A Beginner's Guide to Resisting Net Scams, Spams, and Ripoffs

De Clarke

UCO / Lick Observatory

1997-2000: this is a Working Document that changes over time: please comment, complain, etc. to the address below.
Cool Anti-Spam Resource Pages

And don't forget another great resource available to us all! When you send those dignified little notes to reputable postmasters, webmasters, etc., deploring junk email activity, make sure you Cc the IRS:
  • net-abuse@nocs.insp.irs.gov
    Everybody's favourite "Care Bears in wingtips," as a Well poster put it, will be interested in those megabucks the spammers claim they are raking in. Turns out that a lot of spammers forget to report all that income :-)
    A note for Lick Observatory's user community:

    After sending out an appeal to our site's users to report commercial abuse of email services (spam and junk mailings) I received so many responses that it's become impractical for me to deal with each one. I'm hoping that this Web page will enable users to track down the sources of spam and respond themselves -- I would appreciate a Cc to postmaster, by the way, when you do report or respond to the nuisance.

    After reading the information below, you may conclude that it's just too much trouble to respond to every minor nuisance... and you are probably right. However, if your personal sense of annoyance and/or outrage drives you to take action, this page can help you get started.

    If you receive a particularly illegal-looking message, or any personal abuse, threats, etc., please do report these directly to me as in the past.


    What's a UCE?

    So you just received an email message from an unfamiliar but innocuous looking address, with a subject like "Wow, it was good to see you again." Thinking it might be from an old friend with a new handle, you read it and discover (Ack! Pthffftpt!) that it's Yet Another Unsolicited Commercial Email.

    UCEs (or Unwanted Crap Email, for the more outspoken among us) are sent by persons with no netiquette to vast mailing lists which they usually cull from netgroup postings. For example, a spammer of this kind may want to sell fishing rods; so he scans all newsgroup names for the string "fish"; then he scans the fishy groups' archives or the online bulk of postings for the email addresses of all posters. He then mails to all 100,000 names on this list some commercial come-on inviting them to buy fishing rods directly from him.

    Moreover, being a sneaky SOB and knowing that when you see "Great New Deal on Fishing Rods" in the Subject line you will simply delete the message, he falsifies the return address with a bogus sender address and a misleading subject line, in the hope of wasting more of your time. The bogus sender address is often bogus enough to prevent you from Replying (with an irate request that he shut up). Falsifying email headers, by the way, is a violation of the written policy of just about every site and service provider in the civilized Net.

    UCEs fall into a limited number of major categories. The hopeful direct mailer is probably the most innocuous; his cousin, who wants to share a personal religious revelation, is also more annoying than alarming. But they have creepier relatives. Some of the direct mailers are hawking the tools for scraping thousands of email addresses out of newsgroups; others are hawking huge mailing lists that they have already scraped. Descending the sleaze chain we come to the guy who wants to show you some dirty pictures, sometimes of his underage sister (these guys are worth tracking down if you can, but they cover their tracks pretty well) and the guy who earnestly hopes that you don't know what a Ponzi scheme is. There are plenty of other unlovely parasites in the taxonomy, but these are probably the most familiar.

    So what can you do about this darned annoying cruft in your mailbox? Here are some tips on how to read a mail header and how to respond to the appropriate parties.


    Basic Strategy:
    1. Determine the true delivery path of the mail message (details on How to Read an Email Header below)
    2. Try to find a legitimate service provider in it
    3. Write to "postmaster" or "abuse" at the service provider address
    4. Be sure to include the original complete header and a large enough chunk of the offending message to show what it was about
    Cathartic Strategy:
    1. Try to find the real user name of the sender in the header mess
    2. Write a nasty note to the sender telling him/her exactly how much you don't appreciate this waste of your time and bandwidth (but keep it barely civil, folks, since our site guidelines prohibit abusive/obscene and/or threatening mail messages!)
    Advanced Strategy:
    1. If the originator is not a wildcat user of some legitimate ISP, but lives in an established InterNIC domain, you can look up the contact information for the domain (addresses and phone numbers!) on the InterNIC WhoIs Page.
    2. If you feel that strongly about it you can phone or fax your objections to the contact, or even get your tame lawyer to write a vaguely nasty paper letter for you.

    How to Read an Email Header

    First you have to find the complete header. Since many mail tools helpfully suppress the difficult long words from the header for you, your safest bet is to use your favourite text editor and edit your mail spool file, mbox file, or whichever mailbox you believe the offending message fell into. Use the editor in READ ONLY mode. Search for a recognizable string in the message. Back up to the header info (everything from the blank line that ended the previous message to the first body line of this message). It might look something like this:

    From Mailer-Daemon  Sun Mar 16 23:59:03 1997
    Return-Path: 
    Received: from shakti.ucolick.org by helios.ucolick.org (helios.ucolick.org) (4.1/SMI-4.1)
            id AA23377; Sun, 16 Mar 97 23:59:03 PST
    Received: from mtigwc03.worldnet.att.net (mailhost.worldnet.att.net [204.127.131.3]) by shakti.ucolick.org (8.6.10/8.6.10) with ESMTP id XAA16844 for ; Sun, 16 Mar 1997 23:59:02 -0800
    Date: Sun, 16 Mar 1997 23:59:02 -0800
    Message-Id: <199703170759.XAA16844@shakti.ucolick.org>
    Received: from RJIREDFF ([207.147.201.46]) by mtigwc03.worldnet.att.net
              (post.office MTA v2.0 0613 ) with SMTP id AAW6060;
              Mon, 17 Mar 1997 07:35:09 +0000
    From: please@don't.reply
    Subject: Aren't you the person who...?
    Apparently-To: 
    
    This is a pretty typical example which I was recently asked to deal with. This header tells us quite a lot. We can see that the "From:" line does not match the "Received:" path; even if the From: line were not obviously bogus, the mismatched domain name would show that it had been falsified.

    Reading the history of the piece of mail, which the Received: lines of the header display in reverse chronological order (newest hop first, since each relay prepends its own line), we can see that shakti handed it to helios (our mail hub). Shakti received it from mtigwc03.worldnet.att.net, whose mail hub is mailhost.worldnet.att.net. But mailhost.worldnet.att.net received it from something called RJIREDFF, a host whose address is 207.147.201.46.
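As an added example (this is not code from the guide), the Python script below does the same reading mechanically: it pulls the Received: lines out of a raw message, reverses them into chronological order, records the IP address each relay logged for the host that handed it the message, and checks whether the From: domain appears anywhere on that path. The two samples are the headers reproduced in this guide (with the angle-bracketed addresses left empty, as they are on the page); the function names are my own.

```python
"""Reconstruct a message's real delivery path from its Received: headers.

Added example for this guide, not code from it.  Each relay prepends its
own Received: line, so the header lists hops newest-first; reversing them
gives the chronological path, starting at the machine closest to the
sender.  The From: domain is then checked against every host actually
seen on that path.
"""
import re
from email import message_from_string

# The first header reproduced in the guide.  The angle-bracketed addresses
# were already stripped on the page, so they are left empty here; the body
# line is constructed.
SAMPLE_ATT = """\
From Mailer-Daemon  Sun Mar 16 23:59:03 1997
Return-Path:
Received: from shakti.ucolick.org by helios.ucolick.org (helios.ucolick.org) (4.1/SMI-4.1)
        id AA23377; Sun, 16 Mar 97 23:59:03 PST
Received: from mtigwc03.worldnet.att.net (mailhost.worldnet.att.net [204.127.131.3]) by shakti.ucolick.org (8.6.10/8.6.10) with ESMTP id XAA16844 for ; Sun, 16 Mar 1997 23:59:02 -0800
Date: Sun, 16 Mar 1997 23:59:02 -0800
Message-Id: <199703170759.XAA16844@shakti.ucolick.org>
Received: from RJIREDFF ([207.147.201.46]) by mtigwc03.worldnet.att.net
          (post.office MTA v2.0 0613 ) with SMTP id AAW6060;
          Mon, 17 Mar 1997 07:35:09 +0000
From: please@don't.reply
Subject: Aren't you the person who...?
Apparently-To:

(body omitted)
"""

# The second header from the guide; the page's 80-column wrap inside
# "(8.8.5/8.7.3)" is rejoined so the header folds legally.
SAMPLE_XSX = """\
From Karenm@usa.us Sun Apr  6 03:46:46 1997
Return-Path:
Received: from ucolick.org (lick.ucolick.org) by helios.ucolick.org (helios.ucolick.org) (4.1/SMI-4.1)
        id AA01890; Sun, 6 Apr 97 03:46:44 PDT
Received: from sxx.com by ucolick.org (8.8.5/LICK-GATEv8)
        id DAA21723; Sun, 6 Apr 1997 03:47:08 -0700 (PDT)
From: Karenm@usa.us
Received: from pcn-frank (local-2.xsx.net [205.205.158.19]) by sxx.com (8.8.5/8.7.3) with SMTP id GAA01890 for de@UCOLICK.ORG; Sun, 6 Apr 1997 06:52:41 -0400 (EDT)
Date: Sun, 6 Apr 1997 06:52:41 -0400 (EDT)
Message-Id: <199704061052.GAA01890@sxx.com>
To: de@ucolick.org
Reply-To: Karenm@usa.us
Subject: I missed you !
Status: RO

(body omitted)
"""

# "from <helo name> (<reverse name> [<ip>]) by <relay>"; the parenthesised part is optional
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(received):
    """One Received: value -> {'from', 'rdns', 'ip', 'by'}, or None if unparsable."""
    text = " ".join(received.split())            # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return None
    paren = m.group("paren") or ""
    ipm = IP_RE.search(paren)
    rdns = paren.split("[")[0].strip() or None    # name the relay itself resolved, if any
    return {"from": m.group("helo"), "rdns": rdns,
            "ip": ipm.group(1) if ipm else None, "by": m.group("by")}

def delivery_path(raw):
    """Hops in chronological order: index 0 is the relay nearest the sender."""
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]

def origin(raw):
    """(announced name, logged IP) of the first hop: the host to name in a complaint."""
    first = delivery_path(raw)[0]
    return first["from"], first["ip"]

def from_domain(raw):
    """Domain part of the From: header, lower-cased (None if there is no address)."""
    m = re.search(r"@([^\s>]+)", message_from_string(raw)["From"] or "")
    return m.group(1).lower() if m else None

def from_matches_path(raw):
    """True only if the From: domain is one of the hosts on the real delivery path."""
    dom = from_domain(raw)
    if not dom:
        return False
    seen = {name.lower() for hop in delivery_path(raw)
            for name in (hop["from"], hop["rdns"], hop["by"]) if name}
    return any(n == dom or n.endswith("." + dom) for n in seen)

if __name__ == "__main__":
    for sample in (SAMPLE_ATT, SAMPLE_XSX):
        for i, hop in enumerate(delivery_path(sample)):
            print(f"{i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
        print("From: domain appears on path?", from_matches_path(sample), "\n")
```

For both headers the script reports that the From: domain never appears on the path, which is the falsification the text describes, and `origin()` returns the announced name and address (RJIREDFF at 207.147.201.46, pcn-frank at 205.205.158.19) that the complaint to the postmaster should quote. Only the hop logged by a relay you trust (here, your own hub) is reliable; anything a sender's own machine claims in its Received: line can itself be forged.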

    Let's try nslookup on that address.

    [109]de@ronin:/u/de% nslookup
    Default Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    > 207.147.201.46
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Name:    46.los-angeles-002.ca.dial-access.att.net
    Address:  207.147.201.46
    
    
    OK, so we know now that this user is a wildcat, using a large public access dialin facility in LA. I send mail to postmaster@worldnet.att.net, and postmaster@mtigwc03.worldnet.att.net. What do I say? In this particular case I said:
    
    Postmasters:
    
    An individual on the host "RJIREDFF" (207.147.201.46) has been using
    your internet service to mass-mail unsolicited propositions of
    dubious integrity to random individuals at our site.  We strongly
    object to this waste of internet bandwidth, not to mention the nuisance
    and wasted disk space at our site.
    
    I have not read the attached material closely, but a quick look indicates
    that it is some kind of Ponzi scheme, which qualifies as fraud under
    the law.  The individual in question is clearly aware of the illegal
    nature of the scheme, since he/she has gone to the trouble of 
    falsifying the From field in the mail header.
    
    We request that you shut down this person's internet access immediately.
    
    Here is one of the messages:
    
    [etc.]
    
    In messages to postmasters and abuse handlers, try to keep the tone professional and the message brief. They have to read an awful lot of this stuff every day.

    Just for grins, let's compare this other header of a somewhat different flavour:

    From Karenm@usa.us Sun Apr  6 03:46:46 1997
    Return-Path: 
    Received: from ucolick.org (lick.ucolick.org) by helios.ucolick.org (helios.ucolick.org) (4.1/SMI-4.1)
            id AA01890; Sun, 6 Apr 97 03:46:44 PDT
    Received: from sxx.com by ucolick.org (8.8.5/LICK-GATEv8)
            id DAA21723; Sun, 6 Apr 1997 03:47:08 -0700 (PDT)
    From: Karenm@usa.us
    Received: from pcn-frank (local-2.xsx.net [205.205.158.19]) by sxx.com (8.8.5/8.7
    .3) with SMTP id GAA01890 for de@UCOLICK.ORG; Sun, 6 Apr 1997 06:52:41 -0400 (EDT)
    Date: Sun, 6 Apr 1997 06:52:41 -0400 (EDT)
    Message-Id: <199704061052.GAA01890@sxx.com>
    To: de@ucolick.org
    Reply-To: Karenm@usa.us
    Subject: I missed you !
    Status: RO
    
    Note the mismatch between Karenm@usa.us and the actual delivery path of the message. The message, needless to say, is a UCE (in fact, one of the kind that wants me to look at dirty pictures of someone's underage sisters), and is apparently signed by
    
    Thank You for your time and hoping to see you soon.
    Mark Stanford 
    Vice President of Marketing
    W.M.P. Inc
    
    
    (a person whose existence I am somewhat inclined to doubt). If we trace this message's history, we get to local-2.xsx.net:
    [111]de@ronin:/u/de% nslookup
    Default Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    > local-2.xsx.net
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Non-authoritative answer:
    Name:    local-2.xsx.net
    Address:  205.205.158.19
    
    
    Being curious, I proceed to walk around the domain with nslookup...
    > 205.205.158.1
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Name:    158-1.total.net
    Address:  205.205.158.1
    
    > 205.205.158.10 
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Name:    158-0.total.net
    Address:  205.205.158.10
    
    > 205.205.158.20
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Name:    local-3.xsx.net
    Address:  205.205.158.20
    
    
    and eventually discover that xsx.net owns addresses 16 through 23 in that domain. This is not just a wildcat. And furthermore, what about that sxx.com?
    > sxx.com
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Name:    sxx.com
    Address:  207.226.134.119
    
    > 207.226.134.119
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Name:    stealth.sxx.com
    Address:  207.226.134.119
    
    > 207.226.134.118
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Name:    www.webnavi.com
    Address:  207.226.134.118
    
    > 207.226.134.120
    Server:  bigdog.ucolick.org
    Address:  128.114.23.29
    
    Name:    www.4wyw.com
    Address:  207.226.134.120
    
    
    No block of addresses there, but it is a registered commercial site. This is not a wildcat user, but an established commercial enterprise. One somehow gets the feeling that the owners of sxx.com don't plan to be identified publicly (machines called "stealth" don't inspire one with a lot of confidence in their netiquette), so a personal message might have some effect. Time to take a look at the site via the InterNIC page.
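The "walk around the domain with nslookup" step above can be automated. The Python below is an added example (not the guide's own tooling): it resolves the PTR name of every address within a small radius of the suspect IP, stays inside that address's /24, and groups the answers by registered domain so a block belonging to one operator stands out from its neighbours. The resolver is a parameter; the default uses the system resolver, while the stub used here is constructed from the nslookup answers shown in the guide plus assumed names for the rest of the .16 to .23 block (today's real DNS will differ).

```python
"""Reverse-DNS walk around a suspect address, grouped by registered domain.

Added example for this guide, not code from it.  Mirrors the manual
nslookup walk: look up ip-before .. ip+after (clipped to the /24),
then group the PTR names by their last two labels.
"""
import ipaddress
import socket

def reverse_name(ip):
    """PTR owner name for an IPv4 address, e.g. 46.201.147.207.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def system_resolver(ip):
    """Real lookup through the OS resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def registered_domain(name, labels=2):
    """Last two labels of a host name: 'local-2.xsx.net' -> 'xsx.net'."""
    return ".".join(name.rstrip(".").split(".")[-labels:])

def walk_reverse(ip, before=8, after=8, resolve=system_resolver):
    """Map each address from ip-before to ip+after (inside its /24) to its PTR name."""
    centre = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{centre}/24", strict=False)
    names = {}
    for offset in range(-before, after + 1):
        addr = centre + offset
        if addr not in net:                    # don't wander into the neighbouring /24
            continue
        names[str(addr)] = resolve(str(addr))
    return names

def group_by_domain(names):
    """{'xsx.net': ['205.205.158.16', ...], ...} in address order; unresolved ignored."""
    groups = {}
    for ip, name in sorted(names.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if name:
            groups.setdefault(registered_domain(name), []).append(ip)
    return groups

# Constructed stub: the four answers nslookup gave in the guide, plus
# assumed names for the remaining addresses of the xsx.net block.
STUB_PTR = {"205.205.158.1": "158-1.total.net", "205.205.158.10": "158-0.total.net",
            "205.205.158.19": "local-2.xsx.net", "205.205.158.20": "local-3.xsx.net"}
for _n in (16, 17, 18, 21, 22, 23):
    STUB_PTR[f"205.205.158.{_n}"] = f"local-x{_n}.xsx.net"   # assumed, not from the page

def stub_resolver(ip):
    return STUB_PTR.get(ip)

if __name__ == "__main__":
    names = walk_reverse("205.205.158.19", before=10, after=8, resolve=stub_resolver)
    for domain, ips in group_by_domain(names).items():
        print(f"{domain}: {ips[0]} .. {ips[-1]} ({len(ips)} addresses)")
```

With the stub the walk reports one total.net address and eight contiguous xsx.net addresses around the suspect host, which is exactly the observation the text draws: a block of its own rather than a single dial-up. Against live DNS (`resolve=system_resolver`), keep the radius small; PTR records are set by whoever controls the reverse zone and can be missing or misleading, so treat the grouping as a lead to confirm with whois, not as proof.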

    I enter "xsx.net" and start my search. I get a result:

    
    Query: whois -h rs.internic.net SUM xsx.net
    
    
    XSX Networks (XSX3-DOM)                                                XSX.NET
    
    To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first.
    
    The InterNIC Registration Services Host contains ONLY Internet Information
    (Networks, ASN's, Domains, and POC's).
    Please use the whois server at nic.ddn.mil for MILNET Information.
    
    
    The "(XSX3-DOM)" text is an HTML link, which I follow to get
    
    
    XSX Networks (XSX3-DOM)
       3860 Notre Dame suite 101
       Laval, Qc H7V 1S1
       CA
    
       Domain Name: XSX.NET
    
       Administrative Contact:
          Tambas, James  (JT2447)  james@BCS.CA
          514-682-1720 (FAX) 514-682-2723
       Technical Contact, Zone Contact:
          TotalNet Domain Registrar  (TDR-ORG)  hostmaster@TOTAL.NET
          (514) 481-2585
    Fax- (514) 481-2785
       Billing Contact:
          Tambas, James  (JT2447)  james@BCS.CA
          514-682-1720 (FAX) 514-682-2723
    
       Record last updated on 11-Mar-97.
       Record created on 11-Mar-97.
    
       Domain servers in listed order:
    
       NIC1.TOTAL.NET               205.236.175.4
       NIC2.TOTAL.NET               205.236.87.4
    
    
    We've just found out that XSX.NET is actually administered by, or at least receives some kind of service from, TOTAL.NET. We've found out that it lives in Canada. We have a phone number and a fax number and a real person's email address, which we can use to express our irritation at receiving UCEs. We can write directly to the machine called "stealth" or to the official contact (that's what I did).
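As an added example (not code from the guide), here is a small parser for the InterNIC record format shown above. It picks out the domain, each contact role with its handle, email and phone numbers, and the listed name servers, so the addresses to write to and the provider that actually serves the zone fall out without reading the record by eye. The sample is the xsx.net record as printed above; the function names are my own.

```python
"""Pull contacts and name servers out of an InterNIC-style whois record.

Added example for this guide, not code from it.  Handles the layout shown
above: role lines ending in "Contact:", an indented "Name  (HANDLE)  email"
line, one or more phone/fax lines, and a "Domain servers" list.
"""
import re

# The xsx.net record as reproduced in the guide.
RECORD = """\
XSX Networks (XSX3-DOM)
   3860 Notre Dame suite 101
   Laval, Qc H7V 1S1
   CA

   Domain Name: XSX.NET

   Administrative Contact:
      Tambas, James  (JT2447)  james@BCS.CA
      514-682-1720 (FAX) 514-682-2723
   Technical Contact, Zone Contact:
      TotalNet Domain Registrar  (TDR-ORG)  hostmaster@TOTAL.NET
      (514) 481-2585
Fax- (514) 481-2785
   Billing Contact:
      Tambas, James  (JT2447)  james@BCS.CA
      514-682-1720 (FAX) 514-682-2723

   Record last updated on 11-Mar-97.
   Record created on 11-Mar-97.

   Domain servers in listed order:

   NIC1.TOTAL.NET               205.236.175.4
   NIC2.TOTAL.NET               205.236.87.4
"""

CONTACT_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<handle>[A-Z0-9-]+)\)\s+(?P<email>\S+@\S+)$")
PHONE_RE = re.compile(r"\(?\d{3}\)?[ -]\d{3}-\d{4}")

def parse_record(record):
    """Return (domain, contacts, servers); contacts maps each role name to one dict."""
    domain, contacts, servers = None, {}, []
    roles, in_servers = None, False
    for raw in record.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Domain Name:"):
            domain = line.split(":", 1)[1].strip().lower()
        elif line.endswith("Contact:"):
            roles, in_servers = [r.strip() for r in line[:-1].split(",")], False
        elif line.startswith("Domain servers"):
            roles, in_servers = None, True
        elif line.startswith("Record "):
            roles = None                          # the date lines end the contact section
        elif in_servers:
            parts = line.split()
            if len(parts) == 2:
                servers.append((parts[0].lower(), parts[1]))
        elif roles:
            m = CONTACT_RE.match(line)
            if m:                                 # first line of a contact: name, handle, email
                entry = {"name": m["name"], "handle": m["handle"],
                         "email": m["email"].lower(), "phones": []}
                for role in roles:                # "Technical Contact, Zone Contact" share one entry
                    contacts[role] = entry
            elif roles[0] in contacts:            # later lines carry phone and fax numbers
                contacts[roles[0]]["phones"].extend(PHONE_RE.findall(line))
    return domain, contacts, servers

def contact_emails(record):
    """Sorted unique contact addresses, the people the guide writes to."""
    _, contacts, _ = parse_record(record)
    return sorted({c["email"] for c in contacts.values()})

def serving_domains(record):
    """Registered domains of the name servers: who actually serves the zone."""
    _, _, servers = parse_record(record)
    return sorted({".".join(host.split(".")[-2:]) for host, _ in servers})

if __name__ == "__main__":
    domain, contacts, servers = parse_record(RECORD)
    print(domain, "served by", serving_domains(RECORD))
    for role, c in contacts.items():
        print(f"{role}: {c['name']} ({c['handle']}) {c['email']} {c['phones']}")
```

Run on the record above it yields the two addresses the text identifies (the administrative contact and the total.net hostmaster) and confirms from the name-server list that total.net serves the zone. The format is the 1997 InterNIC one; today's registries print records differently, so the parser is a template for the approach rather than something to point at a live whois server unchanged.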

    Some of these messages will contain weaselly little apologies like "Sorry if you aren't interested in this, but we really wanted to call your attention to..." or "All you have to do to be removed from this list is not reply...". These weak formulaic disclaimers do not legitimize in any way the falsification of mail headers or the propagation of scams and illegal activities via the Net. Don't feel that a response is not justified because of some insincere pseudo-apology on the part of the spammer. Spamming is bad netiquette, bad bandwidth management, and bad business. If we resist it strenuously enough it may go out of style.

    For more discussion on the problem of internet spam, see the groups