Nuke that spammer! (From Oct. 27, 2000)
Let's get one thing out of the way at the top: I'm totally
in favor of marketing and advertising. Much of what I do involves
marketing and advertising. These activities are good when they're
conducted by ethical people.
Spam is not ethical. It usually involves the use of stolen SMTP (Simple
Mail Transfer Protocol) services. In many cases, the offers are fraudulent,
illegal, or questionable. Virtually every ISP and most Web hosting
organizations have terms of service (TOS) that specify what users
may not do. The TOS usually forbid spamming (either e-mail or newsgroup)
and "spamvertized" Web sites. The user who violates the TOS faces
loss of account and loss of Web site.
While sending spam violates virtually every Internet service provider's
TOS, it is not illegal in most jurisdictions. Where it is illegal,
the law cannot reasonably be enforced.
But spammers won't lose their accounts until you complain. Their Web
sites will remain open if you remain silent. We pay for the Internet.
Spammers steal from us. Stopping the vermin is up to us.
********* WARNING! *********
Under NO circumstances should you ever reply to a message that offers
to remove you from the list. Never! You are not dealing with ethical
homo sapiens. You are dealing with con masters, bunko artists, and
pathological liars. If you reply to a spam, you simply VALIDATE your
address. The spammer now knows that your address is a live one. You
will simply receive more spam.
Why spam exists
Because it works. Not well, but it works.
If someone has to pay to send messages, the response rate becomes
very important. If you don't have to pay to send a message, and spammers
don't pay because they typically steal everything they use, then the
response rate doesn't matter. If you send out 1,000,000 messages and
0.01% respond, that's 100 orders. If you're selling something for
$20, that's a quick $2000 for little or no investment.
Particularly when what you sell for 20 dollars costs 20 cents to produce
and 33 cents to mail (presuming you send anything at all). It's not
uncommon for spammers to send nothing at all to people who send them
money. Some of the worst spammers operate "pump-and-dump" stock schemes.
The cost of spam is paid by Internet backbone operators who have to
transport the junk, by ISPs who have to store it, and by consumers
who have to waste their time opening it.
Education is the answer. When people understand why spam is bad and
understand who they should complain to so spammers' accounts can be
found and nuked, the problem will go away. It will not be legislated
away.
Some say "The absolute best thing you (and everyone) can do is to
DELETE (or ignore) it."
Well, I strongly disagree! The way to stop this crap is to make the
spammer's life so miserable that he or she will stop. If someone sneaks
up onto your porch every morning and steals your newspaper, is the
best solution to just forget about it and buy another copy?
I don't think so.
If everyone simply deleted spam, eventually the network would slow
to a crawl because there would be so much junk e-mail. What happens
then? Well, ISPs will buy more (and faster) mail servers and better
connectivity for the servers. Who will pay for this?
Since nobody would be complaining, spam would continue to multiply
until it clogs the new servers and connections. Educate ISPs. Educate
spammers. Treat the cause, not the symptom.
Spammers are thieves, plain and simple. If even 10% of the people
who received a spam tracked down the ISP the spammer used for e-mail
or the Internet presence provider (IPP) for the spammer's Web site
and complained, spammers would be forced to find an easier line of
work. NOTE! Since some IPPs are in cahoots with spammers, you
may have to complain to the upstream provider.
It's not rocket science. Examine the spam's headers. Find where the
message came from and complain. If there's a Web site involved, complain.
I've managed to get numerous e-mail accounts terminated and several
Web sites shut down. This can cost the spammer some cash (besides
causing orders to be lost).
If you want to see spam continue to proliferate, just ignore it. If
you want it to go away, be a pain in the ass to spammers.
The thieves will get away with it only as long as we allow them
to.
Spammers can get your address even if you don't give it to them
Ever see an ad for 15 million "verified" addresses? Spammers have
long lists of common names (I would never have thought "blinn" to
be a "common" name) that they couple with each letter of the alphabet
(ablinn, bblinn, cblinn, and so forth). They then couple the result
with all the common domain names (aol.com, att.net) and all the obscure
domain names (blinn.com, procomp.com) that they can harvest from the
Web.
They send mail to each address.
If somebody is trusting enough to reply to the "We honor requests
to remove your address" link, the address is immediately verified
and will receive junk until flying pigs are made into silk purses
while flying over Hell's frozen landscape. These addresses are valid.
If the mail generates an error message, the spammer knows that the
address isn't valid. (Oxymoron alert!) Ethical spammers will
remove these addresses before selling the list.
If the mail doesn't generate a response or an error, it can be assumed
that the message was delivered somewhere.
Computers, of course, make this process very easy.
If you want to generate fake bounce messages, check out "Bounce Spam
Mail", freeware from a Canadian programmer. The program lets you pretend
your address is invalid and may convince spammers with elevators that
don't go all the way to the top (most of them) that your address doesn't
work. You may be able to find the program at http://www.pcworld.com/downloads/file_description.asp?fid=5402.
If the page is no longer there, search for "bsm18.zip" by Albert Yale.
NOTE: SpamKiller (see below) now offers this feature.
You could construct an address that's less vulnerable to dictionary cracks
The user name bblinn seems to be easy to find because apparently Blinn
is in the "top 500" names. If I'd used wmblinn or billblinn, it would
take them several more years. I think they'd get wmblinn first. An
address like william179blinn would be virtually impossible for anyone
to construct but would also be ugly.

How to identify spammers' real accounts
See http://www.sputum.com/sputools.html
for examples of how to track all 3 types of spammers: "Stupid clueless
newbie, posting in the clear; Careful clueless spammer/warez kiddie,
attempting pseudonymity; and Professional SpamDude, posting pseudo-anon
from rogue ISP."
How to complain
First, keep in mind that you'll be complaining to a network administrator
or postmaster -- someone who's just as interested as you are in nuking
the spammer's account. So there's no good to be gained by insulting
the person you complain to. Be polite. If you're reporting an open
relay, it may be that it's a new relay -- one the spammer just found.
Those you're complaining to will almost always want to make their
servers unavailable to spammers if for no other reason than the spam
traffic slows down their networks.
When I see an open relay, I generally just send a note to abuse (and
only to postmaster if the message to abuse bounces). In many places,
the same person receives mail to either address. I'm less interested
in the e-mail account, though, than in the Web site. Spammers simply
open a new e-mail account or steal services from another open relay.
The best thing, if they mention a Web address, is to get that shut
down. Note, though, that some spammers list Web sites that aren't
theirs in the spam. Their goal is to send you after the wrong person.
Before you report a Web site, make sure it really belongs to the spammer.
If the Web host is spammer friendly (and a few are), complain to their
upstream provider (find out who it is by using traceroute and whois).
Keep moving upstream until you find somebody who cares.
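A worked version of the header walk described above, added here and not part of the original column: it reads the Received stamps of a constructed spam newest-first, trusts only stamps written by hosts it can vouch for, and flags the bottom stamp as forged because it names an unroutable address. The host names, addresses and message text are all constructed for the example.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
# Constructed sample, not a real spam. Received stamps read newest-first: the
# top one was written by our own server, the bottom one by whoever the sender is.
SAMPLE_SPAM = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mail.yourdomain.example with ESMTP; Fri, 27 Oct 2000 09:12:00 -0400
Received: from dialup-42.isp.example ([203.0.113.42])
\tby relay.example.net with SMTP; Fri, 27 Oct 2000 09:11:30 -0400
Received: from mail.aol.com (mail.aol.com [10.0.0.1])
\tby dialup-42.isp.example with SMTP; Fri, 27 Oct 2000 09:10:00 -0400
From: "Free Money" <nobody@aol.com>
Subject: MAKE MONEY FAST!!!

Send $20 to the address below...
"""
OUR_HOSTS = {"mail.yourdomain.example"}  # our own mail servers (assumed)
UNROUTABLE = [ip_network(n) for n in     # RFC 1918 and loopback space
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
STAMP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<cmt>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_stamp(value):
    """One Received header -> (by_host, claimed_from_host, connecting_ip) or None."""
    m = STAMP_RE.search(" ".join(value.split()))
    if not m:
        return None
    ip = IP_RE.search(m.group("cmt") or "")
    return m.group("by").lower(), m.group("helo").lower(), ip.group(1) if ip else None

def trace_hops(raw, our_hosts=OUR_HOSTS):
    """Walk the stamps newest-first, keeping only the chain we can vouch for.

    A stamp counts if the host that wrote it is ours or was named as the connecting
    host by the previous trusted stamp. The walk stops at the first stamp we cannot
    vouch for, and one naming an unroutable address is flagged as forged."""
    trusted = {h.lower() for h in our_hosts}
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        parsed = parse_stamp(value)
        if parsed is None or parsed[0] not in trusted or parsed[2] is None:
            break  # chain of custody broken: nothing below is verifiable
        by_host, from_host, ip = parsed
        forged = any(ip_address(ip) in net for net in UNROUTABLE)
        hops.append({"by": by_host, "from": from_host, "ip": ip, "forged": forged})
        if forged:
            break  # nobody reaches a public relay from 10.x: the sender typed this
        trusted.add(from_host)
    return hops

def who_to_report(raw):
    """Relay that handed us the mail (its abuse@ desk) and the farthest verified origin."""
    good = [h["ip"] for h in trace_hops(raw) if not h["forged"]]
    return {"relay": good[0], "origin": good[-1]} if good else {}
```

The chain check only proves custody; a stamp written by the spammer's own machine can still name a plausible routable address, so the hop just below the last host you recognise as a real mail server is the one worth reporting.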
Administrators are badly overworked. One administrator for
a large organization has a staff of 4. They receive more than 30,000
e-mails per month concerning spam and security issues. It's important
that you send reports to the right people and that you provide adequate
information. Don't expect a personal reply; you'll probably receive
only a form letter that confirms receipt of your message. When enough
people make enough noise, spammers' accounts will be terminated with
extreme prejudice.
Information and organizations
Resources
First and foremost: http://abuse.net/.
This site has links to lots of spam-fighting sources. Specifically,
make sure you see http://spam.abuse.net/.
Second, the news.admin.net-abuse.email Usenet news group. Learn
from the pros how to track down the vermin of the Net. And if you
have a question about a specific spam, this is a good place to ask
for help.
The Mail Abuse Prevention System is a non-profit organization that
claims to defend the Internet's e-mail system from abuse by spammers.
MAPS says that it educates ISPs and encourages them to enforce strong
terms and conditions prohibiting their customers from engaging in
abusive e-mail practices. Some say that MAPS is more than a little
heavy-handed. See http://mail-abuse.org/
for information on what to report and how to report it. MAPS has 3
abuse "levels" -- the realtime blacklist (RBL) for hardcore proven
spammers, a dial-up list (DUL) that lists dial-ups that pass mail
(mail should come from a legitimate mail server and never directly
from a dial-up), and the list of known, abused open relays (RSS).
The Forum for Responsible and Ethical Email takes a somewhat softer
approach than MAPS. See http://www.spamfree.org/
for information on the organization's programs to help ISPs obtain
the software and knowledge necessary to find and remove spammers, to educate
end users in tracking and reporting spam, and to lobby governmental
bodies to pass laws to make spamming illegal.
Attempting to legislate against spam is naive because of the
way the Internet works. Make spam illegal in Ohio and the spammer
will move to Michigan. Make it illegal in the US and the spammer
will work from overseas. ISPs and "big-pipe" backbone providers
working together with end users can stop spammers without legislation.
The Coalition Against Unsolicited Commercial Email (CAUCE) is pretty
much of a yawner. It's a volunteer organization that means well. You
can join. They have PR flacks (Hey -- I'm a PR guy) to talk to the
media. You won't find much that's useful at http://www.cauce.org/.
At http://www.mindworkshop.com/alchemy/nospam.html
you'll find another guide to dealing with spam.
Spam statistics, jargon, and other useful information are at http://www.rahul.net/falk/.
Clueless mailers (this is an outstanding site): http://www.cluelessmailers.org/.
Tools
You need some good tools to help you track down the spammer. Some
of the best tools are included in Sam Spade. See http://www.samspade.org/ssw/
to download the program, which is free. The site also has some excellent
on-line detective tools.
An automated spam processor is available (free or paid) at http://www.spamcop.com/
(additional links at http://spamcop.com/).
Spamcop has discussion groups that help neophyte spamfighters learn
how to blast a spam at 30 yards. The operations security manager for
Road Runner, W. Mark Herrick, Jr., has some serious reservations about
Spamcop: "It makes lots of mistakes. Some large ISPs don't accept
Spamcop reports. SpamCop reports all IP addresses in the spam to ORBS
for 'testing'."
See ORBS at http://www.orbs.org/
for an explanation of open SMTP servers and a way to report open servers
when you find them. ORBS tries to work with system administrators
to get open relays closed. (ORBS has been accused of having a "shoot
first, ask questions later" policy. This annoys legitimate ISPs
that are truly making an effort to halt spam. Road Runner security
manager Mark Herrick discussed ORBS from the ISP's
point of view.)
One of my favorite spam fighting tools is SpamKiller (http://www.spamkiller.com/)
because it sidelines most of the crap before it gets to my machine.
When I don't have time to track down the perps, I just delete the
messages unread. SpamKiller's creator, Thor Ivar, tells me that he's
just added a feature that allows you to send an error message.
This might cause the spammer who receives responses before his account
is shut down to mark your address as bad, thus reducing the amount
of spam you receive. The response looks like this:
The original message was received at date & time
The following addresses had permanent fatal errors
<youraddress@yourdomain.com>
----- Transcript of session follows -----
... while talking to mail.yourdomain.com:
>>> RCPT To:<youraddress@yourdomain.com>
<<< 550 <youraddress@yourdomain.com>... User unknown
550 <youraddress@yourdomain.com>... User unknown
Give spammers the double-whammy: First dispatch an error message,
then report them.
Check with your own ISP's customer service department and ask
what spam prevention they use. Are they using MAPS RBL/RSS/DUL,
local blacklists, ORBS? If not, ask them why!
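An added example (not from the column or from any organization it names) of how a mail server consults one of these lists and why the ORBS "untestable netblock" entries Herrick describes further down cause false positives: it reverses the octets of the connecting address, looks the name up in a zone, and refuses mail only on a tested listing. The query results are a constructed table standing in for live DNS, the sample addresses are constructed, and the 127.0.0.2 code for a tested relay is assumed; 127.0.0.4 is the value the page quotes from ORBS.

```python
import socket
from ipaddress import ip_address

# Constructed stand-in for live DNS so the example runs offline. Keys are query
# names, values the A record the list would answer. 127.0.0.4 is the "untestable
# netblock" marker quoted from ORBS; 127.0.0.2 for a tested open relay is assumed.
FAKE_DNS = {
    "42.113.0.203.relays.orbs.org": "127.0.0.2",   # probed and found open
    "42.113.0.203.outputs.orbs.org": "127.0.0.2",
    "7.100.51.198.relays.orbs.org": "127.0.0.4",   # never probed, listed anyway
}
UNTESTABLE = "127.0.0.4"

def dnsbl_name(ip, zone):
    """203.0.113.42 in relays.orbs.org -> 42.113.0.203.relays.orbs.org"""
    octets = str(ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def fake_resolve(name):
    return FAKE_DNS.get(name)  # None stands in for NXDOMAIN ("not listed")

def live_resolve(name):
    """What a real mail server does: an A lookup, NXDOMAIN meaning not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def smtp_verdict(ip, zone, resolve=fake_resolve):
    """Decide at connection time whether to accept mail from ip: (accept, reason)."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return True, f"{ip} is not listed in {zone}"
    if answer == UNTESTABLE:
        # Listed because the netblock's owner refused the scanner, not because a
        # relay was found. Bouncing on this is the false positive Road Runner
        # describes; the outputs.orbs.org zone leaves such entries out.
        return True, f"{ip} is marked untestable ({answer}) in {zone}; no relay evidence"
    return False, f"550 {ip} is listed in {zone} ({answer}): open relay, mail refused"
```

Pass `resolve=live_resolve` to query a real zone; the default table keeps the example offline.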
Problems with ORBS from the ISP's point of view
The operations security manager for Road Runner, W. Mark Herrick,
Jr., says ORBS has some serious shortcomings:
"We are currently experiencing problems delivering email to some
ISPs. This is due to a manual block from the ORBS system of which
those ISPs subscribe. Although we have a thorough anti-spam policy
and properly address these issues, Road Runner has been manually
added to the ORBS list due to a request we made to the ORBS administrators.
(See 'History', below.) With analysis and discussions with other
providers, we believe that the impact of the ORBS block is very
minimal and easily corrected on a case-by-case basis. We are currently
only hearing 1 or 2 reports per week from our entire customer base.
We will take the information provided and work with each provider
to correct it with them directly.
"I can assure you that the IP address that ORBS is currently blocking
is in no way an open relay, and that it is being blocked solely
due to ORBS' testing servers being refused at our border routers.
Road Runner takes the issue of open relay servers very seriously,
and, in addition to immediately closing them as they are detected,
performs proactive relay detection checks on its own network. Likewise,
Road Runner also takes the issue of unauthorized probes very seriously,
and as such has taken steps to minimize potential abuse from outside
sources. Many other major Internet Service providers, such as Above.net,
have taken this stance along with us. You may wish to take a look
at http://www.orbs.org/hallofshame.html to see who else is 'spite
listed' by the ORBS project.
"ORBS is currently blocking Road Runner IP Addresses with a DNS
'A' record of 127.0.0.4 - These are, according to the ORBS web
site, considered 'untestable netblock entries' (see HISTORY). ORBS
has, however, recently made available a number of different 'zones'
that providers can currently utilize to block unwanted SPAM mail
from open relay sources, but that will not block those 'untestable
netblock entries' sites such as Road Runner, Above.Net, and Carnegie
Mellon University.
"More information regarding these 'zones' can be found at http://www.orbs.org/usingindex.html
- All that is necessary to make this change is to modify your mail
server to query the ORBS database at 'outputs.orbs.org' instead
of 'relays.orbs.org'. This will not affect the amount of
spam that your servers block, only the amount of false positives
that are affecting our combined users."
History
"Road Runner customers and affiliates initially contacted us with
a security issue. They were concerned with their privacy and security
when an unknown entity (to them) began scanning them without permission.
We initially tried to address this case by case and later contacted
the ORBS administrators and requested that this unwelcome scanning be terminated.
This is analogous to someone requesting they be removed from a
list that they did not subscribe to. With this request, all Road
Runner IP space was unexpectedly added to the ORBS list with a
public statement on the ORBS WWW site, as well as the bounce message
which our subscriber has received. As scanning continued against
our repeated requests, the individual ORBS scanning hosts were
filtered out of our network.
"Although we strongly believe in stopping spam on the Internet,
as well as respect the initial work and charter ORBS has been under
in the past, we have serious concerns at the current methods and
actions that are taking place:
"For example:
- Scanning of private networks without permission from targets
- No REMOVE capability from the ORBS scanner
- When someone tries to stop or block the ORBS scans, they are
blocked by ORBS.
- No warning, as well as false public statements about the individuals
scanned or their provider. THAT IS: If you have a relay (known,
or unknown to you) you are called a spam supporter publicly
without any warning to correct it before ORBS adds you.
- Misinformation on ORBS' own web site (http://www.orbs.org/whatisthis.html)
'What is ORBS? The short answer: ORBS is a validated database
of open mail relays and open mail relay output points, accessible
via DNS lookup.'
- The addition of Road Runner hosts to a database which are not
listed via their normal web lookup at http://www.orbs.org/verify_1.html
- this is deceptive to most end users.
"Road Runner believes strongly in the fight against spam. We have
addressed it with strong policies, enforcement and our own relay
detection methods. We will continue this effort, work together
with other providers and the Internet community (including ORBS)
to make a difference. However, we reserve the right to assess the
methods used, by whom and determine the best way to accomplish
the desired results for our business."
Et Cetera
Traceroute.org is not a spam fighting site, but has useful links that
can help you gauge the overall health of certain parts of the Internet
by conducting traceroutes from various locations around the world
to your ISP. For more information, see: http://www.traceroute.org/.
Good luck. I hope you'll soon enjoy your first verified spam kill.
It's a very satisfying feeling!