Wednesday, March 28, 2007
Where to report spam
I've seen estimates that less than one in a million spams results in a well-directed complaint.
Almost every week I see bad advice about where to report incoming spam.
Never reply to a spam message. The reply address is probably bogus, and if it's real, you just made your address more valuable to other spammers. You can't mailbomb them. You can't exhaust their web servers with repeated requests, either.
Don't report spam if you're not computer literate enough to save a spam into a plain text file and look at the headers. That means the lines in the message headers that begin with the word "Received:." If the files you save don't have those, don't bother. If you do not know the difference between a plain text file and an MS-Word document with the font set to Courier, don't bother. But if you can include the message in-line, not as an attachment, without destroying the headers or adding word processor crap, go for it. Report it to:
Your email service provider. That's nice. Sometimes it helps "educate" or "train" their filters. AOL and Yahoo! Mail do that. It does approximately nothing to the spammer. Your ISP is probably not going to contact his ISPs.
Spamcop. That's nice too. It helps ISPs who subscribe to Spamcop's block list block more spam from the same source. Don't bother if the spam is more than an hour old. Unfortunately Spamcop also offers a "personal" software product that's supposed to analyze the spam and help you generate a report. But it's not very accurate, and a lot of ISPs, maybe most, ignore those reports.
The FTC. You can forward spam with complete headers to spam@uce.gov. They keep statistics.
The SEC. You can forward stock spam to enforcement@sec.gov. They bust some criminals sometimes. If it's "image" spam, put the stock symbol that's being promoted in your subject line.
news.admin.net-abuse.sightings. That's a Usenet newsgroup for posting spam samples. People use it to research spam patterns. If you can't post the contents of a plain text file, in-line, to a newsgroup, don't bother.
The owner of the exploited equipment. Almost all spam is sent through computers the spammers don't own. Spammers break into servers through leaky Web applications. Or they steal or guess weak passwords. They break into PCs in people's homes, on DSL or Cable, through "virus" infected email and malware infected Web pages.
Look at the Received: header line where your service provider receives the message from someplace that's not your service provider. (If you can't read, don't bother.) Maybe it's a cable company you've heard of. Look up that company's abuse reporting address. There's a service for doing that, at abuse.net. You can query abuse.net with your whois program (e.g., whois -h whois.abuse.net hotmail.com), or use its web site. The DSL or cable company will (sometimes) contact the owner of the compromised computer.
The giveaway for those DSL or cable senders is a so-called "generic address." I'll pick two examples from today's incoming spam. The hostname wsip-70-183-84-39.dl.dl.cox.net is generic. It's got numbers in it that are the same as its IP address. The hostname mercury1.networknoc.com is not generic. If it's not a generic name, it's not one of those home machines. It's either web hosting or a small business. You can figure out who the ISP is with your traceroute or tcptraceroute program. You'll never figure out who the owners of the individual cable/DSL zombies are. But their ISPs know. You can try calling the owners of the exploited web servers themselves. But if you can't talk about the spam they're sending authoritatively, they'll think you're just harassing them or trying to sell something. It's easier to just send a spam sample to the abuse address at their ISP.
Sometimes spammers break into other people's computers to host their name servers or Web servers or both. Never go to the URL in a spam message. If you use MS-Outlook [Express] or Thunderbird don't even open your email with image display enabled. But you can trace the name in the URL. And you can trace the name servers. They're named in the domain's Whois entry or you can look them up with your host or nslookup or dig commands. If the servers are on cable/DSL or at hosting places in western Europe, Australia, or North America, report them. Elsewhere, it's probably not worth the trouble. If it's in China, South Korea, Russia, or Bulgaria, sad to say, don't bother. As far as I know, all ISPs in those countries are spammer-friendly. You can look up the ISP at Spamhaus.org if you're not sure. There is no point in reporting spam to a spammer-friendly ISP.
"Free" email providers. A certain type of spammer prefers to use throwaway accounts at Yahoo Mail, Hotmail, Excite.com, etc. Those are the "advance fee fraud" or "Nigeria 419" scammers. If they're fresh, report these to the abuse address at the email company. If you received it more than 24 hours ago, don't bother. Notice that the "Reply to" address is hardly ever the same as the "From" in these things. Sometimes the Reply to address is repeated in the message body. Those are the ones that are worth reporting. The From address had already been discarded by the time you saw the spam.
Notice that abuse@hotmail.com does not work and never has. Hotmail (Microsoft) thinks the rules of the Internet don't apply to them, and their special abuse address is report_spam@hotmail.com. Also, the abuse address for Yahoo Mail is always abuse@yahoo.com, even for the country domains like yahoo.co.uk.
That's all. If you're savvy enough to find other assets in the spammer's network, you already knew all this stuff and didn't have to read this far. Experts go after the credit card processors. Uber-experts sometimes take legal action. But this is not work for amateurs. Remember spammers are criminals. Spam is international organized crime. You don't want to provoke these people if you don't know what you're doing.
Almost every week I see bad advice about where to report incoming spam.
Never reply to a spam message. The reply address is probably bogus, and if it's real, you just made your address more valuable to other spammers. You can't mailbomb them. You can't exhaust their web servers with repeated requests, either.
Don't report spam if you're not computer literate enough to save a spam into a plain text file and look at the headers. That means the lines in the message headers that begin with the word "Received:." If the files you save don't have those, don't bother. If you do not know the difference between a plain text file and an MS-Word document with the font set to Courier, don't bother. But if you can include the message in-line, not as an attachment, without destroying the headers or adding word processor crap, go for it. Report it to:
Your email service provider. That's nice. Sometimes it helps "educate" or "train" their filters. AOL and Yahoo! Mail do that. It does approximately nothing to the spammer. Your ISP is probably not going to contact his ISPs.
Spamcop. That's nice too. It helps ISPs who subscribe to Spamcop's block list block more spam from the same source. Don't bother if the spam is more than an hour old. Unfortunately Spamcop also offers a "personal" software product that's supposed to analyze the spam and help you generate a report. But it's not very accurate, and a lot of ISPs, maybe most, ignore those reports.
The FTC. You can forward spam with complete headers to spam@uce.gov. They keep statistics.
The SEC. You can forward stock spam to enforcement@sec.gov. They bust some criminals sometimes. If it's "image" spam, put the stock symbol that's being promoted in your subject line.
news.admin.net-abuse.sightings. That's a Usenet newsgroup for posting spam samples. People use it to research spam patterns. If you can't post the contents of a plain text file, in-line, to a newsgroup, don't bother.
The owner of the exploited equipment. Almost all spam is sent through computers the spammers don't own. Spammers break into servers through leaky Web applications. Or they steal or guess weak passwords. They break into PCs in people's homes, on DSL or Cable, through "virus" infected email and malware infected Web pages.
Look at the Received: header line where your service provider receives the message from someplace that's not your service provider. (If you can't read, don't bother.) Maybe it's a cable company you've heard of. Look up that company's abuse reporting address. There's a service for doing that, at abuse.net. You can query abuse.net with your whois program (e.g., whois -h whois.abuse.net hotmail.com), or use its web site. The DSL or cable company will (sometimes) contact the owner of the compromised computer.
The giveaway for those DSL or cable senders is a so-called "generic address." I'll pick two examples from today's incoming spam. The hostname wsip-70-183-84-39.dl.dl.cox.net is generic. It's got numbers in it that are the same as its IP address. The hostname mercury1.networknoc.com is not generic. If it's not a generic name, it's not one of those home machines. It's either web hosting or a small business. You can figure out who the ISP is with your traceroute or tcptraceroute program. You'll never figure out who the owners of the individual cable/DSL zombies are. But their ISPs know. You can try calling the owners of the exploited web servers themselves. But if you can't talk about the spam they're sending authoritatively, they'll think you're just harassing them or trying to sell something. It's easier to just send a spam sample to the abuse address at their ISP.
Sometimes spammers break into other people's computers to host their name servers or Web servers or both. Never go to the URL in a spam message. If you use MS-Outlook [Express] or Thunderbird don't even open your email with image display enabled. But you can trace the name in the URL. And you can trace the name servers. They're named in the domain's Whois entry or you can look them up with your host or nslookup or dig commands. If the servers are on cable/DSL or at hosting places in western Europe, Australia, or North America, report them. Elsewhere, it's probably not worth the trouble. If it's in China, South Korea, Russia, or Bulgaria, sad to say, don't bother. As far as I know, all ISPs in those countries are spammer-friendly. You can look up the ISP at Spamhaus.org if you're not sure. There is no point in reporting spam to a spammer-friendly ISP.
"Free" email providers. A certain type of spammer prefers to use throwaway accounts at Yahoo Mail, Hotmail, Excite.com, etc. Those are the "advance fee fraud" or "Nigeria 419" scammers. If they're fresh, report these to the abuse address at the email company. If you received it more than 24 hours ago, don't bother. Notice that the "Reply to" address is hardly ever the same as the "From" in these things. Sometimes the Reply to address is repeated in the message body. Those are the ones that are worth reporting. The From address had already been discarded by the time you saw the spam.
Notice that abuse@hotmail.com does not work and never has. Hotmail (Microsoft) thinks the rules of the Internet don't apply to them, and their special abuse address is report_spam@hotmail.com. Also, the abuse address for Yahoo Mail is always abuse@yahoo.com, even for the country domains like yahoo.co.uk.
That's all. If you're savvy enough to find other assets in the spammer's network, you already knew all this stuff and didn't have to read this far. Experts go after the credit card processors. Uber-experts sometimes take legal action. But this is not work for amateurs. Remember spammers are criminals. Spam is international organized crime. You don't want to provoke these people if you don't know what you're doing.