How to Kill SPAM/UCE – Version 0.5
Joseph Pistritto
16Mar2002
This page started as a short compilation of facts about SPAM and how to track it. Now it needs a bit of an index:
First (fun): if you want to read about a really successful spam kill (including penetrating the machines of people actually doing the spam in real time), try this site:
http://belps.freewebsites.com/TheStory.htm
(I call this the Precision Guided Spam Kill, and it's *way* more than you'd ever want to try at home, but it's sure fun to read about. Note: there are a number of things he did here that are probably illegal in some state, maybe all of them, so *don't* try this stuff yourself...). I don't know the guy who did this myself, but the story made the rounds in net-ops circles mid-last-year.
SPAM/UCE (“Unsolicited Commercial Email”) means mail that you didn’t ask for arriving in your mailbox, probably with offers to buy things you didn’t ask for. If you opted in on a web site (even if you didn’t notice the check-box for “don’t send me product updates” or similar), then it’s not SPAM. SPAM generally comes from an address you’re unfamiliar with as well, and is usually sent to a large number of people besides you. Please don’t send SPAM-related reports on mail that you might actually have asked for, even inadvertently; instead contact the sender and ask to be taken off the mailing list directly.
Is SPAM Illegal?
Generally speaking, NO. However that may change, and there are specific situations where SPAM is illegal. Many people think spam is illegal because “Junk FAX”, which is much like SPAM except delivered by fax machine, is illegal, and in some states, notably California, laws regulating Junk Fax have been modified to include email communications as well. However that’s not true in all states. Federal legislation on this topic is pending. A couple of sites to go to for information on legal issues and SPAM/UCE:
· Coalition Against Unsolicited Commercial Email – CAUCE
· SpamCon Foundation – a donation-supported organization opposing spam legally
· Mail Abuse Prevention Systems (MAPS) – one of the oldest technically based anti-spam organizations
How do you prevent yourself getting SPAM/UCE?
If I knew the answer to THAT question, I’d be sitting on the beach in Maui counting my millions and not writing this… However, here are a few tips:
All of that address data is collected by repackagers who produce CDROMs with millions of addresses that you can buy for $25 or less. A good fraction of the SPAM I receive is selling these things. So once your address is out, zillions of people will get access to it.
How can you prevent getting tons of SPAM? Other than completely avoiding giving out your email address, there’s no way. One tactic I’ve heard of that might work is to use a different “temporary” email address every 6 months or year for all those “other” things. Then keep your “real” email address private to friends and business associates, and give out the “temporary” one to all those others. You can make the temporary one a free account on Yahoo! or whatever and just delete it every 6 months or so. It’s a good idea to check your mail at the “temporary” account in case some legitimate user wants to get in contact with you, but you’ll localize the SPAM to a single mailbox and keep it out of your way at your real mailbox. Then you can just scan mail headers once a week to see if some legitimate person is using that other email.
There are a few popular types of SPAM from “worst” to “best”:
How do you tell the difference? A couple of attributes determine the type of SPAM:
· Examine the Headers – Received headers will show the path the mail took to you. If you see only a header for a bulk email program (like LSMTP, which is popular in direct marketing circles) and ONE relay which is at a legitimate hosting facility (the hostname shown in the received header matches the IP address shown at the next hop, for instance), you probably have a piece of marketing direct mail. It might be worth contacting them directly to get off of their list (not all of them honor this, but they’re supposed to).
· The presence of any header with a foreign IP address is a giveaway that you’re dealing with a hit-and-run. Very few direct marketers mail to US mail addresses from a non-US relay point legitimately.
· Check the reply/action path in the email – If you are asked to use a web address whose name doesn’t match the company sending you the mail, or any web address that consists of all numbers rather than a name, be suspicious: you probably have a hit-and-run. Ditto the use of a “free mail” account as a reply-to address (this will appear in the Reply-To header). Legitimate companies handle their own email; they don’t use Yahoo! to do it. (It violates the terms of Yahoo!’s and most other free-email services to send or receive bulk email on their service.)
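Here is an added example (not from the original page) in Python that reads the Received chain of the hit-and-run SPAM quoted later on this page earliest hop first, pulls out the injecting IP (the address to whois and report to its ISP), flags a HELO name that disagrees with the reverse DNS the relay logged, and names the relay that accepted the mail (the open-relay candidate for the postmaster note). Deciding whether an IP is foreign still takes the whois lookup described later on the page.

```python
import re
# The Received chain of the hit-and-run SPAM quoted later on this page (hosts and IPs are the page's own).
SAMPLE_HEADERS = """\
Received: from h006.c021.snv.cp.net (209.228.35.176)
  by mc021.snv.cp.net (5.6.030)
  id 3C36581D00100B18 for <my address>; Sat, 16 Mar 2002 05:08:12 -0800
Received: from mail.itaa.nl (212.203.25.28) by
  h006.c021.snv.cp.net (5.6.0.25)
  id 3C893471000150BF for jcp@jcphome.com; Sat, 16 Mar 2002 05:08:12 -0800
Received: from aana.com
  (host-209-214-93-152.bct.bellsouth.net [209.214.93.152]) by mail.itaa.nl with
  SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)

def unfold(raw):  # join folded continuation lines so each header is one string
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers

def parse_received(raw):  # hops earliest-first: the bottom header is the first relay
    hops = []
    for h in unfold(raw):
        m = HOP_RE.search(h) if h.lower().startswith("received:") else None
        if not m:
            continue
        helo, paren, by = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(paren)
        # relays log the sender's reverse DNS in parentheses; if only an IP is there, fall back to HELO
        rdns = paren.split()[0] if paren and not IP_RE.match(paren) else helo
        hops.append({"helo": helo, "rdns": rdns, "ip": ip.group() if ip else None, "by": by})
    return list(reversed(hops))

def analyze(raw):  # where to complain: the injecting host's ISP and the relay it used
    hops = parse_received(raw)
    first = hops[0]
    # each relay's 'by' name should reappear as the next hop's 'from'; a break means a forged line
    chain_ok = all(a["by"].lower() == b["helo"].lower() for a, b in zip(hops, hops[1:]))
    return {
        "origin_ip": first["ip"],               # whois this, then mail abuse@ its ISP
        "forged_helo": first["helo"].lower() != first["rdns"].lower(),
        "open_relay_candidate": first["by"],    # postmaster@ here, noting it was relayed
        "chain_consistent": chain_ok,
    }
```

For the page's sample the origin is the bellsouth dialup at 209.214.93.152 announcing itself as aana.com, and mail.itaa.nl is the relay that accepted it.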
Tracking down SPAM you receive yourself (for hit-and-run and direct marketing SPAM):
(This is, unfortunately, a manual process. It *does* inconvenience spammers, and can work well if you target open relays that spammers use to send large volumes of mail, but it's tedious. I periodically go on binges of tracking down every single SPAM I get this way and reporting them, and it *does* seem to reduce the spam *I* get for a while (maybe because people figure out I'm doing it or something and take my name off the list? Who knows...).)
What to attack:
1) Track down the originating source of the spam and complain to their ISP abuse department (usually abuse@ispname). This will usually get the account closed. Generally a minor inconvenience to the spammer.
2) Track down the open relay used to relay the spam (usually the first relay the mail goes through after the spammer injects it at his local ISP or a dialup). This is a force multiplier, because it helps prevent *other* spammers from using that relay if it gets closed (these guys trade names of relays on IM channels, so this is an infrastructure attack).
3) Track down any destination address (reply-to) that is genuine, or a mailbox you're supposed to reply to in the spam, etc. (especially if it's a mailbox at a free-mail site). Getting the mailbox blown away makes the entire spam useless. Useful if you get to it *quickly*.
4) As some have suggested, you could sue them. However, lawyers cost money (unless you are one yourself), and I'm not, so I haven't tried that. I have heard of people using payphones to attack 800# spam callers though, and if you happen to own an establishment with a payphone in it, you can actually *get paid* to do that (because the place where a payphone is gets a cut of the revenue from it). Which is pretty amusing, but again, extreme.
How to track these guys down:
If you want to track spam, you have to learn to read mail headers (this is the ONE THING that spammers can't camouflage easily). (See the example below too.) Technical resources to do this are at:
http://www.stopspam.org/email/headers/headers.html – general information on reading E-mail headers
http://www.wurd.com/eng/ABCs/spamfight.htm – how to read mail headers in various email clients
There's also a good site for running down mail headers you have found at:
http://www.samspade.org
and general purpose tools for translating IP addresses to responsible network numbers at:
http://www.geektools.com – click on “whois” and type in the IP address from a header in the SPAM to find out who really owns it.
The first couple of those are provided by AT&T Networks by the way, in their reply to spam complaint email; that's how I found them.
Then there are organizations interested in killing spammers, in particular:
Resources for Killing Spammers: http://spam.abuse.net/spam/
Then there are organizations that run services that let you auto-filter your
email for known spam sources, such as:
Brett Glass’ paper from O’Reilly Conference: http://www.brettglass.com/spam/paper.html
Lauren Weinstein’s list of “possible spam sources” (big): http://www.vortex.com/mailblock
Procmail tool for killing SPAM at your server: SpamBouncer: http://www.spambouncer.org/
For various versions of common Mail Handlers, please see:
· Sendmail 8.8
· Sendmail 8.9
· Sendmail (Latest Version)
· MICROSOFT SMTP
· QMAIL – http://www.summersault.com/chris/techno/qmail/qmail/antispam.html
· POSTFIX
On how spammers work:
The most common M.O. I've seen is a dialup account in the US which relays mail via an "open" SMTP relay, which is often located overseas. This is why a lot of spam appears to "come from" an overseas source when you look at the mail headers. Every so often, some incompetent spammer sends *me* the output of one of the auto spam programs, which looks something like:
UserID: <something>
Addresses: 2500000
DeliveriesConfirmed: 2678394
Or something like that. It's only 3-4 lines and I think it's supposed to be sent back to the "controller" of the spam network, but most of these people are pretty low level (they answer those "work at home, earn big bucks" flyers you see pasted on telephone poles in downscale neighborhoods), so I think every now and then one of them clicks on the wrong file and mails the output to the list... I've thought about signing up just to get inside one of the spam networks for intelligence purposes...
The shocking thing is the number of confirmed deliveries, which is usually something like 2.5 *million* or something like that. Which points out that individual mailings go to *huge* audiences. No wonder there's so much SPAM out there. These guys use networks of *hundreds* of people, paid by the message, trading bogus accounts on dialup ISPs etc. to forward their SPAM to zillions of addresses.
Actually, China, Korea, and Eastern Europe (as a whole) were very popular last year for spammers. I think Korea still is. I think almost all of the actual spammers are based in the US though. One of the big problems is the open relays are often machines in areas with "newer" internet hosts. It takes a while for site administrators to be appropriately paranoid about their Sendmail configurations. (Until recently, Sendmail was shipped in a fairly trusting configuration to make it easier to set up.)
For that reason, I usually send a site administrator that gets used as a relay a note auto-translated into their local language as well as English, if their local language is available (not all of them are). If it's not, I pick the language of the nearest "larger" country, or French if nothing else is available. The local language thing seems to work pretty well in getting responses and it's easy to do now that there are things like Babelfish and Altavista around. (I'm sure some of the auto-translations of phrases like "please disable relaying for sites not on your network address range in Sendmail if possible" are amusing in foreign languages... Maybe it's the humor value that works...)
Here's a pointer to an auto-translate program run by SYSTRAN on Altavista:
http://world.altavista.com/
It does a bunch of European languages from English and I use it extensively.
What to say/not say:
When reporting spam to a network (usually to abuse@ispname), *be polite*, always include a full copy of the SPAM with included headers (I usually do a Forward, then type in the abuse address, so they get the entire mail including headers), and make your note brief and to the point. When reporting an OPEN RELAY, you need to find the administrator address for the relay machine (which is often postmaster@domain.com), *also* forward the SPAM, and include in your note the fact that you realize this mail didn't come from their site but was relayed through their site, which wastes their bandwidth (and overseas probably costs them money). Admins who learn about this sort of thing and go read their logs will be motivated to kill it, especially overseas.
An Example of a specific “hit-and-run” SPAM and who to contact:
I got this spam recently. On expanding the mail headers in my mailer, it looked like:
Delivered-To: <my address>
Received: from h006.c021.snv.cp.net (209.228.35.176)
  by mc021.snv.cp.net (5.6.030)
  id 3C36581D00100B18 for <my address>; Sat, 16 Mar 2002 05:08:12 -0800
Received: from mail.itaa.nl (212.203.25.28) by
  h006.c021.snv.cp.net (5.6.0.25)
  id 3C893471000150BF for jcp@jcphome.com; Sat, 16 Mar 2002 05:08:12 -0800
Received: from aana.com
  (host-209-214-93-152.bct.bellsouth.net [209.214.93.152]) by mail.itaa.nl with
  SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
To: jcone@P0PMAILER.ORG
From: jbuttime@P0PMAILER.ORG
A few things to note: