The following document should, where not otherwise stated, be understood to represent the opinions and beliefs of the FAQ-maintainer only. I endeavour to ensure that these opinions and beliefs are as correct as possible, but take no responsibility for any problems caused by errors herein. This document should not be considered to represent the opinions of any individuals or organisations other than the FAQ-maintainer.
Please note that in this document, "we" is intended to collectively refer to all regular or semi-regular posters to the news.admin.net-abuse.email newsgroup, including those of all persuasions, and should not be read as indicating the existence of a "clique" comprising persons of similar viewpoints.
"> PrefaceThis is one of three documents I have compiled to comprise an FAQ for the news.admin.net-abuse.email newsgroup. Each document addresses points in a given area, specifically:
The SPAMFIGHTING OVERVIEW offers a taste of the many techniques people use to fight spam. The objective isn't to teach you how to fight spam (there are many far superior documents that do just this), but rather to introduce some of the techniques you can use and refer you to some more detailed works.
THE EVILS OF SPAM covers the more ethical, moral, and legal aspects of spam, including just what constitutes spam and the types of people who become spammers.
UNDERSTANDING NANAE aims to introduce all of the weird, wonderful, and sometimes impenetrable terminology that people use in news.admin.net-abuse.email (nanae). It covers both colloquialisms (e.g. "chickenboner") and technical terms (e.g. "direct-to-MX").
These three parts are designed to stand alone and don't have to be read in order; feel free to pick and choose just the bits you're interested in.
These documents shouldn't be considered to be "the" FAQ, as there are plenty of other FAQs that are superior in insight, detail, or depth of coverage. They are just an FAQ that I hope will answer some questions that have been troubling you.
These documents are currently maintained by James Farmer. If you have any suggestions for additions or corrections, then feel free to send an email to
The latest versions of all of these documents can always be found at . There's also an index there, which is the easiest way to find the answer if you've got one question in particular - just find the word you're looking for and click on it!
These documents are somewhat extensive. For a quicker overview of the main things you'll need to know, have a look at George Crissman's excellent document "Your First Post to NANAE".
"> Use PolicyYou may copy and redistribute this FAQ in unmodified form by any means or media you see fit.
You may modify the presentation of this FAQ as you see fit, so long as the content remains unaltered.
You may modify the content of this FAQ so long as you appropriately credit both your changes and the original authors of this FAQ. At a minimum, the link to the FAQ's website _must_ remain in place.
"> CreditsNo document of this magnitude can be the work of only one man. I would like to thank everyone who offered ideas and suggestions, everyone who pointed out grammatical errors and gaps in my logic, and places where I was just plain getting things wrong. This wouldn't have been possible without you, people.
"> ]>New section about Bayesian filtering.
Removed or fixed lots of dead links.
I've added the following links:
This document is intended for anyone who feels confused about any of the spamfighting techniques discussed in the news.admin.net-abuse.email newsgroup. It aims to briefly summarise what each of the commonly used techniques is, and provide links to sites where you can find more detailed information.
This document is not a tutorial for spamfighters. While there is much in here that will be of interest to a newcomer, reading this document alone will teach you only what techniques you can employ to fight spam, not how to use them.
These are issues that are discussed in great depth in the second part of this FAQ, "The Evils of Spam". However, to briefly summarise, spam is a type of email that endangers the very existence of the email system by threatening to overwhelm it with a massive and uncontrollable volume of messages. Spam usually takes the form of advertising or promotional material that arrives in your emailbox without you having requested it.
UBE (Unsolicited Bulk Email) and UCE (Unsolicited Commercial Email) are terms that are often used to describe different types of spam
More information on just what is spam and why it is bad can be found in the second part of this FAQ, The Evils of Spam.
Most people ignore the spam they receive. They either don't have the time or the expertise to deal with it. Their decision is understandable, but in the end inaction only helps the spammers because they can point to statistics and say "I sent my spam to 7 million email addresses and only 190 people complained so the other 6,999,810 must have been happy to receive it".
Alternatively, spam-victims might try to use a spam's "remove address". The concept here is that by sending a message to a given email address you will tell the spammer to remove you from their mailing list. However, these things almost universally fail to work. In the rare cases where your "remove request" actually reaches the spammer, they'll just take it as an indication that email sent to your address is actually read by a human, and thus your address becomes _more_ valuable to them, and they send you _more_ spam.
The best thing to do is: complain, complain, complain! Most ISPs have Terms of Service (or Acceptable Use Policies) that forbid spamming, so if you can tell the spammer's ISP that their customer broke these rules, then you can get the spammer's account cancelled! As well as giving you personal satisfaction, this will serve as a deterrent to this and other spammers, and with any luck prevent him from profiting in any way from his spam.
(As an aside, an ISP will sometimes try to "educate" a spammer before terminating their account, as sometimes a company will send a spam without considering the issues involved. This topic is explored in the second part of this FAQ, "The Evils of Spam".)
The tricky bit is working out just who is the spammer's ISP. The address in the "From:" field is almost certainly forged in order to throw you off the scent (and may even belong to an innocent third-party), so you have to learn to read the "full message headers", which are a bit like a log of an email message's travels through the internet. The spammer will try to forge these too, but in most cases it's still pretty easy to work out which ISP the message came from.
Header-reading is beyond the scope of this document, but here are a few links where you can find out more:
BUT... when complaining, please remember that the people at the spammer's ISP are not the bad guys. They didn't know their customer would turn out to be a spammer. There is a great temptation to fire off a few pages of verbal abuse, but remember that you are angry with the spammer, not the abuse staff at his ISP. The spammer will have abused them too, probably breaking their Terms of Service. And there is nothing an ISP can do to prevent, completely, any chance of Internet abuse emanating from their machines. So be polite. Point out what has happened without dramatic or obscenity-clad embellishment. Hostile or infantile behaviour will do you no good at this stage.
If the abuse staff sends you a response that is blatantly offensive, then it may be time to revise your opinion of them (although always be aware of the potential for a misunderstanding), but you should start out from the assumption that these people are your friends.
Most abuse departments won't act against a spammer until a non-trivial number of complaints have been received. This is because people sometimes forget that they have signed up for legitimate mailing lists or requested other types of email, and complain about it as spam. If you are convinced that a message was spam but the spammer's ISP claims that it wasn't, then there are further steps you can take. We will discuss these in later sections of this document.
Assuming that the ISP agrees to take action, the spammer's account with that ISP will often be cancelled. Unfortunately, the spammers have caught on that their accounts rarely last long after they send their spam, so they've taken to using cheap "throw-away" accounts, opened solely for the purpose of sending spam which advertises ("spamvertises") websites held on other providers. The spamming accounts will get cancelled soon after the spam-run is complete, but the website will remain intact and thus the spammer can safely benefit from their spam (in terms of sales over the web, or clicks on banner advertisements, or whatever). That's the idea, at any rate.
Largely, this doesn't work as most web-hosting companies have clauses in their Terms of Service forbidding the use of spam to advertise the websites they host. Sending a quick complaint to the hosting company will often result in the spammer's website being removed.
But how to find the web-hosting company? The spammers may try to conceal this, but there's one snag - they want potential customers to reach their website, which means that the website's URL is probably somewhere in the spam. Once you find it, you can use tools like "traceroute" and "whois" to work out who's hosting the site. Here are some useful online versions of these tools:
But if you'd prefer to run them from your desktop, rather than surfing over to a webpage every time you want to run a traceroute, then you can download versions of the tools from these links:
"traceroute" is a tool that gives you the list of machines on the Internet, where a message sent from the source machine to another machine would pass through. "Whois" is a tool for looking up the owner of a domain or IP address. A detailed look at either of these is beyond the scope of this document, but again here are some useful links:
NOTE: Make sure you know what you're doing before you start writing complaints based on the results of tools like "traceroute" or "whois", as it's very easy to make mistakes. In particular, don't automatically email every email address you see in a whois output - sometimes these are merely the writers of the whois servers! If in doubt, ask in the newsgroup for confirmation.
Spammers will often try to obscure the true address of their website by spamvertising the address of an intermediate site or giving the address in an obscure format, but in most cases it's pretty easy to work through their tricks. We'll look at this in more detail in section 1.3.1.
Using the result of a "whois" or "nslookup" tool, you can also find out whose providing nameservers or DNS services for a spammer's domain. These are just as vital to the website's operation as the web-hosting company - you may wish to complain about the spammer's activities to them as well.
Alternatively, the spam may not advertise a website and will instead be soliciting replies by email. You can use the techniques described above to work out who is hosting this email address ("drop-box") and complain to the provider, which will probably cancel the spammer's email account. Good, eh?
A few spammers - particularly chain-letter spammers - don't include any electronic ways of contacting them, giving only a postal address or a telephone number in their spams. In these cases, there tends to be less you can do.
Most postal addresses found in spams will actually be P.O. boxes (e.g. Mailboxes Etc). Some of these mailbox providers may have rules against business use or certain types of business uses (e.g. chain letters or MLM); if so and you complain, they may take action.
In fact, chain letters soliciting money are illegal pyramid schemes in many countries, so reporting them to the authorities may be a good idea. For example, in the United States you can forward such chain letters to your local postmaster or postal inspector, or the postmaster/postal inspector local to each address on the chain letter, or present them to the clerk at your local post office saying "I received this illegal chain letter asking for money". You can also send them by email to
Incidentally, I do NOT recommend making personal visits to addresses advertised in spams. Nothing good can come of such episodes. If you desperately want to contact the spammer, send him a letter.
Many spams will include phone numbers you're supposed to call for more information. Sometimes these will play recorded messages giving the address of a website or an email address, in which case you can complain to the relevent ISP as usual. In other cases, it can be worthwhile checking the type of phone number it is - many spammers give premium-rate numbers and don't include legally required warnings, in which case you can complain the provider or the regulator or whatever is relevant to the locality. (On this note, _always_ check the call charges before calling a spamvertised phone number. If in doubt, don't call it.)
Note that in many countries, a freephone number can still detect your number even if you have call blocking enabled. Use a pay-phone if this worries you.
By the way, if you call a spammer's phone number and actually reach the spammer or his family, DON'T be abusive. It does no good and only makes the spammer feel like the victim.
(Well that's all I know. Can anyone think of anything more for this section?)
The key with most spamfighting is summed up by this simple motto: "Follow the Money". Have a look at the spam and the spammed website and see how the spammer's intending to earn off it. Is he using an external merchant to charge credit cards? If so, complain to them and often they'll stop dealing with the spammer. Does he have banner ads? If so, complain to the suppliers of the banner ads. If there's a form on the spammer's website that sends information to an email address, complain to the ISP of that email address. Most legitimate businesses on the Internet aren't keen to sully their reputations by working with spammers.
Remember: always be polite. The ISPs are not your enemies and a single polite word will get you a lot farther than a screenful of abuse.
As an aside, the U.S. Federal Trade Commission has a project for analysing and classifying spam, and have invited Internet users to forward their spam to
At most ISPs, the address for sending complaints is "abuse@<isp-domain>, e.g. abuse@rcn.com or abuse@yahoo.com. However, a few ISPs have non-standard abuse department email addresses; in these cases it can be hard to know where to send your complaint. To the rescue comes abuse.net; a database of ISP abuse addresses. It can even forward complaints automatically to the relevant abuse addresses if you supply the complaint and the name of the Internet provider! Have a look at
All this reading headers, working out webhosting providers, and so forth is a pain. Spamcop is a service that aims to automate this process; you give it your spam and it writes and mails the complaint for you.
Spamcop has a reputation for sending complaints to a few incorrect places, so you have to keep an eye on what it's doing, but if you think you might find it useful, then have a look at . (Note that www.spamcop.org has no relation to www.spamcop.net.)
A French-language service at seems to do something similar to SpamCop, but in French.
There's also downloadable anti-fighting tools, such as:
No; hacking (or, to use the precise term, cracking) is very seriously frowned upon by most of the anti-spamming community. Apart from the fact that it's illegal, it allows the spammers to portray themselves as honest businessmen being assaulted by electronic terrorists. If we are to eliminate spam it is important that we retain the moral high ground.
Some spammers try to "obfuscate" the address of their website in order to make it hard to see where to complain to. A number of common tactics include:
The Non-Dotted-Quad IP address
Most IP addresses have the "dotted-quad" form:
However, the IP address is also valid as one big decimal number, e.g.:
The spammer hopes that by giving you the address in this form, you'll be confused. However, tools like traceroute and whois will quite happily work on either dotted-quads or big decimal numbers. If you're happier working with the dotted quads, there's a tool at that will convert back to them.
IP addresses can also be represented in Octal (prefixed '0') or hexadecimal (prefixed '0x'), or even as a mixture of these within a dotted quad, in which case the above IP address might become:
The key thing to remember is that if it works in your web browser, it'll work in traceroute and whois too, so all this obfuscation by the spammer is really a wasted effort on their part. What a shame. :)
The Really Long Dotted-Quad IP address
The dotted-quad I.P. address is just a way of representing a 32-bit number using four 8-bit numbers. It's a bit like the way you might right "1153" as one thousand, one hundred, five tens and three units. Now, in a dotted-quad only the lowest eight bits of each number are significant - to continue the above analogy, if we had "one thousand, twenty-one hundreds, five tens and three units", we'd discard the "twenty" from the "hundreds" column (because that would mean an extra two thousands and if we really wanted them we'd have put them in the "thousands" column, so it must be an error, right?) and still be left with the number "1153".
Some spammers make use of this by setting the high-bits of the four numbers in the dotted quad to make the I.P. address rather long and confusing. For example:
It looks daunting, but dealing with it is quite simple. Just take each of the four dotted quads and ignore all but the eight lowest bits (ie divide each by 256 and take the remainder). In the example above, you'll end up with:
and from here you've got the I.P. address and can continue as normal.
Note that only the least-significant 32 bits have meaning in an I.P. address; any other bits are put there by the spammer to further confuse us.
Alternatively, the URL de-obfuscator at will happily decode this kind of really-long-dotted-quad URL for you.
The Username Trick
You can specify a username and password in a URL using the @ symbol. For example:
will log me into www.myreallysecurewebsite.com using the username "jjf" and the password "fred". But if www.myreallysecurewebsite.com didn't need a username & password, the username & password are ignored. Spammers use this to conceal their website's location. For example, is the following website located on members.aol.com or www.twinlobber.org.uk?
If you know this trick, it's fairly easy to see through it, so the spammers have now taken to trying a double-bluff. The username has to come before the first slash after the "http://" bit, and so the spammers try things like this:
This URL references the directory "@www.twinlobber.org.uk/ispammedyou" at members.aol.com, not a website at www.twinlobber.org.uk itself.
Many of the URL de-obfuscation tools given below for decoding Javascript-encoded URLs will also deal with this trick.
JavaScript
A _really_ nasty technique is to encode the URL in JavaScript; this can result in URLs that look to you and me like absolute gobbledegook!
Fortunately, help is at hand. Have a look at these resources:
Spammers know that no matter how hard they try to mangle their URL in the manner described above, some people will be able to decode them. Therefore, they sometimes try to hide their websites using other methods as well...
Page Redirections
Another tactic favoured by some spammers is to spamvertise one URL but have that URL "redirect" visitors to another. In this way, the spammer hopes to confuse us, to misdirect complaints, and if the site that's redirected to is taken down he can just change the redirection page to point to another, identical site and still profit from his spam run.
Fortunately, in most cases, page redirection can be followed simply by looking in your browser's history window. Once you recognise this, the thing to do is complain to the hosters of both the redirecting website _and_ the website it redirects to.
Frames
A variant on the Page Redirection trick is to have a webpage on one site that contains a frame around a webpage on a second site; this way "Location:" field of the browser will contain the URL of the first site (the one containing the frame) and not the URL of the second site (the one containing the actual content). In Netscape, you can get the URL of the second site by selecting "Page Info" from the "View" menu; in Internet Explorer, right-click on the webpage and select "Properties".
Many spammers have learned that anti-spammers get important information about their operations from the source code of their website. So they've taken to encoding their webpages in JavaScript; this is decoded into HTML by your web-browser in order to display the page, but when you try to look at the source you just see gobbledegook-like Javascript.
Fortunately, help is at hand. Have a look at these resources:
Alternatively, users of Internet Explorer 5.x can install the "Microsoft Web Developer Accessories" add-on from Microsoft. With this tool you can highlight a portion or all of a webpage, right-click (or shift+F10) and select "View Partial Source". You now see the plain HTML that the spammer's JavaScript sent to your browser.
Some spammers go to almost insane lengths to obfuscate their websites, but the key to remember is that they have to be decodable by your web-browser, so they're decodable by you too. John McGowan has written an excellent example of how he doggedly disected a spammer's website; this can be found at .
Some spammers' websites can do some quite nasty tricks, such as switching Internet Explorer to full-screen mode and not letting you escape, or opening lots of pop-ups, or re-opening the site every time you try to leave it, and so forth. If you use IE, you can put the spammer's site in "Restricted Mode" which will disable all JavaScript, Java, ActiveX, cookies and anything else on the site the spammer will try to trick or trap you with. In other browsers you can disable JavaScript and Java from the configuration window.
You can also use the advert-removing program WebWasher to prevent abusive JavaScript code from executing. Look for it at .
However, beware; some spammers know that many anti-spammers surf with JavaScript permanently disabled and have written websites that look as if they have been killed if JavaScript is disabled yet are still fully functional for surfers with JavaScript enabled. Some other spammers websites will immediately redirect you elsewhere if they detect you have disabled JavaScript.
Spammers know that anti-spammers get a lot of information about their revenue chains by looking at the source code of their website. So they have taken to writing little bits of JavaScript that intercept right-mouse-clicks on their webpage to prevent the context-sensitive menu containing the "view source" option in Netscape and Internet Explorer from appearing.
In Internet Explorer, you can also type into the Address box "view-source:" followed by the URL in question to see the page source, for example "view-source:http://www.spamfaq.net".
This can, of course, be circumvented by deactivating JavaScript in your browser, but there is also a simpler solution, as the "view" menu on the menu bar allows you to bring up the page source in some versions IE and Netscape. Alternatively, Shift+F10 will simulate a right-click in some browsers. Some Windows keyboards also have a "context-sensitive menu key" which can be used to call up the menu you'd normally get by right-clicking. Note that some spammer's webpages will now intercept these keypresses as well as the right-click, but the "view" menu on the menu bar should still work. (If the website contains frames you'll only get the source of the frameset - type the URL of the frame itself into your browser. Sometimes it'll automatically stick itself back in the frame - if this happens, disable JavaScript. If the page requires JavaScript, try using the w3c.org validator.)
Most ISPs hate spam. Sometimes, however, you'll come across an ISP that is either utterly clueless or refuses point-blank to act against its spamming customers. In these cases, there are a number of steps you can undertake.
The first step is to check the archives to see whether anyone else is having a problem with this spammer or with this ISP. If you can contact others who are having the same problems as you, you can pool your resources to better achieve an affect.
news.admin.net-abuse.sightings is a newsgroup for reporting - not discussing - instances of Internet abuse. The idea is that anti-spammers post instances of the spam they see to this newsgroup, and then other anti-spammers can look in this newsgroup to see if other people are getting the same spam as they.
But it gets better. Google's newsgroup archiving service at archives most postings to news.admin.net-abuse.sightings (along with most postings to most newsgroups); you can use the advanced search feature to search these archives for instances of a particular spam! For example, if you've received a spam advertising the website "www.iamareallybadassspammer.com" you could search for "www.iamareallybadassspammer.com" in the forum (Google-speak for "newsgroup") "news.admin.net-abuse.sightings" and find some other people who have been spammed by that spammer.
Incidentally, the Google archives for news.admin.net-abuse.email are also a very useful resource for priming yourself on specific issues. There are few new ideas; most spam-related issues will have been discussed in this newsgroup at some point or another, and many spammers have too.
news.admin.net-abuse.sightings is a very useful resource but sometimes you need something a little more structured. Unlikely as it may seem, there are anti-spammers who dedicate whole websites to keeping track of the unrepentant spammers and those who run spam-support services. These can be very useful in discovering a spammer's M.O., or just why you're having trouble getting a spammer's account at a certain ISP killed. Here's just a handful of such sites...
The Spamhaus Project tracks spam support services and spam-friendly ISPs, and displays the results in a number of easy-to-navigate formats, with links to "whois" information, relevant abuse addresses, and the like. As well as currently-active spamhausen it lists deceased spamhausen, including how many times they have been terminated and by which ISPs, and when. There's even a "league" of leading spam-support services.
In a similar vein is Sapient Fridge's Spamware Sites Listing; a list of websites that are selling Spamware or supporting Spam in other material ways, each coming with various service providers (with cross-references), handy links to traceroute tools, and their status with the MAPS RBL.
The Spammer Quick Reference Guide has by no means as many technical whizz-bangs, but it looks like a quite useful list of who's spamming what.
ROKSO is a good reference of hard-core spam operations that get thrown off Internet providers time after time after time.
SenderBase seems to be a good way of checking the spam-reputation of a domain or I.P. address, including blacklists and other statistics:
If this research turns up a blank, then don't forget that a great way to contact other spamfighters about a suspected spam-supporting ISP is to post in news.admin.net-abuse.email.
Sometimes an ISP will support their spamming customer simply because the ISP themselves don't realise that spam is bad. In these cases, it may be worthwhile taking time to briefly explain (patiently and without expletives) the problems around spam and why the ISP should take action against their spamming customers.
If you try this, you'll soon be able to tell whether an ISP is genuinely ignorant and confused or is purposefully supporting spam.
There are an increasing number of ISPs, most notably those in the Far East, but also some in Europe and other parts of the non-English-speaking majority of this planet, where the technical contacts don't speak English. This can obviously lead to a communication difficulty if you yourself aren't fluent in their native language.
One solution is to use the Babelfish automatic translation service, but this technology can be a little flakey at times. It's probably better to get a bilingual friend to translate for you if at all possible.
For persistent spammers from foreign countries, you may be able to seek help from some of the foreign-language email abuse newsgroups, such as:
it.news.net-abuse - Italian net abuse newsgroup
fr.usenet.abus.d - French net abuse newsgroup
de.admin.net-abuse.mail - German net-abuse newsgroup
hr.news.net-abuse - Croatian net-abuse newsgroup
nl.internet.misbruik - Dutch net-abuse newsgroup
pl.news.mordplik - Polish net-abuse newsgroup
As a last resort, there are some anti-spam documents written in non-English languages, to which you may be able to refer non-English-speaching providers.
(All suggestions for this section are greatly appreciated!)
An ISP's "upstream" is a bit like an ISP's ISP. Apart from a few very large ISPs called "backbones", every ISP purchases its connectivity with the rest of the Internet from one or more other ISPs, which are called the "upstreams" of the first ISP. Many of these upstreams will have clauses in their contracts about spam, and if you can show them that their customer is allowing spam to come through their networks, they may well cut them off or pressure them to take action.
Occasionally, you'll find that a spammer has tricked you into thinking you're complaining to their ISP when really you're complaining to the spammer himself. In these cases, by going upstream you'll find the spammer's real ISP.
If an upstream provider refuses to act, you can try _their_ upstream provider, and so forth until you reach a backbone.
Spam is unpopular, so if you publicise the fact that a large organisation is supporting spam, then you may be able to force them to change their mind. A posting about them in news.admin.net-abuse.email is a good place to start. If the provider has their own newsgroups, then possibly one of them might be appropriate for a posting too. And then, if you're really determined, you can move on to online magazines, newspapers, and so forth.
A very controversial tactic is that sponsored by . This is a service a little like abuse.net, except that it forwards email to _every_ known contact address for abusive and unresponsive ISPs. The idea is that by forwarding abuse reports to as many officials and unrelated departments as possible, the message will get through somehow.
However, this is considered by many (including the faq-maintainer) to be sending Unsolicited Bulk Email and thus wrong. And even if you can get over that moral hurdle, it is extremely impolite.
Spamfighting is very important for reducing the amount of spam we'll all receive in the future but it doesn't do much to affect your spam intake for today. This section looks at some popular methods that are used to reduce the amount of spam currently ending up in mailboxes.
The obvious way to reduce the amount of spam you receive is to make sure that spammers don't have your email address! Before we can go further with this, however, we must learn how spammers get hold of email addresses in the first place. As it turns out, there are five main ways:
They pick them up when they're used publicly on the Internet, e.g. in a newsgroup posting or on a webpage. This is by far the most common way, and is known as "harvesting". Using your email address in a newsgroup or on a webpage is generally understood to solicit personal, topical replies from individuals, but is not a solicitation to receive broadcast advertising.
They buy a CD of addresses from another spammer. These addresses were probably harvested from newsgroups or webpages in the manner described above, and are often years out-of-date to boot. As the saying goes, there is no honour among thieves...
They guess them. For example, it's a fair bet that "joe@example.com" could be a valid email address, although there's no way of knowing to whom it leads. When spammers concentrate this technique on one domain it is sometimes called a "dictionary attack". (As it happens, joe@example.com isn't a valid email address, because "example.com" is a domain reserved for testing and examples.)
Our ISPs sell them our email addresses. This is extremely rare.
We give them to them. Always carefully read the privacy policy of any website before you give your email address to it, as sometimes email addresses are passed on or used for purposes other than those we intended when we gave them.
For a more detailed look at how spammers find email addresses, have a look at these documents:
Some spammers guess email addresses, so it may be a good idea to use something that spammers can't guess easily. For example, instead of joe@example.com, why not have joe34z@example.com?
The only way to totally eliminate the chance of receiving spam is not to have an emailbox. Even if you have an emailbox and never ever show your email address to anyone else, there's still the chance that a spammer might guess your email address. However, there are a few less extreme steps you can take to at least reduce the amount of spam you receive...
Never, ever give your email address to a company you do not trust entirely. If in doubt, open a free email account with a web-based provider such as hotmail.com and use that address for communicating with the company; that way, if they do spam, you can close the account and you've only lost a free email account you weren't using for anything else.
Never, ever post to usenet using an unmunged email address you care about. Use a throw-away address from a free email provider or munge your email address as described in . (Some people have reported that you can reduce spam without impacting upon the ease of contacting you, by posting with a munged From: address or an unmunged Reply-To: address, but I can't believe the spammers won't catch on to this eventually.)
Never, ever allow your email address to appear on a website, including on a web-based discussion board.
Some people concerned about privacy enter made-up email addresses into online application forms and the like. This seems like a good idea, but it is important to make sure that the made-up domain you use doesn't actually belong to anyone, otherwise you'll just be sending spam to the innocent third-party who owns it. This can become a very serious problem for the owners of some domains popularly used in such forms.
BAD MADE-UP EMAIL ADDRESSES
walt@disney.com
go@away.com
GOOD MADE-UP EMAIL ADDRESSES
this@address.is.made.up.invalid
go@away.invalid
There are several free mail-forwarding services that can be used to reduce your spam-level. The idea is simple; you give a different mail forwarding email address to each company that asks for your email address, and the mail forwarder forwards all mail to these addresses to your usual mailbox. If a company ever starts to spam you, you just disable the forwarding address you gave them and you won't get their spam, without affecting your other incoming mail. Companies who provide this service include:
"Munging" is the act of mangling your email address so that it can still be read by a human but cannot be automatically harvested by spammers.
For example, my email address:
jjf@mungedeg.twinlobber.org.uk
Could be munged into any of the following:
jjf<at>mungedeg<dot>twinlobber<dot>org<dot>uk
jjf@mungedeg.twinlobber.org.uk.REMOVETHISTOSENDEMAIL
jjf@NOSPAM.mungedeg.twinlobber.org.uk.NOSPAM
fjj@ku.gro.rebbolniwt.gedegnum.REVERSE-TO-SEND-EMAIL
When munging, you have to be careful not to accidentally munge your own email address so that it's identical to someone else's, and should always munge the bits to the RIGHT of the @-sign and not just the bits to the LEFT (otherwise your ISP will still get your spam even if you don't yourself). Also, you should ensure that your munged domain name is NOT an existing domain (else the poor sod who owns it could get your spam).
Recent drafts of the Usenet message format RFC specifies that the From: line of a newsgroup posting must contain either a valid email address or an email address ending in ".invalid". Your munged email address should really comply with this forthcoming standard, e.g.:
jjf@REMOVE-CAPS-AND-INVALID.mungedeg.twinlobber.org.uk.invalid
Note that some spammers now have harvesting software that can remove widely-used munges like "NOSPAM".
Some ISPs forbid their customers from using a munged email address. In these cases, whitelisting can be an alternative. In this, you set up your mail account such that some given word or string of characters must be in the subject line for any mail to be accepted, and then you explain this in any newsgroup postings and webpages containing your address. This way people can respond to you, but spam will be deleted from the server without you having to spend time downloading and reading it. This works especially well with webpages, e.g. use:
Then kill any mail that doesn't have FRIENDLYMAIL: in the subject line and have the rest forwarded to your real email address.
There have always been people who have filtered spam using simple rules in their email client; for example, depending on your tastes, it may be a fair bet that any message with "FREE LIVE SEX" in the subject-line is spam, and can be deleted or filtered into a separate folder that the user will clean out by hand. However, this has always been a somewhat hit-and-miss approach, requiring hard work and made more difficult by the somewhat crude filtering capabilities of many popular mail programs.
More recently, personal spam-filters have started to appear. These sit between your mail program and your mailbox, using more advanced methods to filter or tag likely spam messages. The number of personal spamfilters has skyrocketed in recent months; I even wrote one myself (SpamPal). Most of them work in different ways, and will have differing strengths and weaknesses. Here's a few links to get you started:
Free spam-filters for Windows users:
Commercial/Shareware spam-filters for Windows users:
Spam-filters for Unix users:
Spam-filters for Macs users:
There are also various companies who will filter the spam from your mail without the use of additional software. These include:
Bayesian Probability Filtering is an increasingly popular spam-filtering technique which has been integrated into popular email programs such as Mozilla. The idea is that you "train" the filter to recognise spam from non-spam, by telling it whenever it makes a mistake. This can be quite succesful because everyone's spam is different and the types of legitimate mail everyone gets is different; for example, anything I get that mentions "Viagra" may be spam, but another person may have a bedroom issue and legitimately need to discuss Viagra with someone. (Or vice versa.) The down-side to Bayesian filters is that it takes an appreciable effort to train the them; pre-trained Bayesian filters aren't really practical.
Challenge-response systems, also known as "Reverse Whitelisting" or "Permission-based" fitering, take a different approach to traditional spam-filters. Whereas traditional filters start from a stand-point that all mail is good then try to detect the spam, Challenge-Response systems start by assuming all mail is spam then only letting through people on a "whitelist". If the user receives mail from someone not on a whitelist, the system "holds up" the mail and sends a "challenge" message to the sender. If sender replies ("responds") to the "challenge" message, the original message is "released" and allowed into the user's mailbox, and the sender is "whitelisted" so any future emails will be allowed through without this rigmarole. The theory here is that the spammers won't bother to reply to the "challenge" - most of them are using forged email addresses so they won't even receive the "challenge".
Put like that, it sounds like quite a good idea. But the simplicity of the solution doesn't reflect the complexity of the real world, and challenge-response has a number of problems:
Mailing lists, especially discussion lists. If I send a message to a mailing list with 1000 subscribers, would I receive - and have to respond to - 1000 challenge messages? Many Challenge-Response systems allow the user to whitelist a mailing list automatically, but this can be unreliable (and judging by experience plenty of people forget).
Automated mailings - generated by a computer with no human intervention - have no human sender who can respond to the challenge message. This immediately breaks things like password reminder messages, confirmed opt-in mailing lists, Cron job notifications and so forth. Again, these things could be whitelisted manually - but you have to remember, and anyway guessing the email addresses most of them will be sent from would be difficult.
Forged sender addresses. Spammers often forge the addresses of enemies or just random individuals as the senders of their spam - if a spammer forges me as the sender of a 1,000,000-recipient spam-run, the last thing I want to receive is a "challenge" message from each and every victim!
And of course, simple challenge-response systems can be fooled if the spammer stops using forged email addresses and sets up a simple bot to reply to the challenges. It has been suggested that challenge-messages could include a graphic image containing a number that has to be typed into the subject of the response, in order to prevent automatic responding, but this breaks the system for blind users and adds an extra hoop for senders to jump through. While it's tolerable if you only communicate with one or two new people every day, if you're (like me) exchanging emails with many new people every day (if you work in support, for example) then going through a prolonged challenge-response procedure for everyone - or even a fair proportion of senders - would be an enormous pain at best.
When you send an email message to an address that doesn't exist, you receive a "bounce message" back. (If you've never seen a bounce message, try sending an email to "joe@example.invalid" and you'll get one back within minutes.) There's a school of thought that says that if you could somehow send fake "bounce messages" in response to the spam you receive, spammers will remove you from their mailing lists and you'll get less spam in the future. To this end, there are various tools - the most well-known being MailWasher - that will generate such "fake" bounce messages.
The general consensus on news.admin.net-abuse.email is that this is a bad idea. Here's a few reasons why:
There is lots of anecdotal evidence that suggests spammers as a rule are not interested in removing dead email addresses from their lists - for example, The Story of Nadine.
The return address in almost all spam messages these days is forged, probably because the spammer knows his mailing list has lots of bad addresses and he doesn't want the bounce messages to fill up his own mailbox. So any "fake bounce" you generate probably won't reach the spammer anyway.
So at best, your "fake bounce" will hop around between mailservers consuming computing resources before being quietly dropped. However, a lot of spammers forge their spam to look like it came from the email address of a real person - either someone who's annoyed them (e.g. an anti-spammer) or just some poor soul picked at random. So your fake bounce message - together with those of everyone else who uses such a tool - would end up in the mailbox of this entirely innocent third-party. (My own email address has been forged in this way and let me tell you it isn't a pleasant experience - I have no idea how many of the thousands of bounce messages I received were real and how many were fake, but the last thing I'd have needed to receive were even more.)
By examination of the headers and included information in a bounce message, it's possible to make a reasonable inference as to whether it is real or fake. So even if your bounce message did somehow reach the spammer, his systems may well be able to figure out that it's fake and ignore it appropriately.
This will immediately reduce the spam intake of their customers to zero. Unfortunately, it also destroys email as a usable communication medium. In order to prevent this becoming necessary whilst still taking action to reduce their customers' spam levels, many ISPs adopt policies that are midway between blocking everything and doing nothing...
One tactic used by some ISPs to cut down on spam is filtering. The ISP scans incoming mail and any messages that match the pattern of a known piece of spam are discarded. The big danger with filtering is that of false positives; users are unlikely to be very pleased if some non-spam mails are mistaken for spam by the filter and never arrive.
Some of the filtering techniques discussed in can also be applied across an entire I.S.P., although there may be additional risks due to questions of scale.
DCC (Distributed Checksum Clearinghouse) is based upon a very simple idea - if only we knew what email everyone was getting, we could detect what was bulk and what was personal. DCC works by collecting "checksums" of incoming messages (and not the email messages themselves) in distributed databases, and counting the frequency with which each checksum occurs. Using this information, spam can be filtered out. The down-side is that solicited bulk email must be whitelisted or it too will be filtered out.
The DCC code is currently available for a variety of Unix-like systems, and is intended to work best when installed close to the mail server.
Blackholing (or Blacklisting) is a variation on filtering whereby an ISP refuses to accept any email from machines that have a reputation for producing a disproportionate amount of spam. Many administrators have had some success with this tactic, although there are two main problems with it: firstly, someone will have to add more spam-sending machines to their list as more emerge if the effectiveness of the list is to be maintained, and secondly it is hard for the ISP to know when a machine on the list has reformed and is no longer emitting spam.
Of course, with any type of blackholing, any legitimate email from machines on the blackhole list will be lost along with the spam emails.
The main tool for blackholing are so-called DNSBL Lists. These are publically available lists of IP addresses that can be queried using a DNS lookup. There are a wide variety of DNSBL lists listing IP addresses according to various criteria; an individual site will have to choose the services to use based upon their own requirements. It isn't possible for me to discuss or link to every single DNSBL service, but I will cover a few that are most frequently discussed in the newsgroup.
But first, a word of warning. If you configure your server to use an external listing service you are turning over part of the control of your server to that service. You should exercise caution when you do this, and keep an eye on how the list is being used. If you have no means of your own to verify the integrity of the service you should pay some attention to a newsgroup such as news.admin.net-abuse.email or news.admin.net-abuse.blocklisting and be alert for any reports that the service you have chosen has started to slip in quality.
You should also bare in mind that most of these DNSBLs are provided as a public service, but if you don't have a contract with the maintainer they may be withdrawn at any moment. On occaision, withdrawn DNSBLs have been set to reject everything in order to get people to stop using them quickly. Carefully monitor your mailserver and any third-party DNSBLs you choose to utilise.
A few specific DNSBLs are mentioned below, because these are the DNSBLs that are most frequently discussed in news.admin.net-abuse.email. However, there are a LOT of DNSBL services out there, and you would do well to evaluate more than the handful listed in this document before choosing which ones to implement.
There is a sister group to news.admin.net-abuse.email dedicated to discussion of blocklists; news.admin.net-abuse.blocklisting.
Mail Abuse Prevention Systems LLC is a Californian company who were one of the pioneers of DNSBL lists. They offer a number of different services, including the famous RBL (Realtime Blackhole List), DUL (Dialup Users List), RSS (Relay Spam Stopper), and NML (Nonconfirmed Mailing List).
MAPS have fallen out of favour with many regulars of news.admin.net-abuse.email since they stopped making their services freely available. Users now require a static IP address, and need to sign a contract (although there is no monetary fee for individual and hobbiest sites). However, they are still used by many thousands of Internet sites, and have a reputation for causing a minimum of collateral damage.
The Spamhaus SBL (Spamhaus Block List) lists all I.P. addresses belonging to known spammers, spam operations and spam support services. It draws on data from the Spamhaus Project and ROKSO as well as other sources..
The Spam Prevention Early Warning System, or SPEWS, is one of the most controversial DNSBL lists. For one thing the people behind it have chosen to remain anonymous and silent. For another, its policies are surrounded by mystery. It is believed that SPEWS lists spammers and hosts connected with them, presumably based upon some kind of evidence, but the exact criteria they use is uncertain. Mind you, it certainly seems to catch a lot of spam.
SPEWS' website has in the past suggested that SPEWS listings are discussed in news.admin.net-abuse.email, which is why you see so many SPEWS-related threads in the newsgroup. These days, such listings are more properly discussed in news.admin.net-abuse.blocklisting
SpamBag.org publish a list of the parts of the Internet controlled by "anti-social elements" (such as those who send large amounts of junk email), as defined by some very detailed criteria layed out on their website. By blocking traffic from machines on this list, providers can protect their customers from such anti-social elements.
The SpamCop Blocking List DNSBL service is based upon an analysis of the complaints sent through the SpamCop service - the sites that generate the most complaints get listed. While this is a very effective method of stopping lots of spam, it can also result in some alarming mistakes and false-positives, and so this experimental DNSBL list should only be used in caution.
Most blackhole lists try to be as specific as possible with the exact parts of the Internet that they list. However, sometimes an upstream ISP will move a spamming customer around in their I.P. space, in order to avoid such lists, and it will become necessary to list the entire ISP. However, that ISP will have other, non-spamming customers, who will also suffer the ill-effects of being in the list; these innocents have become collateral damage in the spam wars.
Collateral damage is sadly inescapable, and is directly the fault of those companies who support spammers in this way. Organisations and individuals so affected are advised to find themselves a different, more responsible ISP to escape the collateral damage blackhole.
The analogy of living in a slum neighbourhood is often invoked for those innocent people who become collateral damage, and I find it very appropriate. If you live in a bad part of town, you may find that pizzas won't be delivered after dark, taxis won't hang around, and so forth. Similarly, if you live in a spam-supporting ISP then many other organisations simply won't want anything to do with you. Just like living in a slum, you have two options: either help clean up the neighbourhood (persuade the ISP to stop supporting spam) or move somewhere nicer (find another ISP).
What has almost certainly happened to you is that your internet provider, or their upstream, has been facilitating spam or spammers in one way or another. Therefore large parts of the Internet have taken the decision to protect themselves from spam by accepting no email from these providers and all their customers.
You are probably an innocent caught in the middle; you're not a spammer but your email is bouncing and you can't contact your friends or your family or your customers. You're entirely justified in feeling very angry about this.
But the many Internet Providers who are shunning your provider are not the right targets for your anger, and neither are the organisations that recommended that your provider be blocked. Instead, you should direct your anger towards your own provider (or their upstream). After all, its their policies, freely decided upon, that have lead to you being cut off from parts of the Internet. If you have a Service Level Agreement with them then you should study it; if your provider is not providing the promised level of service then you may be able to claim compensation or take legal action against them.
If you can persuade your provider to mend their ways, then you will be on the road to becoming free of the blackholings. Alternatively, your only real option is to move to another, less spam-friendly Internet Provider.
You may wonder why the blackholing can't be made specific to the active spammers of the providers, or why just your own I.P. address cannot be removed from the blackhole. Unfortunately, this is not practical, as too many I.S.P.'s have in the past moved their spammers to new I.P. addresses to help them to evade blackholing. To guard against this, the entire I.S.P. in question is generally blackholed.
Your situation is regrettable, and we all wish this wasn't necessary. We feel much sympathy for you, but ultimately we feel more sympathy for the millions of victims of your I.S.P.'s pet spammers.
Occaisionally, you may encounter some problems because your I.S.P. has assigned you an I.P. address that once belonged to a particularly notorious spammer; such addresses often persist in providers' local blocking lists for months or even years after the spammer in question has departed. Since your address is probably present in hundreds or even thousands of such lists, getting it removed from them all will be a next-to-impossible task, so your best course of action in this case would be to ask your I.S.P. for a new I.P. address (and maybe take them to task for selling you damaged goods).
(You may also want to read the answer to question , which covers this issue from the other direction.)
With difficulty. However, experience has shown that there are a few things that can make a difference...
If an ISP has a reputation for dealing with spammers quickly and decisively, many spammers will avoid them. If spammers are dealt with very rapidly indeed, the ISP may be able to shut down a spam-run before it has completed.
An ISP can have a clause in their terms of service that allows them to charge "clean-up fees" to any customers that send spam. Unfortunately, many spammers sign up using stolen credit-card numbers, and in these cases clean-up fees aren't much of a deterrent. It can be messy to collect clean-up fees, too.
An ISP can implement "port 25 filtering" (see in "Understanding NANAE") to prevent their customers from spamming via open relays. Note that this, however, will prevent their customers from using external mailservers for legitimate reasons too.
An ISP can regularly "port-scan" their users, to check that they aren't running any open proxies or open relays that could be abused by spammers. This is particularly important for so-called "24/7" ISPs, such as ADSL or cable providers.
An ISP can monitor the email traffic generated by a customer. If a customer who hadn't previously sent more than three or four emails a day suddenly sends a hundred thousand messages, for example, it's a fair bet that he's a spammer and it would be nice if there were systems that would inform the ISP and let them take a closer look.
There's no collective answer to this - different people will have different motivations. However, three of the most common ones are:
No. Some anti-spammers own businesses, and most of the rest work for businesses. Anti-spammers are generally NOT anti-business. In fact, many anti-spammers happen to believe that businesses that cannot survive without stealing the computing resources of others (i.e. spamming) should go the way of the dodo. It's called "capitalism".
No. Controlling all email on the Internet, apart from being a practical impossibility due to the distributed nature of the system, would be an extremely big job to undertake purely to satiate a few egos.
Porn isn't what gets anti-spammers hot-under-the-collar; spam is. Anti-spammers are drawn from a surprising cross-section of society and you'll find that they hold wildly divergent views about the contentious issues of the day, pornography included. However, they are drawn together by the simple opinion that spam endangers the email system, which they really rather like.
We have lives. Part of our lives involve sending and receiving email and so we want to protect this when it is endangered.
Sometimes, when reading news.admin.net-abuse.email, you can get the impression that in order to be an anti-spammer you have to be a technical wizard and run your own mailserver. This isn't the case at all, and the point to remember here is that the only people who contribute to highly-technical discussions will be those with highly-technical knowledge, but this doesn't mean that there's not less-technically-minded people reading.
Anti-spammers tend to be drawn from many sectors of life with many different types of knowledge. Some do run their own networks and their own mailservers, but many do not. This FAQ-maintainer, for example, is a Java programmer. Many anti-spammers don't even work in the computer industry; they can be florists or brick-layers, brain surgeons or secretaries. It doesn't matter. The skills needed for most spamfighting are fairly easy to learn and the more voices that are heard on this issue, the better.
So who said we were smart? ;-)
As a problem, spam has not been solved. We will probably never be able to completely eliminate spam from this world, any more than we can expect to eliminate robbery, assault, or bad music. Realistically, our aim must be to reduce the spam levels as much as possible, to a level where it doesn't greatly impinge on the usability of electronic mail.
That's an achievable goal. We aren't there yet, and we have a long way to go, but we've come a long way too. Someday, someway, we _will_ get there.
Had to add a new section about CAN-SPAM
Removed or fixed lots of dead links.
Added links to:
These are all types of email abuse; that is, abuse _of_ the email system. They differ from abuse _on_ the email system (e.g. stalking, sexual harassment) in that they endanger the usability of electronic mail as a communications medium.
UBE stands for "Unsolicited Bulk Email" and is an email message that is:
Unsolicited
i.e. it wasn't explicitly requested by the recipient
and
Bulk (or Broadcast)
i.e. substantively identical messages were sent to a non-trivial number of recipients
To put it another way, UBE is most of the junk email messages that plop into your email box every day. UBE isn't necessarily advertising, and emailed advertising is not necessarily UBE (advertising isn't UBE if you request it, or you knowingly request something that it is attached to, for example), but most UBE is advertising (because advertisers are the ones with the most interest in making you see something you don't necessarily want to).
UCE is often used as an alternative to "UBE" - it stands for "Unsolicited Commercial Email". Which term you prefer is largely a matter of style. UCE is easier to prove than UBE - it's easier for one individual to see if an email is commercial in nature than to see if it is sent in bulk - but UCE doesn't necessarily endanger the email system if it isn't UBE.
Of course, as a spam-victim, you will probably be in no place to judge whether a suspected spam you received really was sent in bulk, as you'll only get one copy of the spam yourself. For the most part, this doesn't matter, as you can make a jolly good guess based upon what it looks like and whether you solicited anything like it. Unsolicited advertising is rarely sent individually. As the saying goes, if it waddles like a duck and quacks like a duck then it probably is a duck.
While almost all UCE is also UBE, the converse is not true - there are whole classes of UBE that are not UCE, such as:
Political - politicians love to make direct contact with the electorate. Many of them will see UBE as an ideal medium for this.
Charitable - the world's worthiest causes need our help. Many charities don't understand the issues surrounding bulk email and might think it'd be okay to send UBE requesting donations.
Religious - there is no shortage of people preaching the end of the world and repentance as the only salvation, and seeing UBE as an ideal way to reach a large number of sinners.
Five minutes spent thinking will throw up plenty more examples.
SPAM is a tasty luncheon meat produced by Hormel (). Spam (note capitalisation differences) is a colloquial term with a large and sordid history; in news.admin.net-abuse.email it is generally used as a synonym for UBE or UCE.
The subtle differences between these terms can be confusing, but for the most part UBE and spam can be equated and UCE considered a subset of them.
Other people may have different definitions. For example, some maintain that spam is any unsolicited, non-personal email. Most definitions are broadly compatible but differ in a few places around the edges.
Many spammers (senders of spam) try to equate junk email with junk postal mail. However, there are several important differences:
Junk postal mail is free to the recipient, whilst junk email must be paid for by the recipient. (Many people pay per-minute for Internet access, and spam means more mail to retrieve means more time online. Also, many ISPs have had to install extra capacity and employ extra staff in order to cope with spam, the money for which is raised by increased subscription charges for the subscribers.) Junk faxes are a better analogy than junk postal mail.
Junk postal mail won't stop your legitimate mail from being delivered. However, many people still have limited sizes (quotas) of emailboxes; the more spam that they receive the less space there is for legitimate email. And if their email box is full of spam, any legitimate email sent to them will be lost. Junk email can also cause loss of legitimate email by overloading mailservers.
Junk postal mail scales, because there is a significant cost for sending each individual junk mail - i.e. the cost of printing, the cost of the paper, the cost of postage, the cost of the envelope-stuffer to put everything together. This forces the junk mailer to send only to a relatively small number of people - it simply isn't economical to send mailshots to everyone in the country. In contrast, junk email is nearly free for the sender, which means that it doesn't scale. There's nothing to discourage every business in the world from sending spam to every person in the world.
Sound silly? Think about it for a minute... imagine you're going to send a junk email advertising your pizza parlour in New York, and you've got a list of email addresses for people all over the world that you've harvested from newsgroups/bought on a CD/whatever. How long will it take to extract from the list just the ones in New York? In fact, how long will it take to just weed out the non-American addresses? How much will it cost? A lot, a LOT more than it'd cost just to send your spam to every address on that list, local or not. So which option do you choose; the expensive one or the cheap one?
Now imagine that, say, 10% of the other businesses in America are doing the same thing. How many junk email messages do you think the average Internet user would receive every day if this happened? The answer is in the thousands.
Many people feel spam to be a violation of their privacy. Many people are now too afraid of getting more spam to use their email address in public - which is clearly not a good situation as these people are being driven away from the kinds of social intercourse the Internet had grown to facilitate. People's trust in the system has been broken down by spam.
So spam is a bad thing. And that's not even considering all the other problems associated with spam (crashed mailservers, scams, pornography adverts sent to children, etc)...
As we explained above, spam is Unsolicited Bulk Email. However, when spam is discussed the emphasis is often on the "Unsolicited" - which can lead people to conclude, quite logically, that anti-spam efforts would prevent sending any email which wasn't explicitely asked for. So you wouldn't be able to send a birthday greeting to your auntie in Australia, or a private email to someone you know from a newsgroup. But this just isn't so.
But remember that the "Bulk" part of the definition - in neither of these cases would the message be sent in bulk, and thus it wouldn't be spam.
Of course, just because an email isn't spam doesn't mean that it will be welcomed by the recipient - just that it isn't abusive of the structure of the Internet.
(For simplicity, I'm not going to cover ideas like sponsorship of Internet newsletters and the like, which, while technically advertising by email (and IMHO very good ideas), aren't really relevant to discussions on spam.)
You have two choices:
You can send an advert to the email addresses of people you are _sure_ have explicitly requested this advertising. This list could have been assembled by your company or it could be managed by another company who will handle sending the advert to the list for you.
Or you can send spam.
It's as simple as that.
Because most spammers are selling pirated software, sleazy pornography or sex-aids, or obviously illegal scams such as pyramid schemes, or cheap goods that may well have fallen off the back of a lorry, some people think that's it okay to spam if you're a legitimate mainstream company selling a product that is both legitimate and not sex-related. This is an incorrect assumption; the spam issue is about Consent Not Content. Whether promoting pornography, copyright violations, t-shirts, pizzas, medical services or books, spam threatens the Internet in exactly the same way, and if you don't have verifiable consent to send bulk email to every address on a list, you shouldn't send it.
No. There are several big problems with "remove" lists:
They have an inhumanly bad reputation because people have found that, on average, trying to be removed results in them being _added_ to more spam lists.
Trying to get on the "remove" list of every company out there just isn't practical.
Even if an email address gets removed, what's to stop it being added again later?
The technical term for using a remove list is "opt-out", which will be discussed in more detail later.
Still no. A "global" remove list (i.e. one remove list used by everyone) sounds okay to start with, but when it's been tried, there have been problems:
All too often, when spammers have got hold of the "global remove list" they've used it as a spam list - i.e. they've purposely spammed the email addresses on the global "remove" list! This is because, of course, each and every address on the global remove list is a confirmed "real" email address being read by a real person.
To be effective, a global remove list would have to allow entire domains to be added. For example, anything sent to <anything>@twinlobber.org.uk will end up in my mailbox - if I wanted to be on the global remove list, would I have to add every single possible twinlobber.org.uk email address (of which there are an infinite number)? Yet if you do allow domain-wide opt-out then immediately most ISPs will opt out all of their customers, which would render this solution unattractive to much of the Direct Marketing (junk mail of all varieties) industry.
Many people object to the principle of the thing. I didn't ask to receive spam, so why should I have to make the effort to be "removed"?
Around 1998, there was a "spam summit" between a group of leading antispammers and representatives of the Direct Marketing industry. One of the results was an understanding between the two sides to develop a global remove list. This caused mass controversy in the anti-spam newsgroups, which quickly subsided as the Direct Marketers allegedly reneged on every commitment they had made.
Opt-Out email marketing is similar to spam with a remove list. A company collects email addresses, sends as much advertising to them as they like, but have to remove an email address if its owner asks them to ("opts-out").
Opt-In email marketing is a system in which companies send advertising to lists of email addresses to which people are only added if they explicitly consent. Note that opt-in consent to be added to a mailing list should only be considered as consent to be added to _that_ mailing list, and not consent to be added to any other mailing lists as well.
Verified Opt-In (sometimes known as Confirmed Opt-In or Complete Opt-In) is a system by which people have to "confirm" or "verify" their wish to join a mailing list if the initial request came through a non-secure channel - e.g. an email message (the sender can be trivially forged) or a WWW form (ditto). The confirmation typically takes the form of an email message containing a unique token or URL; the recipient must reply to the message or visit the URL to confirm that they really do want to be on the mailing list.
Double Opt-In is the Direct Marketing community's name for Verified Opt-In, reflecting their belief that this makes it too difficult for people to join mailing lists.
However, many believe that Verified Opt-In is essential for these reasons:
With Unverified Opt-In, anyone can "opt-in" someone else to a mailing list. (There is a common revenge tactic, known as a "list-bomb", in which you subscribe someone to a few thousand high-traffic mailing lists and watch their email box die.)
People do mis-type their email address; by verifying it you can avoid spamming an innocent third-party. (See The Story of Nadine for an example of this.)
Given all of this, it is impossible to tell the difference between Unverified Opt-In and Opt-Out. If you receive an advertisement supposedly sent to a "100% opt-in" mailing list when you know you haven't opted-in, the list-owner can just say "someone else must have signed you up; here's how you can remove yourself" when you challenge them about it. Are they being honest or are they opt-out spammers? If the list is run using Verified Opt-In procedures, this situation is impossible.
Opt-out is, by the way, an important component of opt-in; it should be possible for a person who has opted in to a mailing list to opt out of it at some later date. This tends to preclude opt-in lists from being passed from party to party - if you send a copy of an opt-in list to a third party, and subsequently one of your subscribers wants to be removed, how can they also be removed from the copies of that list held by the third party and anyone they might have passed the list to?
Many proponents of opt-in email marketing have stated that it produces a vastly superior response-rate than purely opt-out email marketing.
Other people will have their own definitions of these terms which differ somewhat from those I've described here (e.g. ). As ever, the FAQ-maintainer advises you to read around.
Always a good favourite for an involved discussion is just what opt-in means beyond the typical setup of a mailing list. Let's look at a few examples:
Example.com is an ISP that decides to send regular advertising messages to their customers. Is this spam?
No, it's not spam because they own the email addresses. Their customers are perfectly free to opt-out of this advertising by finding another ISP. Example.com may choose to run a traditional opt-out system with a remove list for customers who don't want to receive this email, or they may decide not to.
But is this opt-in or opt-out? IMHO, it's certainly not wrong so it doesn't really matter.
Example.com is an online shop that decides to send regular advertising messages to their current and past customers. Is this spam?
This is a good one. Does the existence of a past relationship imply a solicitation of future promotional material by email? Various online shops have dipped their toes into this water and some have jumped straight in, but the consensus of opinion on this newsgroup is that it is spam... _unless_ the online shop made it clear to you at the time they acquired your email address that you would receive such promotional material.
But is this opt-in or opt-out?
As written above, it's clearly not opt-out, as the buyer doesn't have a method of stopping the flow of mails. Is it opt-in? Well, if the buyer knew the promotions would be arriving before they signed up then they certainly opted-in at that point, but this takes no account of the fact that the buyer may well change their mind later. Opting-in shouldn't be considered as permanently binding unless this itself is explicitly stated.
Example.com is an online shop that decides to send regular advertising messages to their current customers. But they don't want to spam, and want to be ethical, so they put a notice about the promotional emails in a small typeface at the bottom of their order form and supply a selected box that the buyer can deselect if they don't want to receive the promotional emails.
There are two opposing viewpoints on this issue:
The order form clearly explains about the promotional emails and tells the buyer what to do if they don't want to receive them, and everyone should read the entirety of a page before they input any of their personal details into it, so this is okay.
The order form is clearly structured in the hope that the buyer will fail to notice the explanation about the promotional emails, and in the event of this happening, the form is set up (checkbox ticked by default) so that the user's consent will be presumed even if the it wasn't explicitly given. This is not okay.
There is no clear consensus as to which of these viewpoints is correct. As ever, you should consider the issues involved, sample the debate on both sides, and make up your own mind.
Example.com is an online shop that decides to send regular advertising messages to their current customers. But they don't want to spam, and want to be ethical, so they put a notice about the promotional emails at the bottom of their order form and supply a box that the buyer can select if they want to receive the promotional emails.
In this case there is no controversy; positive action is required by the user to "opt in" to the mailing list, and if the buyer fails to notice the request for this action then it is assumed that he/she has not consented. This is opt-in, pure and simple. And because there's no attempt to trick the customer into receiving the promotional emails, they'll generally be better received, which means that the recipients will be more receptive to example.com's email promotions than would otherwise be the case.
There are a number of possibilities:
What you bought wasn't a real opt-in mailing list. Be especially beware of lists that claim to be "targeted" or offer "qualified addresses" or "screened contacts".
The people on the mailing list had opted-in to mail from the list's original creator, but not from you. This is very common.
The people may have opted-in to the list but then opted-out of it between you receiving the list and you sending your email. This is why opt-in email lists shouldn't be passed around or sold.
The people complaining have forgotten that they signed up to the list. You or your list-supplier should be able to prove that they did sign up; however, some may still fail to believe this even when confronted with the proof. This is not uncommon.
In any of the first three cases, I suggest you take it up with your list supplier... and bin that dodgy list now. In general, it is always good practice to ensure that you know exactly where the email addresses on a mailing list came from before you undertake to make use of it.
Ah; a tough one. There are two schools of thought on this:
Sending more email to that old list will be spam. Throw it away immediately, start a new list and put information about it prominently on your website.
Okay, just this once. But make sure you throw away the dirty list after the mailing and build a new one containing solely the verified opt-ins that result.
Again, think things through for yourself, weigh up the pros and cons, and make an informed decision.
Yes. Email is by no means the only way to market online, just as postal mail isn't the only way to market offline. From banner ads through sponsorship and the like, to attention-gathering innovation, there's a whole host of ways you can market. Here's just a few links to get you started:
Let me put it this way; if:
The reputation of your business has no value to you,
Being kicked off the Internet and turned into an online pariah will not inconvenience you,
You only need make a tiny number of sales to make a profit,
You aren't worried about any existing or future anti-spam legislation,
and You have no moral scruples whatsoever
Then it may be possible to make money using spam. Maybe. Perhaps. If you're lucky. That's why you receive spams from people selling spamware for ridiculous prices; people buy spam-sending software and find that all it's really good for is selling itself. After all, spamware doesn't have a reputation to worry about, as it's lower than mud already.
Think carefully before you start down the spam road, as it won't be easy to turn back. Sanford Wallace (see ), for example, still has an immensely poor reputation as a result of his spamming antics in the mid-1990s.
Perhaps. It depends on where you live, and may depend on certain interpretations of certain laws. I Am Not A Lawyer, but the spam laws website seems like quite a good resource for finding out about specifically anti-spam laws:
Many contend that spam is "theft by conversion" (because the spammer is "stealing" your resources to send his spam) and "trespass by chattel" (because the spammer is gaining entry to your computer (your mailbox or mailservers) against your will). These issues are beyond the legal expertise of this FAQ-writer, so if anyone can supply links to some discourse on these matters it would be appreciated.
Spam may also form a Denial of Service attack if it is sent in sufficient quantity (it can cause legitimate email to be lost as mailboxes fill with spam, can cause the network to slow down, and can even crash mailservers). This may be a crime in your locality.
Spam which forges header information to appear as if it's from another entity is very probably illegal in your locality, and it is in this area that most successful court actions have thus far taken place. Yahoo, for example, won a well-publicised court case against spammers who had forged "yahoo.com" in their spams. In another case, the owners of "flowers.com" successfully sued some spammers who had forged their domain. Here's a few links about this affair:
Spam which contains content that's illegal in your locality is, of course, illegal. But in this case it's illegal not because it's spam, but because of what it is, and thus this isn't a spam issue.
I'm guessing you've seen something like this in a lot of spam messages:
Under Bill s. 1618 TITLE III passed by the 105th US Congress this letter cannot be considered spam as long as the sender includes contact information and a method of removal. This is a one time e-mail transmission. No request for removal is necessary.
What happened was that a few years ago Senator Frank Murkowski (R-AK) championed a spam law that was widely panned by most anti-spam activists as being an effective green light to spamming. The bill, as it happened, died in Congress (i.e. the 105th US Congress ended before the bill could become law). That's why in all these disclaimers, it's called a "bill" - not a "law".
So no, there's no American law legalising spam. Almost all of the spam that quotes this disclaimer doesn't comply with the terms of the bill anyway. If you're interested you could have a look at the text of this bill; technical reasons prevent me giving a direct link but go to and enter "S. 1618" in the "Bill Number" field, then select either the version passed by the Senate or referred in the House.
Senator Murkowski recently championed another spam-related bill. More information is available at:
In one of the charming acronyms of which the U.S. legislature seems so enamoured, the full title of this one is "Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003". It has been dubbed the YOU-CAN-SPAM bill in many anti-spamming circles due to a general disgust with its measures.
Unlike the Murkowski bill, this one did become law; it was passed by the U.S. Senate on 25th November 2003, agreed by the House of Representatives on 8th December, and signed by President Bush on 16th December. It takes effect on January 1st 2004.
The law makes it an offence to falsify message headers and sue deceptive subject lines in spam, and requires the use of appropriate warnings in commercial email of a sexual nature. However, it rescinds the much tougher anti-spam laws of several U.S. states, and includes no right of private action; only ISPs will be allowed to pursue spammers. It has been speculated by some that this is an attempt, encouraged by bulk mailing firms, to clear away the current slew of porn-spammers and "chickenboners" and leave the ground clear for so-called "honest spam" from big companies.
Only time will tell the true effects - if any - of the CAN-SPAM law, but an Internet search on CAN-SPAM will find you lots of speculation, both informed and uninformed.
No. Sanford Wallace and Cyberpromo tried to argue this in court back in the mid-1990's, but the courts ruled against them. As I understand things, freedom of speech gives you the right to speak but not the right to force people to hear you. Plus it only affects the right of government to restrict speech, and doesn't extend to private entities such as ISPs. (But I am not an American and I am not a lawyer.)
For more information, see:
Many of the denizens of news.admin.net-abuse.email will be only too happy to furnish you with legal advice on any spam-related issues. However, you should remember two things:
Laws differ between localities; the law in, say, Mississippi may not be identical to that in, say, Quebec.
Free legal advice is worth exactly what you paid for it.
Should you really need legal advice, this FAQ-maintainer suggests that you seek the paid hours of a trained professional.
Incidentally, these points apply also to this FAQ. The FAQ-maintainer is not trained in law and the descriptions of legal issues are merely the way this untrained monkey believes things to be.
There is a popular stereotype of spammers as penniless, jobless wasters who dream of making it big and meeting a girl (see also in part 3 of this FAQ, "Understanding NANAE".) While some spammers are undoubtedly like this, many are not. In fact, spammers aren't all that different from normal, regular people. In fact, spammers tend to _be_ normal, regular people. Spammers can come from any walk of society; so suit-wearing businessmen can be spammers, caring mothers can be spammers, your granny can spam and so can a kid wearing a baseball cap backwards.
And not all spammers are fly-by-night one-man businesses either; some large companies have been known to use spam. In general the stereotypes, while amusing, can distract us from the important business of dealing with spammers as fellow human beings.
Despite our best efforts, some spammers do manage to make money from this business. You only have to contrast the kind of prices some professional spammers charge (a randomly chosen spammer charged $375 for a 500,000-address spamming) for their spam runs, with the cost of the resources they need (a dialup account, a piece of spamware and some harvested email addresses) to see that they're still laughing all the way to the bank even if they only ever have two or three customers.
And the authors of spamware do pretty well for themselves too. The kind of prices they charge ($299 for Desktop Server 2000!), for what are pretty simple programs, mean that the only way they can fail to make a profit is if they don't sell a single copy.
Other spam-support services must be similarly raking it in. www.bulk-isp.net for example charges $300/month for a (supposedly bulletproof) email account. Now admittedly I'm not privy to their hosting costs, but I can't believe they're not making a pretty packet out of that.
And of course there's the horde of other scams that take place over spam, from the world of "Pump & Dump" share scams (see in "Understanding NANAE") to the good old favourite "You send us the money and we don't deliver the goods!".
Just about the only people I'm not so sure make money from spam are the businesses that have their websites advertised by spam ("spamvertised"). Are the few hits they'll gain from this really worth the pain and the damage to their reputations that the spam will cause? In many cases, I doubt it.
Would that the world were painted in black and white. Anti-spammers on one side, spammers on the other; a unanimous cheer would go up as we metaphorically malletted the spammers one by one. Unfortunately, it's not that simple.
It's not uncommon for otherwise good people to spam because they've been sold a service by an unscrupulous spammer. "I'll send your message to a list of 500,000 opt-in email addresses I've assembled", the spammer will say. Or maybe it's "Nobody minds getting email like this." Perhaps they've been sold on the "It's just like junk postal mail" rhetoric. Whatever the specifics, someone somewhere has sold them a boatload of lies and now they've spammed, and their business is paying the price. "What's happening? That nice Mr Spammer said nobody would mind getting our emails. After all, everyone else is doing it," they will cry.
Such people aren't the enemy; they've been wrongly advised, so now's the time to gently tell them the facts of the matter. Most people in such situations see very quickly the problems of spam and are undoubtedly feeling the extremely negative impacts on their business. They may even be able to help you to track down and eliminate the spammer who took advantage of their innocence.
Right. You've got folks selling apricot seeds as the cure for cancer, envelope-stuffing as the way of the future, viagra as the elixir of life, and information about anyone. Spammers are advertising porn to children, US dentistry in the UK, and "We'll remove you from credit blacklists!".
And even if you go beyond the obvious scams, lots of spammers are still knowingly stealing our computing resources to send their adverts, clogging up our mailboxes with their rubbish, lying, and cheating to get internet accounts.
Yup, there's a whole lotta scumbags out there.
The Direct Marketing Association; a trade organisation and pressure group for the junk mail industry. Some parts of it are pro-spam; some parts of it are anti-spam; some parts of it don't give a damn. (Hey, I made a rhyme! :) ) For more information see:
While the DMA claims to be international, many countries have their own groupings of direct marketers, such as:
CAUCE (Coalition Against Unsolicited Commercial Email) is an all-volunteer organisation created to advocate legislative solutions to the spam problem. CAUCE's website includes a look at the anti-spam legislation currently worming its way through the U.S. legislature. In addition, there are European, Australian and Indian versions of CAUCE.
MAPS (Mail Abuse Prevention System) LLC is a not-for-profit organisation which has, in recent years, become an important combatant in the battle against email abuse. Amongst other things, MAPS publishes non-definitive lists of IP addresses classified according to various criteria. It is commonly believed that many Internet Providers and others use some or all of these lists, in a variety of ways, in order to reduce the amount of spam received by them or their customers. More information on MAPS can be found on their website at .
Rewritten section about honeypots.
Removed or fixed lots of dead links.
Added links to:
The short answer to this is: abuse of the email system. Please note the terminology here; abuse _of_ the email system is anything that endangers the existence or widespread usability of the email system. Most of the discussion in news.admin.net-abuse.email is concerned with spam, as this is, by far, the most prevalent abuse of the email system in recent times, but discussion of other abuses (e.g. mailbombing) would be on-topic.
However, issues like electronic stalking and sexual harassment by email are not on-topic, as they are abuse _on_ the email system. This means that, while these things are undeniably abuse, they don't threaten the survival of email as a communications medium. There are other newsgroups far more appropriate for discussions of these issues.
Yes. There is no prerequisite in terms of technical knowledge or spamfighting success for contributing to this newsgroup. Everyone is welcome! Even spammers are welcome to post their views, so long as they don't mind hearing a few conflicting opinions.
I advise newcomers to this newsgroup not to believe everything you read. Before making up your mind on any issue, read around and see what makes sense TO YOU. There are a lot of knowledgeable people in this newsgroup, but also a lot of people talking about things outside their knowledge, and a few people who aren't above deliberately mis-representing the facts to fit the stories they want to tell. My advice, which I repeat throughout these documents, is to take everything with a pinch of salt, read as many different views as you can, and form your own opinions.
If there's anything you don't understand, feel free to ask. But think carefully about what answers you choose to believe; adhering slavishly to the dogma of "accepted wisdom" in any newsgroup is not a good idea.
Let's hear it! People on this newsgroup don't have all the 7answers, so if you think your idea has merit, we want to hear about it. Fighting spam in the same way every day, it's easy to get tunnel vision and to overlook new possibilities. "Out-of-the-box" thinking is ALWAYS welcome.
The absolute worst that can happen is that people spot a hitherto-unseen flaw in your idea and think that it won't work. There's absolutely no shame in being wrong. But don't let anyone tell you that you're wrong unless they can CONVINCE you that you're wrong.
A few people may decide to flame any newcomer who posts an idea. This is an unfortunate fact of life on Usenet, and my advice is to ignore these people. After all, it's always easier to criticise than create.
Ah. Because some people don't like the fact that we fight spam, this newsgroup is occaisionally subjected to attacks by people trying to shut us up.
One form of attack is the cancel attack, whereby the attackers cancel lots of our posts. Fortunately a bot called Dave the Resurrector (see ) is always running and when it detects such an attack it will repost the articles removed. This does mean that you might see an article more than once, but that's generally considered to be better than never seeing it at all.
The other type of attack is the posting of hundreds or even thousands of nonsense articles in an attempt to drown out conversation (a "flood"). These articles are generated by a program that makes them look enough like genuine articles in the hope that they'll evade filters whilst still being total and utter gobbledegook. Such attacks are generally attributed to the entity "HipCrime" (a leading Usenet terrorist), although whether they are perpetrated by the real HipCrime or just someone using the software he wrote is unclear (and probably not very interesting).
If your newsreader is able, you can often filter out HipCrime's spew a few hundred articles at a time by filtering on the NNTP-Posting-Host: header; the articles are almost always emitted through open news servers. For those who cannot, several people have recommended the program NFilter, which sits between your newserver and your newsreader filtering out the stuff you don't want to see.
More recently HipCrime has taken to injecting his postings through open SOCKS servers in order to evade NNTP-Posting-Host filtering. If you have the ability, you can still evade the great majority of his flooding by filtering on the Path: line. Alternatively, many news hosts have got rather good at filtering out his floods; so nag your newserver admin or, if you can afford it, you could try a dedicated news service like Newsguy for a (reasonably) spew-free news.admin.net-abuse.email.
HipCrime's latest tactic has been to flood other newsgroups with the follow-ups set to news.admin.net-abuse.email, in the hope that lots of people will reply to his floods and flood NANAE with their follow-ups. I advise that you don't reply in the newsgroup to anyone who replies to HipCrime's nonsense postings if you haven't seen them in here before, as likelihood is they don't read news.admin.net-abuse.email and don't realise where their posting has gone.
The most recent tactic that HipCrime (see ) has adopted in his/their campaign against news.admin.net-abuse.email is to post in other newsgroups articles which are either derogatory to America or pretending to be encoded messages for terrorists. The follow-ups for these articles are set to news.admin.net-abuse.email, with the intention that when the denizens of these newsgroups reply in understandable indignation, their replies all go into news.admin.net-abuse.email and drown out other conversations.
In any discussion forum, conversations will wander from the point in hand. In news.admin.net-abuse.email this is broadly tolerated as a certain degree; it allows us to form more rounded impressions of the participants and gives a greater understanding of how the issues of email abuse sit within the wider scheme of things. Sometimes, a new and relevant insight can spring from discussion of a seemingly unrelated point.
However, too much off-topicality annoys people, and with good reason. We come here to discuss email abuse, not your goldfish or the state of your front lawn. So you should think carefully before making any off-topic postings. If an off-topic discussion has gone on for a while, or is likely to, or is attracting lots of articles, then it will be wise to consider moving it to a different, more appropriate newsgroup or mailing list.
As a courtesy to others, you should always mark any off-topic postings with an [OT] in the subject line, so that anyone not interested in the off-topic stuff can easily filter it out.
Many recent computer viruses have used email as a transmission medium. This often involves the virus hijacking the infected computer to send Unsolicited Bulk Email to infect more unsuspecting victims (usually the people in the first victim's address book, or, in some cases, the owners of any webpages they have visited recently.)
Theoretically, as such virii abuse the nature of electronic mail to spread, discussion of them would be on-topic in news.admin.net-abuse.email. However, there are a number of codicils to consider:
Email-borne viruses have little in common with other forms of spam. The objectives are different, the method of sending is different, and the ways to counter them are all different.
Compared to specifically anti-virus forums, there is not currently a great deal of anti-virus expertise in news.admin.net-abuse.email.
In short, there are many forums more appropriate than news.admin.net-abuse.email for discussing computer viruses, e.g. alt.comp.anti-virus
The excellent newsgroup archiving service at archives news.admin.net-abuse.email along with almost every other textual newsgroup. If groups.google.com claims otherwise, check you've spelt the newsgroup name correctly - in particular, check you haven't put a hyphen in the word "email"; it's "news.admin.net-abuse.email" not "news.admin.net-abuse.e-mail".
This issue is all about where, when you follow up to an article on a newsgroup, you should write your reply. When "Bottom-posting", you quote the article you're replying too, then write your reply afterwards. When "Top-posting", you write your reply and include a quotation of the article afterwards. Fans of top-posting point to the fact that this allows readers to read the response without having to scroll, and that it's easier to write because some news-reading programs automatically put the cursor at the top of the article. Fans of bottom-posting point out that newsgroup articles aren't always read in the order in which they are posted, so it makes sense to quote what's being replied to before the reply, so that the reply can be easily understood.
People get very passionate about the top-posting versus bottom-posting issue, and to my mind they miss the point. Quoting and replies should be "In-Context"; that is, your point should be placed immediately after the point you're responding to. This is different from Bottom-posting in that it's rare you should quote very much of the article to which you're responding; if anyone reading it has to scroll down to reach the first line of your response, you're quoting far too much! If there's any parts of the article you aren't responding to, you should trim them out; anything else is just a waste of bandwidth.
Let's look at an example of a reply to an article in each of the quotation methods. First of all, top-posting:
Now, the same thing in the bottom-posting style:
In both of these examples we can discern the meaning with a little work, but it's not exactly obvious in either case. But let's see the same thing with a little bit of trimming and in-context quotations.
I know which I think is more readable.
Over the years, news.admin.net-abuse.email has evolved its own dialect of abbreviations and terminology that can be quite confusing for new readers. It is, however, not intended to exclude newcomers, and in this section I will aim to explain the most commonly-used terms.
nanae (sometimes capitalised NANAE) is short for "news.admin.net-abuse.email" - in short, the newsgroup this FAQ is for.
nanau is "news.admin.net-abuse.usenet" - a newsgroup for discussing usenet abuse including newsgroup spam. It can be a slightly rougher place than NANAE, populated as it is by people with radically different principles on what Usenet should be like, as well as people who are just there for the rough-and-tumble.
nanas is "news.admin.net-abuse.sightings" - a newsgroup for posting sightings of Internet abuse. See section in the first part of this FAQ, the "Spamfighting Overview".
nanab is "news.admin.net-abuse.blocklisting" - a moderated newsgroup "devoted to discussion of subjects related to the use, administration, and effects of blocklists in ameliorating the problem of unsolicited bulk email and other unwanted or abusive network traffic".
SPAM-L is a mailing list dedicated to spamfighting and discussion of spam-prevention measures. See for more details.
The term is inspired by a Monty Python sketch in which a group of Vikings chant "SPAM! SPAM! SPAM!" repeatedly, drowning out the conversations around them. (A bit like the way spam threatens to drown out our own electronic conversations.) It has been applied to a number of different mediums over the years, most notably "newsgroup spam", and is now being used for "email spam" too.
LART = Luser Attitude Readjustment Tool. It can be used as a noun (in which case it's something that hopefully causes the victim to re-evaluate their opinions by means of a short sharp shock) or a verb (in which case it means to apply a short sharp shock). Most often used as a euphemism for sending complaints to an ISP, as in "I've just LART-ed that spammer".
One example of a Luser Attitude Readjustment Tool is a mallet (a hammer with a big wooden head), which is metaphorically used on a spammer's genitals when his account is cancelled. In male spammers the result of this manner of LART-ing is sometimes described as "testicular malletosis".
Another example is a "clue-by-four"; a large wooden board (or baseball bat) with which spammers (or just those in urgent need of re-education) are metaphorically whacked.
"ack" is short for "acknowledgement", and usually refers to an acknowledgement that a complaint or LART has been received by an ISP.
An "auto-ack" is an acknowledgement that is generated automatically. For example, many abuse departments have configured their systems so that a standard acknowledgement is sent upon receipt of any complaint, explaining that the complaint has been received and will be dealt with when they have the time.
Auto-acks are called "auto-ignores" when it is believed that the sending of the auto-ack is the _only_ action that will be taken in response to the complaint.
Listwashing is the process of removing unproductive addresses from a mailing list. It could for example be removing addresses in a "global remove list", but often it takes the form of spammers removing complainers from their lists. (Until, of course, their addresses get harvested again.) At best, listwashing is a form of opt-out (see ), with all the problems that approach carries.
If a provider is insisting that you give them the exact email address that received a spam, it's probable that they're helping the spammer with their listwashing.
An account you don't intend to keep beyond the immediate future. Often used to refer to "throw-away" dial-up accounts that spammers open with no intention of them existing beyond the end of one spam run, but is sometimes also used in the context of "throw-away" email addresses - that is, email addresses, often from a free provider such as hotmail.com, that you intend to use merely for communicating with one party (often a spammer or suspected spammer) for a short period of time, and will afterwards throw away. The motivation for this could be to not endanger your "main" emailbox should the spammer decide to mailbomb you.
It's not there anymore. 404 is the number of the HTTP error message "Not Found".
Note that occasionally spammers design their webpages to look as though they're 404-compliant (especially for surfers who have disabled JavaScript) when really they're not. Take care. In these cases, your browser's "view source" feature is your friend.
TOS = Terms of Service. AUP = Acceptable Use Policy. These are documents that are published by an ISP describing what users are and are not allowed to do on their systems. The AUP or TOS of most ISPs will explicitly state that their users must not send spam.
Spammers often advertise "bulletproof" web-hosting or email-hosting. What this means is a spam-friendly (the term in spammer circles is "bulk-friendly") ISP guarantees not to cancel the "bulletproof" account no matter how many complaints they receive about it.
A spamhaus is an Internet provider that seems to exist for no reason other than sending spam and/or providing spam support services. Note that the plural of "spamhaus" is "spamhausen" and not "spamhauses".
Towards the end of the year 2000, it became clear that some major ISPs had signed contracts with spammers that included clauses permitting the spammers to _not_ abide by the anti-spamming portions of the ISP's Terms of Service. When these came to light, anti-spammers dubbed them "pink contracts" (because SPAM is a pink luncheon meat) and the ISPs almost universally proclaimed that they had been signed by low-level marketers and would not be binding. These statements were not entirely believed by many in the anti-spamming community.
Software designed primarily for the sending of spam. It can often be distinguished from legitimate bulk email software by the presence of tools for abusing open relays or open proxies, or for obfuscating website addresses, or for harvesting or de-munging email addresses, or for managing a "remove list" or a "flamers list", or tools for hiding the source of the message, or indeed the presence of any features that are needed for spam but not for legitimate opt-in bulk email.
Mainsleaze is when a well-known, mainstream company starts to spam. They quickly find themselves associated in the minds of their victims with the sleaze of the spam world and then people don't trust them anymore. Such companies often quickly come around to the idea that spam is bad, but it can take years to re-build the trust of their customers.
TRUSTe is a programme for reassuring web site visitors about online privacy. The idea is that vendors which adhere to TRUSTe's principles regarding disclosure of personal information sales, opt-out options (if any), and personal information protection get to display a TRUSTe privacy seal. Web site visitors will thus know that they can find out just what the site will do with the visitors' personal data obtained through the web site, and use that disclosure to make a more informed decision about whether they wish to provide accurate information, or any information at all.
In news.admin.net-abuse.email, TRUSTe's reputation is something of a joke. It is widely believed that TRUSTe is unlikely to revoke its privacy seal even when a site breaches its privacy policies. There have been numerous alleged cases in the past (such as when RealNetworks started spamming) when TRUSTe failed to do so.
These are regular expression replacement instructions, as used in Unix utilities like sed. For the most part they're fairly simple to understand; just substitute the second expression (the "somethingelse") for the first (the "something") in the text above it. For example, the following follow-up to an article:
should be read an instruction to replace "wonderful" with "horrible" - ie the writer is saying "This FAQ is a horrible thing".
When you press delete (or backspace) on your keyboard, it deletes the previous character, right? Well, imagine it didn't... or at least, it did but the deleted character didn't disappear from the screen and instead a ^H appeared after it. Well, this is how the old CP/M word processor Wordstar worked, and the behaviour persists in some terminals. So, you'd be trying to type:
But you'd get half-way through it and find that you'd hit one wrong key, e.g.:
What do you do? You hit delete three times, giving you:
Then type the correction, imagining that the last three characters were deleted. So in all you'd see:
But when you hit return, the computer would actually see:
Because you deleted the "lat". Clear?
Well, that's the background. In a newsgroup posting, ^H can be read as the author hitting the delete key in an effort to erase a "mistake" which was usually put there for humour value. ^H^H can be read as an attempt to delete the last two characters, and so forth.
Similarly, ^W can be read as an attempt to delete the last word, e.g.:
(Hmmm... does anyone know of a website explaining ^H and ^W that I could link to?)
Not "what"; "who". Afterburner was the abuse admin at erols.com, which has since become part of rcn.com. Apart from being very good at his job, he is famous for his witty and sadistic lines in account cancellation messages, and for calling his subordinates "Minions" and requiring them to take unpronounceable names. :) His own name is often abbreviated to "AB".
Joey was a spamfighter from Australia who was sued by some Australian spammers in late 2002. The spammers claimed that Joey had got them erroneously listed by SPEWS (see ). Unsurprisingly, given that they had no evidence and admitted in court that they sent spam, the spammers lost. They initially decided to appeal, but withdrew and the affair has now ended.
A nonexistent attorney (or other lawyer) with whom a spammer will threaten you, but who will never be seen, usually because he doesn't exist or isn't really an attorney.
Sometimes spammers claim a "right" to spam, on the grounds that spam is protected as free speech. Or, as one spammer memorably mis-spelt it, "free speach". These days "free speach" is used to refer to this mythic right, with the mis-spelling retained to differentiate it from actual free speech rights.
This spelling is sometimes further mutilated into "frea speach" in order to emphasize this difference.
The act of faking a spam so that it appears to be from an innocent third party, in order to damage their reputation and possibly to trick their provider into revoking their Internet access. Named after Joes.com, which was victimized in this way by a spammer some years ago.
A "Murk" is a disclaimer in a spam email that claims it abides by the dead Murkowski anti-spam bill of a few years ago. E.g.:
Under Bill s. 1618 TITLE III passed by the 105th US Congress this letter cannot be considered spam as long as the sender includes contact information and a method of removal. This is a one time e-mail transmission. No request for removal is necessary.
The presence of a Murk is 100% proof that a message is spam. Note also that most spam featuring this disclaimer doesn't comply with the provisions of the Murkowski bill anyway.
If you're interested you could have a look at the text of this bill; technical reasons prevent me giving a direct link but go to and enter "S. 1618" in the "Bill Number" field, then select either the version passed by the Senate or referred in the House.
Apparently, in the old cowboy movies, the good guys always wore white hats and the bad guys always wore black hats. These terms have since been applied to Internet Providers, with Black Hats supporting spam and White Hats being anti-spam.
In a similar veign, the term "Grey Hat" is sometimes used to refer to providers whose anti-spam policies seem a little schizophrenic. "Empty Hat" is a term occasionally used to refer to providers who are utterly stupid or clueless about spam.
Rule #1: Spammers lie
Rule #2: If a spammer ever appears to be telling the truth, consult Rule #1
Rule #3: Spammers are stupid
I believe the first two rules came first, and the third was tacked on at some point later. Less widely stated rules include:
Rule #0: Spam is theft
Krueger's Corollary to Rule #3: Spammer lies are really stupid
Russell's Corollary to Rule #3: Never underestimate the stupidity of spammers.
There are a few alternative versions of the rules, including:
Rule #1: Spammers lie
Rule #2: There is no such thing as legitimate or ethical UCE
Rule #3: Spammers are stupid
Named for its progenitor Gym Quirk, it goes like this:
"Objection! Assumes organ not in evidence!"
It's usually invoked after someone mentions the testicles or brains of a spammer.
Coffee & Cats. It's a warning that you should remove from your vicinity all tasty beverages and furry felines, as the content of the message may cause you to convulse with laughter in a manner which will scare furry felines and can result in spilling of a tasty beverage over your keyboard (or alternatively choking on your beverage if you are drinking it when you start laughing).
Incidentally, that's what the "You owe me a new keyboard/monitor" statements allude to - someone forgetting to put the C&C warning on a funny message and endangering cats & computer equipment as a result.
The Lumber Cartel is a nonexistent organisation allegedly formed by the world's paper-producing companies, who were supposedly worried that the growth in spam would result in a decrease in junk postal mail, thus a decrease in demand for paper, thus a decrease in their profits. They were supposedly funding anti-spammers to prevent this.
It is, of course, a complete fiction. Some spammer posted this story a few years ago and the whole thing has been a massive running joke ever since.
References to the Lumber Cartel are usually suffixed "(tinlc)" (There Is No Lumber Cartel) in order to reflect the fact that, well, there is no lumber cartel.
tinw = There Is No We. Used to reaffirm that the anti-spamming movement comprises individuals who have own ideas and motivations, and often-times don't necessarily agree with each other.
tinlc = There Is No Lumber Cartel. Used to reaffirm the nonexistence of the Lumber Cartel.
Someone's words once painted an incredibly vivid picture of an archetypical spammer living in a trailer, hunched in semi-darkness over his computer and surrounded by rotting chicken bones in half-eaten KFC buckets and empty beer cans. The image has stuck, and "Chickenboner" is now used to describe any two-bit spammer who wants you to think he's a big shot with his own yacht... but isn't.
Whack-a-mole is an old amusement park game. You stand in front of a board with a fluffy mallet, and as plastic moles pop up through holes in the board you have to whack them over the head.
Spamfighting is sometimes like that. Sometimes it seems as if no sooner do you get one of a spammer's accounts killed then they get another one... and another... and another... and their accounts keep popping up like the moles in that old amusement park game. And you keep whacking them.
Bastard Operator From Hell. Inspired by an extremely witty series of stories about a sadistic, homicidal systems administrator, this acronym is now applied as a compliment to any sadistic or potentially-sadistic admin-type, with the implication that the victims of a BOFH deserve everything they get.
fsck is a Unix command used to repair the filesystem. Often used as a "clean" version of a certain expletive that differs from it in only one letter and rhymes with "duck".
Godwin's Law (named for Mike Godwin) states that if a discussion in usenet goes on for long enough, someone will eventually make a comparison to Hitler or the Nazis. (This is due to the fact that history records Hitler and the Nazis as just about the worst people; ever.)
The law is often mis-stated as "If you mention Hitler or the Nazis you automatically lose the argument" or "If you mention Hitler or the Nazis then the thread is over".
Is it bad to invoke Godwin's law? Well, comparing people to Hitler rarely results in anything good...
In a "troll", someone will disingenuously make controversial statements in the hope of creating a large ruckus.
A "troll" can also be one who trolls.
A sort-of crossbreed of troll with a paranoid conspiracy theorist. Handle with care, or even better, ignore.
A commonly-used abbreviation for "sock-puppet". In the context of usenet, a sock-puppet is an alter-ego established by an individual for the purpose of posting messages that agree with his views, thus making it appear that the individual in question has more support than (s)he really does.
The sound of a poster being added to a killfile. Many readers of this newsgroup use "killfiles" to screen out posters they find annoying, so that their newsreader hides the objectionable articles from them. When someone has said something they think is the last straw, some people post a followup saying "Plonk" to let the recipient know that the poster won't be seeing any of their messages in the future.
This is a reference to Ron Ritzman, an insightful antispammer famous for some rather witty trolling of news.admin.net-abuse.email, to the extent to which any suspected troll is now met with cries of "Cut it out, Ron!" or "Cut it out, Ritzman!".
It's not who, it's what. You see, there are a few people who don't like what we talk about in this newsgroup, and will periodically try to sabotage our discussions by cancelling articles en masse. Fortunately, this doesn't work, and Dave is what saves us from it. Dave the Resurrector is a bot that sits watching this newsgroup (and several others), and when it sees an article cancelled it immediately reposts it. This means that our discussions can't be removed from Usenet by rogue cancellers, but it does have the disadvantage that we cannot cancel our own messages in this newsgroup.
So be sure you really want to say what you're posting before you click "send".
(Incidentally, I believe that Dave is now called Guido.)
The King of Spam in the mid-1990s, Sanford Wallace ran Cyberpromo and was the most hated man on the Internet. After failing to make a sustainable living from spam, he reformed.
Alan Ralsky, believed to be one of the biggest spammers currently operating. Ralksy has several hundred domains he uses for spamming, in order to evade filters and confuse spamfighters.
Ralsky achieved mainstream publicity in late 2002 due to an episode in which his postal address became public knowledge and enraged spam-victims proceeded to sign him up for lots and lots of junk mail. This document in no way endorses this abuse of junk postal mailers.
These abbreviations are common all over usenet, and so I won't go into too much detail. However...
BMOC - Big Man on Campus
ESAD - Eat S**t and Die
FWIW - For What It's Worth
FYI - For Your Information
GoAT - Go Away Troll
HTH - Hope That Helps or Happy To Help
IANAL - I Am Not A Lawyer
IIRC - If I Recall Correctly
IMHO - In My Humble Opinion
LOL - Laugh Out Loud
RTFM - Read The F*****g Manual
ROFL or ROTFL - Rolling On the Floor Laughing
NANAE - news.admin.net-abuse.email
NANAS - news.admin.net-abuse.sightings
NANAU - news.admin.net-abuse.usenet
YMMV - Your Mileage May Vary
There's tonnes more abbreviations listed at the following website:
Spam is about delivery methods, not content; an Unsolicited Bulk Email is spam regardless of whether it's advertising Microsoft or Mike's Fruit & Veg Store. However, there are some messages that have been spammed so often that they have passed into the language of news.admin.net-abuse.email.
This is a type of stock scam that often makes use of spam. The idea is that the scammers buy some shares that are trading relatively cheap. Then they try to encourage investors to buy shares in this company, hoping to drive the price up as much as possible. This is the "pump", and it can continue for some time. Finally, when the scammers judge that they're not going to be able to force the share price any higher, they "dump" by selling their shares and walking away with a huge profit, while the investors they encouraged are left with shares worth a lot less than they paid for them.
Spam is just one way that the scammers may use to try to entice people towards their chosen shares. After all, spam is a cheap way of reaching lots of people, who probably don't have experience of investing, and won't be wise to the tricks of the trade. Of course, there are others. Discussion boards are another favoured venue for creating hype. Throw in a healthy dose of outright lying (e.g. "Microsoft is about to buy this company!") and the situation can quickly spin out of the control of the normal reality of the markets.
In the U.S., pump and dump scams are illegal and people DO get busted for them. You should report them to
Most marketing material is broadcast; ie the promotional material is sent to many people at once. Viral Marketing is a concept wherein the marketing message spreads gradually from person-to-person, a bit like a virus does.
Imagine a man getting off a ship at Plymouth. Now imagine that this man has the Plague. This plague is very contagious, and anyone this man touches will be infected. But it's a cold day and the man is wearing lots of thick clothes, so between the dock and his hotel he only touches ten people. And then he dies, because this plague is very lethal and will kill 24 hours after infection.
Let's imagine that the next day, the ten newly-infected people will each infect ten more people, and then die. So after two days, there are 11 (1+10) people dead from the plague, and a further 100 (10*10) people are infected. Next day, the 100 people infect 10 each, for 1000 total, then die. And so it continues on...
Except that the population of the UK is only 60 million, and so before the end of the tenth day the entire country will have caught the Plague and died. And all from one guy getting off a ship in Plymouth.
The obvious type of viral marketing is the chain-letter-style Multi-Level Marketing scheme. You know the type; you have to enrol other people in some "scheme" to make money, and each of those people have to enrol others, and so forth, and so before you know it everyone's drowning in solicitations to join the scheme. When the solicitations are sent by email, the effect can be similar to spam even though no one individual is sending more than a handful of messages.
But of course, not everyone who receives such a solicitation will join the scheme and try to enrol others. Then again, most of these schemes don't place a limit on the number of people you can enrol, either, so people on the scheme will often send spam to thousands or millions of email addresses in the hopes that they'll persuade lots of people to enrol in the scheme.
Such pyramid scams whereby enrolling others is the only major way to make money are highly illegal in most parts of the world. Such scams are often referred to as "MMF schemes" after an early such scam that was spammed with the subject line "Make Money Fast".
The term "viral marketing" is often also applied to legal MLM schemes in which people can earn more money by "referring" others. The obvious examples are the Get-Paid-To-Surf schemes such as AllAdvantage. At their height, solicitations to join such schemes seemed to be everywhere. Many such schemes will have policies that forbid their users using spam to solicit referrals, but some don't and some that do don't enforce their policies rapidly.
I should just point out that I've emphasized the abusive elements of viral marketing here, as these are the ones most often discussed in news.admin.net-abuse.email, but if used in a properly-constituted manner, viral marketing techniques need not constitute Internet abuse. An example of this would be free email providers that place an advert for themselves at the bottom of every email message sent. (Although this in itself was controversial at one point.)
This is another elderly type of scam that has made the move from paper-based mail to Unsolicited Bulk Email. It's quite simple really; you receive a message from an alleged civil servant or government official of some foreign country, usually Nigeria. He needs your help to embezzle away a very large sum of money, and if you let him use your bank account he will let you keep a few million bucks of the ill-gotten gains.
But, if you take him up on this offer, problems will eventually emerge and you will be asked to contribute some of your own money to help save the deal. And thus the scammers make their money...
The scam can be quite sophisticated, including documents bearing the Nigerian government seal, and sometimes even meetings between the victims and the fake "government officials", but thus far none of the victims have become millionaires. In fact, the U.S. Treasury estimates that the scam annually grosses hundreds of millions of dollars for the scammers. If you receive a copy of the 419 scam in your email, you should email it to them at uce@ftc.gov as well as doing your usual spamfighting.
It's called the "419 scam" after the article of Nigerian law that defines fraud.
A specific, and very popular, type of Blackhole List (see ). DNSBL stands for "Domain Name Service-delivered Blocking List" (or "DNS-delivered Blackhole List") and refers to the delivery mechanism more than the content of the list itself; the list data is queried using the standard DNS protocol usually used for turning hostnames into I.P. addresses.
Each DNSBL list will have a "zone". To query a DNSBL list for a certain I.P. address, you reverse the address, prepend it to the zone name, and make a DNS query for the result. For example, to see if "62.31.215.49" is listed in the DNSBL list "relays.osirusoft.com", I do a DNS query (e.g. nslookup) on:
49.215.31.62.relays.osirusoft.com
By having your mailserver check the source of mail against a DNSBL service, the hope is that mail from spam-friendly providers can be rejected (since it's probably spam), while other email is allowed to pass unmolested.
Most DNSBL services can also be queried from their websites.
Most mailservers (or mail relays) on the present-day Internet will deliver email from and to only a small set of authorised users. For example, let's take an imaginary ISP "example.com". The mailservers at example.com could be used to deliver email sent to users of example.com, and to transmit email sent by users of example.com, but would deliver no other emails. This type of relay is generally known as "closed" or "secure".
However, some relays are configured without this security, so that any unauthorised user can use them to send email messages to other unauthorised users (ie any email address in the world). For example, if example.com's mailservers were open, they could be used by a user of aol.com to send an email message to a user of twinlobber.org.uk.
Why is this a bad thing? Well, spammers love to use open relays to send spam. There are several reasons for this:
Because they don't use their own ISP's mailservers, it helps them to conceal their spamming from their ISP.
Open relays will help the spammer to conceal their identity, and help to deflect complaints to the wrong ISP.
It's more efficient to send spam using several mailservers rather than just one (the spammer can spread the load to make it quicker, and the less the load on a mailserver the less likely that the mailserver's administrators will notice his activities and stop him). And one of the main ways to get use of more than a handful of mailservers is to use open relays.
All mailservers on the Internet used to be open relays (they could be useful; for example you could still use the email system even if your own ISP's mailserver was down), but constant abuse of them by spammers has resulted in a mass move to closed mail relays in recent years. Many people now consider open relays to be nothing more than sources of potential email abuse. ORBS described open relays as an "attractive nuisance". Because of this, many ISPs block email from open relays, often using an open-relay listing service such as one of the many successors to ORBS (e.g. ), or the MAPS RSS ().
Often, the people running the open relay can be completely unaware that their relay is open, as much mailserver software ships with open relaying being the default configuration or open relaying is trivial to enable. Other people leave relays open as a convenience to friends or customers, intending to allow them to send email no matter which Internet Provider they use, not realising the potential for abuse. Surprisingly few open relays are run as a deliberate service for spammers. Many mailserver admins are only too happy to close their open relays when they are pointed out to them.
It's good that you're approaching this in a positive frame of mind. With any luck, securing an open relay should be a relatively quick and easy task and then you will be on your way to removing yourself from any lists of open relays.
Here's a few links to get you started. If you run into problems, people on the newsgroup will be happy to help you out.
An alternative tactic some people adopt is to post to news.admin.net-abuse.email about the injustices of having to close an open relay in order to get off one list or another. This doesn't often achieve much for the poster.
The "hijacking" of an open mailserver for the purposes of sending spam.
"Teergrube" is German for "tar-pit". The idea is that you run what appears to be an open mailserver that a spammer will find and try to abuse, but he'll find when he tries to send mail through it... things seem to start going very slowly...
In fact, what is happening, is that the teergrube holds the SMTP connection with the spammer open but doesn't actually do anything. Thus the spammer's UBE-sending software is slowed to the point of stopping, wasting his time and preventing him from abusing the Internet. (Since the expectation is that the spammer won't be sitting watching in case anything goes wrong, this situation could continue for quite some time.)
The teergrube may still be able to send and receive legitimate email for authorised users; it's only when someone tries to use it as an open relay that this activity kicks in.
A teergrube is just one example of a way that fake "open relays" can be set up to entrap spammers. They may be configured just to waste spammers' time, or they might log the spammers' activities and allow the administrator to report them directly to their ISP!
A honeypot in general is a computer well-buttressed with security features yet crafted to look like an ordinary or insecure system. Its purpose is to help detect illicit activity and log it or take countermeasures. In the context of spam fighting a honeypot is a more limited concept: it is a system that is intended to look like an open proxy or open email relay but to in fact not be either. The idea here is that this will deceive spammers into using the honeypot as though it is an abusable system. The goals are multiple. Some try to eliminate some confusion by referring to these anti-spam honeypots as proxypots and relaypots.
First of all the goal is to keep some spam from being delivered - the spam that the honeypot traps. A second goal is to detect systems that are the direct or indirect sources of spammer abuse and to act to end that abuse. If a proxypot grabs spam direct from the spammer then the spammer's IP is known and the spammer can be reported to his ISP. (This also works for relaypots, but many spammers now feed the relaypots through proxypots so their IP isn't visible to the relaypot owner.
A third goal is to interfere with the spammers where otherwise they would have an easy task. If all systems either reject abuse or are vulnerable to it then the spammers can make a simple assumption: they can safely abuse all systems of the second type. If some systems which don't reject are decoys (honeypots) then the spammers cannot safely abuse every system that doesn't appear secure. Given a reasonable number of honeypots, that creates a lot more work for the spammer - work in the most resource-intensive part of spamming.
A fourth goal ties in with the second: use the trapped information to alert law enforcement officers of the source of spammer abuse.
If honeypots proliferate it is probable that they will have to be advanced in sophistication as the spammers advance their methods used to discriminate between honeypots and true abusable systems. If this is successful, honeypots will directly reduce the delivered spam volume at about their proportion to abusable systems. This is a small reduction for small numbers of honeypots. This may give satisfaction to the honeypot operator but the effect on spam volume is negligible. In order to have a major direct effect honeypots must exist in more than trivial numbers. Honeypots can be implemented and be effective anywhere in the internet that spammers look for abusable systems. In principle this could be the entire internet. Certainly most businesses, most ISPs, and most universities could run honeypots. Home users with permanent connections (cable, DSL) can probably run a successful honeypot as well. In some cases there surely are considerations (technical competance, corporate policy, etc) that prevent the running of a honeypot. That's no problem: to have a major effect honeypots do not have to be universal - just numerous.
Customers of ISPs who block outgoing port 25 probably will have little success with relaypots but then the spammers probably have stopped looking in such network spaces - they can't find many abusable open relays if the ISP is taking such action (only if the system had an open relay and smart-hosted through a server run by the ISP might the spammer succeed. In such a case it might be quicker and better to warn the ISP of the open relay that is feeding its server spam.)
In addition to the reduction in delivered spam the honeypot captures information about how the spammers operate. Conceptually a honeypot is to open proxies and open relays what a spamtrap address is to the set of all email addresses: it is an entity that looks to be normal but is in reality an anti-spam weapon. Larts from a honeypot can cite multiple spams from the same source (whatever the spammer attempted to send through the honeypot) and may sometimes be more effective than larts from spam recipients (who have only a single spam to report). In addition to the greater number of spam messages the honeypot is also reporting attempted theft of service, which again may increase the effectiveness of the lart. Larts should probably go to upstream providers (if they go to the spammers themselves they will reveal the honeypot IP). For example, one relaypot trapped the spam of big-time spammer Alan Ralsky, and allowed one ISP to be notified in real time of which accounts were being abused to send it.
SMTP communications generally take place using port 25. "Port 25 blocking" is a technique sometimes used by ISPs who have a problem with users connecting to external mailservers to commit email abuse. Put simply, the ISP blocks any outgoing connections on port 25 from its users to the outside world. Thus the spammers cannot connect to the external mailservers to commit their abuse. The downside is that their customers won't be able to connect to external mailservers for legitimate reasons either.
Of course, the spammers will still be able to connect to external mailservers that listen on a non-standard port, but these are rare.
Recalling our discussion of open relays, I stated that a closed relay would only relay messages that were from or to a set of authorised users. I went on to give an example where the authorised users were the customers of a given ISP. This is the most common situation, but there are cases where an Internet Provider will want to provide a mailserver to users who are logging in through different systems.
The main problem here is that normal SMTP (the Internet protocol used for sending email) doesn't require authentication (ie you don't require a username or password to use it). There is a proposed extension to SMTP that allows authentication, but this is not widely supported right now. So there's a problem in working out whether someone trying to use your mailserver to send email from an external system is one of your customers or a spammer trying to abuse an open relay.
This is the problem that "POP-before-SMTP" is designed to solve. POP3 is an Internet protocol often used for retrieving email, and unlike SMTP it does require authentication. The idea here is that the mailserver notes a machine successfully logging in with POP3 and then allows that machine to make SMTP communications (ie send email) for a period of time thereafter. This way only authorised users can relay through the mailserver (because only they'll have POP3 passwords), but they can do it from anywhere on the Internet.
As open relays have become increasingly blacklisted and closed, spammers have turned to other ways to send their spam, such as open or insecure proxies. Proxies are normally used to route data from a LAN to the Internet; however, if misconfigured they can be abused to to route data from the Internet into the LAN, or even to another part of the Internet. Spammers sometimes use an open proxy to send spam using a mail server on the LAN, or to anonymously abuse a mailserver elsewhere on the Internet.
This is beyond my area of expertise, so I'll pass you over to Philip Newton:
"MX Records" are one type of resource record (RR) used by DNS, the Domain Name System. They show which mail servers accept mail for a given domain. (MX stands for "Mail Exchanger".)
Generally, you or your mailing program don't need to know what the mail exchangers for a domain that you're trying to send email to are - you usually send the mail to your ISP's mail server, which will look up the MX records and send the mail on its way (it acts as a "smarthost" for you so that your configuration need only include one mail server and you don't need to do DNS lookups for every message you send).
"Direct-to-MX" spamming is where you find out the MX records for the target domain (by querying the DNS) and deliver mail directly to that domain's mail exchangers, rather than using your ISP's mail server. One reason why spammers do this is so that they don't leave any logs with their ISP that can be used to track them down.
This isn't really an email abuse issue but it is a term that gets thrown around a lot in the newsgroup. A Smarthost is a mail server that passes mail between other mailservers and doesn't necessarily interact with any mailboxes directly. For example, a large organisation might have a firewall and a mailserver for each department within the firewall, all of which talk to a smarthost which handles communicating with mailservers outside the firewall. This set-up has a number of advantages over the traditional approach of having one big mailserver, including:
Another advantage is that, if the recipient mail exchanger can't be reached, the smarthost will try the other mail exchangers in preference order, if more than one is listed. If none are listed, most mail servers will attempt delivery to the domain itself (an 'A' resource record). Also, if none of the delivery attempts work, smarthosts will usually queue the mail and retry at intervals, meaning you don't have to do all this yourself (and dial up each time to retry the delivery).
ISPs sometimes run "smarthosts" to allow their customers to collect email by SMTP.
Another tool designed to frustrate spammers. Many spammers obtain email addresses using harvesting software that extracts them from websites, automatically following links and exploring new sites to find new addresses. What Ron Guilmette's wpoison does is generates linked webpages containing lots of made-up email addresses, to the end of:
Filling the spammer's mailing list with useless addresses.
Wasting the spammer's harvesting program's time while it finds these useless addresses.
To quote from Wpoison's website :
"So the basic idea behind Wpoison is to trap unwary and badly engineered address harvesting web crawlers, and to fool them into adding enormous quantities of completely bogus e-mail addresses to the E-mail address data bases of the spammers, thus polluting those data bases so badly that they become essentially useless, thereby putting the spammers who are using them out of business, or at least shutting them down for a time and causing them some major headaches while they try to clean up the mess in their now-heavily-polluted e-mail address data bases."
You can install Wpoison on your own website as a CGI script. Note that some spammers have now developed address harvesting systems that are smart to wpoison's tricks.
Sometimes you'll see something like an I.P. address, but with a slash and a number after it, e.g.:
This is actually a way of specifying a block of I.P. addresses. The number after the slash is the size, in bits, of the network prefix.
Remember that, although they're written as four eight-bit integers, an I.P. address is really one thirty-two bit number. The first few bits are what is known as the "network prefix"; that is, the number of the network the I.P. address is a part of. The remainder of the I.P. address is the "host address"; that is, the number of the host within its local network.
So, in the example above, the 32-bit I.P. address has a network prefix 24 bits long, so the host address will be 8 bits long (32-24=8). This means that it specifies a block of 256 I.P. addresses, starting at 127.0.0.0 and going all the way up to 127.0.0.255.
Another example would be:
which specifies a block of four I.P. addresses (the network prefix is 30 bits, leaving 2 bits for the host address, and there are only four two-bit numbers), starting from 251.128.0.0.
Traditionally, a /24 is known as a "Class C" network, a /16 a "Class B" network, and a /8 is a "Class A" network. With the advent of classless addressing this terminology has fallen out of use.
Wonderful though it is, news.admin.net-abuse.email should not be considered the fount of all wisdom or the source of all news where spam-related issues are concerned. Here are a few links you can use to keep up-to-date about various spam issues:
Spamfighting is tough sometimes, especially for those who've been at it for years. Sometimes you just don't feel like you're getting anywhere; you LART the spammers but some more spring up and there seems like no end to it. When you get a little down, it's time to touch on the lighter side of this whole business... SPAM HUMOUR!
Here's a few funny links to get you started. Do remember though, to differentiate between the humorous sites and the serious ones! :)