What is SPAM

Spam is also known as Unsolicited Commercial Email (UCE). In the context of email, the word means all the advertisements you receive without having asked for them. They fall into several categories:

If you are not going to read further, just remember the golden rule of dealing with spam:

Never, never inform the spammer that you have received his message. (Don't ever send any REMOVE messages, don't click on any links, don't reply to addresses in the body of the message.) If you feel the urge to respond, complain instead.


How to deal with SPAM

  1. If they ask you to send any email anywhere or to go to any web site, do not do it. They may tell you that their software will automatically remove you from the list if you send them an email, or anything else. Never confirm to the spammer in any way that you have received the message.
  2. When complaining about spam to anyone, make sure you provide the full headers (including the "From " envelope line and all the Received: lines). Otherwise your report will not only be ignored by any system administrator, but will annoy them, too.
  3. Please do not complain about single instances of spam to me (Stanislav Shalunov). I do not have the time to read all the spam our whole site is getting. If you receive a lot of spam and it annoys you, let me know once that you would like some site-wide anti-spam measures.
  4. Do complain about spam you are getting, that is, if you have the time or are annoyed enough to bother. Spammers waste our valuable resources, and the best thing you can do is complain about them. If you do not feel like complaining about some instance of spam, just delete it and forget about it. Please do not file spam.

Possible technical solutions for the spam problem

This section should just give you some very basic understanding of the subject.

Some protection measures are on a per user basis; others are site-wide.

Any user can set up some filtering of incoming email for spam. Most spam can be identified by formal rules (mostly violations of RFC822 in the headers of the message). This filtering is most naturally done with procmail. (Read "man procmail" for more information on this program; it is installed on mccme.ru as the default mail delivery agent.)

These measures can keep spam out of your mailbox, but the valuable bandwidth is still wasted.

The other approach is to refuse spam while it is being received via SMTP, before the message is accepted. Normal users cannot interfere with this process--it's out of their control.

How to complain about SPAM

Where to send the complaint, what to include

First, get your mail user agent to display the UCE you were unlucky enough to receive with its full headers.

The body of the complaint should be something standard that you do not have to type each time you complain. In particular cases you might add something mentioning the names of the involved ISPs. In fact, I always complain about my spam, but never even read it.

An example of such text:

Recently, I have received an Unsolicited Commercial E-mail from you.
I do not like UCE's and I would like to inform you that sending
unsolicited messages to someone while he or she may have to pay for
reading your message may be illegal.  Anyway, it is highly annoying
and not welcome by anyone.  It is rude, after all.

If you think that this is a good way to advertise your products or
services you are mistaken.  Spamming will only make people hate you, not
buy from you.

If you have any list of people you send unsolicited commercial emails to, 
REMOVE me from such list immediately.  I suggest that you make this list 
just empty.

	----------------------------------------------------

If you are not an administrator of any site and still have received
this message then your email address is being abused by some spammer.
They fake your address in From: or Reply-To: header.  In this case,
you might want to show this message to your system administrator, and
ask him/her to investigate this matter.

Note to the postmaster(s): I append the text of UCE in question to
this message; I would like to hear from you about action(s) taken.
This message has been sent to postmasters at the host that is
mentioned as original sender's host (I do realize that it may be
faked, but I think that if your domain name is being abused this way
you might want to learn about it, and take actions) and to the
postmaster whose host was used as mail relay for this message.  If
message was sent not by your user, could you please compare time when
this message was sent (use time in Received: field of the envelope
rather than Date: field) with your sendmail logs and see what host was
using your sendmail at this moment of time.

Thank you.

This text should be followed by the text of the message in question with full headers.

The next part is to find the list of addresses to send the complaint to. Here you will need to examine the headers yourself (and maybe do some additional research) for the list of ``involved foreign sites''. Then add to the CC list the addresses ``postmaster'' and ``abuse'' at all the involved foreign sites.

Let's work through an example. Suppose you get some spam with these headers (a real example):

Return-Path: <29111238@ix.netcom.com>
Received: from main.mccme.rssi.ru (main.mccme.rssi.ru [193.232.215.1])
	by mccme.ru (8.8.5/8.8.5) with ESMTP id KAA04007
	for <webmaster@mccme.ru>; Thu, 5 Feb 1998 10:03:19 +0300
From: 29111238@ix.netcom.com
Received: from mail.medford.net (mail.medford.net [208.151.225.131])
	by main.mccme.rssi.ru (8.8.5/8.8.5) with SMTP id KAA23972
	for <webmaster@mccme.ru>; Thu, 5 Feb 1998 10:01:38 +0300
Received: from mail.medford.net [153.37.69.90] by mail.medford.net
  (SMTPD32-4.02c) id A445900152; Wed, 04 Feb 1998 23:03:33 PST8PDT
Received: from mailhost.ttjijjcjlf.com
	(alt1.ttjijjcjlf.com(203.9.98.25)) 
	by 82723723@ix.netcom.com (8.8.5/8.6.5) with SMTP id GAA08071 
	for <82723723@ix.netcom.com>; Wed, 04 Feb 1998 23:55:07 -0600 (EST)
Date: Wed, 04 Feb 98 23:55:07 EST
To: 82723723@ix.netcom.com
Subject: Email your AD to 57 MILLION People  ONLY $99
Message-ID: <553728753719.GAA23515@ttjijjcjlf.com>
Reply-To: 82723723@ix.netcom.com
X-UIDL: 55296375829492153236187249751458
Comments: Authenticated sender is <82723723@ix.netcom.com>

We examine all the Received: lines from top to bottom. The first one (the most recent) indicates that the message was transmitted from main.mccme.rssi.ru to mccme.ru. This is an internal transmission within MCCME, of no interest to us. The next one,

Received: from mail.medford.net (mail.medford.net [208.151.225.131])
	by main.mccme.rssi.ru (8.8.5/8.8.5) with SMTP id KAA23972
	for <webmaster@mccme.ru>; Thu, 5 Feb 1998 10:01:38 +0300
says that the message came to main.mccme.rssi.ru from the machine mail.medford.net with IP address 208.151.225.131. You can always trust the information in this line--it's written by our sendmail and spammers have no way of altering it. The only caveat is that you should use the hostname from the parentheses (the name our sendmail resolved for that IP address), not the name the sender announced. So, medford.net is an involved site: this piece of spam came to us from them.

But it didn't originate at medford.net. This site was merely used as a relay, which means that the spammer was somewhere else and asked mail.medford.net to relay his message to a (probably very large) number of people. So what you want from mail.medford.net is to close their open relay: they send messages anywhere for anyone who asks.

OK, let's see how I know it didn't come from medford.net. Let's examine the next Received: line:

Received: from mail.medford.net [153.37.69.90] by mail.medford.net
  (SMTPD32-4.02c) id A445900152; Wed, 04 Feb 1998 23:03:33 PST8PDT

This line says that they received the message from some host that introduced itself to them as mail.medford.net (and was lying) and had the IP address 153.37.69.90. Now we want to know what this IP address stands for, so we do a reverse DNS lookup on it. We issue the command host 153.37.69.90 to the shell and see the following output:

$ host 153.37.69.90
Name: 1Cust90.tnt6.lax3.da.uu.net
Address: 153.37.69.90
Aliases:

This means that the message really came from a dialup customer of uu.net. So, uu.net is involved, too.

We could stop at this point and send the complaint

To: abuse@medford.net
CC: postmaster@medford.net, postmaster@uu.net, abuse@uu.net

Usually, however, one gets the best results with complaints addressed to the upstream providers of the involved sites. Uu.net itself is a huge ISP; it doesn't have any ``upstream providers,'' but rather neighbors, so it would not make a lot of sense to complain to them. However, I had never heard of medford.net before I got this spam, so (as nothing suggests otherwise) I assume that it is a small organization with a single upstream provider. Now we need to figure out which one. To aid us, there is a program named traceroute; its argument should be a valid hostname or IP address.

$ traceroute mail.medford.net
traceroute to mail.medford.net (208.151.225.131), 30 hops max, 40 byte packets
 1  router.mccme.ru (195.178.198.1)  2.476 ms  2.026 ms  1.997 ms
 2  MSK-M9-1-S1-0-6.fr.iip.net (195.178.192.82)  81.733 ms 70.377 ms 78.770 ms 
 3  SOVAM.fr.iip.net (195.178.192.66)  52.939 ms  212.063 ms 158.894 ms
 4  SOVAM.fr.iip.net (195.178.192.66)  67.837 ms 46.797 ms 103.888 ms
 5  cisco0.Moscow.ST.NET (194.67.0.253)  75.956 ms amsterdam1.att-unisource.net
(195.206.65.185)  191.053 ms  217.468 ms
 6  * amsterdam5.att-unisource.net (195.206.64.85) 163.962 ms 305.007 ms
 7  amsterdam3.att-unisource.net (195.206.64.209) 240.267 ms 252.317 ms *
 8  newyork1.att-unisource.net (195.206.65.34)  274.748 ms  373 ms 265.914 ms
 9  12.127.241.157 (12.127.241.157)  351.343 ms  291.609 ms *
10  12.127.241.157 (12.127.241.157)  571.973 ms *  702.636 ms
11  br2-a3110s1.n54ny.ip.att.net (12.127.0.10)  515.108 ms * *
12  * * *
13  2-sprint-nap.internetmci.net (192.157.69.48)  516.699 ms * 635.118 ms
14  core2-hssi2-0.WestOrange.mci.net (204.70.1.49)  446.775 ms 438.515 ms  621.
15  core2.Bloomington.mci.net (204.70.4.65)  720.881 ms  541.220 ms *
16  * * *
17  * border2-fddi-0.Sacramento.mci.net (204.70.164.34)  388.194 ms 527.629 ms
18  data-research-group.Sacramento.mci.net (204.70.166.46)  373.171 ms
19  * raven.willamette.net (206.100.174.253)  552.666 ms  449.798 ms
20  WIZZ.FC2.willamette.net (207.48.101.69)  692.083 ms * *
21  rt1.rb.wizzards.net (206.100.190.253)  762.350 ms  779.960 ms
22  fr2.s1.rt1.wizzards.net (208.151.229.3)  589.633 ms  821.780 ms 678.265 ms
23  mail.medford.net (208.151.225.131)  405.088 ms * *

Here we see that the site right before the first *.medford.net host is in the wizzards.net domain. So abuse@wizzards.net and postmaster@wizzards.net should be added to the CC list.

OK, what about the last Received: line in this message?

Received: from mailhost.ttjijjcjlf.com
	(alt1.ttjijjcjlf.com(203.9.98.25)) 
	by 82723723@ix.netcom.com (8.8.5/8.6.5) with SMTP id GAA08071 
	for <82723723@ix.netcom.com>; Wed, 04 Feb 1998 23:55:07 -0600 (EST)

The answer is simple: the spammer added it to confuse you. It's a forged line, not added by any MTA. In fact, one can see that the syntax is wrong here (the IP address is in parentheses rather than brackets, the spacing is wrong, the ``by'' part includes a username, etc.).
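The walk through the Received: lines above (trust what our own sendmail wrote, take the relay's name from the parentheses, resolve the origin IP, stop at a line whose syntax no MTA would produce) can be done by a small program, and the same formal checks are the kind of rule the procmail paragraph refers to. The following Python is an added example, not code from this page or from mccme.ru; it reads the sample headers quoted above, which are embedded as a constructed string, and uses a constructed table in place of the "host" lookup so that it runs offline. The names OUR_DOMAINS, REVERSE_DNS and all function names are assumptions of the example.

```python
import re

# Constructed sample input: the header block quoted on the page, reproduced here so
# the example runs offline. The "\t" and two-space continuation lines are intentional.
SAMPLE_HEADERS = """\
Return-Path: <29111238@ix.netcom.com>
Received: from main.mccme.rssi.ru (main.mccme.rssi.ru [193.232.215.1])
\tby mccme.ru (8.8.5/8.8.5) with ESMTP id KAA04007
\tfor <webmaster@mccme.ru>; Thu, 5 Feb 1998 10:03:19 +0300
From: 29111238@ix.netcom.com
Received: from mail.medford.net (mail.medford.net [208.151.225.131])
\tby main.mccme.rssi.ru (8.8.5/8.8.5) with SMTP id KAA23972
\tfor <webmaster@mccme.ru>; Thu, 5 Feb 1998 10:01:38 +0300
Received: from mail.medford.net [153.37.69.90] by mail.medford.net
  (SMTPD32-4.02c) id A445900152; Wed, 04 Feb 1998 23:03:33 PST8PDT
Received: from mailhost.ttjijjcjlf.com
\t(alt1.ttjijjcjlf.com(203.9.98.25))
\tby 82723723@ix.netcom.com (8.8.5/8.6.5) with SMTP id GAA08071
\tfor <82723723@ix.netcom.com>; Wed, 04 Feb 1998 23:55:07 -0600 (EST)
To: 82723723@ix.netcom.com
"""

# Our own machines (assumed): a Received: line written "by" one of these is trustworthy.
OUR_DOMAINS = ("mccme.ru", "mccme.rssi.ru")

# Constructed stand-in for the reverse lookup the page does with "host"; the answer
# is the one printed on the page. A real tool would query DNS here.
REVERSE_DNS = {"153.37.69.90": "1Cust90.tnt6.lax3.da.uu.net"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold_headers(text):
    """Return (name, value) pairs, joining RFC822 continuation lines into one value."""
    headers = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Split one Received: value into parts and apply the page's formal checks:
    a genuine line reads 'from <announced name> ... [<ip>] ... by <host>', with the
    IP in square brackets and a hostname (never a mailbox) after 'by'."""
    info = {"raw": value, "claimed": None, "verified": None, "ip": None, "by": None,
            "problems": []}
    m = re.match(r"from\s+(\S+)\s+(.*?)\s*\bby\s+(\S+)", value)
    if not m:
        info["problems"].append("no 'from ... by ...' structure")
        return info
    info["claimed"], middle, info["by"] = m.groups()
    ip = re.search(r"\[(" + IPV4 + r")\]", middle)
    if ip:
        info["ip"] = ip.group(1)
    else:
        info["problems"].append("no IP address in square brackets")
    # sendmail writes the name it resolved for the peer's IP inside the parentheses
    verified = re.search(r"\((\S+)\s+\[", middle)
    info["verified"] = verified.group(1) if verified else None
    if "@" in info["by"]:
        info["problems"].append("'by' names a mailbox, not a host")
    return info


def trace_relays(headers, our_domains):
    """Walk Received: lines top to bottom, labelling each hop as the page does, and
    stop at the first line that fails the formal checks (a forged line tells nothing)."""
    def ours(host):
        return any(host.endswith(d) for d in our_domains)

    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        hop = parse_received(value)
        if hop["problems"]:
            hop["role"] = "forged"
            hops.append(hop)
            break
        if ours(hop["by"]) and ours(hop["claimed"]):
            hop["role"] = "internal"   # our machines handing the message around
        elif ours(hop["by"]):
            hop["role"] = "relay"      # the foreign host that delivered it to us
        else:
            hop["role"] = "origin"     # what the relay says it received it from
        hops.append(hop)
    return hops


def registrable_domain(hostname):
    """Approximate the site name by the last two labels (fine for .net/.com names)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def involved_sites(hops, reverse_dns):
    """Map involved site -> IP: the relay via the name our sendmail put in the
    parentheses, the origin via a reverse DNS lookup of its bracketed IP."""
    sites = {}
    for hop in hops:
        if hop["role"] in ("relay", "origin"):
            name = hop["verified"] or reverse_dns.get(hop["ip"])
            if name:
                sites[registrable_domain(name)] = hop["ip"]
    return sites


def complaint_recipients(sites, upstreams=()):
    """abuse@ and postmaster@ at every involved site (the relay's site first), plus
    any upstream providers found with traceroute."""
    domains = list(sites) + list(upstreams)
    to = ["abuse@" + domains[0]]
    cc = ["postmaster@" + domains[0]]
    cc += ["%s@%s" % (box, d) for d in domains[1:] for box in ("postmaster", "abuse")]
    return to, cc


if __name__ == "__main__":
    hops = trace_relays(unfold_headers(SAMPLE_HEADERS), OUR_DOMAINS)
    for hop in hops:
        print("%-8s from=%s ip=%s by=%s %s" % (hop["role"], hop["claimed"], hop["ip"],
                                               hop["by"], "; ".join(hop["problems"])))
    sites = involved_sites(hops, REVERSE_DNS)
    to, cc = complaint_recipients(sites, upstreams=["wizzards.net"])  # from the traceroute
    print("To:", ", ".join(to))
    print("CC:", ", ".join(cc))
```

Run on the sample, the program labels the four Received: lines internal, relay, origin and forged, names medford.net and uu.net as the involved sites, and produces the same To: and CC: lists as the hand-written complaint above. The "last two labels" rule for the site name is a simplification that is wrong for domains such as co.uk; check the result before sending a complaint.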

Complain to ORBS!

The previous section describes how to send a polite note to the involved sysadmins. However, the people who administer the relay host might be clueless or just lazy and might ignore your message. Here's a way to make sure they listen to you and fix their mail software.

There's a service called ORBS (Open Relays Blocking System). In short, it contains a list of open relays, and sites on the Internet may choose to consult this list before accepting messages. People who include ORBS lookups in their mail software won't ever accept mail from open relays reported to ORBS. When composing your complaint, take into account that if you complain to ORBS as well as to the involved system administrators, they are more likely to listen to you; if they don't, they'll end up in trouble!

By complaining to ORBS you cannot hurt the innocent. ORBS checks your complaint automatically and silently discards it if you got things wrong. You won't bother any human being--everything is done by a robot.

To complain to ORBS you need to do the following:

In the example above we would put the lines

Relay: 208.151.225.131
Relay: 153.37.69.90
into the message body. (Where exactly it is included does not matter; for example, you can put it at the top of the message.) In this example, the first line is the really necessary part (the real relay), while the second line reports the (possibly) originating IP. Most likely this second IP number is just a dynamically assigned dialup address and the check won't find anything wrong with it (it probably doesn't even run anything on the SMTP port), but including a wrong number won't hurt if you aren't sure what to put there.

Mail sent to relays@dorkslayers.com is processed automatically. All lines not beginning with ``Relay:'' are ignored. All the reported relays will be checked; if they actually allow relaying, they will be added to the database.

In one message to ORBS you can report up to ten IP numbers as suspected open relays.

Other Resources


If you see any errors on this page, please write us <compwww (at) mccme.ru>