Re: junk mail (fwd)

Steven Schimmrich (
Mon, 3 Nov 1997 17:49:23 -0500 (EST)

---------- Forwarded message ----------
Date: Mon, 3 Nov 1997 12:15:51 -0500
From: chris@Stassen.COM
Subject: Re: junk mail


I can't send to the ASA mailing list (due to a unknown incompatability
between my mailer and theirs). You can forward this along if you think
it is of general interest.

Steven Schimmrich writes, about "junk E-mail":
> There's not much that can be done.

Mail-bombing is considered a denial-of-service attack and is illegal.
Anyone engaging in this tactic could be charged with a crime or sued.
I would recommend the following steps instead:

(a) Figure out where the junk E-mail (aka "spam") came from. Politely
ask the originating ISP to cancel the offending user's account.
(If the spam came from a known spam-friendly ISP who will not take
action, ask THEIR upstream provider to pull THEIR plug.)

(b) Figure out if the E-mail was "relayed" through a third-party mail
server (essentially stealing their resources). Politely ask them
to (1) fix their mail server to reject that sort of abuse, and
(2) take action against the thief who hijacked their system.

(c) Check to see if the E-mail advertises a web site or E-mail address.
This is often a different ISP than the one the junk E-mail was
sent from. Politely ask the hosting ISP to pull the plug on the
spammer's drop-box or web site (again, if it's a spam-friendly
site, then go over their heads to *their* service provider).

(d) If the junk E-mail is an illegal chain letter (also known as a
"MMF" or "Make Money Fast" scam) requesting you to send $5 to
several addresses and add your own to the list), report it to the
U.S. Postal Inspector as well (see:

(e) In order to protect yourself, talk to your own ISP about setting
up PROCMAIL or some other spam-filtering software. This is not
a complete solution (the spam has still consumed network resources
by the time your ISP throws it away), but at least your mailbox
can be kept reasonably clean. I use PROCMAIL to save spam off
into a separate trap; I send out complaints when I have time to
go through it.

(f) If you live in the USA, write your representative and support
the Smith Bill (aka Netizens Protection Act). It extends the
"junk fax" law to make "junk E-mail" illegal as well (for the
same reason -- it is advertising at the target's expense).
More information is available at:

In order to execute steps (a)-(d) properly, you are going to have to
become fluent in reading E-mail headers and using tools such as
"traceroute," "dig," and "whois" (these are widely available Unix
programs; the functionality of most of them is available in a
freeware program called "CyberKit" for Windows 95).

Here is one example of the process. I recently received some
"adult-oriented" spam. Here is what I did:

(1) Check out the headers:

# From Fri Oct 31 05:09:43 1997
# From:
# Received: from by via smap (V
# id xma017201; Fri, 31 Oct 1997 05:09:21 -0500
# Received: from ( [206.13
# by (8.8.7/8.8.7) with SMTP id EAA13666;
# Fri, 31 Oct 1997 04:06:39 -0600 (CST)
# Received: from ( []) by
# (0.0.0./0.0.0.) with SMTP id AAA000000 for <>;
# Wed, 29 Oct 1997 23:13:58 -0 500 (EST)
# Date: Fri, 31 Oct 1997 04:06:39 -0600 (CST)
# To:
# Comments: Authenticated sender is <>
# Subject: XXX Live Sex!!!
# Message-Id: <>

The "From" and "From:" lines are trivially forged, so they can almost
always be ignored. (Generally the poor owner of that address will
be deluged when tens or hundreds of thousands of the undeliverable
addresses that the spam was sent to are "bounced," so there's little
point in complaining to that address even if it appears genuine.)

Each time a mailer hands off the message to another mailer, a "Received:"
line is inserted at the top of the message. Many mailers do not show
these unless you ask for "full headers," so you may have to poke around
a little just to be able to see them.

Sometimes these lines are forged. But each site always inserts their
own at the very top of the message; once the message leaves the
spammer's site, all of the legitimate "Received:" lines will be above
the bad ones.

Generally you want to work downwards from your site to the source of
the message (and ignore the forged ones that are always below the true
source). In this case, the "Received:" lines are, in top-down order:

# Received: from by via smap
# (V 1.3) id xma017201; Fri, 31 Oct 1997 05:09:21 -0500

This line was inserted by my machine. The name outside parentheses
("") is what the machine called itself during the mail
exchange; the number inside parentheses ( is the IP
address that the connection came from. The former is trivial to
forge (as we will see below), the IP address is extremely difficult
to forge. The first thing I do is use "dig" to see the REAL name of
the machine that handed the mail off to mine:

} % dig -x
} 14400 PTR

This machine's official name is "," so it was not lying
about that. I received this spam from Texas A&M's mail server. They
are probably not in the business of sending spam, so I need to see
where *they* got the E-mail from. I look at the next "Received:" line:

# Received: from (
# []) by (8.8.7/8.8.7) with SMTP id
# EAA13666; Fri, 31 Oct 1997 04:06:39 -0600 (CST)

Texas A&M's mail server received the message from a machine which called
itself "" but whose real IP address
and is part of's network. (Unlike my own machine, Texas
A&M did the IP-to-name inverse lookup and included the result in the
header. The name inside the parentheses is the inverse-lookup, which
can be trusted.)

Thus, the message probably originated at, and was
relayed through Texas A&M's mail server on its way to me. Just for
grins, I check the next "Received:" line:

# Received: from ( []) by
# (0.0.0./0.0.0.) with SMTP id AAA000000 for <>;
# Wed, 29 Oct 1997 23:13:58 -0 500 (EST)

This is forged. IP addresses are not reported with leading zeroes,
and is not a legal address anyway. This line is meaningless,
so I just ignore it.

There's one more catch: Some sites haven't configured their mailers
to report the originating IP address of a connection. As soon as
you get to a "Received:" line that does *not* include a numeric IP
address, you cannot trust anything below that.

For example, if Texas A&M's "Received:" line had said:

} Received: from by (8.8.7/8.8.7)
} with SMTP id EAA13666; Fri, 31 Oct 1997 04:06:39 -0600 (CST)

... then we wouldn't have been able to find out where the spam was
actually sent from. (Had this happened, I would have sent a polite
note to Texas A&M asking them to configure their mailer properly,
in addition to noting that their SMTP server had probably been

(2) Scan the body for additional information:

I'll spare you the details of that message's body, but the one important
thing is that it advertised a web site called "".
Then I use "whois" to see who owns that domain (it reports the contact
information that must be submitted to the InterNIC on the domain name

} % whois
} Katy Smith Productions (PINKPUSSYCLUB-DOM)
} 450 N. Alta Vista
} Los Angeles, CA 90036
} US
} Administrative Contact:
} Smith, Katy (KS4284) pussycat@PINKPUSSYCLUB.COM
} 818-340-0443 (FAX) 818-340-0443
} Technical Contact, Zone Contact:
} Name Service Administrator (NSA6-ORG) nsadmin@CYBERSPACE.NET
} (206) 505-7155 Fax- - (206) 812-7283
} Billing Contact:
} Smith, Katy (KS4284) pussycat@PINKPUSSYCLUB.COM
} 818-340-0443 (FAX) 818-340-0443

If I care to send a complaint to the spammer, I would send it to
"". Judging by the seedy nature of their
business, it is not likely that they care about complaints, so I
will complain to their service provider instead. That is what the
tool "traceroute" is for (it reports all the machines that data
passes through between my site and the target):

} % traceroute
} traceroute to (, 30 hops max
} 1 ( 58.043 ms 58.245 ms 59.776 ms
} 2 ( 59.721 ms 58.517 ms 59.739 ms
} 3 ( 79.675 ms 58.482 ms 59.8 ms
} 4 ( 69.613 ms 88.468 ms
} 5 ( 79.649 ms 88.445 ms
} 6 * 574.Hssi2-0.GW1.EWR1.ALTER.NET ( 469.91 ms *
} 7 Fddi0-0.BR1.EWR1.Alter.Net ( 309.963 ms * *
} 8 ( 350.052 ms
} 9 ( 279.879 ms
} 10 ( 319.922 ms
} 11 ( 249.888 ms 189.272 ms
} 12 ( 259.893 ms * 330.047 ms

Lines 1-5 are the connections from my site up to the backbone (the
box that I dial into, my ISP's main router, my ISP's ISP, etc.).
The lines at the bottom are the connections from the backbone down
to the offending site.

"" (line 12) gets their connection from (line 11). That machine either is owned by
or gets its connecivity from (line 10). Since the IP-to-name
lookup failed for line 11 (else it would have reported the machine's
name instead of the IP address twice), I use "whois" to see who owns
that block of addresses. This is done by dropping numbers off the
end of the address until "whois" reports a success:

} % whois
} No match for "".
} % whois 209.67.64
} Exodus Communications Inc. (NETBLK-ECI-5)
} 1605 Wyatt Dr.
} Santa Clara CA 95054
} Netname: ECI-5
} Netblock: -
} Maintainer: ECI
} Coordinator:
} Bowman, Robert Director of Engineering, g
} [Sr. Systems Engineer] (RB203) rob@EXODUS.NET
} (408) 346-2293 (800) 2-NETUSA (FAX) (408) 346-2201

That address is owned by, so the spammer apparently receives
connectivity directly from I shall ask to pull
the spammer's plug. When I check out, they tell me that
their "contact" is "". (In general the appropriate
complaint address is "abuse@site", but Exodus has bounced that address
in the past.)

(3) Putting it together

I have now identified the three parties that I want to complain to:
(1) Texas A&M (hijacked mail relay), (2) sprintlink (spam sent from
an account there), and (3) (connectivity for the
spam-advertised web site).

I use "whois" to find out Texas A&M's contact address,
and get "".

Then I assemble my three short "form letters" relevant to those
topics and include a copy of the spam with full headers. And I
send out this message:

} To:,, tech@NET.TAMU.EDU
} Subject: Re: XXX Live Sex!!!
} The enclosed E-mail spam appears to have been sent by
} hijacking your SMTP server. You may wish to take steps to make your
} site more secure (e.g., refusing third-party relaying), and you may
} wish to take action against the thief who abused your system.
} The enclosed E-mail spam appears to have originated
} at your system. Please terminate the spammer's account. (And, if
} possible, charge them a large amount for your having to clean up the
} mess that they created.)
} You are providing connectivity to a a spammer
} ("", who is (1) hijacking SMTP servers,
} (2) forging E-mail identity and origination, and (3) indiscriminately
} sending "adult-oriented" spam to accounts owned by minors. Please
} disconnect this site.
} # From Fri Oct 31 05:09:43 1997
[Message with full headers followed this point, deleted]

-- Chris (