An FAQ for news.admin.net-abuse.email
Part 3: Understanding NANAE

Maintainer: James Farmer
Last Modified: 27-Dec-2003


Recent Changes
3.1  About news.admin.net-abuse.email
3.1.1  What can be discussed in news.admin.net-abuse.email?
3.1.2  Can anyone join in?
3.1.3  What if I've got a new idea to end spam forever?
3.1.4  What's with all these nonsense posts and reposts?
3.1.5  I replied to some Anti-American posting in another newsgroup and my article ended up here! What gives?
3.1.6  Why are some postings not about email abuse?
3.1.7  Are computer viruses on-topic here?
3.1.8  Why is this newsgroup not archived by groups.google.com?
3.1.9  What is top-posting and why does it annoy people?
3.2  Colloquialisms
3.2.1  What is "nanae"? "nanau"? "nanas" "nanab"?
3.2.2  What is "SPAM-L"?
3.2.3  Why does the word "spam" apply to junk email?
3.2.4  What is a LART? What is a mallet?
3.2.5  What's an "ack"? What's an "auto-ack"?
3.2.6  What is "listwashing"?
3.2.7  What's a "throw-away"?
3.2.8  What does it mean if a website is "404-compliant"?
3.2.9  What's a TOS? What's an AUP?
3.2.10  What does "bulletproof" mean?
3.2.11  What's a "spamhaus"?
3.2.12  What's a "pink contract"?
3.2.13  What is "spamware"?
3.2.14  What is "mainsleaze"?
3.2.15  What is "TRUSTe"?
3.2.16  What's all this s/something/somethingelse/ stuff mean?
3.2.17  What do ^H and ^W mean?
3.2.18  What is "Afterburner"?
3.2.19  What was the Joey McNicol affair?
3.2.20  What's a "cartooney"?
3.2.21  What is "frea speach"?
3.2.22  What's a "Joe Job"?
3.2.23  What's a "murk"?
3.2.24  What's a "black-hat"? What's a "white-hat"?
3.2.25  What's Rule #1? What's Rule #3?
3.2.26  What is the Quirk Objection?
3.2.27  What does "C&C" mean?
3.2.28  What is the Lumber Cartel?
3.2.29  What do "tinw" and "tinlc" mean?
3.2.30  What is a "Chickenboner"?
3.2.31  What's "Whack-a-mole"?
3.2.32  What's a "BOFH"?
3.2.33  What does "fsck" mean?
3.2.34  Someone said I'd invoked Godwin? Is that bad?
3.2.35  What's a "troll"?
3.2.36  What's a "kook"?
3.2.37  What is a "sock"?
3.2.38  What is a "plonk"?
3.2.39  What does "Cut it out, Ron!" mean?
3.2.40  Who is Dave/Guido the Resurrector?
3.2.41  Who's this "Spamford" guy people talk about?
3.2.42  Who is "Ralsky"?
3.3  Abbreviations
3.4  Specific Types of Spam
3.4.1  What's a "pump-and-dump" scam?
3.4.2  What is "Viral Marketing"? What's a Pyramid Scheme? What's MMF?
3.4.3  What is the Nigerian 419 Scam?
3.5  Technical Terms
3.5.1  What is a DNSBL List?
3.5.2  What are open relays?  How can I fix my open relay?  What is "relay rape"?  What is a "teergrube"?  What is a "honeypot"?
3.5.3  What is "port 25 blocking"?
3.5.4  What is "POP-before-SMTP"?
3.5.5  What are open proxies?
3.5.6  What does "direct-to-MX" mean?
3.5.7  What is a "Smarthost"?
3.5.8  What is "wpoison"?
3.5.9  What do those slashes after an I.P. address mean?
3.6  Keeping Up-To-Date
3.7  Keeping Happy
Use Policy

(Questions highlighted in red have been modified since the last release of this document.)

Recent Changes

Rewritten section about honeypots.

Removed or fixed lots of dead links.

Added links to:


The following document should, where not otherwise stated, be understood to represent the opinions and beliefs of the FAQ-maintainer only. I endeavour to ensure that these opinions and beliefs are as correct as possible, but take no responsibility for any problems caused by errors herein. This document should not be considered to represent the opinions of any individuals or organisations other than the FAQ-maintainer.

Please note that in this document, "we" is intended to collectively refer to all regular or semi-regular posters to the news.admin.net-abuse.email newsgroup, including those of all persuasions, and should not be read as indicating the existence of a "clique" comprising persons of similar viewpoints.


This is one of three documents I have compiled to comprise an FAQ for the news.admin.net-abuse.email newsgroup. Each document addresses points in a given area, specifically:

The SPAMFIGHTING OVERVIEW offers a taste of the many techniques people use to fight spam. The objective isn't to teach you how to fight spam (there are many far superior documents that do just this), but rather to introduce some of the techniques you can use and refer you to some more detailed works.

THE EVILS OF SPAM covers the more ethical, moral, and legal aspects of spam, including just what constitutes spam and the types of people who become spammers.

UNDERSTANDING NANAE aims to introduce all of the weird, wonderful, and sometimes impenetrable terminology that people use in news.admin.net-abuse.email (nanae). It covers both colloquialisms (e.g. "chickenboner") and technical terms (e.g. "direct-to-MX").

These three parts are designed to stand alone and don't have to be read in order; feel free to pick and choose just the bits you're interested in.

These documents shouldn't be considered to be "the" FAQ, as there are plenty of other FAQs that are superior in insight, detail, or depth of coverage. They are just an FAQ that I hope will answer some questions that have been troubling you.

These documents are currently maintained by James Farmer. If you have any suggestions for additions or corrections, then feel free to send an email to faqmaster@spamfaq.net.

The latest versions of all of these documents can always be found at http://www.lumbercartel.ca/archives/spamfaq.net/. There's also an index there, which is the easiest way to find the answer if you've got one question in particular - just find the word you're looking for and click on it!

These documents are somewhat extensive. For a quicker overview of the main things you'll need to know, have a look at George Crissman's excellent document "Your First Post to NANAE".

3.1 About news.admin.net-abuse.email

3.1.1 What can be discussed in news.admin.net-abuse.email?

The short answer to this is: abuse of the email system. Please note the terminology here; abuse _of_ the email system is anything that endangers the existence or widespread usability of the email system. Most of the discussion in news.admin.net-abuse.email is concerned with spam, as this is, by far, the most prevalent abuse of the email system in recent times, but discussion of other abuses (e.g. mailbombing) would be on-topic.

However, issues like electronic stalking and sexual harassment by email are not on-topic, as they are abuse _on_ the email system. This means that, while these things are undeniably abuse, they don't threaten the survival of email as a communications medium. There are other newsgroups far more appropriate for discussions of these issues.

3.1.2 Can anyone join in?

Yes. There is no prerequisite in terms of technical knowledge or spamfighting success for contributing to this newsgroup. Everyone is welcome! Even spammers are welcome to post their views, so long as they don't mind hearing a few conflicting opinions.

I advise newcomers to this newsgroup not to believe everything you read. Before making up your mind on any issue, read around and see what makes sense TO YOU. There are a lot of knowledgeable people in this newsgroup, but also a lot of people talking about things outside their knowledge, and a few people who aren't above deliberately mis-representing the facts to fit the stories they want to tell. My advice, which I repeat throughout these documents, is to take everything with a pinch of salt, read as many different views as you can, and form your own opinions.

If there's anything you don't understand, feel free to ask. But think carefully about what answers you choose to believe; adhering slavishly to the dogma of "accepted wisdom" in any newsgroup is not a good idea.

3.1.3 What if I've got a new idea to end spam forever?

Let's hear it! People on this newsgroup don't have all the answers, so if you think your idea has merit, we want to hear about it. Fighting spam in the same way every day, it's easy to get tunnel vision and to overlook new possibilities. "Out-of-the-box" thinking is ALWAYS welcome.

The absolute worst that can happen is that people spot a hitherto-unseen flaw in your idea and think that it won't work. There's absolutely no shame in being wrong. But don't let anyone tell you that you're wrong unless they can CONVINCE you that you're wrong.

A few people may decide to flame any newcomer who posts an idea. This is an unfortunate fact of life on Usenet, and my advice is to ignore these people. After all, it's always easier to criticise than create.

3.1.4 What's with all these nonsense posts and reposts?

Ah. Because some people don't like the fact that we fight spam, this newsgroup is occasionally subjected to attacks by people trying to shut us up.

One form of attack is the cancel attack, whereby the attackers cancel lots of our posts. Fortunately a bot called Dave the Resurrector (see 3.2.40) is always running and when it detects such an attack it will repost the articles removed. This does mean that you might see an article more than once, but that's generally considered to be better than never seeing it at all.

The other type of attack is the posting of hundreds or even thousands of nonsense articles in an attempt to drown out conversation (a "flood"). These articles are generated by a program that makes them look enough like genuine articles in the hope that they'll evade filters whilst still being total and utter gobbledegook. Such attacks are generally attributed to the entity "HipCrime" (a leading Usenet terrorist), although whether they are perpetrated by the real HipCrime or just someone using the software he wrote is unclear (and probably not very interesting).

If your newsreader is able, you can often filter out HipCrime's spew a few hundred articles at a time by filtering on the NNTP-Posting-Host: header; the articles are almost always emitted through open news servers. For those who cannot, several people have recommended the program NFilter, which sits between your newserver and your newsreader filtering out the stuff you don't want to see.

More recently HipCrime has taken to injecting his postings through open SOCKS servers in order to evade NNTP-Posting-Host filtering. If you have the ability, you can still evade the great majority of his flooding by filtering on the Path: line. Alternatively, many news hosts have got rather good at filtering out his floods; so nag your newserver admin or, if you can afford it, you could try a dedicated news service like Newsguy for a (reasonably) spew-free news.admin.net-abuse.email.
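
The two filters described above (NNTP-Posting-Host first, then the Path: line once floods arrive through proxies), as an added example that is not part of the original FAQ and is not NFilter's code. The host names, blocklist entries and sample articles are constructed placeholders.

```python
from email.parser import HeaderParser

# Constructed killfile entries for this example (placeholders, not real hosts).
# Posting host seen on one batch of flood articles:
BLOCKED_POSTING_HOSTS = {"dsl-45.flood.example"}
# Name that an open news server stamps into the Path: line:
BLOCKED_PATH_ENTRIES = {"open-news.example.net"}

# Constructed sample articles (headers, blank line, one-line body).
SAMPLE_ARTICLES = [
    # 1. Ordinary post.
    "Path: reader.example.com!transit.example.com!isp.example.com!not-for-mail\n"
    "From: alice@example.com\n"
    "Newsgroups: news.admin.net-abuse.email\n"
    "Subject: Re: auto-ack from an abuse desk\n"
    "Message-ID: <1@isp.example.com>\n"
    "NNTP-Posting-Host: dialup-12.isp.example.com\n"
    "\n"
    "Got an auto-ack within a minute.\n",
    # 2. Flood article whose posting host is already in the killfile.
    "Path: reader.example.com!transit.example.com!news2.example.org!not-for-mail\n"
    "From: zq@example.invalid\n"
    "Newsgroups: news.admin.net-abuse.email\n"
    "Subject: relay mallet contract pink\n"
    "Message-ID: <2@flood.example>\n"
    "NNTP-Posting-Host: Dsl-45.Flood.Example\n"
    "\n"
    "gobbledegook\n",
    # 3. Flood article sent through a proxy: the posting host is new, so only
    #    the (folded) Path: line still identifies the open news server.
    "Path: reader.example.com!transit.example.com!\n"
    "\topen-news.example.net!not-for-mail\n"
    "From: qz@example.invalid\n"
    "Newsgroups: news.admin.net-abuse.email\n"
    "Subject: contract pink relay mallet\n"
    "Message-ID: <3@flood.example>\n"
    "NNTP-Posting-Host: 198.51.100.9\n"
    "\n"
    "gobbledegook\n",
]


def path_entries(path_value):
    """Split a Path: value into its '!'-separated entries, lower-cased.

    Stripping each entry also removes the newline and tab left behind
    when the header was folded across lines.
    """
    return [e.strip().lower() for e in path_value.split("!") if e.strip()]


def drop_reason(raw_article):
    """Return why an article matches the killfile, or None to keep it."""
    headers = HeaderParser().parsestr(raw_article)
    host = (headers.get("NNTP-Posting-Host") or "").strip().lower()
    if host in BLOCKED_POSTING_HOSTS:
        return "posting-host:" + host
    for entry in path_entries(headers.get("Path") or ""):
        if entry in BLOCKED_PATH_ENTRIES:
            return "path:" + entry
    return None


def triage(articles):
    """Return (Message-ID, reason) per article; a reason of None means keep."""
    results = []
    for raw in articles:
        msg_id = HeaderParser().parsestr(raw).get("Message-ID")
        results.append((msg_id, drop_reason(raw)))
    return results


if __name__ == "__main__":
    for msg_id, reason in triage(SAMPLE_ARTICLES):
        print(msg_id, "DROP " + reason if reason else "keep")
```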

HipCrime's latest tactic has been to flood other newsgroups with the follow-ups set to news.admin.net-abuse.email, in the hope that lots of people will reply to his floods and flood NANAE with their follow-ups. I advise that you don't reply in the newsgroup to anyone who replies to HipCrime's nonsense postings if you haven't seen them in here before, as the likelihood is that they don't read news.admin.net-abuse.email and don't realise where their posting has gone.

3.1.5 I replied to some Anti-American posting in another newsgroup and my article ended up here! What gives?

The most recent tactic that HipCrime (see 3.1.4) has adopted in his/their campaign against news.admin.net-abuse.email is to post in other newsgroups articles which are either derogatory to America or pretending to be encoded messages for terrorists. The follow-ups for these articles are set to news.admin.net-abuse.email, with the intention that when the denizens of these newsgroups reply in understandable indignation, their replies all go into news.admin.net-abuse.email and drown out other conversations.

3.1.6 Why are some postings not about email abuse?

In any discussion forum, conversations will wander from the point in hand. In news.admin.net-abuse.email this is broadly tolerated to a certain degree; it allows us to form more rounded impressions of the participants and gives a greater understanding of how the issues of email abuse sit within the wider scheme of things. Sometimes, a new and relevant insight can spring from discussion of a seemingly unrelated point.

However, too much off-topicality annoys people, and with good reason. We come here to discuss email abuse, not your goldfish or the state of your front lawn. So you should think carefully before making any off-topic postings. If an off-topic discussion has gone on for a while, or is likely to, or is attracting lots of articles, then it will be wise to consider moving it to a different, more appropriate newsgroup or mailing list.

As a courtesy to others, you should always mark any off-topic postings with an [OT] in the subject line, so that anyone not interested in the off-topic stuff can easily filter it out.

3.1.7 Are computer viruses on-topic here?

Many recent computer viruses have used email as a transmission medium. This often involves the virus hijacking the infected computer to send Unsolicited Bulk Email to infect more unsuspecting victims (usually the people in the first victim's address book, or, in some cases, the owners of any webpages they have visited recently.)

Theoretically, as such viruses abuse the nature of electronic mail to spread, discussion of them would be on-topic in news.admin.net-abuse.email. However, there are a number of codicils to consider:

In short, there are many forums more appropriate than news.admin.net-abuse.email for discussing computer viruses, e.g. alt.comp.anti-virus.

3.1.8 Why is this newsgroup not archived by groups.google.com?

The excellent newsgroup archiving service at http://groups.google.com/ archives news.admin.net-abuse.email along with almost every other textual newsgroup. If groups.google.com claims otherwise, check you've spelt the newsgroup name correctly - in particular, check you haven't put a hyphen in the word "email"; it's "news.admin.net-abuse.email" not "news.admin.net-abuse.e-mail".

3.1.9 What is top-posting and why does it annoy people?

This issue is all about where, when you follow up to an article on a newsgroup, you should write your reply. When "Bottom-posting", you quote the article you're replying to, then write your reply afterwards. When "Top-posting", you write your reply and include a quotation of the article afterwards. Fans of top-posting point to the fact that this allows readers to read the response without having to scroll, and that it's easier to write because some news-reading programs automatically put the cursor at the top of the article. Fans of bottom-posting point out that newsgroup articles aren't always read in the order in which they are posted, so it makes sense to quote what's being replied to before the reply, so that the reply can be easily understood.

People get very passionate about the top-posting versus bottom-posting issue, and to my mind they miss the point. Quoting and replies should be "In-Context"; that is, your point should be placed immediately after the point you're responding to. This is different from Bottom-posting in that it's rare you should quote very much of the article to which you're responding; if anyone reading it has to scroll down to reach the first line of your response, you're quoting far too much! If there are any parts of the article you aren't responding to, you should trim them out; anything else is just a waste of bandwidth.

Let's look at an example of a reply to an article in each of the quotation methods. First of all, top-posting:

You may mean well, but if we make an exception for you
then we have to make one for everyone who wants to send
a religious spam, and we'd all end up drowning
in spams-for-God. SpamAssassin is pretty good.

Joe Nobody (joe@example.com) wrote:
> A friend put me onto this newsgroup, so I think I'm posting
> in the right place. Sorry if I've got it wrong, I'm kinda
> new to the web.
> Yeah, spam is bad, but there are worse things y'know? I
> sent a bulk email advertising my online church and you guys
> reported me to my ISP for spamming! This is an evil world
> and people need to find God. It's not as if I was selling
> pornography or anything obscene, I was just trying to save
> souls and if you stop me you're doing the devil's work.
> btw, does anyone know a good spam-filter?

Now, the same thing in the bottom-posting style:

Joe Nobody (joe@example.com) wrote:
> A friend put me onto this newsgroup, so I think I'm posting
> in the right place. Sorry if I've got it wrong, I'm kinda
> new to the web.
> Yeah, spam is bad, but there are worse things y'know? I
> sent a bulk email advertising my online church and you guys
> reported me to my ISP for spamming! This is an evil world
> and people need to find God. It's not as if I was selling
> pornography or anything obscene, I was just trying to save
> souls and if you stop me you're doing the devil's work.
> btw, does anyone know a good spam-filter?

You may mean well, but if we make an exception for you
then we have to make one for everyone who wants to send
a religious spam, and we'd all end up drowning
in spams-for-God. SpamAssassin is pretty good.

In both of these examples we can discern the meaning with a little work, but it's not exactly obvious in either case. But let's see the same thing with a little bit of trimming and in-context quotations.

Joe Nobody (joe@example.com) wrote:
> Yeah, spam is bad, but there are worse things y'know? I
> sent a bulk email advertising my online church and you guys
> reported me to my ISP for spamming!
> I was just trying to save
> souls and if you stop me you're doing the devil's work.

You may mean well, but if we make an exception for you
then we have to make one for everyone who wants to send
a religious spam, and we'd all end up drowning
in spams-for-God.

> btw, does anyone know a good spam-filter?

SpamAssassin is pretty good.

I know which I think is more readable.

3.2 Colloquialisms

Over the years, news.admin.net-abuse.email has evolved its own dialect of abbreviations and terminology that can be quite confusing for new readers. It is, however, not intended to exclude newcomers, and in this section I will aim to explain the most commonly-used terms.

3.2.1 What is "nanae"? "nanau"? "nanas" "nanab"?

nanae (sometimes capitalised NANAE) is short for "news.admin.net-abuse.email" - in short, the newsgroup this FAQ is for.

nanau is "news.admin.net-abuse.usenet" - a newsgroup for discussing usenet abuse including newsgroup spam. It can be a slightly rougher place than NANAE, populated as it is by people with radically different principles on what Usenet should be like, as well as people who are just there for the rough-and-tumble.

nanas is "news.admin.net-abuse.sightings" - a newsgroup for posting sightings of Internet abuse. See section in the first part of this FAQ, the "Spamfighting Overview".

nanab is "news.admin.net-abuse.blocklisting" - a moderated newsgroup "devoted to discussion of subjects related to the use, administration, and effects of blocklists in ameliorating the problem of unsolicited bulk email and other unwanted or abusive network traffic".

3.2.2 What is "SPAM-L"?

SPAM-L is a mailing list dedicated to spamfighting and discussion of spam-prevention measures. See http://www.claws-and-paws.com/spam-l/spam-l.html for more details.

3.2.3 Why does the word "spam" apply to junk email?

The term is inspired by a Monty Python sketch in which a group of Vikings chant "SPAM! SPAM! SPAM!" repeatedly, drowning out the conversations around them. (A bit like the way spam threatens to drown out our own electronic conversations.) It has been applied to a number of different mediums over the years, most notably "newsgroup spam", and is now being used for "email spam" too.

3.2.4 What is a LART? What is a mallet?

LART = Luser Attitude Readjustment Tool. It can be used as a noun (in which case it's something that hopefully causes the victim to re-evaluate their opinions by means of a short sharp shock) or a verb (in which case it means to apply a short sharp shock). Most often used as a euphemism for sending complaints to an ISP, as in "I've just LART-ed that spammer".

One example of a Luser Attitude Readjustment Tool is a mallet (a hammer with a big wooden head), which is metaphorically used on a spammer's genitals when his account is cancelled. In male spammers the result of this manner of LART-ing is sometimes described as "testicular malletosis".

Another example is a "clue-by-four"; a large wooden board (or baseball bat) with which spammers (or just those in urgent need of re-education) are metaphorically whacked.

3.2.5 What's an "ack"? What's an "auto-ack"?

"ack" is short for "acknowledgement", and usually refers to an acknowledgement that a complaint or LART has been received by an ISP.

An "auto-ack" is an acknowledgement that is generated automatically. For example, many abuse departments have configured their systems so that a standard acknowledgement is sent upon receipt of any complaint, explaining that the complaint has been received and will be dealt with when they have the time.

Auto-acks are called "auto-ignores" when it is believed that the sending of the auto-ack is the _only_ action that will be taken in response to the complaint.

3.2.6 What is "listwashing"?

Listwashing is the process of removing unproductive addresses from a mailing list. It could for example be removing addresses in a "global remove list", but often it takes the form of spammers removing complainers from their lists. (Until, of course, their addresses get harvested again.) At best, listwashing is a form of opt-out (see 2.2.3), with all the problems that approach carries.

If a provider is insisting that you give them the exact email address that received a spam, it's probable that they're helping the spammer with their listwashing.

3.2.7 What's a "throw-away"?

An account you don't intend to keep beyond the immediate future. Often used to refer to "throw-away" dial-up accounts that spammers open with no intention of them existing beyond the end of one spam run, but is sometimes also used in the context of "throw-away" email addresses - that is, email addresses, often from a free provider such as hotmail.com, that you intend to use merely for communicating with one party (often a spammer or suspected spammer) for a short period of time, and will afterwards throw away. The motivation for this could be to not endanger your "main" emailbox should the spammer decide to mailbomb you.

3.2.8 What does it mean if a website is "404-compliant"?

It's not there anymore. 404 is the number of the HTTP error message "Not Found".

Note that occasionally spammers design their webpages to look as though they're 404-compliant (especially for surfers who have disabled JavaScript) when really they're not. Take care. In these cases, your browser's "view source" feature is your friend.
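
A scripted version of the "view source" check, added here as an example and not taken from the original FAQ: it compares the real HTTP status with what a browser with scripting disabled would display. The sample responses are constructed, and the heuristic (status 200, not-found wording, plus script, frame or meta-refresh content in the source) is an assumption about how such look-alike pages are built.

```python
import re
from html.parser import HTMLParser

# Wording that makes a page read like an error page to a human visitor.
NOT_FOUND = re.compile(r"\b404\b|not\s+found", re.I)

# Constructed sample responses: status line, headers, blank line, body.
REAL_404 = (
    "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)
FAKE_404 = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>404 Not Found</title>"
    '<script src="/page.js"></script></head>'
    "<body><noscript><h1>Not Found</h1>"
    "<p>The requested URL was not found on this server.</p>"
    "</noscript></body></html>"
)
LIVE_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><h1>Welcome</h1><script src="/menu.js"></script></body></html>'
)


class SourceView(HTMLParser):
    """Collect the text shown without scripting, and note active content."""

    def __init__(self):
        super().__init__()
        self.chunks = []   # text a script-less browser would display
        self.active = []   # script / frame / meta-refresh elements in the source
        self._skip = 0     # depth inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._skip += 1
            self.active.append("script")
        elif tag == "style":
            self._skip += 1
        elif tag in ("iframe", "frame"):
            self.active.append(tag)
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.active.append("meta-refresh")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def classify(raw_response):
    """Return (verdict, active_elements) for one raw HTTP response.

    Verdicts: "gone" (server really says 404/410), "fake-404" (status 200,
    reads as not-found, but the source carries active content), "soft-404"
    (status 200, reads as not-found, nothing active), "live", or "status-NNN".
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    status = int(head.split("\r\n", 1)[0].split()[1])
    if status in (404, 410):
        return ("gone", [])
    if status != 200:
        return ("status-%d" % status, [])
    view = SourceView()
    view.feed(body)
    view.close()
    active = sorted(set(view.active))
    if NOT_FOUND.search(" ".join(view.chunks)):
        return ("fake-404" if active else "soft-404", active)
    return ("live", active)


if __name__ == "__main__":
    for name, raw in (("real", REAL_404), ("fake", FAKE_404), ("live", LIVE_PAGE)):
        print(name, classify(raw))
```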

3.2.9 What's a TOS? What's an AUP?

TOS = Terms of Service. AUP = Acceptable Use Policy. These are documents that are published by an ISP describing what users are and are not allowed to do on their systems. The AUP or TOS of most ISPs will explicitly state that their users must not send spam.

3.2.10 What does "bulletproof" mean?

Spammers often advertise "bulletproof" web-hosting or email-hosting. What this means is a spam-friendly (the term in spammer circles is "bulk-friendly") ISP guarantees not to cancel the "bulletproof" account no matter how many complaints they receive about it.

3.2.11 What's a "spamhaus"?

A spamhaus is an Internet provider that seems to exist for no reason other than sending spam and/or providing spam support services. Note that the plural of "spamhaus" is "spamhausen" and not "spamhauses".

3.2.12 What's a "pink contract"?

Towards the end of the year 2000, it became clear that some major ISPs had signed contracts with spammers that included clauses permitting the spammers to _not_ abide by the anti-spamming portions of the ISP's Terms of Service. When these came to light, anti-spammers dubbed them "pink contracts" (because SPAM is a pink luncheon meat) and the ISPs almost universally proclaimed that they had been signed by low-level marketers and would not be binding. These statements were not entirely believed by many in the anti-spamming community.

3.2.13 What is "spamware"?

Software designed primarily for the sending of spam. It can often be distinguished from legitimate bulk email software by the presence of tools for abusing open relays or open proxies, or for obfuscating website addresses, or for harvesting or de-munging email addresses, or for managing a "remove list" or a "flamers list", or tools for hiding the source of the message, or indeed the presence of any features that are needed for spam but not for legitimate opt-in bulk email.

3.2.14 What is "mainsleaze"?

Mainsleaze is when a well-known, mainstream company starts to spam. They quickly find themselves associated in the minds of their victims with the sleaze of the spam world and then people don't trust them anymore. Such companies often quickly come around to the idea that spam is bad, but it can take years to re-build the trust of their customers.

3.2.15 What is "TRUSTe"?

TRUSTe is a programme for reassuring web site visitors about online privacy. The idea is that vendors which adhere to TRUSTe's principles regarding disclosure of personal information sales, opt-out options (if any), and personal information protection get to display a TRUSTe privacy seal. Web site visitors will thus know that they can find out just what the site will do with the visitors' personal data obtained through the web site, and use that disclosure to make a more informed decision about whether they wish to provide accurate information, or any information at all.

In news.admin.net-abuse.email, TRUSTe's reputation is something of a joke. It is widely believed that TRUSTe is unlikely to revoke its privacy seal even when a site breaches its privacy policies. There have been numerous alleged cases in the past (such as when RealNetworks started spamming) when TRUSTe failed to do so.

3.2.16 What's all this s/something/somethingelse/ stuff mean?

These are regular expression replacement instructions, as used in Unix utilities like sed. For the most part they're fairly simple to understand; just substitute the second expression (the "somethingelse") for the first (the "something") in the text above it. For example, the following follow-up to an article:

> This FAQ is a wonderful thing

s/wonderful/horrible/

should be read as an instruction to replace "wonderful" with "horrible" - i.e. the writer is saying "This FAQ is a horrible thing".

3.2.17 What do ^H and ^W mean?

When you press delete (or backspace) on your keyboard, it deletes the previous character, right? Well, imagine it didn't... or at least, it did but the deleted character didn't disappear from the screen and instead a ^H appeared after it. Well, this is how the old CP/M word processor Wordstar worked, and the behaviour persists in some terminals. So, you'd be trying to type:

I hate spammers

But you'd get half-way through it and find that you'd hit one wrong key, e.g.:

I lat

What do you do? You hit delete three times, giving you:

I lat^H^H^H

Then type the correction, imagining that the last three characters were deleted. So in all you'd see:

I lat^H^H^Hhate spammers

But when you hit return, the computer would actually see:

I hate spammers

Because you deleted the "lat". Clear?

Well, that's the background. In a newsgroup posting, ^H can be read as the author hitting the delete key in an effort to erase a "mistake" which was usually put there for humour value. ^H^H can be read as an attempt to delete the last two characters, and so forth.

Similarly, ^W can be read as an attempt to delete the last word, e.g.:

I bow to your monumental flatulence^W intelligence.

(Hmmm... does anyone know of a website explaining ^H and ^W that I could link to?)

3.2.18 What is "Afterburner"?

Not "what"; "who". Afterburner was the abuse admin at erols.com, which has since become part of rcn.com. Apart from being very good at his job, he is famous for his witty and sadistic lines in account cancellation messages, and for calling his subordinates "Minions" and requiring them to take unpronounceable names. :) His own name is often abbreviated to "AB".

3.2.19 What was the Joey McNicol affair?

Joey was a spamfighter from Australia who was sued by some Australian spammers in late 2002. The spammers claimed that Joey had got them erroneously listed by SPEWS (see Unsurprisingly, given that they had no evidence and admitted in court that they sent spam, the spammers lost. They initially decided to appeal, but withdrew and the affair has now ended.

3.2.20 What's a "cartooney"?

A nonexistent attorney (or other lawyer) with whom a spammer will threaten you, but who will never be seen, usually because he doesn't exist or isn't really an attorney.

3.2.21 What is "frea speach"?

Sometimes spammers claim a "right" to spam, on the grounds that spam is protected as free speech. Or, as one spammer memorably mis-spelt it, "free speach". These days "free speach" is used to refer to this mythic right, with the mis-spelling retained to differentiate it from actual free speech rights.

This spelling is sometimes further mutilated into "frea speach" in order to emphasize this difference.

3.2.22 What's a "Joe Job"?

The act of faking a spam so that it appears to be from an innocent third party, in order to damage their reputation and possibly to trick their provider into revoking their Internet access. Named after Joes.com, which was victimized in this way by a spammer some years ago.

3.2.23 What's a "murk"?

A "Murk" is a disclaimer in a spam email that claims it abides by the dead Murkowski anti-spam bill of a few years ago. E.g.:

Under Bill s. 1618 TITLE III passed by the 105th US Congress this letter cannot be considered spam as long as the sender includes contact information and a method of removal. This is a one time e-mail transmission. No request for removal is necessary.

The presence of a Murk is 100% proof that a message is spam. Note also that most spam featuring this disclaimer doesn't comply with the provisions of the Murkowski bill anyway.

If you're interested you could have a look at the text of this bill; technical reasons prevent me giving a direct link but go to http://thomas.loc.gov/home/c105query.html and enter "S. 1618" in the "Bill Number" field, then select either the version passed by the Senate or referred in the House.

(see also section

3.2.24 What's a "black-hat"? What's a "white-hat"?

Apparently, in the old cowboy movies, the good guys always wore white hats and the bad guys always wore black hats. These terms have since been applied to Internet Providers, with Black Hats supporting spam and White Hats being anti-spam.

In a similar vein, the term "Grey Hat" is sometimes used to refer to providers whose anti-spam policies seem a little schizophrenic. "Empty Hat" is a term occasionally used to refer to providers who are utterly stupid or clueless about spam.

3.2.25 What's Rule #1? What's Rule #3?

Rule #1: Spammers lie
Rule #2: If a spammer ever appears to be telling the truth, consult Rule #1
Rule #3: Spammers are stupid

I believe the first two rules came first, and the third was tacked on at some point later. Less widely stated rules include:

Rule #0: Spam is theft
Krueger's Corollary to Rule #3: Spammer lies are really stupid
Russell's Corollary to Rule #3: Never underestimate the stupidity of spammers.

There are a few alternative versions of the rules, including:

Rule #1: Spammers lie
Rule #2: There is no such thing as legitimate or ethical UCE
Rule #3: Spammers are stupid

3.2.26 What is the Quirk Objection?

Named for its progenitor Gym Quirk, it goes like this:

"Objection! Assumes organ not in evidence!"

It's usually invoked after someone mentions the testicles or brains of a spammer.

3.2.27 What does "C&C" mean?

Coffee & Cats. It's a warning that you should remove from your vicinity all tasty beverages and furry felines, as the content of the message may cause you to convulse with laughter in a manner which will scare furry felines and can result in spilling of a tasty beverage over your keyboard (or alternatively choking on your beverage if you are drinking it when you start laughing).

Incidentally, that's what the "You owe me a new keyboard/monitor" statements allude to - someone forgetting to put the C&C warning on a funny message and endangering cats & computer equipment as a result.

3.2.28 What is the Lumber Cartel?

The Lumber Cartel is a nonexistent organisation allegedly formed by the world's paper-producing companies, who were supposedly worried that the growth in spam would result in a decrease in junk postal mail, thus a decrease in demand for paper, thus a decrease in their profits. They were supposedly funding anti-spammers to prevent this.

It is, of course, a complete fiction. Some spammer posted this story a few years ago and the whole thing has been a massive running joke ever since.

References to the Lumber Cartel are usually suffixed "(tinlc)" (There Is No Lumber Cartel) in order to reflect the fact that, well, there is no lumber cartel.

3.2.29 What do "tinw" and "tinlc" mean?

tinw = There Is No We. Used to reaffirm that the anti-spamming movement comprises individuals who have their own ideas and motivations, and often don't agree with each other.

tinlc = There Is No Lumber Cartel. Used to reaffirm the nonexistence of the Lumber Cartel.

3.2.30 What is a "Chickenboner"?

Someone's words once painted an incredibly vivid picture of an archetypical spammer living in a trailer, hunched in semi-darkness over his computer and surrounded by rotting chicken bones in half-eaten KFC buckets and empty beer cans. The image has stuck, and "Chickenboner" is now used to describe any two-bit spammer who wants you to think he's a big shot with his own yacht... but isn't.

3.2.31 What's "Whack-a-mole"?

Whack-a-mole is an old amusement park game. You stand in front of a board with a fluffy mallet, and as plastic moles pop up through holes in the board you have to whack them over the head.

Spamfighting is sometimes like that. Sometimes it seems as if no sooner do you get one of a spammer's accounts killed than they get another one... and another... and another... and their accounts keep popping up like the moles in that old amusement park game. And you keep whacking them.

3.2.32 What's a "BOFH"?

Bastard Operator From Hell. Inspired by an extremely witty series of stories about a sadistic, homicidal systems administrator, this acronym is now applied as a compliment to any sadistic or potentially-sadistic admin-type, with the implication that the victims of a BOFH deserve everything they get.

3.2.33 What does "fsck" mean?

fsck is a Unix command used to repair the filesystem. Often used as a "clean" version of a certain expletive that differs from it in only one letter and rhymes with "duck".

3.2.34 Someone said I'd invoked Godwin? Is that bad?

Godwin's Law (named for Mike Godwin) states that if a discussion in usenet goes on for long enough, someone will eventually make a comparison to Hitler or the Nazis. (This is due to the fact that history records Hitler and the Nazis as just about the worst people ever.)

The law is often mis-stated as "If you mention Hitler or the Nazis you automatically lose the argument" or "If you mention Hitler or the Nazis then the thread is over".

Is it bad to invoke Godwin's law? Well, comparing people to Hitler rarely results in anything good...

3.2.35 What's a "troll"?

In a "troll", someone will disingenuously make controversial statements in the hope of creating a large ruckus.

A "troll" can also be one who trolls.

3.2.36 What's a "kook"?

A sort-of crossbreed of troll with a paranoid conspiracy theorist. Handle with care, or even better, ignore.

3.2.37 What is a "sock"?

A commonly-used abbreviation for "sock-puppet". In the context of usenet, a sock-puppet is an alter-ego established by an individual for the purpose of posting messages that agree with his views, thus making it appear that the individual in question has more support than (s)he really does.

3.2.38 What is a "plonk"?

The sound of a poster being added to a killfile. Many readers of this newsgroup use "killfiles" to screen out posters they find annoying, so that their newsreader hides the objectionable articles from them. When someone has said something they think is the last straw, some people post a followup saying "Plonk" to let the recipient know that the poster won't be seeing any of their messages in the future.

3.2.39 What does "Cut it out, Ron!" mean?

This is a reference to Ron Ritzman, an insightful antispammer famous for some rather witty trolling of news.admin.net-abuse.email, to the extent that any suspected troll is now met with cries of "Cut it out, Ron!" or "Cut it out, Ritzman!".

3.2.40 Who is Dave/Guido the Resurrector?

It's not who, it's what. You see, there are a few people who don't like what we talk about in this newsgroup, and will periodically try to sabotage our discussions by cancelling articles en masse. Fortunately, this doesn't work, and Dave is what saves us from it. Dave the Resurrector is a bot that sits watching this newsgroup (and several others), and when it sees an article cancelled it immediately reposts it. This means that our discussions can't be removed from Usenet by rogue cancellers, but it does have the disadvantage that we cannot cancel our own messages in this newsgroup.

So be sure you really want to say what you're posting before you click "send".

(Incidentally, I believe that Dave is now called Guido.)

3.2.41 Who's this "Spamford" guy people talk about?

The King of Spam in the mid-1990s, Sanford Wallace ran Cyberpromo and was the most hated man on the Internet. After failing to make a sustainable living from spam, he reformed.

3.2.42 Who is "Ralsky"?

Alan Ralsky, believed to be one of the biggest spammers currently operating. Ralsky has several hundred domains he uses for spamming, in order to evade filters and confuse spamfighters.

Ralsky achieved mainstream publicity in late 2002 due to an episode in which his postal address became public knowledge and enraged spam-victims proceeded to sign him up for lots and lots of junk mail. This document in no way endorses this abuse of junk postal mailers.

3.3 Abbreviations

These abbreviations are common all over usenet, and so I won't go into too much detail. However...

BMOC - Big Man on Campus
ESAD - Eat S**t and Die
FWIW - For What It's Worth
FYI - For Your Information
GoAT - Go Away Troll
HTH - Hope That Helps or Happy To Help
IANAL - I Am Not A Lawyer
IIRC - If I Recall Correctly
IMHO - In My Humble Opinion
LOL - Laugh Out Loud
RTFM - Read The F*****g Manual
ROFL or ROTFL - Rolling On the Floor Laughing
NANAE - news.admin.net-abuse.email
NANAS - news.admin.net-abuse.sightings
NANAU - news.admin.net-abuse.usenet
YMMV - Your Mileage May Vary

There's tonnes more abbreviations listed at the following website:

3.4 Specific Types of Spam

Spam is about delivery methods, not content; an Unsolicited Bulk Email is spam regardless of whether it's advertising Microsoft or Mike's Fruit & Veg Store. However, there are some messages that have been spammed so often that they have passed into the language of news.admin.net-abuse.email.

3.4.1 What's a "pump-and-dump" scam?

This is a type of stock scam that often makes use of spam. The idea is that the scammers buy some shares that are trading relatively cheap. Then they try to encourage investors to buy shares in this company, hoping to drive the price up as much as possible. This is the "pump", and it can continue for some time. Finally, when the scammers judge that they're not going to be able to force the share price any higher, they "dump" by selling their shares and walking away with a huge profit, while the investors they encouraged are left with shares worth a lot less than they paid for them.

Spam is just one way that the scammers may use to try to entice people towards their chosen shares. After all, spam is a cheap way of reaching lots of people, who probably don't have experience of investing, and won't be wise to the tricks of the trade. Of course, there are others. Discussion boards are another favoured venue for creating hype. Throw in a healthy dose of outright lying (e.g. "Microsoft is about to buy this company!") and the situation can quickly spin out of the control of the normal reality of the markets.

In the U.S., pump and dump scams are illegal and people DO get busted for them. You should report them to enforcement@sec.gov.

3.4.2 What is "Viral Marketing"? What's a Pyramid Scheme? What's MMF?

Most marketing material is broadcast; ie the promotional material is sent to many people at once. Viral Marketing is a concept wherein the marketing message spreads gradually from person-to-person, a bit like a virus does.

Imagine a man getting off a ship at Plymouth. Now imagine that this man has the Plague. This plague is very contagious, and anyone this man touches will be infected. But it's a cold day and the man is wearing lots of thick clothes, so between the dock and his hotel he only touches ten people. And then he dies, because this plague is very lethal and will kill 24 hours after infection.

Let's imagine that the next day, the ten newly-infected people will each infect ten more people, and then die. So after two days, there are 11 (1+10) people dead from the plague, and a further 100 (10*10) people are infected. Next day, the 100 people infect 10 each, for 1000 total, then die. And so it continues on...

Day 1, 1 infected
Day 2, 10 infected, 1 dead
Day 3, 100 infected, 11 dead
Day 4, 1,000 infected, 111 dead
Day 5, 10,000 infected, 1,111 dead
Day 6, 100,000 infected, 11,111 dead
Day 7, 1,000,000 infected, 111,111 dead
Day 8, 10,000,000 infected, 1,111,111 dead
Day 9, 100,000,000 infected, 11,111,111 dead
Day 10, 1,000,000,000 infected, 111,111,111 dead

Except that the population of the UK is only 60 million, and so before the end of the tenth day the entire country will have caught the Plague and died. And all from one guy getting off a ship in Plymouth.

The obvious type of viral marketing is the chain-letter-style Multi-Level Marketing scheme. You know the type; you have to enrol other people in some "scheme" to make money, and each of those people have to enrol others, and so forth, and so before you know it everyone's drowning in solicitations to join the scheme. When the solicitations are sent by email, the effect can be similar to spam even though no one individual is sending more than a handful of messages.

But of course, not everyone who receives such a solicitation will join the scheme and try to enrol others. Then again, most of these schemes don't place a limit on the number of people you can enrol, either, so people on the scheme will often send spam to thousands or millions of email addresses in the hopes that they'll persuade lots of people to enrol in the scheme.

Such pyramid scams whereby enrolling others is the only major way to make money are highly illegal in most parts of the world. Such scams are often referred to as "MMF schemes" after an early such scam that was spammed with the subject line "Make Money Fast".

The term "viral marketing" is often also applied to legal MLM schemes in which people can earn more money by "referring" others. The obvious examples are the Get-Paid-To-Surf schemes such as AllAdvantage. At their height, solicitations to join such schemes seemed to be everywhere. Many such schemes will have policies that forbid their users using spam to solicit referrals, but some don't and some that do don't enforce their policies rapidly.

I should just point out that I've emphasized the abusive elements of viral marketing here, as these are the ones most often discussed in news.admin.net-abuse.email, but if used in a properly-constituted manner, viral marketing techniques need not constitute Internet abuse. An example of this would be free email providers that place an advert for themselves at the bottom of every email message sent. (Although this in itself was controversial at one point.)

3.4.3 What is the Nigerian 419 Scam?

This is another elderly type of scam that has made the move from paper-based mail to Unsolicited Bulk Email. It's quite simple really; you receive a message from an alleged civil servant or government official of some foreign country, usually Nigeria. He needs your help to embezzle away a very large sum of money, and if you let him use your bank account he will let you keep a few million bucks of the ill-gotten gains.

But, if you take him up on this offer, problems will eventually emerge and you will be asked to contribute some of your own money to help save the deal. And thus the scammers make their money...

The scam can be quite sophisticated, including documents bearing the Nigerian government seal, and sometimes even meetings between the victims and the fake "government officials", but thus far none of the victims have become millionaires. In fact, the U.S. Treasury estimates that the scam annually grosses hundreds of millions of dollars for the scammers. If you receive a copy of the 419 scam in your email, you should email it to them at uce@ftc.gov as well as doing your usual spamfighting.

It's called the "419 scam" after the article of Nigerian law that defines fraud.

3.5 Technical Terms

3.5.1 What is a DNSBL List?

A specific, and very popular, type of Blackhole List. DNSBL stands for "Domain Name Service-delivered Blocking List" (or "DNS-delivered Blackhole List") and refers to the delivery mechanism more than the content of the list itself; the list data is queried using the standard DNS protocol usually used for turning hostnames into I.P. addresses.

Each DNSBL list will have a "zone". To query a DNSBL list for a certain I.P. address, you reverse the address, prepend it to the zone name, and make a DNS query for the result. For example, to see if "" is listed in the DNSBL list "relays.osirusoft.com", I do a DNS query (e.g. nslookup) on:

By having your mailserver check the source of mail against a DNSBL service, the hope is that mail from spam-friendly providers can be rejected (since it's probably spam), while other email is allowed to pass unmolested.

Most DNSBL services can also be queried from their websites.
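The query described above, as an added example that is not part of the original FAQ: it reverses the address, prepends it to the zone, and interprets the answer. The address 192.0.2.99, the listing data and the stub resolver are constructed for illustration; the zone name is the one mentioned in the text.

```python
import ipaddress
import socket

# DNSBL zones conventionally answer with an address inside 127.0.0.0/8.
LIST_ANSWERS = ipaddress.ip_network("127.0.0.0/8")

# "No such name" codes; EAI_NODATA is not defined on every platform.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and prepend them to the DNSBL zone name."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.strip('.')}"


def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the list's answer (such as '127.0.0.2') if listed, else None."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = ipaddress.IPv4Address(resolve(name))
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return None  # the name does not exist: the address is not listed
        raise            # resolver trouble: let the caller decide how to fail
    # An answer outside 127.0.0.0/8 is not a listing (for example a
    # wildcarded or re-registered zone), so it is ignored.
    return str(answer) if answer in LIST_ANSWERS else None


def listing_zones(ip, zones, resolve=socket.gethostbyname):
    """Check one client address against several zones; return {zone: answer}."""
    hits = {}
    for zone in zones:
        answer = dnsbl_lookup(ip, zone, resolve)
        if answer is not None:
            hits[zone] = answer
    return hits


# Constructed zone data so the example runs offline.
CONSTRUCTED_ZONE_DATA = {"99.2.0.192.relays.osirusoft.com": "127.0.0.2"}


def stub_resolve(name):
    """Stand-in for a DNS lookup, backed by the constructed data above."""
    try:
        return CONSTRUCTED_ZONE_DATA[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    for client in ("192.0.2.99", "192.0.2.1"):
        name = dnsbl_query_name(client, "relays.osirusoft.com")
        verdict = dnsbl_lookup(client, "relays.osirusoft.com", stub_resolve)
        print(f"{client}: query {name} -> {verdict or 'not listed'}")
```

A mailserver would call `dnsbl_lookup` with the connecting client's address at connection time and reject the mail when the result is not `None`.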

3.5.2 What are open relays?

Most mailservers (or mail relays) on the present-day Internet will deliver email from and to only a small set of authorised users. For example, let's take an imaginary ISP "example.com". The mailservers at example.com could be used to deliver email sent to users of example.com, and to transmit email sent by users of example.com, but would deliver no other emails. This type of relay is generally known as "closed" or "secure".

However, some relays are configured without this security, so that any unauthorised user can use them to send email messages to other unauthorised users (ie any email address in the world). For example, if example.com's mailservers were open, they could be used by a user of aol.com to send an email message to a user of twinlobber.org.uk.

Why is this a bad thing? Well, spammers love to use open relays to send spam. There are several reasons for this:

All mailservers on the Internet used to be open relays (they could be useful; for example you could still use the email system even if your own ISP's mailserver was down), but constant abuse of them by spammers has resulted in a mass move to closed mail relays in recent years. Many people now consider open relays to be nothing more than sources of potential email abuse. ORBS described open relays as an "attractive nuisance". Because of this, many ISPs block email from open relays, often using an open-relay listing service such as one of the many successors to ORBS (e.g. http://www.ordb.org/), or the MAPS RSS (http://www.mail-abuse.org/rss/).

Often, the people running the open relay can be completely unaware that their relay is open, as much mailserver software ships with open relaying as the default configuration, or makes open relaying trivial to enable. Other people leave relays open as a convenience to friends or customers, intending to allow them to send email no matter which Internet Provider they use, not realising the potential for abuse. Surprisingly few open relays are run as a deliberate service for spammers. Many mailserver admins are only too happy to close their open relays when they are pointed out to them.

How can I fix my open relay?

It's good that you're approaching this in a positive frame of mind. With any luck, securing an open relay should be a relatively quick and easy task and then you will be on your way to removing yourself from any lists of open relays.

Here's a few links to get you started. If you run into problems, people on the newsgroup will be happy to help you out.

An alternative tactic some people adopt is to post to news.admin.net-abuse.email about the injustices of having to close an open relay in order to get off one list or another. This doesn't often achieve much for the poster.

What is "relay rape"?

The "hijacking" of an open mailserver for the purposes of sending spam.

What is a "teergrube"?

"Teergrube" is German for "tar-pit". The idea is that you run what appears to be an open mailserver that a spammer will find and try to abuse, but he'll find when he tries to send mail through it... things seem to start going very slowly...

In fact, what is happening is that the teergrube holds the SMTP connection with the spammer open but doesn't actually do anything. Thus the spammer's UBE-sending software is slowed to the point of stopping, wasting his time and preventing him from abusing the Internet. (Since the expectation is that the spammer won't be sitting watching in case anything goes wrong, this situation could continue for quite some time.)

The teergrube may still be able to send and receive legitimate email for authorised users; it's only when someone tries to use it as an open relay that this activity kicks in.

A teergrube is just one example of a way that fake "open relays" can be set up to entrap spammers. They may be configured just to waste spammers' time, or they might log the spammers' activities and allow the administrator to report them directly to their ISP!

What is a "honeypot"?

A honeypot in general is a computer well-buttressed with security features yet crafted to look like an ordinary or insecure system. Its purpose is to help detect illicit activity and log it or take countermeasures. In the context of spam fighting a honeypot is a more limited concept: it is a system that is intended to look like an open proxy or open email relay but is in fact neither. The idea here is that this will deceive spammers into using the honeypot as though it is an abusable system. The goals are multiple. Some try to eliminate some confusion by referring to these anti-spam honeypots as proxypots and relaypots.

First of all the goal is to keep some spam from being delivered - the spam that the honeypot traps. A second goal is to detect systems that are the direct or indirect sources of spammer abuse and to act to end that abuse. If a proxypot grabs spam direct from the spammer then the spammer's IP is known and the spammer can be reported to his ISP. (This also works for relaypots, but many spammers now feed the relaypots through proxypots so their IP isn't visible to the relaypot owner.)

A third goal is to interfere with the spammers where otherwise they would have an easy task. If all systems either reject abuse or are vulnerable to it then the spammers can make a simple assumption: they can safely abuse all systems of the second type. If some systems which don't reject are decoys (honeypots) then the spammers cannot safely abuse every system that doesn't appear secure. Given a reasonable number of honeypots, that creates a lot more work for the spammer - work in the most resource-intensive part of spamming.

A fourth goal ties in with the second: use the trapped information to alert law enforcement officers of the source of spammer abuse.

If honeypots proliferate it is probable that they will have to be advanced in sophistication as the spammers advance their methods used to discriminate between honeypots and true abusable systems. If this is successful, honeypots will directly reduce the delivered spam volume at about their proportion to abusable systems. This is a small reduction for small numbers of honeypots. This may give satisfaction to the honeypot operator but the effect on spam volume is negligible. In order to have a major direct effect honeypots must exist in more than trivial numbers. Honeypots can be implemented and be effective anywhere in the internet that spammers look for abusable systems. In principle this could be the entire internet. Certainly most businesses, most ISPs, and most universities could run honeypots. Home users with permanent connections (cable, DSL) can probably run a successful honeypot as well. In some cases there surely are considerations (technical competence, corporate policy, etc) that prevent the running of a honeypot. That's no problem: to have a major effect honeypots do not have to be universal - just numerous.

Customers of ISPs who block outgoing port 25 probably will have little success with relaypots but then the spammers probably have stopped looking in such network spaces - they can't find many abusable open relays if the ISP is taking such action (only if the system had an open relay and smart-hosted through a server run by the ISP might the spammer succeed. In such a case it might be quicker and better to warn the ISP of the open relay that is feeding its server spam.)

In addition to the reduction in delivered spam the honeypot captures information about how the spammers operate. Conceptually a honeypot is to open proxies and open relays what a spamtrap address is to the set of all email addresses: it is an entity that looks to be normal but is in reality an anti-spam weapon. Larts from a honeypot can cite multiple spams from the same source (whatever the spammer attempted to send through the honeypot) and may sometimes be more effective than larts from spam recipients (who have only a single spam to report). In addition to the greater number of spam messages the honeypot is also reporting attempted theft of service, which again may increase the effectiveness of the lart. Larts should probably go to upstream providers (if they go to the spammers themselves they will reveal the honeypot IP). For example, one relaypot trapped the spam of big-time spammer Alan Ralsky, and allowed one ISP to be notified in real time of which accounts were being abused to send it.

3.5.3 What is "port 25 blocking"?

SMTP communications generally take place using port 25. "Port 25 blocking" is a technique sometimes used by ISPs who have a problem with users connecting to external mailservers to commit email abuse. Put simply, the ISP blocks any outgoing connections on port 25 from its users to the outside world. Thus the spammers cannot connect to the external mailservers to commit their abuse. The downside is that their customers won't be able to connect to external mailservers for legitimate reasons either.

Of course, the spammers will still be able to connect to external mailservers that listen on a non-standard port, but these are rare.

3.5.4 What is "POP-before-SMTP"?

Recalling our discussion of open relays, I stated that a closed relay would only relay messages that were from or to a set of authorised users. I went on to give an example where the authorised users were the customers of a given ISP. This is the most common situation, but there are cases where an Internet Provider will want to provide a mailserver to users who are logging in through different systems.

The main problem here is that normal SMTP (the Internet protocol used for sending email) doesn't require authentication (ie you don't require a username or password to use it). There is a proposed extension to SMTP that allows authentication, but this is not widely supported right now. So there's a problem in working out whether someone trying to use your mailserver to send email from an external system is one of your customers or a spammer trying to abuse an open relay.

This is the problem that "POP-before-SMTP" is designed to solve. POP3 is an Internet protocol often used for retrieving email, and unlike SMTP it does require authentication. The idea here is that the mailserver notes a machine successfully logging in with POP3 and then allows that machine to make SMTP communications (ie send email) for a period of time thereafter. This way only authorised users can relay through the mailserver (because only they'll have POP3 passwords), but they can do it from anywhere on the Internet.
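The closed-relay rule from section 3.5.2 combined with the POP-before-SMTP window described above, as an added example that is not part of the original FAQ. The class name, the 30-minute window and the client address 198.51.100.7 are assumptions made for illustration; the domains are the ones used in the text.

```python
import time


class PopBeforeSmtp:
    """Relay policy: deliver to local domains, relay only after a POP3 login."""

    def __init__(self, local_domains, window_seconds=1800):
        self.local_domains = {d.lower() for d in local_domains}
        self.window = window_seconds      # assumed value: 30 minutes
        self._authorised = {}             # client IP -> expiry timestamp

    def note_pop3_login(self, client_ip, now=None):
        """Called by the POP3 server after a successful, authenticated login."""
        now = time.time() if now is None else now
        self._authorised[client_ip] = now + self.window

    def _recently_authenticated(self, client_ip, now):
        expiry = self._authorised.get(client_ip)
        if expiry is None:
            return False
        if now >= expiry:
            # Window has closed: forget the entry so the table cannot grow
            # without bound and stale addresses never regain relay rights.
            del self._authorised[client_ip]
            return False
        return True

    def decide(self, client_ip, rcpt_to, now=None):
        """Return the SMTP reply the server would give to RCPT TO."""
        now = time.time() if now is None else now
        domain = rcpt_to.rpartition("@")[2].lower()
        if domain in self.local_domains:
            # Mail *to* our own users is always accepted for delivery.
            return "250 OK (local delivery)"
        if self._recently_authenticated(client_ip, now):
            # Mail to the outside world is relayed only for addresses that
            # proved themselves over POP3 a short while ago. The check is by
            # IP address, so every host behind the same address shares it.
            return "250 OK (relaying for authenticated client)"
        # Anything else is exactly the open-relay case, so refuse it.
        return "550 relaying denied"


if __name__ == "__main__":
    policy = PopBeforeSmtp(["example.com"])
    client = "198.51.100.7"  # constructed client address
    print(policy.decide(client, "someone@twinlobber.org.uk", now=1000))
    policy.note_pop3_login(client, now=1000)
    print(policy.decide(client, "someone@twinlobber.org.uk", now=1500))
    print(policy.decide(client, "someone@twinlobber.org.uk", now=2800))
```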

3.5.5 What are open proxies?

As open relays have become increasingly blacklisted and closed, spammers have turned to other ways to send their spam, such as open or insecure proxies. Proxies are normally used to route data from a LAN to the Internet; however, if misconfigured they can be abused to route data from the Internet into the LAN, or even to another part of the Internet. Spammers sometimes use an open proxy to send spam using a mail server on the LAN, or to anonymously abuse a mailserver elsewhere on the Internet.

3.5.6 What does "direct-to-MX" mean?

This is beyond my area of expertise, so I'll pass you over to Philip Newton:

"MX Records" are one type of resource record (RR) used by DNS, the Domain Name System. They show which mail servers accept mail for a given domain. (MX stands for "Mail Exchanger".)

Generally, you or your mailing program don't need to know what the mail exchangers for a domain that you're trying to send email to are - you usually send the mail to your ISP's mail server, which will look up the MX records and send the mail on its way (it acts as a "smarthost" for you so that your configuration need only include one mail server and you don't need to do DNS lookups for every message you send).

"Direct-to-MX" spamming is where you find out the MX records for the target domain (by querying the DNS) and deliver mail directly to that domain's mail exchangers, rather than using your ISP's mail server. One reason why spammers do this is so that they don't leave any logs with their ISP that can be used to track them down.

3.5.7 What is a "Smarthost"?

This isn't really an email abuse issue but it is a term that gets thrown around a lot in the newsgroup. A Smarthost is a mail server that passes mail between other mailservers and doesn't necessarily interact with any mailboxes directly. For example, a large organisation might have a firewall and a mailserver for each department within the firewall, all of which talk to a smarthost which handles communicating with mailservers outside the firewall. This set-up has a number of advantages over the traditional approach of having one big mailserver, including:

Another advantage is that, if the recipient mail exchanger can't be reached, the smarthost will try the other mail exchangers in preference order, if more than one is listed. If none are listed, most mail servers will attempt delivery to the domain itself (an 'A' resource record). Also, if none of the delivery attempts work, smarthosts will usually queue the mail and retry at intervals, meaning you don't have to do all this yourself (and dial up each time to retry the delivery).

ISPs sometimes run "smarthosts" to allow their customers to collect email by SMTP.

3.5.8 What is "wpoison"?

Another tool designed to frustrate spammers. Many spammers obtain email addresses using harvesting software that extracts them from websites, automatically following links and exploring new sites to find new addresses. What Ron Guilmette's wpoison does is generate linked webpages containing lots of made-up email addresses, to the end of:

  1. Filling the spammer's mailing list with useless addresses.

  2. Wasting the spammer's harvesting program's time while it finds these useless addresses.

To quote from Wpoison's website:

"So the basic idea behind Wpoison is to trap unwary and badly engineered address harvesting web crawlers, and to fool them into adding enormous quantities of completely bogus e-mail addresses to the E-mail address data bases of the spammers, thus polluting those data bases so badly that they become essentially useless, thereby putting the spammers who are using them out of business, or at least shutting them down for a time and causing them some major headaches while they try to clean up the mess in their now-heavily-polluted e-mail address data bases."

You can install Wpoison on your own website as a CGI script. Note that some spammers have now developed address harvesting systems that are smart to wpoison's tricks.

3.5.9 What do those slashes after an I.P. address mean?

Sometimes you'll see something like an I.P. address, but with a slash and a number after it, e.g.:

This is actually a way of specifying a block of I.P. addresses. The number after the slash is the size, in bits, of the network prefix.

Remember that, although it is written as four eight-bit integers, an I.P. address is really one thirty-two bit number. The first few bits are what is known as the "network prefix"; that is, the number of the network the I.P. address is a part of. The remainder of the I.P. address is the "host address"; that is, the number of the host within its local network.

So, in the example above, the 32-bit I.P. address has a network prefix 24 bits long, so the host address will be 8 bits long (32-24=8). This means that it specifies a block of 256 I.P. addresses, starting at and going all the way up to

Another example would be:

which specifies a block of four I.P. addresses (the network prefix is 30 bits, leaving 2 bits for the host address, and there are only four two-bit numbers), starting from

Traditionally, a /24 is known as a "Class C" network, a /16 a "Class B" network, and a /8 is a "Class A" network. With the advent of classless addressing this terminology has fallen out of use.
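The prefix arithmetic described in this section, carried out on the 32-bit number, as an added example that is not part of the original FAQ. The blocks 192.0.2.0/24 and 192.0.2.8/30 are constructed documentation addresses, not the FAQ's own examples, and the function names are illustrative.

```python
def ip_to_int(ip):
    """Pack four dotted octets into the single 32-bit number they represent."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Unpack a 32-bit number back into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_block(cidr):
    """Return (first address, last address, number of addresses) for a block."""
    address, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)              # length of the network prefix in bits
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range in {cidr!r}")
    host_bits = 32 - prefix                # what is left is the host address
    host_mask = (1 << host_bits) - 1       # ones over the host bits
    network_mask = 0xFFFFFFFF ^ host_mask  # ones over the network prefix
    first = ip_to_int(address) & network_mask  # host bits all zero
    last = first | host_mask                   # host bits all one
    return int_to_ip(first), int_to_ip(last), 1 << host_bits


def in_block(ip, cidr):
    """True if the address falls inside the block, as a blocklist would test."""
    first, last, _ = cidr_block(cidr)
    return ip_to_int(first) <= ip_to_int(ip) <= ip_to_int(last)


if __name__ == "__main__":
    for block in ("192.0.2.0/24", "192.0.2.8/30"):
        first, last, count = cidr_block(block)
        print(f"{block}: {count} addresses, {first} to {last}")
    print(in_block("192.0.2.10", "192.0.2.8/30"))  # inside the /30
    print(in_block("192.0.2.12", "192.0.2.8/30"))  # first address past it
```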

3.6 Keeping Up-To-Date

Wonderful though it is, news.admin.net-abuse.email should not be considered the fount of all wisdom or the source of all news where spam-related issues are concerned. Here are a few links you can use to keep up-to-date about various spam issues:

3.7 Keeping Happy

Spamfighting is tough sometimes, especially for those who've been at it for years. Sometimes you just don't feel like you're getting anywhere; you LART the spammers but some more spring up and there seems like no end to it. When you get a little down, it's time to touch on the lighter side of this whole business... SPAM HUMOUR!

Here's a few funny links to get you started. Do remember though, to differentiate between the humorous sites and the serious ones! :)


No document of this magnitude can be the work of only one man. I would like to thank everyone who offered ideas and suggestions, everyone who pointed out grammatical errors and gaps in my logic, and places where I was just plain getting things wrong. This wouldn't have been possible without you, people.

Use Policy

You may copy and redistribute this FAQ in unmodified form by any means or media you see fit.

You may modify the presentation of this FAQ as you see fit, so long as the content remains unaltered.

You may modify the content of this FAQ so long as you appropriately credit both your changes and the original authors of this FAQ. At a minimum, the link to the FAQ's website _must_ remain in place.