After sending out an appeal to our site's users to report commercial abuse of email services (spam and junk mailings) I received so many responses that it's become impractical for me to deal with each one. I'm hoping that this Web page will enable users to track down the sources of spam and respond themselves -- I would appreciate a Cc to postmaster, by the way, when you do report or respond to the nuisance.
After reading the information below, you may conclude that it's just too much trouble to respond to every minor nuisance... and you are probably right. However, if your personal sense of annoyance and/or outrage drives you to take action, this page can help you get started.
If you receive a particularly illegal-looking message, or any personal abuse, threats, etc., please do report these directly to me as in the past.
So you just received an email message from an unfamiliar but innocuous looking address, with a subject like "Wow, it was good to see you again." Thinking it might be from an old friend with a new handle, you read it and discover (Ack! Pthffftpt!) that it's Yet Another Unsolicited Commercial Email.
UCEs (or Unwanted Crap Email, for the more outspoken among us) are sent by persons with no netiquette to vast mailing lists which they usually cull from netgroup postings. For example, a spammer of this kind may want to sell fishing rods; so he scans all newsgroup names for the string "fish"; then he scans the fishy groups' archives or the online bulk of postings for the email addresses of all posters. He then mails to all 100,000 names on this list some commercial come-on inviting them to buy fishing rods directly from him.
Moreover, being a sneaky SOB and knowing that when you see "Great New Deal on Fishing Rods" in the Subject line you will simply delete the message, he falsifies the return address with a bogus sender address and a misleading subject line, in the hope of wasting more of your time. The bogus sender address is often bogus enough to prevent you from Replying (with an irate request that he shut up). Falsifying email headers, by the way, is a violation of the written policy of just about every site and service provider in the civilized Net.
UCE's fall into a limited number of major categories. The hopeful direct mailer is probably the most innocuous; his cousin, who wants to share a personal religious revelation, is also more annoying than alarming. But they have creepier relatives. Some of the direct mailers are hawking the tools for scraping thousands of email addresses out of newsgroups; others are hawking huge mailing lists that they have already scraped. Descending down the sleaze chain we come to the guy who wants to show you some dirty pictures, sometimes of his underage sister (these guys are worth tracking down if you can, but they cover their tracks pretty well) and the guy who earnestly hopes that you don't know what a Ponzi scheme is. There are plenty of other unlovely parasites in the taxonomy, but these are probably the most familiar.
So what can you do about this darned annoying cruft in your mailbox? Here are some tips on how to read a mail header and how to respond to the appropriate parties.
First you have to find the complete header. Since many mail tools helpfully suppress the difficult long words from the header for you, your safest bet is to use your favourite text editor and edit your mail spool file, mbox file, or whichever mailbox you believe the offending message fell into. Use the editor in READ ONLY mode. Search for a recognizable string in the message. Back up to the header info (everything from the blank line that ended the previous message to the first body line of this message). It might look something like this:
From Mailer-Daemon Sun Mar 16 23:59:03 1997 Return-Path:This is a pretty typical example which I was recently asked to deal with. This header tells us quite a lot. We can see that the "From:" line does not match the "Received:" path; even if the From: line were not obviously bogus, the mismatched domain name would show that it had been falsified.
Received: from shakti.ucolick.org by helios.ucolick.org (helios.ucolick.org) (4.1/SMI-4.1) id AA23377; Sun, 16 Mar 97 23:59:03 PST Received: from mtigwc03.worldnet.att.net (mailhost.worldnet.att.net [22.214.171.124]) by shakti.ucolick.org (8.6.10/8.6.10) with ESMTP id XAA16844 for ; Sun, 16 Mar 1997 23:59:02 -0800 Date: Sun, 16 Mar 1997 23:59:02 -0800 Message-Id: <199703170759.XAA16844@shakti.ucolick.org> Received: from RJIREDFF ([126.96.36.199]) by mtigwc03.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAW6060; Mon, 17 Mar 1997 07:35:09 +0000 From: please@don't.reply Subject: Aren't you the person who...? Apparently-To:
Reading the history of the piece of mail, which is displayed in reverse chronology in the lines of header, we can see that shakti handed it to helios (our mail hub). Shakti received it from mtigwc03.worldnet.att.net, whose mail hub is mailhost.worldnet.att.net. But mailhost.worldnet.att.net received it from something called RJIREDFF, a host whose address is 188.8.131.52.
Let's try nslookup on that address.
de@ronin:/u/de% nslookup Default Server: bigdog.ucolick.org Address: 184.108.40.206 > 220.127.116.11 Server: bigdog.ucolick.org Address: 18.104.22.168 Name: 46.los-angeles-002.ca.dial-access.att.net Address: 22.214.171.124OK, so we know now that this user is a wildcat, using a large public access dialin facility in LA. I send mail to email@example.com, and firstname.lastname@example.org. What do I say? In this particular case I said:
Postmasters: An individual on the host "RJIREDFF" (126.96.36.199) has been using your internet service to mass-mail unsolicited propositions of dubious integrity to random individuals at our site. We strongly object to this waste of internet bandwidth, not to mention the nuisance and wasted disk space at our site. I have not read the attached material closely, but a quick look indicates that it is some kind of Ponzi scheme, which qualifies as fraud under the law. The individual in question is clearly aware of the illegal nature of the scheme, since he/she has gone to the trouble of falsifying the From field in the mail header. We request that you shut down this person's internet access immediately. Here is one of the messages: [etc.]In messages to postmasters and abuse handlers, try to keep the tone professional and the message brief. They have to read an awful lot of this stuff every day.
Just for grins, let's compare this other header of a somewhat different flavour:
From Karenm@usa.us Sun Apr 6 03:46:46 1997 Return-Path:Note the mismatch between Karenm@usa.us and the actual delivery path of the message. The message, needless to say, is a UCE (in fact, one of the kind that wants me to look at dirty pictures of someone's underage sisters), and is apparently signed by
Received: from ucolick.org (lick.ucolick.org) by helios.ucolick.org (helios.ucolick.org) (4.1/SMI-4.1) id AA01890; Sun, 6 Apr 97 03:46:44 PDT Received: from sxx.com by ucolick.org (8.8.5/LICK-GATEv8) id DAA21723; Sun, 6 Apr 1997 03:47:08 -0700 (PDT) From: Karenm@usa.us Received: from pcn-frank (local-2.xsx.net [188.8.131.52]) by sxx.com (8.8.5/8.7 .3) with SMTP id GAA01890 for de@UCOLICK.ORG; Sun, 6 Apr 1997 06:52:41 -0400 (EDT) Date: Sun, 6 Apr 1997 06:52:41 -0400 (EDT) Message-Id: <199704061052.GAA01890@sxx.com> To: email@example.com Reply-To: Karenm@usa.us Subject: I missed you ! Status: RO
Thank You for your time and hoping to see you soon. Mark Stanford Vice President of Marketing W.M.P. Inc(a person whose existence I am somewhat inclined to doubt). If we trace this message's history, we get to local-2.xsx.net:
de@ronin:/u/de% nslookup Default Server: bigdog.ucolick.org Address: 184.108.40.206 > local-2.xsx.net Server: bigdog.ucolick.org Address: 220.127.116.11 Non-authoritative answer: Name: local-2.xsx.net Address: 18.104.22.168Being curious, I proceed to walk around the domain with nslookup...
> 22.214.171.124 Server: bigdog.ucolick.org Address: 126.96.36.199 Name: 158-1.total.net Address: 188.8.131.52 > 184.108.40.206 Server: bigdog.ucolick.org Address: 220.127.116.11 Name: 158-0.total.net Address: 18.104.22.168 > 22.214.171.124 Server: bigdog.ucolick.org Address: 126.96.36.199 Name: local-3.xsx.net Address: 188.8.131.52and eventually discover that xsx.net owns addresses 16 through 23 in that domain. This is not just a wildcat. And furthermore, what about that sxx.com?
> sxx.com Server: bigdog.ucolick.org Address: 184.108.40.206 Name: sxx.com Address: 220.127.116.11 > 18.104.22.168 Server: bigdog.ucolick.org Address: 22.214.171.124 Name: stealth.sxx.com Address: 126.96.36.199 > 188.8.131.52 Server: bigdog.ucolick.org Address: 184.108.40.206 Name: www.webnavi.com Address: 220.127.116.11 > 18.104.22.168 Server: bigdog.ucolick.org Address: 22.214.171.124 Name: www.4wyw.com Address: 126.96.36.199No block of addresses there, but a it is registered commercial site. This is not a wildcat user, but an established commercial enterprise. One somehow gets the feeling that the owners of sxx.com don't plan to be identified publicly (machines called "stealth" don't inspire one with a lot of confidence in their netiquette), so a personal message might have some effect. Time to take a look at the site via the InterNIC page.
I enter "xsx.net" and start my search. I get a result:
Query: whois -h rs.internic.net SUM xsx.net XSX Networks (XSX3-DOM) XSX.NET To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first. The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.The "(XSX3-DOM)" text is an HTML link, which I follow to get
XSX Networks (XSX3-DOM) 3860 Notre Dame suite 101 Laval, Qc H7V 1S1 CA Domain Name: XSX.NET Administrative Contact: Tambas, James (JT2447) james@BCS.CA 514-682-1720 (FAX) 514-682-2723 Technical Contact, Zone Contact: TotalNet Domain Registrar (TDR-ORG) hostmaster@TOTAL.NET (514) 481-2585 Fax- (514) 481-2785 Billing Contact: Tambas, James (JT2447) james@BCS.CA 514-682-1720 (FAX) 514-682-2723 Record last updated on 11-Mar-97. Record created on 11-Mar-97. Domain servers in listed order: NIC1.TOTAL.NET 188.8.131.52 NIC2.TOTAL.NET 184.108.40.206We've just found out that XSX.NET is actually administered, or receives some kind of service from, TOTAL.NET. We've found out that it lives in Canada. We have a phone number and a fax number and a real person's email address, which we can use to express our irritation at receiving UCEs. We can write directly to the machine called "stealth" or to the official contact (that's what I did).
Some of these messages will contain weaselly little apologies like "Sorry if you aren't interested in this, but we really wanted to call your attention to..." or "All you have to do to be removed from this list is not reply...". These weak formulaic disclaimers do not legitimize in any way the falsification of mail headers or the propagation of scams and illegal activities via the Net. Don't feel that a response is not justified because of some insincere pseudo-apology on the part of the spammer. Spamming is bad netiquette, bad bandwidth management, and bad business. If we resist it strenuously enough it may go out of style.
For more discussion on the problem of internet spam, see the groups
Thanks to Steve Allen and all the users at Lick Observatory who have sent in their received spams, offered me access to their mailboxes for mail header analysis, etc.