Nobody likes junk mail, well almost nobody!
It is a responsibility all of us must accept and devote some time to. At the
Blue Moon we try to protect our customers from receiving scads of UCE. SPAM
Mail is becoming big business and SPAM vendors are using ever more
sophisticated methods of jamming that unwanted mail into your mailbox. In order
to be able to surf the net relatively unmolested by this increasing
nuisance, you, the customer, need to be armed with the knowledge necessary to
discourage the purveyors of SPAM from dropping further unwanted junk mail into
your E-Mail box.
We go to great lengths and spend many hours per week working on our spam filters
so that mail you want gets to you and the mail you don't want disappears silently.
Our spam filtering is very sophisticated and we have been developing it in-house
for over 5 years.
A list of known contact addresses for many domains can be useful for reporting
abuses to the correct place without playing email
Check here for information on viewing the full headers of email sent to you.
Most SPAM has a forged "From:" address. This means you CANNOT reply to that
address; the mail just bounces right back to your box marked as "Undeliverable."
Many times a novice spammer will still leave clues as to where their unwanted
message originated from. Many mail clients have an option to display a "full
header" or "rich header" which shows the mail server relay path the mail has
taken to reach your mailbox. I use "pine" to read mail from the shell account
rather than use a PPP connection with a POP client. Pine has an "h" command
to turn full header display on. In Netscape you can view the "source" to the
current message from the "View" menu. This will sometimes display more
information from the header. Many EMail clients have a "full header" or "rich
header" option to display more about the origin of the mail, contact the
EMail client's support staff if you can't find it in yours. If that feature
isn't available in the client you use now we recommend changing EMail programs.
Our mail server (net.bluemoon.net) will leave its mail signature in the header
of the mail as we are final relay before it lands in your box. One of the ways
spammers try to hide their identity is by relaying mail through several servers,
most of which they have no right to use. Some call this "hijacking" mail servers
to do their dirty work. A more recent tactic of the spammers is to use viruses
(no, viri and virii are not the plural of virus) to infect as many people's
computers as possible and then hijack them to send out spam. It is my belief
that most of the new viruses are specifically designed for sending spam.
When I receive SPAM I examine the header to see what servers the mail came from.
I then forward the spam mail to "abuse@" and "postmaster@" whatever domain sent
or relayed the email. The topmost "Received: from" header will show the
last IP address and hostname of the computer which sent the mail to our
mail server, that's the offender we are interested in and not the visible
"From:" line of the email as that was almost surely a forgery.
If I receive no reply from either address or the mail bounces back to me as
undeliverable I will add the relay domain or ip address to one of the SPAM
filters, whichever one is most appropriate, which should deny any further mail
of that type or from the offending network. If something smells fishy to me I
will do host lookups on the entire class C (/24) address block of the offending
server and if it turns out to be a "Spamhaus" operation I will block all
the domain names listed and the IP address block from sending us email. I have
found literally tens of thousands of spam domains and address blocks this
way and usually find 100 to 1000 new ones every week.
This can be sticky business. You don't want to cut large groups
of people off from being able to correspond with their friends. That would
defeat the purpose of the internet! Obviously filtering all mail from aol.com
is not practical (and that's one of the reasons many spammers forge the
"From:" line as being from firstname.lastname@example.org) and would prevent a huge
number of people from corresponding with each other. I can't cut them off, BUT,
I can bounce copies of that mail to email@example.com and firstname.lastname@example.org. Of
course AOL is notorious for ignoring spam complaints, but that is another
If they only relayed the mail through AOL's mail servers then AOL has a
responsibility to do everything reasonable to prevent the spammers from
hijacking their mail servers for spamming. If someone manages to relay spam
through our mail server I sure want to know about it and you can bet I'll
beat my brains out until I find a way to prevent that method from being used
again. If someone from our domain spams people on the net you can bet they
won't have access to our network ever again. We have terminated both personal
account and business account holders for spamming and I'm sure we'll be forced
to do that again.
Back to what you can do.
Send a copy of the spam to postmaster@ and abuse@ the domains you received it
from. If you don't get a reply that the problem will be looked into (many
sites have auto-responders for abuse@ and postmaster@) after 24 hours or so then
consider using the Spam Reporting feature at
http://www.spamcop.net/ which is also a great place to learn more about
fighting spam. If it appears to be some chronic spammer then by all means
drop some mail to SpamReport -AT- bluemoon.net with a copy of the spam
mail including the FULL headers. We'll look into it and if the domain is a
spam factory we'll block it as many ways as we can. I believe it is the duty
of each of our network's clients to notify every admin of every domain and
backbone network used to convey that unwanted spam mail to our mailboxes.
Please do not send SPAM mail directly to our staff without first trying to
resolve the issue yourself. We just don't have the time to chase down every
spammer; there's too much spam to fight!
We also cannot do anything about
spam mail forwarded to us which does not include all of the header information
showing which servers forwarded it to us. Any email program worth its salt has
the option to "show full headers" or "show all headers" which provides the
necessary information for tracking. Due to the volume of junk mail out there
we are not able to reply to forwarded spam which does not originate on our
network, but if the full header is included we will look into it.
Two powerful tools you can use to trace the path of responsibility are "whois"
and "traceroute" (called "tracert" on win95/98 machines). The whois service
will report the contact email addresses and domain servers used for the
domain in question. Traceroute will show each connection used to reach a host
on the internet. Another neat trick is using telnet to open a session to
a mail host for a domain on port 25, which is the SMTP mail port, and using the
VRFY command to ask that server whether an address is valid. Many servers won't let
you do that anymore; we don't allow it on our mail server and went to some
trouble to hack the server code to block it. If "VRFY username" doesn't
work, just close the connection or type QUIT to have their server close the
connection. This isn't illegal, don't worry, it's just talking directly to a
mail server in the language of SMTP.
Here is the raw header of some spam mail I received recently:
Received: from mail.goodnet.com (mail.goodnet.com [220.127.116.11]) by net.bluemoon.net (8.8.5-r-ANTI-SPAM/8.8.5) with ESMTP id BAA25058 for ; Wed, 6 Aug 1997 01:15:37 -0400 (EDT)
From: email@example.com
Received: from uspronet.com (phx-ts16-17.goodnet.com [18.104.22.168]) by mail.goodnet.com (8.8.6/8.8.6) with SMTP id WAA07433; Tue, 5 Aug 1997 22:06:39 -0700 (MST)
Date: Tue, 5 Aug 1997 22:06:39 -0700 (MST)
Message-Id: <199708060506.WAA07433@mail.goodnet.com>
To: firstname.lastname@example.org
Subject: Monthly special
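Before walking through it by hand, here is an added Python example (not code from the original page or from Blue Moon) that does the same triage on this header automatically: it reads the Received: lines top-down, trusts the relay's recorded reverse DNS name and bracketed IP rather than the HELO name the sender announced, and builds the abuse@/postmaster@ list using the two-label domain rule given later on this page. The header text is constructed from the one above, with the addresses as printed here.

```python
import re
import email

# Constructed sample: the spam header shown on this page, one header per line,
# with the addresses exactly as the page prints them.
RAW_HEADER = (
    "Received: from mail.goodnet.com (mail.goodnet.com [220.127.116.11]) "
    "by net.bluemoon.net (8.8.5-r-ANTI-SPAM/8.8.5) with ESMTP id BAA25058 "
    "for <email@example.com>; Wed, 6 Aug 1997 01:15:37 -0400 (EDT)\n"
    "From: email@example.com\n"
    "Received: from uspronet.com (phx-ts16-17.goodnet.com [18.104.22.168]) "
    "by mail.goodnet.com (8.8.6/8.8.6) with SMTP id WAA07433; "
    "Tue, 5 Aug 1997 22:06:39 -0700 (MST)\n"
    "Date: Tue, 5 Aug 1997 22:06:39 -0700 (MST)\n"
    "Message-Id: <199708060506.WAA07433@mail.goodnet.com>\n"
    "To: firstname.lastname@example.org\n"
    "Subject: Monthly special\n\n"
)

# sendmail-style clause: "from <HELO name> (<reverse DNS> [<ip>]) by <server>"
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def domain_of(hostname):
    """Page's rule: the two labels around the last dot (mail.goodnet.com ->
    goodnet.com). Caveat: too short for ccTLD domains such as example.co.uk."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def parse_received(raw):
    """Relay hops, topmost first (the one that handed the mail to our server).
    The reverse DNS name and bracketed IP were recorded by the receiving
    server; the HELO name was chosen by the sender and may be fake."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2),
                         "ip": m.group(3), "by": m.group(4)})
    return hops

def forged_helo(hop):
    """True when the sender's HELO name is not in its reverse DNS domain."""
    return domain_of(hop["helo"]) != domain_of(hop["rdns"])

def report_addresses(hops, our_domain):
    """abuse@ and postmaster@ for every network that relayed the mail to us,
    taken from recorded reverse DNS names, never from the forgeable From: line."""
    domains = {domain_of(h["rdns"]) for h in hops} - {our_domain}
    return sorted(f"{box}@{d}" for d in domains for box in ("abuse", "postmaster"))
```

For this header, report_addresses(parse_received(RAW_HEADER), "bluemoon.net") names goodnet.com as the relay to notify, and forged_helo flags the second hop because the announced name uspronet.com does not belong to the recorded reverse DNS phx-ts16-17.goodnet.com, a dial-up port on goodnet.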
Let's go through the process of determining responsibility for this mail and
taking appropriate measures to express our displeasure at being spammed.
The first part of the mail shows our server receiving the mail from one of
goodnet's servers. The "for <email@example.com>" shows it was specifically
sent to my box. The "From:" field shows it was intended to appear to be from
firstname.lastname@example.org; let's see if we can find out if that's a valid address:
BlueMoon 1> telnet uspronet.com 25
Trying 22.214.171.124...
Connected to uspronet.com.
Escape character is '^]'.
220 uspronet.com ESMTP Sendmail 8.8.5 ready at Sat, 16 Aug 1997 10:56:26 -0600 (MDT)
VRFY jewelry
250 <email@example.com>
quit
221 uspronet.com closing connection
Connection closed by foreign host.
BlueMoon 2>
uspronet says jewelry is a valid user name, which means you can send their spam
right back at them. Don't send 1000 pieces of it back in their face; they'll
just delete them and maybe harass us because you spammed them (typical!), when
one piece of forwarded mail to their address, with carbon copies (CC) to
firstname.lastname@example.org and postmaster@uspronet expressing your great displeasure
at being the target of their junk mail, will get the point across that they
have made an enemy and not a potential sale.
Let's pretend that the user name "jewelry" isn't a valid mail address at
uspronet or that the VRFY wouldn't tell us if it was. Mail abuse and postmaster
there right off the bat. We also know they used goodnet's mail server to relay
it so mail abuse and email@example.com at the same time. Now it is time to
see exactly how the mail comes and goes to "uspronet.com" by using "traceroute"
or win95's "tracert" utility:
BlueMoon 1> traceroute uspronet.com
traceroute to uspronet.com (126.96.36.199), 30 hops max, 40 byte packets
 1  gatekeeper (188.8.131.52)  1 ms  1 ms  1 ms
 2  uunet (184.108.40.206)  8 ms  10 ms  6 ms
 3  120.Hssi1-0.CR2.CLE1.Alter.Net (220.127.116.11)  10 ms  12 ms  12 ms
 4  119.Hssi4-0.CR2.SEA1.Alter.Net (18.104.22.168)  126 ms  526 ms  443 ms
 5  Fddi1-0.GW2.SEA1.Alter.Net (22.214.171.124)  68 ms  69 ms  69 ms
 6  lightrealm-gw.customer.ALTER.NET (126.96.36.199)  72 ms  69 ms  73 ms
 7  sea-border1-f41.lightrealm.net (188.8.131.52)  72 ms  70 ms  93 ms
 8  uspronet.com (184.108.40.206)  72 ms  72 ms  71 ms
BlueMoon 2>

"gatekeeper" is one of our routers. "uunet" was one of our connections to the
backbone. Alter.Net is a part of UUNet's backbone. I have never heard of any
backbone named "lightrealm.net", and that's the first hop off UUNet's backbone,
so it is a safe assumption to make that lightrealm, who obviously provides
services to uspronet, uses UUNet for their services. Bam, add
firstname.lastname@example.org, email@example.com, firstname.lastname@example.org and
email@example.com to a list of carbon copy recipients of your spam mail
response. Each of those networks has a duty to impress upon their customers the
necessity of adhering to an acceptable use policy. They may act like you are
bothering them, but hey, THEY allowed their customer to SPAM YOU! You can bet
your bippy that they'll pay more attention to who they sell connections to and
what those people do with those connections if a million or so people a year
forward their customer's SPAM to them with a nasty little note about how
displeased we are that they allow this type of internet menace to line their
pockets with cash.
We know how it got here, but is there some way we can actually determine who
may be personally responsible for this invasion of our internet space? In many
cases there is :) That's where the whois service comes in.
BlueMoon 1> whois uspronet.com
Dakota Engravings, Etc. (USPRONET-DOM)
   5923 E. Hillery Dr.
   Scottsdale, AZ 85284
   USA

   Domain Name: USPRONET.COM

   Administrative Contact:
      Holen, Bob  (BH1447)  engrave@GETNET.COM
      (602) 953-2413
   Technical Contact, Zone Contact:
      Wayrynen, Darin  (DW970)  darin@GOOD.NET
      (602) 303-9500 ext 3234 (FAX) (602) 303-0550
   Billing Contact:
      Holen, Bob  (BH1447)  engrave@GETNET.COM
      (602) 953-2413

   Record last updated on 27-Jun-96.
   Record created on 27-Jun-96.
   Database last updated on 16-Aug-97 04:20:12 EDT.

   Domain servers in listed order:

   NS1.GOODNET.COM              220.127.116.11
   NS2.GOODNET.COM              18.104.22.168

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
BlueMoon 2>
Well, well, well. They do use goodnet for services, the nameserver addresses
verify that. The best part is we now have some email addresses of individuals
directly responsible for their domain. The Administrative contact is
engrave@GETNET.COM and the technical contact is darin@GOOD.NET. Send out
copies to both of them. You got it, they should certainly get copies too. I
didn't want it and I'm sure they don't want it, but darn it, they made it
happen and they're going to get a carbon of every piece of spam from their
domain that I receive. You can also do a whois on each network used to relay
that spam mail. Win95/98/2k/XP users can download a whois client at
ftp.bluemoon.net/pub/pc/tcp/whois32.zip. Remember to use only the two names
surrounding the last period in the hostname, mail.goodnet.com would be in
the domain "goodnet.com", the "mail." is just the individual machine name.
Fighting spam can be a detective game, but if each of us takes the trouble to
stir up the providers we can all help to make the point that SPAMMING us means
we won't ever want to have anything to do with their company, products or
There are many sites dedicated to fighting internet spam mail. The best I have
found yet is spam.abuse.net which contains
a wealth of information on how you too can join the war against spam mail. We
heartily urge you to visit this site and learn all you can about how to
discourage the spammers from bothering us all.
© 1998 - 2006 Blue Moon Internet Corp.
Unauthorized Use Prohibited