
Put a Spammer in the Slammer by Phil Agre


Part 5

Complaining to your legislator

If you receive a particularly outrageous item of spam, you can use it to help educate your elected representatives on the need for appropriate legislative action. Federal legislation would have the advantage of uniformity, but action is more likely at the state level. Moreover, at least one state, Nevada, has passed very bad legislation in this area because legislators were not well enough educated. You can easily identify your legislators and obtain their addresses by calling your state's capitol building. The most effective letters are hand-written, concise, calm and rational, based in personal experience, and explain the issue in plain language.

At the federal level, you can find instructions for contacting senators and representatives at http://www.cauce.org/congress.html . Several anti-spam bills have been introduced in the US Congress, and you may wish to express your opinion about them.

Part 6
Complaining to the service provider

Warning. This section is slightly technical. Although I have tried to write it for beginners, many people might be impatient with the details. That's okay. Go ahead and concentrate on the methods of complaint that are listed in the previous sections and you'll be making a real contribution.

Internet Service Providers should require their subscribers to sign contracts that forbid spam, and some of them actually do so. It is appropriate, therefore, to complain to any ISP whose users originate spam. The ISP usually isn't responsible for the spam, so be polite. But do encourage the ISP to take action against the offender, and to strengthen its contractual language so that future offenders face stronger penalties for spamming.

The focus here, then, is on identifying the spammer's ISP. It is not useful to complain about particular spammers to your own service provider, who already knows about all of the spammers that it can do anything about. Your service provider, however, might be able to provide you with software for filtering spam or tracking spam messages back to the source. Beyond that, you might consider moving your business to a provider who makes a real effort to fight spam both technically and legally.

The hard question is how to identify the spammer's ISP. The most obvious approach is to look in the "From:" field of the spam message's header. If the address in that field is not a plausible e-mail address, for example

From: yourfriend@snarfworld.com

you can be confident that the header was forged and that the message did *not* originate at snarfworld.com. Even a legitimate-looking "From:" field is likely to contain the address of an innocent person whom the spammer wishes to burden with complaints. Likewise, any field that claims to identify the "Authenticated sender", for example:

Comment: Authenticated sender is otherguy@aol.com

is probably bogus as well. Now, if a spammer forges an individual's name or address as the source of a spam message, then that individual might have cause for a lawsuit. Likewise, the owner of an Internet site whose domain name has been forged as the source of a spam message might also have cause for a suit. So you might consider reporting spam to a site even when the site's address has obviously been forged. You should obviously be polite about it. In particular, you should understand that having to read your complaint is itself part of the damage that would be the grounds for such a suit. It's your call.

In any case, another part of the header is less likely to be forged. It looks like this:

Received: from snarfworld.com ([194.177.96.7])
by weber.ucsd.edu (8.8.6/8.8.6) with ESMTP id QAA23180
for <pagre@weber.ucsd.edu>; Wed, 12 Nov 1997 16:01:42 -0800 (PST)

If you don't see any "Received:" fields in the header, that's because your mail-reading program isn't displaying the complete header, or else because the mailer at your site has stripped off the "Received:" headers before delivering the mail to you. Consult the mail-reader's documentation, or your ISP or system administrator, to find out how to see the complete headers. Here are the instructions for some commonly used mail reading programs:

* In Eudora or Eudora Pro, just press the "Blah Blah Blah" button at the top left side of the message window to toggle the full headers on and off. (Although I do not use Eudora, ten separate people have sworn to me that this button is called "Blah Blah Blah".)

* Pegasus for Windows: With the spam message open, from the Pegasus program's toolbar (not the message toolbar) click the 'Reader' menu and then click the "Show all headers" menu item. Or to use the keyboard shortcut, press and hold the [ctrl] key then press the "H" key. ([Ctrl] + H)

* With Netscape 3.0, pull down the Options menu, choose Headers, and choose All. Another option is to pull down the View menu and choose Document Source. It will open a new window with the full message including complete headers.

* With the Messenger component of Netscape Communicator 4.0, pull down the View menu, choose Headers, and choose All. An alternative is to pull down the View menu and choose Page Source. It will open a new window with the full message, including complete headers.

* In Emacs RMail, press "t" (which is bound by default to the command rmail-toggle-header) to toggle display of the message headers.

* In the Pine mail reader, you can hit H while viewing a message to see the full headers, if that option is enabled. If it doesn't work, here are the steps to enable it:

- from the main menu, hit S for setup
- hit C for config
- scroll down to the option named "enable-full-header-cmd"
- hit X to turn it on; an X will appear next to that option
- hit E to exit config (the new setting is automatically saved)
- go back and read your spam message; hit H again

* With Outlook Express and Exchange, pointing to the message and right-clicking will pop-up a menu that includes "Properties" at the very bottom. Selecting "Properties" will bring up a dialog box with two tabs, "General" and "Details". The "Details" tab will reveal the message header. In addition there is a button below the message field that says "Message Source...", which, when pushed, will bring up another box with the complete text of the header and body of the message.

* With Claris Emailer in version 2.0 and higher, use the "Show Long Headers" option in the "Mail" menu while you have the spam message open. In versions earlier than 2.0: Click the blue triangle near the "from" information to show additional message information, then click the "Show Original Headers..." button to bring up the full header info.

* On AOL, for messages sent via the Internet, complete headers are found at the bottom of the message, after a line that says "Headers".

Spammers sometimes put fake headers at the end of a message to cause confusion. But AOL is virtually the only environment where headers are supposed to show up at the end of a message, and even there you should be able to find the real headers after the fake ones.

When you do retrieve the full header for a spam message, you will usually see several "Received:" fields, which are supposed to trace which machines the message has passed through. You can use these fields to decide where to report the spam. Opinions differ about the best strategy, and I will keep this explanation simple at the risk of offending those who hold different opinions. The problem, simply put, is that many spam messages include forged "Received:" fields to throw you off track. Any "Received:" fields that mention AOL or Juno, for example, are probably forged.

Each mailer that handles a message adds its own "Received:" field at the top of the header, so the fields are generally in order with the most recent ones first. If one "Received:" field is suspect, then all the ones below it are automatically suspect as well, because they were already inside the message when the suspect line was written. If you assume that the "Received:" fields are all legitimate, then you can simply look through them and identify the first machine that accepted the message from the spammer's own site. This machine shares some of the blame, since it should have detected that the message was spam, for example because the domain in its return address did not resolve to a legitimate IP address, and refused it. If the spammer employed software that deliberately creates a confusing header, however, you may end up complaining to an innocent party -- one whom the spammer wishes to attack. This is where it helps to have technical tools for reconstructing the truth behind potentially forged e-mail headers. Although I'll talk about some of these tools in a moment, they may require more expertise than most people have.

Therefore, nontechnical people may wish to employ another strategy. If you look at a header closely, you will usually find that one or more of the "Received:" fields mentions your own site. Look for the "Received:" header field that records the message's first arrival within your site. Because the "Received:" fields are ordered, the field you want might be the first "Received:" field in the header. This field was generated by the mailer at your site, so it is probably reliable. Note, though, that the two pieces of information in it are not equally reliable: the name right after "from" is whatever the sending machine announced when it connected and is not checked, whereas the address in square brackets is the one your mailer actually saw on the connection. In the case of the (fictional) "Received:" field that I quoted above, the sending machine called itself snarfworld.com and connected from 194.177.96.7. Taking the announced name at face value, to report the message you would forward a copy of it like so (and if the whois and nslookup tools described later show that the bracketed address belongs to some other provider, complain there instead):

To: abuse@snarfworld.com
Subject: spam from your site

This spam message was apparently sent through your mailer...

[include a copy of the message, including the full header]

It is important to include the full header of the offending spam message; that header is the site maintainer's major source of clues about the message's actual origins. In fact, the site to which you are complaining was most likely "hijacked" against its will to produce spam: its mailer accepted mail from an outside machine and relayed it onward to strangers, which is what is meant by an "open relay". This is very common, and it generally results in torrents of "bouncemail" for the messages that the spammer sent to bad addresses -- potential cause for a lawsuit. Even if no lawsuit is filed, the site's maintainers need to upgrade or reconfigure their software to prevent this sort of hijacking in the future, and your complaint will help motivate them to do so. I recognize that this can be a complicated issue, and that mailer upgrades that suppress hijacking may also disable other, legitimate uses of mail. I believe, however, that spam is the more serious concern.

If mail to the "abuse" address does not work, you *might* be dealing with an ISP that is irresponsible or needs a little education on the importance of taking action against users who spam. See if you can reach them at "postmaster" instead and explain the issues to them. A table of the spam-reporting addresses at several major ISPs can be found about halfway down the following Web page:

http://members.aol.com/reinbeaux/pass/pass.htm

On the other hand, you should not expect a personal reply to a spam complaint from even the most responsible ISP. ISPs get far too many complaints, for better or worse, to respond to each one individually.

For more detailed instructions on interpreting "Received:" header fields, see:

http://kryten.eng.monash.edu.au/received.html

If the "Received:" fields in the message header are too complicated to think about, you might also be able to discern the origin of a spam message from the "Message-Id:" field, also in the header. For example:

Message-Id: <199711006334.WAB43780@node21.snarfworld.com>

This line can be forged as well, but so far only the professional spammers seem to be forging it regularly. Mail to "postmaster" or "abuse" at the indicated site (in this case snarfworld.com) would be appropriate, once again keeping in mind that the site could have been forged.
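The two header-reading steps described above, walking the "Received:" chain downward from the line your own site wrote and falling back on the host named in "Message-Id:", are straightforward to automate. The following is an added example written for this edition, not code from the original article; it uses a constructed spam message modelled on the headers quoted above, with fictional names and addresses. The site name "ucsd.edu" and the two-label rule in complaint_domain() are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the article.  The top
# "Received:" line was written by the recipient's own mailer (weber.ucsd.edu);
# the line under it claims the mail passed through aol.com, which is the kind
# of forged hop the article warns about.  All names and addresses are fictional.
SAMPLE_SPAM = (
    "Received: from snarfworld.com ([194.177.96.7])\n"
    "\tby weber.ucsd.edu (8.8.6/8.8.6) with ESMTP id QAA23180\n"
    "\tfor <pagre@weber.ucsd.edu>; Wed, 12 Nov 1997 16:01:42 -0800 (PST)\n"
    "Received: from mailrelay.aol.com (mailrelay.aol.com [10.1.2.3])\n"
    "\tby snarfworld.com (8.8.5/8.8.5) with SMTP id XAA00123;\n"
    "\tWed, 12 Nov 1997 15:59:00 -0800 (PST)\n"
    "From: yourfriend@snarfworld.com\n"
    "Comment: Authenticated sender is otherguy@aol.com\n"
    "Message-Id: <199711006334.WAB43780@node21.snarfworld.com>\n"
    "To: pagre@weber.ucsd.edu\n"
    "Subject: FREE OFFER!!!\n"
    "\n"
    "Click http://www.snarfworld.com/~joker/freeoffer.html now!\n"
)

# sendmail-style clause: "from HELO-name (reverse-name [ip]) by our-host".  The
# HELO name is whatever the peer announced and is unverified; only the bracketed
# IP was observed by the mailer that wrote the line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def in_site(host, site):
    """True if host is site itself or lies underneath it."""
    host = host.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def walk_received(raw_message, my_site):
    """Return (hops, entry): the Received: hops top-down, each marked trusted
    or not, plus the entry hop.  Lines are prepended, so the topmost ones were
    written by our own mailers; the lowest of those is the entry hop, and its
    bracketed IP is where the spam really came from.  Every line below the
    entry hop arrived inside the message and may be forged, even if it
    mentions our own site again."""
    my_site = my_site.lower()
    hops, entry, seen_foreign = [], None, False
    for raw in message_from_string(raw_message).get_all("Received") or []:
        m = RECEIVED_RE.search(raw)
        hop = {
            "claimed_name": m.group("helo") if m else None,
            "reverse_name": m.group("rdns") if m else None,
            "ip": m.group("ip") if m else None,
            "written_by": m.group("by") if m else None,
        }
        ours = bool(m) and in_site(hop["written_by"], my_site)
        if not ours:
            seen_foreign = True
        hop["trusted"] = ours and not seen_foreign
        if hop["trusted"]:
            entry = hop
        hops.append(hop)
    return hops, entry


def message_id_host(raw_message):
    """Host named after the '@' in Message-Id:, or None.  Forgeable, but a
    useful fallback when the Received: chain is too murky to read."""
    mid = message_from_string(raw_message).get("Message-Id", "")
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", mid.strip())
    return m.group(1).lower().rstrip(".") if m else None


def complaint_domain(host):
    """Assumed, naive rule: keep the last two labels of a host name.  Good
    enough for snarfworld.com-style names; wrong for suffixes like .co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host


def where_to_complain(raw_message, my_site):
    """Summarise the clues a complaint should be based on."""
    hops, entry = walk_received(raw_message, my_site)
    result = {
        "entry_ip": entry["ip"] if entry else None,          # reliable: seen on the wire
        "entry_claimed_name": entry["claimed_name"] if entry else None,  # unverified HELO
        "untrusted_hops": [h["claimed_name"] for h in hops if not h["trusted"]],
        "message_id_host": message_id_host(raw_message),
    }
    targets = []
    if result["entry_claimed_name"]:
        targets.append(complaint_domain(result["entry_claimed_name"]))
    if result["message_id_host"]:
        targets.append(complaint_domain(result["message_id_host"]))
    result["addresses"] = [f"abuse@{d}" for d in dict.fromkeys(targets)]
    return result


if __name__ == "__main__":
    r = where_to_complain(SAMPLE_SPAM, "ucsd.edu")
    print(f"entry IP (observed by our mailer, look it up with whois): {r['entry_ip']}")
    print(f"name the peer announced (unverified): {r['entry_claimed_name']}")
    print(f"hops below the entry, not to be trusted: {r['untrusted_hops']}")
    print(f"Message-Id host: {r['message_id_host']}")
    print(f"complaint addresses to try: {r['addresses']}")
```

The one design point worth noting is that trust stops at the first line not written by your own site and never resumes: a forged line lower down that happens to mention your site is still treated as untrusted. The IP that the entry hop recorded in brackets is the value to carry into the whois and nslookup checks described later; the announced name and the Message-Id host only suggest where to send the first complaint.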

Another approach to researching the origins of spam messages is the Dejanews service, http://www.dejanews.com/ . This is a search engine for Usenet discussion groups. If an offensive spam message includes a distinctive text string, perhaps a fabricated address in the header or a misspelling in the body of the message, then you can use that text string to conduct a Usenet search. Oftentimes a discussion about that very message will already be ongoing among expert spam-trackers on Usenet, and if you can find the appropriate newsgroup then you can learn what they've discovered. In particular, if you notice a message whose "Subject:" line is "Please help me decode these headers", click on the icon indicating "replies".

If a particular Internet Service Provider seems to originate a large amount of spam, you might want to take the trouble to focus your attention on that particular provider. Start by looking at their web page, which will probably be found at http://www.companyname.com/ , and see if they have a policy about spam. If they don't have a policy, or if the policy is weak, or if they are clearly not enforcing it, then you might write to the addresses of any customer service people or company executives that happen to be mentioned on the site. Most reputable ISPs hate spam, so be polite unless you have the expertise to be certain that you're dealing with an irresponsible company.

You can also write to the webmaster of any site that is mentioned in a URL that might be included in a spam message. If the message contains a URL like http://www.snarfworld.com/~joker/freeoffer.html , then you might wish to send a message that looks like this:

To: webmaster@snarfworld.com
Subject: spammer using your site

A spammer is evidently using your web server...

[Enclose a copy of the message, again with complete headers.]

Often the URL will mention the spammer's company, but the spammer's web site will in fact be located on the server of a legitimate ISP. If you learn how to use whois, nslookup, and traceroute, you can identify the ISP and report the problem (with complete documentation) to the ISP's "abuse" or "postmaster" address.

URLs for Web interfaces to the whois, nslookup, and traceroute functions are provided below. Briefly, the whois function allows you to identify individuals who are involved in managing the spammer's Internet domain. If mail to "abuse" and "postmaster" bounces, you can send e-mail to the administrative and billing contacts. If those addresses are forged or inactive, see if the name server information shown at the bottom of the whois report allows you to track down the actual ISPs supporting the spammer's site.

The nslookup function lets you recover the IP address from a domain name, and the domain name from an IP address. IP addresses, which look like [192.0.2.71] (that one is a reserved example address, not a real host), might provide more reliable information about the source of a message than domain names, which look like snarfworld.com, because a spammer can announce any domain name it likes but cannot hide the address it connected from.

The traceroute function is easily the most entertaining of the three. It shows the route that packets take from the machine running it (for a Web interface, the site offering the service) to any Internet site you name, say the site from which a spam message originated. The last few hops before the destination usually belong to the providers that connect it, so when you're dealing with a spammer who is connected to a small local ISP, traceroute is useful for figuring out which big national ISPs carry that ISP's traffic. If the local ISP is chronically tolerant of spam, you might suggest that representatives of the big ISP have a talk with them.

If you would like to learn more sophisticated methods for tracking the origins of offensive spam messages, consult the Web pages mentioned at the end of this article.





Publication Restrictions:
Nonprofit user group publications may reprint this article provided that you print it in its entirety, verbatim, without any additions, deletions, or modifications, and so long as you include the following copyright statement:

"(c) 1997 by Phil Agre. All rights reserved.
Phil Agre is an associate professor of communication at the University of California, San Diego. He edits an Internet mailing list called the Red Rock Eater News Service, on which this article was originally distributed. Details on the Web at http://communication.ucsd.edu/pagre/rre.html . "

You'll also need to send Phil a hardcopy of the issue when it appears.




USER GROUP EDITORS: Articles posted in this area have been cleared for publication in your newsletters. We do encourage you to contact the author for additional details and/or updates. Please ALWAYS credit the original author!
Articles posted here by UGNetwork News staff, or the UGN News Service may be reproduced ONLY after your group has become a registered Network affiliate. Contact the
UGNet-News for authorization and the UGNet News Affiliate publicity package. Thank you. Copyright 1995, 1996, 1997, The User Group Network, and on behalf of the respective authors.
All of this content, and the associated services are donated through the generous efforts of members from the User Group community. This content area is provided by The User Group Network News Service, and is sponsored by
The Design & Publishing Center as a public service.