From: Bill Polhemus <bpolhem(--nospam--at)swbell.net>
Date: Wed, 31 Jan 2001 15:06:48 -0600
To anyone who is concerned about this kind of crap:
It is pretty easy to "pull the plug" at least on this particular spammer.
Simply set your email client to "show all headers", and find the ORIGINATION
POINT of the email in question. This is a tricky thing, since most spammers
"spoof" their email addresses to make you think they're from one place (e.g.
HOTMAIL.COM) but when you examine the header, it's actually from someplace else.
In Netscape Mail, you can reveal the entire header by going to VIEW | HEADERS |
ALL. In Outlook, double-click on a message subject to view the message in a
separate message window, then click VIEW | OPTIONS. The message header will
appear in a window at the bottom of that dialogue, and may be copied and pasted
into a reply message. It is important when you want to forward an offending
message to someone who needs to take action, to include ALL the header data, so
that they can track down the culprit who is abusing their system.
Now, you need to forward the COMPLETE email message (including the headers) back
to the ABUSE address for the originating source. Usually, this is
ABUSE@<SOURCE.XXX>. For example, if the origin of the email message turns out to
be PSI.NET, you would forward it to ABUSE(--nospam--at)PSI.NET.
Spam usually comes from a big ISP, since they handle mail in volumes, and
Spammers use Bulk Mailers. The ABUSE is usually an automated service at the ISP
that will reply to you with an incident number and usually, not long afterward,
the message that the offending account has been disabled.
The Spammer can then just go elsewhere and start over, but it IS a big hassle
for them, and sometimes it is a few days before they discover their stupid
bulk-mailing program isn't pumping their **** out to every mailbox on earth.
And if you hassle 'em enough, some might actually QUIT.
I can tell you this: I have done this faithfully for some time now, and I just
don't get much SPAM anymore (maybe one or two a week). I think this is in part
due to the technology having gotten to them, and maybe in part because they know
I'll turn 'em in.
NEVER reply to a Spam. Those stupid "REMOVE" addresses they put at the bottom of
the message are just to get you to reply so they know they've hit a valid email
account (they spend a LOT of time pruning out bad addresses).
HERE'S AN EXAMPLE:
Here's the header for one that I got some time back (and somehow forgot to
[QUOTE MODE ON]
from mta1.rcsntx.swbell.net (mta1-pr.rcsntx.swbell.net) by
sims1.rcsntx.swbell.net (Sun Internet
Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id
bpolhem@sims-ms-daemon; Mon, 15
May 2000 02:50:58 -0500 (CDT)
from ogopogo.flash.net ([18.104.22.168]) by
mta1.rcsntx.swbell.net (Sun Internet Mail Server
sims.3.5.2000.01.05.12.18.p9) with ESMTP id
15 May 2000 02:49:37 -0500 (CDT)
from server2.ktrbhosting.com ([22.214.171.124]) by
ogopogo.flash.net (8.9.3/Pro-8.9.3) with
ESMTP id CAA16349; Mon, 15 May 2000 02:49:36 -0500 (CDT)
from fiberia.com (01-054.033.popsite.net [126.96.36.199]) by
(8.9.3/8.9.3) with SMTP id CAA25045; Mon, 15 May 2000 02:47:40
Mon, 15 May 2000 03:51:05 +0000
**Accept Credit Cards-99% Approval Rate, Free Shopping Cart
* * * * *
[QUOTE MODE OFF]
Notice that it comes allegedly from someplace called FIBERIA.COM. However, when
you examine the LAST "Received:" block, you see that FIBERIA.COM is actually
POPSITE.NET, IP Address 188.8.131.52.
Having that info in hand, I simply dash off a message to ABUSE(--nospam--at)POPSITE.NET.
Within a little while, I'll get a reply like:
[QUOTE MODE ON]
This is an AUTO-REPLY message in response to an email appearing to
have originated from your address and delivered to one of the mail
administration addresses, most likely concerning an abuse issue.
This message is _not_ intended as a response to your report, but it
does contain information regarding net-abuse issues.
Due to the volume of email that can sometimes occur, we may not be
able to respond individually to each message sent to this address,
and will likely only do so when additional information is required.
StarNet, Inc. does not condone and will not permit abusive behavior
by its users. Though no summary judgments are made, all reports we
receive are investigated and action is taken when and where it is
[QUOTE MODE OFF]
Followed by some other info. Eventually, I'll get another message telling me
that the account has been disabled.
FWIW, I had set up some stuff on my sendmail configuration on my personal server
(runs under Linux) that subscribed to the Realtime Blackhole List (RBL), a free
service set up by some "geeks in white hats" that works under the theory that
MOST spam comes from a handful of domains, keeps track of those domains, and
essentially won't allow email from them to reach your email server.
I notice that the newest version of Linux now has automatic configuration for
this, so I essentially get NO spam whatsoever on my business email account at
polhemus.cc. Seems to work quite well.
Gerard Madden wrote:
> I'm just wondering if anyone else got this trash email (full of typos and no punchline) or if it came from somewhere else.
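Added example, not part of the original post: a Python sketch of the header check described in the message above. It walks the Received chain, stops where a header's "by" host does not match the host that handed the mail to the relay above it (anything from that point down may be forged), and derives an abuse@ address from the reverse-DNS name the last consistent relay recorded. All hosts and addresses are constructed documentation values, and the two-label domain cut is a simplifying assumption.

```python
import re
from email import message_from_string

# Constructed sample (documentation hosts/IPs); the bottom Received is forged.
RAW = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id AAA111; Mon, 15 May 2000 02:49:37 -0500
Received: from relay.hosting.example ([198.51.100.7])
\tby mx.isp.example (8.9.3) with ESMTP id CAA16349; Mon, 15 May 2000 02:49:36 -0500
Received: from claimed-sender.example (01-054.dialup.example.net [203.0.113.54])
\tby relay.hosting.example (8.9.3) with SMTP id CAA25045; Mon, 15 May 2000 02:47:40 -0500
Received: from mail.bigfreemail.example ([192.0.2.99])
\tby unrelated.example with SMTP id ZZZ999; Mon, 15 May 2000 02:40:00 -0500
From: sales@claimed-sender.example
Subject: constructed sample

body
"""

# helo = what the client claimed; rdns/ip = what the receiving relay observed.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def received_hops(raw):
    """Parse Received headers, newest (top) first."""
    values = message_from_string(raw).get_all("Received", [])
    return [m.groupdict() for m in map(HOP.search, values) if m]

def origin(raw):
    """Deepest hop whose writer matches the sender recorded one hop above."""
    hops = received_hops(raw)
    trusted = hops[0] if hops else None
    for upper, lower in zip(hops, hops[1:]):
        seen = {upper["helo"].lower(), (upper["rdns"] or "").lower()}
        if lower["by"].lower() not in seen:
            break  # chain broken: this header and those below may be forged
        trusted = lower
    return trusted

def abuse_address(hop):
    """abuse@ the last two labels of the observed rDNS name (naive cut)."""
    if not hop or not hop["rdns"]:
        return None  # no rDNS recorded: look up the IP's owner instead
    return "abuse@" + ".".join(hop["rdns"].lower().rstrip(".").split(".")[-2:])

if __name__ == "__main__":
    hop = origin(RAW)
    print(hop["helo"], hop["rdns"], hop["ip"], abuse_address(hop))
```

The "by" match is a heuristic, since the name a relay writes for itself need not equal the name it announces to the next hop; the only headers that are fully reliable are the ones your own provider added.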