net-abuse@nocs.insp.irs.gov
Everybody's favourite "Care Bears in wingtips," as a Well poster put it,
will be interested in those megabucks the spammers claim they are raking in.
Turns out that a lot of spammers forget to report all that income :-)
A note for Lick Observatory's user community:
After sending out an appeal to our site's users to report
commercial abuse of email services (spam and junk mailings)
I received so many responses that it's become impractical for
me to deal with each one. I'm hoping that this Web page will
enable users to track down the sources of spam and respond
themselves -- I would appreciate a Cc to postmaster, by the way,
when you do report or respond to the nuisance.
After reading the information below, you may conclude that it's
just too much trouble to respond to every minor nuisance... and you
are probably right. However, if your personal sense of annoyance
and/or outrage drives you to take action, this page can help
you get started.
If you receive a particularly illegal-looking message, or
any personal abuse, threats, etc., please do report these
directly to me as in the past.
What's a UCE ?
So you just received an email message from an unfamiliar but
innocuous looking address, with a subject like "Wow, it was
good to see you again." Thinking it might be from an old friend
with a new handle, you read it and discover (Ack! Pthffftpt!)
that it's Yet Another Unsolicited Commercial Email.
UCEs (or Unwanted Crap Email, for the more outspoken among us) are
sent by persons with no netiquette to vast mailing lists which they
usually cull from netgroup postings. For example, a spammer of this
kind may want to sell fishing rods; so he scans all newsgroup names
for the string "fish"; then he scans the fishy groups' archives or the
online bulk of postings for the email addresses
of all posters. He then mails to all 100,000 names on this list some
commercial come-on inviting them to buy fishing rods directly from
him.
Moreover, being a sneaky SOB and knowing that when you see "Great
New Deal on Fishing Rods" in the Subject line you will simply
delete the message, he falsifies the return address with a bogus
sender address and a misleading subject line, in the hope of
wasting more of your time. The bogus sender address is often
bogus enough to prevent you from Replying (with an irate request
that he shut up). Falsifying email headers, by the way, is
a violation of the written policy of just about every site and
service provider in the civilized Net.
UCE's fall into a limited number of major categories. The hopeful direct
mailer is probably the most innocuous; his cousin, who wants to
share a personal religious revelation, is also more
annoying than alarming. But they have creepier relatives.
Some of the direct mailers are hawking the tools for scraping thousands
of email addresses out of newsgroups; others are hawking huge
mailing lists that they have already scraped. Descending down the
sleaze chain we come to the guy who wants to show you some dirty
pictures, sometimes of his underage sister (these guys are worth
tracking down if you can, but they cover their tracks pretty well)
and the guy who earnestly hopes that you don't know what a Ponzi scheme is.
There are plenty of other unlovely parasites in the taxonomy, but
these are probably the most familiar.
- For those who don't know what a Ponzi scheme is, it's one variant
of the common "pyramid schemes" and "chain letter" scams.
Any scheme where each participant is told to find N more participants
and collect N dollars from them, passing N-something dollars back
up to the recruiter, is a scam. A little simple math will
tell you who wins and how fast the scheme crashes. For a good
expose, check out
The Skeptic's Dictionary entry. In brief, Mr. Ponzi made his mark
in the history books by dressing up the pyramid scam in the guise of an investment
prospectus: he skimmed some cash off the top, then paid back the
first-wave investors with the second-wave money and so forth until
the scheme crashed (there was never, of course, any legitimate investment
involved). Pyramid and chain letter schemes usually use language about
"gifts" and "magic" rather than trying to appear like reputable investments
-- Ponzi schemes are often elaborately constructed, with a briefly convincing
facade covering the basic scam. ALL THESE SCAMS ARE ILLEGAL; they can
be prosecuted as mail and/or business fraud. Most Internet providers are
aware of this and will quickly shut down any account that's being used to
promote Ponzi games.
So what can you do about this darned annoying cruft in your mailbox?
Here are some tips on how to read a mail header and how to respond
to the appropriate parties.
Basic Strategy:
- Determine the true delivery path of the mail message (details on
How to Read an Email Header below)
- Try to find a legitimate service provider in it
- Write to "postmaster" or "abuse" at the service provider address
- Be sure to include the original complete header and a
large enough chunk of the offending message to show what it was
about
Cathartic Strategy:
- Try to find the real user name of the sender in the header
mess
- Write a nasty note to the sender telling him/her exactly how
much you don't appreciate this waste of your time and bandwidth
(but keep it barely civil, folks, since our site guidelines prohibit
abusive/obscene and/or threatening mail messages!)
Advanced Strategy:
- If the originator is not a wildcat user of some legitimate
ISP, but lives in an established InterNIC domain, you can look
up the contact information for the domain (addresses and phone
numbers!) on the
InterNIC WhoIs Page.
- If you feel that strongly about it you can phone or fax your
objections to the contact, or even get your tame lawyer to write
a vaguely nasty paper letter for you.
How to Read an Email Header
First you have to find the complete header. Since many mail tools
helpfully suppress the difficult long words from the header for you,
your safest bet is to use your favourite text editor and edit your
mail spool file, mbox file, or whichever mailbox you believe the
offending message fell into. Use the editor in READ ONLY mode.
Search for a recognizable string in the message. Back up to
the header info (everything from the blank line that ended the
previous message to the first body line of this message). It
might look something like this:
From Mailer-Daemon Sun Mar 16 23:59:03 1997
Return-Path:
Received: from shakti.ucolick.org by helios.ucolick.org (helios.ucolick.org) (4.1/SMI-4.1)
id AA23377; Sun, 16 Mar 97 23:59:03 PST
Received: from mtigwc03.worldnet.att.net (mailhost.worldnet.att.net [204.127.131.3]) by shakti.ucolick.org (8.6.10/8.6.10) with ESMTP id XAA16844 for ; Sun, 16 Mar 1997 23:59:02 -0800
Date: Sun, 16 Mar 1997 23:59:02 -0800
Message-Id: <199703170759.XAA16844@shakti.ucolick.org>
Received: from RJIREDFF ([207.147.201.46]) by mtigwc03.worldnet.att.net
(post.office MTA v2.0 0613 ) with SMTP id AAW6060;
Mon, 17 Mar 1997 07:35:09 +0000
From: please@don't.reply
Subject: Aren't you the person who...?
Apparently-To:
This is a pretty typical example which I was recently asked to deal with.
This header tells us quite a lot.
We can see that the "From:" line does not match the "Received:" path;
even if the From: line were not obviously bogus, the mismatched domain
name would show that it had been falsified.
Reading the history of the piece of mail, which is displayed in reverse
chronology in the lines of header, we can see that shakti handed it to
helios (our mail hub). Shakti received it from mtigwc03.worldnet.att.net,
whose mail hub is mailhost.worldnet.att.net. But mailhost.worldnet.att.net
received it from something called RJIREDFF, a host whose address is
207.147.201.46.
Let's try nslookup on that address.
[109]de@ronin:/u/de% nslookup
Default Server: bigdog.ucolick.org
Address: 128.114.23.29
> 207.147.201.46
Server: bigdog.ucolick.org
Address: 128.114.23.29
Name: 46.los-angeles-002.ca.dial-access.att.net
Address: 207.147.201.46
OK, so we know now that this user is a wildcat, using a large public
access dialin facility in LA. I send mail to postmaster@worldnet.att.net,
and postmaster@mtigwc03.worldnet.att.net. What do I say?
In this particular case I said:
Postmasters:
An individual on the host "RJIREDFF" (207.147.201.46) has been using
your internet service to mass-mail unsolicited propositions of
dubious integrity to random individuals at our site. We strongly
object to this waste of internet bandwidth, not to mention the nuisance
and wasted disk space at our site.
I have not read the attached material closely, but a quick look indicates
that it is some kind of Ponzi scheme, which qualifies as fraud under
the law. The individual in question is clearly aware of the illegal
nature of the scheme, since he/she has gone to the trouble of
falsifying the From field in the mail header.
We request that you shut down this person's internet access immediately.
Here is one of the messages:
[etc.]
In messages to postmasters and abuse handlers, try to keep the tone
professional and the message brief. They have to read an awful lot
of this stuff every day.
Just for grins, let's compare this other header of a somewhat different
flavour:
From Karenm@usa.us Sun Apr 6 03:46:46 1997
Return-Path:
Received: from ucolick.org (lick.ucolick.org) by helios.ucolick.org (helios.ucolick.org) (4.1/SMI-4.1)
id AA01890; Sun, 6 Apr 97 03:46:44 PDT
Received: from sxx.com by ucolick.org (8.8.5/LICK-GATEv8)
id DAA21723; Sun, 6 Apr 1997 03:47:08 -0700 (PDT)
From: Karenm@usa.us
Received: from pcn-frank (local-2.xsx.net [205.205.158.19]) by sxx.com (8.8.5/8.7
.3) with SMTP id GAA01890 for de@UCOLICK.ORG; Sun, 6 Apr 1997 06:52:41 -0400 (EDT)
Date: Sun, 6 Apr 1997 06:52:41 -0400 (EDT)
Message-Id: <199704061052.GAA01890@sxx.com>
To: de@ucolick.org
Reply-To: Karenm@usa.us
Subject: I missed you !
Status: RO
Note the mismatch between Karenm@usa.us and the actual delivery path
of the message. The message, needless to say, is a UCE (in fact, one
of the kind that wants me to look at dirty pictures of someone's
underage sisters), and is apparently signed by
Thank You for your time and hoping to see you soon.
Mark Stanford
Vice President of Marketing
W.M.P. Inc
(a person whose existence I am somewhat inclined to doubt).
If we trace this message's history, we get to local-2.xsx.net:
[111]de@ronin:/u/de% nslookup
Default Server: bigdog.ucolick.org
Address: 128.114.23.29
> local-2.xsx.net
Server: bigdog.ucolick.org
Address: 128.114.23.29
Non-authoritative answer:
Name: local-2.xsx.net
Address: 205.205.158.19
Being curious, I proceed to walk around the domain with nslookup...
> 205.205.158.1
Server: bigdog.ucolick.org
Address: 128.114.23.29
Name: 158-1.total.net
Address: 205.205.158.1
> 205.205.158.10
Server: bigdog.ucolick.org
Address: 128.114.23.29
Name: 158-0.total.net
Address: 205.205.158.10
> 205.205.158.20
Server: bigdog.ucolick.org
Address: 128.114.23.29
Name: local-3.xsx.net
Address: 205.205.158.20
and eventually discover that xsx.net owns addresses 16 through 23 in
that domain. This is not just a wildcat.
And furthermore, what about that sxx.com?
> sxx.com
Server: bigdog.ucolick.org
Address: 128.114.23.29
Name: sxx.com
Address: 207.226.134.119
> 207.226.134.119
Server: bigdog.ucolick.org
Address: 128.114.23.29
Name: stealth.sxx.com
Address: 207.226.134.119
> 207.226.134.118
Server: bigdog.ucolick.org
Address: 128.114.23.29
Name: www.webnavi.com
Address: 207.226.134.118
> 207.226.134.120
Server: bigdog.ucolick.org
Address: 128.114.23.29
Name: www.4wyw.com
Address: 207.226.134.120
No block of addresses there, but a it is registered commercial site. This
is not a wildcat user, but an established commercial enterprise. One somehow
gets the feeling that the owners of sxx.com don't plan to be identified
publicly (machines called "stealth" don't inspire one with a lot of
confidence in their netiquette), so a personal message might have some
effect. Time to take a look at the site via the InterNIC page.
I enter "xsx.net" and start my search. I get a result:
Query: whois -h rs.internic.net SUM xsx.net
XSX Networks (XSX3-DOM) XSX.NET
To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
The "(XSX3-DOM)" text is an HTML link, which I follow to get
XSX Networks (XSX3-DOM)
3860 Notre Dame suite 101
Laval, Qc H7V 1S1
CA
Domain Name: XSX.NET
Administrative Contact:
Tambas, James (JT2447) james@BCS.CA
514-682-1720 (FAX) 514-682-2723
Technical Contact, Zone Contact:
TotalNet Domain Registrar (TDR-ORG) hostmaster@TOTAL.NET
(514) 481-2585
Fax- (514) 481-2785
Billing Contact:
Tambas, James (JT2447) james@BCS.CA
514-682-1720 (FAX) 514-682-2723
Record last updated on 11-Mar-97.
Record created on 11-Mar-97.
Domain servers in listed order:
NIC1.TOTAL.NET 205.236.175.4
NIC2.TOTAL.NET 205.236.87.4
We've just found out that XSX.NET is actually administered, or
receives some kind of service from, TOTAL.NET. We've found out
that it lives in Canada. We have a phone number and a fax number
and a real person's email address, which we can use to express
our irritation at receiving UCEs. We can write directly to
the machine called "stealth" or to the official contact (that's
what I did).
Some of these messages will contain weaselly little apologies
like "Sorry if you aren't interested in this, but we really
wanted to call your attention to..." or "All you have to do to
be removed from this list is not reply...". These weak
formulaic disclaimers do not legitimize in any way the falsification
of mail headers or the propagation of scams and illegal activities
via the Net. Don't feel that a response is not justified because
of some insincere pseudo-apology on the part of the spammer.
Spamming is bad netiquette, bad bandwidth management, and bad
business. If we resist it strenuously enough it may go out of
style.
For more discussion on the problem of internet spam, see the
groups