Mark Whitis's Website Home Page Linux Book: Linux Programming Unleashed My Resume Genealogical Data Contact Info Security About


Reporting SPAM

How to report spam

Try to synchronize your computer's clock to an accurate time standard. Many spams originate from dialup lines, whose addresses are handed to a different customer on every connection, so the exact time a message was received is what lets the ISP identify the perpetrator.

These instructions will be much easier to understand if you are also looking at a real spam in another window.

First, display the full header, with all the "Received:" and other lines, rather than the abbreviated header your mail program probably shows you by default. How you do this varies from program to program.

The "From:" address

This is usually forged; ignore it.

The Received lines

Look at the "Received: from" lines, reading from the top down: each server that handles the message adds its own line above the earlier ones, so the top line is the most recent hop. For each line, the name after the word "by" tells you which server wrote it. Skip the lines that describe relaying within your own network or your ISP's (the servers which appear in every message you receive), and, if you have mail aliases on other machines which are forwarded to you, skip the lines generated by those forwarding servers. Do keep the first line written by a server you trust that records a connection from outside; that line is your only reliable evidence, because a spammer cannot alter what your own server logs. Now look at the remaining lines. If only one remains, it is the spam origin. If two or more remain, the first is the spam relay or origin and the second is the origin, a decoy, or a forgery. Any "Received: from" lines below that were written by machines you have no reason to trust, and are probably forgeries or internal relaying within the same network anyway.

If you received the spam because it was posted to a mailing list you subscribe to, trace back through the "Received:" lines past lines which correspond to the mailing list server(s) and then examine the "Received: from" lines which follow.

The received lines normally look like

      Received: from name1 (name2 [x.x.x.x]) by name3 with protocol; dateandtime

Ignore "Received:" lines that don't have a "from". name1 is the name supplied by the connecting server in its HELO; it is often forged, so ignore it. name2 is the name the receiving server obtained by reverse DNS on x.x.x.x; the owner of the address block controls that record, so it is often misleading; ignore it too. name3 is the name of the server that generated this line (assuming the entire line is not a forgery). x.x.x.x is the IP address of the machine that connected, as recorded by name3. This is the useful part, provided you trust name3. Use one of the first two commands below, depending on your version of whois; the last two are more specific.

       whois x.x.x.x@whois.arin.net
       whois -h whois.arin.net x.x.x.x
       whois "net x.x.x.x"@whois.arin.net
       whois -h whois.arin.net "net x.x.x.x"
   
If you do not have a shell account, you can visit Sam Spade to use versions of these tools from your web browser.

For more technical users: if you are writing a script, consider preceding your query with "full" and/or "dump", as in "full dump net 1.2.3.4"@whois.arin.net. "full" lists all matching records. "dump" prints them in a format more suitable for parsing and less likely to change; if you use "dump" you will need to do another lookup on the contact handles yourself, since it won't perform that lookup for you.

whois.arin.net will often return the name of the netblock and who is responsible for it. Look carefully, though: it will often refer you to "whois.ripe.net", "whois.apnic.net", or another regional registry. Do not send complaints to ripe.net or apnic.net; instead, repeat your whois query on that registry's whois server. The report will list a contact address. You usually don't want to send a complaint to that address unless you can't figure out a more suitable one. But the report will usually implicate EXAMPLE.NET (substitute the name of the network). Send your complaint to "abuse@example.net"; if it bounces, send it to the contact address listed. Repeat this process for each Received: line of interest.
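The header walk described above, as an added example in Python (not code from this page): it parses the Received: lines of the sample spam reproduced later on this page, takes the sending address each server recorded, and marks how far down the chain the evidence can be trusted. The trusted-server list, the own-network list and the two regular expressions are assumptions made for the illustration; the header text is copied from the sample complaint below with the body shortened to one line.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Headers copied from the sample complaint later on this page; the body is
# shortened to the promoted URL. Constructed test input, not a live message.
SAMPLE_SPAM = """\
Received: (qmail 25158 invoked from network); 9 Mar 2000 12:03:29 -0000
Received: from c004-h015.c004.sfo.cp.net (HELO c004.sfo.cp.net) (209.228.14.102)
  by imap.dbd.com with SMTP; 9 Mar 2000 12:03:29 -0000
Received: (cpmta 24502 invoked from network); 9 Mar 2000 03:01:33 -0800
Received: from miami-ip-1-227.dynamic.ziplink.net (HELO server) (209.206.88.227)
  by smtp.ifreedom.com with SMTP; 9 Mar 2000 03:01:33 -0800
From: acarter999@ifreedom.com
To: xxxadult2
Subject: Adult Jokes

http://3438729010/%7E%61%63%62
"""

# An IPv4 literal in [] (sendmail style) or () (qmail style), and the name
# after "by". Both patterns are assumptions that fit the sample headers.
IP_LITERAL = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def parse_received(raw_message):
    """Return the hops top-down as (sending_ip, written_by) tuples.

    Only "Received: from ..." lines describe a connection; lines such as
    "(qmail ... invoked from network)" record no remote address and are
    skipped. The address taken is the last literal before "by": that is
    the one the receiving server saw, whereas an address inside the HELO
    string was chosen by the sender.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        if not value.startswith("from "):
            continue
        by = BY_HOST.search(value)
        if not by:
            continue
        literals = IP_LITERAL.findall(value[:by.start()])
        if literals:
            hops.append((literals[-1], by.group(1).lower()))
    return hops


def classify_hops(hops, trusted_servers, own_networks=()):
    """Mark each hop 'verified' or 'claimed' by walking the chain top-down.

    A hop is verified only while the server that wrote it ("by") is one you
    trust. From the first line written by an untrusted server onward, every
    line (even a later one that says "by" one of your own hosts) may be
    forged, so those hops are merely claimed. Hops whose sending address is
    inside your own networks are internal relaying and are dropped.
    """
    own = [ip_network(n) for n in own_networks]
    trusted = {s.lower() for s in trusted_servers}
    classified, chain_intact = [], True
    for ip, by in hops:
        if any(ip_address(ip) in net for net in own):
            continue
        if by not in trusted:
            chain_intact = False
        classified.append({"ip": ip, "by": by,
                           "status": "verified" if chain_intact else "claimed"})
    return classified


def report_lines(classified):
    """Lines for the head of the complaint, in the format the text suggests."""
    label = {"verified": "Spam relay or origin", "claimed": "Spam origin or decoy"}
    return [f"{label[h['status']]}: {h['ip']}  (recorded by {h['by']})"
            for h in classified]


if __name__ == "__main__":
    hops = parse_received(SAMPLE_SPAM)
    for line in report_lines(classify_hops(hops, ["imap.dbd.com"])):
        print(line)
```

Run against the sample, with imap.dbd.com as the only trusted server, it reports 209.228.14.102 as verified (your own server recorded that connection) and 209.206.88.227 as merely claimed, which is exactly the split the sample complaint below makes between "relay or origin" and "origin or decoy". Each verified or claimed address then goes through the whois steps above.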

Examine the message text for any websites being promoted. Sometimes a spammer will send you a list of links; one or more of these are usually sites being promoted by the spammer, and the others are decoys. Very well-known sites such as Yahoo, Amazon, AltaVista and WhoWhere do not send spam; ignore them and concentrate on the less familiar ones. Spammers also disguise the address: a URL such as http://3438729010/ in the sample below is the IP address 204.246.215.50 written as a single decimal number, and %7E-style escapes in the path hide where it leads. Use whois example.com@whois.internic.net to look up the site (substitute the domain, and leave off the www: you usually only want the last two parts of the domain name; if you aren't sure, try cutting off various numbers of components from the beginning). whois.internic.net will not return the record for the domain itself; instead, it will refer you to a registrar, usually "whois.networksolutions.com". Repeat the whois query on that server. If a contact looks like the spammer, sending them your complaint will not accomplish much, but you may see other contacts listed which look like their ISP.

Often, the preceding whois will not be that informative. Use traceroute to trace the route to the spammer's machine; the last network listed in the traceroute is probably an appropriate place to send your complaint. Some networks do not include reverse DNS records for their routers, so only the IP address will be shown. Feel free to complain to the last hop which does show a domain name: their downstream customer is guilty of negligence in not providing reverse DNS info and needs to be hit over the head with a clue-by-four by their upstream. Note that in a few cases the domain names may be forged: the spammer can route the packet past a few machines on their internal network and provide bogus reverse DNS records implicating an unrelated network. This is not usually the case, but you can check the addresses against whois.arin.net if you suspect hanky-panky.

If there are "remove" addresses or genuine reply-to addresses in the text of the message, use whois and traceroute to track those down as well and generate additional complaints. Don't actually send anything to the remove address; a reply only confirms that your address is read by a live person.
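The website step above, as an added example in Python (not code from this page): it pulls the links out of a message body, undoes the numeric-host and percent-encoding tricks (the sample spam below advertises http://3438729010/%7E%61%63%62, which is 204.246.215.50 with path /~acb), and applies the "last two parts of the domain name" rule from the text to get the name to hand to whois. The hex, octal and short numeric forms handled here go beyond the single decimal case in the sample; they follow the inet_aton() conventions browsers accept. The body lines are copied from the spam reproduced below, and the regular expressions are assumptions.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import urlsplit, unquote

# Body lines copied from the sample spam later on this page (constructed input).
SAMPLE_BODY = """\
For more free jokes, pictures, games, videos & porn
http://3438729010/%7E%61%63%62
Make sure you bookmark the site before you leave.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
NUMERIC_LABEL = re.compile(r"0x[0-9a-f]+|[0-9]+", re.I)
DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _label_value(label):
    """One label as inet_aton() reads it: 0x.. hex, leading-0 octal, else decimal."""
    low = label.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    if len(low) > 1 and low.startswith("0"):
        return int(low, 8)
    return int(low, 10)


def decode_host(host):
    """Turn a numeric host (one decimal number, hex, octal, or short forms
    such as a.b.c) into a dotted quad; return ordinary names lowercased."""
    labels = host.split(".")
    if len(labels) > 4 or not all(NUMERIC_LABEL.fullmatch(l) for l in labels):
        return host.lower()
    parts = [_label_value(l) for l in labels]
    value = 0
    for i, part in enumerate(parts[:-1]):
        if part > 255:
            raise ValueError(f"label {part} out of range in {host!r}")
        value |= part << (8 * (3 - i))
    # The last label fills all the remaining bytes, as with inet_aton().
    if parts[-1] >> (8 * (5 - len(parts))):
        raise ValueError(f"last label out of range in {host!r}")
    return str(IPv4Address(value | parts[-1]))


def registrable_domain(host):
    """The text's rule: keep the last two labels of a name; IP literals have
    none. (Some country-code domains need three labels; if whois finds
    nothing, cut fewer components, as the text suggests.)"""
    if DOTTED_QUAD.fullmatch(host):
        return None
    return ".".join(host.split(".")[-2:])


def deobfuscate_url(url):
    """Decoded host, unescaped path and the name to look up for one URL."""
    parts = urlsplit(url)
    host = decode_host(parts.hostname or "")
    return {"host": host, "path": unquote(parts.path) or "/",
            "domain": registrable_domain(host)}


def promoted_sites(text):
    """Every link in a message body, decoded, in order of appearance."""
    return [deobfuscate_url(u.rstrip(".,);")) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for site in promoted_sites(SAMPLE_BODY):
        print(f"{site['host']:16} {site['path']:12} whois -> {site['domain']}")
```

An IP literal gets no domain to look up, which is the cue to go straight to the whois.arin.net "net" query and traceroute described above instead of a registrar lookup.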

What your email should look like

Send one message to all complaint addresses you found rather than multiple messages.

Tell your mailer you want to forward the message. If you get the choice of including it as inline text or as an attachment, prefer inline text; among other things, you can then read the text of the message while you write your complaint. Put all your abuse reporting addresses in the To: field.

Include the complete headers of the message. How you do this will vary depending on your mail program. In some (such as PINE), if you have full headers displayed when you forward the message then it will include the full headers in the reply.

The "Subject:" field of your complaint should carry the original subject of the spam message. Edit it to put "SPAM: " or "UBE: " at the beginning. This makes it easier for them and for you to identify the complaint and any responses, and it may also help them automatically route the message to the appropriate group.

In the body of the message, before the included spam, put information which tells each recipient why they received the complaint. Don't leave them scratching their heads figuring out how you associated this with their network and having to repeat all your work. Here is a simple format:

   Spam relay or origin: 1.2.3.4     -->  abuse@example1.net
   Spam origin or decoy: 5.6.7.8     -->  abuse@example2.net
   Promoting: www.hothothot.com      -->  abuse@example3.net

Don't include a lot of dialog, it is likely to just slow them down.

If the spammer claims you opted in, point out that this is a fraudulent claim. If this is a repeated spam, point this out.

You can also include copies of your whois, traceroute, and nslookup output, although in most cases this isn't needed if you include the simple report above. What they really need is the spam itself with full headers and something to tell them QUICKLY which IP address, web site domain name, or email address led you to complain to them.

Sample complaint

From whitis@freelabs.com Fri Mar 10 08:23:46 2000
Date: Fri, 10 Mar 2000 08:22:31 -0500 (EST)
From: Mark Whitis 
To: abuse@frontiernet.net, abuse@ziplink.net, abuse@cp.net
cc: relays@mail-abuse.org, spamrecycle@chooseyourmail.com
Subject: VA SPAM: Adult Jokes (fwd)


Relay: (209.228.14.102)

http://3438729010/ = 204.246.215.50    --> abuse@frontiernet.net
Spam origin or relay:   209.228.14.102 -->  abuse@cp.net
                        (not listed in MAPS RSS)
Spam origin or decoy:   209.206.88.227 -->  abuse@ziplink.net
                        (known dialup line listed in MAPS DUL)


---------- Forwarded message ----------
Received: (qmail 25158 invoked from network); 9 Mar 2000 12:03:29 -0000
Received: from c004-h015.c004.sfo.cp.net (HELO c004.sfo.cp.net) (209.228.14.102)
  by imap.dbd.com with SMTP; 9 Mar 2000 12:03:29 -0000
Received: (cpmta 24502 invoked from network); 9 Mar 2000 03:01:33 -0800
Received: from miami-ip-1-227.dynamic.ziplink.net (HELO server) (209.206.88.227)
  by smtp.ifreedom.com with SMTP; 9 Mar 2000 03:01:33 -0800
X-Sent: 9 Mar 2000 11:01:33 GMT
From: acarter999@ifreedom.com 
To: xxxadult2 
Date: Thu, 09 Mar 2000 06:14:00 -0500
Subject: Adult Jokes
Reply-To: acarter999@ifreedom.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=XXADFFAD7B-00E4ADFFXX
Content-Transfer-Encoding: 7bit
X-Priority: 3

The following jokes are for adults 18 or older.
For more free jokes, pictures, games, videos & porn
http://3438729010/%7E%61%63%62











Q. What is good on pizza but bad on pussy?
A. Crust
                  
Q. Why does Miss Piggy douche with honey??
A. Because Kermit likes sweet and sour pork
             
Q. How can you tell if you have a high sperm count?
A. If your girlfriend chews before swallowing OMG!OMG!OMG!
                  
Q. What do you get when you get Raggedy Ann and the Pillsbury Dough Boy together?
A. A red headed bitch with a yeast infection
                 
Q. How do you piss off Winnie The Pooh?
A. By sticking your finger in his honey
               
Q. What is the ultimate rejection?
A. When you're masturbating and your hand falls asleep

For more free jokes, pictures, games, videos & porn
http://3438729010/%7E%61%63%62
Make sure you bookmark the site before you leave.
to be remove for this list hit reply and type remove in the subject line.



This file is maintained by Mark Whitis (whitis@freelabs.com).



All email messages received must pass the turing test or they will be considered SPAM. If it could have been written by a machine, it was.

Under no circumstances are you to email me with questions regarding windoze, any other microsoft operating system or application, or any software which runs under any form of windoze.
