news.admin.net-abuse.email FAQ

0.1 About this FAQ

This FAQ is an attempt to answer some of the frequently asked and occasionally answered questions in, about and around the newsgroup news.admin.net-abuse.email

Most of the questions have already been answered fully elsewhere, so a lot of the answers are just pointers to other FAQs

1.1 About news.admin.net-abuse.email

In November of '96 the net-abuse groups were reorganised:

news.admin.announce
Announcements for news administrators. (Moderated)
news.admin.net-abuse.bulletins
Bulletins of action about net abuse. (Moderated)
news.admin.net-abuse.email
Discussion of abuse of email systems.
news.admin.net-abuse.policy
Discussion of net abuse policy. (Moderated)
news.admin.net-abuse.sightings
Sightings of net abuse. (Moderated)
news.admin.net-abuse.usenet
Discussion of abuse of the Usenet system.

For more info about the rest of the hierarchy, see http://www.ews.uiuc.edu/~tskirvin/nana/

1.2 news.admin.net-abuse.email charter

News.admin.net-abuse.email is a forum for discussion of possible abuses of e-mail. Possible topics include mailbombing, denial-of-service attacks, "listserv bombs", unsolicited and/or unwanted mail, email address lists, mailing list abuse, large-scale mailings in general, chain letters, "email viruses" such as Good Times, filtering software such as procmail, and so forth. Flames and other personal attacks received through email are not on-topic, unless they are related to another form of abuse.

News.admin.net-abuse.email is unmoderated.

The news.admin.net-abuse.* hierarchy is for discussion of abuse of Usenet and/or the Internet; it is not for discussion of abuse of groups or individuals on such networks, such as flames, personal attacks, or off-topic messages.

Binaries are specifically prohibited from all groups in the news.admin.* hierarchy, except as examples of other abuse. All messages removed by unauthorized cancels in the hierarchy will be automatically reposted by Dave the Resurrector or a similar program, at the discretion of the group moderator or, for the unmoderated groups, the operator of the resurrector program. Spams, gateway spews, and other attacks on the system itself will be removed as appropriate, following standard Usenet guidelines.

1.3 news.admin.net-abuse.email mission

To fight abuse of the email system

This is primarily the fight against junk email, aka UBE, aka (incorrectly) UCE, aka spam, but also includes online chain-letters, mailbombing and list bombing.

It does not include abusive emails, unless they are sent in bulk. As Neil Pawson says, it's for abuse of the net, NOT abuse on the net.

1.3.1 UBE? UCE?

UBE
Unsolicited Bulk Email
or Unsolicited Boilerplate Email
UCE
Unsolicited Commercial Email

1.3.2 'spam'?

SPAM is a registered trademark of Hormel Foods, and a canned luncheon meat that's not at all bad fried for breakfast.

Hormel are nice, friendly folks and are happy for people to use the word 'spam' (in lower-case) to describe UBE and usenet EMP, but would rather you didn't use 'SPAM' (upper-case) or graphics of the can

See http://www.spam.com/ci/ci_in.htm for more info

1.3.3 Dave the Resurrector?

See section 3

2.1 Somebody sent me a nasty email! Make them stop!

We don't care. If you really want to complain, complain to them or their ISP. Better, filter them out

2.2 Somebody sent me a nasty email with forged headers!

Technically off-topic, but post full headers and someone may help

2.3 Somebody threatened me via email!

Contact the police. If you need help tracing the sender, post full headers and someone may help

2.4 This website should be shut down!

Unless the contents of the website are directly related to email abuse, we don't care

2.5 I saw this usenet post I don't like!

Unless it's directly related to abuse of email, we don't care. Try next door in news.admin.net-abuse.usenet

2.6 I'm on a mailing list, and I can't get off it!

Did you subscribe to the list? If not, see 2.7

Try the unsubscription instructions below. If all else fails, try emailing postmaster@ the domain that hosts the list.

2.6.1 Lyris

To unsubscribe from a list run by Lyris called, say, jazztalk@example.com you would send an email to jazztalk-unsubscribe@example.com

For more information, see http://www.lyris.com/

2.6.2 ezmlm

To unsubscribe from a list run by ezmlm called jazztalk@example.com you would send an email to jazztalk-unsubscribe@example.com

For more information, see http://www.ezmlm.org/

2.6.3 Majordomo

To unsubscribe from a list run by Majordomo called jazztalk@example.com send an email to Majordomo@example.com containing just the words "unsubscribe jazztalk" in the body of the message

For more information, see http://www.greatcircle.com/majordomo/

2.6.4 LISTSERV

To unsubscribe from a list run by LISTSERV called jazztalk@example.com you would send an email to LISTSERV@example.com containing just the words "signoff jazztalk" in the body of the message

For more information, see http://www.lsoft.com/listserv.stm

2.7 I'm on a mailing list I didn't subscribe to!

Is it from a company or organisation you recognise and have done business with, given your email address to them via a webpage or somesuch? If not, see 2.8

Many of the more rigid inhabitants of n.a.n-a.e will consider this UBE, and treat it as such.

If you're in a more flexible mood, follow the unsubscribe instructions that should be included in the message. If that doesn't work, complain loudly to someone appropriate at the organisation sending it. If that doesn't work, treat it as UBE and see 2.8

2.8 I'm receiving messages claiming to be a mailing list, but I definitely didn't subscribe to it

It's possible that someone maliciously subscribed you to the list (either to harass you, or to make you harass the list-owner). Well run mailing lists require you to respond to a subscription verification message before they start sending you messages, but there are still many badly run lists out there.

If this seems to be a forged subscription then contact the list-owner, ask them for all info they have on the subscription request they received and tell them about subscription confirmation (point them at section xx of this FAQ)

Or it may well be UBE. You can often tell from the content of the message. Any mention of laws, bills, S.1618 or Senator Murkowski means it is UBE. If it has 'ADV' or 'AD' at the beginning of the subject then it is UBE. If it asks for removes to be sent to a different domain than the one you received it from, or if it asks that remove requests be sent to a hotmail, yahoo, my-dejanews or apexmail email address then it is UBE. See 2.10

2.9 I received something claiming to be Information I Requested. Is it UBE?

Almost certainly. It is just possible that someone has forged a request to a legitimate autoresponder or entered your address on a webpage requesting to be sent information.

Legitimate, well-run autoresponders will include information about the original requestor. In the case of an email request this would be the headers of the original email, in the case of a web request it would be the connecting IP address and the time the request was made

If it seems to be a forged request to a legitimate autoresponder and it has the info you need to track the originator in the response, notify the autoresponder owner (on principle) and track the culprit

If it doesn't include the info, ask the owner of the responder to retrieve it from their logs, and ask them to add that information to future responses.

2.10 I received some UBE - if I post it here will you make it stop?

That's not the way it works

First, take a look at news.admin.net-abuse.sightings and see if anyone has reported the same UBE there.

If they have, the post may give you some more background on the UBE, sometimes including the originator.

Otherwise, track it down yourself. See the hints in section 2.12. If you find something, post a complete copy to n.a.n-a.sightings including the info you found.

To post UBE to n.a.n-a.sightings you should use the same subject line as the original UBE, adding the tag '[email]' at the beginning

2.11 I have some questions about a UBE I received - what should I post here?

Include the full headers of the email (there should be at least one header beginning with the word Received: - if not, they aren't full headers). If there's a hugely long list of addresses in the To: or Cc: fields, snip most of them out. You might want to munge any innocent email addresses included, by replacing the @ sign with a #, for instance.

Snip out most of the body of the UBE, leaving just any names or contact information (websites, email addresses, address, 'phone numbers)

If you've posted the whole spam to n.a.n-a.sightings, mention that. For extra bonus points include the Message-ID of that post

2.12 How do I track down where this email came from?

See these webpages:

If you have any questions, ask here
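As an added worked example (mine, not part of the original FAQ), here is a small Python script that does the first step of tracing by hand. It pulls the Received: lines out of a message and walks them from the line your own mailserver wrote downwards, stopping at the first line whose "by" host does not match the "from" host of the line above it: everything below that break was written by a machine you cannot vouch for and may be forged, so the last IP above the break is the one to complain about. It also applies 2.11's two rules, that "full headers" means at least one Received: line and that innocent addresses get munged before posting. The message, host names and addresses are constructed for the example; the only thing a reader would change is the name of their own MX.

```python
import re
from email import message_from_string

# Constructed sample message (not a real spam).  The bottom Received: line is
# forged to point at an innocent site; the mail really entered the net from
# the dialup in the middle line, which handed it to relay.example.net.
SAMPLE = (
    "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
    "\tby mx.example.org (8.9.3/8.9.3) with ESMTP id KAA01234\n"
    "\tfor <victim@example.org>; Tue, 3 Nov 1998 10:00:00 -0500\n"
    "Received: from dialup-pool.example.com"
    " (ppp-42.dialup.example.com [198.51.100.42])\n"
    "\tby relay.example.net (8.8.8/8.8.8) with SMTP id JAA05678;\n"
    "\tTue, 3 Nov 1998 09:59:30 -0500\n"
    "Received: from innocent.example.edu (innocent.example.edu [203.0.113.5])\n"
    "\tby mail.innocent.example.edu with SMTP; Tue, 3 Nov 1998 09:58:00 -0500\n"
    "From: \"Friend\" <friend@example.com>\n"
    "To: victim@example.org\n"
    "Subject: ADV: Make money fast\n"
    "\n"
    "Send removes to remove-me@hotmail.example\n"
)

# 'from HELO-name (rdns-name [ip]) by host' is the shape most MTAs write.
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def has_full_headers(raw):
    """2.11's rule of thumb: no Received: line means these are not full headers."""
    return bool(message_from_string(raw).get_all("Received"))


def received_hops(raw):
    """Received: lines as dicts, top (most recent, written by your MX) first."""
    hops = []
    for line in message_from_string(raw).get_all("Received", []):
        line = " ".join(str(line).split())          # unfold continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue
        helo, paren, by = m.group(1), m.group(2) or "", m.group(3)
        ipm = IP_RE.search(paren) or IP_RE.search(line)
        hops.append({
            "helo": helo.rstrip(";,"),                       # name the client announced
            "rdns": paren.split()[0] if paren.split() else "",  # name the receiver looked up
            "ip": ipm.group(1) if ipm else None,             # address the receiver saw
            "by": by.rstrip(";,"),                           # host that wrote this line
        })
    return hops


def trusted_origin(hops, my_mx):
    """Walk down from the line your own MX wrote.  Each line is only as
    credible as the host that wrote it, so stop where the chain breaks and
    return the last IP you can still vouch for."""
    if not hops or hops[0]["by"] != my_mx:
        return None
    origin = hops[0]["ip"]
    for above, below in zip(hops, hops[1:]):
        if below["by"] not in (above["helo"], above["rdns"]):
            break                                   # forged or unverifiable below here
        origin = below["ip"]
    return origin


def munge(addr):
    """2.11: hide innocent addresses before posting by swapping '@' for '#'."""
    return addr.replace("@", "#")


if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    for h in hops:
        print("%-28s %-16s written by %s" % (h["helo"], h["ip"], h["by"]))
    print("complain about:", trusted_origin(hops, "mx.example.org"))
```

Run on the sample, the script reports 198.51.100.42, the dialup that handed the mail to relay.example.net, and ignores the forged line naming innocent.example.edu. A real message may need the regex loosened for odd mailers, and a host in the chain that is itself an open relay (4.3) may be the furthest you can get without its logs.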

2.13 What about remove lists?

The vast majority of these are scams, intended to harvest addresses which will then be sent yet more spam. (A common game on n.a.n-a.e is to seed these lists with 'virgin' addresses that are never used before or after, then wait to see how long it takes for them to be spammed)

Most of the remainder are well-intentioned, but completely ineffective

The main (only?) exception is SAFEeps at http://www.safeeps.com/. This is run by someone reputable, won't sell or leak your email address and allows domain-wide opt-out (many large ISPs have already opt-ed out all their users).

Registering with SAFEeps won't reduce the amount of spam you receive (as spammers won't use it - anyone ethical/smart enough to use a list washing service is hopefully smart enough to use opt-in email instead...). The size and statistics of the database are good ammunition for lobbying politicians with, though

3 Odd stuff on the newsgroup....

3.1 Dave the Resurrector

A common game for spammers, vandals and other unsociable types is to attack news.admin.net-abuse.* with cancel messages - these are a way of deleting people's posts here.

Dave the Resurrector is a 'bot which watches over news.admin.net-abuse.* and reposts any message that is cancelled. This means no one can successfully cancel your posts here - they'll be reposted. This includes you.

3.1.1 Someone cancelled my post!

Probably not, see http://www.ews.uiuc.edu/~tskirvin/faqs/cancel.html#III.

Even if they did, don't worry, see 3.1

3.1.2 I posted something bad! How do I cancel it?

You don't. See 3.1

3.1.3 Someone's forging me here! How do I cancel it?

Don't worry about it, it's just another attack on the group. The Annihilator will probably cancel them soon enough. Even if it didn't, you shouldn't try and cancel it, see 3.1

3.1.4 I see usenet spam here! Should I cancel it?

Ah, Darwin in action!

No, you shouldn't cancel it. The major despammers have 'bots that have already seen it and issued cancels. And, they've been introduced to Dave, so their cancels will work. See 3.1

3.2 There's so much junk here, it's unreadable!

Is most of it garbage posts or transplant posts? If so, you may want to fiddle with your newsreader killfile to filter out posts carrying a Supersedes: header. Filtering out crossposts to three or more groups can help too. Or, buy news service from someone who'll filter it for you, such as Newsguy http://www.newsguy.com/

If it's just the amount of traffic here, try getting a real newsreader and killfiling the people whose input you don't find useful and killing threads you have no interest in.

4 Miscellaneous useful stuff

4.1 How do I find a usenet post by Message-ID?

If it's a recent message, there may be an option on your news client to find it.

If you have a Newsguy account, you can search by Message-ID for recent-ish posts from their main search page

You can use the undocumented, but extremely useful, search page at DejaNews - http://www.dejanews.com/forms/mid.shtml

4.2 How do they get my email address?

4.2.1 Harvesting addresses from usenet

Probably the most common - harvesting email addresses from the From: lines in usenet postings.

The usual way to thwart this is to 'munge' your address, though many people choose not to do so. If you must munge your address, do it properly. Read the munging FAQ at http://members.aol.com/emailfaq/mungfaq.html first

Consider putting your real email address in the Reply-To: header - this will make replying via email work but prevent nearly all harvesting

Putting your email address in your signature is a Very Good Thing

4.2.2 Harvesting email addresses from webpages

There are a number of harvesters which spider through webpages, either looking for the content of mailto: tags, or anything of the form word@word.

There are many ways to obscure email addresses from harvesters

The visible text can be replaced with a gif containing the text - it'll look fine to people, but be impossible for 'bots to read. Using Roxen this is easy - <gtext href="mailto:steve@example.com">steve@example.com</gtext> will do it.

Generating a gif by hand is pretty easy for one or two addresses, such as the main contact address for a site

Replacing characters in the address with their equivalent HTML entities (see http://www.natural-innovations.com/boo/doc-charset.html) is very effective. Always replace the @ sign (to prevent harvesters from seeing it altogether) and a character on the right of the @ sign. This works for the email address in the mailto: tag too.

Replacing the whole tag with a fragment of javascript that outputs the tag would work, but would be unusable by anyone not using javascript

Using a cgi redirect script, <A HREF="mailto.cgi?user=steve&domain=example.com">email me</A>, where mailto.cgi returns an http redirect to the appropriate mailto: tag would be a useful thing for ISPs to provide. (example)

You could use a cgi form rather than a mail link. Blech.

If the address is only used for input from a form, either use a cgi script to receive the form and then mail it to you, or add a hidden field to the form, and filter out any email not containing that field

This doesn't stop harvesting of addresses, just the opposite.... see http://e-scrub.com/wpoison/
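As an added example (mine, not from the FAQ), here is the entity-encoding trick from this section in Python, next to the naive word@word spider it defeats, plus the hidden-field filter for form-only addresses. The address, the page fragment and the form marker are all constructed for the example; the marker's name and value are assumptions, not any CGI's convention.

```python
import html
import re

# The naive harvester the text describes: anything of the form word@word.
# Real spiders vary, but every one of them matches at least this.
HARVEST_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def entity_obscure(addr):
    """Replace the '@' and the character to its right with decimal entities.
    A browser decodes them, so the page and the mailto: link still work;
    a word@word spider never sees an '@' at all."""
    at = addr.index("@")
    return (addr[:at]
            + "&#%d;" % ord("@")
            + "&#%d;" % ord(addr[at + 1])
            + addr[at + 2:])


def mailto_link(addr, obscure=True):
    """Contact link as it would appear in the HTML; the encoding is applied
    both inside the href attribute and to the visible text."""
    shown = entity_obscure(addr) if obscure else addr
    return '<a href="mailto:%s">%s</a>' % (shown, shown)


def harvest(page_html):
    """What a word@word spider pulls out of the raw HTML."""
    return sorted(set(HARVEST_RE.findall(page_html)))


def browser_sees(page_html):
    """What a person gets after the browser decodes the entities."""
    return html.unescape(page_html)


# Hidden-field trick for form-only addresses.  The form's CGI copies this
# (assumed) marker into the mail it sends; a spammer writing directly to the
# harvested address cannot know it, so mail without it is dropped.
FORM_MARKER = "X-Form-Token: a1b2c3"


def form_mail_is_genuine(mail_body, marker=FORM_MARKER):
    """Filter rule for the form address: keep only mail carrying the marker."""
    return marker in mail_body


if __name__ == "__main__":
    page = "<p>Contact: %s</p>" % mailto_link("steve@example.com")
    print(page)
    print("harvester finds:", harvest(page))
    print("browser shows:  ", browser_sees(page))
```

The encoding only beats spiders that match on the literal characters; one that decodes entities before matching gets the address back exactly as the browser does, which is why the section also lists images, redirect scripts and the wpoison trap.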

4.2.3 Buying addresses

Once one spammer has your address, many will. They're sold over the web or on CD-ROMs. 53,000,000 addresses on one CD is one of the common adverts.

4.2.4 Addresses given voluntarily

If you give your address to someone, there's nothing to stop them selling it to list brokers, who'll sell it on to the spammers. It's extremely rare for reputable companies to sell addresses - I've been buying things online for three years or so, probably a couple of hundred transactions via web forms; only once has a company ever sold my address. (How do I know? I always tag addresses I give to companies, see 4.7. It was Activision, who sold it to ZDNet.)

If you give someone your address in return for them sending you something free, or entering a competition or somesuch it's a fair bet that they'll send you email - that's why they're giving away free stuff, and it's not unreasonable. If they sell the address, or won't stop that's definitely not reasonable

Email addresses entered on trade journal bingo cards, convention or hamfest registrations etc. tend to leak out to the spammers

4.2.5 Nic registrations

The email addresses used to register domain names, such as at Internic, are harvested. There's not a lot you can do, apart from dedicate an address to it and filter heavily.

4.3 What is an open relay?

A mail relay is a system that will receive mail from one site and forward it on to another site.

A typical ISP needs two sorts of mail relay. It needs to accept mail sent by its customers and send it on to the right place, anywhere on the 'net (an outbound relay, aka smarthost) and it needs to accept mail from anywhere on the 'net addressed to its customers and forward it on to them (an inbound relay, aka MX). Most ISPs use a single relay for both jobs, but some large ISPs (eg AOL) use separate relays.

An Open Relay is a relay which will accept email from address A and forward it on to address B when neither A nor B are customers

Open relays used to be common, and providing relay service for other people was considered polite, being a good neighbour

Unfortunately spammers abuse open relays by relaying spam through them. This can increase by a factor of 50 to 250 the rate at which a spammer can send spam, and can obscure the point of origin of the spam

In the case of an Anonymous Open Relay the relay doesn't record the originating address at all, making it near impossible to trace the originator without access to the relay's mail logs

More information about open relays, and how to secure them, can be found at http://maps.vix.com/tsi/

In most cases an open relay is due to a configuration mistake, an old version of software, a newly installed version of unix, or just plain broken mail software

Some ISPs leave their relays open intentionally, allowing their users to connect to the 'net via another ISP, but still use their home ISP's smarthost to send mail. This is often called roaming service, and it's dumb. The roaming user should use the smarthost of the ISP they're dialing in through (while still being able to read their mail from their home ISP)

Sometimes, for political, commercial or (usually) stupid-management reasons an ISP can't do this. Better solutions to this include a virtual private network (see http://www.altavista.software.digital.com/tunnel/) or POP before SMTP, see any of the following:
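As an added example (mine, not from the FAQ or any real mailer), here is the decision a closed relay makes for each RCPT TO, written out in Python, with the open-relay behaviour as a switch and POP-before-SMTP as the third way to be allowed out. It also simulates the classic probe used to tell the two apart: connect from outside, give an outside sender and an outside recipient, and see whether the server says 250 or 550. The ISP name, the customer network 192.0.2.0/24 and the 30-minute POP grace window are assumptions of the example.

```python
import ipaddress

# Constructed configuration for a hypothetical ISP; none of it comes from the
# FAQ or from any real mailer.
LOCAL_DOMAINS = {"example.net", "mail.example.net"}       # domains we are MX for
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # our own dialup pool
POP_GRACE = 30 * 60                                      # POP-before-SMTP window, seconds


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def relay_decision(client_ip, rcpt_to, now=0, pop_auth=None, open_relay=False):
    """SMTP reply for one RCPT TO.  A closed relay accepts mail that is
    inbound (we host the domain) or outbound (the connecting IP is ours, or
    recently fetched its POP mailbox).  The envelope sender plays no part:
    it is whatever the client typed, so it proves nothing."""
    pop_auth = pop_auth or {}               # client_ip -> time of last POP login
    ip = ipaddress.ip_address(client_ip)
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return 250, "Recipient ok (inbound, we are the MX)"
    if any(ip in net for net in CUSTOMER_NETS):
        return 250, "Recipient ok (outbound from a customer address)"
    if 0 <= now - pop_auth.get(client_ip, float("-inf")) <= POP_GRACE:
        return 250, "Recipient ok (outbound, POP-before-SMTP)"
    if open_relay:
        return 250, "Recipient ok"          # relays for anyone: this is the bug
    return 550, "Relaying denied"


def smtp_probe(client_ip, mail_from, rcpt_to, now=0, pop_auth=None, open_relay=False):
    """The classic relay test: from an outside address, ask the server to carry
    mail from an outside sender to an outside recipient.  Returns the
    dialogue and whether the server agreed to relay."""
    code, text = relay_decision(client_ip, rcpt_to, now, pop_auth, open_relay)
    dialogue = [
        "S: 220 mail.example.net ESMTP",
        "C: HELO probe.example.org",
        "S: 250 mail.example.net",
        "C: MAIL FROM:<%s>" % mail_from,
        "S: 250 Sender ok",
        "C: RCPT TO:<%s>" % rcpt_to,
        "S: %d %s" % (code, text),
        "C: QUIT",
        "S: 221 Bye",
    ]
    return dialogue, code == 250


if __name__ == "__main__":
    for open_relay in (False, True):
        lines, relayed = smtp_probe("203.0.113.9", "tester@example.org",
                                    "tester@example.org", open_relay=open_relay)
        print("\n".join(lines))
        print("-> open relay" if relayed else "-> closed", "\n")
```

Some relays only show the problem after DATA (they accept the RCPT and bounce later), so a thorough probe sends a real test message to an address you control rather than stopping at the 250.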

4.4 What is an MX or DirectMX mailer

Normally you send email by sending it from your dialup to your ISP, who then sends it on to the recipient. If you try and send 100,000 pieces of UBE like this, your ISP tends to notice. One solution is to hijack an open relay (see 4.3), another is to use software that sends email directly from the dialup to the recipient. This is usually called MXware, direct-from-dialup mail or somesuch

One of the DULs (see 4.6) is a good way to block this

4.5 What is a throwaway dialup

A dialup account used to send one run of spam, assuming it's going to be deleted

4.6 What are RBL, ORBS, DUL etc?

These are all databases that list machines that match some criteria. They can be queried via DNS, allowing you to configure a mailserver to reject email from any machine listed in the database

4.6.1 MAPS RBL, Realtime Blackhole List

A conservative list, with all changes done by real, live humans. Lists actively spamming hosts, pro-spam providers and actively abused relays

Widely used, unlikely to drop much legitimate mail

See http://maps.vix.com/rbl/

4.6.2 ORBS, Open Relay "B" System

Aggressive, automatically maintained list of open relays, closed relays which smarthost for open relays and a few other systems

Will bounce some legitimate mail

See http://www.orbs.org/

4.6.3 DUL, MAPS Dialup User List (nee Orca DUL)

List of dynamically assigned IP addresses, primarily dialups. Very, very little legitimate email is sent directly from dynamic-IP, non-dedicated dialups, but a lot of spam is sent that way (see 4.4)

The legitimate email sent directly from dialups tends to be sent by unix hobbyists, who'll understand the bounce messages

Should block negligible legitimate mail
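As an added example (mine, not from the FAQ or from MAPS or ORBS), here is how "queried via DNS" works in Python: the connecting IP's octets are reversed and the list's zone appended, exactly as with in-addr.arpa, and an A record answer means listed while NXDOMAIN means not. The zone names rbl.example and dul.example and the listing data are placeholders constructed for the example; the FAQ gives web addresses for the lists, not the DNS zones they were served from, so nothing here describes those zones' real contents.

```python
import ipaddress
import socket

# Hypothetical zone names standing in for the lists described above.
RBL_ZONE = "rbl.example"
DUL_ZONE = "dul.example"


def dnsbl_name(ip, zone):
    """A list is served as an ordinary DNS zone: 1.2.3.4 is looked up as
    4.3.2.1.zone, octets reversed exactly as in in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for the DNS: name -> A record.  An answer means
# listed; no answer (NXDOMAIN) means not listed.
FAKE_DNS = {
    "9.113.0.203.rbl.example": "127.0.0.2",     # an actively spamming host
    "42.100.51.198.dul.example": "127.0.0.3",   # a dynamic dialup address
}


def resolve_a_offline(name):
    return FAKE_DNS.get(name)


def resolve_a_live(name):
    """Real query (needs the net): gethostbyname raises on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed(ip, zone, resolve=resolve_a_offline):
    return resolve(dnsbl_name(ip, zone)) is not None


def connect_policy(client_ip, zones, resolve=resolve_a_offline):
    """What a mailserver does when a client connects: check the lists in
    order and refuse with a 5xx that names the list, so a wrongly listed
    sender can tell why and knows whom to ask about delisting."""
    for zone in zones:
        if listed(client_ip, zone, resolve):
            return 550, "%s is listed in %s; mail refused" % (client_ip, zone)
    return 220, "mail.example.net ESMTP"


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.42", "192.0.2.1"):
        print(ip, "->", dnsbl_name(ip, RBL_ZONE),
              connect_policy(ip, [RBL_ZONE, DUL_ZONE]))
```

Because the list is plain DNS, a mailserver's ordinary resolver caches the answers, and the list operator can change entries without anyone downloading anything; the price is that the lookup fails open if the zone is unreachable, so choose a list whose policy (conservative RBL versus aggressive ORBS, above) matches how much legitimate mail you can afford to lose.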

5 Stuff for service providers

5.1 I'm setting up an autoresponder. How should I do it right?

  • If you are accepting requests via email, include the full headers of the original request in your response, and ensure that your primary mailserver has the correct time
  • If you are accepting requests via the web, include the connecting IP address, the exact time and ideally all other http headers that were sent with the request (this often includes proxy information that can be useful in tracking abuse)
  • Don't email to any address too often - twice a day is plenty

If you can't do all these, consider using a commercial autoresponder. They're cheap (a few dollars a month) or free

5.2 I'm setting up a mailing list, how do I do it right?

Use real mailing-list software (such as Lyris, ezmlm, Majordomo or Listserv), running on a machine with a permanent connection to the 'net.

All four will run under unix, Lyris and Listserv will run under Windows (I prefer Lyris...)

Despite the claims of several dubious shareware programs trying to run a mailing list over a dialup will just cause you grief. Run it on a real machine, they're easy to administer remotely.

If you can't use real mailinglist software, consider a mailinglist hosting service (lyris and lsoft will both host commercially, as will many ISPs, there are a couple of free mailinglist providers [who?])

Ensure that all subscription requests send a confirmation request to the subscriber, containing a 'magic cookie', which the subscriber has to respond to before they start receiving any list mail. This stops your list being used to harass others via listbombing, and protects you from accusations of spamming

A new magic-cookie is generated for each subscription request, usually a random string of characters. Sometimes it is embedded in the subject of the confirmation request, sometimes in the return address or sometimes in a URL embedded in the body of the mail

Include the headers of the original subscription request in the confirmation request, so forge-subscriptions are obvious and can be easily tracked

Allow only subscribers to post to the list. This almost eliminates spam sent via the list. If a subscriber wants to post from a different address they can subscribe the second address, then tell the listserver to send them no mail to that address

In the welcome message sent to all new subscribers include some info about the list, instructions for unsubscribing or changing subscription options, any list rules, whether the list archives are publicly available and a pointer to more information (either on the web or via an autoresponder)

Configure the list to refuse requests to list all subscribers, to prevent spammers harvesting your subscribers addresses

Make sure the machine running the list has time set correctly, ideally by synchronising it with an NTP server periodically

If you archive the list on a website either restrict access to subscribers only, or consider the privacy issues. Email addresses there will be harvested by spammers, see 4.2.2, unless you obscure them

For your own sanity, use mailing list software that handles bounces automatically, and make a web interface available to set subscriber options. Consider adding a trailer to each post explaining briefly how to unsubscribe
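As an added example (mine, not from the FAQ or from Lyris, ezmlm, Majordomo or LISTSERV), here is the subscription confirmation from this section in Python. The magic cookie is an HMAC over the address and the time of the request, so the list host keeps no table of pending requests; the cookie rides in the return address and the subject, and the headers of the original request are copied into the body so a forged subscription can be traced, which is also 5.1's advice for autoresponders. The subscribers-only posting check from the section is included. The list secret, the three-day window and the listname-sc.cookie@host naming are assumptions of the example, not any package's format.

```python
import hashlib
import hmac

# Assumptions for the example: one secret per list, kept on the list host,
# and a three-day window in which the confirmation must arrive.
LIST_SECRET = b"constructed-secret-change-me"
CONFIRM_WINDOW = 3 * 24 * 3600


def make_cookie(address, issued, secret=LIST_SECRET):
    """Magic cookie bound to the address and the time of the request.  Being
    an HMAC, it can only have been minted by us, for this address, at this
    time, so nothing has to be stored while the confirmation is pending."""
    msg = ("%d:%s" % (issued, address.lower())).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]
    return "%d.%s" % (issued, mac)


def confirmation_request(list_name, host, address, request_headers, now):
    """The message sent to a would-be subscriber.  The cookie rides in the
    return address and the subject; the original request's headers go in
    the body so a forged subscription can be traced."""
    cookie = make_cookie(address, now)
    confirm_addr = "%s-sc.%s@%s" % (list_name, cookie, host)   # assumed naming
    body = (
        "To join %s@%s, reply to this message or send an empty message to\n"
        "    %s\n"
        "If you did not ask to subscribe, ignore this; nothing more will be sent.\n"
        "\nThe request we received was:\n\n%s\n"
        % (list_name, host, confirm_addr, request_headers)
    )
    return {"To": address, "Reply-To": confirm_addr,
            "Subject": "confirm subscribe to %s (%s)" % (list_name, cookie),
            "Body": body}


def verify_confirmation(confirm_addr, list_name, address, now, secret=LIST_SECRET):
    """A reply arrived at a cookie address: check it is for this list, was
    minted by us for this address, and has not expired.  Only then subscribe."""
    local = confirm_addr.partition("@")[0]
    prefix = list_name + "-sc."
    if not local.startswith(prefix):
        return False
    cookie = local[len(prefix):]
    issued_s = cookie.partition(".")[0]
    if not issued_s.isdigit():
        return False
    issued = int(issued_s)
    if issued > now or now - issued > CONFIRM_WINDOW:
        return False
    return hmac.compare_digest(cookie, make_cookie(address, issued, secret))


def may_post(sender, subscribers):
    """Subscribers-only posting.  subscribers maps address -> receives_mail;
    a second posting address is subscribed with mail switched off."""
    return sender.lower() in {a.lower() for a in subscribers}


if __name__ == "__main__":
    req = confirmation_request(
        "jazztalk", "example.com", "alice@example.org",
        "Received: from ppp-7.dialup.example.net [198.51.100.7]\n"
        "\tby lists.example.com; Tue, 3 Nov 1998 10:00:00 -0500",
        now=910000000)
    print(req["Subject"])
    print(req["Body"])
    print(verify_confirmation(req["Reply-To"], "jazztalk", "alice@example.org",
                              now=910003600))
```

Binding the cookie to the address matters: a listbomber who forges a request for a victim gets the confirmation delivered to the victim, not to himself, and a cookie he captures for his own address cannot be replayed to subscribe anyone else.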

See also http://www.faqs.org/faqs/by-newsgroup/comp/comp.mail.list-admin.software.html


That's all folks

Steve Atkins, steve@blighty.com
