The Campaign to Stop Junk Email
Dealing with Junk Email (A Victim's Primer)
What you should do (and not do) when you have been victimized by a junk emailer.
This document teaches you how to read headers in order to trace the origin of junk email, and includes detailed examples to show you how it is done. Headers are designed for computers to read, not people, so they can be a little hard to follow. Therefore, I hereby grant permission to print or electronically save a copy of this page on your local machine for your personal use while tracing junk email. Please check back for updates and corrections, though.
Otherwise, I would prefer that you just refer people to this site via the URL to get their own copy. If you really feel you need to forward copies of this material throughout your organization or otherwise distribute or republish it, you will have to secure my written permission first (I consider my PGP-signed email to be "written" for this purpose).
First of all, there are some things you really shouldn't do. Trust me.
I have often had the urge to send a multi-megabyte BLOB file attachment in reply to the junk mailer, to sink their in-box. Or to mailbomb them. It's hard to resist. But, sadly, it's also not very satisfying, once you learn that it just isn't very effective. Junk emailers are getting more savvy. Often mail sent to the return address bounces because the return address is forged. Sometimes (when you're lucky) the system operator has already yanked the account when they discovered that the junk mailer was abusing the net in this way. Sometimes everyone else had the same idea, and all the disk space on the offender's mail server has already been consumed.
There are also unintended consequences and side-effects for this kind of retributive action, which you should consider. First of all, if the address is forged on purpose (not that hard to do), the person in the reply-to might be the hapless victim of a reverse mailbombing.
Even if this is not the case, causing a mail server to crash affects all the other innocent users on that system. Sure, I could rationalize that this will give them some incentive to deal with the offender, but if this happened to me I wouldn't have any idea which of my co-users was junk mailing from my ISP's server. All I'd know is that the mail server was unavailable. In addition, intentionally trying to crash a machine through mailbombing is technically a Denial-of-Service Attack, a computer crime (at least in the United States).
If the systems operator has done their job and terminated the account, you are just adding to their headache by mailbombing the address. Plus, the sysop is probably much better at it than you are. This means that you might just have your own mailbox squashed like an irritating mosquito.
If a junk email has a phone number in it for responses, especially a toll-free 800 or 888 number, it's obvious that the sender is either A) completely clueless about the Internet and its denizens, B) attempting to pull a nasty prank on someone they don't like very much or C) someone who just exploited the owner of the phone number by charging them for a "really good advertising opportunity on the Internet." No one who knows anything about the nature of the Internet would willingly or knowingly open themselves up for the inevitable massive abuse that's about to rain down on them via their telephone or fax machine.
It's certainly acceptable to call once to calmly explain why you object to their junk email, or to send a single, polite fax. But think about this: If the bulk email mailing-list vendors are telling the truth, the lists have over a million supposedly valid email addresses. If the junk email included a toll-free number, suppose just one percent of the recipients were irritated enough to call in a (free, after all) complaint during the following week. That's ten thousand phone calls--more than 1,400 per day! And a lot of those calls are going to be abusive.
I understand how angry junk email can make you. But please don't call the numbers to yell. Don't send 400-page faxes. It's really not a good idea to call the toll-free number repeatedly just to run up their bill. (For one thing, it's a crime to harass over the phone, and your calling number will appear on their bill.)
The owner of that number is almost certainly either a victim of a selfish junk emailer (just like you) or a poor, ignorant fool about to learn a terrible lesson. I have talked to some of these people by phone, and they are usually very apologetic and repentant, and have been fielding angry phone calls all day. Feel sorry for them. Don't lower yourself to the same level as the junk emailers. Don't become an abuser.
This is the technique that I have found most effective in battling junk email. I'm not saying this is the only correct response, and I still reserve the right to change my tactics in the future, but here it is, for what it's worth.
Currently, I recommend the following three-step process (Well, OK, five if you count the beta steps). Step 1: Ready... is rather lengthy because it walks you through a complete example of tracking down the origin of a junk email from the message itself--don't let it scare you: after you've seen it done, it's actually pretty quick and easy. Step 1 also gives you links to Web-accessible versions of all the tools you need to do the job. Step 2: Aim... shows you how to dig deeper and discover the identity of junk emailers, or (more importantly) the people responsible for giving them access to the Internet. Step 3: Fire! tells you how to get that access cut off by showing you the best way to proceed, what to say in your message, alternate avenues of contact, as well as when and how to go to The Proper Authorities, if necessary. This is known as applying a LART.
I know junk email can really make you angry, but you can deal with it more effectively if you take the time to target your attack correctly.
On the other hand, don't get discouraged and just delete the message without retribution. This is known as the JHD mentality, and it's just what the junk emailer wants--only people who want to send cash need respond! We must take action to get change.
Gather as much information as possible. The idea is to learn where the junk emailer actually "lives" on the Internet. We do this by determining where the message originated, where it was forwarded to you, and where any spamvertised Web pages or email drop boxes are located.
It's almost certainly forged. At best it doesn't actually exist. At worst it is the real address of some innocent person who had nothing to do with this junk email. It is incredibly easy to forge an email address: it's simply a matter of typing in a bogus "from" address in your mail client. (If you don't believe me, try this experiment: change the return address in your email software to "firstname.lastname@example.org" and send a message to yourself at your real email address.) There's no point in complaining to the ISP of the "From:" address, unless the body of the spam specifically requests replies to that address for more information. More on that later.
This is the machine from which the junk emailer actually sent the message. We determine the originating host by reading the headers.
Understanding the "Received:" headers
When you send email on the Internet with a mail client (like Eudora, Elm or Pine), you use Simple Mail Transfer Protocol (SMTP). Your machine (Mac, PC, Unix host, whatever) makes a connection to the SMTP server on the outgoing mail machine, and sends your message. The SMTP server forwards your message to the next SMTP server down the line, and so on, until it arrives at its destination. Each server that handles the message adds its own "Received:" header on top, so these headers record the route and allow us to trace the path of an email message back to its origin.
Header Decoding Example
Here are the headers from an actual junk email I received, which we will decode as an example:
Items in green bold are generated by my ISP's incoming mail server, so I consider them reliable.
Items marked in grey are generated by intermediate mail-handling machines that are probably not under the spammer's control, so they are nominally reliable.
Header items marked in red italic are generated by the spammer directly, so they are completely unreliable.
Now let's decode the "Received:" headers of this junk email to trace this message's path back to the origin.
This topmost "Received:" header line was added by my ISP's incoming mail server, "host13.hrwebservices.net," when it received this email. Because of this, I can trust the information in green as accurate. This line tells us that a machine calling itself "mclean.mail.mindspring.net" opened a mail connection from IP address 126.96.36.199 at the time indicated, and delivered this junk email to the address Webmaster@jcrdesign.com. (That address, by the way, was harvested from these very Web pages by this junk emailer or their list provider; in fact, identical junk email messages were sent to several addresses that appear on this Web site.)
Note that the part right after the "from" (in this case, "mclean.mail.mindspring.net") is provided by the incoming connection, and is not actually verified by my ISP's SMTP mail machine. It is called the "HELO" name, because the sending machine announces it in the SMTP "HELO" greeting, and it is easily forged; the sending machine can enter pretty much anything it wants at the "HELO" prompt. It could have entered "whitehouse.gov," "fbi.gov," or even "Wally the Wonder Worm" and that is what would have appeared there. The host information between the parentheses, however (the IP address of the inbound connection), is generated and verified by the receiving SMTP machine, so it can't be forged by the sending machine.
This "Received:" header line was generated by the machine at 188.8.131.52. That machine, which calls itself "mclean.mail.mindspring.net," says it got the message from IP address 184.108.40.206 (a machine that called itself "mac.com"). Interestingly, it appears that the Mindspring machine ignored the unreliable "HELO" information supplied by the machine at 220.127.116.11 and performed a "reverse DNS" lookup on the address, which it says is actually "user-1120m9a.dsl.mindspring.com." This behavior is not typical, but is a nice touch by Mindspring that makes forgery harder for spammers using their network.
So, we now know that this junk email originated at IP address 18.104.22.168, and was sent through a Mindspring SMTP server at 22.214.171.124. In the next section we will discover how to find out who owns those addresses. But for now, a few more notes about reading "Received:" headers:
Junk emailers know that they can be tracked through the "Received:" lines in the headers. Therefore, they often attempt to obfuscate the headers to confuse matters, typically by inserting bogus "Received:" lines of their own below the genuine ones. Although "Received:" headers can also be forged, it is somewhat more difficult than simply forging the return address, and a forged line can only ever sit below the lines added by servers the spammer does not control.
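To make the walk through the "Received:" chain above mechanical, here is an added example (my own code, not part of the original page) that parses a constructed header block modelled on the hops described above, trusts each hop only while the "by" host matches the peer the previous trusted server recorded, and reports the originating and relay IPs to look up in the next step. Host names are taken from the article; the IP addresses and the third, spammer-supplied "Received:" line are constructed, and MY_INBOUND_SERVER is assumed to be my ISP's incoming server.

```python
import re

# Constructed sample mirroring the hop chain described above: host names from
# the article, IPs swapped for RFC 5737 documentation addresses. Newest hop
# first. The last Received: line is the sort of thing a spammer adds by hand.
SAMPLE_HEADERS = """\
Received: from mclean.mail.mindspring.net (mclean.mail.mindspring.net [192.0.2.10])
\tby host13.hrwebservices.net (8.11.6/8.11.6) with ESMTP id g1P5fM12345
\tfor <Webmaster@jcrdesign.com>; Mon, 25 Feb 2002 00:41:22 -0500
Received: from mac.com (user-1120m9a.dsl.mindspring.com [198.51.100.77])
\tby mclean.mail.mindspring.net with SMTP; Mon, 25 Feb 2002 00:41:20 -0500
Received: from whitehouse.gov (whitehouse.gov [203.0.113.9])
\tby relay.elsewhere.example with SMTP; Mon, 25 Feb 2002 00:40:00 -0500
From: Lava Club <firstname.lastname@example.org>
To: Webmaster@jcrdesign.com
Subject: Party this weekend
"""

MY_INBOUND_SERVER = "host13.hrwebservices.net"  # assumed: my ISP's mail server

# "from <HELO name> (<reverse-DNS name> [<IP>]) ... by <receiving host>".
# The HELO name is whatever the sender typed; the bracketed IP is what the
# receiving server saw on the wire.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"
    r".*?\bby\s+(?P<by>[\w.-]+)",
    re.DOTALL,
)


def unfold_headers(raw):
    """Rejoin folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """One dict (helo, rdns, ip, by) per Received: header, newest first."""
    hops = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line[len("received:"):])
            if m:
                hops.append(m.groupdict())
    return hops


def trace_origin(raw, my_server=MY_INBOUND_SERVER):
    """Walk the hops top-down. A hop is trusted only if it was written by the
    host the previous trusted hop recorded as its peer; once that chain breaks,
    everything below is just a claim made by the sender. Returns the hops
    (each tagged 'trusted') and the origin IP recorded by the last good hop."""
    hops = parse_received(raw)
    expected_by, origin_ip, chain_ok = my_server, None, True
    for hop in hops:
        chain_ok = chain_ok and hop["by"].lower() == expected_by.lower()
        hop["trusted"] = chain_ok
        if chain_ok:
            origin_ip = hop["ip"]
            # The next hop down must have been written by the machine this
            # one actually talked to (reverse-DNS name, or HELO if no lookup).
            expected_by = hop["rdns"] or hop["helo"]
    return hops, origin_ip


if __name__ == "__main__":
    hops, origin = trace_origin(SAMPLE_HEADERS)
    for n, h in enumerate(hops, 1):
        status = "trusted" if h["trusted"] else "UNTRUSTED"
        print(f"hop {n} [{status}] {h['by']} <- {h['rdns']} [{h['ip']}]"
              f' HELO="{h["helo"]}"')
    print("originating IP:", origin, " SMTP relay IP:", hops[0]["ip"])
```

Note that a mismatch between the "by" host and the recorded peer ends the trust chain conservatively; the names a real server writes do not always match its reverse DNS, so treat a break as "verify by hand," not as proof of forgery.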
Apart from the headers, the junk emailer has to provide a contact in order to take money from the suckers they hope will fall for their spam. This gives you an additional avenue for punishment and retribution. Let's take a look at our example.
In this example, it is pretty clear that the advertisement comes from whoever owns "http://www.evite.com/" so in the next steps, we will determine who owns that site and target our complaint there.
Also, although perhaps not directly connected with this spam, DJ Kevin O might like to know that the good name of his Web site deephouse.com is being spamvertised by the losers at New Step Productions and the Event Notification System.
Sometimes the junk emailer will provide a valid response email address in the body of the message, or will ask you to respond by replying to the email. This is known as a spam "drop box" and is usually a violation of the hosting ISP's Terms of Service (TOS) or Acceptable Use Policy (AUP), so the reply email address is a valid complaint target as well. Never reply directly to any spammer's email address, however. In this case, a little note to Apple Computer's mac.com service will likely get mailbox email@example.com turned into a smoking crater.
Since this spammer provided a telephone number for the Lava club, it might also be worthwhile to try to call on the phone and calmly explain why junk email is a bad idea. Be aware that calling toll-free numbers reveals your number to the called party, even if you disable caller ID.
Notes about Analyzing the Junk Email Body
2.1 Determine who owns the domain(s) involved
We want to find out who owns the machine that (looks like it) sent the junk email, and also who owns the IP address of that machine (which will tell us who sells them access).
We find this information by consulting the InterNIC registration databases, which identify the registered owner of every assigned IP address on the Internet. This is sometimes referred to as "the Whois database," because it is traditionally accessed using the Whois protocol. The best way to access that information is to use Sam Spade, the most comprehensive spam-tracing tool available. You can use other tools to directly access the databases at InterNIC if you prefer (I personally like GeekTools).
SamSpade gives this result for the originating IP of our example junk email (126.96.36.199):
So this spam was sent from a DSL account on Earthlink. Now let's check out the IP of the SMTP server (188.8.131.52):
This indicates that Earthlink also owns the SMTP server through which this junk email was sent. Conclusion: Sender was an Earthlink subscriber.
It's a good idea to try to find upstream Internet service providers, particularly in the case of a spamvertised Web site. Obviously, complaining directly to a host site who thinks it's OK to spam is not going to get you far (see "Decide if you should target your complaint further upstream", below).
Because we might be interested in the upstream provider for the spamvertised Web site (www.evite.com), we are going to check all three options (Whois, IP block, and Traceroute) when we use Sam Spade this time:
IP block lookup for 184.108.40.206
traceroute to www.evite.com
This tells us that www.evite.com has an IP address of 220.127.116.11.
That IP falls into a range of addresses (18.104.22.168 - 22.214.171.124) owned by Ticketmaster Online - CitySearch, Inc.
The traceroute, which traces the connectivity path from SamSpade.org to www.evite.com, shows that pnap.net provides connectivity to www.evite.com, which will be useful if we decide we need to complain to the upstream provider.
A quick visit to www.evite.com reveals that this is an online party invitation system, which is apparently being abused by the spammer. A peek at their terms of service shows that they specifically prohibit spamvertising of this nature.
It seems pretty likely that the spammer does not own Ticketmaster, which is a huge company, so let's give them the benefit of the doubt and say that Ticketmaster is probably unaware that their electronic invitation system is being misused in this way.
2.3 Target your complaint properly
So, for our example spam, we are going to send complaints to Earthlink (owner of the originating IP host and the SMTP relay), and evite.com (the owner of the spamvertised Web site) since it seems unlikely that they are aware of this violation of their terms of service.
If it had appeared that the junk emailer was also the owner of the spamvertised Web server (for instance, the registration email address is the same as that used for responses in the junk email), we would instead complain to the upstream provider for the spamvertised site (in this case, pnap.net) in order to get the site taken down.
The effectiveness of your message depends on getting your complaint to people who can and will actually do something about it. In general, this means that you want to send your complaint to the abuse departments at the originating site, the response collection site (if any), and any spamvertised Web sites.
Don't complain to inappropriate addresses
Remember the goal here is to get the junk emailer cut off, not to anger people at the junk emailer's ISP. You will lose credibility if you are perceived as spamming random ISP addresses with your spam complaint.
Don't send your initial complaint to the administrative, technical, or zone contact in the InterNIC record. They have specific roles in terms of the domain-name registration, and aren't complaint addresses (they deal with technical problems, not social ones). Use the abuse@ and postmaster@ addresses. If you get no help from those addresses after a reasonable period of time, you might then consider escalating to other ISP contact addresses.
It might be a good idea to complain to the upstream provider(s) right away if:
Otherwise, don't bother complaining further up the ladder yet. It's just not constructive. Also, understand that big connection providers (like AT&T, for example) often are not ISPs; instead, ISPs are their customers. Therefore you will generally get a canned response from them to the effect that they don't police their customer ISPs' individual users, and recommending that you contact the ISP directly.
Of course, it is appropriate to target later complaints upstream if the site is demonstrating a clear pattern of ignoring complaints and continuing to spam:
It can be effective to CC the upstream while continuing to complain to the target site, so that the site learns that their provider has been made aware of their junk email abuse.
Once you have determined which host should receive your complaint about the junk email, there are essentially two email addresses that you should use.
Nonstandard abuse addresses: Everybody's gotta be original. There are some nonstandard complaint addresses out there, which you will usually discover via a canned response message received when you submit your complaint to the postmaster address. ISPs that insist on varying from the RFC-standard "abuse@" address should be subjected to public scorn and ridicule until they change their bone-headed policy.
There may be some disagreement about whether junk email is currently or should be illegal, but often junk email contains clearly illegal scams, offers, and frauds. This is called "wire fraud." Notification of an illegal action will probably get priority attention from an ISP--this gives you extra leverage against the junk emailer and their ISP, and you should use it. (Of course, don't claim a junk email appears to contain illegal activity unless it actually does.)
Each battle sees the other's umbered face;--William Shakespeare, King Henry V.
Nothing. That's right, don't say anything, at least not via email.
First of all, there's not much point. Odds are it's a bogus address. Most of the junk email messages I have received had forged addresses, and most of those were not real addresses anyway.
Even if it is a real response address, it may simply be a mailbot that will automatically send you more junk email as a reward for your "interest."
Generally, even the valid addresses bounce, because the mailbox is already filled with other angry messages. As I mentioned before, it also could be that the address is that of someone else the junk emailer wanted to punish.
Secondly, it has been purported on the net that email responses, especially (and perversely) responses to "REMOVE" request addresses, are in fact used to verify real email addresses, increasing the value of the list for resale. I have no proof of this, but I have seen "validated" lists of email addresses for sale. Never, ever reply to a "remove" address.
Therefore, I do not recommend responding directly to the sender by email at all.
This is not to say that you should never attempt to contact a junk emailer to express your displeasure, but I recommend fax, phone (toll-free is even better) or even regular snail-mail (see Phone, Fax, and Snail Mail Responses, below). There is no reason that you should have to reveal your name or email address just to lodge a complaint.
3.2 What To Say to the Postmaster or Abuse addresses
The postmaster message has the greatest chance of being effective, so I spend the most effort on that. I send this to the abuse and postmaster addresses of the involved sites (as determined above), suggesting that they might want to have a little talk with their junk-emailing user.
I include all the text of the original junk email, including all headers. I emphasize that I have had no former correspondence with the junk emailer, and that the mail is completely unsolicited. I try to remember that it's not really the postmaster's fault, so I try to keep nasty comments to a minimum (as much as I can). Because I occasionally get a clueless "why-don't-you-just-use-the-'remove'-address" in response to my complaint, I also outline why I consider unsolicited commercial messages such as this unacceptable.
Here's what I currently send (I fill in the XXXXs with the relevant information); feel free to use this or modify it as you see fit:
Subject: Junk Email From Your Site: (Subject: [original subject goes here])
A user on your system has sent me (and apparently many others) the
following unsolicited commercial email. You are being contacted either
because the message originated at your site, used your SMTP mailer, has
replies directed to your site, or solicited visits to a Web page hosted by
The message originated at: XXXX
using SMTP server: XXXX
the sender claims to be: XXXX
replies directed to: XXXX
removal requests are directed to: XXXX
the message solicits visits to the Web site at: XXXX
I have to pay for my email, like most people, and I don't appreciate being
forced to pay for unsolicited commercial messages such as this. My private
email facilities are not an advertising medium for your users. This abused
my resources and wasted my time, which is valuable to me.
Even if the sender's message claims that I will receive no other messages
from them, it is still completely unacceptable that I (and other
recipients) have been forced to subsidize the cost of this advertisement. I
have received nothing of value in return for this unauthorized commercial
use of my email resources.
Likewise, if the sender purports to honor requests to remove my address
from their unwelcome mailing list, that does not make this cost-shifting
acceptable--I did not sign up to any sort of LISTSERV or majordomo list in
the first place, nor did I request any information from this user. It is
abuse and forgery to put someone's email address on a mailing list without
their permission or knowledge.
I have NOT replied to the apparent sender nor any "remove" addresses
because it has been my experience that such requests are not honored, but
instead are used to create lists of validated email addresses which are
resold, resulting in more junk email.
I will consider any further communication from this person harassment. I
respectfully request that you, as sysop, take whatever steps are necessary
to prevent this from happening to me or anyone else again. No legitimate
Internet providers allow this kind of abuse from their sites.
[full junk email message text (including all headers) goes here]
3.3 Responses to Illegal Activities
If the junk email looks like a fraud or solicits criminal activity, change the subject to "Illegal activity at your site: [original subject goes here]"--This can help get the ISP's attention. Also, you should forward the message to the appropriate authorities, as described above. You should make it clear in your message to the postmaster and the Fraud Center, etc. why you think the junk email message indicates illegal activities. Obviously, you need to tailor such a response to the type of crime or scam in the junk email, so I don't have a canned template.
Often, you may want to pursue other available means of contact, if you feel they might be more effective than an email message.
If the junk emailer or their advertisers included a phone number, and you feel like dropping a few dimes on them, by all means call on the good old POTS network and vocalize your complaint. Especially if they are silly enough to provide an 800 or 888 toll-free number--here's your chance to shift the communication cost to them, for a change.
Be polite when you call. Remember that the advertiser may just be an ignorant newbie victim of a greedy junk email reseller (they've got to be pretty clueless to include a phone number). Don't call repeatedly or harass them--that's illegal, and also you've then sunk as low as the junk emailers (see "What not to do"). Try to educate them. Calmly explain why junk email is wrong and unacceptable, and that you'll never buy anything advertised that way. You don't have to give them your name or email address just to complain (though be aware that if you use a toll-free number, they have a record of the calling phone number on their bill).
You can also send a complaint fax to any fax numbers included in the junk email. However, it is technically illegal to send a fax without including your own fax number in the header of each page. Be sure to include a copy of the entire message, and use a big enough font so that it is clearly readable!
If there is a postal address (there often is, especially if they want you to send money) and you have an extra stamp lying around, you may want to send a paper response. Again, don't threaten or be overly nasty.
These instructions should allow you to track down a junk emailer and get their access to the Internet terminated. However, I would be lying to you if I claimed that following these steps will eliminate or even noticeably decrease the amount of junk email you will receive. Getting individual spammers nuked may give you some satisfaction, but it will not solve the root causes of the problem. We need legislative tools that will allow individual victims to sue and collect from junk emailers. Unfortunately, the Forces of Evil like the Direct Mail Association (DMA), "the people who brought you junk paper mail," have successfully blocked or gutted any legislative relief from this scourge on the Internet. Write your legislators today and tell them you want confirmed opt-in written into law, and a real right of individual action so that people can enforce their rights to be junk-email-free.
So, what happened to the spammer in my example spam? The Earthlink Abuse department sent me a nice email stating that after investigation, "The account responsible has been identified and terminated."
Monday, February 25, 2002 at 1:00:46 AM by JCR