Reverser's antispam section
End July 1998
Therefore let's retailate and try to
a) annoy them (easy: for beginners)
b) stalk them and find their real identities in order to annoy them in a "less virtual" way (possible: for intermediate antispammers)
c) destroy their servers or email addresses (can be difficult: for advanced spammer haters)
Step one is to look at all the headers of the message. News/email readers normally show only a subset of the available headers to avoid screen clutter. Select the option that makes the hidden headers visible. In Netscape select Options/Show all headers, in MSWIN Pegasus press ^H, in Pine press H, in VM press t and in NewsExpress select File/ Options/ Compose/ Include Headers. Other news/email readers have similar options.
Important headers are:
All contain a network host name that may give you a clue as to who the spammer is. However, any or all of them may be faked. It is common for spammers to send email from a throwaway account at one site and solicit replies at other sites, so you may need to track down two or more network locations. Make a list of all host names mentioned in the headers and in the body of the message. These are the parts to the right of the @ sign in email addresses, between // and / in web links, in the last Received: header and at the right end of the Path: between !'s.
Path: gives the list of hosts a news item passed through, from the poster's site at the right end to get to your site at the left end. One or more entries on the right end may be faked so you may need to cooperate with others to track down which host in the Path: list the message was injected at.
Like the Path: header Received: headers are a list of sites the message passed through in reverse order but with only one host name per header. Again, the bottom entries (earlier timewise) in the Received: list may be faked. It is also possible for spammers to relay email via a third party so that the Received: header before your site's Received: headers may be a victim too. They're slack though as they should've configured their mail servers not to relay third party email. Some spammers also pretend to be innocent relay sites by forging additional Received: headers and lying in response to complaints; complain to the so-called `relay' site's ISP if you suspect this is the case.
Since intermediate sites always prepend headers then those higher in the list are much less likely to be forged than those further down.
Even with normal, non-faked operation not all hosts or network routers a message passes through are recorded in the Path: or Received: headers. Use TRACEROUTE to get a more complete list.
Host names usually have machine name and domain name parts. For example kryten.eng.monash.edu.au has a machine name of kryten and domain name of eng.monash.edu.au (engineering faculty, monash university, education sector, australia) with larger domains monash.edu.au, edu.au and au. Look at your list of host names and see if you can add some local domain names to the list by stripping machine names from host names. This is a trial and error procedure and may not always give a valid result.
Some of the host/domain names you've discovered may actually be a numerical network IP address eg. kryten's is 126.96.36.199. See in my links page how to find a host name given an IP address and how to find an IP address given a host name. Add any new host/domain names discovered to your list. IP addresses can have zero, one or several host names. Host names can have zero, one or several IP addresses.
Some hosts and domains designate one or more hosts to handle any email directed to them. Use a tool like the freeware (actually postcardware) and very good CyberKit (copyright 1996 by Luc Neijens, Luc, you are invited to dinner by reverser+ :-) to find out if there are any such hosts.
DIG queries domain name servers for information about the host/domain names you've found. It gives a mess of information, most of which you can ignore. You're not normally interested in addresses associated with the site where DIG was run (in this case ?.monash.edu.au and 130.194.?.?) and you're also not interested in the NS and other records of the name servers that supplied the information, just the info related to the host/domain you queried. This is in the ;; ANSWERS: section and is the A internet IP address records, the MX mail exchanger records and the PTR pointer to host name records. If they don't exist then the ;; ANSWERS: section will be empty or non-existent. The ;; AUTHORITY RECORDS: and ;; ADDITIONAL RECORDS: sections tell you what domain name server[s] are responsible for the part of the domain name system (DNS) you have queried.
Any email sent to the queried host/domain will initially go via one of the hosts given by the MX records if they exist, otherwise it will go to the host given by the A record. If there are no MX and no A records then email will normally bounce. The MX and A host names may be in completely different domains. Add any new domains to your list.
If an IP address has no corresponding hostname the SOA `start of authority' record can be used to see which hosts/domains are responsible for that part of the net. Internic.net is responsible for unallocated addresses so if you get this it usually means the queried IP address is faked or in error. If there is no SOA record try doing a DIG ipaddress->hostname on another IP address which is in the same subnet as the one you're interested in ie. vary the last number from 1 to 254. eg. For 188.8.131.52 you might try 184.108.40.206. Some machines are configured by accident or by design to not reveal who is responsible for them. Alternatively, look for the owner of the subnet by stripping off one or more right elements (eg. 220.127.116.11 -> 130.194.140 -> 130.194 -> 130).
Use Cyberkit's WHOIS to find the administrative and technical contacts for the hosts/domains/ip address ranges you've discovered. This will give more contact information including email addresses. If there is more than one WHOIS entry for the domain you've entered you'll get a list of abbreviated entries. To get full information use an entry's key as a query string (eg. mci.net gives keys MCI8-HST and MCI2-DOM). Add the host/domain names of the email addresses to your list. You may need to strip off one more left elements of each domain before you get a domain that WHOIS knows about (eg. eng.monash.edu.au -> monash.edu.au -> edu.au -> au). Similarly, you may need to strip off one or more right elements of each IP address range before you get an IP address range that WHOIS knows about (eg. 18.104.22.168 -> 130.194.140 -> 130.194 -> 130). WHOIS also knows about company names and some user names. This WHOIS covers US non-military domains only. For other domains see other WHOIS servers.
Use Cyberkit's TRACEROUTE to get a list of sites handling messages between this web server host and each of the host/domain's. This can take several minutes. Ideally it should be from your mail host but this should do. Alternatively, if you're running MSWindows 95 it comes with a TRACEROUTE; run TRACERT in an MSDOS window. The last entry in the TRACEROUTE results list should be the host/domain you're querying. The next-to-last should be the Internet Service Provider (ISP) for your queried host/domain. The next-to-last for that ISP is their ISP and so on. More than one host at the end of the list may be owned by the spammer and so you need to use some judgement as to whether, when you send email to one of the hosts, you're talking to the spammer or their ISP. Add the hosts at the end of the list together with their domains to your host/domain list. This TRACEROUTE will have trouble if the test link is heavily loaded (likely during Australian working hours). If so you could try other web TRACEROUTE's.
It is possible but rare for a spammer to forge the response to a TRACEROUTE so that sites later in the list may be deceptive. If you suspect this is the case you will need to complain to all the upstream ISP's as only they can determine where the forgery starts.
Use a web search engines to look for references to the domain names you've found. Look for `domain' and `www.domain' Virtually all ISP's have web sites like this and you can use the web pages to get some idea of whether it's actually the spammer or the ISP, together with the size, contact addresses and the email/news policy of the ISP. In addition if it's a .net domain try a .com domain and vice-versa; many companies use both. Be careful though as there are also many completely unrelated companies using domain names differing only in the .net and .com ending. You can check by looking at the WHOIS contact information and the IP addresses.
You can also use a altavista or Deja news to find out other information about your target spammer.
You should now have a list of hosts and domains with a fair idea of the spammer's addresses and their ISP's addresses. Send an email to the spammer's ISP (this may or may not have the same domain name as the spammer themselves) using the abuse@ address and a copy to the spammer themselves. In the message include a copy of the spam with full headers, detail the reasons why you find the spam unacceptable and request that they not do it again. If abuse@ bounces send the message to admin@, root@ or postmaster@ and additionally ask them to configure an abuse@ address which forwards to their person responsible for handling net abuse. If the email addresses aren't working you could try a fax gateway or check out the email search FAQ.
Large ISP's will generally not reply to you because they're too busy but if they receive enough complaints (and if they are full of spammers they usually do) it is likely the spammer will be dealt with. Most ISP's are good net citizens because it's in their own interest to maintain a good reputation. If you see the spam again send another message but this time post a copy of the spam with full headers to the news.admin.net-abuse.sightings newsgroup and let the experts have a go. You may also want to email the ISP of the ISP. You should read the news.admin.net-abuse.* newsgroups for a week or two to get a feel on how spammers operate and are dealt with. Be warned that these newsgroups include plenty of argumentative and intentionally deceptive and disruptive posts from spam supporters in addition to posts from people trying to reduce spam. Life is fight.
A final warning: Any message on the internet which doesn't
use strong encryption/authentication techniques like
PGP can be completely
fake. Any text you read can be ripped off another site without any notice of it.
Great part of the preceding text, and part of the following has been RIPPED OFF the very good (if a little too much
USA oriented) page of Julyan Byrne, at http://kryten.eng.monash.edu.au/gspam.html.
(Yet I have already added material of mine and I intend to add even more in the
So what people tell you and what really goes on are NOT THE SAME THING! Head this!
Occasionally enemies on the net attack each other by tricking a third party into doing their dirty work for them. Treat any address you get with suspicion until proven otherwise.