Fravia's antispam section
~
Advice



Fravia's Nofrill Web design (1998)

Updated End July 1998
Spammers are the quintessence of evil: they are stupid and greedy, they are commercially oriented, they understand nothing that has real value and, moreover, they annoy us with their commercial stupidity.

Therefore let's retaliate and try to

a) annoy them (easy: for beginners)
b) stalk them and find their real identities in order to annoy them in a "less virtual" way (possible: for intermediate antispammers)
c) destroy their servers or email addresses (can be difficult: for advanced spammer haters)
 

HONEST WARNING
I'm not a "professional" antispammer myself... if you're really into this, you had better visit a "best knowledge" dedicated site (Julian Byrne's) at
http://kryten.eng.monash.edu.au/gspam.html, which I have in part ripped off, and learn the best techniques from the Spam hater (his page will help you a lot to make things HOT for stupid spammers).

Yet I'm a master reverser and a fairly good stalker, and my own techniques, coupled with the antispammers' knowledge, can give some interesting results, as you'll be able to read either on this very page or, maybe, on my redenemy.htm stalking page.

Byrne's Instructions

  1. Step one is to look at all the headers of the message. News/email readers normally show only a subset of the available headers to avoid screen clutter. Select the option that makes the hidden headers visible. In Netscape select Options/Show all headers, in MSWIN Pegasus press ^H, in Pine press H, in VM press t and in NewsExpress select File/ Options/ Compose/ Include Headers. Other news/email readers have similar options.

  2. Important headers are:

    All contain a network host name that may give you a clue as to who the spammer is. However, any or all of them may be faked. It is common for spammers to send email from a throwaway account at one site and solicit replies at other sites, so you may need to track down two or more network locations. Make a list of all host names mentioned in the headers and in the body of the message. These are the parts to the right of the @ sign in email addresses, between // and / in web links, in the last Received: header and at the right end of the Path: between !'s.

    Path: gives the list of hosts a news item passed through, from the poster's site at the right end to get to your site at the left end. One or more entries on the right end may be faked so you may need to cooperate with others to track down which host in the Path: list the message was injected at.

    Like the Path: header Received: headers are a list of sites the message passed through in reverse order but with only one host name per header. Again, the bottom entries (earlier timewise) in the Received: list may be faked. It is also possible for spammers to relay email via a third party so that the Received: header before your site's Received: headers may be a victim too. They're slack though as they should've configured their mail servers not to relay third party email. Some spammers also pretend to be innocent relay sites by forging additional Received: headers and lying in response to complaints; complain to the so-called `relay' site's ISP if you suspect this is the case.

    Since intermediate sites always prepend headers, those higher in the list are much less likely to be forged than those further down.

    Even with normal, non-faked operation not all hosts or network routers a message passes through are recorded in the Path: or Received: headers. Use TRACEROUTE to get a more complete list.
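As an added example (my code, not from Byrne's or Fravia's pages), here is the header walk of step 2 done in Python: it parses a constructed spam message, lists the Received: hops from the top (written by your own site) down to the bottom (the earliest, possibly forged, entry), and collects every host name to the right of an @ sign, between // and / in links, and in the Received: headers. Every host name and address in the sample is an invented documentation name; the function names are mine.

```python
import email
import re
from email import policy

# Constructed sample spam (documentation-only names and addresses, none real).
# The top Received: line was added by "our" host mail.mysite.example; the bottom
# one records whatever the sender claimed to the first relay and may be forged.
SAMPLE_SPAM = """\
Received: from relay.example-isp.net (relay.example-isp.net [192.0.2.10])
 by mail.mysite.example (Postfix) with ESMTP id ABC123
 for <me@mysite.example>; Tue, 28 Jul 1998 10:02:11 +1000
Received: from openrelay.example.org (openrelay.example.org [198.51.100.7])
 by relay.example-isp.net with SMTP id XYZ789
 for <me@mysite.example>; Tue, 28 Jul 1998 10:01:50 +1000
Received: from bigcorp.example.com (unknown [203.0.113.44])
 by openrelay.example.org with SMTP; Tue, 28 Jul 1998 09:59:02 +1000
From: "Great Offers" <offers@bigcorp.example.com>
Reply-To: sales@reply-here.example.net
To: me@mysite.example
Subject: Make money fast!!!

Order at http://www.cheap-stuff.example.net/order or mail orders@cheap-stuff.example.net
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
MAIL_DOMAIN_RE = re.compile(r"[\w.+-]+@([\w.-]*\w)")   # part right of the @ sign
URL_HOST_RE = re.compile(r"//([\w.-]*\w)")             # part between // and /


def received_hops(raw):
    """Received: headers as hops, topmost (added by our own site) first.
    'from' is the name the previous hop announced itself as; 'ip' is the
    address the receiving server wrote down in brackets."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))   # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")
        hops.append({"from": m.group(1),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group(3)})
    return hops


def collect_hosts(raw, own_domain):
    """Host names from addresses, links and Received: headers, minus our own."""
    hosts = set(MAIL_DOMAIN_RE.findall(raw)) | set(URL_HOST_RE.findall(raw))
    hosts |= {hop["from"] for hop in received_hops(raw)}
    return sorted(h for h in hosts
                  if h != own_domain and not h.endswith("." + own_domain))


def trust_ranked(raw):
    """Label each hop by how much the text says it can be trusted."""
    hops = received_hops(raw)
    labels = []
    for i, hop in enumerate(hops):
        if i == 0:
            label = "written by our site"
        elif i == len(hops) - 1:
            label = "earliest hop, possibly forged"
        else:
            label = "written by relay"
        labels.append((hop["by"], hop["from"], hop["ip"], label))
    return labels


if __name__ == "__main__":
    for by, frm, ip, label in trust_ranked(SAMPLE_SPAM):
        print(f"{by:24} got it from {frm:24} [{ip}]  {label}")
    print("hosts to investigate:", ", ".join(collect_hosts(SAMPLE_SPAM, "mysite.example")))
```

Note that the bracketed IP in each Received: line is what the receiving server observed for the connection, whereas the name after "from" is only what the connecting machine claimed; in the sample the bottom hop claims to be bigcorp.example.com but connected from 203.0.113.44, which is exactly the kind of mismatch the text tells you to investigate rather than believe.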

  3. Host names usually have machine name and domain name parts. For example kryten.eng.monash.edu.au has a machine name of kryten and domain name of eng.monash.edu.au (engineering faculty, monash university, education sector, australia) with larger domains monash.edu.au, edu.au and au. Look at your list of host names and see if you can add some local domain names to the list by stripping machine names from host names. This is a trial and error procedure and may not always give a valid result.

  4. Some of the host/domain names you've discovered may actually be a numerical network IP address eg. kryten's is 130.194.140.2. See in my links page how to find a host name given an IP address and how to find an IP address given a host name. Add any new host/domain names discovered to your list. IP addresses can have zero, one or several host names. Host names can have zero, one or several IP addresses.

    Some hosts and domains designate one or more hosts to handle any email directed to them. Use a tool like the freeware (actually postcardware) and very good CyberKit (copyright 1996 by Luc Neijens, Luc, you are invited to dinner by fravia+ :-) to find out if there are any such hosts.

  5. DIG queries domain name servers for information about the host/domain names you've found. It gives a mess of information, most of which you can ignore. You're not normally interested in addresses associated with the site where DIG was run (in this case ?.monash.edu.au and 130.194.?.?) and you're also not interested in the NS and other records of the name servers that supplied the information, just the info related to the host/domain you queried. This is in the ;; ANSWERS: section and is the A internet IP address records, the MX mail exchanger records and the PTR pointer to host name records. If they don't exist then the ;; ANSWERS: section will be empty or non-existent. The ;; AUTHORITY RECORDS: and ;; ADDITIONAL RECORDS: sections tell you what domain name server[s] are responsible for the part of the domain name system (DNS) you have queried.

    Any email sent to the queried host/domain will initially go via one of the hosts given by the MX records if they exist, otherwise it will go to the host given by the A record. If there are no MX and no A records then email will normally bounce. The MX and A host names may be in completely different domains. Add any new domains to your list.

    If an IP address has no corresponding hostname the SOA `start of authority' record can be used to see which hosts/domains are responsible for that part of the net. Internic.net is responsible for unallocated addresses so if you get this it usually means the queried IP address is faked or in error. If there is no SOA record try doing a DIG ipaddress->hostname on another IP address which is in the same subnet as the one you're interested in ie. vary the last number from 1 to 254. eg. For 130.194.140.37 you might try 130.194.140.66. Some machines are configured by accident or by design to not reveal who is responsible for them. Alternatively, look for the owner of the subnet by stripping off one or more right elements (eg. 130.194.140.2 -> 130.194.140 -> 130.194 -> 130).

  6. Use Cyberkit's WHOIS to find the administrative and technical contacts for the hosts/domains/IP address ranges you've discovered. This will give more contact information including email addresses. If there is more than one WHOIS entry for the domain you've entered you'll get a list of abbreviated entries. To get full information use an entry's key as a query string (eg. mci.net gives keys MCI8-HST and MCI2-DOM). Add the host/domain names of the email addresses to your list. You may need to strip off one or more left elements of each domain before you get a domain that WHOIS knows about (eg. eng.monash.edu.au -> monash.edu.au -> edu.au -> au). Similarly, you may need to strip off one or more right elements of each IP address range before you get an IP address range that WHOIS knows about (eg. 130.194.140.2 -> 130.194.140 -> 130.194 -> 130). WHOIS also knows about company names and some user names. This WHOIS covers US non-military domains only. For other domains see other WHOIS servers.
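Steps 3 to 6 are mechanical, so here is an added Python helper (my code, not Byrne's or Fravia's) that does the list-building for you: it strips the machine name and then successive left labels off a host name, strips right elements off an IP address, builds the in-addr.arpa name that a DIG ipaddress->hostname query actually asks for, and lists the same-subnet neighbours to try when an address has no PTR record. The hosts are the page's own examples (kryten.eng.monash.edu.au, 130.194.140.2, 130.194.140.37); only lookup_ptr() touches the network, everything else runs offline.

```python
import ipaddress
import socket


def parent_domains(host):
    """Step 3: strip the machine name, then successive left elements.
    kryten.eng.monash.edu.au -> eng.monash.edu.au, monash.edu.au, edu.au, au"""
    labels = host.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def ip_prefixes(ip):
    """Steps 5-6: strip right elements to find who owns a larger block.
    130.194.140.2 -> 130.194.140, 130.194, 130"""
    parts = ip.split(".")
    return [".".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def reverse_name(ip):
    """The PTR name behind a DIG ipaddress->hostname query (standard form)."""
    return ipaddress.ip_address(ip).reverse_pointer


def subnet_neighbours(ip, samples=(1, 66, 254)):
    """Step 5 fallback: same subnet, varying the last number between 1 and 254."""
    base = ip.rsplit(".", 1)[0]
    return [f"{base}.{n}" for n in samples if 1 <= n <= 254]


def lookup_ptr(ip):
    """Live reverse lookup (needs the network); None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def candidates(hosts, ips):
    """Grow the host/domain list the instructions keep telling you to add to:
    every host plus its parent domains, and the prefixes of every IP address."""
    found = set()
    for h in hosts:
        found.add(h)
        found.update(parent_domains(h))
    prefixes = {ip: ip_prefixes(ip) for ip in ips}
    return sorted(found), prefixes


if __name__ == "__main__":
    names, prefixes = candidates(["kryten.eng.monash.edu.au"], ["130.194.140.2"])
    print("domains to query:", names)
    print("address prefixes:", prefixes)
    print("reverse name:", reverse_name("130.194.140.2"))
    print("neighbours to try:", subnet_neighbours("130.194.140.37"))
```

The stripping is the trial-and-error procedure the text warns about: the tail of the list (edu.au, au, or a bare 130) names a registry or a whole region, not an owner, so the useful WHOIS hit is normally the longest name or prefix the server still knows about.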

  7. Use Cyberkit's TRACEROUTE to get a list of sites handling messages between this web server host and each of the hosts/domains. This can take several minutes. Ideally it should be from your mail host but this should do. Alternatively, if you're running MSWindows 95 it comes with a TRACEROUTE; run TRACERT in an MSDOS window. The last entry in the TRACEROUTE results list should be the host/domain you're querying. The next-to-last should be the Internet Service Provider (ISP) for your queried host/domain. The next-to-last for that ISP is their ISP and so on. More than one host at the end of the list may be owned by the spammer and so you need to use some judgement as to whether, when you send email to one of the hosts, you're talking to the spammer or their ISP. Add the hosts at the end of the list together with their domains to your host/domain list. This TRACEROUTE will have trouble if the test link is heavily loaded (likely during Australian working hours). If so you could try other web TRACEROUTEs.

    It is possible but rare for a spammer to forge the response to a TRACEROUTE so that sites later in the list may be deceptive. If you suspect this is the case you will need to complain to all the upstream ISP's as only they can determine where the forgery starts.

  8. Use web search engines to look for references to the domain names you've found. Look for `domain' and `www.domain'. Virtually all ISPs have web sites like this and you can use the web pages to get some idea of whether it's actually the spammer or the ISP, together with the size, contact addresses and the email/news policy of the ISP. In addition if it's a .net domain try a .com domain and vice-versa; many companies use both. Be careful though as there are also many completely unrelated companies using domain names differing only in the .net and .com ending. You can check by looking at the WHOIS contact information and the IP addresses.

    You can also use Altavista or Deja News to find out other information about your target spammer.

  9. You should now have a list of hosts and domains with a fair idea of the spammer's addresses and their ISP's addresses. Send an email to the spammer's ISP (this may or may not have the same domain name as the spammer themselves) using the abuse@ address and a copy to the spammer themselves. In the message include a copy of the spam with full headers, detail the reasons why you find the spam unacceptable and request that they not do it again. If abuse@ bounces send the message to admin@, root@ or postmaster@ and additionally ask them to configure an abuse@ address which forwards to their person responsible for handling net abuse. If the email addresses aren't working you could try a fax gateway or check out the email search FAQ.

  10. Large ISPs will generally not reply to you because they're too busy but if they receive enough complaints (and if they are full of spammers they usually do) it is likely the spammer will be dealt with. Most ISPs are good net citizens because it's in their own interest to maintain a good reputation. If you see the spam again send another message but this time post a copy of the spam with full headers to the news.admin.net-abuse.sightings newsgroup and let the experts have a go. You may also want to email the ISP of the ISP. You should read the news.admin.net-abuse.* newsgroups for a week or two to get a feel for how spammers operate and are dealt with. Be warned that these newsgroups include plenty of argumentative and intentionally deceptive and disruptive posts from spam supporters in addition to posts from people trying to reduce spam. Life is fight.

A final warning: Any message on the internet which doesn't use strong encryption/authentication techniques like PGP can be completely fake. Any text you read can be ripped off another site without any notice. A great part of the preceding text, and part of the following, has been RIPPED OFF the very good (if a little too USA oriented) page of Julian Byrne, at http://kryten.eng.monash.edu.au/gspam.html. (Yet I have already added material of mine and I intend to add even more in the near future).

So what people tell you and what really goes on are NOT THE SAME THING! Heed this!

Occasionally enemies on the net attack each other by tricking a third party into doing their dirty work for them. Treat any address you get with suspicion until proven otherwise.


Some easy tricks to annoy the stupid commercial spammers
The 127.0.0.1 trick

When posting news items on usenet use one of the following From: or Reply-To: addresses: [127.0.0.1] and localhost are often synonyms for `the current host'. If you're lucky the bounce addresses will cause a bounce on the sender's machine as it tries to deliver to the non-existent user bounce. The last two addresses will cause the spam to be delivered to the email administrator of the machine sending the spam. The first four will have analogous effects. If you're lucky that will be the ISP and not the spammer themselves. So that you can be contacted make sure your posting body includes a signature that gives your true email address, perhaps in encoded form to confuse automated address collectors that scan news article bodies as well as article headers.

The simplest system seems to me to be the use of (at) and (point) inside the addresses, so that your JohnHSmith@mymail.com will be "translated" as JohnHSmith(at)mymail(point)com... even complete idiots should be able to understand this, at least I hope :-)
Let the stupid commercial spammers pay and stalk their real identities at the same time!
Letting them pay is always great fun, valid also for non-spam commercial advertisements... :-)

  • If the spam includes a freecall 800 phone number (States) or a 'green' number (European Union) then, by all means, use it. They are paying for that number and this transfers the costs where they belong. Keep in mind that freecall numbers frequently use unblockable caller-id to get the caller's phone number so you may want to freecall from a public phone. Repeatedly dial these phone numbers as this is NOT illegal if you have forgotten to ask them something :-)
    Just keep handy a list of spammers' freecall numbers and use it as soon as you have to wait for a plane or a train or someone, or else whenever you happen to have some free time where there are some public phones.
    Be wary of non-freecall numbers, as some area codes that are apparently local are actually international and have exorbitant charge scams associated with them... all problems will be avoided if you use a public phone.
    This technique is the most elementary technique used in order to stalk the spammers: act like an interested client in whatever the stupid spammer would like to sell, and get (social engineering elementary techniques, of course) real info out of them, inputting to them totally faked info and data. It's very easy, as you will see, and you'll get them. You'll annoy them just calling, but if you enjoy going the whole way, then do prepare some valid amexco/visa card numbers (you'll find on the web as many fake credit card numbers generators as you want) and have a couple of credible faked identities (best ones are 'immigrant' identities: when you fake an address and that address (and the telephone number you have given) are possibly going to be checked, use some name (and people) like 'Wong' or 'Kiczielsky', or 'M'bungo' and give address (and corresponding telephone) in a huge house full of people that barely speak English (or German, or Italian, or whatever you are supposed to speak). You'll find a lot of these 'anonymity baits' with a little social engineering. Such 'refugees' decoys are the best thing you can use when you are covering your tracks and/or faking addresses: confronted with a family of 25 immigrants that do not speak the country language nor understand what the cuckoo is going on, the card society agents themselves won't be able to understand if there was -or not- any malicious intent :-)

    Ok, now you have your target, a fake credit card and a fake (yet existing) identity... order everything they sell and let them deliver it to some impossible address, like your local police station, an abandoned building or another spammer's real address (this is the most funny destination IMHO)

  • Some scarecrow rhetoric can also be helpful...
    This is the kind of message you may want to append...

  • Unsolicited commercial e-mail will be proof-read with the help of the mailer, his postmaster, and if necessary, his upstream provider(s).
  • The sender of any unsolicited email sent to this address agrees to pay EURO 350/email for proofreading services.
  • Any junk email sent to this address will be placed in my junk email blacklist. Sender agrees to pay EURO 65 for each such email archived.
  • Our organisation will take care of spam email, trying either to blow the spam mailer's hosting server to pieces, or to block/damage it to the maximum extent or -at least- to slowbomb it for a period of between three and five non consecutive months. Pertinent Cisco routers will be redirected where necessary and all "bombing" packet loads will of course appear to originate from the spam mailer himself.

  • Finally a whole 'bounce' page, added to your site, can seriously annoy spam bots...

    Have a look at mine!


    Variety as stalking lure

  • Use slightly different names and email addresses, with different organizations, to help track down the culprit if your address is sold. Remember that you may have dozens of email addresses, since any free page provider and any remailer, like usa.net or hotmail (which has been bought by Billy-bane... they are moving from old powerful Unix to buggy NT-servers and the service is getting worse and worse as a consequence) or Yahoo or (if you happen to be careful enough to MISTRUST anything located in the States) latin.com or chez.com will gladly give you as many (faked) emails as you need!

    So start preparing five email addresses, say IvanBilibin@hotmail.com IvanBilibin_@hotmail.com IvanBilibin__@hotmail.com and so on... and use them according to the 'spam risk': the more underscores, the higher the spam risk... d'you dig it? Of course you will NEVER use your REALLY USED address for any web-transaction, nor will it EVER figure on any usenet group... cela va sans dire... note that you can have a couple of "luring" addresses, but that's another 'advanced stalking' matter...


  • Use special email addresses that are only valid for a limited time period, that are only valid when used by a particular correspondent or are only valid for a single return email message. These approaches require sophisticated use of email filtering programs and probably only make sense for somebody technically literate and with a high volume of junk.


  • Study Eudora's filter help files... note how one of the MOST ADVANCED filtering applications that exist, Micro$oft's Exchange, does NOT explain to you how to use its powerful filter assistants :-(
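A small added example, not code from this page, of the filtering the last three bullets describe: a registry of tagged addresses, using IvanBilibin's underscore scheme from above with constructed organisation names, that tells you whether an incoming message hit an expired address, an address handed to a single correspondent who is not the sender, or an address nobody should have. Tag, REGISTRY, spam_risk() and classify() are my names; the dates and organisations are invented.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Tag:
    given_to: str                        # who this address was handed to
    valid_until: Optional[date] = None   # None: never expires
    only_from: Optional[str] = None      # sender domain allowed to use it


# Constructed registry for the hypothetical user IvanBilibin: one address per
# correspondent, more trailing underscores meaning a riskier place it was used.
REGISTRY = {
    "ivanbilibin@hotmail.com": Tag("friends"),
    "ivanbilibin_@hotmail.com": Tag("bookshop.example", only_from="bookshop.example"),
    "ivanbilibin__@hotmail.com": Tag("usenet", valid_until=date(1998, 8, 31)),
    "ivanbilibin___@hotmail.com": Tag("free-cdrom.example.net"),
}


def spam_risk(address):
    """Risk tier encoded in the address: trailing underscores of the local part."""
    local = address.split("@", 1)[0]
    return len(local) - len(local.rstrip("_"))


def classify(to_address, sender_domain, today):
    """What an incoming message tells us about the address it arrived at."""
    tag = REGISTRY.get(to_address.lower())
    if tag is None:
        return ("unknown address", None)
    if tag.valid_until is not None and today > tag.valid_until:
        return ("expired address", tag.given_to)
    if tag.only_from is not None and sender_domain.lower() != tag.only_from:
        return ("address leaked or sold by", tag.given_to)
    return ("ok", tag.given_to)


def filter_log(messages, today):
    """Run (recipient, sender-domain) pairs through classify() as a mail filter would."""
    return [(to, *classify(to, frm, today)) for to, frm in messages]


if __name__ == "__main__":
    # Constructed incoming traffic: two hits on the bookshop-only address, one
    # on the expired usenet address, one legitimate message from a friend.
    sample = [
        ("IvanBilibin_@hotmail.com", "bookshop.example"),
        ("IvanBilibin_@hotmail.com", "bulkmail.example.org"),
        ("IvanBilibin__@hotmail.com", "anything.example"),
        ("IvanBilibin@hotmail.com", "friend.example"),
    ]
    for row in filter_log(sample, date(1998, 9, 15)):
        print(row)
```

The second verdict is the interesting one: a message to the bookshop-only address from any other sender proves that particular shop passed the address on, which is exactly the culprit-tracking the first bullet is after; the expired and unknown verdicts are what the time-limited and single-use addresses of the second bullet give you.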
Destroy spammers' servers or spammers' email addresses

This section is in fieri... in the meantime please read my smut-sites bombing pages... they may give you some sound ideas :-)
(c) Fravia 1995, 1996, 1997, 1998. All rights reserved
(*) mailto:postmaster@[127.0.0.1]?subject=Stupid guy is spamming from your own domain