July 24, 2004
Fighting Spam
A lot of people these days ask me how to report spam. So I'll write about how I do it.
A few things to remember...
First, 999 times out of 1,000 the address the spam is coming from is going to be a fake one. So it does no good whatsoever to send a reply to these addresses. In fact, it only exacerbates the problem because more useless mail is being sent.
Second, the key is to find the real origin of the email.
Third, most spam today is being sent from a zombie computer that has been infected by one of the many email viruses floating around out there. So even by disconnecting that computer you're not getting to the real spammer. Instead, you're helping someone else get their computer problems sorted (hopefully) so that it doesn't sit there sending tens of thousands of spam mails every day.
Okay, here's how to do it.
First, you need to familiarize yourself with how to read email headers. You don't need to understand what each header line means or does. In fact, you'll just confuse yourself more, since most spam-sending programs these days will forge headers.
The key here is that even if there are forged headers, the real information is also there too. The trick is finding it.
Have a look at a few of your legitimate emails. In your email software you will want to View Full Headers. Each email application has a different way of showing the full headers, and the default is typically not to show these. You may need to search the Help function of your software to sort out how to view the headers.
In your header lines you should see something that looks similar to this:
Received: from smtpout.ev1.net (207.44.129.132)
by sub.server.com with SMTP; 21 Jul 2004 22:48:38 -0000
The key point I want you to look for here is the part that immediately follows the word "by". In your legitimate emails you should see something that is pretty much the same. This stamp is produced by your own mail server, whether that's your ISP or the mail server name/address of your domain.
Make a mental note of how your mail server identifies itself. This will help you to quickly wade through forged headers in the future, and make sure you're reporting the spammer to the correct place.
Where do you report them? It's in that same line. Do you see the IP number inside the parentheses? In the example above what I'm talking about is 207.44.129.132.
This you can also trust to be correct. As long as you use the IP number that is inside the parens you'll be reporting the spam to the folks who have authority for the IP number.
This is the IP number that actually connected to your mail server to send the mail to you. That's as far as you need to go with it. They will have log files to track things back any further if need be.
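As an added example (not part of the original post), here is a short Python script that applies exactly the rule above: it walks the Received headers from the top down, keeps only the first one stamped "by" your own mail server, and pulls the IP number out of the parentheses, ignoring any forged lines further down. The server name sub.server.com and the sample spam message are constructed for the demonstration.

```python
import email
import re
from email import policy
from typing import Optional

# Constructed sample spam (not a real message). The top Received line was stamped by
# our own server, sub.server.com; the lines below it were written by other machines
# and could have been forged by the sender.
SAMPLE_SPAM = """\
Received: from smtpout.ev1.net (207.44.129.132)
  by sub.server.com with SMTP; 21 Jul 2004 22:48:38 -0000
Received: from mail.example.net (mail.example.net [192.0.2.10])
  by smtpout.ev1.net (Postfix) with ESMTP id 4F2A1; Wed, 21 Jul 2004 17:47:02 -0500
Received: from unknown (HELO bigbank.example) (10.0.0.5)
  by mail.example.net; Wed, 21 Jul 2004 17:40:00 -0500
From: "Friendly Sender" <forged@example.org>
To: victim@sub.server.com
Subject: You have won

Click here.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def connecting_ip(raw_message: str, my_server: str) -> Optional[str]:
    """Return the IP that connected to my_server, or None if no such stamp exists.

    Received lines are read top-down (newest hop first). The first one whose
    'by' host is my_server was written by my own mail server, so the address in
    its parentheses can be trusted; everything below it is ignored.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    for header in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", str(header))  # unfold continuation lines
        m = re.match(r"from (?P<from>.+?) by (?P<by>\S+)", line, re.IGNORECASE)
        if not m or m.group("by").rstrip(";").lower() != my_server.lower():
            continue  # stamped by someone else: may be forged, keep looking
        # The IP sits inside parentheses in the 'from' part, either bare
        # "(207.44.129.132)" or as "(host [192.0.2.10])".
        ip = re.search(r"\([^()]*?(" + IPV4 + r")[^()]*\)", m.group("from"))
        return ip.group(1) if ip else None
    return None


if __name__ == "__main__":
    print(connecting_ip(SAMPLE_SPAM, "sub.server.com"))  # 207.44.129.132
```

If your mail passes through an internal relay before reaching your mailbox, give the function the name of the border server that accepts mail from the Internet, not the internal one.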
Next, head over to my little WhoIs Tool and plug this IP number into the search box. Searching on the IP will bring up the ownership data, or who is ultimately responsible for the IP.
Most providers these days will provide a specific email address to send Spam/Abuse complaints to. In fact, most of these will have "abuse" in the email address, so the quick way is to do a search of the WhoIs data for the word abuse.
(Note: My little WhoIs Tool will help you to trace back almost any IP number, worldwide. The only exceptions being: Japanese (.co.jp) WhoIs providers don't provide much information and you usually have to go directly to the .co.jp interface to get a reporting email address, but the address to go to is provided by my tool; and some Korean peninsula IPs don't resolve correctly for some reason, but the additional URL to use with those is also provided.)
So now you've got the abuse@ email address to report the spam to.
What I do at this point is to simply Forward the spam email, with full headers showing to the address provided. I add a bit of text to the top that I've saved to help them sort everything out. I even include the name of my mail server as it appears in the headers for their reference.
The main things you want to remember when sending in a spam report are:
1. Do not include any attached files. Abuse departments will typically delete any emails that contain an attachment.
2. When you forward the email make sure you are sending it as Plain Text. Most email clients come with a default setting to send "Styled" or "HTML" text. Some abuse departments will delete those without reading them. Better safe than sorry.
See, it's really not as hard as everybody makes it out to be. A little bit of due diligence on your part makes it happen. Once you get used to it, you can report the spammers very quickly and easily. Especially if you set up a little canned Spam Report response.
I've gotten to the point that I can report a spam mail in under a minute. The process looks like this...
Open the spam mail.
Click the Show Headers button in my Eudora.
Locate and highlight the offending IP number.
Do a Ctrl+C to copy it.
Click over to my browser that already has my WhoIs Tool open.
Ctrl+V to paste the IP into the search box.
Click the "Check Domain" button.
Locate the "abuse@" email address in the WhoIs record.
Highlight the address with my mouse.
Ctrl+C to copy it to my clipboard.
Go back to Eudora and click the Forward Mail button.
Ctrl+V to paste the address into the To: field.
Click over to my canned Spam Report text.
Highlight it and Ctrl+C to copy it to my clipboard.
Click back to the email I'm sending and Ctrl+V to paste the text into my email.
Click the "Send" button.
It sounds a lot harder than it is. I've reported enough over the years that I can get through the entire process above in about 15-20 seconds. And it does work! I get several (dozen) email accounts killed per day because they've spammed me. My total time investment? Maybe 30 minutes per day, on the days I actually decide to report the 100+ spams I get.
A couple of other quick tips:
- It'll normally take more than one report against each spamming computer to get it removed from the network. Unless it's an AOL IP number. Those folks are ruthless about fighting spam thankfully.
- If no abuse@ address is listed in the WhoIs record, I will typically put the email address(es) listed there in the To: field and CC: it to abuse@ anyway, just to be safe.
- When you go to the Japanese (.co.jp) WhoIs tool, paste in the IP number, hit your space bar and put a /e at the end. (Example: 123.45.67.89 /e ) This will convert the WhoIs information to English for you.
- The Brazilian folks do it right, but you'll need to scroll a bit to get the info you need. If you see .BR indicated at the top of a record scroll way down to the bottom of the page. If there is an abuse@ address for the ISP it'll be down there somewhere. While you're there though, note that at the very end of the record, typically right below the ISP info, you'll see a blurb about also sending abuse complaints to mail-abuse@nic.br so make sure to put that in the CC: field. nic.br is the Brazilian domain name authority, or the equivalent of ICANN for .com domains. nic.br will help to assure that the ISP does their job in removing the spamming computer from the network.
Good luck! Drop me a comment if you have any questions or something above doesn't make sense. I'll be more than happy to take a look at your individual situation.
Comments
Any chance of you releasing the code for your whois tool? It's pretty slick.
Ooh, I could do that, stoph. But it would take me a lot of time and effort to clean it all up and make the code somewhat pretty.
How about a deal for ya though. Head over to the PHP WhoIs Project at SourceForge (http://sourceforge.net/projects/phpwhois) and you'll find a freebie one that is probably even better! I know it's had a lot more recent development than mine has.