Since moving the page to Inertia, and taking on more of the responsibilities of administration, I wanted to put up a little portion of this page as a statement for the rest of the site. We don't have any real agenda for this domain, just kind of cool to have your own E-mail address without "22347" behind "Betty". We don't like spam, and don't support anyone who does it. If we find someone whom we have given an E-mail account to is abusing it in any way, we'll delete it.

period.

       Of course that kind of accusation needs to be documented. If you find anything that "supposedly" came from this domain, or asks you to reply to an address, or URL in this domain, send along with the E-mail the FULL headers, and I'll personally see to it that it will be investigated and dealt with. Be aware that I cannot do anything about someone outside this domain, other than sending polite E-mails to the respective site admins. Any abuse should be reported to:

abuse@inertia.org

 

HR3888, Sec 201, paragraph 2

(Unit #1544)

(tinlc)(tm)

Any inquiries, of any kind, contributions, suggestions,
or God forbid copyright infringement, please send to:

peti@inertia.org


(I actually read my mail)

 

   Let me preface this by saying it's not all commercial mail that I have a problem with, it's Unsolicited Commercial E-mail/Unsolicited Bulk E-mail. The kind that asks if you want to "See world record sex...", and "Make millions in your spare time...". Things I didn't ask for in the first place. I have no problem helping to enforce ISPs' Acceptable Use Policies, or Terms of Service. You can call me what you will... "Net Cop", "prick", "that A-hole that got my ISP to shut me down...", whatever. I prefer "Freelance AUP Enforcer". I started this page kind of annoyed by the occasional turdlett in my inbox, and have found out the hard way just how far these (L)users will go to keep you from infringing on their greed. Oh, and for those of you who think I'm infringing on inDUHvidual's "right" to free speech: Just because it didn't cost YOU anything, doesn't mean it's free! 'nuf said.

   I'm going to make every effort to keep this page up to date, but getting myself up to date is the big job. Check back often and I'll be updating things as I have time. Oh yeah, all the info on this page is geared for Win'95/'98, seeing as it's the only platform I have any experience on. If you're groaning at this particular point in time, and feel as if you have some info to share, use the mail link above. Also use it to let me know of any dead links (except on the mirrors), and any comments or suggestions you may have. I hope you find these pages helpful,
      Don
(Badges? We don't need no steenking badges!)
http://www.cauce.org
http://www.inertia.org/PETI
Lumber Cartel Unit #1544 (tinlc)(tm)

 

"Table" of Contents

Responding to spam
Tools of the trade
Cracking a mail header
Cracking a Usenet header
Passive resistance (Munging etc.)
FAQ mirrors
Links
E-sigs
Killboard
Page updates

 

 


 

 

Responding to spam

 

Do not reply to the return address

Never respond to a spam e-mail. For a spammer, one 'reply'
is justification enough to continue the practice. Responding in a threatening
way to a spammer could also get you signed up for things that you really
didn't want, like the "Gay porno pic-o-the-day", or get your home address and
phone numbers posted to alt.erotica.anal, or earn you "Love letters" like these,
sent to a poster on NANAE, Moyra J. Bligh. Remember that spammers are not law
abiding in any way; they won't hesitate to mail-bomb you, or perpetrate other
Denial of Service attacks on you. So if you are not prepared for these sorts
of things, complain "upstream".

Never respond to the spam e-mail's instructions to reply with the
word "remove." This is just a trick to get you to react to the e-mail. Most of the
time, it's a reply to a "drop box" like an address at Hotmail or Juno. These
companies have "Zero Tolerance" policies to spam, and most likely these addresses
will be cancelled before you have a chance to respond. Also it potentially alerts
the sender that a human is at your address, which greatly increases its value.
If you reply, your address is placed on more lists and you receive more spam.

A word on "Remove Services"
There are (were, will be) "remove lists". These are websites set up under the
guise of "responsible commercial mailings" and other nonsense like that.
Most of these services are run by bilkers* to collect live addresses. Submit
your address to a list such as this, and prepare for the deluge of spam!

*(a term used to describe bulk E-mailers, which was misspelled and the term was so coined)

 

Respond to their server's postmaster

These are some of the instructions from Juno's unwanted mail FAQ:

"If you have received a commercial, obscene, or harassing e-mail message,
the best way of responding to such a message is to inform the postmaster
at the sender's Internet Service Provider.  To do so, please follow
these steps: 

...Pull down the Options menu by clicking on the word "Options" near the top of the screen and then select "Show Mail Headers" from the menu that drops down. This will keep all the headers of the message intact, which has important information to help the postmaster track down the sender...

...Click on the "Forward" button, and address the new message to the postmaster at the site from which the original message was sent. For example, if the message was sent by "somebody@somewhere.com" you would forward the message to "postmaster@somewhere.com"....

(You can read Juno's unwanted mail policy HERE.) This is the first policy with instructions on how to "properly" respond to UCE, that I found. Obviously, if you don't have mail from Juno these steps will be different. I will cover more of how to find and read the FULL header in "How to crack a header".

 

Example of a not-so-diplomatic response to spam:

Hello Kim Z.

Our news group was spammed by a guy offering MLM+Sex=Riches. I am
pleased to see you have yanked him off (no pun intended), but why is
there a link to an adult site at the top of the page??? And clicking on
it goes right to [website] the one who sent the spam?
What gives? Is this some kind of sham? I'll tell you what, you have 24
hours to get the spam off our news group
news://news/***.***.***.***.***[address omitted]  or I will be getting real
ugly. This is no joke, and no threat, it is a promise.

...and the response from a not-so-happy president:

Hi,

Thanks for your threat, joke, or whatever you called it. I do not see how you 
were able to go to OUR sex site since the link at the top is to an online sex 
store which is not within our domain.  I will remove the link so that our 
member cannot "profit" from anything. I assure you that this webmaster has, 
and will be further reprimanded. He is brand new to this whole internet thing. 
I again thank you and about 600 others for letting me know. One last note 
that I do not respond well to stupid threats but I do understand your point 
and respect that his postings should not have been there. Next time a simple 
note and it's handled OK? Let's all just get along :-) There are idiots out 
there and this may very well be one of them but threats will not help us rid 
ourselves of this type of activity.

Shawn Berg
President
O*** M*** Co.

*Mr. Berg has an anti-spam policy in effect, but did not want direct publicity
  since he receives quite a bit of spam as well, and due to the nature of the
  "product" being advertised. I will thank him, however, for permission to
  re-print his reply.

 

Do not mail bomb!

Never mail-bomb spam sites or engage in hacking to stop spammers. This
only increases the amount of wasted Internet traffic, creates sympathy
for spammers, and makes the Internet even less reliable than it already
is.

Another reason not to mail bomb ISPs is that if enough people are 
aware of how to track these induhviduals down, and are willing to
do something besides hit the delete button, we can legitimately
"bomb" someone one at a time (ref.: "...you and about 600 others...").
This sends a GREATER message that we are no longer going to sit
still and take this crap!

It also reminds me of a parable:

(paraphrased) There was a judge who wasn't too concerned about certain issues, and wasn't very respectful of anyone. A widow kept coming to him saying, "Give me legal protection from my opponent.". He didn't want to be bothered, at first, but then he said, "Even though I do not fear God nor respect man, yet because this widow bothers me, I will give her legal protection, lest by continually coming, she will wear me out."

Moral:

If we wear postmasters out (i.e. sending them back the crap that their users are sending to us), they will be more apt to stop spam and form anti-spam policies than if we just sit back and do nothing.

 

What some sites say:

WaterWheel Systems has a wonderful anti spam policy, and is the first
one I came across. Some highlights are:

   "If you've been spammed by a Water Wheel Systems customer, please be
   reasonable when complaining. Send a copy of your complaint, along
   with the original message to root@waterw.com and to the person who
   sent it. There is no need to make threats against us or to include
   quotes from recent court cases; we're very aware of the subject and
   can handle it better than a typical user on the internet. While we
   do not condone spamming, we also do not approve of users who take
   matters into their own hands and try to harass us. If we get
   mailbombed then we simply add your email address and/or domain to
   our list of sites we refuse email from."

And:

   "When someone chooses to route mail through a mail server other
   than their provider's, the US court system has clearly decided
   that this is considered a loss of service for the legitimate users
   on that system. Therefore, we will charge for such incidents.
   A base price of $5000 per incident will be charged to anyone who
   routes spam through our mail server. You've been warned."

You can read the full policy HERE.

 

Hotmail's auto responder:

Thank you for emailing Hotmail Policy Enforcement (Abuse). The
Hotmail Terms of Service (TOS) forbids email abuse, and we strictly
enforce the TOS. 

We also employ tough unsolicited bulk email (aka "spam")
counter-measures:

1. We LIMIT the number of individual recipients allowed per each email
message, making Hotmail ineffective for sending "spam."
2. We do not allow numeric characters at the beginning of an email
address. Any Hotmail Login Name beginning with a NUMERIC character is a
forgery.
3. We include the field "X-Originating-IP: [xxx.xxx.xxx.xxx]" in the
header of each email message that is delivered via our system. If an
email message doesn't contain this field in its full headers, it DID
NOT come from Hotmail. 
4. We maintain a FULL login IP history for each Hotmail account. 
5. We BLOCK our relay hosts so "spammers" can't use them.
6. We have been successful in taking action against senders of
unsolicited bulk email who forge Hotmail addresses.

Hotmail has also been instrumental in legal battles against "spam." 

We do not recommend replying to "Remove" addresses, as this only
confirms that your email address is active, and directs more unwanted 
email to your account.  Clicking a URL embedded in an unsolicited 
message may reveal your Hotmail address to that Web site. 

If you are writing to report unwanted, abusive, or fraudulent email,
please note that you MUST include the full, unedited content of the
email message in question, along with the full, unedited message
headers. Email programs often display short headers. To display the
full headers, please consult your email program's help system.  

If you are reporting abuse from a non-email source, such as ICQ, chat,
or Usenet, you must include the following information in your message:
1. The media involved (chat, ICQ, Usenet, etc.)
2. The Hotmail account involved
3. The content of the offensive or unsolicited message
4. Any user information

We will reply to you regarding your concern as soon as possible. 

You may also reach the Department of Policy Enforcement by telephone at
(1)(408) 222-7011 Monday-Friday from 8a.m. to 6p.m. Pacific time.

The Hotmail Department of Policy Enforcement is dedicated to
eradicating spam, one villain at a time.

And Hotmail's auto response to a cancelled account:

NEWS FLASH: Hotmail Takes The Offensive Against Spammers
http://www.zdnet.com/zdnn/content/zdnn/0126/278638.html
http://www.hotmail.com/pressnospam.html

Thanks for contacting Hotmail, the original & world's largest free 
web-based email provider.

We DON'T maintain or manage any mailing lists. We provide free email 
accounts from which our users send & receive email. To ensure user 
privacy, we don't monitor the content of messages as they come and go. 
That being said, our TOS forbids email abuse including spam, & we 
enforce our TOS with zero-tolerance zeal. 

The account you reported HAS BEEN CLOSED. +99% of these are forged 
header addresses in spam NOT SENT BY OR THROUGH Hotmail. We employ 
tough spam counter-measures:

1) We severely LIMIT the number of individual recipients allowed per 
each email, making Hotmail ineffective for spam.

2) Any Hotmail username beginning with a NUMERIC character is a 
forgery.

3) We include "X-Originating-IP: [xxx.xxx.xxx.xxx]" in the header 
section of each email we deliver; if email doesn't contain this line in 
the full header, it DIDN'T come from Hotmail. 

4) We maintain a FULL login IP history on each Hotmail account. 

5) We BLOCK our relay hosts from improper use.

6) We have announced LEGAL action against spammers who forge Hotmail 
addresses into their spam, which NOT SENT BY OR THROUGH our service. 

In general, we've found it's a BAD idea to reply to "remove" addresses, 
as this usually only confirms your email address as active, and sends 
extra spam your way.

You may find some of the links below useful in your spam-fighting 
efforts. Please contact us if we can be of further help.

- Hotmail Policy Enforcement (Abuse)

Fwd Hotmail spam to: abuse@hotmail.com (full msg AND headers)
Hotmail TOS: http://www.hotmail.com/cgi-bin/tos.cgi
Hotmail UCE policy: http://www.hotmail.com/nospam.html
GoodGuys: http://www-fofa.concordia.ca/spam/complaints.shtml
Responsible sites: http://spam.abuse.net/goodsites/
UCE closures posted: news.admin.net-abuse.email
FTC ScamSpam: http://www.junkemail.org/scamspam/
Spam-L FAQ: http://www.ot.com/~dmuth/spam-l
"When a problem comes along, you must whip it."


 


 

Tools of the trade

 

Where to get tools

This is the most modified section on the page. I've found more cool
tools in the past few days and I'm really excited about them.

 

"WEB TV"

Exsqueeze me? A baking powder? For those of you who are using WebTV
to do your surfing, and can't download any software (Or anyone who
doesn't want to download any software) there are web-based tools for
you to use:

U_X_N: Spam Combat
http://www.ultradesign.com/engineering/uxn/

Most everything you'll need to do the needed research on the turdletts
that show up in your inbox.

 

"SPAMKILLER"

This is what I'm currently running to filter my POP3 mail. It seems to have
unlimited filtering capabilities, and is available as a demo download here:

http://www.spamkiller.com

 

"NETDEMON"

NETDEMON is a utility program that lets you do WhoIs look-ups, traceroutes,
ping, finger, IP and DNS look-ups. An out and out cool program. Its WhoIs
utility is the best I've seen. Available as a Beta here:

http://netdemon.simplenet.com/index.hts

 

"SAM SPADE"

Pretty much the same as NETDEMON, but a few things are different. I like the
traceroute on this one better, and this is the only program whose start-up
tips I didn't disable. Funny, yet informative. The site is here:

http://www.blighty.com/products/spade/

 

(More tools that I haven't downloaded or looked at yet:)

Cyberkit

http://www.ping.be/cyberkit

NetLab

http://www.eb.uah.edu/~adanil/php.cgi/~adanil/NetLab.phtml

WS_Ping ProPack

http://www.ipswitch.com/Products/WS_Ping

AGNetTools

http://www.aggroup.com/AGNetTools

NetScanTools

http://www.nwpsw.com/nstmain.html


(I'll get into showing you what the different utilities do, traceroute is the
only one I have done so far. Bear with me)

Trace route (tracert)

This is a command in DOS you can use to track down the originating DNS
name (the host name registered in the Domain Name System) of the E-mail,
starting from an IP number in its header. This should give you something
that looks like this:

C:\WINDOWS>tracert 203.108.182.235

Tracing route to slmlb7p43.ozemail.COM.AU [203.108.182.235]
over a maximum of 30 hops:

  1   179 ms   161 ms   202 ms  *****(deleted)*****
  2   161 ms   177 ms   157 ms  *****(deleted)*****
  3   178 ms   191 ms   164 ms  *****(deleted)*****
  4   185 ms   174 ms   181 ms  *****(deleted)*****

  5   185 ms   181 ms   177 ms  311.ATM12-0-0.BR1.ATL1.Alter.net [137.39.21.73]

  6   449 ms   438 ms   177 ms  core3-hssi3-0.Atlanta.MCI.net [206.157.77.113]
  7   285 ms   367 ms   295 ms  bordercore4.SanFrancisco.MCI.net [166.48.18.1]
  8   467 ms   466 ms   765 ms  telstra.SanFrancisco.MCI.net [166.48.19.250]
  9   464 ms   487 ms   473 ms  Fddi0-0.pad10.Sydney.telstra.net [139.130.249.231]
 10   480 ms   463 ms   459 ms  ozemail.lnk.telstra.net [139.130.32.18]
 11   464 ms   452 ms   456 ms  ciscosyd1fe11-0-0.gw.ozemail.COM.AU [203.108.0.49]
 12   645 ms   655 ms   579 ms  mel1s3-0.gw.ozemail.COM.AU [203.7.191.90]
 13   563 ms   638 ms   576 ms  termmlb7.ozemail.COM.AU [203.108.181.16]
 14  1672 ms  1534 ms   998 ms  slmlb7p43.ozemail.COM.AU [203.108.182.235]

Trace complete.

Now this particular trace yielded the server name "ozemail.COM.AU".
Match this with the header, and see if the domain name matches the IP number.
To run a trace, use the DOS prompt: in your 'start menu' go to 'programs', double-click
on 'DOS prompt' and you should get a "C:\WINDOWS>_" prompt.

You can play with this for a while, and look up DNS's in E-mails that
your friends send to you, to get the hang of using it.

Note:
Tracert is a DOS command, and should work on any win'95/'98/NT OS, and you DO
have to be connected to the internet (or LAN) to run a trace (go figure).
	*(Thanks Kathi)

 


 

Cracking a mail header

 

OK, I've got a couple, here. The first is a header of a Pyramid spam that
I got a while back. After the step by step I'll let you know what
happened with it.

 

The "short" header

 -----Original Message-----
 From: Larissa Jane <larissajane@hotmail.com>
 To: Don***@[XXX].com <Don***@[XXX].com>
 Date: Monday, June 29, 1998 1:25 PM
 Subject: Dear friend,

Yeah, well, this doesn't tell you a whole lot. If you sent this to Hotmail,
they'd tell you (via auto-responder) that the account has been closed.
We're done, right? Wrong. We need to pull the FULL header off of this bad boy
to see who really sent it.

(Now I'm using Outlook Express as my POP3 mail program. I'll try Netscape,
but don't blame me if it isn't entirely correct.)

 

Netscape:

Go to 'options', then 'Show headers', then highlight 'all'. Simple.
All your mail should now show the full header when opened. As far as
copying the header to your forward? Good luck. (I'm sure SOMEONE
will let me know how)

 

Outlook Express:

Let's start by going to your inbox, where the offensive piece of spam is.
R-click on the message, and L-click on 'properties'. You should have a
window with the properties of that message. L-click on the 'Details'
tab, and you should have a window with the header in it. Click and drag
to highlight the header, R-click and choose 'copy', and 'paste' it to your
forward.

 

AOL's "mailserver":

The header should be a part of the message you've received
(tacked on to the bottom). Make sure you copy it to your forward
before you send it.

(NOTE: When you do this for a while you see small differences in
 the format of the E-mail sent. This can help you finger out who
 sent it)

 

The header:

OK, our sample header looks something like this:

Received: #############(this is where it came to me.)##########
	id NW51S6W1; Mon, 29 Jun 1998 16:25:43 -0400
Received: from netlink.com.au ([203.16.172.1])
          by bftoemail2.[XXX].COM ([XXX] [XXX] Mail v1.0
          with message handle 980629_160603_1_bftoemail2_smtp;
          Mon, 29 Jun 1998 16:06:03 -0500
          for don***@[XXX].com
Received: from reubsnt (slmlb7p43.ozemail.com.au [203.108.182.235])
	by netlink.com.au (8.8.5/8.8.5) with SMTP id GAA04309
	for <Don***@[XXX].com>; Tue, 30 Jun 1998 06:11:55 +1000
Date: Tue, 30 Jun 1998 06:11:55 +1000
From: Larissa Jane <larissajane@hotmail.com>
To: <Don***@[XXX].com>
Message-Id: <18161.235976.25190596 Don***@[XXX].com>
Subject:  Dear friend,
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

WOW! A lot different than the "short" version in the forward, huh?

Now let's look at it:

Every time there is a 'Received:' it is either another leg of the
electronic journey, or a forgery. Each mail server adds its 'Received:'
on top of the ones already there, so the bottom one is the first leg:

Received: from reubsnt (slmlb7p43.ozemail.com.au [203.108.182.235])
	by netlink.com.au (8.8.5/8.8.5) with SMTP id GAA04309
	for <Don***@[XXX].com>; Tue, 30 Jun 1998 06:11:55 +1000

OK, we go to our DOS prompt and do a trace:

 (We join the trace, already in progress)
  6   172 ms   168 ms   170 ms  core3-hssi3-0.Atlanta.MCI.net [206.157.77.113]
  7   230 ms   232 ms   233 ms  bordercore4.SanFrancisco.MCI.net [166.48.18.1]
  8   440 ms   437 ms   466 ms  telstra.SanFrancisco.MCI.net [166.48.19.250]
  9   453 ms   456 ms   452 ms  Fddi0-0.pad10.Sydney.telstra.net [139.130.249.231]
 10   446 ms   446 ms   443 ms  ozemail.lnk.telstra.net [139.130.32.18]
 11   439 ms   448 ms   442 ms  ciscosyd1fe11-0-0.gw.ozemail.COM.AU [203.108.0.49]
 12   666 ms   675 ms   663 ms  mel1s3-1.gw.ozemail.COM.AU [203.7.191.158]
 13  mel1s3-1.gw.ozemail.COM.AU [203.7.191.158]  reports: Destination host unreachable.

Trace complete.

In this case, "...reports: Destination host unreachable." was due to
the fact that the user has been shut down. Look at the last traced destination:

	mel1s3-1.gw.ozemail.COM.AU [203.7.191.158]

We'll go to our 'NETDEMON' and do a Whois on "ozemail.com":

	Registrant:
	 OzEmail Ltd. (OZEMAIL@-DOM)
 	 Level 1, MDIS House, 39 Herbert St
 	 St. Leonards, NSW 2065
 	 AU

 	 Domain Name: OZEMAIL.COM

 	  Administrative Contact:
  	   Kent, Andrew (AK!-AU) andrewk@ozemail.com.au
  	   +61 2 437 5500 FAX +61 2 437 5888
	   (Etc. etc. etc.)

OK, so let's see what (or who) we're dealing with. Go to your browser and
punch in the address: 'www.ozemail.com.au'

Cool, "Australia's LARGEST Internet Service Provider". Bet they don't want any bad press. Let's see if they have an anti-spam policy (usually under 'User Policies'):

"3.3 Disruption of the network is not allowed

You may not use the service to interfere with or disrupt other network users, services or equipment. In particular, for example, you must not:

  -distribute messages to inappropriate or unrelated forums, newsgroups or mailing lists (`spamming');
  -send unsolicited commercial messages;
  -propagate computer worms, viruses and other types of malicious programs;
  -make transmissions of any type or quantity which adversely affect our operation or jeopardise the use of our service, or its performance for other subscribers;
  -and harass or impersonate OzEmail or other users."

Good. Now we can look for some addresses to send copies of this thing to. First go to the complaint addresses: 'postmaster@ozemail.com.au', and I go for 'abuse@ozemail.com.au' too, just to make it official. Most large ISPs have abuse addresses.

Now, since it was a pyramid scam, we can send a copy to the ACCC (Australian Competition and Consumer Commission), Australia's consumer affairs body. They have an address to report internet abuse: 'sweep.day@accc.gov.au'. I bet they'd LOVE to hear about a scam in their own backyard.

And don't forget Hotmail: 'abuse@hotmail.com'. Even though the message didn't originate from there, we still should send a copy there so if the person is using the account for replies, people that don't know any better won't be victimized.

(NOTE: Also something I did not do on this particular E-mail, is notify the postal inspector (your local phone book has the appropriate phone numbers). They also have a website: here)

 

The outcome:

This is a copy of the E-mail I sent out to those addresses:

"Please take action in regards to this UCE. I have traced its probable
 origin to:

"14   711 ms   693 ms   679 ms  slmlb7p43.ozemail.COM.AU [203.108.182.235]".

***To postmaster/abuse @ ozEmail:

I have read your policy and feel that this is a violation of section 3.3:

(3.3 Disruption of the network is not allowed

"You may not use the service to interfere with or disrupt other network
 users, services or equipment. In particular, for example, you must not:

  *distribute messages to inappropriate or unrelated forums, newsgroups or
   mailing lists ('spamming')
  *send unsolicited commercial messages;
  *propagate computer worms, viruses and other types of malicious programs;
  *make transmissions of any type or quantity which adversely affect our
   operation or;
  *jeopardise the use of our service, or its performance for
   other subscribers; and
  *harass or impersonate OzEmail or other users.)

If this was not originated at [203.108.182.235] please note that your
services were used against your policy, and forward this to its proper
origin.

***Fraud info and Government organizations:

Since this UCE is asking that I send $5 dollars cash, and admits to be a MLM
"scheme", I thought you should be aware.

***Hotmail abuse:

I realize that the message was not sent from you, however it does make use
of one of your accounts as a return address. I know of your strong anti-spam
stance and greatly appreciate your help in the past. Please look into this.

***TO ALL:

Please respond to me with the action taken in this matter. I am aware of the
workload that you all must have, but it is good to hear when/if something is
being done about internet abuse. Thank you for the time that you take in
this matter,

        Don."

(With the FULL header attached to the FULL E-mail message)

 

The responses:

From: Systems Administration <abuse@ozemail.com.au>
To: Don <Don***@[XXX].com>
Date: Friday, July 03, 1998 12:58 AM
Subject: Re: Fw: Dear friend, A-9***28-0**

 Hello,


 The account responsible has been closed.

...This issue will be tracked by the reference number in the subject
 of the email. In all future correspondence regarding this issue,
 please quote this reference. Please email all abuse issues to
 abuse@ozemail.com.au.

And, of course, Hotmail's auto-responder sent a message EXACTLY like
the one in the 'response page'.

These are the only two that matter. And it was another "kill" in the
war on spam.

 

Let's look at a different one:

A friend in Cali got this one:

In a message dated 98-07-12 04:52:45 EDT, bareitall@ameritech.net writes:

<HTML><PRE><BODY BGCOLOR="#e7e7cd">
Did You Know That July 6 - 12, 1998 Is The Last Week To Enter 
Adult Services On AOL? They Will Now Be Censoring After That,
So If You Are Interested In Accessing XXX Hardcore Entertainment,
Now Is The Time! Here Is My Personal Favorite Adult Site. If You'd
<A HREF="http://206.217.29.###/~[blah,blah,blah].html">Click Here</A>, You
Can Get In Free All Week. Enjoy It Before It
Ends!</PRE></HTML>

And the corresponding header:

 ----------------------- Headers --------------------------------
  Return-Path: <bareitall@ameritech.net>
  Received: from  relay##.mx.aol.com (relay##.mail.aol.com [###.###.###.###])
    by 
 air12.mail.aol.com (v45.18) with SMTP; Sun, 12 Jul 1998 04:52:45 -0400
  Received: from UPIMSRGSMTP04 (upimsrgsmtp04.msn.com [207.68.152.48])
    by relay19.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0)
    with ESMTP id EAA07290;
    Sun, 12 Jul 1998 04:52:19 -0400 (EDT)
  From: bareitall@ameritech.net
  Received: from 2-5 - 206.141.213.91 by msn.com with Microsoft SMTPSVC;
  Sun, 12 Jul 1998 01:52:12 -0700
  To: bareitall@sprynet.com
  Subject: Let`s get to know eachother better
  MIME-Version: 1.0
  Content-Type: text/plain; charset=us-ascii
  Content-Transfer-Encoding: 8bit
  Message-ID: <0a77c1252080c78UPIMSRGSMTP04@msn.com>
  Date: 12 Jul 1998 01:52:14 -0700
  
This one's a little tricky, because the message ID reads:

Message-ID: <0a77c1252080c78UPIMSRGSMTP04@msn.com>

Came from MSN right? I don't think so. Look at the first 'Received' blocks:

Received: from 2-5 - 206.141.213.91 by msn.com with Microsoft SMTPSVC;

So let's look at the IP of origin via 'NETDEMON's IP lookup:

dyn1-tnt8-91.detroit.mi.AMERITECH.net (206.141.213.91)

Ameritech. Not at all MSN. Just to be sure you're on the right track,
read over the E-mail and see what kind of content it has:

<A HREF="http://206.141.29.###/~[blah,blah,blah].html">

Same DNS. Let's look at the Whois entry (NETDEMON) for Ameritech.net:

Ameritech Interactive Media Services, Inc. (AIM2-ORG) hostmaster@AMERTIECH.NET

(Blah, blah, blah)
 Domain servers listed in order:

NS1.AMERITECH.NET         206.141.251.2


Everything is pointing to Ameritech. MSN is looking like a victim, their server
has been used to send this (raped), and Ameritech is hoping that you'll complain to
MSN, and in turn, clog up MSN's resources, instead of theirs.
	(So if spamming isn't so bad, why are these creeps sending through
	 someone else's server?)
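
The two walk-throughs above, done as a script. This is an added example, not part of the original page: it reads the 'Received:' lines bottom-up, separates what the sender claimed from what the receiving server recorded, and applies the Hotmail rules quoted earlier on this page. The sample is constructed from the page's first header with example.com placeholders for the redacted parts; the function names and the domain heuristic are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the page's pyramid-spam header, with the redacted
# recipient/server names replaced by example.com placeholders.
SAMPLE = """\
Received: #############(this is where it came to me.)##########
\tid NW51S6W1; Mon, 29 Jun 1998 16:25:43 -0400
Received: from netlink.com.au ([203.16.172.1])
          by mail.example.com with SMTP;
          Mon, 29 Jun 1998 16:06:03 -0500
Received: from reubsnt (slmlb7p43.ozemail.com.au [203.108.182.235])
\tby netlink.com.au (8.8.5/8.8.5) with SMTP id GAA04309
\tfor <don@example.com>; Tue, 30 Jun 1998 06:11:55 +1000
Date: Tue, 30 Jun 1998 06:11:55 +1000
From: Larissa Jane <larissajane@hotmail.com>
To: <don@example.com>
Subject: Dear friend,

(body omitted)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SECOND_LEVEL = {"com", "net", "org", "co", "edu", "gov"}


def parse_received(value):
    """Split one Received: value into what the sender claimed and what the
    receiving server recorded. Returns None if there is no from/by pair."""
    flat = " ".join(value.split())              # undo header folding
    m = re.match(r"from (.+?) by (\S+)", flat, re.I)
    if not m:
        return None
    frm = m.group(1)
    # The bracketed address is written by the receiving server; the first
    # word (HELO name) is whatever the sender chose to call itself.
    ip = re.search(r"\[(%s)\]" % IPV4, frm) or re.search(r"(%s)" % IPV4, frm)
    rdns = re.search(r"\(([A-Za-z0-9.-]+) ?\[", frm)
    return {"helo": frm.split()[0],
            "rdns": rdns.group(1).lower() if rdns else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group(2).lower()}


def org_domain(host):
    """Rough registrable domain (keeps three labels for names like x.com.au).
    A heuristic for this example, not a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    three = (len(labels) >= 3 and len(labels[-1]) == 2
             and labels[-2] in SECOND_LEVEL)
    return ".".join(labels[-3:] if three else labels[-2:])


def analyze(raw):
    msg = message_from_string(raw)
    parsed = [parse_received(v) for v in msg.get_all("Received") or []]
    # Every server adds its line on top, so bottom-up is chronological order.
    hops = [h for h in reversed(parsed) if h]
    report = {"unparsed": parsed.count(None), "flags": [], "complain_to": []}
    if not hops:
        return report
    first = hops[0]                      # earliest leg: the probable origin
    provider = org_domain(first["rdns"]) if first["rdns"] else None
    report.update(origin_ip=first["ip"], provider=provider)

    # A gap between "by X" and the next "from X" suggests forged lower lines.
    for earlier, later in zip(hops, hops[1:]):
        claimed = org_domain(later["rdns"] or later["helo"])
        if org_domain(earlier["by"]) != claimed:
            report["flags"].append("chain-break")
            break
    # The origin handed the mail to a server outside its own provider (the
    # relay abuse the page describes in the MSN case).
    if provider and org_domain(first["by"]) != provider:
        report["flags"].append("third-party-relay")

    addr = parseaddr(msg.get("From", ""))[1].lower()
    local, _, from_domain = addr.rpartition("@")
    seen = {org_domain(h["by"]) for h in hops}
    seen |= {org_domain(h["rdns"]) for h in hops if h["rdns"]}
    if from_domain and org_domain(from_domain) not in seen:
        report["flags"].append("from-domain-not-in-path")
    # Rules quoted from Hotmail's auto-responder on this page.
    if from_domain == "hotmail.com" and (
            msg.get("X-Originating-IP") is None or local[:1].isdigit()):
        report["flags"].append("not-sent-via-hotmail")

    if provider:
        report["complain_to"] += ["postmaster@" + provider, "abuse@" + provider]
    if from_domain and from_domain != provider:
        report["complain_to"].append("abuse@" + from_domain)  # drop-box owner
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, "=", value)
```

When the earliest hop carries only an IP, as in the MSN header above, `provider` comes back empty and the IP still has to go through an IP lookup or Whois, as done with NETDEMON.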

When I respond to these people, based on the pornographic content,
I send something that looks a little like this:

"I am sorry to have to be writing you this, but I think harvesting my
address from a newsgroup, that regularly has people under the age of
eighteen/twenty-one posting on it, is NOT good business. I received this UCE
from someone there, and do not appreciate its content. I don't want to make
it seem like I am against such sites, and you are more than welcome to post
this message on a RELEVANT newsgroup (i.e. alt.binaries.pictures.sex) I/we
are not happy to receive spam of an off-topic nature. I also don't think
that I should have to reply to remove my name from a mailing list that I did
NOTHING to get on. Please see that this incident is taken care of, and If
the parties involved are worried about further responses of this nature,
then I suggest they do not harvest E-mail addresses from ANY newsgroups, in
the future. Thank you for your time,
        Don

(Stop the inSPAMity!)
	(OK, so it's a groaner, you can blame Dave here)


Now, not all of them are easy, but with a little bit of
detective work, you can find the culprits behind this. Keep trying, the
more you do it, the better you get. And it's a good feeling, knowing that
you, uh, "Helped take a bite outta' spam".

(I couldn't resist!)


 


 

Cracking the UseNet header

 

Here's a couple of headers I pulled off the NG with
some "off-topic" posts:

Path: newsfeed.slurp.net!not-for-mail
Message-ID: <35A05DF4.CD9AF200@ll.net>
From: hiphi <hiphi@ll.net>
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
Newsgroups: rec.autos.makers.vw.aircooled
Subject: how to make $6.00 into $60,000.00
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Lines: 331
Date: Mon, 06 Jul 1998 05:31:34 GMT
NNTP-Posting-Host: 209.83.49.103
NNTP-Posting-Date: Sun, 05 Jul 1998 22:31:34 PDT
Organization: Slurp News Feeds
Xref: newsfeed.slurp.net rec.autos.makers.vw.aircooled:78831

Look at this:
NNTP-Posting-Host: 209.83.49.103

Do an IP lookup and you get:

 casper2-ow6.ll.net (209.83.49.103)

We can also look at the message ID:

Message-ID: <35A05DF4.CD9AF200@ll.net>

The key is the domain name: LL.NET

So I plug www.ll.net into the browser, and
look up who they are. Local Link, Owatonna, MN.
Do some research into their TOS, or acceptable use policies, and they
usually have contact E-addresses for various people. If you can't find
them, use the "default" postmaster, hostmaster, abuse @wherever.whatever.

Also, the address domain and the ID domain match. Boom, you got 'em.

(Top Gear Header)

Path: newsfeed.slurp.net!news.savvis.net!uunet!in1.uu.net!news-nyc.telia.net!howland.erols.net!newsfeed.internetmci.com!195.99.66.215!news-feed1.eu.concert.net!news.worldonline.nl!hlv2-p24.worldonline.nl!user
From: ownimport@yahoo.com (OwnImport)
Newsgroups: rec.autos.makers.vw.aircooled,rec.autos.makers.vw.watercooled,rec.autos.marketplace,rec.autos.misc,rec.autos.rod-n-custom,rec.autos.rotary,rec.autos.simulators
Subject: Seen Top Gear/Panorama?? Import Own auto Info
Date: Thu, 09 Jul 1998 00:49:03 +0100
Organization: MyImport
Lines: 14
Message-ID: <ownimport-0907980049030001@hlv2-p24.worldonline.nl>
NNTP-Posting-Host: hlv2-p24.worldonline.nl
X-Newsreader: MT-NewsWatcher 2.3.1
Xref: newsfeed.slurp.net rec.autos.makers.vw.aircooled:79349 rec.autos.makers.vw.watercooled:138952 rec.autos.marketplace:142681 rec.autos.misc:199190 rec.autos.rod-n-custom:55990 rec.autos.simulators:133887

The header in the Top Gear thing is a little more difficult, but the big
thing to look at is the message ID:

Message-ID: <ownimport-0907980049030001@hlv2-p24.worldonline.nl>

And the path:

(Blah, blah, blah)...news-feed1.eu.concert.net!news.worldonline.nl!...[user]

news.worldonline.nl was the news server of origin.

Same thing: look up www.worldonline.nl and look around. I don't do German,
or whatever, so I use the "default addresses" and reply with the FULL
header. If it didn't come from them, they can decipher the Message ID and
forward the mail to the offender's ISP, and believe you me, they do.
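
The two walk-throughs above as a small script, added here as an example (it is not part of the original page): it pulls the NNTP-Posting-Host, the Message-ID domain, the From domain and the tail of the Path out of a raw header, and lists the "default" role addresses to send the FULL header to. The function names and the two-label domain shortcut are assumptions of this example.

```python
import ipaddress
import re
from email.parser import HeaderParser

ROLES = ("postmaster", "hostmaster", "abuse")  # the page's "default" addresses

def org_domain(host):
    """Last two labels of a hostname (assumed shortcut: wrong for zones like co.jp)."""
    return ".".join(host.strip(". ").lower().split(".")[-2:])

def is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def analyze(raw_headers):
    msg = HeaderParser().parsestr(raw_headers)
    hops = [h for h in re.sub(r"\s+", "", msg.get("Path", "")).split("!") if h]
    mid = re.search(r"@([^>\s]+)>", msg.get("Message-ID", ""))
    frm = re.search(r"@([\w.-]+)", msg.get("From", ""))
    host = (msg.get("NNTP-Posting-Host") or "").strip()
    id_dom = org_domain(mid.group(1)) if mid else None
    from_dom = org_domain(frm.group(1)) if frm else None
    host_dom = org_domain(host) if host and not is_ip(host) else None
    domains = sorted({d for d in (id_dom, host_dom) if d})
    return {
        "posting_host": host,
        "needs_ip_lookup": is_ip(host),  # a bare IP still has to be looked up by hand
        "path_tail": hops[-3:],  # Path reads right to left; the poster is last
        "from_matches_id": from_dom is not None and from_dom == id_dom,
        "contacts": [f"{r}@{d}" for d in domains for r in ROLES],
    }

# Headers quoted on this page, trimmed to the lines the walk-through uses (long Path folded).
LL_NET = """Path: newsfeed.slurp.net!not-for-mail
Message-ID: <35A05DF4.CD9AF200@ll.net>
From: hiphi <hiphi@ll.net>
NNTP-Posting-Host: 209.83.49.103
"""
TOP_GEAR = """Path: newsfeed.slurp.net!news.savvis.net!uunet!in1.uu.net!news-nyc.telia.net!howland.erols.net
 !newsfeed.internetmci.com!195.99.66.215!news-feed1.eu.concert.net!news.worldonline.nl!hlv2-p24.worldonline.nl!user
From: ownimport@yahoo.com (OwnImport)
Message-ID: <ownimport-0907980049030001@hlv2-p24.worldonline.nl>
NNTP-Posting-Host: hlv2-p24.worldonline.nl
"""
if __name__ == "__main__":
    print(analyze(LL_NET), analyze(TOP_GEAR), sep="\n")
```

For the Top Gear header the From domain (yahoo.com) does not match the Message-ID domain, so the contacts come from the Message-ID and posting host instead.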

(Thanks to Toby for the passive motivation behind this page)


 

Like I said before:

Try it. You'll only get better with practice.


The low road to combatting spam

 

"But I just don't have time for this kind of crap..."

Not everyone has time to pull down the header, find out where the
spam came from, and send a diplomatic response (Diplomacy takes
time, and pissed off is much easier). Especially when you're trying
to download 156 new headers from the newsgroup of your choice, and
evade the boss at the same time. Here's what some people do:

 

A portion of Diamondback's homepage:

"...try doing what the Usenet posters have been doing for years to
defeat spambots (automatic e-mail address gathering programs similar
to what was just described to query the ICQ database) by including a
"spam block" as part of your e-mail address.

    Example:

	diamondback@[wherever].com becomes
	diamondback@nospam_[wherever].com or
	diamondback@removethis_[wherever].com


Your friends (assuming they have at least half a brain) will know to
remove the spam block before e-mailing you, but the automatic e-mailers
would probably send e-mail to an address where it would bounce back to
them. As the spambots get more sophisticated and pick up on phrases like
"nospam," we'll just have to be more clever about what we add to our
e-mail addys."

(See the full page here)

 

Sending it right back to 'em (without doing anything).

John has a "special" E-signature that caught my eye. This is what he said when
I asked him about it:

"SPAMMERS who "steal" E-mail addresses from newsgroups and E-mails end up
adding all addresses to their SPAM lists. In my case that
includes the authorities. Also, they add themselves to their
own SPAM lists, clogging their mailboxes.

John  ;-)"

(the E-sig:)
While you capitalists are purging my email and spamming me,
don't forget to include these people:
Fraud Watch: fraudinfo@psinet.com
Federal Trade Commission: consumerline@ftc.gov 
	(no longer accepting mail at this address)
ACCC: sweep.day@accc.gov.au (Australia)

Oh, and while you're at it,  here's a taste of your own
medicine! admin@loopback  $LOGIN@localhost
$LOGNAME@localhost  $USER@localhost $USER@$HOST 
-h1024@localhost root@mailloop.com


 

Well, that's all I got.

I'm more into "fighting the good fight". I haven't found new and
exciting ways to thwart spammers, and there's a lot of things I
still have to learn about spamming. I just use the direct approach
and send the offensive crap back to their respective ISP's postmaster.
I get more satisfaction knowing that someone, besides me, and with a
little more control of the situation, had to read the same message.
I did however want to make you aware of the alternatives.

 

Good luck!


The mirrors, so far:

  • Stop Spam FAQ
  • alt.spam FAQ or "Figuring out fake E-Mail & Posts".

     


     

    Links:

  • Hall of Humiliation
  • Washington's new anti-spam legislation
  • www.spambusters.ml.org: Spammer's Phone Number Pool!
  • tucows.tierranet.com: For Win '95 anti-spam software.
  • tucows.tierranet.com: for other than Win '95.
  • www.fulldisclosure.org: "We will help stop unwanted email to you!"
  • www.ybecker.net: F.R.E.E. (Forum for Responsible & Ethical E-mail).
  • http://members.aol.com/reinbeaux/pass/pass.htm: P.A.S.S. (People Against Stupid Spammers)
  • spam.abuse.net: "Fight Spam on the Internet!"
  • www.telebyte.com/spamlaw: The Telebyte NW "I HATE SPAM!" (And what to do about it!)
  • spambusters.ml.org: Has info and links on fighting spam.
  • www.ao.net/waytosuccess/nospam.html: A great anti-spamming page. Great resources.
  • www.metareality.com: Dealing with junk email.
  • ddi.digital.net/~gandalf/spamfaq.html: "Figuring out fake E-Mail & Posts". (also mirrored)
  • www.stopjunk.com: "Welcome to Stop the Junk Mail."
  • www.public.asu.edu/~dtopping/ojen.html: O.J.E.N. - Outlaw Junk E-mail Now!
  • www.yahoo.com/Computers_and_Internet: "Bot Bait".
  • www.michaelphillips.com: List of addresses where spam originates. (bot bait)
  • members.wbs.net: "What, Another Site for Spambots?" (bot bait)
  • www.metareality.com: (Website found. Waiting for reply...)
  • members.aol.com/emailfaq: Links to Email Abuse FAQs.
  • The only spam I approve of... SPAM®. (had to go there)
  • www.acns.fsu.edu: Spam?.
  • www.acns.fsu.edu/Technotes: The three faces of spam.


     


     

    "Killboard"

     

    Well, no one really knows for sure who the first person was that sent
    out the LART that got the account/site closed. Unless of course, you are
    the person shutting them down. So, to that effect, I've decided to share
    some E-mails that I've got from various ISPs in regards to terminated
    accounts and sites:
    
    -----Original Message-----
    From: Bell Global Solutions 
    Date: Tuesday, August 18, 1998 2:51 PM
    Subject: Response for Make Money-Save Money
    
    
    Hello,
    
    Thank you for bringing this matter to our attention.  My
    sincere apologies for any inconvenience that this annoying
    spam may have caused.  Please rest assured that this 
    account was immediately cancelled.  I hope this information
    is of assistance.
    
    Sincerely,
    
    Sean
    Bell Global Solutions
    
    ************************
    
    > Car Audio Installation Guide
    >------------------------------
    >Why pay high installation prices when you can install
    >your stereo yourself. This guide tell's you the do's
    >and dont's, what you need to build a sub box. How to 
    >install amps, subs etc. Don't pay 25 plus dollars an
    >hour when you can install your own stereo.
    <snip>
    
    

     

    -----Original Message-----
    From: Tim Davis
    Date: Sunday, July 26, 1998 3:24 PM
    Subject: SPAM Complaint

    Thanks for the information on the spam incident on our server. We found the spammer, Paulette Boudreau, and she has been suspended from our system. I personally called her and she admitted that she sent the spam. We bill $250.00 every time someone spams from our system. It is documented in our terms and conditions: http://www.mninter.net/accessterms.html

    This incident has been completely documented. If anyone would like to take further action, MN Inter.Net will cooperate fully.

    If everyone took the time to complain, we could get rid of all of these jerks.

    Thanks again!

    Timothy K. Davis
    President
    MN Inter.Net
    (612) 882-2990

    (Tim has started a national ISP: North America Inter.Net. If you want "spam free" internet connectivity, see them.)

     

    -----Original Message-----
    From: Peter Brunet
    Date: Friday, August 14, 1998 6:41 PM
    Subject: Re: Fw: Income Potential attn. Peter

    Hi Don.

    Our president Jim Marchant looked over the information that you emailed. He wants to thank you for finding this spammer. Mercury takes this issue very seriously -- we are aware of the damaging repercussions of spam on ISP's, the internet and its users. -- not only will we cancel the account but we are going to take this up to the state attorney. We'll keep you apprised of our progress. Please reply if you have any questions.

    peter brunet
    support tech

     

    -----Original Message-----
    From: Sato Yasutaka
    Date: Wednesday, August 12, 1998 9:27 PM
    Subject: Fw: Fw:Mail Your Message to Millions

    Dear Don,

    I'm one of webmaster@www.mri.co.jp and an engineer of domain "mri.co.jp". I'm sorry to have troubled you. We take action immediately to prevent such a spam.

    thanks.

     

    -----Original Message-----
    From: Spam Buster
    Date: Monday, July 27, 1998 10:04 PM
    Subject: Re: Fw: Advertise to Millions On-Line!

    Hi Don,

    I have deleted the abusive account you reported and have included some of our anti-spam policies and features. Let me know if there is anything else I can help with. Thank you for reporting the spammer and helping us in the fight against this growing problem.

    ****************************

     

    -----Original Message-----
    From: Network Abuse Center at GDI
    Date: Monday, July 27, 1998 4:03 PM
    Subject: Re: Fw: Use The Internet and Feel It's Power

    This matter has been taken care of. The Spammer has been terminated.

    GDI Abuse Team

     

    You get the point. I just hope someone else out there is...

     


     

    Page updates:

    *********************************

    Update (26 September, 1998)

    HR 3888 update is posted, and a link to WeBpOiSoN is at the bottom of the page.

    *********************************

    Update (21 September, 1998)

    I'm busy updating some entries and up-loading this page to my Inertia site. (but reading this, you know that, because the Geocities didn't get this update, you wouldn't have known about it if you went there instead)

    *********************************

    Update (23 August, 1998)

    Well the bulk of the re-structuring is done, I just have to do some clean-up, and syntax changes.

    *********************************

    Update (16 August, 1998)

    P.E.T.I. "pink-out" is done. I'll be working on a total overhaul as time permits. Stay tuned....

    (See the old page HERE)

    *********************************

    Update (9 August, 1998)

    I joined the Lumber Cartel (tinlc)(tm) today (You saw the link/button at the top). Tomorrow I will set out to turn the cover page pink. (Oh, God! what a HORRID color!) Soon: More links.
    Oh! I almost forgot! Soon to be added to the tools section: NETDEMON!

    *********************************

    Update (1 August, 1998)

    OK. I got enough links for a "page". We'll see how things progress.

    Check out this totally cool reply I got from an ISP's president, after a spamming incident:

    "Thanks for the information on the spam incident on our server. We found the spammer, Paulette Boudreau, and she has been suspended from our system. I personally called her and she admitted that she sent the spam. We bill $250.00 every time someone spams from our system. It is documented in our terms and conditions. http://www.mninter.net/accessterms.html

    This incident has been completely documented. If anyone would like to take further action, MN Inter.Net will cooperate fully.

    If everyone took the time to complain, we could get rid of all of these jerks.

    Thanks again!

    Timothy K. Davis
    President
    MN Inter.Net
    (612) 882-2990"

    *********************************

    Update (23 July, 1998)

       The links page is taking longer to do than I expected. I'll be on it from time to time, and leave a couple out for you to peruse whilst I get my S- together. Go in and check out the new anti-spam legislation, from Washington state.

     

    *********************************



    The image below is a link to a CGI program.
    It is intended to foil E-mail harvesting robots.
    It will randomly generate what looks like web page
    after page. It is not suggested that you follow this link.