Guide on Actively Fighting Spam

Introduction

If you want to fight back against spammers but don't know where to begin, this page is for you. Perhaps the first thing to learn, though, is what not to do.

  • DO NOT send large volumes of mail to the spammer to try to inconvenience them or disrupt their computers - this is illegal in Australia and many other countries around the world.

  • DO NOT try to disable the spammer's computers - this is also illegal.

  • DO NOT try to break into the spammer's computers - yes, that's illegal too.

  • In short, don't do anything illegal in the name of fighting spam - that would hurt the cause, not help it.

  • DO NOT complain directly to the spammer, and DO NOT use the "remove" facility provided by the spammer - some spammers compile the addresses of people who respond in this way and sell them on at a premium, as addresses of people confirmed to read their mail.

  • DO NOT buy anything that has been advertised by spam, even if it's something you really needed. Spammers only need a very small response rate to make spamming worthwhile to them, so by buying from them, even if it's "only this one time", you are actually encouraging them to spam. Also, spammers are not the sort of people you should trust with your credit card details - many spammers will use your credit card details to sign up for Internet access themselves, both so that ISPs don't recognise their name and so that they don't have to pay for an account they know will be cancelled for spamming.

Where to Begin

First, visit the following sites and bookmark them - these sites contain useful tools you will need for actively fighting back:

  • GeekTools - this site contains a number of tools that just make life easier - its "Whois" tool in particular makes the job of finding out who owns a particular domain name or Internet address many times easier.

  • Sam Spade - this site contains a number of tools that help you to track down the true origin of an email message.

  • Network Abuse Clearing House - you can use this site to help make sure your complaints reach the right people.

Another popular resource is known as "Spamcop"; however, we don't recommend using it, because it generates a lot of complaints to uninvolved third parties, and for that reason many abuse handling personnel filter out complaints received via Spamcop.

Complaining about Spam

One way to fight back is to complain about spam to the spammer's Internet Service Providers. You can complain to the ISP who provides the spammer's email address, the ISP the spammer used to connect to the Internet, and the ISP who hosts their web site, if there is one referenced in the message. There are also some government enforcement groups you can complain to for certain types of spam.

Whenever you complain about spam, it is important to forward the entire message, with all headers intact, to whoever you are complaining to. More information on how to display full headers is available at WHO@ and Panix.

Complaints to Law Enforcement

For some types of spam, you can complain to various law enforcement organisations:

  • pyramid@ftc.gov - report any pyramid schemes propagated by email which involve participants in the United States to the FTC.

  • enforcement@sec.gov - report any spams promoting the purchase of stock in a US based company to the SEC.

  • CYBERFRAUD@nasaa.gov - The North American Securities Administrators Association should be copied on anything that goes to the SEC - they monitor enforcement of state securities laws in the United States.

  • otcfraud@cder.fda.gov - the FDA is interested in people illegally selling medicines over the Internet.

  • Stock spams sent by Australians, or about Australian companies, should be reported to the Australian Securities and Investments Commission.

  • Pyramid schemes involving participants in Australia should be reported to the Australian Competition and Consumer Commission.

  • Pornography spams sent within Australia should be reported to the Australian Broadcasting Authority.

Complaining to the Spammer's ISPs

Most ISPs maintain an abuse address for reporting spam - this is usually "abuse" at the ISP's domain name - for example, "abuse@example.net". For a few ISPs the address is a little more obscure - for example, UUNET (aka AlterNet) uses "abuse-mail@uu.net". To avoid having to guess the address or remember the addresses of all the ISPs out there, you can take advantage of the Network Abuse Clearing House, which uses standardised addresses and forwards your complaint to the correct address for the ISP.

To complain to the ISP, first identify which email addresses in the spam relate to the sender - these will usually be the ones in the "From:", "Reply-To:" and "Return-Path:" headers. Usually the host name in those addresses will belong to an ISP that provides email services to the customer. You can check this by visiting the web site at that address to see if it looks like an ISP's web site, and by looking up the Whois information at GeekTools.

If it looks like the spammer has their own domain name, you can use the "Query DNS" tool at Sam Spade to find out what the MX for that domain is - the MX is where that domain's mail is delivered. Then you can use the Traceroute tool at Sam Spade to try to find out who provides the spammer with their network connectivity - only the last two or three lines of the Traceroute output are likely to be important.

When the spammer is advertising a web site, you should use the Traceroute tool at Sam Spade to find out who provides network connectivity to the spammer's web site. Again, only the last two or three lines of the Traceroute output are likely to be important.

Tracking Down the True Origin of an Email

Any email message you receive on the Internet will contain lines in the headers which begin with "Received:" - these are referred to as "Received headers". The received headers at the top of the email are the ones added to the message last. If you can't see any received headers on email you receive, or you can only ever see one, your email software may be hiding them to make the message look prettier. Your software should offer a way to "View full headers" or "Display complete headers" - you can use these options to show all the received headers.

The received headers for a spam mail may look like this:

Received: from mail-server-1.example.com ([10.8.25.3]) by mail-server-2.example.com
            (InterMail vM.4.01.02.17 201-229-119) with ESMTP
            id <20000630152208.GYMI7578.mail.example.com@mail.example.com>
            for <spammee@example.com>; Sat, 1 Jul 2000 01:22:08 +1000
Received: from mailbox-service.example.net (bigbox.example.net [192.168.20.1])
            by mailhandler.example.com (8.9.1/8.9.1) with ESMTP id JAA21108
            for <spammee@example.net>; Sat, 1 Jul 2000 09:12:34 +1000 (EST)
Received: from mail-host.example.org (some-host.example.org [192.168.66.2])
            by mailbox-service.example.net (8.9.1/8.9.1) with ESMTP id IAA05991
            for <spammee@example.net>; Fri, 30 Jun 2000 08:21:06 -0700
Received: from mail.example.net (ip-192-168-66-25.example.org [192.168.66.25])
            by mail-host.example.org (8.9.0/8.6.12) with SMTP id BAA16262;
            Sat, 1 Jul 2000 01:01:24 +1000 (EST)

In these headers, you should notice that the host that received the message in one Received line (the "by" host) and the host that sent it on in the Received line directly above (the "from" host) should correspond. For example, in the following sequence:

Received: from mailbox-service.example.net (bigbox.example.net [192.168.20.1])
            by mailhandler.example.com (8.9.1/8.9.1) with ESMTP id JAA21108
            for <spammee@example.net>; Sat, 1 Jul 2000 09:12:34 +1000 (EST)
Received: from mail-host.example.org (some-host.example.org [192.168.66.2])
            by mailbox-service.example.net (8.9.1/8.9.1) with ESMTP id IAA05991
            for <spammee@example.net>; Fri, 30 Jun 2000 08:21:06 -0700

The lower line shows the message being received by a server at "mailbox-service.example.net", and the upper line shows "mailbox-service.example.net" passing it on. The two "Received" lines agree, so you can be fairly confident that both are accurate. Notice also that there is a second host name in parentheses after the "from" host name, together with an Internet address in square brackets.

Received: from mailbox-service.example.net (bigbox.example.net [192.168.20.1])
            by mailhandler.example.com (8.9.1/8.9.1) with ESMTP id JAA21108 
            for <spammee@example.net>; Sat, 1 Jul 2000 09:12:34 +1000 (EST)

The host name before the parentheses is supplied by the sending machine, and if the sending machine is the spammer's machine, it may be forged. The host name in parentheses is more reliable, and the Internet address in square brackets is the most reliable part of the received line. In the example below, the spammer has forged the name "mail.example.net", when they are really "ip-192-168-66-25.example.org".

Received: from mail.example.net (ip-192-168-66-25.example.org [192.168.66.25])
            by mail-host.example.org (8.9.0/8.6.12) with SMTP id BAA16262;
            Sat, 1 Jul 2000 01:01:24 +1000 (EST)

A received line that is obviously forged like this most likely marks the original source of the spam. This received header includes another clue that you have found the source: host names with a lot of numbers in them are usually dial-up user addresses.

If you come across a received header that does not have the second host name and IP address for the sending machine, the email has been through an anonymous relay, and you will not be able to reliably track it to its source.

Keep going down the list of received headers until you either find the original source of the spam, or find an obvious forgery (which is likely to indicate the true source of the spam).
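The checks described above can be applied mechanically. The following Python script is an added example, not part of the original guide: it unfolds a Received header chain, pulls out the announced "from" name, the receiver's own reverse-DNS name and IP, and the "by" host, then flags hops whose announced name is in a different domain from the reverse DNS, whose "by" host doesn't match the hop above, whose name is numeric, or which lack a recorded IP. The sample chain is constructed from the guide's three hops (shortened) and uses only example.* names and private addresses.

```python
import re

# Constructed sample: the three-hop Received chain the guide walks through (newest
# hop first), shortened; hosts are example.* names and private addresses, not real systems.
SAMPLE_HEADERS = """\
Received: from mailbox-service.example.net (bigbox.example.net [192.168.20.1])
    by mailhandler.example.com with ESMTP id JAA21108; Sat, 1 Jul 2000 09:12:34 +1000
Received: from mail-host.example.org (some-host.example.org [192.168.66.2])
    by mailbox-service.example.net with ESMTP id IAA05991; Fri, 30 Jun 2000 08:21:06 -0700
Received: from mail.example.net (ip-192-168-66-25.example.org [192.168.66.25])
    by mail-host.example.org with SMTP id BAA16262; Sat, 1 Jul 2000 01:01:24 +1000
"""

# "from <claimed name> (<reverse-DNS name> [<ip>]) by <receiving host>": the name after
# "from" is what the sender announced; the bracketed part is the receiver's own lookup.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>[\w.@-]+)"
    r"(?:\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>[\w.@-]+)")

def parse_received(headers):
    """Unfold continuation lines, then return one dict per Received: header."""
    hops = []
    for line in re.sub(r"\r?\n[ \t]+", " ", headers).splitlines():
        m = HOP_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append(m.groupdict())
    return hops

def domain(host):
    """Rough registered domain: the last two labels of a host name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(hops):
    """Apply the guide's checks hop by hop; returns (hop index, finding) pairs."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["ip"] is None:  # receiver recorded no address: anonymous relay
            findings.append((i, "no IP recorded by receiver: anonymous relay, trail ends here"))
            break
        # The "by" host should be the "from" host of the hop directly above it.
        if i > 0 and hops[i - 1]["claimed"].lower() != hop["by"].lower():
            findings.append((i, "by-host does not match the from-host of the hop above"))
        # Announced name and reverse DNS in different domains: likely forged, likely origin.
        if hop["rdns"] and domain(hop["claimed"]) != domain(hop["rdns"]):
            findings.append((i, f"claimed {hop['claimed']} but reverse DNS is {hop['rdns']}: likely forged"))
        if re.search(r"\d+[-.]\d+[-.]\d+", hop["rdns"] or ""):
            findings.append((i, f"numeric host name {hop['rdns']}: looks like a dial-up address"))
    return findings
```

Running `analyse(parse_received(SAMPLE_HEADERS))` flags only the last hop, on both counts the guide gives: its announced name mail.example.net is in a different domain from the reverse DNS ip-192-168-66-25.example.org, and that name is numeric.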

For more information about tracking down email using the headers, see http://www.rahul.net/falk/mailtrack.html, and Reading Email Headers.