The AltBinariesNospamTeenfem FAQ:
Posting, Requests, Spam, and Spam-fighting
D. Spam-Fighting
Condensed Spam-fighting Instructions for Beginners
Advanced Spam-fighting
What can I do about spam?
You have three basic choices:
1. Ignore the spam and concentrate on downloading the files you like. (be
a shameless leech)
2. Use a newsreader that has kill-filters for spam. (be a shameless but
sophisticated leech)
3. Take an active aggressive role in spam-fighting. (be a totally cool
dude and valiant protector of the Internet!)
Since you obviously want to be a totally cool dude and fight spam, you will need the
following software capabilities:
1. A Usenet Newsreader that can be set to display all headers for Usenet
messages. The NNTP (network news transfer protocol) headers include useful information
such as "From", "Subject", "Reply to",
"Message-ID", etc. that you would see in a raw message above the actual binary
coding. Agent, Gravity, and NewsXpress are examples of popular Windoze newsreaders that
allow full header listings. Unfortunately, many of the rudimentary newsreaders built into
Web browsers (Netscape Navigator, MS IE) may not be capable of displaying all headers. Go
to www.shareware.com and search for "newsreader" or "usenet" software
under your platform (DOS, Mac, OS/2, Unix, Windows).
You should also set your newsreader to sort messages by author instead of by subject or
thread, as this will help reveal who the spammers are more clearly (as well as who the
really cool posters are!).
2. A Network Utility program that will do DNS lookups and WHOIS queries.
These routines allow you to identify the ISP (Internet Service Provider) of a spammer, to
whom you must complain. An added bonus in some of these programs is the ability to do
Tracert queries, to identify the upstream ISP of any uncooperative ISP. There are many
freeware network utility programs available; one example for Windoze is NetLab
(http://www.eb.uah.edu/~adanil/php.cgi/~adanil/NetLab.phtml). Go to www.shareware.com and
search for "WHOIS" software under your platform (DOS, Mac, OS/2, Unix, Windows).
3. A degree of patience and intestinal fortitude, since your complaints
will often be ignored, responded to automatically by a cold computer, and, rarely,
acknowledged by a responsible human being at an ISP.
Condensed Spam-Fighting Instructions for Beginners
Step 1: Make sure that your newsreader is set to display all NNTP
headers for each message you read.
Step 2: Ignore the contents of the "From", "Reply to"
and "Organization" headers in a message - these are routinely faked or, if
legitimate, will simply result in your e-mail address being made known to the spammer when
you complain.
Step 3: Look at the "Path", "Message-ID" and
"NNTP-posting-host" headers - these give you the information that you need to
complain to the ISP. For example, these headers might contain phrases such as:
"Path: yourISP!IntermediateNetwork1!IntermediateNetwork2!Spammers.domain.com!not-for-mail (or user or newsadmin)"
"NNTP-Posting-Host: ppp-dialup35.spammers.domain.com"
"Message-ID: 19DR86@spammers.domain.com"
If internally consistent, these three headers tell you that the spammer's ISP is
"domain.com". The Message-ID and NNTP-Posting-Host headers can be faked in some
cases, so if in doubt, go with the last complete network listed in the Path header. If the
network is given as a numeric IP address, e.g. 205.125.34.60, then get a freeware network
utilities program that does DNS lookups and WHOIS queries (see above) to find out who
205.125.34 or 205.125 is.
Step 4: Send a polite and informative e-mail complaint to
"[email protected]" AND "[email protected]" with the subject
"Usenet spam". Include a FULL copy of the spammer's post with all headers and
message text. Write a brief message, telling the ISP that the message was irrelevant to
the newsgroup. One example is:
"I wish to draw your attention to the attached Usenet posting. It is a commercial
advertisement posted to a binaries newsgroup. It's totally irrelevant to the group it was
posted to. Such vandalism just makes the whole system less useful to everybody. Please get
it stopped. Thanks!"
If the sys admin at the spammer's ISP gets numerous complaints from several people, the
spammer's account may be cancelled right away. 99.9% of the ISP sys admins will appreciate
and respond to any polite effort you make to keep their clientele within the confines of
Usenet protocol.
If each of us makes a concerted effort to complain to spammers' ISPs, the group will
remain relatively "clean".
Note: If you use Windoze 95, the FREEWARE program SpamHater will do all of this
automatically for you.
(Similar software exists for other platforms as well; go to www.shareware.com and search for "Spam"
software under your platform. Also go to http://com.primenet.com/spamking/#fighters.)
How to complain effectively to ISPs
Most ISPs do not know that their client is a spammer until you tell them. They are just
like the phone company: they don't know if a client is an obscene phone caller unless you
tell them, and you need firm documentation of the content, date, and time of the obscene
calls to get them to act.
So, don't send the ISP an angry, insulting message under the assumption that they are
knowingly harboring a spammer and don't care. Instead you need to inform them of the
situation and give them the ammunition they need to take action.
The ammo is a complete copy of the offending spam with all of the headers. In particular
they will use the Message-ID header to check out your allegations. (After all, you could
be making up the alleged spam's headers and message, just to get back at someone you don't
like). The system administrator can use the header info to check his news server logs and
verify that, indeed, his client sent the spam in violation of his company's internet usage
policy. These are the criteria he will use to either warn the spammer (on a first offense)
or cancel his account.
If the system administrator receives only one complaint (from you) and it is a first
offense, he will likely take no action other than to notify the spammer that a complaint
was made. He may or may not respond to your complaint. Most of the big ISPs (AOL, ATT,
etc.) get so many complaints that they generate a generic automated e-mail reply to your
complaint, with no personal follow-up. Many big ISPs also have special e-mail addresses
for usenet and e-mail spam complaints, such as "[email protected]". Check
the ISP's web site, because your complaint will get a faster response if it is sent to the
right person.
Many smaller "Mom-and-Pop" ISPs will respond personally to your complaint,
particularly if they get many complaints about one particular spammer. Being small and
understaffed, they don't want their mail box filling up with hundreds of complaints from
external sources, depriving them of the time they need to deal with their own customers.
Sometimes, unfortunately, you will run into ISPs who just don't care, probably because
they are a small operation with lousy service and can't afford to cancel a customer even
if he is a spammer. In those cases, run a Tracert query to find out who the upstream ISP
is for the smaller ISP, and complain to them about their downstream inaction. Copy the
unresponsive ISP on your complaint, so that they will treat the next complaint with a
little more respect. You may get nowhere, however.
Be content with quiet, infrequent victories
When you nail a spammer by learning that his account was cancelled, feel good about it,
but don't brag about it in the newsgroup. Be a stealth fighter. The reasons for this are
two-fold:
1. Yours was not the only complaint that got the spammer's account cancelled.
2. Nothing will bring on more spam than baiting the other assholes out there with
chest-pounding.
Advanced Spam-Fighting: Understanding NNTP headers.
Advanced spam-fighting is well-covered by legendary sites such as S.P.U.T.U.M. (http://super.zippo.com/~sputum/sputools.htm) and others linked there. Below we present a brief introductory tutorial on checking out NNTP headers.
Here is an example of a full header listing for a recent Usenet message posted as a binary advertisement for the ALS CDs:
******
From [email protected] Thu Jun 26 10:42:13 1997
Path: wn5!worldnet.att.net!newspeer.sprintlink.net!news.sprintlink.net!Sprint!howland.erols.net!newsfeed.internetmci.com!news.smart.net!not-for-mail
From: [email protected] (ALS)
Newsgroups:
alt.binaries.pictures.erotica.amateur.female,alt.binaries.pictures.erotica.amateur
Subject: ALS Scan, Claudia - She is only 79 pounds!! Inserts 4 fingers! C4 - claude04.jpg
(1/1)
Date: Thu, 26 Jun 1997 17:42:13 GMT
Organization: Smartnet Internet Services [via news]
Lines: 2781
Message-ID: <[email protected]>
NNTP-Posting-Host: sky1.smart.net
X-Newsreader: Forte Free Agent 1.1/32.230
Xref: wn5 alt.binaries.pictures.erotica.amateur.female:659103 alt.binaries.pictures.erotica.amateur:285859
******
We'll use this as an example, although many might not consider this posting to be spam (since many collect the commercially posted ALS series).
As a rookie your gut instinct might be to flame [email protected] and complain to the presumed ISP clark.net for crossposting binary advertisements in your favorite newsgroups, but it turns out that clark.net is not the source of the posted message. This example teaches you that one can put anything one likes in the "From" header. It is not a very reliable header since it can be faked. (I fake mine all the time!)
The really useful headers are Path, Message-ID and NNTP-Posting-Host, and you want to look for internal consistency among them to identify the true ISP.
Start at the end of the Path statement and find the last entries: in this case a user named "not-for-mail" posted the message to the news server "news.smart.net". This message then sequentially passed through the networks of MCI, Erols, Sprint and ATT until you finally read it from Worldnet news server #5 (wn5) at ATT. The important piece of information here is smart.net, the likely ISP of the poster.
Next examine the Message-ID and NNTP-Posting-Host statements; here we see internal consistency in that both servers listed (news and sky1) are also at smart.net.
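The header check from Step 3 and from the walkthrough above, as an added Python example that is not part of the original FAQ: it leaves "From" out of the attribution, compares the domains in Path, Message-ID and NNTP-Posting-Host, and falls back to the last network in Path when they disagree. The sample post and its .example domains are constructed, and reducing a host name to its last two labels is a simplifying assumption.

```python
import ipaddress
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample (not a real post): From names one ISP, the trace headers another.
SAMPLE = """\
Path: reader.example!transit1.example!transit2.example!news.poster-isp.example!not-for-mail
From: sales@unrelated-isp.example (Advertiser)
Subject: constructed example
Message-ID: <19DR86@news.poster-isp.example>
NNTP-Posting-Host: ppp-dialup35.poster-isp.example

(body omitted)
"""

PLACEHOLDERS = {"not-for-mail", "user", "newsadmin"}  # Path tail entries that are not hosts

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def isp_domain(host):
    """Last two labels of a host (naive; wrong for e.g. .co.uk). IPs pass through, '' -> None."""
    host = host.strip().strip("<>").lower()
    if not host:
        return None
    return host if is_ip(host) else ".".join(host.split(".")[-2:])

def analyze(raw):
    h = HeaderParser().parsestr(raw)
    # Remove folding whitespace from Path, split on '!', drop trailing placeholders.
    hops = [p for p in "".join(h.get("Path", "").split()).split("!") if p]
    while hops and hops[-1].lower() in PLACEHOLDERS:
        hops.pop()
    trace = {
        "Path": isp_domain(hops[-1]) if hops else None,
        "Message-ID": isp_domain(h.get("Message-ID", "").rpartition("@")[2]),
        "NNTP-Posting-Host": isp_domain(h.get("NNTP-Posting-Host", "")),
    }
    return {
        "trace": trace,
        "consistent": None not in trace.values() and len(set(trace.values())) == 1,
        "likely_isp": trace["Path"],  # last network in Path is the fallback
        "needs_whois": is_ip(trace["Path"] or ""),  # numeric host: look it up first
        "from_domain": isp_domain(parseaddr(h.get("From", ""))[1].rpartition("@")[2]),
    }
```

A result with "consistent" false means the Message-ID or NNTP-Posting-Host does not match the Path, so the complaint goes to "likely_isp"; "from_domain" is reported only to show how it differs.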
Let's see if clark.net and smart.net are legitimate ISPs.
Fire up your Network Utility program and do a WHOIS query on "clark.net". The result is:
Clark Internet Services (CLARKNET-DOM)
8970 Route 108 Suite I
Columbia, MD 21045
Domain Name: CLARK.NET
Administrative Contact:
Clark, Jamie (JC259) [email protected]
(800) 735-2258 (410) 730-9764
Technical Contact, Zone Contact:
Hostmaster (CIS5-ORG) [email protected]
(410) 995-0551, ext. 250
Fax- (410) 995-0495
Billing Contact:
Gretz, Mark (MG833) [email protected]
410-995-0551 x213 (FAX) 410-995-0495
Record last updated on 27-May-97.
Record created on 24-Mar-93.
Database last updated on 9-Jul-97 04:58:44 EDT.
Domain servers in listed order:
DNSPRIMARY2.CLARK.NET 168.143.0.4
SPRAWL.CLARK.NET 198.17.243.6
OK, so it seems that clark.net is a real ISP and so [email protected] could be a legitimate email address. But what about smart.net? Repeat the WHOIS query on smart.net. The result is:
Smartnet Internet Services, LLC (SMART2-DOM)
8562A Laureldale Drive
Laurel, MD 20724
Domain Name: SMART.NET
Administrative Contact:
Gani, Paul (PG359) [email protected]
(410) 792-4555 (FAX) (410) 792-4571
Technical Contact, Zone Contact:
Salathiel, Thomas (TS641) [email protected]
(410)377-4043
Billing Contact:
Gani, Paul (PG359) [email protected]
(410) 792-4555 (FAX) (410) 792-4575
Record last updated on 15-Jan-97.
Record created on 18-Apr-94.
Database last updated on 9-Jul-97 04:58:44 EDT.
Domain servers in listed order:
NS1.SMART.NET 207.176.80.102
NS2.SMART.NET 207.176.80.104
NS3.SMART.NET 206.27.242.102
NS4.SMART.NET 206.27.242.104
So, both clark.net and smart.net are ISPs in Maryland. Could one be the upstream provider to the other? Run a tracert query ("trace") on the poster's news server, "news.smart.net". This will list the network path in descending order from your ISP to the poster's ISP. The last part of the result is:
9 144.228.20.18 67 ms
10 144.228.128.6 72 ms
11 205.252.5.33 69 ms
12 206.161.255.105 75 ms
13 206.27.242.1 247 ms
14 207.176.80.103 155 ms
The last entry, 207.176.80.103, is the IP address for news.smart.net. A DNS lookup on clark.net yields 168.143.0.7, an IP which does not appear anywhere in the Tracert listing. So, clark.net is not the upstream ISP for smart.net. Could it be the other way around?
A Tracert query on news.clark.net yields:
21 206.222.97.10 151 ms
22 206.222.102.74 150 ms
23 207.97.14.5 151 ms
24 207.97.14.1 154 ms
25 168.143.0.2 159 ms
and none of the IPs listed are for smart.net. It appears, then, that the two ISPs, though each legitimate, are not closely connected.
Thus our ALS poster is uploading his binaries using one ISP and giving an e-mail address for inquiries that is on another ISP. Why? There could be a very simple reason: The person charged with the task of posting the binary advertisements, designed to generate CD sales, is not the same as the person ([email protected]) to whom sales inquiries are to be directed. Maybe the President of ALS stays at home in his bathrobe, posting ads from his PPP dialup internet connection to smart.net, but wants responses directed to his Business Manager at the corporate office in the next county, on an ISDN line with clark.net. Hey, I'll bet that by doing it that way he can write off both internet connections as a business expense on his taxes! What a genius!
Still want to complain that his posts are spam? Then you would send a polite complaint to "[email protected]" AND "[email protected]". You could copy the complaint to clark.net, but that ISP might not take any action since the posts did not originate with them.