Archive-name: net-abuse-faq/email/spamfighting
Posting-Frequency: bi-weekly
Last-modified: 07-Jul-2001
URL:
Maintainer: James Farmer <>
==========================================================================
An FAQ For Part 1: Spamfighting Overview
==========================================================================

TABLE OF CONTENTS

Recent Changes
Disclaimer
Preface

1.1 Introduction
    1.1.1 Whom is this document for?
    1.1.2 What is spam and why do we fight it?

1.2 Basic Spamfighting
    1.2.1 I've received some spam... what can I do?
    1.2.2 How can I find a spammer's ISP?
    1.2.3 Can I do anything about a spammer's website?
    1.2.4 What if the spam doesn't include a website?
    1.2.5 What if the spam doesn't even include an email address?
    1.2.6 Who else can I complain to?
    1.2.7 What email address do I complain to?
    1.2.8 Can't this all be automated?
    1.2.9 Should I hack into the spammer's computer?

1.3 Advanced Spamfighting
    1.3.1 Spammer Tricks
          What are these weird URLs?
          Is the spammer's URL always the place to complain to?
          Why does the spammer's website's source code look so weird?
          How can I stop a spammer's website doing bad things to my computer?
          What if a spammer's website has disabled right-click?
    1.3.2 What can I do about Spam-Supporting ISPs?
          Research
          &
          Halls of Shame
          Posting in
          Education
          What if the ISP doesn't speak English?
          Contact their Upstream
          Publicise their Spam-Supporting
          Submit an RBL Nomination
          Bitching

1.4 Spam Prevention
    1.4.1 How can an individual reduce the amount of spam they get?
          How do spammers get our email addresses?
          Choose a non-obvious email address
          Be careful with your email address
          Address Munging
          Whitelisting
          Filtering
    1.4.2 How can an ISP reduce the amount of spam their customers get?
          Stop Accepting All Email
          Filtering
          Blackholing Lists
          MAPS
          ORBS
          Did ORBS die in June 2001?
    1.4.3 How can an ISP reduce the amount of spam their customers send?

1.5 About anti-spammers
    1.5.1 Why do anti-spammers fight spam?
    1.5.2 Aren't anti-spammers just a load of anti-business communists?
    1.5.3 Aren't anti-spammers just a load of anti-commerce net-nazis?
    1.5.4 Don't anti-spammers just want to control email on the Internet?
    1.5.5 Why don't anti-spammers spend their time stamping out porn instead?
    1.5.6 Why don't you anti-spammers just get a life?
    1.5.7 Are anti-spammers all Systems Administrators?
    1.5.8 If you anti-spammers are so smart, why am I still getting spam?

Credits
Use Policy

=========================================================================
--------------------------- RECENT CHANGES ------------------------------
=========================================================================

Added section, about
Linked to <> from 1.2.1
Linked to an Esperanto Anti-Spam FAQ at <>.
now links to <> as an alternative way of eliminating JavaScript.
- the "Death of ORBS" section - has been updated with information about the new ORBS-related lists.

=========================================================================
------------------------------- DISCLAIMER ------------------------------
=========================================================================

The following document should, where not otherwise stated, be understood to represent the opinions and beliefs of the FAQ-maintainer only. I endeavour to ensure that these opinions and beliefs are as correct as possible, but take no responsibility for any problems caused by errors herein. This document should not be considered to represent the opinions of any individuals or organisations other than the FAQ-maintainer.

Please note that in this document, "we" is intended to collectively refer to all regular or semi-regular posters to the newsgroup, including those of all persuasions, and should not be read as indicating the existence of a "clique" comprising persons of similar viewpoints.
=========================================================================
-------------------------------- PREFACE --------------------------------
=========================================================================

This is one of three documents I have compiled to comprise an FAQ for the newsgroup. Each document addresses points in a given area, specifically:

The SPAMFIGHTING OVERVIEW offers a taste of the many techniques people use to fight spam. The objective isn't to teach you how to fight spam (there are many far superior documents that do just this), but rather to introduce some of the techniques you can use and refer you to some more detailed works.

THE EVILS OF SPAM covers the more ethical, moral, and legal aspects of spam, including just what constitutes spam and the types of people who become spammers.

UNDERSTANDING NANAE aims to introduce all of the weird, wonderful, and sometimes impenetrable terminology that people use in (nanae). It covers both colloquialisms (e.g. "chickenboner") and technical terms (e.g. "direct-to-MX").

These three parts are designed to stand alone and don't have to be read in order; feel free to pick and choose just the bits you're interested in.

These documents shouldn't be considered to be "the" FAQ, as there are plenty of other FAQs that are superior in insight, detail, or depth of coverage. They are just an FAQ that I hope will answer some questions that have been troubling you.

These documents are currently maintained by James Farmer. If you have any suggestions for additions or corrections, then feel free to send an email to The latest versions of all of these documents can always be found at <>

=========================================================================
--------------------------- 1.1 INTRODUCTION ----------------------------
=========================================================================

1.1.1 Whom is this document for?

This document is intended for anyone who feels confused about any of the spamfighting techniques discussed in the newsgroup. It aims to briefly summarise what each of the commonly used techniques is, and provide links to sites where you can find more detailed information.

This document is not a tutorial for spamfighters. While there is much in here that will be of interest to a newcomer, reading this document alone will teach you only what techniques you can employ to fight spam, not how to use them.

1.1.2 What is spam and why do we fight it?

These are issues that are discussed in great depth in the second part of this FAQ, "The Evils of Spam". However, to briefly summarise, spam is a type of email that endangers the very existence of the email system by threatening to overwhelm it with a massive and uncontrollable volume of messages. Spam usually takes the form of advertising or promotional material that arrives in your emailbox without you having requested it. UBE (Unsolicited Bulk Email) and UCE (Unsolicited Commercial Email) are terms that are often used to describe different types of spam.

RELATED LINKS

  NANAE FAQ part 2: The Evils of Spam <>

=========================================================================
------------------------ 1.2 BASIC SPAMFIGHTING -------------------------
=========================================================================

1.2.1 I've received some spam... what can I do?

Most people ignore the spam they receive. They either don't have the time or the expertise to deal with it. Their decision is understandable, but in the end inaction only helps the spammers because they can point to statistics and say "I sent my spam to 7 million email addresses and only 190 people complained so the other 6,999,810 must have been happy to receive it".

Alternatively, spam-victims might try to use a spam's "remove address".
The concept here is that by sending a message to a given email address you will tell the spammer to remove you from their mailing list. However, these things almost universally fail to work. In the rare cases where your "remove request" actually reaches the spammer, they'll just take it as an indication that email sent to your address is actually read by a human, and thus your address becomes _more_ valuable to them, and they send you _more_ spam.

The best thing to do is: complain, complain, complain! Most ISPs have Terms of Service (or Acceptable Use Policies) that forbid spamming, so if you can tell the spammer's ISP that their customer broke these rules, then you can get the spammer's account cancelled! As well as giving you personal satisfaction, this will serve as a deterrent to this and other spammers, and with any luck prevent him from profiting in any way from his spam.

(As an aside, an ISP will sometimes try to "educate" a spammer before terminating their account, as sometimes a company will send a spam without considering the issues involved. This topic is explored in the second part of this FAQ, "The Evils of Spam".)

RELATED LINKS

  Elsop's How To Fight Spam Links <>

1.2.2 How can I find a spammer's ISP?

The tricky bit is working out just who is the spammer's ISP. The address in the "From:" field is almost certainly forged in order to throw you off the scent (and may even belong to an innocent third-party), so you have to learn to read the "full message headers", which are a bit like a log of an email message's travels through the internet. The spammer will try to forge these too, but in most cases it's still pretty easy to work out which ISP the message came from.

Header-reading is beyond the scope of this document, but here are a few links where you can find out more:

  How do I get my email program to reveal the full headers? <>
  Getting Full Headers <>
  SPAM-L FAQ : Tracking Spam <>
  Reading Email Headers <>
  Dealing with Junk Email <>
  Tracking the Source of Email Spam <>
  Reporting Abuse <>

BUT... when complaining, please remember that the people at the spammer's ISP are not the bad guys. They didn't know their customer would turn out to be a spammer. There is a great temptation to fire off a few pages of verbal abuse, but remember that you are angry with the spammer, not the abuse staff at his ISP. The spammer will have abused them too, probably breaking their Terms of Service. And there is nothing an ISP can do to prevent, completely, any chance of Internet abuse emanating from their machines.

So be polite. Point out what has happened without dramatic or obscenity-clad embellishment. Hostile or infantile behaviour will do you no good at this stage. If the abuse staff sends you a response that is blatantly offensive, then it may be time to revise your opinion of them (although always be aware of the potential for a misunderstanding), but you should start out from the assumption that these people are your friends.

Most abuse departments won't act against a spammer until a non-trivial number of complaints have been received. This is because people sometimes forget that they have signed up for legitimate mailing lists or requested other types of email, and complain about it as spam.

If you are convinced that a message was spam but the spammer's ISP claims that it wasn't, then there are further steps you can take. We will discuss these in later sections of this document.

RELATED LINKS

  Step-By-Step Spam Reporting <>
  Reporting Abuse to ISPs <>

1.2.3 Can I do anything about a spammer's website?

Assuming that the ISP agrees to take action, the spammer's account with that ISP will often be cancelled.
Unfortunately, the spammers have caught on that their accounts rarely last long after they send their spam, so they've taken to using cheap "throw-away" accounts, opened solely for the purpose of sending spam which advertises ("spamvertises") websites held on other providers. The spamming accounts will get cancelled soon after the spam-run is complete, but the website will remain intact and thus the spammer can safely benefit from their spam (in terms of sales over the web, or clicks on banner advertisements, or whatever).

That's the idea, at any rate. Largely, this doesn't work as most web-hosting companies have clauses in their Terms of Service forbidding the use of spam to advertise the websites they host. Sending a quick complaint to the hosting company will often result in the spammer's website being removed.

But how to find the web-hosting company? The spammers may try to conceal this, but there's one snag - they want potential customers to reach their website, which means that the website's URL is probably somewhere in the spam. Once you find it, you can use tools like "traceroute" and "whois" to work out who's hosting the site. Here are some useful online versions of these tools:

  SamSpade <>
  UXN Spam Combat <>

But if you'd prefer to run them from your desktop, rather than surfing over to a webpage every time you want to run a traceroute, then you can download versions of the tools from these links:

  SamSpade for Windows <>
  Net.Demon for Windows <>

"traceroute" is a tool that lists the machines on the Internet that a message sent from one machine to another would pass through. "Whois" is a tool for looking up the owner of a domain or IP address.
A detailed look at either of these is beyond the scope of this document, but again here are some useful links:

  Whois Tutorial <>
  Spam Tracking 103 - The Whois Tool <>
  Traceroute Tutorial <>
  Traceroute and Spam <>
  Death to Spam (includes a traceroute guide) <>
  Tools to Help You <>

NOTE: Make sure you know what you're doing before you start writing complaints based on the results of tools like "traceroute" or "whois", as it's very easy to make mistakes. If in doubt, ask in the newsgroup for confirmation.

Spammers will often try to obscure the true address of their website by spamvertising the address of an intermediate site or giving the address in an obscure format, but in most cases it's pretty easy to work through their tricks. We'll look at this in more detail in section 1.3.1.

1.2.4 What if the spam doesn't include a website?

Alternatively, the spam may not advertise a website and will instead be soliciting replies by email. You can use the techniques described above to work out who is hosting this email address and complain to the provider, which will probably cancel the spammer's email account. Good, eh?

1.2.5 What if the spam doesn't even include an email address?

A few spammers - particularly chain-letter spammers - don't include any electronic ways of contacting them, giving only a postal address or a telephone number in their spams. In these cases, there tends to be less you can do.

Most postal addresses found in spams will actually be P.O. boxes (e.g. Mailboxes Etc). Some of these mailbox providers may have rules against business use or certain types of business uses (e.g. chain letters or MLM); if so and you complain, they may take action.

In fact, chain letters soliciting money are illegal pyramid schemes in many countries, so reporting them to the authorities may be a good idea.
For example, in the United States you can forward such chain letters to your local postmaster or postal inspector, or the postmaster/postal inspector local to each address on the chain letter, or present them to the clerk at your local post office saying "I received this illegal chain letter asking for money". You can also send them by email to or

Incidentally, I do NOT recommend making personal visits to addresses advertised in spams. Nothing good can come of such episodes. If you desperately want to contact the spammer, send him a letter.

Many spams will include phone numbers you're supposed to call for more information. Sometimes these will play recorded messages giving the address of a website or an email address, in which case you can complain to the relevant ISP as usual. In other cases, it can be worthwhile checking the type of phone number it is - many spammers give premium-rate numbers and don't include legally required warnings, in which case you can complain to the provider or the regulator or whatever is relevant to the locality. (On this note, _always_ check the call charges before calling a spamvertised phone number. If in doubt, don't call it.)

Note that in many countries, a freephone number can still detect your number even if you have call blocking enabled. Use a pay-phone if this worries you.

By the way, if you call a spammer's phone number and actually reach the spammer or his family, DON'T be abusive. It does no good and only makes the spammer feel like the victim.

(Well that's all I know. Can anyone think of anything more for this section?)

RELATED LINKS

  U.S. Postal Inspection Service on Chain Letters <>
  Mail Fraud Complaints <>

1.2.6 Who else can I complain to?

The key with most spamfighting is summed up by this simple motto: "Follow the Money". Have a look at the spam and the spammed website and see how the spammer's intending to earn off it. Is he using an external merchant to charge credit cards?
If so, complain to them and often they'll stop dealing with the spammer. Does he have banner ads? If so, complain to the suppliers of the banner ads. If there's a form on the spammer's website that sends information to an email address, complain to the ISP of that email address. Most legitimate businesses on the Internet aren't keen to sully their reputations by working with spammers.

Remember: always be polite. The ISPs are not your enemies and a single polite word will get you a lot farther than a screenful of abuse.

As an aside, the U.S. Federal Trade Commission has a project for analysing and classifying spam, and has invited Internet users to forward their spam to This won't help you in the short-term but it could be of long-term benefit in the fight against spam. They also occasionally take action against outright scams that are reported in this way.

1.2.7 What email address do I complain to?

At most ISPs, the address for sending complaints is "abuse@<isp-domain>", e.g. or However, a few ISPs have non-standard abuse department email addresses; in these cases it can be hard to know where to send your complaint.

To the rescue comes; a database of ISP abuse addresses. It can even forward complaints automatically to the relevant abuse addresses if you supply the complaint and the name of the Internet provider! Have a look at <>

1.2.8 Can't this all be automated?

All this reading headers, working out webhosting providers, and so forth is a pain. Spamcop is a service that aims to automate this process; you give it your spam and it writes and mails the complaint for you. Spamcop has a reputation for sending complaints to a few incorrect places, so you have to keep an eye on what it's doing, but if you think you might find it useful, then have a look at <>. (Note that has no relation to

1.2.9 Should I hack into the spammer's computer?

No; hacking is very seriously frowned upon by most of the anti-spamming community.
Apart from the fact that it's illegal, it allows the spammers to portray themselves as honest businessmen being assaulted by electronic terrorists. If we are to eliminate spam it is important that we retain the moral high ground.

=========================================================================
----------------------- 1.3 ADVANCED SPAMFIGHTING -----------------------
=========================================================================

1.3.1 Spammer Tricks

What are these weird URLs?

Some spammers try to "obfuscate" the address of their website in order to make it hard to see where to complain to. A number of common tactics include:

* The Non-Dotted-Quad IP address

Most IP addresses have the "dotted-quad" form: However, the IP address is also valid as one big decimal number, e.g.:

  3064945162

The spammer hopes that by giving you the address in this form, you'll be confused. However, tools like traceroute and whois will quite happily work on either dotted-quads or big decimal numbers. If you're happier working with the dotted quads, there's a tool at <> that will convert back to them.

IP addresses can also be represented in octal (prefixed '0') or hexadecimal (prefixed '0x'), or even as a mixture of these within a dotted quad, in which case the above IP address might become:

  0266.0xaf.0x5a.012

The key thing to remember is that if it works in your web browser, it'll work in traceroute and whois too, so all this obfuscation by the spammer is really a wasted effort on their part. What a shame. :)

* The Really Long Dotted-Quad IP address

The dotted-quad I.P. address is just a way of representing a 32-bit number using four 8-bit numbers. It's a bit like the way you might write "1153" as one thousand, one hundred, five tens and three units.
Now, in a dotted-quad only the lowest eight bits of each number are significant - to continue the above analogy, if we had "one thousand, twenty-one hundreds, five tens and three units", we'd discard the "twenty" from the "hundreds" column (because that would mean an extra two thousands and if we really wanted them we'd have put them in the "thousands" column, so it must be an error, right?) and still be left with the number "1153".

Some spammers make use of this by setting the high-bits of the four numbers in the dotted quad to make the I.P. address rather long and confusing. For example:

  http://10889035741470030830827987437816582766808.41538374868278621028243970633761010.91343852333181432387730302044767688728495784090.5444517870735015415413993718908291383522/

It looks daunting, but dealing with it is quite simple. Just take each of the four dotted quads and ignore all but the eight lowest bits (i.e. divide each by 256 and take the remainder). In the example above, you'll end up with: and from here you've got the I.P. address and can continue as normal.

Alternatively, the URL de-obfuscator at <> will happily decode this kind of really-long-dotted-quad URL for you.

* The Username Trick

You can specify a username and password in a URL using the @ symbol. For example: will log me into using the username "jjf" and the password "fred". But if didn't need a username & password, the username & password are ignored.

Spammers use this to conceal their website's location. For example, is the following website located on or

If you know this trick, it's fairly easy to see through it, so the spammers have now taken to trying a double-bluff. The username has to come before the first slash after the "https://" bit, and so the spammers try things like this: This URL references the directory "" at, not a website at itself.

Many of the URL de-obfuscation tools given below for decoding JavaScript-encoded URLs will also deal with this trick.
* JavaScript

A _really_ nasty technique is to encode the URL in JavaScript; this can result in URLs that look to you and me like absolute gobbledegook! Fortunately, help is at hand. Have a look at these resources:

  net.demon URL Decoder <>
  SamSpade URLomatic <>
  De-obfuscating JavaScript <>
  URL Revealer <>
  Downloadable Spam Decoder <>

Is the spammer's URL always the place to complain to?

Spammers know that no matter how hard they try to mangle their URL in the manner described above, some people will be able to decode them. Therefore, they sometimes try to hide their websites using other methods as well...

* Page Redirections

Another tactic favoured by some spammers is to spamvertise one URL but have that URL "redirect" visitors to another. In this way, the spammer hopes to confuse us, to misdirect complaints, and if the site that's redirected to is taken down he can just change the redirection page to point to another, identical site and still profit from his spam run.

Fortunately, in most cases, page redirection can be followed simply by looking in your browser's history window. Once you recognise this, the thing to do is complain to the hosters of both the redirecting website _and_ the website it redirects to.

* Frames

A variant on the Page Redirection trick is to have a webpage on one site that contains a frame around a webpage on a second site; this way the "Location:" field of the browser will contain the URL of the first site (the one containing the frame) and not the URL of the second site (the one containing the actual content).

In Netscape, you can get the URL of the second site by selecting "Page Info" from the "View" menu; in Internet Explorer, right-click on the webpage and select "Properties".

Why does the spammer's website's source code look so weird?

Many spammers have learned that anti-spammers get important information about their operations from the source code of their website.
So they've taken to encoding their webpages in JavaScript; this is decoded into HTML by your web-browser in order to display the page, but when you try to look at the source you just see gobbledegook-like JavaScript. Fortunately, help is at hand. Have a look at these resources:

  Encrypted-HTML Decryption Tools <>
  De-obfuscating JavaScript <>
  SamSpade JavaScript Browser <>
  Net.Demon Haywyre Decoder <>
  Decrypt URLencoded HTML sources <>
  Downloadable Spam Decoder <>

Alternatively, users of Internet Explorer 5.x can install the "Microsoft Web Developer Accessories" add-on from Microsoft. With this tool you can highlight a portion or all of a webpage, right-click (or shift+F10) and select "View Partial Source". You now see the plain HTML that the spammer's JavaScript sent to your browser.

How can I stop a spammer's website doing bad things to my computer?

Some spammers' websites can do some quite nasty tricks, such as switching Internet Explorer to full-screen mode and not letting you escape, or opening lots of pop-ups, or re-opening the site every time you try to leave it, and so forth.

If you use IE, you can put the spammer's site in "Restricted Mode" which will disable all JavaScript, Java, ActiveX, cookies and anything else on the site the spammer will try to trick or trap you with. In other browsers you can disable JavaScript and Java from the configuration window. For more information see:

  Improving Security in IE5 and OE5 <>

You can also use the advert-removing program WebWasher to prevent abusive JavaScript code from executing. Look for it at <>.

However, beware; some spammers know that many anti-spammers surf with JavaScript permanently disabled and have written websites that look as if they have been killed if JavaScript is disabled yet are still fully functional for surfers with JavaScript enabled. Some other spammers' websites will immediately redirect you elsewhere if they detect you have disabled JavaScript.

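The numeric-address and username tricks described under "What are these weird URLs?" can be undone without loading the spammer's page at all. The Python sketch below is an added example, not part of the original FAQ or of any tool it links to; it uses the FAQ's own sample addresses, the example.com URLs are constructed, and it also accepts the two- and three-part address forms of the classic inet_aton() rules, which the FAQ does not mention.

```python
"""Decode the host part of a spamvertised URL without fetching it."""
from urllib.parse import urlsplit

# The really-long-dotted-quad example quoted in the FAQ text.
PAGE_LONG_URL = ("http://10889035741470030830827987437816582766808."
                 "41538374868278621028243970633761010."
                 "91343852333181432387730302044767688728495784090."
                 "5444517870735015415413993718908291383522/")

_DIGITS = {8: "01234567", 10: "0123456789", 16: "0123456789abcdef"}


def parse_component(text):
    """Read one address component: 0x.. is hex, a leading 0 is octal, else decimal."""
    text = text.lower()
    if text.startswith("0x"):
        digits, base = text[2:], 16
    elif len(text) > 1 and text.startswith("0"):
        digits, base = text[1:], 8
    else:
        digits, base = text, 10
    if not digits or any(ch not in _DIGITS[base] for ch in digits):
        raise ValueError(f"not a number: {text!r}")
    return int(digits, base)


def numeric_host_to_dotted_quad(host):
    """Return the dotted quad a numeric host stands for, or None for a host name."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        numbers = [parse_component(p) for p in parts]
    except ValueError:
        return None  # at least one label is not a number: an ordinary host name
    # Every component but the last is one octet; the last fills the remaining
    # bytes (assumption: classic inet_aton() rules). Overflow bits are dropped,
    # which is the FAQ's "divide each by 256 and take the remainder".
    value = 0
    for n in numbers[:-1]:
        value = (value << 8) | (n & 0xFF)
    tail_bits = 8 * (5 - len(parts))
    value = (value << tail_bits) | (numbers[-1] & ((1 << tail_bits) - 1))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def analyse_url(url):
    """Separate the host that is really contacted from decoy text around it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Text before '@' in the authority is a username/password, not the site.
    userinfo = parts.netloc.rpartition("@")[0]
    return {
        "host_as_written": host,
        "real_host": numeric_host_to_dotted_quad(host) or host,
        "decoy_userinfo": userinfo or None,
        # Double bluff: an '@' after the first slash is only part of the path.
        "at_sign_in_path": "@" in parts.path,
    }


if __name__ == "__main__":
    samples = [
        "http://3064945162/",                  # decimal form from the FAQ
        "http://0266.0xaf.0x5a.012/",          # mixed octal/hex form from the FAQ
        PAGE_LONG_URL,
        "http://www.example.com:offers@3064945162/buy.html",    # constructed
        "http://3064945162/www.example.com@offers/index.html",  # constructed
    ]
    for sample in samples:
        info = analyse_url(sample)
        print(info["real_host"], info["decoy_userinfo"], info["at_sign_in_path"])
```

The dotted quad it prints is what goes into whois or traceroute; any decoy username it reports is not where the complaint belongs.
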
What if a spammer's website has disabled right-click?

Spammers know that anti-spammers get a lot of information about their revenue chains by looking at the source code of their website. So they have taken to writing little bits of JavaScript that intercept right-mouse-clicks on their webpage to prevent the context-sensitive menu containing the "view source" option in Netscape and Internet Explorer from appearing.

This can, of course, be circumvented by deactivating JavaScript in your browser, but there is also a simpler solution, as the "view" menu on the menu bar allows you to bring up the page source in some versions of IE and Netscape.

Alternatively, Shift+F10 will simulate a right-click in some browsers. Some Windows keyboards also have a "context-sensitive menu key" which can be used to call up the menu you'd normally get by right-clicking. Note that some spammers' webpages will now intercept these keypresses as well as the right-click, but the "view" menu on the menu bar should still work.

1.3.2 What can I do about Spam-Supporting ISPs?

Most ISPs hate spam. Sometimes, however, you'll come across an ISP that is either utterly clueless or refuses point-blank to act against its spamming customers. In these cases, there are a number of steps you can undertake.

Research

The first step is to check the archives to see whether anyone else is having a problem with this spammer or with this ISP. If you can contact others who are having the same problems as you, you can pool your resources to better achieve an effect.

&

is a newsgroup for reporting - not discussing - instances of Internet abuse. The idea is that anti-spammers post instances of the spam they see to this newsgroup, and then other anti-spammers can look in this newsgroup to see if other people are getting the same spam as they are.

But it gets better.
Google's newsgroup archiving service at <> archives most postings to (along with most postings to most newsgroups); you can use the advanced search feature to search these archives for instances of a particular spam! For example, if you've received a spam advertising the website "" you could search for "" in the forum (Google-speak for "newsgroup") "" and find some other people who have been spammed by that spammer.

Incidentally, the Google archives for are also a very useful resource for priming yourself on specific issues. There are few new ideas; most spam-related issues will have been discussed in this newsgroup at some point or another, and many spammers have too.

RELATED LINKS

  Spamfighting 102 - The Many Uses of DejaNews <>
  Charter <>
  Google's Advanced Newsgroups Search <>

Halls of Shame

is a very useful resource but sometimes you need something a little more structured. Unlikely as it may seem, there are anti-spammers who dedicate whole websites to keeping track of the unrepentant spammers and those who run spam-support services. These can be very useful in discovering a spammer's M.O., or just why you're having trouble getting a spammer's account at a certain ISP killed. Here's just a handful of such sites...

The Spamhaus Project tracks spam support services and spam-friendly ISPs, and displays the results in a number of easy-to-navigate formats, with links to "whois" information, relevant abuse addresses, and the like. As well as currently-active spamhausen it lists deceased spamhausen, including how many times they have been terminated and by which ISPs, and when. There's even a "league" of leading spam-support services.

  The Spamhaus Project <>

In a similar vein is Sapient Fridge's Spamware Sites Listing; a list of websites that are selling Spamware or supporting Spam in other material ways, each coming with various service providers (with cross-references), handy links to traceroute tools, and their status with the RBL.

  Sapient Fridge's Spamware Sites Listing! <>

The Spammer Quick Reference Guide has by no means as many technical whizz-bangs, but it looks like a quite useful list of who's spamming what.

  Spammer Quick Reference <>

ROKSO is a good reference of hard-core spam operations that get thrown off Internet providers time after time after time.

  ROKSO (Register of Known Spam Operations) <>

has a database of postal addresses and phone numbers advertised in spams...

  Spammer Addresses & Phone Numbers <>

In less general terms, Worldwide Online publishes a list of spammers they've told to stop spamming them.

  What is Worldwide Online doing to Stop Spam? <>

Posting in

If this research turns up a blank, then don't forget that a great way to contact other spamfighters about a suspected spam-supporting ISP is to post in

Education

Sometimes an ISP will support their spamming customer simply because the ISP themselves don't realise that spam is bad. In these cases, it may be worthwhile taking time to briefly explain (patiently and without expletives) the problems around spam and why the ISP should take action against their spamming customers. If you try this, you'll soon be able to tell whether an ISP is genuinely ignorant and confused or is purposefully supporting spam.

What if the ISP doesn't speak English?

There are an increasing number of ISPs, most notably those in the Far East, but also some in Europe and other parts of the non-English-speaking majority of this planet, where the technical contacts don't speak English. This can obviously lead to a communication difficulty if you yourself aren't fluent in their native language.

One solution is to use the Babelfish automatic translation service, but this technology can be a little flakey at times. It's probably better to get a bilingual friend to translate for you if at all possible.
For persistent spammers from foreign countries, you may be able to seek help from some of the foreign-language email abuse newsgroups, such as:

- Italian net abuse newsgroup
fr.usenet.abus.d - French net abuse newsgroup
- German net-abuse newsgroup
- Hungarian I *think*

As a last resort, there are some anti-spam documents written in non-English languages, to which you may be able to refer non-English-speaking providers.

RELATED LINKS
BabelFish translation service <>
Chinese Spam FAQ <>
Japanese Anti-Relay Links <>
Italian Spamfighting Tutorial <>
French Anti-spam FAQ <>
German Header-Reading Tutorial <>
Esperanto Anti-Spam FAQ <>

(All suggestions for this section gratefully received!)

Contact their Upstream

An ISP's "upstream" is a bit like an ISP's ISP. Apart from a few very large ISPs called "backbones", every ISP purchases its connectivity with the rest of the Internet from one or more other ISPs, which are called the "upstreams" of the first ISP. Many of these upstreams will have clauses in their contracts about spam, and if you can show them that their customer is allowing spam to come through their networks, they may well cut them off or pressure them to take action.

Occasionally, you'll find that a spammer has tricked you into thinking you're complaining to their ISP when really you're complaining to the spammer himself. In these cases, by going upstream you'll find the spammer's real ISP.

If an upstream provider refuses to act, you can try _their_ upstream provider, and so forth until you reach a backbone.

Publicise their Spam-Supporting

Spam is unpopular, so if you publicise the fact that a large organisation is supporting spam, then you may be able to force them to change their mind. A posting about them in is a good place to start. If the provider has their own newsgroups, then possibly one of them might be appropriate for a posting too. And then, if you're really determined, you can move on to online magazines, newspapers, and so forth.

Submit an RBL Nomination

Before we start, I have been asked to emphasize that where not otherwise specified, everything in this section is the personal opinion of the FAQ-maintainer and should not be considered to be statements on behalf of MAPS, whose policies are set out at the website <>

We'll discuss the MAPS RBL in more detail in the "Spam Prevention" section a little later; to quote from <>, however -

"The MAPS (Mail Abuse Prevention System) RBL (Realtime Blackhole List) is a list of networks which are known to be friendly, or at least neutral, to spammers who use these networks either to originate or relay spam. As we discover such networks, we deny them access to the part of the Internet that we are paying for. Because our research into the attitudes and policies of network owners is hard to duplicate, many dozens of other network owners have asked for and are now receiving a real time mirror of our MAPS RBL."

These measures serve to exert pressure on a spam-supporting provider to clean up their act, in addition to protecting parts of the Internet from their spam. MAPS themselves actively work to encourage providers whose machines are on the RBL to reform and thus escape the RBL.

Many entries on the RBL come about as a result of nominations from members of the general public. If you can't touch a spam-supporting provider by any other legal means, then nominating them for the RBL may be appropriate. Preparing an RBL nomination does not require a great deal of technical knowledge but it does require some time and effort. For full information on how to nominate a provider for the RBL, see the following resource:

Reporting Abuse to the MAPS RBL team <>

There is a mailing list for discussion of potential RBL nominations. To join, just send a message to: with the command subscribe rbl-nominate in the body of the message. You will be required to confirm your subscription, of course.

Bitching

A very controversial tactic is that sponsored by <>.
This is a service a little like, except that it forwards email to _every_ known contact address for abusive and unresponsive ISPs. The idea is that by forwarding abuse reports to as many officials and unrelated departments as possible, the message will get through somehow. However, this is considered by many (including the faq-maintainer) to be sending Unsolicited Bulk Email and thus wrong. And even if you can get over that moral hurdle, it is extremely impolite.

=========================================================================
------------------------- 1.4 SPAM PREVENTION ---------------------------
=========================================================================

Spamfighting is very important for reducing the amount of spam we'll all receive in the future but it doesn't do much to affect your spam intake for today. This section looks at some popular methods that are used to reduce the amount of spam currently ending up in mailboxes.

RELATED LINKS
Abuse Prevention <>
SPAM-L FAQ: Blocking Spam <>
Blocking Spam Relaying and Junk Mail (rather technical) <>

1.4.1 How can an individual reduce the amount of spam they get?

How do spammers get our email addresses?

The obvious way to reduce the amount of spam you receive is to make sure that spammers don't have your email address! Before we can go further with this, however, we must learn how spammers get hold of email addresses in the first place. As it turns out, there are five main ways:

* They pick them up when they're used publicly on the Internet, e.g. in a newsgroup posting or on a webpage. This is by far the most common way, and is known as "harvesting". Using your email address in a newsgroup or on a webpage is generally understood to solicit personal, topical replies from individuals, but is not a solicitation to receive broadcast advertising.

* They buy a CD of addresses from another spammer.
These addresses were probably harvested from newsgroups or webpages in the manner described above, and are often years out-of-date to boot. As the saying goes, there is no honour among thieves...

* They guess them. For example, it's a fair bet that "" could be a valid email address, although there's no way of knowing to whom it leads. When spammers concentrate this technique on one domain it is sometimes called a "dictionary attack". (As it happens, isn't a valid email address, because "" is a domain reserved for testing and examples.)

* Our ISPs sell them our email addresses. This is extremely rare.

* We give them to them. Always carefully read the privacy policy of any website before you give your email address to it, as sometimes email addresses are passed on or used for purposes other than those we intended when we gave them.

For a more detailed look at how spammers find email addresses, have a look at this document:

FAQ: How do spammers get people's email addresses? <>

Choose a non-obvious email address

Some spammers guess email addresses, so it may be a good idea to use something that spammers can't guess easily. For example, instead of, why not have

Be careful with your email address

The only way to totally eliminate the chance of receiving spam is not to have an emailbox. Even if you have an emailbox and never ever show your email address to anyone else, there's still the chance that a spammer might guess your email address. However, there are a few less extreme steps you can take to at least reduce the amount of spam you receive...

* Never, ever give your email address to a company you do not trust entirely. If in doubt, open a free email account with a web-based provider such as and use that address for communicating with the company; that way, if they do spam, you can close the account and you've only lost a free email account you weren't using for anything else.

* Never, ever post to usenet using an unmunged email address you care about.
Use a throw-away address from a free email provider or munge your email address as described in (Some people have reported that you can reduce spam without impacting upon the ease of contacting you, by posting with a munged From: address or an unmunged Reply-To: address, but I can't believe the spammers won't catch on to this eventually.)

* Never, ever allow your email address to appear on a website, including on a web-based discussion board.

Some people concerned about privacy enter made-up email addresses into online application forms and the like. This seems like a good idea, but it is important to make sure that the made-up domain you use doesn't actually belong to anyone, otherwise you'll just be sending spam to the innocent third-party who owns it. This can become a very serious problem for the owners of some domains popularly used in such forms.

BAD MADE-UP EMAIL ADDRESS:
GOOD MADE-UP EMAIL ADDRESS: go@away.invalid

There are several free mail-forwarding services that can be used to reduce your spam-level. The idea is simple; you give a different mail forwarding email address to each company that asks for your email address, and the mail forwarder forwards all mail to these addresses to your usual mailbox. If a company ever starts to spam you, you just disable the forwarding address you gave them and you won't get their spam, without affecting your other incoming mail. Companies who provide this service include:

SpamEx <>
Sneakemail <>
Spam Motel <>
Despammed (filters mail using the MAPS and ORBS blackhole lists) <>

Address Munging

"Munging" is the act of mangling your email address so that it can still be read by a human but cannot be automatically harvested by spammers.
For example, my email address:

Could be munged into any of the following:

jjf<at>mungedeg<dot>twinlobber<dot>org<dot>uk
fjj@ku.gro.rebbolniwt.gedegnum.REVERSE-TO-SEND-EMAIL

When munging, you have to be careful not to accidentally munge your own email address so that it's identical to someone else's, and should always munge the bits to the RIGHT of the @-sign and not just the bits to the LEFT (otherwise your ISP will still get your spam even if you don't yourself). Also, you should ensure that your munged domain name is NOT an existing domain (else the poor sod who owns it could get your spam).

Recent drafts of the Usenet message format RFC specify that the From: line of a newsgroup posting must contain either a valid email address or an email address ending in ".invalid". Your munged email address should really comply with this forthcoming standard, e.g.:

Note that some spammers now have harvesting software that can remove widely-used munges like "NOSPAM".

RELATED LINKS
Address Munging FAQ <>

Whitelisting

Some ISPs forbid their customers from using a munged email address. In these cases, whitelisting can be an alternative. In this, you set up your mail account such that some given word or string of characters must be in the subject line for any mail to be accepted, and then you explain this in any newsgroup postings and webpages containing your address. This way people can respond to you, but spam will be deleted from the server without you having to spend time downloading and reading it. This works especially well with webpages, e.g. use:

<A HREF=" Comments about my webpage">Send me email!</A>

Then kill any mail that doesn't have FRIENDLYMAIL: in the subject line and have the rest forwarded to your real email address.

Filtering

You can filter your personal email if you wish, deleting messages based upon the appearance of certain strings of characters or based upon the sender.
For example, depending upon your tastes, it may be a fair bet that any message with "FREE LIVE SEX" in the subject line is spam.

The risk of filtering, of course, is that some non-spam mail will accidentally trigger these filters (perhaps by someone trying to discuss a piece of spam with you?) and this legitimate email will get deleted too. In order to prevent this, some people just filter suspected spam into a separate folder, which they clean out by hand from time to time.

RELATED LINKS
The Spam Bouncer <>

1.4.2 How can an ISP reduce the amount of spam their customers get?

Stop Accepting All Email

This will immediately reduce the spam intake of their customers to zero. Unfortunately, it also destroys email as a usable communication medium. In order to prevent this becoming necessary whilst still taking action to reduce their customers' spam levels, many ISPs adopt policies that are midway between blocking everything and doing nothing...

Filtering

One tactic used by some ISPs to cut down on spam is filtering. The ISP scans incoming mail and any messages that match the pattern of a known piece of spam are discarded. The big danger with filtering is that of false positives; users are unlikely to be very pleased if some non-spam mails are mistaken for spam by the filter and never arrive.

Blackholing

Blackholing (or Blacklisting) is a variation on filtering whereby an ISP refuses to accept any email from machines that have a reputation for producing a disproportionate amount of spam. Many administrators have had some success with this tactic, although there are two main problems with it: firstly, someone will have to add more spam-sending machines to their list as more emerge if the effectiveness of the list is to be maintained, and secondly it is hard for the ISP to know when a machine on the list has reformed and is no longer emitting spam.
Of course, with any type of blackholing, any legitimate email from machines on the blackhole list will be lost along with the spam emails.

Lists

There are several publicly available lists of machines that many ISPs use for blackholing as described above. Having a reliable third party manage such a list neatly avoids the ISP having to take responsibility for maintaining a blackholing list, although it does raise censorship concerns for some people. The oft-repeated mantra in such discussions is that the list maintainers are not actually blocking email at third-party ISPs; rather, the ISPs themselves are blocking the email. However, the influence of these lists can itself be a powerful weapon in the war on spam; many organisations will reform or fix their problems rather than risk remaining on one of these lists.

MAPS

I have been asked to emphasize that where not otherwise specified, everything in this section is the personal opinion of the FAQ-maintainer and should not be considered to be statements on behalf of MAPS, whose policies are set out at the website <>

MAPS (Mail Abuse Prevention Systems) LLC is a not-for-profit organisation which has in recent years become an important combatant in the battle against email abuse. Amongst other things, MAPS publishes non-definitive lists of IP addresses classified according to various criteria. It is commonly believed that many Internet Providers and others use some or all of these lists, in a variety of ways, in order to reduce the amount of spam received by them or their customers. Among the lists maintained by MAPS are:

* MAPS RBL - To quote from <> - "The MAPS (Mail Abuse Prevention System) RBL (Realtime Blackhole List) is a list of networks which are known to be friendly, or at least neutral, to spammers who use these networks either to originate or relay spam. As we discover such networks, we deny them access to the part of the Internet that we are paying for.
Because our research into the attitudes and policies of network owners is hard to duplicate, many dozens of other network owners have asked for and are now receiving a real time mirror of our MAPS RBL."

* MAPS RSS - "Relay Spam Stopper", an initiative aimed at the problem of spam sent through open mailservers (see 3.4.1 in the Understanding NANAE chapter of this FAQ for information on open mailservers). To quote from <> - "The MAPS Relay Spam Stopper (RSS) is a freely queryable DNS-based database of spam-relaying mail servers. If you run your own mail server, you can configure it to utilize our list, if you'd like to refuse mail from these types of servers."

* MAPS DUL - "Dial-up User List". Quoting from <> - "The MAPS DUL lists dial-up and other dynamically assigned IP addresses for the convenience of mail administrators wishing to stop this trespassing, and for Internet providers to help prevent trespassing from their networks by volunteering their dial-up information to us.". Because most legitimate (non-spam) email is sent via an ISP's mailserver, rather than directly from a dynamically-assigned IP address, blocking email from machines on the DUL can reduce the amount of spam received. Note that machines on the DUL have not necessarily ever been used for abusive purposes.

ORBS

ORBS was a validated list of open mail relays (see section 3.4.1 in the "Understanding NANAE" part of this FAQ) and other types of system. Many Internet Providers and others choose to refuse to receive email from machines on this list, on the grounds that such email may be spam. By doing this they:

1) Reduce the amount of spam they and their customers receive.
2) Apply pressure to those running open relays to close them.

Other Internet providers choose simply to flag or statistically count mail coming from machines on the list.
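
The lookups behind the lists described above (MAPS RSS is quoted as a "DNS-based database", and ORBS users either refused or merely flagged listed mail) can be sketched as follows. This is an added example, not code from this FAQ, MAPS or ORBS: the zone names, sample addresses and fake DNS table are constructed, and it assumes the list follows the usual DNS blackhole convention of reversed octets under the list's zone with listed hosts answering inside 127.0.0.0/8.

```python
import ipaddress
import socket
from collections import Counter

# Hypothetical zones and policies, constructed for this example. Replace them
# with the zone of a list you have decided to use.
ZONES = {
    "relays.dnsbl.invalid": "reject",   # stands in for an open-relay list
    "dialups.dnsbl.invalid": "flag",    # stands in for a dial-up list
}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone):
    """Build the name to look up: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 addresses")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None if the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        # No such name (not listed) or a resolver problem. Both are treated
        # as "not listed" so that a DNS outage never blocks legitimate mail.
        return None


def is_listed(ip, zone, resolve=system_resolver):
    """True if the list publishes an entry for this connecting address."""
    answer = resolve(query_name(ip, zone))
    if answer is None:
        return False
    # An answer outside 127.0.0.0/8 is not a listing (for example a wildcard
    # record on a zone that no longer serves a list), so it is ignored.
    return ipaddress.ip_address(answer) in LISTED_NET


def decide(ip, zones=ZONES, resolve=system_resolver, stats=None):
    """Return (action, matching zones); action is accept, flag or reject."""
    hits = [zone for zone in zones if is_listed(ip, zone, resolve)]
    if stats is not None:
        stats.update(hits)              # the "statistically count" option
    actions = {zones[zone] for zone in hits}
    if "reject" in actions:
        return "reject", hits
    if "flag" in actions:
        return "flag", hits
    return "accept", hits


# Constructed DNS data so the example runs offline.
FAKE_DNS = {
    "25.2.0.192.relays.dnsbl.invalid": "127.0.0.2",
    "7.100.51.198.dialups.dnsbl.invalid": "127.0.0.3",
    "9.113.0.203.relays.dnsbl.invalid": "203.0.113.1",   # bogus answer
}


def fake_resolver(name):
    return FAKE_DNS.get(name)


def demo():
    """Run the policy over four constructed connecting addresses."""
    stats = Counter()
    senders = ("192.0.2.25", "198.51.100.7", "203.0.113.9", "192.0.2.1")
    verdicts = {ip: decide(ip, resolve=fake_resolver, stats=stats)[0]
                for ip in senders}
    return verdicts, stats


if __name__ == "__main__":
    verdicts, stats = demo()
    for ip, action in verdicts.items():
        print(ip, action)
    print(dict(stats))
```

Flagging rather than rejecting suits a list such as the DUL, whose entries have not necessarily been used for abuse.
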
ORBS could be a rather controversial entity, and long and robust discussions of it often broke out in Rather than go into the details here, this FAQ maintainer recommends that you use to sample the opinions on both sides of the argument and form your own views if you're interested.

Did ORBS die in June 2001?

Probably. There's been a great deal of conjecture but the facts seem to be as follows:

* In early June 2001, two New Zealand ISPs went to court to force ORBS to remove (allegedly erroneous) entries for their mailservers from their list. The court upheld their complaint.

* Thereafter Alan Brown of ORBS posted a public apology to these ISPs which also included the announcement that for unrelated reasons ORBS was closing immediately.

There has been a great deal of conjecture about whether the timing of the closure of ORBS was entirely coincidental with this court case, but I haven't seen any evidence to suggest otherwise. And I have seen it suggested that Mr Brown was having problems with his own ISP anyway.

There has been no indication that ORBS will be returning. Several other organisations have stepped up to fill the breach left by ORBS:

ORBL <>
ORBZ/ORB UK <>
ORDB <>

More information will be forthcoming once the situation has stabilised.

RELATED LINKS
ORBS now split into three! <>

1.4.3 How can an ISP reduce the amount of spam their customers send?

With difficulty. However, experience has shown that there are a few things that can make a difference...

* If an ISP has a reputation for dealing with spammers quickly and decisively, many spammers will avoid them. If spammers are dealt with very rapidly indeed, the ISP may be able to shut down a spam-run before it has completed.

* An ISP can have a clause in their terms of service that allows them to charge "clean-up fees" to any customers that send spam. Unfortunately, many spammers sign up using stolen credit-card numbers, and in these cases clean-up fees aren't much of a deterrent.
It can be messy to collect clean-up fees, too.

* An ISP can implement "port 25 filtering" (see 3.4.2 in "Understanding NANAE") to prevent their customers from spamming via open relays. Note that this, however, will prevent their customers from using external mailservers for legitimate reasons too.

=========================================================================
------------------------ 1.5 ABOUT ANTISPAMMERS -------------------------
=========================================================================

1.5.1 Why do anti-spammers fight spam?

There's no collective answer to this - different people will have different motivations. However, three of the most common ones are:

1) Fear. We've calculated our email boxes will become useless if spam becomes a widespread marketing method, and we don't like the idea.
2) Anger. We don't like people stealing our computer resources and so we're going to defend ourselves.
3) Altruism. We want to make the Internet a better place.

1.5.2 Aren't anti-spammers just a load of anti-business communists?

No. Some anti-spammers own businesses, and most of the rest work for businesses. Anti-spammers are generally NOT anti-business. In fact, many anti-spammers happen to believe that businesses that cannot survive without stealing the computing resources of others (i.e. spamming) should go the way of the dodo. It's called "capitalism".

1.5.3 Aren't anti-spammers just a load of anti-commerce net-nazis?

See 1.5.2 above.

1.5.4 Don't anti-spammers just want to control email on the Internet?

No. Controlling all email on the Internet, apart from being a practical impossibility due to the distributed nature of the system, would be an extremely big job to undertake purely to satiate a few egos.

1.5.5 Why don't anti-spammers spend their time stamping out porn instead?

Porn isn't what gets anti-spammers hot-under-the-collar; spam is.
Anti-spammers are drawn from a surprising cross-section of society and you'll find that they hold wildly divergent views about the contentious issues of the day, pornography included. However, they are drawn together by the simple opinion that spam endangers the email system, which they really rather like.

1.5.6 Why don't you anti-spammers just get a life?

We have lives. Part of our lives involves sending and receiving email and so we want to protect this when it is endangered.

1.5.7 Are anti-spammers all Systems Administrators?

Sometimes, when reading, you can get the impression that in order to be an anti-spammer you have to be a technical wizard and run your own mailserver. This isn't the case at all, and the point to remember here is that the only people who contribute to highly-technical discussions will be those with highly-technical knowledge, but this doesn't mean that there aren't less-technically-minded people reading.

Anti-spammers tend to be drawn from many sectors of life with many different types of knowledge. Some do run their own networks and their own mailservers, but many do not. This FAQ-maintainer, for example, is a Java programmer. Many anti-spammers don't even work in the computer industry; they can be florists or brick-layers, brain surgeons or secretaries. It doesn't matter. The skills needed for most spamfighting are fairly easy to learn and the more voices that are heard on this issue, the better.

1.5.8 If you anti-spammers are so smart, why am I still getting spam?

So who said we were smart? ;-)

As a problem, spam has not been solved. We will probably never be able to completely eliminate spam from this world, any more than we can expect to eliminate robbery, assault, or bad music. Realistically, our aim must be to reduce the spam levels as much as possible, to a level where it doesn't greatly impinge on the usability of electronic mail. That's an achievable goal.
We aren't there yet, and we have a long way to go, but we've come a long way too. Someday, someway, we _will_ get there.

=========================================================================
------------------------------- CREDITS ---------------------------------
=========================================================================

No document of this magnitude can be the work of only one man. I would like to thank everyone who offered ideas and suggestions, everyone who pointed out grammatical errors and gaps in my logic, and places where I was just plain getting things wrong. This wouldn't have been possible without you, people.

Thanks also to Paul Anderson for giving the document an official proof-read.

=========================================================================
----------------------------- USE POLICY --------------------------------
=========================================================================

You may copy and redistribute this FAQ in unmodified form by any means or media you see fit.

You may modify the presentation of this FAQ as you see fit, so long as the content remains unaltered.

You may modify the content of this FAQ so long as you appropriately credit both your changes and the original authors of this FAQ. At a minimum, the link to the FAQ's website _must_ remain in place.