The Campaign to Stop Junk Email


Dealing with Junk Email (A Victim's Primer)

What you should do (and not do) when you have been victimized by a junk emailer.

This document teaches you how to read headers in order to trace the origin of junk email, and includes detailed examples to show you how it is done. Headers are designed for computers to read, not people, so they can be a little hard to follow. Therefore, I hereby grant permission to print or electronically save a copy of this page on your local machine for your personal use while tracing junk email. Please check back for updates and corrections, though.

Otherwise, I would prefer that you just refer people to this site via the URL to get their own copy. If you really feel you need to forward copies of this material throughout your organization or otherwise distribute or republish it, you will have to secure my written permission first (I consider my PGP-signed email to be "written" for this purpose).


On This Page

  • What Not To Do Stuff that doesn't work
  • What to do effective techniques, including how to trace junk email back to its source
  • Stay Calm (take a deep breath...)
  • Stay Mad (don't get discouraged)
  • Ready... Gather info, how to identify the sender and who gives them Internet access
  • Aim... Who to complain to, abuse addresses, online services
  • Fire! What to say and how to say it, effective complaining, leveraging illegal scam messages, phone calls, faxes.

  • What not to Do

    First of all, there are some things you really shouldn't do. Trust me.

    Mailbombing

    I have often had the urge to send a multi-megabyte BLOB file attachment in reply to the junk mailer, to sink their in-box. Or to mailbomb them. It's hard to resist. But, sadly, it's also not very satisfying, once you learn that it just isn't very effective. Junk emailers are getting more savvy. Often mail sent to the return address bounces because the return address is forged. Sometimes (when you're lucky) the system operator has already yanked the account when they discovered that the junk mailer was abusing the net in this way. Sometimes everyone else had the same idea, and all the disk space on the offender's mail server has already been consumed.

    There are also unintended consequences and side-effects for this kind of retributive action, which you should consider. First of all, if the address is forged on purpose (not that hard to do), the person in the reply-to might be the hapless victim of a reverse mailbombing.

    Even if this is not the case, causing a mail server to crash affects all the other innocent users on that system. Sure, I could rationalize that this will give them some incentive to deal with the offender, but if this happened to me I wouldn't have any idea which of my co-users was junk mailing from my ISP's server. All I'd know is that the mail server was unavailable. In addition, intentionally trying to crash a machine through mailbombing is technically a Denial-of-Service Attack, a computer crime (at least in the United States.)

    If the systems operator has done their job and terminated the account, you are just adding to their headache by mailbombing the address. Plus, the sysop is probably much better at it than you are. This means that you might just have your own mailbox squashed like an irritating mosquito.

    Phone Calls and Other Abuse

    If a junk email has a phone number in it for responses, especially a toll-free 800 or 888 number, it's obvious that the sender is either A) completely clueless about the Internet and its denizens, B) attempting to pull a nasty prank on someone they don't like very much or C) someone who just exploited the owner of the phone number by charging them for a "really good advertising opportunity on the Internet." No one who knows anything about the nature of the Internet would willingly or knowingly open themselves up for the inevitable massive abuse that's about to rain down on them via their telephone or fax machine.

    It's certainly acceptable to call once to calmly explain why you object to their junk email, or to send a single, polite fax. But think about this: If the bulk email mailing-list vendors are telling the truth, the lists have over a million supposedly valid email addresses. If the junk email included a toll-free number, suppose just one percent of the recipients were irritated enough to call in a (free, after all) complaint during the following week. That's ten thousand phone calls--more than 1,400 per day! And a lot of those calls are going to be abusive.

    I understand how angry junk email can make you. But please don't call the numbers to yell. Don't send 400-page faxes. It's really not a good idea to call the toll-free number repeatedly just to run up their bill. (For one thing, it's a crime to harass over the phone, and your calling number will appear on their bill.)

    The owner of that number is almost certainly either a victim of a selfish junk emailer (just like you) or a poor, ignorant fool about to learn a terrible lesson. I have talked to some of these people by phone, and they are usually very apologetic and repentant, and have been fielding angry phone calls all day. Feel sorry for them. Don't lower yourself to the same level as the junk emailers. Don't become an abuser.

    What To Do

    This is the technique that I have found most effective in battling junk email. I'm not saying this is the only correct response, and I still reserve the right to change my tactics in the future, but here it is, for what it's worth.

    Currently, I recommend the following three-step process (well, OK, five if you count the beta steps). Step 1: Ready... is rather lengthy because it walks you through a complete example of tracking down the origin of a junk email from the message itself--don't let it scare you: after you've seen it done, it's actually pretty quick and easy. Step 1 also gives you links to Web-accessible versions of all the tools you need to do the job. Step 2: Aim... shows you how to dig deeper and discover the identity of junk emailers, or (more importantly) the people responsible for giving them access to the Internet. Step 3: Fire! tells you how to get that access cut off by showing you the best way to proceed, what to say in your message, alternate avenues of contact, as well as when and how to go to The Proper Authorities, if necessary. This is known as applying a LART.

    Step 0.5: Stay Calm

    I know junk email can really make you angry, but you can deal with it more effectively if you take the time to target your attack correctly.

    Step 0.7: Stay Mad

    On the other hand, don't get discouraged and just delete the message without retribution. This is known as the JHD mentality, and it's just what the junk emailer wants--only people who want to send cash need respond! We must take action to get change.

    Step 1: Ready...

    ... Be ready, gods, with all your thunderbolts--William Shakespeare, Julius Cæsar.

    Gather as much information as possible. The idea is to learn where the junk emailer actually "lives" on the Internet. We do this by determining where the message originated, where it was forwarded to you, and where any spamvertised Web pages or email drop boxes are located.

    1.1 Ignore the sender's "from" email address

    It's almost certainly forged. At best it doesn't actually exist. At worst it is the real address of some innocent person who had nothing to do with this junk email. It is incredibly easy to forge an email address—it's simply a matter of typing a bogus "from" address into your mail client. (If you don't believe me, try this experiment: change the return address in your email software to "nobody@jcrdesign.com" and send a message to yourself at your real email address.) There's no point in complaining to the ISP of the "From:" address, unless the body of the spam specifically requests replies to that address for more information. More on that later.

    1.2 Determine the originating host

    This is the machine from which the junk emailer actually sent the message. We determine the originating host by reading the headers.

    Understanding the "Received:" headers

    When you send email on the Internet with a mail client (like Eudora, Elm or Pine), you use Simple Mail Transport Protocol (SMTP). Your machine (Mac, PC, Unix host, whatever) makes a connection to the SMTP server on the outgoing mail machine, and sends your message. The SMTP server forwards your message to the next SMTP server down the line, and so on, until it arrives at its destination. The "Received:" headers record this route, and allow us to trace the path of an email message back to its origin.

    • Most mail readers don't show you the full headers by default. You may need to consult the help files or documentation for your mail program of choice to discover how to view the full headers.

    • You read the "Received:" headers from bottom to top to follow the path that the message took: the topmost "Received:" header is generated by your ISP's incoming mail machine (the last one in the path), while the bottom-most unforged header is generated by the first machine in the path.

    • It is usually best to analyze the headers in reverse, from top to bottom, because the likelihood that a "Received:" header is forged increases the further down the list it is. We'll deal with spotting forged headers a little later.

    Header Decoding Example

    Here are the headers from an actual junk email I received, which we will decode as an example:

    Return-path: <ensatl@mac.com>
    Envelope-to: Webmaster@jcrdesign.com
    Delivery-date: Thu, 13 Dec 2001 23:16:57 -0500
    Received: from mclean.mail.mindspring.net ([207.69.200.57])
    by host13.hrwebservices.net with esmtp (Exim 3.33 #1)
    id 16EjmL-0004Bo-00
    for Webmaster@jcrdesign.com; Thu, 13 DEC 2001 23:16:57 -0500
    Received: from user-1120m9a.dsl.mindspring.com ([66.32.89.42] helo=mac.com)
    by mclean.mail.mindspring.net with smtp (Exim 3.33 #1)
    id 16EM2F-0001QO-01
    for Webmaster@jcrdesign.com; Wed, 12 DEC 2001 21:55:47 -0500

    Date: Wed, 12 DEC 2001 21:55:45 -0500
    From: "EVENT NOTIFICATION SYSTEM" <ensatl@mac.com>
    Message-ID: <B83D82E1.F4160@[192.168.1.100]>
    To: "Webmaster" <Webmaster@jcrdesign.com>
    Subject: E.N.S. has your Thursday and Friday covered!
    X-Mailer: eMerge 1.65

    Items in green bold are generated by my ISP's incoming mail server, so I consider them reliable.

    Items marked in grey are generated by intermediate mail-handling machines that are probably not under the spammer's control, so they are nominally reliable.

    Header items marked in red italic are generated by the spammer directly, so they are completely unreliable.

    Now let's decode the "Received:" headers of this junk email to trace the message's path back to its origin.

    Received: from mclean.mail.mindspring.net ([207.69.200.57])
    by host13.hrwebservices.net with esmtp (Exim 3.33 #1)
    id 16EjmL-0004Bo-00
    for Webmaster@jcrdesign.com; Thu, 13 DEC 2001 23:16:57 -0500

    This topmost "Received:" header line was added by my ISP's incoming mail server, "host13.hrwebservices.net," when it received this email. Because of this, I can trust the information in green as accurate. This line tells us that a machine calling itself "mclean.mail.mindspring.net" opened a mail connection from IP address 207.69.200.57 at the time indicated, and delivered this junk email to the address Webmaster@jcrdesign.com. (That address, by the way, was harvested from these very Web pages by this junk emailer or their list provider—in fact, identical junk email messages were sent to several addresses that appear on this Web site.)

    Important: note that the part right after the "from" (in this case, "mclean.mail.mindspring.net") is provided by the incoming connection, and is not actually verified by my ISP's SMTP mail machine. It is called the "HELO" response, and it is easily forged; the sending machine can enter pretty much anything it wants at the "HELO" prompt—it could have entered "whitehouse.gov," "fbi.gov," or even "Wally the Wonder Worm" and that would have appeared there. The host information between the parentheses, however—the IP address of the inbound connection, 207.69.200.57—is generated by the receiving SMTP machine from the connection itself, so it can't be forged by the sending machine.

    Received: from user-1120m9a.dsl.mindspring.com ([66.32.89.42] helo=mac.com)
    by mclean.mail.mindspring.net with smtp (Exim 3.33 #1)
    id 16EM2F-0001QO-01
    for Webmaster@jcrdesign.com; Wed, 12 DEC 2001 21:55:47 -0500

    This "Received:" header line was generated by the machine at 207.69.200.57. That machine, which calls itself "mclean.mail.mindspring.net," says it got the message from IP address 66.32.89.42 (a machine that called itself "mac.com"). Interestingly, it appears that the Mindspring machine ignored the unreliable "HELO" information inserted by the machine at 66.32.89.42 and performed a "reverse DNS" lookup on the address, which it says is actually "user-1120m9a.dsl.mindspring.com." This behavior is not typical, but it is a nice touch by Mindspring that makes forgery harder for spammers using their network.

    • Since this is the last (bottom-most) "Received:" header line, it's the end of the trail. The junk email originated at 66.32.89.42 (assuming we can trust what mclean.mail.mindspring.net tells us).
    • Just like in the topmost "Received:" header line, the IP address of the inbound connection is recorded by the Mindspring SMTP machine (mclean.mail.mindspring.net) itself, so it is harder to forge (unless this entire Received: line was inserted manually to throw us off—not likely, since there are only two).
    • Again, the "HELO" response of "mac.com" is completely arbitrary—it was created by the junk emailer's mail software on the junk emailer's machine (probably a PC) at 66.32.89.42.
    • Assuming we can trust the Mindspring machine (and since Mindspring is a big and well-known ISP, it is reasonable to believe we can), it looks like this spammer is on a Mindspring DSL connection (a connection which, if we have our way, they are about to lose).

    So, we now know that this junk email originated at IP address 66.32.89.42, and was sent through a Mindspring SMTP server at 207.69.200.57. In the next section we will discover how to find out who owns those addresses. But for now, a few more notes about reading "Received:" headers:

    Spotting and avoiding forged headers

    Junk emailers know that they can be tracked through the "Received:" lines in the headers. Therefore, they often attempt to obfuscate the headers to confuse matters. Although "Received:" headers can also be forged, it is somewhat more difficult than simply forging the return address.

    • Most of your incoming email (including junk email) will have a total of only two "Received:" lines in the headers: One generated by your ISP's incoming mail machine (indicating the address of the junk emailer's outgoing SMTP server), and one generated by the outgoing SMTP server indicating the originating IP. Although not unheard of, you should be suspicious of any additional "Received:" headers below the second one.

    • Sometimes, you will only find one "Received:" line in the headers. This is because some Spam software runs the outgoing mail server right on the junk emailer's PC (so they can avoid anti-bulk-email measures in place on their ISP's outgoing mail server). In this case, the originating address in that sole header is the source of the junk email. When you perform a traceroute or DNS lookup on that address (more on that in the next section), you often find it indicates a PPP or DSL dialup connection, with a name like "ppp-207-105-157-159.psdn11.pacbell.net"

    • Very rarely, the remote SMTP server will be running an outdated version of the software, and it will not record where the incoming connection originated. Junk emailers love to find one of these servers, because it hides their location. Your only hope in this case is to contact the owner of that server and ask them to check their logs (and to upgrade their mail server software!).

    • Forged headers will usually show discrepancies (mostly because the forger can't control headers generated by later mail machines in the path).
      • Time stamps will often be inconsistent.
      • Impossible IP addresses will be indicated in the headers (an octet over 255, or an IP address of 0.0.0.0).
      • Compare the host name in the "Message-ID:" header, which should match the host in the bottom-most "Received:" header.

    • Work your way down from the topmost "Received:" header. Once you identify a forged "Received:" line, you can safely ignore all additional "Received:" lines below it.

    More information about decoding headers is also available.
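    The top-down walk described above, as an added worked example that is not code from the original page: each "Received:" hop is split into the host named after "from", the connecting IP recorded in brackets, the HELO name, the server that wrote the line ("by") and its timestamp; hops are then checked from the top down for an impossible address, a "by" host that is not the host the line above received from, and a timestamp later than the line above, and everything below the first forged-looking line is discarded, leaving the last trusted hop as the origin. It uses only the Python standard library. The sample message is constructed from the headers quoted above; the added third "Received:" line in the forged variant, the field names, and the ten-minute clock-skew tolerance are my own assumptions.

```python
import ipaddress
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header block from the worked example above (Received:
# lines folded with tabs as a real message carries them), with an empty body.
SAMPLE_MESSAGE = """\
Received: from mclean.mail.mindspring.net ([207.69.200.57])
\tby host13.hrwebservices.net with esmtp (Exim 3.33 #1)
\tid 16EjmL-0004Bo-00
\tfor Webmaster@jcrdesign.com; Thu, 13 Dec 2001 23:16:57 -0500
Received: from user-1120m9a.dsl.mindspring.com ([66.32.89.42] helo=mac.com)
\tby mclean.mail.mindspring.net with smtp (Exim 3.33 #1)
\tid 16EM2F-0001QO-01
\tfor Webmaster@jcrdesign.com; Wed, 12 Dec 2001 21:55:47 -0500
From: "EVENT NOTIFICATION SYSTEM" <ensatl@mac.com>
Message-ID: <B83D82E1.F4160@[192.168.1.100]>

"""

# Constructed variant (assumption, not from the page): a bogus Received: line
# stuffed below the genuine ones, showing all three discrepancies at once.
FORGED_MESSAGE = SAMPLE_MESSAGE.rstrip("\n") + """
Received: from whitehouse.gov ([300.1.1.1])
\tby some.other.host with smtp
\tfor Webmaster@jcrdesign.com; Fri, 14 Dec 2001 09:00:00 -0500

"""

HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<paren>[^)]*)\)\s+by\s+(?P<by_host>\S+)"
    r".*;\s*(?P<date>[^;]+)$"
)
IP_RE = re.compile(r"\[([0-9.]+)\]")
HELO_RE = re.compile(r"helo=(\S+)")


def parse_received(value):
    """Split one Received: header into the fields discussed in the text."""
    flat = " ".join(value.split())            # undo header folding
    hop = {"raw": flat, "from_host": None, "ip": None, "helo": None,
           "by_host": None, "date": None}
    m = HOP_RE.search(flat)
    if not m:
        return hop                            # outdated server: nothing usable recorded
    hop["from_host"] = m.group("from_host")   # HELO name or reverse DNS; not proof by itself
    hop["by_host"] = m.group("by_host")       # the server that wrote this line
    ip = IP_RE.search(m.group("paren"))       # connecting IP, recorded by the receiving server
    hop["ip"] = ip.group(1) if ip else None
    helo = HELO_RE.search(m.group("paren"))
    hop["helo"] = helo.group(1) if helo else None
    try:
        hop["date"] = parsedate_to_datetime(m.group("date").strip())
    except (TypeError, ValueError):
        hop["date"] = None
    return hop


def ip_problem(ip):
    """Return why `ip` is impossible, or None if it is a well-formed address."""
    if ip is None:
        return "no connecting IP recorded"
    try:
        addr = ipaddress.IPv4Address(ip)      # rejects octets over 255
    except ValueError:
        return f"impossible address {ip}"
    if addr.is_unspecified:
        return "connecting address 0.0.0.0"
    return None


def trace(raw_message, skew=timedelta(minutes=10)):
    """Walk the Received: chain top-down; stop trusting at the first forged-looking hop."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    warnings, trusted = [], 0
    for i, hop in enumerate(hops):
        problems = []
        ip_issue = ip_problem(hop["ip"])
        if ip_issue:
            problems.append(ip_issue)
        if i > 0:
            above = hops[i - 1]
            # the host that wrote this line must be the host the line above received from
            if (hop["by_host"] or "").lower() != (above["from_host"] or "").lower():
                problems.append(f"written by {hop['by_host']} but hop above received from {above['from_host']}")
            # a lower hop happened earlier, so its stamp must not be later than the one above
            if hop["date"] and above["date"] and hop["date"] > above["date"] + skew:
                problems.append("timestamp later than the hop above it")
        if problems:
            warnings.extend(f"hop {i}: {p}" for p in problems)
            break                             # everything below a forged line is ignored
        trusted += 1
    origin = hops[trusted - 1] if trusted else None
    mid_host = re.search(r"@\[?([^\]>]+)\]?>", msg.get("Message-ID", ""))
    return {
        "hops": hops,
        "trusted_hops": trusted,
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "message_id_host": mid_host.group(1) if mid_host else None,  # for the reader to compare
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, text in (("genuine", SAMPLE_MESSAGE), ("forged hop added", FORGED_MESSAGE)):
        r = trace(text)
        print(label, "-> origin", r["origin_ip"], "helo", r["origin_helo"], r["warnings"])
```

    On the genuine sample the walk keeps both hops and reports 66.32.89.42 (HELO "mac.com") as the origin; on the forged variant the third line trips all three checks, so the trace still stops at the same origin. The Message-ID host is only reported, not judged: in this message it is a private LAN address stamped by the sender's own software, so it cannot be verified against the Received chain.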

    1.3 Finding additional targets in the body of the junk email

    Regardless of the headers, the junk emailer has to provide a contact in order to take money from the suckers they hope will fall for their spam. This gives you an additional avenue for punishment and retribution. Let's take a look at our example junk email:

    MAXIM MAGAZINE and NAUTICA JEANS have invited you to MEET MAXIM FEATURE
    MODEL SUNNY MABREY at The Nautica Store at Lenox Square Mall! Sounds
    provided by Atlanta dj J-Luv! Come and receive complementary VIP tickets to
    see NIKKA COSTA perform LIVE on Thursday, December 13th at Earthlink Live
    in Atlanta! Please click on the link below for details. Meet and greet
    starts at 6 p.m. sharp so don't be late!
    http://www.evite.com/r?iid=ZUSKEOSJIZISNLGTRBZV
    _________________________________________________
    Lava Midtown, Friday December 14th 2001 10p.m.- 4a.m.
    Essence n. that which makes a thing what it is....
    provided by djs
    Kevin O (deephouse.com, rewind)
    Daniel Gresham (crescent room)
    Brian Dotson (lava)
    Come out to Atlanta's most beautiful club for something a little
    different...
    Lava 13th street Atlanta Ga 30309
    404-873-4202 21+ please
    _________________________________________________
    To be removed from The Event Notification System, please reply with REMOVE
    in the header. We do not want you to be subscribed if you do not want to
    be. However we would like you to stay subscribed for our bi- monthly text
    only newsletter. This newsletter is about music, clubs, and live events in
    the Southeast, and we think that you would truely enjoy the events we
    promote . If you want to be removed we understand fully, but you will be
    excluding yourselves from special e-mail only information, discounted
    admissions and more.. Thank you for your time.
    New Step Promotions and The Event Notification System.
    ensatl@mac.com

    In this example, it is pretty clear that the advertisement comes from whoever owns "http://www.evite.com/", so in the next steps we will determine who owns that site and target our complaint there.

    Also, although perhaps not directly connected with this spam, DJ Kevin O might like to know that the good name of his Web site deephouse.com is being spamvertised by the losers at New Step Productions and the Event Notification System.

    Sometimes the junk emailer will provide a valid response email address in the body of the message, or will ask you to respond by replying to the email. This is known as a spam "drop box" and is usually a violation of the hosting ISP's Terms of Service (TOS) or Acceptable Use Agreement (AUP), so the reply email address is a valid complaint target as well. Never reply directly to any spammer's email address, however. In this case, a little note to Apple Computer's mac.com service will likely get mailbox ensatl@mac.com turned into a smoking crater.

    Since this spammer provided a telephone number for the Lava club, it might also be worthwhile to try to call on the phone and calmly explain why junk email is a bad idea. Be aware that calling toll-free numbers reveals your number to the called party, even if you disable caller ID.

    Notes about Analyzing the Junk Email Body

    • Often a junk emailer will not provide any valid network information in the body of the message, and instead will only include telephone numbers or snail mail addresses.

    • Note that you should directly examine the HTML code of any HTML-formatted junk email you encounter for any trick links. For example, the hypertext link may look something like http://www.innocentparty.com/ but examining the code shows that clicking the link really takes you to http://www.spammersite.com/ (The HTML code would be <A HREF="http://www.spammersite.com/">click here to go to http://www.innocentparty.com/</A>)

    • Sometimes URLs in the email body will be in an obfuscated form like "http://123456789/" instead of the traditional dotted quad (http://123.123.123.123/), or will be extremely long URLs with redirects, extraneous junk, and % encoding. You can decode those URLs using the excellent "Obfuscated URLs" tool in Sam Spade.
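    An added example in Python, not code from the original page or from Sam Spade, that does the two checks in the last two bullets: it pulls every link out of an HTML-formatted junk email and compares the host the link really points at (the href) with any URL shown in the link's visible text, and it turns a host written as one decimal number or with %-encoded characters back into the host a browser would actually contact. The sample HTML is constructed; the decimal value 2071690107 is 123.123.123.123 written as a single number, chosen to match the dotted quad quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: the trick link quoted in the bullet above, a decimal-host
# link padded with %-encoded junk, and an honest link for comparison.
SAMPLE_HTML = """
<p>Meet us tonight!
<A HREF="http://www.spammersite.com/">click here to go to http://www.innocentparty.com/</A></p>
<p>Details: <a href="http://2071690107/r?go=%2Fpromo&pad=%41%41%41%41">http://2071690107/</a></p>
<p>Details: <a href="http://www.evite.com/r?iid=ZUSKEOSJIZISNLGTRBZV">http://www.evite.com/</a></p>
"""

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a ...>...</a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":                        # HTMLParser lower-cases tag and attribute names
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def decimal_host_to_dotted(host):
    """A host written as one 32-bit number (http://123456789/) -> dotted quad; others pass through."""
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        n = int(host)
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return host


def real_host(url):
    """Host the browser would actually connect to, after undoing %-encoding and decimal form."""
    host = unquote(urlsplit(url).hostname or "")
    return decimal_host_to_dotted(host)


def analyze_links(html):
    """Compare where each link says it goes with where it really goes."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        real = real_host(href)
        shown = [real_host(u) for u in URL_IN_TEXT.findall(text)]
        report.append({
            "text": text,
            "href": href,
            "real_host": real,
            "shown_hosts": shown,
            "disguised": real != (urlsplit(href).hostname or ""),  # needed decoding to read
            "mismatch": any(s != real for s in shown),            # link text points elsewhere
        })
    return report


if __name__ == "__main__":
    for row in analyze_links(SAMPLE_HTML):
        flag = "TRICK LINK" if row["mismatch"] else ("disguised" if row["disguised"] else "ok")
        print(f"{flag:10} text={row['text']!r} really goes to {row['real_host']}")
```

    The first link is reported as a trick link (text says innocentparty.com, href goes to spammersite.com), the second as disguised (the decimal host decodes to 123.123.123.123, which is what its text also shows once decoded), and the evite.com link as consistent. The decoded host is what you look up in the next step; the query string after it is the "extraneous junk" and can be ignored for that purpose.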

    Step 2: Aim...

    ... Find out the cause of this effect--Or rather say, the cause of this defect--William Shakespeare, Hamlet.

    2.1 Determine who owns the domain(s) involved

    We want to find out who owns the machine that (looks like it) sent the junk email, and also who owns the IP address of that machine (which will tell us who sells them access).

    We find this information by consulting the InterNIC registration databases, which identify the registered owner of every assigned IP address on the Internet. This is sometimes referred to as "the Whois database," because it is traditionally accessed using the Whois protocol. The best way to access that information is to use Sam Spade, the most comprehensive spam-tracing tool available. You can use other tools to directly access the databases at InterNIC if you prefer (I personally like GeekTools).

    SamSpade gives this result for the originating IP of our example junk email (66.32.89.42):

    66.32.89.42 has valid reverse DNS of user-1120m9a.dsl.mindspring.com
    whois -h magic 66.32.89.42
    Trying whois -h whois.arin.net 66.32.89.42
    EarthLink Network, Inc. (NETBLK-EARTHLINKDSL-2BLK)
       3100 New York Drive
       Pasadena,  CA  91107
       US
       Netname: EARTHLINKDSL-2BLK
       Netblock: 66.32.0.0 - 66.32.223.255
       Maintainer: ERAD
       Coordinator:
          Earthlink Network, Domain Administrator  (DAE4-ARIN)  arinpoc@corp.earthlink.net
          626-296-2400 (FAX) 626-296-5113 (FAX) 626-296-5113
       Domain System inverse mapping provided by:
       ITCHY.MINDSPRING.NET 207.69.200.210
       SCRATCHY.MINDSPRING.NET 207.69.200.211
       Record last updated on 10-Jan-2002.
       Database last updated on  23-Feb-2002 19:56:39 EDT.

    So this spam was sent from a DSL account on Earthlink. Now let's check the IP of the SMTP server (207.69.200.57):

    207.69.200.57 has valid reverse DNS of mclean.mail.mindspring.net
    whois -h magic 207.69.200.57
    Trying whois -h whois.arin.net 207.69.200.57
    EarthLink, Inc. (NET-EARTHLINK2000-D)
       3100 New York Drive
       Pasadena, CA 91107
       US
       Netname: EARTHLINK2000-D
       Netblock: 207.69.0.0 - 207.69.255.255
       Maintainer: ERMS
       Coordinator:
          Earthlink Network, Domain Administrator  (DAE4-ARIN)  arinpoc@corp.earthlink.net
          626-296-2400 (FAX) 626-296-5113 (FAX) 626-296-5113
       Domain System inverse mapping provided by:
       ITCHY.MINDSPRING.NET 207.69.200.210
       SCRATCHY.MINDSPRING.NET 207.69.200.211
       Record last updated on 20-Apr-2000.
       Database last updated on  23-Feb-2002 19:56:39 EDT.

    This indicates that Earthlink also owns the SMTP server through which this junk email was sent. Conclusion: Sender was an Earthlink subscriber.

    2.2 Determine the upstream provider(s)

    It's a good idea to try to find upstream Internet service providers, particularly in the case of a spamvertised Web site. Obviously, complaining directly to a host site who thinks it's OK to spam is not going to get you far (see "Decide if you should target your complaint further upstream", below).

    Because we might be interested in the upstream provider for the spamvertised Web site (www.evite.com), we are going to check all three options (Whois, IP block, and Traceroute) when we use Sam Spade this time:

    www.evite.com resolves to 209.104.61.200
    Mail for www.evite.com is handled by x.mx.tmcs.net (10) 209.104.63.240 y.mx.tmcs.net (10) 209.104.63.241
    whois -h magic www.evite.com
    evite.com is registered with REGISTER.COM, INC. - redirecting to whois.register.com
    whois -h whois.register.com evite.com

    [...]

       Organization:
          Ticketmaster
          TMCS Hostmaster
          790 East Colorado Blvd Suite 200
          Pasadena, CA 91101
          US
          Phone: 626-405-0050
          Fax..: 626-405-9929
          Email: hostmaster@unix.citysearch.com
       Registrar Name....: Register.com
       Registrar Whois...: whois.register.com
       Registrar Homepage: http://www.register.com
       Domain Name: EVITE.COM
          Created on..............: Fri, Sep 18, 1998
          Expires on..............: Fri, Sep 17, 2010
          Record last updated on..: Thu, Apr 05, 2001
       Administrative Contact:
          Ticketmaster
          TMCS Hostmaster
          790 East Colorado Blvd Suite 200
          Pasadena, CA 91101
          US
          Phone: 626-405-0050
          Fax..: 626-405-9929
          Email: hostmaster@unix.citysearch.com
       Technical Contact:
          Ticketmaster
          TMCS Hostmaster
          790 East Colorado Blvd Suite 200
          Pasadena, CA 91101
          US
          Phone: 626-405-0050
          Fax..: 626-405-9929
          Email: hostmaster@unix.citysearch.com
       Zone Contact:
          Register.Com
          Registrar Internic
          575 8th Avenue
          New York, NY 10018
          US
          Phone: 212-594-9880
          Fax..: 212-594-9876
          Email: internic-free@register.com
       Domain servers in listed order:
       C.NS.TMCS.NET                                     209.104.39.252    
       A.NS.TMCS.NET                                     209.104.63.252    
       B.NS.TMCS.NET                                     209.104.33.252    

    IP block lookup for 209.104.61.200

    whois -h magic 209.104.61.200
    www.evite.com resolves to 209.104.61.200
    Trying whois -h whois.arin.net 209.104.61.200
    Ticketmaster Online - CitySearch, Inc. (NETBLK-TMCS-BLK-1)
       790 E. Colorado Blvd. Suite 200
       Pasadena, CA 91101
       US
       Netname: TMCS-BLK-1
       Netblock: 209.104.32.0 - 209.104.63.255
       Coordinator:
          Batchelor, Michael  (MB844-ARIN)  arin@unix.citysearch.com
          626-405-0050
       Domain System inverse mapping provided by:
       A.NS.TMCS.NET 209.104.63.252
       B.NS.TMCS.NET 209.104.33.252
       C.PTR.TMCS.NET 209.104.39.252
       Record last updated on 21-DEC-2000
       Database last updated on  23-Feb-2002 19:56:39 EDT.
    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    traceroute to www.evite.com

    www.evite.com resolves to 209.104.61.200
    3 198.172.117.161 3.118 ms DNS error [AS2914] Verio
    4 129.250.29.139 5.739 ms fa-6-0-0.a03.lsanca01.us.ra.verio.net [AS2914] Verio
    5 209.189.66.54 5.681 ms intrnaplax-t3.customer.ni.net [AS2914] Verio
    6 216.52.255.86 11.991 ms border1.ge4-1-bbnet2.ext1.lax.pnap.net (DNS error) [AS10912] Unknown
    7 209.104.61.200 12.112 ms evite.citysearch.com

    This tells us that www.evite.com has an IP address of 209.104.61.200.

    That IP falls into a range of addresses (209.104.32.0 - 209.104.63.255) owned by Ticketmaster Online - CitySearch, Inc.

    The traceroute, which traces the connectivity path from SamSpade.org to www.evite.com, shows that pnap.net provides connectivity to www.evite.com, which will be useful if we decide we need to complain to the upstream provider.

    A quick visit to www.evite.com reveals that this is an online party invitation system, which is apparently being abused by the spammer. A peek at their terms of service shows that they specifically prohibit spamvertising of this nature.

    It seems pretty likely that the spammer does not own Ticketmaster, which is a huge company, so let's give them the benefit of the doubt and say that Ticketmaster is probably unaware that their electronic invitation system is being misused in this way.

    2.3 Target your complaint properly

    So, for our example spam, we are going to send complaints to Earthlink (owner of the originating IP host and the SMTP relay), and evite.com (the owner of the spamvertised Web site) since it seems unlikely that they are aware of this violation of their terms of service.

    If it had appeared that the junk emailer was also the owner of the spamvertised Web server (for instance, the registration email address is the same as that used for responses in the junk email), we would instead complain to the upstream provider for the spamvertised site (in this case, pnap.net) in order to get the site taken down.

    The effectiveness of your message depends on getting your complaint to people who can and will actually do something about it. In general, this means that you want to send your complaint to the abuse departments at the originating site, the response collection site (if any), and any spamvertised Web sites.

    Don't complain to inappropriate addresses

    Remember the goal here is to get the junk emailer cut off, not to anger people at the junk emailer's ISP. You will lose credibility if you are perceived as spamming random ISP addresses with your spam complaint.

    Don't send your initial complaint to the administrative, technical, or zone contact in the InterNIC record. They have specific roles in terms of the domain-name registration, and aren't complaint addresses (they deal with technical problems, not social ones). Use the abuse@ and postmaster@ addresses. If you get no help from those addresses after a reasonable period of time, you might then consider escalating to other ISP contact addresses.

    Decide if you should target your initial complaint further upstream.

    It might be a good idea to complain to the upstream provider(s) right away if:

    • The junk email indicates or solicits illegal activity like pyramid scams, wire or mail fraud, child pornography, etc. You should also report these to the proper authorities.

    • The site demonstrates an official policy of email abuse--for example, a stated "opt-out" policy (i.e., "We will continue to junk email you until you visit our site and ask us nicely to stop")

    • The site violates its own stated policy on email abuse--for example, you filled out a Web form and checked the box that said "Don't send me email offers" and the site spammed you anyway

    • The technical contact, zone contact, and/or administrative contact listed at InterNIC is the same address that sent you the junk email. This indicates that the postmaster and the junk emailer are the same person--king of their own domain.

    • The sending host name indicates a pattern of abuse is likely (for instance, if the InterNIC indicates the owner of the domain name is "junkmails-r-us.com").

    Otherwise, don't bother complaining further up the ladder yet. It's just not constructive. Also, understand that big connection providers (like AT&T, for example) often are not ISPs; instead, ISPs are their customers. Therefore you will generally get a canned response from them to the effect that they don't police their customer ISPs' individual users, and recommending that you contact the ISP directly.

    Of course, it is appropriate to target later complaints upstream if the site is demonstrating a clear pattern of ignoring complaints and continuing to spam:

    • You got no response to earlier complaints sent to the originating site.

    • This is your second junk email after a complaint to the originating site.

    It can be effective to CC the upstream while continuing to complain to the target site, so that the site learns that their provider has been made aware of their junk email abuse.

    Complaint email addresses

    Once you have determined which host should receive your complaint about the junk email, there are essentially two email addresses that you should use.

    • Postmaster@[host.domain] The Internet Request For Comments (or RFC) documents, which are the written definitions of the protocols and policies of the Internet, require that any host that can send mail on the Internet have a human monitoring the address postmaster@[host.domain]. So, for example, if you want your complaint email to reach the Official Human at junkmailer.com, send it to postmaster@junkmailer.com. If a Postmaster address ever bounces, immediately escalate to the upstream provider.

    • abuse@[host.domain] Because the postmaster address also has other duties, including dealing with technical issues like mail routing glitches, many providers support the "abuse@" address specifically to deal with issues like junk email, Usenet spam, harassment, and general "inappropriate public behavior" by their customers. The RFCs strongly recommend supporting the abuse address. If available, this address is usually a better choice than postmaster, because it is read by the people who specifically deal with email abuse issues and violations of the ISP's Terms of Service, so it often produces faster and more effective results. Unfortunately, not all providers support the "abuse@" address. As a matter of practice, I send my complaints to both the abuse@ and postmaster@ addresses, unless I know from previous experience that the abuse address at a particular domain is active and monitored.

    Nonstandard abuse addresses Everybody's gotta be original. There are some nonstandard complaint addresses out there, which you will usually discover via a canned response message received when you submit your complaint to the postmaster address. ISPs that insist on varying from the RFC-standard "abuse@" address should be subjected to public scorn and ridicule until they change their bone-headed policy.

    Illegal Activities

    There may be some disagreement about whether junk email is currently or should be illegal, but often junk email contains clearly illegal scams, offers, and frauds. This is called "wire fraud." Notification of an illegal action will probably get priority attention from an ISP--this gives you extra leverage against the junk emailer and their ISP, and you should use it. (Of course, don't claim a junk email appears to contain illegal activity unless it actually does.)

    • Illegal activity by email is no different (or less illegal) than criminal activities by phone or snail-mail.

    • Scams and fraud junk email should be reported to the Fraud Information Center. Their email address is fraudinfo@psinet.com. You can also call toll-free at 1-800-876-7060 or fax 202-835-0767. The snail-mail address is P O Box 65868, Washington, DC 20035.

    • Consumer fraud involving United States residents can be reported to the Federal Trade Commission. Staff contact: Bureau of Consumer Protection, Ms. Broder, 202-326-3224 (number may need to be updated), bbroder@ftc.gov. Junk email in general can be forwarded to uce@ftc.gov (they get 10,000 junk emails per day there, so don't expect a personal response).

    • If the junk email asks you to send money through the snail mail, you can sic the US Postal Inspectors on the perpetrator, as discussed elsewhere.

    • Unsolicited stock "tips" and offers can be reported to the Securities and Exchange Commission (SEC) Division of Enforcement Complaint Center, which has an excellent Complaint Form. Their email address is enforcement@sec.gov. The Enforcement Internet Fraud Hotline is (202) 942-4647; you can also call toll-free at 1-800-SEC-0330, or fax (202) 942-9618. The snail-mail address is SEC Division of Enforcement, Mail Stop 4-3A, 450 Fifth Street, N.W., Washington, DC 20549.

    • Solicitations or offers of pirated software can be forwarded to the Software Publishers Association at piracy@spa.org. Or you can fill out an online piracy report form.

    Step 3: Fire!

    Fire answers fire, and through their paly flames
    Each battle sees the other's umbered face;--William Shakespeare, King Henry V.

    3.1 What To Say to the Sender

    Nothing. That's right, don't say anything, at least not via email.

    First of all, there's not much point. Odds are it's a bogus address. Most of the junk email messages I have received had forged addresses, and most of those were not real addresses anyway.

    Even if it is a real response address, it may simply be a mailbot that will automatically send you more junk email as a reward for your "interest."

    Generally, even the valid addresses bounce, because the mailbox is already filled with other angry messages. As I mentioned before, it also could be that the address is that of someone else the junk emailer wanted to punish.

    Secondly, it has been purported on the net that email responses, especially (and perversely) responses to "REMOVE" request addresses, are in fact used to verify real email addresses, increasing the value of the list for resale. I have no proof of this, but I have seen "validated" lists of email addresses for sale. Never, ever reply to a "remove" address.

    Therefore, I do not recommend responding directly to the sender by email at all.

    This is not to say that you should never attempt to contact a junk emailer to express your displeasure, but I recommend fax, phone (toll-free is even better) or even regular snail-mail (see Phone, Fax, and Snail Mail Responses, below). There is no reason that you should have to reveal your name or email address just to lodge a complaint.

    3.2 What To Say to the Postmaster or Abuse addresses

    The postmaster message has the greatest chance of being effective, so I spend the most effort on that. I send it to the abuse and postmaster addresses of the involved sites (as determined above), suggesting that they might want to have a little talk with their junk-emailing user.

    I include all the text of the original junk email, including all headers. I emphasize that I have had no former correspondence with the junk emailer, and that the mail is completely unsolicited. I try to remember that it's not really the postmaster's fault, so I try to keep nasty comments to a minimum (as much as I can). Because I occasionally get a clueless "why-don't-you-just-use-the-'remove'-address" in response to my complaint, I also outline why I consider unsolicited commercial messages such as this unacceptable.

    Here's what I currently send (I fill in the XXXXs with the relevant information); feel free to use this or modify it as you see fit:


    Subject: Junk Email From Your Site: (Subject: [original subject goes here])

    Dear Postmaster,

    A user on your system has sent me (and apparently many others) the
    following unsolicited commercial email. You are being contacted either
    because the message originated at your site, used your SMTP mailer, has
    replies directed to your site, or solicited visits to a Web page hosted by
    your site.

    The message originated at: XXXX
    using SMTP server: XXXX
    the sender claims to be: XXXX
    replies directed to: XXXX
    removal requests are directed to: XXXX
    the message solicits visits to the Web site at: XXXX

    I have to pay for my email, like most people, and I don't appreciate being
    forced to pay for unsolicited commercial messages such as this. My private
    email facilities are not an advertising medium for your users. This abused
    my resources and wasted my time, which is valuable to me.

    Even if the sender's message claims that I will receive no other messages
    from them, it is still completely unacceptable that I (and other
    recipients) have been forced to subsidize the cost of this advertisement. I
    have received nothing of value in return for this unauthorized commercial
    use of my email resources.

    Likewise, if the sender purports to honor requests to remove my address
    from their unwelcome mailing list, that does not make this cost-shifting
    acceptable--I did not sign up to any sort of LISTSERV or majordomo list in
    the first place, nor did I request any information from this user. It is
    abuse and forgery to put someone's email address on a mailing list without
    their permission or knowledge.

    I have NOT replied to the apparent sender nor any "remove" addresses
    because it has been my experience that such requests are not honored, but
    instead are used to create lists of validated email addresses which are
    resold, resulting in more junk email.

    I will consider any further communication from this person harassment. I
    respectfully request that you, as sysop, take whatever steps are necessary
    to prevent this from happening to me or anyone else again. No legitimate
    Internet providers allow this kind of abuse from their sites.

    Thanks,

    John


    [full junk email message text (including all headers) goes here]
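    As an added worked example (not part of the original page), the following Python script extracts the six values the template's XXXX slots ask for from a raw junk message and derives the abuse@ and postmaster@ addresses of every site the template gives as a reason for contact. The message and all hosts and addresses in it are constructed, reserved example names; the rule that a domain is its last two labels is a simplification that ignores ccTLD-style registries.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample junk email; every host and address is a made-up example name.
RAW_JUNK = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
  by mx.victim.example with ESMTP id ABC123; Mon, 25 Feb 2002 01:00:00 -0500
Received: from dialup-42.junkmailer.example ([198.51.100.42])
  by mail.example-isp.net with SMTP; Mon, 25 Feb 2002 00:59:00 -0500
From: "Big Deals" <offers@bogus-sender.example>
Reply-To: replies@collector.example
Subject: MAKE MONEY FAST!!!

Visit http://www.spamvertised.example/deal now!
To be removed, mail remove@collector.example
"""

def domain_of(name):
    """Mailbox part after '@' or a host, cut to its last two labels (no ccTLD handling)."""
    host = name.split("@")[-1].rstrip(".")
    return ".".join(host.split(".")[-2:])

def extract_fields(raw):
    """Pull the values the template's XXXX slots ask for out of a raw junk message."""
    msg = message_from_string(raw)
    # Relays prepend Received: headers, so the last one is the earliest hop: its
    # 'from' is the originating host and its 'by' the SMTP server that accepted it.
    first_hop = msg.get_all("Received")[-1]
    body = msg.get_payload()
    remove = re.search(r"\bremove\S*@[\w.-]+", body, re.I)
    site = re.search(r"https?://([^\s/]+)", body)
    return {
        "originated_at": re.search(r"from\s+(\S+)", first_hop).group(1),
        "smtp_server": re.search(r"\bby\s+(\S+)", first_hop).group(1),
        "sender": parseaddr(msg["From"])[1],
        "reply_to": parseaddr(msg.get("Reply-To", msg["From"]))[1],
        "remove_address": remove.group(0) if remove else "none",
        "web_site": site.group(1) if site else "none",
    }

def complaint_targets(fields):
    """abuse@ and postmaster@ of each site the template names as a reason for contact;
    the claimed sender is skipped because, as the text notes, it is usually forged."""
    keys = ("originated_at", "smtp_server", "reply_to", "remove_address", "web_site")
    domains = {domain_of(fields[k]) for k in keys if fields[k] != "none"}
    return sorted(f"{box}@{d}" for d in domains for box in ("abuse", "postmaster"))
```

Running `complaint_targets(extract_fields(RAW_JUNK))` on the sample yields eight addresses across the originating domain, the relay, the reply/removal collector and the spamvertised site, and none for the forged From domain.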

    3.3 Responses to Illegal Activities

    If the junk email looks like a fraud or solicits criminal activity, change the subject to "Illegal activity at your site: [original subject goes here]"--This can help get the ISP's attention. Also, you should forward the message to the appropriate authorities, as described above. You should make it clear in your message to the postmaster and the Fraud Center, etc. why you think the junk email message indicates illegal activities. Obviously, you need to tailor such a response to the type of crime or scam in the junk email, so I don't have a canned template.

    3.4 Phone, Fax, and Snail Mail Responses

    Often, you may want to pursue other available means of contact, if you feel they might be more effective than an email message.

    If the junk emailer or their advertisers included a phone number, and you feel like dropping a few dimes on them, by all means call on the good old POTS network and vocalize your complaint. Especially if they are silly enough to provide an 800 or 888 toll-free number--here's your chance to shift the communication cost to them, for a change.

    Be polite when you call. Remember that the advertiser may just be an ignorant newbie victim of a greedy junk email reseller (they've got to be pretty clueless to include a phone number). Don't call repeatedly or harass them--that's illegal, and also you've then sunk as low as the junk emailers (see "What not to do"). Try to educate them. Calmly explain why junk email is wrong and unacceptable, and that you'll never buy anything advertised that way. You don't have to give them your name or email address just to complain (though be aware that if you use a toll-free number, they have a record of the calling phone number on their bill).

    You can also send a complaint fax to any fax numbers included in the junk email. However, it is technically illegal to send a fax without including your own fax number in the header of each page. Be sure to include a copy of the entire message, and use a big enough font so that it is clearly readable!

    If there is a postal address (there often is, especially if they want you to send money) and you have an extra stamp lying around, you may want to send a paper response. Again, don't threaten or be overly nasty.

    Conclusion

    These instructions should allow you to track down a junk emailer and get their access to the Internet terminated. However, I would be lying to you if I claimed that following these steps will eliminate or even noticeably decrease the amount of junk email you will receive. Getting individual spammers nuked may give you some satisfaction, but it will not solve the root causes of the problem. We need legislative tools that will allow individual victims to sue and collect from junk emailers. Unfortunately, the Forces of Evil like the Direct Mail Association (DMA), "the people who brought you junk paper mail," have successfully blocked or gutted any legislative relief from this scourge on the Internet. Write your legislators today and tell them you want confirmed opt-in written into law, and a real right of individual action so that people can enforce their rights to be junk-email-free.

    Postscript

    So, what happened to the spammer in my example spam? The Earthlink Abuse department sent me a nice email stating that after investigation, "The account responsible has been identified and terminated."


    Last Updated:
    Monday, February 25, 2002
    at 1:00:46 AM by JCR
    Webmaster@jcrdesign.com

    Copyright ©2002 John C. Rivard.
    All Rights Reserved.
    This page is subject to these Terms of Use
