Spammers and Junk Emailers: Before I get into anything, I would like to bring up an attitude that I have. I consider all spam and junk email to be a theft of services, since the sender didn't pay me to download their email. I differentiate between spam and junk mail because with junk mail the sender pays the US Postal Service to deliver their JUNK. Most junk mail goes into the garbage (la basura). It is an automatic reflex action on my part. I personally think it is a theft of services because I spend 15-30 minutes tracking your ISP down and writing an abuse letter. I know whose lists I have asked to be on. If you aren't one of those few, your ISP will receive an email at their abuse email drop. I only get involved when the filter-generated email to abuse@your_domain bounces. That is all too frequent, but you have to understand that each occurrence will be reported. What I took as an outright threat was an email with my email address spoofed and sent from (c-24-98-172-83.atl.client2.attbi.com).
Some people have a tendency to get soft when they see a Mom and Pop type of company. What you have to remember is that if they bought your email address, you have to assume they will also sell it. There are no innocent spammers. Once you figure that out, your standard response is good enough. If you get too far behind, you can't possibly shut down the flood of spam.
Lately, I have been seeing a number of attempts by ...cn.com sites to use my system as an email relay. The latest is from 21cn.com with an IP address of 61.73.154.96. They have forged their From and Reply-To to make it look like a PR China address; however, this IP address belongs to Seoul, South Korea's Kornet.net. Sendmail doesn't permit this, and all that it achieves is to get their Internet IP address block denied.
I was trying to chase down the correct address for "Spam.abuse.net" and encountered a response on how to deal with spam and junk email from China. It is a joke but would probably be really efficient. See the web page for "Dealing with Spam from China". It is also over the top. For what seemed like a long time the PRC was really bad about dealing with spam originating on Chinese networks; however, I noticed some time back that many of the ISPs in China have an abuse email address that you can send reports of spam to. Now, if only Korea and India would deal with the spam being generated in those countries. I think I have received spam from at least half of the schools in South Korea. There were enough messages from SK that I often wondered if they were using spam to generate revenue to run the schools.
The US Supreme Court recently decided that Washington State's anti-spam law was valid. Since the theft of services occurred in Washington State, you did business in this state and their law applies. The theft of services carries a fine of $500/message and $1500/message to my ISP. I have software that will pretty much track down where the spam came from. My gateway and firewall are usually online when the spam arrives, and your connection to the Internet is readily available. If your email doesn't fit one of my message filters, you are automatically scanned. The system will traceroute you and email a canned abuse message to the first honest IP address it sees. That is usually the spammer's ISP. Most ISPs take a dim view of spam. If they don't, their upstream provider is located just in front of them on the traceroute and THEY usually take a dim view of spam. One of them will pay attention to your spam complaint. If the spammer forged anything, the complaint simply goes to the Washington State agency that was created for this purpose. They will hunt you down. From this point on, it is beyond my control and I will never see any of this happen.
An even more profitable way to deal with spam is to follow the techniques in the following web pages. See Peacefire anti-spam lawsuits or Junkbusters. If you want an anti-spam hero, visit "Behind Enemy Lines". It may be mostly story, but it reads like the way for someone to get even. I think spam is like shoplifting and you cannot let one get by for free. In case you have never heard of "shoplifting", that is where someone steals something of value from a store. They hide it and then try to walk out of the store without paying for it.
If you are reading this because you are being spammed and want to remain anonymous, send the spam plus headers to spamcop@spamcop.net. They will take care of the problem for you. Even Hotmail can provide you with the headers that you need to track a spammer down. It is much easier with Microsoft's Outlook Express or Netscape's Messenger. With them, you only have to view the source and send a copy of that to SpamCop. If you want to know more, visit SpamCop.
I ceased to think spam was a joke when someone started emailing me the same joke 4 or 5 times an hour. Eventually sprintlink.net was involved because they were the upstream link for the Canadian ISP, and at that point the person doing the harassment stopped. I was torqued to a point that most people have never seen. You have to remember that wherever you go on the Internet, you leave tracks. The tracks ALWAYS lead back to the source. You are responsible for your own actions.
With a little bit of perseverance, you can achieve an 80-90% success rate of getting accounts disabled. For starters, there are a few places you need to know about. There are command-line programs that will almost do what the online databases do, but "almost" is a miss as far as I am concerned. You only need to know about three, and they are: the Arin, the Apnic/whois, and Ripe/whois. If the IP address is known to be located in the USA, you use the "arin" and then use the whois option. If you know it belongs to the Asia-Pacific region, then you use the "apnic/whois". All connections in Europe can be found using the "ripe/whois". If you don't have any idea, use the "arin/whois" because it will know and tell you where to go. If it is a Korean ISP, you will probably find whois.nic.or.kr useful. You lose the IP that you are tracking down when you get to apnic/whois and they inform you that it is a Korean ISP. The URL is too long to copy by hand. I have started seeing a lot of spam generated by sites in Brazil. There is a Registro.br-whois that has started being an important URL to have in your bookmarks. It is all in what looks like Portuguese, but if you understand any computer Spanish, you can deal with it just fine.
A site that saves you moving from site to site is CyberAbuse. Their whois server looks at all of the other servers. The only problem with this site is the form. They don't provide a way to clear the form, which causes problems for Unix users. In Unix, you select text and it is automatically set up to paste. When you select the old IP address in CyberAbuse's form, it becomes the paste string.
In June 2003, I learned about SpamAbuse, which incorporates lookups from most of these sites. This saves cutting/pasting the IP address into each of the lookups. Some of these servers require you to cut and paste to move to the next step, and you lose the IP address when you do this.
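The "arin/whois ... will know and tell you where to go" step above can be scripted. The following is an added example, not code from the original page: a minimal whois client speaking the plain whois protocol (RFC 3912: connect to TCP port 43, send the query plus CRLF, read until the server closes), which starts at ARIN and follows the "ReferralServer:" line ARIN returns for address space managed by another registry. The registry host names are real; the exact "ReferralServer:" line format is assumed from ARIN's output, and the sample responses used by the offline demonstration are constructed.

```python
"""Whois lookup that follows registry referrals (added example, not from the page).

ARIN answers queries for space it does not manage with a 'ReferralServer:'
line naming the registry that does (APNIC, RIPE, ...). Registry host names
are real; the sample responses at the bottom are constructed for the demo.
"""
import re
import socket

ARIN = "whois.arin.net"
# Assumed ARIN formats: "ReferralServer:  whois://whois.apnic.net" and
# "ReferralServer: rwhois://rwhois.example.net:4321" (port optional).
REFERRAL_RE = re.compile(
    r"^ReferralServer:\s*(?:r?whois://)?([\w.-]+)(?::(\d+))?", re.M)


def whois_query(server, query, port=43, timeout=10.0):
    """One RFC 3912 exchange: send query + CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_referral(response):
    """(host, port) from a ReferralServer line, or None if the server is authoritative."""
    m = REFERRAL_RE.search(response)
    if not m:
        return None
    return m.group(1), int(m.group(2) or 43)


def lookup(ip, start=ARIN, max_hops=3, query_fn=whois_query):
    """Ask ARIN first and follow referrals until a registry answers without one.

    Returns (server_that_answered, response_text). query_fn is injectable so
    the referral logic can be exercised without network access.
    """
    server, port = start, 43
    answered, text, seen = start, "", set()
    for _ in range(max_hops):
        seen.add(server)
        answered = server
        text = query_fn(server, ip, port)
        ref = parse_referral(text)
        if ref is None or ref[0] in seen:   # authoritative answer, or a loop
            break
        server, port = ref
    return answered, text


# Constructed sample responses (documentation address 198.51.100.7);
# used only by the offline demonstration.
SAMPLE_RESPONSES = {
    "whois.arin.net":
        "NetRange:       198.51.100.0 - 198.51.100.255\n"
        "NetName:        SAMPLE-APNIC-BLOCK (constructed)\n"
        "ReferralServer:  whois://whois.apnic.net\n",
    "whois.apnic.net":
        "inetnum:        198.51.100.0 - 198.51.100.255\n"
        "netname:        SAMPLE-ISP (constructed)\n"
        "e-mail:         abuse@sample-isp.example\n",
}


def offline_query(server, query, port=43):
    """Stand-in for whois_query that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(server, "No match found (constructed)\n")


if __name__ == "__main__":
    server, text = lookup("198.51.100.7", query_fn=offline_query)
    print("answered by", server)
    print(text)
```

Replacing `query_fn=offline_query` with the default runs the same walk against the live registries; the `seen` set stops a referral loop, and `max_hops` bounds the walk even if two registries point at each other.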
To figure out who to blame for your spam, you follow the from and by clauses in the full headers. The header chain will start out with your ISP receiving the email and work back to the person responsible for sending the spam. If you see a site located in between your ISP and the sender, you need to make a choice. This takes a modest amount of knowledge. If you need more information on how to do this, see the how-to at "Spam.abuse.net". You look for what is known as an SMTP relay. The spammer uploads the message and then uses some innocent site (with a dumb sysadmin) to route the email to you. This makes it look like they sent it, but it is easy to tell they didn't. Since they have a dumb sysadmin, you don't let them off the hook. They are still partially to blame because they are permitting relays, and you copy the email to the site allowing the relay. Then you sit back and wait for the emails from abuse_at_their-site to tell you that the account has been disabled. A message like this is worthy of a "Tiger Woods" clenched-fist pump. This is what Tiger does when he sinks a difficult putt or one that puts him up one on his competition.
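The walk through the from and by clauses described above, as an added example that is not part of the original page: a parser that reads the Received headers newest-first, skips the hops inside your own ISP (the only ones you can vouch for), and reports the first address outside that boundary. If further Received lines sit below that hop, the host relayed the message and the deepest from address is the claimed origin; anything below the first untrusted hop was written by machines you do not control and may be forged. The sample message, host names and addresses are constructed (RFC 5737 documentation ranges).

```python
"""Walk a spam message's Received: chain to pick the hop to report.

Added example; not code from the original page. Received headers read
newest-first: the top one was written by your own mail server, the bottom
one by the first server that accepted the message. The sample message is
constructed from RFC 5737 documentation addresses.
"""
import email
import re
from ipaddress import ip_address, ip_network

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)       # "from <host> ..."
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)           # "... by <host> ..."
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_received(value):
    """Split one Received header into from host, from IP and by host."""
    clause = " ".join(value.split()).split(";", 1)[0]   # drop the date part
    hop = {"from_name": None, "from_ip": None, "by_name": None}
    m = FROM_RE.match(clause)
    if m:
        hop["from_name"] = m.group(1)
    b = BY_RE.search(clause)
    if b:
        hop["by_name"] = b.group(1)
    # The connecting client's address sits in the from clause, before "by".
    from_part = clause[:b.start()] if b else clause
    for cand in IP_RE.findall(from_part):
        try:
            ip_address(cand)          # reject junk such as 999.1.1.1
        except ValueError:
            continue
        hop["from_ip"] = cand
        break
    return hop


def find_origin(raw_message, trusted_networks):
    """Return the hop to complain about, walking from your ISP outward.

    trusted_networks: CIDR strings for servers whose Received lines you
    believe (your own ISP). Returns None if every hop is trusted.
    """
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    nets = [ip_network(n) for n in trusted_networks]
    for i, hop in enumerate(hops):
        ip = hop["from_ip"]
        if ip is None or any(ip_address(ip) in n for n in nets):
            continue
        deeper = [h for h in hops[i + 1:] if h["from_ip"]]
        return {
            "report_to": ip,                 # first address your own server saw
            "report_host": hop["from_name"],
            "handed_to": hop["by_name"],     # your server that logged it
            "is_relay": bool(deeper),        # more hops below => it relayed
            "claimed_origin": deeper[-1]["from_ip"] if deeper else None,
        }
    return None


# Constructed sample: ISP-internal hop, an open relay, then the sender.
SAMPLE_MESSAGE = """\
Received: from mx1.myisp.example (mx1.myisp.example [192.0.2.10])
    by mail.myisp.example (Postfix) with ESMTP id 9F8E7D
    for <me@myisp.example>; Tue, 03 Jun 2003 10:15:03 -0700
Received: from relay.example.net (relay.example.net [203.0.113.17])
    by mx1.myisp.example (Postfix) with ESMTP id 1A2B3C
    for <me@myisp.example>; Tue, 03 Jun 2003 10:15:02 -0700
Received: from dialup-77.example.org ([198.51.100.77])
    by relay.example.net (8.12.9/8.12.9) with SMTP id h53H9q01234;
    Tue, 03 Jun 2003 10:14:40 -0700
From: "Great Offer" <offer@forged.example>
To: me@myisp.example
Subject: constructed sample spam

Body of the constructed sample.
"""

if __name__ == "__main__":
    print(find_origin(SAMPLE_MESSAGE, ["192.0.2.0/24"]))
```

With only the ISP's 192.0.2.0/24 trusted, the result names relay.example.net (203.0.113.17) as the host to write to, flags it as a relay, and records 198.51.100.77 as the claimed origin; the abuse report goes to the relay's registry contact (found with the whois lookup) with a copy to the claimed origin's, exactly the two-recipient practice the text describes.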
When I first tried to send email to the support sites for my favorite OS, which is FreeBSD, the HELO setting at Dynacom was bad and majordomo@freebsd.org would not accept any email from me. I was probed by two sites in China within 15 minutes after I succeeded in sending an email to the majordomo. It could have been anywhere, but this time it was China. I denied their 8-bit address in my firewall. Within minutes, they had jumped to a higher-level address in their IP chain. I eventually eliminated the whole Chinese network. If they aren't into FreeBSD, I don't have anything they want anyway. Eventually, I had done the same thing to a network in San Diego, California, and a few other places. Curious people, and I frequently equate curiosity with evil, exist. If your system is online 24x7, you have to protect yourself against them. You should also know about the Arin WHOIS site. They will take a name or address and return registration information. There were a couple of computers that had been trying to attack my server that didn't show up in the DNS information. One entry in the WHOIS web search form and I knew who was responsible for the range of IPs covering the attacking computers.
The IP addresses of the sites infected with the Code Red II worm that were trying to break in didn't have a DNS name; however, a traceroute attached them to a network in China. I was kind of shocked a while back. I had been tracking down a system that was sending Code Red II bundles of joy to my system, and I was tracerouted back. I was sort of angry at first, but then I really had to grin because someone else was as sensitive as I am. Their IP address was 61.144.0.1, just in case they read this. This is just to let you know why you were tracerouted and that I saw yours and understand.
If you use a firewall, logs are very important. I use ntpd to obtain the current time from a USA site that obtains its time from the Naval Observatory. When my time is off by a few tenths of a second, the system time is updated. You can configure your firewall to permit ntpd packets from a single source. This prevents anyone from exploiting holes that may be found in your version of ntpd. My internal computers' clocks are all set using the server. This is the first time in history that all of my computer clocks are more accurate than my quartz wrist watch.