This section has two pieces:
As you add WWW pages to the Internet, post messages to UseNET newsgroups, etc, you will find yourself getting MORE and more SPAM email. One or two SPAMs a week is ok (I suppose) but once you start getting 10+ a week, you'll get annoyed.
First, a few things should be understood about SPAM:
1. When you receive a SPAM email, the SENDER almost never uses their own email servers to send it out. They are usually using someone else's mis-configured email MTA (mail transfer agent) to do it. You might think this isn't that big of a deal but consider:
   A. It is filling up the innocent email relayer's Internet connection with SPAM traffic that has NOTHING to do with their normal business.
   B. For each email the SPAMMER sends to this relay site, thousands to tens of thousands of emails leave. This saturates the email server, its overall performance, etc.
   C. The innocent email relayer's entire Internet domain could be blocked from the Internet via the various anti-SPAM systems (RBL, ORBS, etc.) because they have been spamming people.
Ok, so say you got a piece of SPAM. How can you tell what is really going on? Here is one SPAM I received that I'll use as an example. Bear with the length here but it's important to see ALL of their various tactics:
1. If you were to simply REPLY to this "FROM" address, the email would bounce because it is forged (totally bogus).
2. The only way to get a hold of these people is to call some toll free number.
3. SPAMs sometimes say this email meets "compliance with the proposed Federal legislation". Why? Because they offer a way to unsubscribe from their list. But..
   A. They usually use those free Internet email services out there (hotmail, yahoo, etc.) to do this, not their real email addresses, so when those sites ARE put up, they are usually shut down quickly as all the free services out there strictly prohibit spammers from using their services.
   B. They never read the complaints they receive but they DO use those hate emails to confirm that your email address is VALID. Once they know your email address is valid, they either send more spam to you or sell your address to some other spammer.
      ** This is why it's CRITICAL to NOT EVER email these addresses **
   C. By using these free email services, the spammers are breaking those services' Anti-SPAM rules.
The email without full headers:
------------------------------------------------------------------------------
From: "Barbara23347@powerworx.net" <Barbara23347@powerworx.net>
Subject: Dental & Optical Plan Savings - Limited Time Only
Date: Wed, 21 Oct 1998 06:15:00 -0400 (EDT)

Hello,

We work with a group of your local doctors and dentists and are offering a Dental - Optical Plan that runs approximately $3 a week for an individual and 4 a week for the entire family with no limit to the number of children.

Would you like our office to furnish you with the details?

Call Toll-Free 1-800-929-7648 "Refer to the K601 offer." (be sure to give this)

*If your state is listed below then we currently do not service your area.

*************************************************
We are linked to plenty of web sites that offer free subscriptions to our mailing list. You may JOIN or LEAVE this list at any time by following the simple instructions that can be found at the end of this email. You are on our mailing list because you have subscribed at one of our associate web sites, sent us email or we have a previous online relationship.

Marketing Service Co.
Customer Service Department
1-913-562-0134

This message is being sent to you in compliance with the proposed Federal legislation for commercial e-mail (S.1618-SECTION 301). "Pursuant to Section 301, Paragraph (a)(2)(C) of S. 1618, further transmissions to you by the sender of this e-mail may be stopped at no cost to you by clicking <A HREF="mailto:kppt@mypad.com">here</A> and placing REMOVE in the subject.</FONT></CENTER>
*************************************************
------------------------------------------------------------------------------
Ok, so where did this email REALLY come from and how can you STOP this SPAM in the future?
Well, first, you need to enable your email reader to show the FULL EMAIL HEADERS.

Pine:
   Go to the main Setup-->Config menu and enable the following commands:
      enable-aggregate-command-set
      enable-full-header-cmd
      include-header-in-reply
   Now, when you read an email, hit the "H"eaderMode or "h" key and you will see the FULL headers.

Eudora:
   Click on the "Blah..Blah..Blah" icon
Now, here is that SAME email with full headers shown below:
1. A little different, eh? Confusing even. Which site actually SENT this email? Was it someisp.net, mailcity.com, popsite.net, or powerworx.net?

First, the various lines like X-Persona and other X-stuff don't really matter. They are there more for information reasons. You really want to look at the "Received:" line. In it, the name right after "from" is what the connecting machine called itself when it connected, while the name and IP address in parentheses are what someisp.net itself looked up for that connection. Ok, for the following example, there are TWO Internet domains of concern. Usually, you won't see two domains like this but BOTH are valid. This particular email server is configured to send/receive for both mailcity.com and popsite.net.
The email with full headers:
------------------------------------------------------------------------------
X-Persona: <someisp.net>
Received: from mta-mail.mailcity.com (02-070.038.popsite.net [209.198.10.70])
        by someisp.net (8.9.3/8.9.3) with SMTP id DAA16082;
        Thu, 9 Sep 1999 03:18:16 -0700 (PDT)
Message-ID: <Mr3y0.fZpgJrR.4mmQHYk3mWcOXRBx.@mta-mail.mailcity.com>
From: "Barbara23347@powerworx.net" <Barbara23347@powerworx.net>
Subject: Dental & Optical Plan Savings - Limited Time Only
Date: Wed, 21 Oct 1998 06:15:00 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-UIDL: fcfe6e177a9ad2665891d53ba4e141aa

Hello,

We work with a group of your local doctors and dentists and are offering a Dental - Optical Plan that runs
.
.
.
------------------------------------------------------------------------------
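To show how the Received: line is picked apart, here is an added example (my code, not part of the original HOWTO) that unfolds the headers of the spam quoted above, separates the claimed HELO name from the reverse-DNS name and IP the receiving server recorded, and derives the abuse@/postmaster@ addresses for the relay's domain and for the "remove" mailto: domain in the body. The message text is a constructed copy of the headers shown on this page; base_domain() is a deliberately simple helper.

```python
import re
from email import message_from_string

# Constructed copy of the spam quoted above: full headers plus the body line
# that carries the "remove" address.
SPAM = """\
X-Persona: <someisp.net>
Received: from mta-mail.mailcity.com (02-070.038.popsite.net [209.198.10.70])
\tby someisp.net (8.9.3/8.9.3) with SMTP id DAA16082;
\tThu, 9 Sep 1999 03:18:16 -0700 (PDT)
Message-ID: <Mr3y0.fZpgJrR.4mmQHYk3mWcOXRBx.@mta-mail.mailcity.com>
From: "Barbara23347@powerworx.net" <Barbara23347@powerworx.net>
Subject: Dental & Optical Plan Savings - Limited Time Only
Date: Wed, 21 Oct 1998 06:15:00 -0400 (EDT)

... by clicking <A HREF="mailto:kppt@mypad.com">here</A> and placing REMOVE in the subject.
"""

# Sendmail-style "from HELO (reverse-DNS [IP]) by us". HELO is whatever the sender
# claimed; the parenthesised part is what the receiving MTA looked up, so report that.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def relay_hops(raw):
    """One dict per Received: header, outermost hop (the one that handed to us) first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def base_domain(hostname):
    """Last two labels (fine for .net/.com; too naive for e.g. co.uk)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def report_addresses(raw):
    """abuse@ and postmaster@ for the relay's domain and any mailto: domain in the body."""
    hops = relay_hops(raw)
    if not hops:
        return []
    domains = [base_domain(hops[0]["rdns"] or hops[0]["helo"])]
    body = message_from_string(raw).get_payload()
    for addr in re.findall(r"mailto:([\w.+-]+@[\w.-]+)", body):
        dom = base_domain(addr.split("@")[1])
        if dom not in domains:
            domains.append(dom)
    return [f"{role}@{d}" for d in domains for role in ("abuse", "postmaster")]
```

For this message the relay hop resolves to 209.198.10.70 in popsite.net, and the report list comes out as the four addresses used further down in this section.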
So, now what?
Well, you need to take this email with FULL headers and forward it to the correct people. For this example, I emailed:

   abuse@popsite.net, postmaster@popsite.net, abuse@mypad.com and postmaster@mypad.com
1. Why use the "popsite.net" address over the "mailcity.com" address? No reason, either would have worked.
2. Why the abuse and postmaster addresses? The abuse address is well known for notifying remote sites about SPAM problems. The postmaster address is well known as the address for the email server administrator.
3. Why the mypad.com address too? I also email these people because ANYONE associated with SPAMMERS will almost ALWAYS discontinue the spammer's account. This is a very effective way to shut spammers down.
From here, I recommend prepending the original spammer's subject field with "SPAM:" and also starting the email body off with something like:

--
Spam Alert:

popsite: You are relaying spam. Please fix your MTA
mypad:   Please delete this account

Then add the original spam email with ALL the headers.
.
.
.
--
That's it! You will probably get an automated email back from the various sites letting you know that they received your email and that they will act upon it. Some sites will personally email you back telling you that they dealt with it.
So, that's it. Right? NOPE.
Many of these sites will still relay email for spammers even though you've ASKED and asked them to stop. What to do? Report them! To whom?
Go to these recognized Anti-SPAM sites:

               Is the relay already filtered?                   Report it:
               ------------------------------                   ----------
RBL:           http://maps.vix.com/cgi-bin/lookup               http://maps.vix.com/rbl/reporting.html
Orbs:          http://www.orbs.org/verify1.cgi                  http://www.orbs.org/email.cgi
IMRSS:         http://www.imrss.org                             http://www.imrss.org/cgi-bin/query.cgi
IMRSS DSSL:    http://www.imrss.org                             http://www.imrss.org/cgi-bin/dssl/query.cgi
RRSS:          http://relays.radparker.com/nph-lookup.cgi       http://relays.radparker.com/nph-submit.cgi
P.S. Be SURE that you are using some of these filtering systems via your Sendmail setup. Check out the Sendmail section, Section 25, for more details.
-----
If you get several firewall hits that look like:
-- Sep 12 11:15:13 roadrunner kernel: IP fw-in rej eth0 UDP 209.249.159.162:137 100.200.0.0:137 L=78 S=0x00 I=32141 F=0x0000 T=57 --
Try TELNETing to that site. You will then see:
--
[root@roadrunner]# telnet 209.249.159.162
Trying 209.249.159.162...
Connected to 209.249.159.162.
Escape character is '^]'.
UNAUTHORIZED ACCESS!!!
You are not authorized to connect to this host.
Violations will be prosecuted to the full extent of the law.
See http://www.scour.com/General/Misc/Add_Or_Remove_Site.phtml for information on removing your host from our SMB crawler.
Connection closed by foreign host.
--
What the hell is this? It's a web crawler (Spider) that is trying to index everyone's insecure Microsoft File & Print shares. Personally, these people make me sick by doing this but they DO allow you a way to disable it. Go to the URL shown above and remove your box from their SMB crawler.
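Before telnetting to anything, it helps to know how many distinct sources are knocking and on which ports. This added example (my code, not from the original HOWTO) parses ipchains "IP fw-in" syslog lines like the one above and counts rejected packets per source aimed at the NetBIOS/SMB ports 137-139, so a scanner like this crawler stands out from ordinary noise. The log lines are constructed; the first two repeat the entry shown above.

```python
import re
from collections import Counter

# Constructed syslog lines in the ipchains "IP fw-in" format quoted above.
FW_LOG = """\
Sep 12 11:15:13 roadrunner kernel: IP fw-in rej eth0 UDP 209.249.159.162:137 100.200.0.0:137 L=78 S=0x00 I=32141 F=0x0000 T=57
Sep 12 11:15:14 roadrunner kernel: IP fw-in rej eth0 UDP 209.249.159.162:137 100.200.0.0:137 L=78 S=0x00 I=32142 F=0x0000 T=57
Sep 12 11:16:40 roadrunner kernel: IP fw-in rej eth0 TCP 203.0.113.5:1033 100.200.0.0:139 L=60 S=0x00 I=7 F=0x4000 T=51
Sep 12 11:17:02 roadrunner kernel: IP fw-in rej eth0 TCP 192.0.2.9:4021 100.200.0.0:25 L=60 S=0x00 I=5 F=0x4000 T=51
Sep 12 11:17:03 roadrunner kernel: IP fw-in acc eth0 TCP 192.0.2.9:4022 100.200.0.0:80 L=60 S=0x00 I=6 F=0x4000 T=51
"""

# "IP fw-<chain> <verdict> <iface> <proto> <src>:<sport> <dst>:<dport> ..."
FW_RE = re.compile(
    r"IP fw-(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

# NetBIOS name service, datagram service and session service (Windows file & print shares).
NETBIOS_PORTS = {137, 138, 139}

def parse_fw_log(text):
    """Return one dict per recognised ipchains log line; unrelated lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            hit = m.groupdict()
            hit["sport"], hit["dport"] = int(hit["sport"]), int(hit["dport"])
            hits.append(hit)
    return hits

def smb_probe_sources(text):
    """Count rejected packets per source address that were aimed at NetBIOS/SMB ports."""
    counts = Counter()
    for hit in parse_fw_log(text):
        if hit["verdict"] == "rej" and hit["dport"] in NETBIOS_PORTS:
            counts[hit["src"]] += 1
    return counts

if __name__ == "__main__":
    for src, n in smb_probe_sources(FW_LOG).most_common():
        print(f"{src:>15}  {n} rejected NetBIOS/SMB packet(s)")
```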