Welcome to Spamcops.org


This covers the basics of what we deal with. Some of it is rather confusing at
first, but we've all been through this and will do our best to answer any
questions that you have. On top of this, a general understanding of how
TCP/IP works and of the protocols involved in the transmission of email
(SMTP, POP3, and IMAP) and news (NNTP) is helpful.

Example stationery for general spam information, including filtering and
several header reading tutorials:
<-----begin spam information stationery----->
There are many ways that spammers can get your email address. Nabbing your
email address from your browser is only one way that spammers get their
lists. Newsgroup postings are another very common way that spammers can
retrieve your email address. Also, many companies will sell their
"subscription" lists for others to use. For example, if you order
something online and give that company your email address, they will send
you more information. If you request that information, all is well.
However, if you do not, or if they sell your address to someone else, the
spamming starts. There are also CDs with lists of email addresses that
spammers will sell to each other. Mailing lists are also another place
that spammers get the email addresses that they abuse. In a poorly
configured mailing list, the email addresses of all the people on the list
are shown and it's easy to get hundreds of names that way. Your address is
also exposed whenever you send mail out to a mailing list. There's even a new
spam product on the market that will do a "test run" of a mail server to see
what addresses will go through. It then sends email to those valid addresses.

The To: field does not necessarily have to have an email address in it.
You can actually enter every email address in the cc: field or the bcc:
field. That's how some of the spam that you receive sneaks through to you
when you don't see yourself listed. On a related note, neither does the
From: field. Sometimes, you'll see something like A.Friend@mx05.erols.com.
What that tells me, since our mail server is given to our customers as
pop.erols.com, is that the sender didn't actually add anything to the From:
field besides A.Friend. mx05.erols.com interpreted this as local mail, and
so it added its own name to the end. (It's sort of like you sending out
mail to 1234 Anywhere Drive with no city or state codes and the post
office delivering that piece of mail to 2134 Anywhere Drive in your town
instead of asking you which town you want it delivered to.)

There are a variety of email programs available which provide their own
filtering system. You can configure these filters yourself to catch some
of the junk email we can't block. Eudora Pro, Pegasus Mail, and Netscape
v4.0 (and higher) all provide email filters, and you can find all of them at:

http://www.stroud.com
http://www.tucows.com

(As a side note, those of you interested in getting software that will help
to filter what your kids can see online may want to check out
http://www.tispa.org/filtering.htm.)

Also, I strongly recommend AGAINST sending remove requests. Most junk
emailers put these remove instructions in their spam in an attempt to
appear legitimate. In most cases, mail to the specified address will
simply bounce. However, many junk emailers monitor these remove requests,
and instead of removing your address, they'll add it to a special list
that's been verified as "live." They will then sell this list to other
spammers, thus ensuring that you'll end up receiving MORE spam.

Filtering services help to keep spam from getting to your mailbox. One
email filtering service free to individuals to use is:

http://www.brightmail.com

If you'd like to download a program that will track junk email FOR you, one
of the best ones on the Internet can be found at:

http://samspade.org/ssw/

Some organizations were created for the purpose of making spam illegal. If
you'd like to read more about one of them that focuses on the federal level
of legislature, take a peek at:

http://www.cauce.org

There are even some mass email marketers helping the fight against spam.
They would like to clean up the image that legitimate online marketers are
getting because of spammers.

http://www.chooseyourmail.com/spamindex.cfm

And for more information about junk email, check out the following websites:

http://www.mcs.com/~jcr/junkemail.html
http://members.aol.com/emailfaq/emailfaq.html
http://www.cybernothing.org/faqs/net-abuse-faq.html
http://www.samspade.org

Or, if you're interested in learning how to read headers and making the
complaints yourself, some good places to start are:

http://www.fmp.com/spam_patrol/tracking.html
http://digital.net/~gandalf/spamfaq.html under tracing an email
http://help.mindspring.com/features/emailheaders/index.htm
http://www.stopspam.org/email/headers/headers.html (highly recommended)
http://just4u.com/webconsultants/spamfaq.htm
<-----end spam information stationery----->

A bit of stationery that I put together quite some time ago that rarely
gets sent out. It takes the headers of an email and breaks it down
step-by-step.
<-----begin header reading stationery----->
The Received: lines are something like recording an incoming phone call
with Caller-ID turned on. There is a dialog that goes on between the mail
servers. The important bits of the conversation get logged in the
Received: headers, which allow you to track the email to its source.

Neighbor: Hi, you there?

You: Yep. Who are you?

N: I'm your dog. (HELO mx10.mindspring.com)

You *checking caller ID*: OK, well, you say you're my dog
(mx10.mindspring.com), but caller ID tells me that you're really Joe
Neighbor (209.138.36.101). I'll accept the call, but I'm going to note
that the caller ID tells me that you are Joe Neighbor (209.138.36.101)
calling from my neighbor's house (pool-209-138-36-101.irvn.grid.net). I'll
make a note of that as well as the time (19:10:51 -0400 (EDT)) and date
(Mon, 12 Apr 1999) that you called.

N: You can reach me at "jeni97890@yahoo.com" <jeni97890@yahoo.com>. (MAIL
FROM: "jeni97890@yahoo.com" <jeni97890@yahoo.com>)

You: Alright, let me write that down.

N: I'd like to leave a message for someone. They're found at <email
address of person who is intended to get the email>. (RCPT TO: <email@domain>)

You: Alright. I'll write that down too.

N: Here's the message that I want to leave for them. (DATA)

You: Alright. Start talking and let me know when you're done with the message.

N: blah blah blah (This is where the Subject: line and the body of the
email go. The sender ends the message with a single . on a line by itself.)

You: Alright. I've got the message now.

If your neighbor wanted to send another message, they could do that at this
time, or they could end the connection with QUIT.

Let's go ahead and break a header down so that you can see more of what I'm
talking about:
The big thing to remember is that anything that the user can set isn't
reliable. If you can lie about it, don't trust it. Receiving servers add
headers when they get the email in order to track the mail back to its
source. The receiving computer (let's call this B) adds what the sending
computer (A) tells it as well as information that it gathers itself. Received:
lines almost always have some form of this layout:

Received: from A HELO (extended actual name of A [A's Internet Protocol
address which is necessary to establish the connection]) by extended actual
name of B (version information of mail program) with PROTOCOL id TEMP
MESSAGE ID for <username@domain.com>; DayOfWeek, dd Mon yyyy hh:mm:ss
(timezone)

Keeping in mind that not all of the above components are always contained
in a header, let's start. First, the header as it appears in its entirety:


Return-Path: jeni97890@yahoo.com
Received: from rmx11.iname.net (rmx11.iname.net [165.251.12.115]) by
acestes-fe0.ultra.net (8.8.8/ult/n20340/mtc.v2) with ESMTP id TAA10944 for
<deletia>; Mon, 12 Apr 1999 19:14:41 -0400 (EDT)
Received: from smv10.globecomm.net by rmx11.iname.net (8.9.1a/8.8.0) with
SMTP id TAA12577 ; Mon, 12 Apr 1999 19:10:51 -0400 (EDT)
Received: from mx10.mindspring.com (pool-209-138-36-101.irvn.grid.net
[209.138.36.101])
by smv10.globecomm.net (8.9.1a/8.9.1SMVSNAP) with SMTP id TAA17095;
Mon, 12 Apr 1999 19:11:12 -0400 (EDT)
Message-ID: <2346.79110@mx10.mindspring.com>
From: "jeni97890@yahoo.com" <jeni97890@yahoo.com>
Reply-To: jeni@yahoo.com
Subject: A Calista Flockheart strip tease (aka Ally McBeal) (67936)
Date: Mon, 12 Apr 1999 16:12:48 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-UIDL: b9fc4ff64416e2243c1d8dfced6c17eb


And now, we start with the breakdown:


Return-Path: jeni97890@yahoo.com

This is the address given in MAIL FROM, where bounces go; it's the reply-to
address, basically.


Received: from rmx11.iname.net (rmx11.iname.net [165.251.12.115]) by
acestes-fe0.ultra.net (8.8.8/ult/n20340/mtc.v2) with ESMTP id TAA10944 for
<user@domain.com>; Mon, 12 Apr 1999 19:14:41 -0400 (EDT)

Here, we have the handoff from someone claiming to be rmx11.iname.net to
acestes-fe0.ultra.net (ultranet pop server). acestes checks to make sure
that rmx11.iname.net is who he says he is by doing a nslookup on
165.251.12.115 (There's the caller ID that I mentioned.) which does come
back as rmx11.iname.net. You'll want to verify this nslookup in all the
rest of the headers, but ultranet.com is the very last (timewise) header
and must be real.


Received: from smv10.globecomm.net by rmx11.iname.net (8.9.1a/8.8.0) with
SMTP id TAA12577 ; Mon, 12 Apr 1999 19:10:51 -0400 (EDT)

This is a handoff from someone claiming to be smv10.globecomm.net to
rmx11.iname.net. Since rmx11.iname.net doesn't mark this "caller ID",
we'll be a little skeptical about this header until we get farther down the
chain and can see how feasible it is. We do our own nslookup on
smv10.globecomm.net and come up with 165.251.12.104.


Received: from mx10.mindspring.com (pool-209-138-36-101.irvn.grid.net
[209.138.36.101])
by smv10.globecomm.net (8.9.1a/8.9.1SMVSNAP) with SMTP id TAA17095;
Mon, 12 Apr 1999 19:11:12 -0400 (EDT)

Well, smv10.globecomm.net shows up in this header too, so we'll be less
skeptical. The handoff here happens from someone claiming to be
mx10.mindspring.com to smv10.globecomm.net. But the "caller ID" says
209.138.36.101. Looking it up (nslookup 209.138.36.101) gives us
pool-209-138-36-101.irvn.grid.net who is the actual sender of the email.


Message-ID: <2346.79110@mx10.mindspring.com>

As we saw from the Received: headers, which are added by the receiving
machines, this email never touched mindspring.com's servers, so this is forged.


From: "jeni97890@yahoo.com" <jeni97890@yahoo.com>

Easy enough to change who you say you are. Unreliable.


Reply-To: jeni@yahoo.com

See above note.


Subject: A Calista Flockheart strip tease (aka Ally McBeal) (67936)
Date: Mon, 12 Apr 1999 16:12:48 -0400 (EDT)

Time stamp for when the email became available for you to download. Like
From:, it's set by the sending program, so don't rely on it.


MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-UIDL: b9fc4ff64416e2243c1d8dfced6c17eb

The POP3 unique ID (X-UIDL) and other information telling the email program
how to interpret the email.
<-----end header reading stationery----->
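The walk through the Received: chain above, done in code as an added example (not part of the stationery): it unfolds the sample headers, reads each hop oldest-first, flags a hop whose HELO name disagrees with the receiver's own reverse lookup or that carries no recorded IP at all, and checks that each receiver reappears as the next hop's sender. The recipient address is a placeholder and no DNS lookups are made; every verdict comes only from what the headers already record.

```python
import re

# Constructed copy of the three Received: lines from the sample header above,
# folded the way a mail server emits them (continuation lines start with a space).
SAMPLE_HEADERS = """\
Received: from rmx11.iname.net (rmx11.iname.net [165.251.12.115]) by
 acestes-fe0.ultra.net (8.8.8/ult/n20340/mtc.v2) with ESMTP id TAA10944 for
 <user@domain.com>; Mon, 12 Apr 1999 19:14:41 -0400 (EDT)
Received: from smv10.globecomm.net by rmx11.iname.net (8.9.1a/8.8.0) with
 SMTP id TAA12577 ; Mon, 12 Apr 1999 19:10:51 -0400 (EDT)
Received: from mx10.mindspring.com (pool-209-138-36-101.irvn.grid.net
 [209.138.36.101])
 by smv10.globecomm.net (8.9.1a/8.9.1SMVSNAP) with SMTP id TAA17095;
 Mon, 12 Apr 1999 19:11:12 -0400 (EDT)
"""

# "from HELO (reverse-name [ip]) by receiver": the parenthesised part is what
# the receiver recorded itself and is optional, since some servers omit it.
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)")

def unfold(raw):
    """Join folded header lines back into one logical line per field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields

def walk_chain(fields):
    """Return the Received: hops oldest-first (bottom header = first hop), each
    with a verdict: trust only what the receiving server recorded itself."""
    hops = []
    for field in fields:
        m = RECEIVED.search(field) if field.lower().startswith("received:") else None
        if m is None:
            continue
        hop = m.groupdict()
        hop["date"] = field.split(";", 1)[1].strip() if ";" in field else ""
        if hop["ip"] is None:
            hop["verdict"] = "no caller ID recorded; be skeptical"
        elif hop["rdns"] and hop["rdns"].lower() != hop["helo"].lower():
            hop["verdict"] = "HELO name disagrees with reverse DNS; forged"
        else:
            hop["verdict"] = "HELO name matches reverse DNS"
        hops.append(hop)
    hops.reverse()
    return hops

def chain_is_linked(hops):
    """Each hop's 'by' server should be the next hop's claimed sender; a break means a header was inserted or faked."""
    return all(a["by"].lower() == b["helo"].lower() for a, b in zip(hops, hops[1:]))

def origin_ip(hops):
    """The earliest hop carrying a recorded IP is the real injection point."""
    return next((h["ip"] for h in hops if h["ip"]), None)
```

Running `walk_chain(unfold(SAMPLE_HEADERS))` reproduces the breakdown: the mindspring hop is flagged as forged, the globecomm hop as unverifiable, and `origin_ip` returns 209.138.36.101.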

A fun version of whois: http://www.spinnwebe.com/whoitis/

Other web-interface versions of whois servers:
http://www.geektools.com/cgi-bin/proxy.cgi is the geektools.com page and
it's very handy as it automagically queries the different databases.
http://www.networksolutions.com/cgi-bin/whois/whois/ was THE registry for
.com, .net, and .org before. There are a few other companies now that also
do this. NSI lost a lot of customers due to the fact that they spam their
customers both via email and snail mail and sell all of their contact
information. One of the nice things about this search, though, is that you
can pass different types of queries through it, including name, handle, and
IP. Name and handle are the ones that I use most often (and geektools will
pass the query on to networksolutions just fine).
http://www.arin.net/whois/index.html is the ARIN page. ARIN stores
information on who owns what IP block, and lookups there should be in
dotted format (A.B.C.D).
http://www.abuse.net/lookup.phtml is the list of registered preferred abuse
contact addresses.

Open relays:
http://mail-abuse.org/tsi for instructions on how to close your open relay.
http://www.abuse.net/relay.html will run a relay test for you so you can
make sure that your relay is locked up tight.
I tend to avoid ORBS unless it's absolutely necessary for something. I do
check the ORBS database to see if someone is listed there.

Random useful stuff:
Babelfish for translations: http://babelfish.altavista.com/

http://www.bcpl.net/~jspath/isocodes.html is a list of the two letter
country codes. Handy for relayed spam to find out where it's coming from.
http://www.uninett.no/navn/domreg.html has the same list and links to the
registries for each of the countries.

http://www.stacken.kth.se/~kvickers/timezone.html and
http://sunland.gsfc.nasa.gov/info/tar/Timezone_item.html have simple
lists of some of the timezones in the world.
http://www.businesswindow.com/clock.shtml has a complete list and will
tell you what time it is in the varying timezones currently.

Sometimes you'll want to know where an ANI (the caller's phone number) is
coming from to see if the account that was being used is likely compromised.
http://startingpage.com/html/lookup.html has quite a few people tracking
resources, including a pretty big list of reverse number directories.

IPs will sometimes be sent in hex or other weird ways. You can use the
'color conversion' at http://www.yvg.com/twrs/RGBConverter.html to
translate from the hex numbers to decimal.
http://ils.unc.edu/crenshaw/convert.html has a chart that you can
reference to do the conversions, as does
http://www.ozemail.com.au/~enigman/html/dechex.html. If you see the long
string of numbers and need to decode that, http://www.samspade.org will
do that for you. If that's down, there are a few other sites that I don't
have bookmarked that will do the conversion.
(Stolen from a post on nanae, but I can't find the original anymore to give
credit to the original poster. Many, many big thanks and a smooch to the
person who posted this originally.)
The algorithm to do the conversion yourself:
Given N where N is decimal equivalent of 32-bit number,
Divide N by 256. Quotient is N1, remainder is Z.
Divide N1 by 256. Quotient is N2, remainder is Y.
Divide N2 by 256. Quotient is W, remainder is X.
IP address equivalent of N == W.X.Y.Z

Ex:
3505021947/256 == 13691491 r 251
13691491/256 == 53482 r 99
53482/256 == 208 r 234
so 3505021947 == 208.234.99.251

A common variant is to convert N to hexadecimal and pull out the octets (2
hex-digit elements) from the string:
Ex:
3505021947 == 0xD0EA63FB
0xD0 == 208
0xEA == 234
0x63 == 99
0xFB == 251
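The same conversion as Python functions, added here as an example rather than taken from the nanae post; it goes beyond the page by also accepting octal components and the short forms (a.b.c, a.b, a) that the C library's inet_aton() understands, where the last component fills the remaining octets.

```python
import re

def octets_from_int(n):
    """The algorithm above: divide by 256 three times; the remainders are
    Z, Y, X and the final quotient is W, giving W.X.Y.Z."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit number: %r" % n)
    parts = []
    for _ in range(4):
        n, rem = divmod(n, 256)
        parts.append(rem)
    return ".".join(str(p) for p in reversed(parts))

def to_int(dotted):
    """Reverse direction: dotted decimal back to the single 32-bit number
    (hex() of the result is the 0xD0EA63FB form)."""
    n = 0
    for p in dotted.split("."):
        v = int(p, 10)
        if not 0 <= v <= 255:
            raise ValueError("bad octet: %r" % p)
        n = n * 256 + v
    return n

def component(tok):
    """One component as inet_aton() reads it: 0x = hex, leading 0 = octal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]+", tok):
        return int(tok, 8)
    if re.fullmatch(r"[0-9]+", tok):
        return int(tok, 10)
    raise ValueError("bad component: %r" % tok)

def normalize_ip(text):
    """Rewrite an obfuscated address as plain dotted decimal. Accepts a bare
    number (decimal, 0x hex or 0 octal), dotted quads with hex or octal
    components, and the inet_aton short forms a.b.c, a.b and a, where the
    last component fills the remaining octets."""
    vals = [component(t) for t in text.strip().split(".")]
    if not 1 <= len(vals) <= 4:
        raise ValueError("too many components: %r" % text)
    head, last = vals[:-1], vals[-1]
    n = 0
    for v in head:
        if v > 255:
            raise ValueError("octet out of range: %r" % text)
        n = n * 256 + v
    remaining = 4 - len(head)  # octets the last component has to fill
    if last >= 256 ** remaining:
        raise ValueError("value out of range: %r" % text)
    return octets_from_int(n * 256 ** remaining + last)
```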

Trojan horse stuff:
http://www.simovits.com/nyheter9902.html has a list of default ports of
many Trojans.
This is one of the best sites around for Trojan horse programs.
http://www.commodon.com/threat/
BO only:
http://sundance.nwinternet.com/~pchelp/bo/bo.html
http://www.iss.net/xforce/alerts/advise5.html
NetBus only:
http://www.nttoolbox.com/
BO Detect:
http://www.cc.columbia.edu/acis/rhno/security/

Firewall stuff:
http://www.robertgraham.com/pubs/firewall-seen.html is one of the best
firewall FAQs that I've seen to date. It gives the standard port numbers
of many popular chat programs and multi-player games.
http://www.pc-privacy.com/page15.html is a page that contains information
about Conseal PC, one of the firewall programs, and links to a 30-day free
trial period for Conseal PC.
http://webopedia.internet.com/TERM/f/firewall.html contains information
about firewalls and links to more pages with firewall information and
firewall software.
http://www.networkice.com is the homepage for BlackIce Defender. I
highly recommend this firewall software, but it weighs in at around $50.

Virus stuff:
http://www.hoaxkill.com and http://www.kumite.com/myths are two virus
debunking sites. http://www.kumite.com/myths happens to be the better of
the two, but it's not easily searchable.
A good place to look up how to get rid of actual viruses is the Symantec
Anti-Virus Center (SARC), which can be found at
http://www.symantec.com/avcenter/index.html.
http://www.sophos.com/virusinfo/analyses/ is the virus encyclopedia that I
prefer. Also, http://www.datafellows.com/virus-info,
http://www.pandasoftware.com, and
http://www.mcafee.com/centers/anti-virus/.

Urban legend debunking:
http://www.snopes.com and http://www.urbanlegends.com are pretty
helpful. You can also search the Dejanews archives at
http://www.deja.com/usenet for an urban legend (or to check usenet
archives for anyone that we're having a problem with that has expired from
our news server). The power search is usually more useful
http://www.deja.com/home_ps.shtml. If you do a powersearch, you may want
to restrict any urban legend debunking to alt.folklore.urban as they tend
to be the best source of information.

Registered port list: http://users.dhp.com/~whisper/mason/moreservices.
Doing a search on any search engine will get you a ton of identical pages.
http://blighty.com/ports.txt has it in slightly different format.
Deja's messageID search: http://www.deja.com/forms/mid.shtml I have no
idea how someone found this, as it's not linked anywhere on their site that
I was able to find.

Interesting article about someone being banned from Usenet posting by a
court of law: http://www.vix.com/menmag/gagorder.htm. A very scary
situation, actually, as it opens the door to more legislation and gagorders
for other reasons. The article says something about ISP's not being able
to do this because of fear of the First Amendment, which is a load of poo.
ISPs are private industry, which means that we don't *have* to let people
post, email, etc on our network if we don't want to. We also do not have
to allow traffic to pass through our network at all. A lot of people use
the RBL for this purpose and some have their own versions of it.

http://www.cybernothing.org/faqs/net-abuse-faq.html is one of the many
net-abuse FAQs which goes into newsgroups, the Breidbart Index (BI), and
several other things that are good to know. The BI is the formula used to
decide whether newsgroup postings count as spam.

http://www.tribal.com/help/tips/firewalls.cfm Information about PowWow
and firewalls. You see a lot of this type of problem with any program that
requires a direct connection or static IP. It also touches on proxies,
which you'll want to read up on if you don't know about them already. The
most commonly seen proxy is WinGate, which shipped with a gaping security
hole as its default. http://wingate.deerfield.com/support/ has a nice
searchable database about WinGate. WinGate 2.? defaulted to accepting and
processing all incoming connection requests. There was a simple setting
change that kept people from being able to use you as an anonymous proxy.

http://rootshell.com/ has general computer security information, as does
http://www.l0pht.com, http://www.cert.org and
http://www.securityfocus.com. http://www.hacktech.org/main.html is
another handy resource. Some of these are from the other side of the
fence, but they're just as informative for us as anyone else.

A nice little article on a Mac exploit that Apple was made aware of.
http://www.accessatlanta.com/partners/ajc/newsatlanta/y2k/1229.html


To Report abuse

abuse@spamcops.org