

 For example:

 

$ traceroute whitehouse.gov

traceroute to whitehouse.gov (198.137.241.30), 30 hops max, 40 byte packets
 1  milo.ot.net (199.234.240.100)
 2  slab.ot.net (199.234.240.1)
 3  ucsc2-gw-hssi1-0.phl.prep.net (129.250.201.1)
 4  ucsc1-gw-fddi-1-0.phl.prep.net (192.204.183.1)
 5  border2-hssi1-0.WestOrange.mci.net (204.70.66.5)
 6  core1-fddi-1.WestOrange.mci.net (204.70.64.33)
 7  somerouter.sprintlink.net (206.157.77.106)
 8  sl-pen-18-P4/0/0-155M.sprintlink.net (144.232.0.73)
 9  144.232.8.2 (144.232.8.2)
10  sl-dc-17-F0/0.sprintlink.net (144.228.20.17)
11  sl-eop-1-S0-T1.sprintlink.net (144.228.72.66)  **The upstream** 
12  whitehouse.gov (198.137.241.30)

As you can see, whitehouse.gov has sprintlink.net as an ISP, also known as their "Upstream Provider".
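To show how the "upstream" is read off a trace, here is an added Python example (not from the FAQ) that parses traceroute output, copes with "* * *" hops that never answer and with the address-only lines that traceroute -n prints, and reports the last hop before the destination whose domain differs from the destination's. The first sample is the whitehouse.gov trace above with the "**The upstream**" annotation removed; the second is a constructed trace using documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) and a made-up gw.example.net.

```python
import re

# The traceroute output shown above, copied from this FAQ.
WHITEHOUSE_TRACE = """\
traceroute to whitehouse.gov (198.137.241.30), 30 hops max, 40 byte packets
 1  milo.ot.net (199.234.240.100)
 2  slab.ot.net (199.234.240.1)
 3  ucsc2-gw-hssi1-0.phl.prep.net (129.250.201.1)
 4  ucsc1-gw-fddi-1-0.phl.prep.net (192.204.183.1)
 5  border2-hssi1-0.WestOrange.mci.net (204.70.66.5)
 6  core1-fddi-1.WestOrange.mci.net (204.70.64.33)
 7  somerouter.sprintlink.net (206.157.77.106)
 8  sl-pen-18-P4/0/0-155M.sprintlink.net (144.232.0.73)
 9  144.232.8.2 (144.232.8.2)
10  sl-dc-17-F0/0.sprintlink.net (144.228.20.17)
11  sl-eop-1-S0-T1.sprintlink.net (144.228.72.66)
12  whitehouse.gov (198.137.241.30)
"""

# A constructed trace (documentation addresses) mixing "traceroute -n" style
# hops, a timed-out hop in the middle and a target that never answered.
NUMERIC_TRACE = """\
traceroute to 203.0.113.9 (203.0.113.9), 30 hops max, 40 byte packets
 1  192.0.2.1  0.412 ms  0.380 ms  0.371 ms
 2  * * *
 3  gw.example.net (198.51.100.1)  9.1 ms  9.3 ms  9.0 ms
 4  * * *
"""

HEAD_RE = re.compile(r"^traceroute to (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
NAMED_RE = re.compile(r"^(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")
IP_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def domain_of(name):
    """Rough registered-domain guess: the last two labels; None for bare addresses."""
    if name is None or IP_RE.match(name):
        return None
    return ".".join(name.lower().split(".")[-2:])


def parse_traceroute(text):
    """Turn traceroute output into {"target", "target_ip", "hops", "reached"}."""
    lines = [l for l in text.splitlines() if l.strip()]
    head = HEAD_RE.match(lines[0])
    target, target_ip = head.group(1), head.group(2)
    hops = []
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if not m:
            continue
        n, body = int(m.group(1)), m.group(2)
        if body.startswith("*"):                      # nothing answered at this TTL
            hops.append({"n": n, "name": None, "ip": None})
            continue
        named = NAMED_RE.match(body)
        if named:
            name, ip = named.group(1), named.group(2)
        else:                                         # "traceroute -n": address only
            ip = body.split()[0]
            name = ip
        hops.append({"n": n, "name": None if name == ip else name, "ip": ip})
    reached = bool(hops) and hops[-1]["ip"] == target_ip
    return {"target": target, "target_ip": target_ip, "hops": hops, "reached": reached}


def upstream_of(trace):
    """Last named hop before the end whose domain differs from the target's."""
    dest_domain = domain_of(trace["target"])
    for hop in reversed(trace["hops"][:-1]):
        d = domain_of(hop["name"])
        if d is None or d == dest_domain:
            continue
        return hop["n"], hop["name"], d
    return None


if __name__ == "__main__":
    for text in (WHITEHOUSE_TRACE, NUMERIC_TRACE):
        trace = parse_traceroute(text)
        print(trace["target"], "reached" if trace["reached"] else "not reached",
              "upstream:", upstream_of(trace))
```

Hops that show only an address (like hop 9 above) carry no domain, so they are skipped when looking for the upstream; if you ran the trace with -n you would first have to turn the addresses back into names with nslookup, as the FAQ says below.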

 I don't have/use/understand UNIX. Can I still use traceroute?

 Yes. Most operating systems, including Win 3.x, Win95, and WinNT, have a traceroute tool. On Windows systems, open a DOS session and use the command

 tracert <hostname>

 This tool is present on most Win95 and WinNT machines, and on Windows for Workgroups 3.11 with the TCP/IP-32b drivers installed. (Hint: Try it. If it doesn't work, it's probably not installed. Easier than figuring out the gibberish above) ;-)

 On the Macintosh, you can use the shareware product called IPNetMonitor, which has a full suite of IP tools, including Trace Route, Whois, NS Lookup & Ping. It is available at: http://www.sustworks.com

Also available is Peter Lewis' shareware MacTCP Watcher (also does Open Transport) available from http://www.stairways.com although the latter does not do Whois.

 Another tool worth checking out is AGNetTools, which is available at http://www.aggroup.com/AGNetTools/. It's available for Win 95, NT, and the Macintosh, performs ping, traceroute, nslookup, etc. and is free.

 The rest of the information on traceroute applies. Note that you may not have this program installed, especially if you use a third-party TCP/IP stack. In this case, see the section on web based traceroutes for Web-based gateways to traceroute.

 Traceroute says "unknown host", now what?

 You probably have chosen a mail alias -- a system that handles mail for a given Internet domain. Use the nslookup command to search for MX records and run traceroute to the resulting system(s).

 The syntax for using nslookup is:

 nslookup -q=mx <hostname>

 Although nslookup's output is verbose and a bit cryptic to the neophyte, you should be able to glean some good host names from the list you get.

Example:

 

dmuth:~$ nslookup -q=mx ot.com
Server:  ns.ot.com
Address:  199.234.240.5

ot.com  preference = 10, mail exchanger = mail.ot.com
ot.com  nameserver = ns.ot.com
ot.com  nameserver = dns-east.prep.net
mail.ot.com     internet address = 199.234.240.2
ns.ot.com       internet address = 199.234.240.5
dns-east.prep.net       internet address = 129.250.252.10

In this case, the mail alias for ot.com is mail.ot.com, which you could then do a traceroute to.

 Traceroute hangs, now what?

Since traceroute does a reverse DNS on every host it encounters, there may be a DNS server not responding that prevents traceroute from finishing the trace. Try a "traceroute -n" to display only the IP addresses. You can use nslookup later to determine the host names.

 I get a bunch of asterisks (**), now what?

 This means that the host you're trying to reach didn't respond. This may indicate that the spammer has been disconnected! (Joy!)

 Of course, it could be that the system is just down for a while.

 Web Based Tracerouting

 Point your web browser to http://www.Boardwatch.com/isp/trace.htm for a list of traceroute servers you can use.

 What's WHOIS, and how do I use it?

Whois is a program to access a database maintained by InterNIC of the com, edu, net, org, and gov domains. You can find out who owns a domain this way and what their e-mail address is. It will also tell you which site provides DNS service to a domain.

 The synopsis of the whois command is:

 whois <domain name|search string|netblock>

 The whois program can also search based on strings and netblock numbers. Here are some examples:

 

$ whois suck.com

The Vacuum Cleaner Company (SUCK-DOM)
c/o HotWired Ventures LLC
510 Third St., fourth floor
San Francisco, CA 94107
USA

Domain Name: SUCK.COM

Administrative Contact:
   Steadman, Carl  (CS259)  carl@FREEDONIA.COM
   (415) 222-6352 (FAX) (415) 222-6369 (FAX) (415) 222-6369
Technical Contact, Zone Contact:
   Gaudet, Dean  (DG640)  dgaudet@HOTWIRED.COM
   (415) 276-8437 (FAX) (415) 276-8499
Billing Contact:
   Steadman, Carl  (CS259)  carl@FREEDONIA.COM
   (415) 222-6352 (FAX) (415) 222-6369 (FAX) (415) 222-6369

Record last updated on 20-May-96.
Record created on 24-May-95.

Domain servers in listed order:

NAIL.FREEDONIA.COM           204.62.130.117
A.DNS.MULTIVERSE.COM         207.170.128.10
B.DNS.MULTIVERSE.COM         207.170.128.11

Internic has fraudulent info listed, now what?

 Feel free to complain to hostmaster@internic.net but don't expect them to do anything about it. InterNIC won their contract from the government (the NSF) and as such, are just a lazy bureaucracy...

 The next best thing you can do is to use traceroute to see who the upstream of that domain is, and complain to them about the spam and about the fact that the domain has invalid info listed.

 I don't have a UNIX shell account, can I still use whois?

 Sure. Telnet to rs.internic.net and use the whois command as you would at a UNIX prompt.

 You can also go to the InterNIC's Website and use their Web-to-Whois gateway at http://rs.internic.net/cgi-bin/whois.

 An alternate server for whois:

http://www.inet.net/cgi-bin/whois

 Another related site is a list of domain name registries from various countries found at http://www.uninett.no/navn/domreg.html

 What are netblocks, and how are they useful?

 A netblock is a group of IP addresses which are all on the same network and therefore owned by the same entity. There are several kinds of netblocks:

 

Class A
    A class A network uses the first number as the network address, so you can have 16.7 million nodes in that network. The network address must also be between 1 and 126 (127 is loopback). For example, net 38 is owned by psi.net.
Class B
    A class B network uses the first 2 numbers as a network address, which makes for 64K possible nodes. Class B networks range between 128.0 and 191.255. For example, 153.34 is owned by uu.net.
Class C
    Class C networks use the first 3 numbers as a network address with 256 possible nodes. Class Cs range between 192.0.0 and 223.255.255. For example, 199.234.240 is owned by Oasis Telecommunications.
Class D and Class E
    Class D is for networks 224 to 239.255.255.255. Class E is for networks 240 to 255.255.255.255. Class D is for multicast messages and class E is reserved for experimentation and development. (Reading out of my UNIX manual now :-) If you see one of these IP addresses in a header, you can be quite certain that the header has been forged. (Or there is a serious configuration problem.)

To do a whois on a netblock, all you need to do is type "whois <net number>@whois.arin.net". You can have zeros trailing after the net number if you like.
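The following Python function, added here as an example rather than taken from the FAQ, works out the class, the network number with trailing zeros, and the size of the netblock that an address from a Received: header falls into, and builds the whois query string in the form given above. Addresses that cannot belong to a real sending host (class D, class E, loopback, and the 0 network) are reported as such.

```python
from collections import namedtuple

Netblock = namedtuple("Netblock", "cls network hosts arin_query")


def classify(ip):
    """Classful view of a dotted-quad address, as in the FAQ's netblock examples."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not a dotted quad: {ip}")
    first = octets[0]
    if first == 0:
        return Netblock("reserved", None, 0, None)   # "this network", never a sender
    if first == 127:
        return Netblock("loopback", None, 0, None)
    if first <= 126:
        prefix_len, cls = 1, "A"                     # first number is the network
    elif first <= 191:
        prefix_len, cls = 2, "B"                     # first two numbers
    elif first <= 223:
        prefix_len, cls = 3, "C"                     # first three numbers
    elif first <= 239:
        return Netblock("D", None, 0, None)          # multicast
    else:
        return Netblock("E", None, 0, None)          # experimental
    # Network number padded with trailing zeros, e.g. 153.34.0.0
    network = ".".join(str(o) for o in octets[:prefix_len] + [0] * (4 - prefix_len))
    hosts = 256 ** (4 - prefix_len)                  # 16.7 million / 64K / 256
    return Netblock(cls, network, hosts, f"{network}@whois.arin.net")


def plausible_sender(ip):
    """False for addresses that cannot be a real sending host (see class D/E above)."""
    return classify(ip).cls in ("A", "B", "C")


if __name__ == "__main__":
    for ip in ("153.34.100.118", "38.1.2.3", "199.234.240.8", "230.1.1.1", "127.0.0.1"):
        print(ip, classify(ip), "plausible" if plausible_sender(ip) else "bogus")
```

For 153.34.100.118, the UU.NET dialup address from the point-of-injection example, this gives class B, network 153.34.0.0 and the query 153.34.0.0@whois.arin.net, which is exactly the whois command shown next.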

 For example:

 

dmuth:~$ whois 153.34.0.0@whois.arin.net
[rs.internic.net]
UUNET Technologies, Inc. (NET-UUNETCUSTB)
   3060 Williams Drive
   Fairfax, VA 22031
   US

   Netname: UU-153-34
   Netblock: 153.34.0.0 - 153.34.255.255
   Maintainer: UU

   Coordinator:
      Uunet, AlterNet [Technical Support]  (OA12)  help@UUNET.UU.NET
      +1 (800) 900-0241
   Alternate Contact:
      UUNET Postmaster  (UUPM)  postmaster@uunet.uu.net
      703-206-5440

   Domain System inverse mapping provided by:

   HUGIN.UU.NET                 153.39.242.112
   MUNIN.UU.NET                 153.39.242.113
   AUTH60.NS.UU.NET             198.6.1.181

Another interesting note is that you can find groups of netblocks with whois. Typing whois 153@whois.arin.net will give you a listing of all of the class B networks from 153.0 to 153.255.

 What's nslookup, and how do I use it?

Nslookup will perform DNS and reverse DNS queries for you. DNS is the Domain Name System, which is what associates human-friendly host names ("www.ot.com") with IP numbers (subject to change -- at the time of writing, www.ot.com is 199.234.240.8).

When a mailhost in the Received: header has only an IP address listed, you may want to do a DNS query to find out what host name the IP number corresponds to.

The synopsis for nslookup is:

 nslookup (IP address|machine name) [dns server]

 Here's a reverse DNS example:

 

$ nslookup 199.234.240.8

Server:  ns.ot.com
Address:  199.234.240.5

Name:    www.ot.com
Address:  199.234.240.8

Your Server: and Address: lines will vary according to your ISP, but the resulting name and address will be the same.

 Here's a DNS example:

 

$ nslookup ans.net

Server:  ns.ot.com
Address:  199.234.240.5

Non-authoritative answer:
Name:    ans.net
Address:  147.225.5.5
The "non-authoritative answer" is because I used my ISP's DNS server (ns.ot.com) instead of one of ans's servers. Here, I correct that and use ns.ans.net as my DNS server:

 

$ nslookup ans.net ns.ans.net

Server:  ns.ans.net
Address:  192.103.63.100

Name:    ans.net
Address:  147.225.5.5

You can find out the name of an authoritative server from the whois info for a domain.

 How to do some web-based spam tracking

If you don't have access to any of the aforementioned tools (maybe you are using a public terminal at a library), you could use Sam Spade, which can be found at http://www.blighty.com/spam/spade.html. Sam Spade can do an nslookup, whois, traceroute, and find out who owns the netblock of the machine.

 This tool will benefit novices the most.

 How can I test a system to see if it relays e-mail?

 Since mail servers usually reside on port 25, you need to telnet to port 25 of the host that you suspect to be relayable. Once connected, you should see something like this:

 

220 relay.com ESMTP Sendmail 8.8.7/8.8.7; Sun, 4 Jan 1998 17:54:11 -0500 (EST)
                    ^^^^^^^^^^^^^^^^^^^^
Take note of the MTA and its version number. To start, type:

 

        
HELO somesite.com
with whatever domain name you want. While the name doesn't matter, I like to use "forged" or something similar so I can tell this e-mail apart when I get it. This value will appear in the Received: header that the site generates.

 Now type:

 

mail from: address
with whatever address you want. This is the envelope sender: it will appear in the From_ line at the start of the e-mail (and in the Return-Path: header), not in the From: header your mail reader shows.

 Type:

 

rcpt to: address
This tells the system where to send the e-mail; use an address of your own so you can see whether the message arrives. Note that you can type this line multiple times with multiple e-mail addresses. This is how a spammer sends an e-mail to thousands of people at once.

 Now, type:

 

DATA
At this point, you can enter in your e-mail message. I would suggest putting in at least a Subject: header (with a space after the colon) and separating the headers from the body with an empty line. No headers are strictly necessary, though.

 To finish the e-mail, type a period on a line by itself and hit enter. If you made it this far and the server returned a message saying that the message was accepted for delivery, then the server allows relaying, at least from your particular IP address. Two caveats: the address in "rcpt to:" must be at a domain the server doesn't handle itself, otherwise you have only shown that it accepts local mail, which every server does; and many ISPs deliberately relay for their own dial-up customers, so a test run from inside such a network says nothing about whether strangers can relay through it. To see if it logs the original IP address and does a reverse DNS on your host, check the Received: header that the server generated.

 For further information, read RFC 821 (the SMTP commands) and RFC 822 (the format of e-mail messages).
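 Here's the same relay test as an added example in code; it is not part of the original FAQ. It walks the dialogue above only as far as "rcpt to:", because the reply to that command is the decisive one (250 means the server has agreed to relay, 550 "Relaying denied" means it has not), and then resets and quits so nothing is ever queued. The server stand-in at the bottom is made up so the check can be run offline; its replies are modelled on sendmail's wording, and the host and domain names are invented.

```python
import socket


def read_reply(recv_line):
    """Read one SMTP reply; RFC 821 continuation lines look like '250-text'
    and the final line of the reply like '250 text'. Returns (code, text)."""
    lines = []
    while True:
        line = recv_line()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), "\n".join(lines)


def relay_test(send, recv_line, helo="forged.example",
               mail_from="tester@example.org", rcpt_to="tester@example.org"):
    """Run the FAQ's dialogue as far as RCPT TO and stop there. send(text)
    writes to the server, recv_line() reads one line from it. Returns a dict
    with the verdict, the banner (so the MTA version is on record) and the
    whole transcript."""
    transcript = []

    def step(command):
        if command is not None:
            send(command + "\r\n")
        code, text = read_reply(recv_line)
        transcript.append((command, code, text))
        return code, text

    code, banner = step(None)
    result = {"banner": banner, "transcript": transcript, "note": None}
    if code != 220:
        result["verdict"] = "error"
        return result
    for command in ("HELO " + helo, "MAIL FROM:<%s>" % mail_from):
        if step(command)[0] != 250:
            step("QUIT")
            result["verdict"] = "error"
            return result
    code, text = step("RCPT TO:<%s>" % rcpt_to)
    step("RSET")                       # throw the envelope away: nothing is sent
    step("QUIT")
    result["rcpt_reply"] = text
    result["verdict"] = ("open" if code in (250, 251)
                         else "closed" if 500 <= code < 600 else "unclear")
    # A recipient in the server's own domain is local delivery, not relaying.
    words = banner.split()
    server_name = words[1] if len(words) > 1 else ""
    if server_name and rcpt_to.lower().endswith("@" + server_name.lower()):
        result["note"] = "recipient is local to %s; this did not test relaying" % server_name
    return result


def check_host(host, port=25, **kw):
    """Run relay_test against a real server (needs network; not run offline)."""
    with socket.create_connection((host, port), timeout=30) as sock:
        reader = sock.makefile("r", encoding="latin-1")
        return relay_test(lambda data: sock.sendall(data.encode("latin-1")),
                          reader.readline, **kw)


class FakeSendmail:
    """Constructed stand-in for a sendmail 8.8-era server. open_relay=True
    accepts any recipient; otherwise it refuses recipients outside its own
    domain, as a server with anti-relay rules does."""

    def __init__(self, open_relay, local_domain="relay.com"):
        self.open_relay, self.local_domain, self.log = open_relay, local_domain, []
        self.queue = ["220 relay.com ESMTP Sendmail 8.8.7/8.8.7; "
                      "Sun, 4 Jan 1998 17:54:11 -0500 (EST)\r\n"]

    def send(self, data):
        line = data.rstrip("\r\n")
        self.log.append(line)
        verb = line.split(None, 1)[0].split(":", 1)[0].upper()
        if verb == "HELO":
            reply = "250 relay.com Hello %s, pleased to meet you" % line[5:]
        elif verb == "MAIL":
            reply = "250 Sender ok"
        elif verb == "RCPT":
            addr = line.partition("<")[2].rstrip(">")
            if self.open_relay or addr.lower().endswith("@" + self.local_domain):
                reply = "250 Recipient ok"
            else:
                reply = "550 <%s>... Relaying denied" % addr
        elif verb == "RSET":
            reply = "250 Reset state"
        elif verb == "QUIT":
            reply = "221 relay.com closing connection"
        else:
            reply = "500 Command unrecognized"
        self.queue.append(reply + "\r\n")

    def recv_line(self):
        return self.queue.pop(0) if self.queue else ""
```

 Stopping at "rcpt to:" is kinder to the host being tested than the full walk-through above, but it is also slightly less conclusive: a server that accepts the recipient and then silently drops the message would show as "open" here, which is why the FAQ's method of actually delivering a message and reading the Received: header it adds is the final word.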

 


Blocking spam

 This section covers ways to block spam.

 How do I "block" spam?

 If you're on Unix, use procmail, a general purpose mail filtering package. You can find more info on it at http://www.ii.com/internet/robots/procmail/. Another good place to find information on Procmail is at http://www.iki.fi/~era/procmail/links.html.

 If you're on Windows or Macintosh, see if you can find a mail client which will do filtering for you. Better yet, ask your ISP if they can filter your mail for you so that you don't have to download spam only to have it filtered.

I see this funny header which seems to occur only in spam e-mail. Could I filter on that?

 RFC 822 is an official Internet document which describes all the standard headers. There are of course many non-standard headers which are inserted by some mail programs. Some of those are merely a strong hint that a message is spam, others only under certain circumstances, and some are only added by bulk e-mail programs.

 Here are a few examples that are frequently brought up:

 

X-PMflags
    This is inserted by Pegasus. The only time it should appear on incoming e-mail is when someone who uses Pegasus is forwarding e-mail to you.

X-UIDL
    This is used by POP3 clients and servers to provide unique identification for messages, to eliminate any possibility of duplicates. If legitimate e-mail that you receive doesn't have this header present, then you can safely filter on it, as this header shouldn't be inserted by any entity other than your POP3 client or your ISP's POP3 server. (One exception: if you pull mail from a POP3 mailbox with a tool like fetchmail and feed it to your filter afterwards, the header will already be on everything, legitimate or not.)

    Here's a valid header, for reference:

    X-UIDL: b07a13a309dff618f53a09eeb9b966cc

Comments: Authenticated sender ...
    This is inserted by Pegasus. If the message doesn't also have

    X-Mailer: Pegasus

    the information here is bogus and the message was sent using one of the broken bulk e-mail programs.

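 Here's an added example that turns the three rules above into code; it is not part of the original FAQ, and the three sample messages in it are made up (the addresses and Pegasus version string are invented, not taken from real mail). The point it makes that the prose doesn't is how the rules interact: "Comments: Authenticated sender" is only damning in the absence of a Pegasus X-Mailer:, and X-UIDL only counts when the filter runs at delivery time rather than after a POP3 fetch.

```python
from email import message_from_string

# Constructed messages (not real mail) exercising the headers discussed above.
PEGASUS_FORWARD = """\
From: friend@example.org
To: me@example.net
Subject: Fwd: newsletter
X-Mailer: Pegasus Mail for Win32 (v2.54)
Comments: Authenticated sender is <friend@example.org>
X-PMflags: 0

(forwarded text)
"""

BULK_MAILER = """\
From: offers@example.com
To: me@example.net
Subject: MAKE MONEY FAST
Comments: Authenticated sender is <offers@example.com>
X-UIDL: b07a13a309dff618f53a09eeb9b966cc

Send $5 to each name on the list...
"""

PLAIN = """\
From: colleague@example.org
To: me@example.net
Subject: lunch?

Noon?
"""


def suspicious_headers(raw_message, fetched_via_pop=False):
    """Return a list of (header, reason) hints, in the order the rules run.

    fetched_via_pop=True means the message came out of a POP3 mailbox (e.g.
    via fetchmail) before reaching this filter, so X-UIDL is legitimately
    present on it and is not counted.
    """
    msg = message_from_string(raw_message)   # header lookups are case-insensitive
    hints = []
    from_pegasus = "Pegasus" in msg.get("X-Mailer", "")
    if "X-PMflags" in msg and not from_pegasus:
        hints.append(("X-PMflags", "Pegasus-only header on mail not sent by Pegasus"))
    if "X-UIDL" in msg and not fetched_via_pop:
        hints.append(("X-UIDL", "POP3 bookkeeping header present at delivery time; "
                                "no sending MTA adds this"))
    comments = " ".join(msg.get_all("Comments", []))
    if "Authenticated sender" in comments and not from_pegasus:
        hints.append(("Comments", "'Authenticated sender' without a Pegasus X-Mailer: "
                                  "bogus, typical of broken bulk mailers"))
    return hints


def is_spam_suspect(raw_message, fetched_via_pop=False):
    return bool(suspicious_headers(raw_message, fetched_via_pop))
```

 The equivalent procmail conditions for the last rule are `* ^Comments: Authenticated sender` together with the negated `* !^X-Mailer:.*Pegasus`; the same two-condition shape is what keeps a recipe from eating genuine Pegasus mail.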
 How do I "block" spam in a LAN?

Since more and more LANs are running Windows NT on their servers, they have MTAs that aren't quite as configurable as sendmail, so it may be more difficult to filter out unwanted spams.

 A way around this is to set up a UNIX box to handle e-mail, and create an MX record for the domain pointing to it, so that all e-mail gets sent to the UNIX box, which can filter out spam with procmail, sendmail, or whatever, and then pass it on to the LAN's mail server. Two details matter: the UNIX box's MX record needs a lower preference number (i.e. a higher priority) than any other MX for the domain, and the NT server should accept mail only from the UNIX box, because anyone who connects straight to the NT server's IP address, or to a less-preferred MX, skips the filter entirely.

 If you are trying to keep costs down, I would recommend that you check out Linux.

 Another alternative would be to investigate subscribing to the Realtime Blackhole List.

 How can I "block" a site?

 Blocking a domain is a serious step, and can generally only be done by the sysadmin. It involves configuring one's router to ignore any and all TCP/IP packets from a given network, regardless of type. This means they can't even browse your website. See IDP. An automated method for doing this is by joining the Realtime Blackhole List, which has proven effective in keeping spam down on the sites that have joined it. More information can be found at http://maps.vix.com/rbl.

 Your administrator could also configure their MTA (mail transport agent) to refuse mail from a spammer's site. This is not 100% effective, because the spammers can route their mail via an innocent third party's server. More and more sites are disabling the relay feature from their servers, though, making it harder for the spammers to get through.

Another step some administrators take is to block a site by way of Procmail, which can filter mail by the IP address of the originating site (provided this information is present in the message headers).

 What's a UDP?

 Usenet Death Penalty. This is used only in the most extreme of cases where NNTP servers are configured to refuse any and all postings coming from a certain system. This happened to Prodigy in September of 1995 due to them refusing to take action against phone sex spammers. When they started nuking the accounts, the UDP was lifted.

 UDP also stands for User Datagram Protocol, part of the TCP/IP protocol suite, so the use of this acronym can be a bit confusing; however, it is usually possible to determine which one is being used from the context.

 What's an IDP?

 Internet Death Penalty. Used when a site refuses to do anything about abuse coming from them. What happens is that other sites will refuse connections of any sort coming from this site. The premise behind this is that users on that site will start complaining to their system administrators and the sysadmins will have to deal with their spammer problems or lose customers.

 This happened to ibm.net at one point for not taking any action against a series of spams being sent through their systems. Read more about this incident at http://www.ca-probate.com/yuri.htm.

 What's a plussed address?

 Plussed addresses are available for UNIX boxes running newer versions of sendmail. You can add a plus sign and any string you want after the username and before the '@' and the mail will still be delivered properly. For instance, dmuth+spamford-wallass@ot.com will reach me just fine. :-)

 However, before you attempt to use plussed addresses in your e-mail, I would suggest trying to e-mail yourself with a plussed address to make sure your ISP supports them.

 How can I use it effectively?

In terms of catching spammers, I have "dmuth+virus@ot.com" on my anti-virus homepage and NOWHERE else. I got a spam to that address about something that had nothing to do with viruses, so it _really_ served to prove that spammers don't check their lists. It also proves that they look for 'mailto:' links.

 Furthermore, if you start getting lots of spams to a plussed address (maybe after posting to Usenet with it), you can easily write a procmail recipe to dump all mail to that address to /dev/null.
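 Here's an added example of sorting mail by its plussed tag; it is not part of the original FAQ, and the sample messages, relay names and addresses in it are made up (only the dmuth/ot.com names come from the text above). Besides splitting the address, it shows where to look for the tag: a message that was Bcc'd to a plussed address shows it in no visible header, but sendmail's Received: line carries the envelope recipient in its "for <...>" clause, so the tag can still be recovered there.

```python
import re
from email import message_from_string

# Constructed messages (not real mail). Only the first shows the plussed
# address in a visible header; the second was Bcc'd, so the tag survives
# solely in the "for <...>" clause of the Received: line.
TO_VIRUS = """\
Received: from mail.example.org (mail.example.org [192.0.2.7]) by ot.com (8.8.7/8.8.7) with ESMTP id RAA12345 for <dmuth+virus@ot.com>; Sun, 4 Jan 1998 17:54:11 -0500 (EST)
From: someone@example.org
To: Doug Muth <dmuth+virus@ot.com>
Subject: about your anti-virus page

Hello
"""

BCC_USENET = """\
Received: from relay.example.com (relay.example.com [192.0.2.9]) by ot.com (8.8.7/8.8.7) with ESMTP id RAA12346 for <dmuth+usenet@ot.com>; Sun, 4 Jan 1998 18:00:00 -0500 (EST)
From: offers@example.com
To: undisclosed-recipients:;
Subject: MAKE MONEY FAST

Send $5...
"""

UNTAGGED = """\
From: colleague@example.org
To: dmuth@ot.com
Subject: lunch?

Noon?
"""

ADDRESS = re.compile(r"([A-Za-z0-9._-]+)(?:\+([A-Za-z0-9._-]+))?@([A-Za-z0-9.-]+)")


def split_plussed(address):
    """'dmuth+virus@ot.com' -> ('dmuth', 'virus', 'ot.com'); the tag is None
    when the address carries no '+' extension."""
    m = ADDRESS.fullmatch(address.strip())
    if not m:
        raise ValueError("not a bare user[+tag]@domain address: %r" % address)
    return m.group(1), m.group(2), m.group(3)


def tags_for(raw_message, user, domain):
    """Every '+tag' extension of user@domain this message was addressed to,
    gathered from To:, Cc: and the 'for <...>' clause of Received: lines."""
    msg = message_from_string(raw_message)
    candidates = msg.get_all("To", []) + msg.get_all("Cc", [])
    for received in msg.get_all("Received", []):
        m = re.search(r"\bfor <([^>]+)>", received)
        if m:
            candidates.append(m.group(1))
    tags = set()
    for field in candidates:
        for u, tag, d in ADDRESS.findall(field):
            if tag and u.lower() == user.lower() and d.lower() == domain.lower():
                tags.add(tag)
    return tags


def disposition(raw_message, user, domain, burned):
    """'drop' for mail to a tag you have retired (the /dev/null case),
    a per-tag folder for other tagged mail, 'inbox' for untagged mail."""
    tags = tags_for(raw_message, user, domain)
    if tags & set(burned):
        return "drop"
    if tags:
        return "folder-" + sorted(tags)[0]
    return "inbox"
```

 The same Received: trick applies to a procmail recipe: a `^TO_dmuth\+usenet@` condition only sees visible headers, whereas matching `^Received:.*for <dmuth\+usenet@` also catches the Bcc'd copies.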

 


Miscellaneous

 Calling an ISP voice and complaining - Why and How?

 Calling an ISP voice is one of the best ways of dealing with spamming problems involving their site. A phone call gets an ISP's attention far more readily than an e-mail does, since it takes up someone's time on the spot. Any legit business will take the time to listen to complaints against it.

 When calling an ISP voice, you should be sitting in front of your system with all the necessary information handy before you place the phone call. Nothing frustrates an anti-spam ISP more than a clueless complaint.

 Keeping calm and collected also cannot be emphasized enough. If you call up an ISP and start yelling at them, they will brush you off as some sort of lunatic instead of taking your complaint seriously. It can also have the negative side effect of having an ISP start to ignore complaints, which is a bad thing. [tm]

 A good place to get ISP phone numbers from is either by using whois or by visiting thelist.com.

 Calling a spammer's 800 number, be careful!

 All 800 numbers have something known as Automatic Number Identification, or ANI. This is so that the telephone companies will know where the 800 number calls are coming from so they can bill the owner for the correct amount.

 However, the owner of the 800 number can also get access to this list of numbers, which means that if you call a spammer to complain, it would be trivial for him to come up with your phone number!

 Therefore, it is recommended that you call for free from a pay phone. :-)

 Getting more information on a spammer.

 Often you'll see spams that list the only point of contact as a fax number. Of course, especially for the repeat spammers, we all like to find out who they are so we can call them up and tell them just what we think of their business practices. Well, there are a number of places on the Internet which have this sort of information available:

 

Of course, this should go without saying that it is not a smart idea to harass a spammer. The point in getting their phone number is to call them up and tell them what you think of their business practices, not to call them repeatedly and terrorize them. Going ballistic on a spammer only makes the entire anti-spam community look bad, so please don't do it.

 Complaining to the postal service - Why and How?

 Since a good portion of spams involve chain letters, where you send money to everyone on the list and add your name at the bottom, complaining to the postal service can be quite helpful, since these kinds of chain letters are illegal. More information on the laws concerning chain letters and their illegality can be found at http://www.usps.gov/websites/depart/inspect/chainlet.htm.

 Need to find which postoffice to complain to about a particular spammer? A good place to start is http://www.yahoo.com/Reference/Postal_Information/.

 Complaints can also be made over the Internet by sending e-mail to fraud@uspis.gov.

 I got flamed by a spammer I complained to. What do I do?

 If they don't have their own domain, use whois and complain to their administrator. If they do have their own domain, use traceroute followed by whois to complain to their upstream.

 I got flamed by the sysadmin of a site. What do I do?

 More of the same; you traceroute and complain to their upstream. At this point, I would suggest CC'ing your response to SPAM-L.

 Help! Am I being spammed by a list member?

 No; most likely, what is happening is that your mail software reacts to unquoted From_ lines in spam messages forwarded to the list.

 For example, this message, if seen by your e-mail program, can confuse it:

 

    From deathspam@hell.gov
    Received: from italy-c.earthlink net by forwarder's site etc.
    Received: (more Received lines ...)
    From: Daisy J. Duck 
    Subject: Big Ole Plastic Shoes You Can Count On! 
    ...
Most UNIX MTAs, such as sendmail, begin new e-mail messages by starting a line with the string "From ". Note the capitalization and following space.

 Therefore, if you posted such a message to the list, the receiver would see the message you posted, then another message which contains the headers of the spam and possibly some of the body, plus anything you wrote after the spam, such as your signature.

 Fortunately, most UNIX delivery agents and mail readers add a '>' (wedge) character in front of a "From " line when they write a message into a mailbox, but just to be safe, you should always quote spams that you report.
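 Here's an added example of the problem and the fix in code; it is not part of the original FAQ, and the report, spam and addresses in it are made up. It splits mailbox text the way a naive mail reader does, so you can see the unquoted "From " line turn one posted report into two messages, and it shows the quoting that prevents it (mboxrd style: a '>' goes in front of "From " and also in front of lines that already start with ">From ", so the change can be undone exactly).

```python
import re

# Constructed sample: a report to the list whose author pasted the spam in
# complete with its mailbox separator line (the "From " line), unquoted.
ENVELOPE = "From reporter@example.net Sun Jan  4 18:00:00 1998\n"
REPORT_HEADERS = ("From: reporter@example.net\n"
                  "To: the-list@example.net\n"
                  "Subject: spam report\n\n"
                  "Got this one today:\n\n")
SPAM = ("From deathspam@example.com Sun Jan  4 17:54:11 1998\n"
        "Received: from relay.example.org by mail.example.net ...\n"
        "From: Daisy J. Duck <daisy@example.com>\n"
        "Subject: Big Ole Plastic Shoes You Can Count On!\n\n"
        "Buy now!\n")
SIGNATURE = "-- \nreporter\n"

SEPARATOR = re.compile(r"^From ", re.M)   # capital F, then a space: no colon


def split_mbox(text):
    """Split mailbox text the way most UNIX mail readers do: each line that
    begins with "From " starts a new message."""
    starts = [m.start() for m in SEPARATOR.finditer(text)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]


def quote_from_lines(body):
    """Put a '>' in front of any body line that would pass for a separator.
    Lines already starting with '>From ' get another '>' too, so that
    unquote_from_lines() can undo the change without ambiguity."""
    return re.sub(r"^(>*From )", r">\1", body, flags=re.M)


def unquote_from_lines(body):
    return re.sub(r"^>(>*From )", r"\1", body, flags=re.M)


# What lands in a subscriber's mailbox in the two cases.
UNSAFE_MAILBOX = ENVELOPE + REPORT_HEADERS + SPAM + SIGNATURE
SAFE_MAILBOX = ENVELOPE + REPORT_HEADERS + quote_from_lines(SPAM) + SIGNATURE

if __name__ == "__main__":
    print("unquoted report splits into", len(split_mbox(UNSAFE_MAILBOX)), "messages")
    print("quoted report splits into", len(split_mbox(SAFE_MAILBOX)), "message")
```

 Note that the second "message" produced from the unquoted report ends with the reporter's signature, exactly as described above.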

 I seem to receive more spam now that I'm subscribed to this list!

 Interesting observation. This comes up from time to time. There is no particular reason to believe that spammers would target members of Spam-L, and some reason to think they ought to try to avoid hitting us (we're armed and dangerous. :-) Meanwhile, you should be aware that anybody is allowed to subscribe to the list and search the list archives, so it's in principle no more safe to post to Spam-L than to any other mailing list, or to Usenet for that matter.

 It would of course be interesting if somebody could prove a strong correlation between joining Spam-L and receiving higher amounts of spam. So far, rumors like this have usually been rejected on the grounds that the new subscriber probably would also simultaneously have become more active in one of the news.admin.net-abuse newsgroups, something that is highly likely to increase the amounts of spam you receive (not because spammers usually want to revenge-spam NANA* posters, but because they're too lazy or stupid to filter out anti-spam newsgroups when culling addresses off Usenet).

 


Resources

 This section contains a short glossary and a list of helpful URLs.

 Glossary

 

24/7
    A system that is connected to the net 24 hours a day, 7 days a week. Most ISPs and webservers fall into this category.
AGIS
    A backbone site in the US that was under massive fire for their unwillingness to stop their customers from spamming. See also the AGIS FAQ.
AUP
    Acceptable Use Policy, something all ISPs should have.
C&S
    Canter and Siegel, aka the "Green Card Spammers" who spammed the net repeatedly.
CAUCE
    The Coalition Against Unsolicited Commercial E-Mail. An organization that is trying to amend the United States junk fax law to apply to spam. Corey lives there now. ;-)
DNS
    Domain Name System; how the Internet keeps track of which host name corresponds to which IP number (which is what the computers use internally).
DoS
    Denial of Service. A type of attack against another system which cripples it. Examples include mail-bombing, ping flooding, and SYN flooding. More info can be found at http://www.student.tdb.uu.se/~t95hhu/c-war.html.
ECP
    Excessive Cross-Posting (USENET term), aka Velveeta.
EMP
    Excessive Multi-Posting (USENET term), aka Spam or Usenet Spam.
ISP
    Internet Service Provider -- a company selling Internet access.
LART
    Luser Attitude Readjustment Tool -- A fictional UNIX command for which the manpage can be found at http://www.winternet.com/~eric/sysadmin/lart.1m.html. Often used in conjunction with removing a spammer's account.
LAN
    Local Area Network. An environment where a bunch of computers are hooked together so they can talk to each other, and the Internet if there is an Internet connection.
Mallet
    Imaginary piece of hardware used for hitting Whack-a-Mole spammers. :-)
NANAE, n.a.n.a.e
    news.admin.net-abuse.email; a USENET newsgroup which talks about e-mail spamming.
NIN
    Nine Inch Nails [Had to, I just had to! ==Ed.]
MLM
    Multi Level Marketing. A system where "sales reps" are really trying to recruit new salespeople instead of selling an actual product. Seen in a good number of spams. Read more about MLMs at http://www.falseprofits.com.
MMF
    Make Money Fast, aka chain letters. Illegal in most civilized countries.
MDA
    Mail Delivery Agent. Delivers incoming e-mail. Examples include /bin/mail and procmail.
MTA
    Mail Transport Agent. Commonly used on a UNIX system, where an e-mail program merely passes an outgoing message to the MTA, which usually runs 24/7 and handles getting the message to the other site. Examples include sendmail, qmail, smail, etc.
MUA
    Mail User Agent. What you use to read and submit e-mail. Examples include Elm and Pine for UNIX systems, Eudora and MS Outlook for Windows 95 systems.
PGP (Pretty Good Privacy)
    A popular encryption program which allows users to send encrypted e-mail that only the recipient can read, as well as to post a message that is "digitally signed" by them so that others can verify that the user actually sent that message. More information can be found on the International PGP Page at http://www.ifi.uio.no/pgp/.
Ponzi scheme
    A type of pyramid scheme where money from new "investors" (read: marks) is used to pay off older ones who think they made money. Eventually, too many people demand their money at once and the pyramid falls apart, resulting in chaos.
Pyramid scheme
    The fundamental idea behind chain letters and MLM -- you know, send this to four of your friends and do not break the chain. A graphic model of this might look like a pyramid, where each new participant has to build their own "pyramid" of new participants in order for the scheme to work.
Remove list
    An offer a spammer makes to put you on a special list so that you don't get any more spam from them. Signing up on a remove list is worse than useless, as spammers have been known to spam the addresses on them.
Reverse DNS
    The reverse of a DNS lookup. That is, you enter an IP number, and you are told what name, if any, corresponds to it. If there is no name, you can always use whois or traceroute to determine who owns the system.
Sendmail
    The most popular MTA for UNIX because it is very configurable. Versions before 8.9 relay mail for anyone unless the administrator adds anti-relay rules, which is what spammers take advantage of; from 8.9 on, relaying is refused by default. More information on sendmail can be found at http://www.sendmail.org.
Spammy
    Sanford Wallace, the spammer who runs Cyberpromotions. See also the CyberPromo FAQ.
Troll
    A user who shows up in mailing lists and Usenet newsgroups who has nothing better to do than stir up arguments and flamewars between themselves and the users of that group. Most trolls just want the attention and will go away if they are ignored. SEE ALSO: Kook, Net.Scum, Freedom Knights, and http://www.netscum.org.
UBE
    Unsolicited Bulk Email, aka spam.
UCE
    Unsolicited Commercial Email, aka spam.
Whack-A-Mole
    What spam is called when the spammer keeps jumping from ISP to ISP and is next to impossible to filter!

Web Sites

 This section lists various anti-spam web sites. Please e-mail me if you would like me to add a URL.

 Information

 

Tools

 


Credits

 Credits and thanks go to:


Changes from previous versions

 Significant changes that occurred over various versions of this FAQ

 

END OF FAQ - Thanks for reading