Unsolicited Commercial Email (aka UCE or "spam") is a burden to Internet users and should be combatted whenever possible. This document describes some of the steps I take to fight spam.
For more information about why spam is a Bad Thing, please visit the following sites:
Here are a few more links with various opinions on the spam issue:
Mail headers are trivial to forge. Keeping that in mind, let's examine the headers from some spam I recently received (some lines have been reformatted for readability):
Received: from mailhub.cts.com (mailhub.cts.com [204.216.216.130])
by blackhole.dimensional.com (8.7.6/8.6.12)
with SMTP id XAA29782
for <mfuhr@nova.dimensional.com>;
Thu, 17 Apr 1997 23:23:00 -0600 (MDT)
This is the Received: header inserted by my mail server.
Assuming my ISP hasn't been hacked, this header is somewhat trustworthy: it is the only header my own server wrote. Everything below it arrived over the network from the sending host and could have been fabricated wholesale.
We see that the mail arrived from mailhub.cts.com, which has
an IP address of 204.216.216.130; we'll remember these for later.
Note that the hostname could be forged, although it doesn't appear to be in this case: the hostname the sender claimed (shown after the word from) matches the name listed in DNS for the sender's IP address (both shown in parentheses). However, the reverse DNS lookup can be spoofed too (whoever controls the address block controls its PTR records), so the IP address, which my server took from the TCP connection itself, is the most reliable piece of information here.
From: Masterpiece@USA.net
Posted-Date: Thu, 17 Apr 1997 23:23:00 -0600 (MDT)
Received-Date: Thu, 17 Apr 1997 23:23:00 -0600 (MDT)
Received: from crash.cts.com(really [192.188.72.17]) by mailhub.cts.com
via smail with smtp
id <m0wI64B-000WSLC@mailhub.cts.com>
for <mfuhr@nova.dimensional.com>;
Thu, 17 Apr 97 22:18:35 -0700 (PDT)
(Smail-3.1.92 1996-Mar-19 #3 built 1996-Apr-21)
Received: by crash.cts.com (Smail3.1.29.1 #5)
id m0wI5q4-00001nC; Thu, 17 Apr 97 22:04 PDT
Message-Id: <m0wI5q4-00001nC@crash.cts.com>
The sender is apparently Masterpiece@USA.net. This is probably a bogus address, but we'll remember it anyway.
More headers, possibly forged. New are the name crash.cts.com
and the address 192.188.72.17. In smail's "crash.cts.com(really [192.188.72.17])" notation the name is what the connecting host claimed and the bracketed address is what mailhub.cts.com recorded for the connection.
Date: Thu, 17 Apr 97 22:04 PDT
Subject: "The GOOD NEWS Electronic Journal"
Good news indeed. Just what I needed.
The names and addresses we've gleaned from the headers are:
Masterpiece@USA.net
mailhub.cts.com
crash.cts.com
192.188.72.17
204.216.216.130
You can also examine the message itself for additional hostnames or email addresses. We know any of these could be bogus, but they're all we have to work with. The next step is to find out who we should complain to.
One address I always complain to is postmaster@domain, which every domain that handles mail is required to accept (RFC 1123); some sites also support abuse@domain, a convention later written down in RFC 2142. So for the names we found above, we have:
postmaster@USA.net
postmaster@cts.com
abuse@USA.net
abuse@cts.com
The postmaster may or may not care about our complaint, or mail to it might just go in the trash. Let's find out who else we can talk to.
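The header walk above, done mechanically, as an added example that is not part of the original page: a Python script that parses the Received: chain of a message (the sample headers are the ones quoted above, with a constructed placeholder body), pulls out the claimed hostname, the reverse-DNS name, the connecting IP address and the receiving host of each hop, and derives the postmaster@/abuse@ list. The two-label domain rule (mailhub.cts.com becomes cts.com) is a simplification assumed here; whois and traceroute remain separate steps.

```python
import re
from email import message_from_string

# Constructed sample: the Received: chain quoted on this page (Posted-Date and
# Received-Date omitted) with a placeholder body.  Continuation lines start
# with a tab, as in a real message.
SAMPLE = """Received: from mailhub.cts.com (mailhub.cts.com [204.216.216.130])
\tby blackhole.dimensional.com (8.7.6/8.6.12)
\twith SMTP id XAA29782
\tfor <mfuhr@nova.dimensional.com>;
\tThu, 17 Apr 1997 23:23:00 -0600 (MDT)
From: Masterpiece@USA.net
Received: from crash.cts.com(really [192.188.72.17]) by mailhub.cts.com
\tvia smail with smtp
\tid <m0wI64B-000WSLC@mailhub.cts.com>
\tfor <mfuhr@nova.dimensional.com>;
\tThu, 17 Apr 97 22:18:35 -0700 (PDT)
\t(Smail-3.1.92 1996-Mar-19 #3 built 1996-Apr-21)
Received: by crash.cts.com (Smail3.1.29.1 #5)
\tid m0wI5q4-00001nC; Thu, 17 Apr 97 22:04 PDT
Message-Id: <m0wI5q4-00001nC@crash.cts.com>
Date: Thu, 17 Apr 97 22:04 PDT
Subject: "The GOOD NEWS Electronic Journal"

(body omitted)
"""

IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
HOST_RE = re.compile(r'\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b')
# "from <claimed> (<comment>) by <receiver>"; the from clause is absent when
# the message was injected locally, as in the innermost hop above.
FROM_BY_RE = re.compile(r'(?:from\s+(?P<from>.*?)\s+)?by\s+(?P<by>[^\s;(]+)', re.I)


def _hostnames(text):
    """Dotted names in text that contain a letter (filters out bare IP addresses)."""
    return [h for h in HOST_RE.findall(text) if re.search(r'[A-Za-z]', h)]


def parse_received(value):
    """Split one Received: header into claimed name, reverse-DNS name, IP, receiver."""
    v = ' '.join(value.split())          # unfold continuation lines
    m = FROM_BY_RE.match(v)
    if not m:
        return None
    hop = {'claimed': None, 'reverse_dns': None, 'ip': None, 'by': m.group('by').lower()}
    frm = m.group('from')
    if frm:
        hop['claimed'] = re.match(r'[^\s(]+', frm).group(0).lower()
        ipm = IP_RE.search(frm)
        if ipm:
            hop['ip'] = ipm.group(1)
        comment = re.search(r'\((.*)\)', frm)
        if comment:
            names = _hostnames(comment.group(1))
            if names:
                hop['reverse_dns'] = names[0].lower()
    return hop


def analyse(raw):
    """Walk the Received: chain top-down and collect every name and address it mentions."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all('Received', [])) if h]
    hosts, ips = set(), set()
    for i, h in enumerate(hops):
        for name in (h['claimed'], h['reverse_dns']):
            if name:
                hosts.add(name)
        if i > 0:                 # hops[0]['by'] is our own server, not the sender's
            hosts.add(h['by'])
        if h['ip']:
            ips.add(h['ip'])
    return {'hops': hops, 'sender': msg.get('From', '').strip(),
            'hosts': hosts, 'ips': ips,
            # Only the outermost hop was written by our own server; its bracketed
            # address came from the TCP connection and is the one fact we can trust.
            'trusted_ip': hops[0]['ip'] if hops else None}


def registrable_domain(name):
    """Assumed simplification: last two labels (mailhub.cts.com -> cts.com)."""
    return '.'.join(name.lower().split('.')[-2:])


def complaint_addresses(info):
    """postmaster@ and abuse@ for every domain seen in the headers and the From: line."""
    domains = {registrable_domain(h) for h in info['hosts']}
    if '@' in info['sender']:
        domains.add(registrable_domain(info['sender'].rsplit('@', 1)[1]))
    return sorted(f'{box}@{d}' for d in domains for box in ('postmaster', 'abuse'))


if __name__ == '__main__':
    info = analyse(SAMPLE)
    for n, h in enumerate(info['hops']):
        print(f"hop {n}: from {h['claimed']} (rdns {h['reverse_dns']}, ip {h['ip']}) by {h['by']}")
    print('trusted IP:', info['trusted_ip'])
    print('complain to:', ', '.join(complaint_addresses(info)))
```

The script deliberately keeps every name it sees, forged or not, for the same reason the page does: the complaint goes to everyone whose name was used. The one value it marks as trusted is the address in the hop our own server wrote.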
traceroute is a program that traces the route a packet takes on its way to a particular address; we can use it to find the sender's upstream providers. Note that if the sender has relayed the message through several mail servers, this information probably isn't very useful: traceroute only tells you who connects the last relay (the one that handed the mail to your server) to the Internet, not who connects the originator.
% traceroute mailhub.cts.com
traceroute to mailhub.cts.com (204.216.216.130), 30 hops max, 40 byte packets
 1  pm-8.dimcom.net (208.206.176.208)  132.315 ms  131.683 ms  131.776 ms
 2  cisco-1.dimcom.net (208.206.176.5)  136.114 ms  134.013 ms  135.818 ms
 3  dimensional-gw.san-jose.good.net (207.98.191.157)  177.280 ms  196.843 ms  175.259 ms
 4  mae-west.atmnet.net (198.32.136.89)  181.992 ms  255.614 ms  174.802 ms
 5  sd-gw-1-OC3c.atmnet.net (207.67.242.6)  192.904 ms  203.416 ms  206.098 ms
 6  * cts-gw.atmnet.net (207.67.240.114)  229.036 ms *
 7  mailhub.cts.com (204.216.216.130)  272.628 ms  209.394 ms  239.526 ms
In this case, we've traced the route to mailhub.cts.com and found that the hops just before it belong to atmnet.net, so their upstream provider appears to be atmnet.net. (What you see is the path from your network to theirs, which need not be the path they use to reach you, so treat this as a hint rather than proof.) We'll cc: a copy of our complaint to postmaster@atmnet.net and abuse@atmnet.net.
whois is a program you can use to query the InterNIC database for the names of persons responsible for a domain or a block of IP addresses.
% whois cts.com
CTS Network Services (CTS-DOM)
4444 Convoy Street, #300
San Diego, California 92111
USA
Domain Name: CTS.COM
Administrative Contact:
Blue, William (BB167) bblue@CTS.COM
619.637.3600
Technical Contact, Zone Contact:
Sherwin, Dan (DS813) hostmaster@CTS.COM
619-637-3637 (FAX) 619-637-3630
Record last updated on 20-Dec-96.
Record created on 19-Jan-87.
Database last updated on 21-Apr-97 06:07:13 EDT.
Domain servers in listed order:
NS.CTS.COM 192.188.72.18
NEWS.CTS.COM 192.188.72.21
Here we find out the email addresses of the administrative and
technical contacts for the domain; we'll add bblue@cts.com
and hostmaster@cts.com to our list.
You can use whois for any other domains you've found to find out
who's responsible for them; you can also find out who's responsible
for the IP addresses we found (192.188.72.17 and 204.216.216.130). For
this example, I'll stop with what we already have:
To: postmaster@USA.net,
postmaster@cts.com,
abuse@USA.net,
abuse@cts.com,
bblue@cts.com,
hostmaster@cts.com
Cc: postmaster@atmnet.net,
abuse@atmnet.net
Now that we have an idea of who to complain to, we forward the message to those individuals. Be sure to include the entire message, including the headers: the people we're writing to may need them to verify our gripe.
Here's the message I always include with the forwarded mail:
This is unsolicited, undesired email. Please take appropriate actions to stop it, or see <URL:http://spam.abuse.net/spam/> for how and why you should. This message is sent to persons who appear to be in responsible positions on the networks involved in the transmission of the original message, possibly including upstream providers. This information is obtained from the message headers, InterNIC Registration Services (whois), and traceroute. I realize that some of the information in the message headers could have been forged and that some of the domains may have actually had nothing to do with this message. Nevertheless, I think it's just as important to notify those domains so they know that someone is using their name inappropriately. Thank you for your attention in this matter.
This message is polite but direct. Here are some things to keep in mind when complaining about unsolicited email:
In most cases, you'll hear nothing. That doesn't necessarily mean your request was ignored, though that's certainly possible. Just keep up the fight.
Some of the addresses you forwarded the message to may bounce, saying something like "user unknown." C'est la vie.
Some administrators may actually be irritated that you complained, especially if they've already fixed the problem. Here's part of a response I recently received:
Now, I terminated this account well over 9 days ago. In the future, please make sure you check the "AutoResponder" prior to complaining. If you would have, then you would have noticed this problem had already been rectified and you would have received the following statement:
The original message told me to use the autoresponder if I wanted more information or ordering instructions, which I didn't. It mentioned nothing about using the autoresponder to remove myself from their list; even if it had, I still wouldn't have used it. I don't play the "send REMOVE if you wish to be removed from this list" game -- I never subscribed to their list in the first place, so I shouldn't have to take action to remove myself from it. Instead, I contact their service providers and let them know that I don't welcome unsolicited email.
Every once in a while, you'll get responses like these:
Thank you for your report. We have disabled this account (mefbus@ix.netcom.com), and will not reenable it.
Thank you for your message. This account was canceled on March 12, 1997 due to complaints regarding unsolicited e-mail.
I do thank you for contacting us, as your message adds to us proving our case should this go as far as the court system. From what we understand, last time CyberPromotions quickly settled out of court.
The message you forwarded to me not only violates Pacific Bell Internet's ban on unsolicited commercial email and illegal pyramid schemes, it also contains forged headers. At Pacific Bell Internet, we have a zero-tolerance policy towards forged email headers: all customers who forge an email header will have their accounts terminated immediately. Consequently, the sender of the message to which you objected is now a *former* Pacific Bell Internet customer. :)
These are the small victories :-)
See also Reading Email Headers at www.stopspam.org.
procmail is a program you can use to filter email. You can get procmail from:
For more information on mail filtering, please visit the following sites: