e-Spam Complaint Addresses - Steven J. Coker
Subject: e-Spam Complaint Addresses
From: Steven J. Coker
Date: April 04, 1998

http://ddi.digital.net/~gandalf/spamfaq.html

A list of complaint addresses
==============================

O.K... So you have a common site that you can complain to. Good. If you cannot
figure out where the message came from, you can post the FULL HEADERS (this is
*very* important for tracing) to news.admin.net-abuse.misc,
news.admin.net-abuse.email or news.admin.net-abuse.usenet (see the section
entitled Reporting Spam and tracing a posted message). Usually you can get
someone to help with the message.

If you complain to the spammer directly, you may just be confirming a "real"
live e-mail address, which may lead to even more junk e-mail. I would suggest
complaining to the owner of the site only. You can send e-mail to
[email protected] (where foo.bar.com is the provider you are complaining to)
and it will get forwarded to the "best" e-mail address. See
http://www.abuse.net

There is a list of admins to contact (besides the list contained here):

http://NCTUCCCA.Edu.Tw/ftp/documents/Internet/MaasInfo/Other/ComplainToWhom.html

http://www-fofa.concordia.ca/spam/complaints.shtml

Greg reminds us that if you are complaining to a postmaster about a week-old
post, don't bother. It's not on their server, they can't verify it. Make sure
you use terms correctly. A recent trend is to call any off-topic post "spam".
It's not. I deal with spammers and off-topic or advertising posters differently.
Other providers do also. Also, try to keep the clutter in your complaints down.
I don't need a copy of the referenced RFC or statute. It doesn't help either of
us if I can't find your complaint in between all the mumbo jumbo.

Send complaint with FULL HEADERS in e-mail to any or all of the below :

[email protected]
[email protected]
[email protected]

Note : [email protected] and [email protected] are not "standard" complaint e-mail
addresses, but I have seen those listed more and more frequently.

A nice Perl script put together to complain about spam (by Nate) is at :

http://www.metareality.com/~nathan/visit.cgi/spam/html.Perl

Chris tells us :

If you see MMFs or other gross abuses from AOL, MSN, MCI (_not_internetmci),
Primenet, Panix, please do not report them to news.admin.net-abuse.misc. Just
wastes bandwidth. Email your report directly to the provider:

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

By "gross abuses", please try to ensure that it really is likely to be spam. Not
one article cross-posted lots, but lots of articles that you see yourself. In
AOL or MCI's case, the definition of abuse is somewhat stricter (AOL bans
commercial use. MCI's tolerance threshold is lower).

For the following providers the correct e-mail address is:

4websites.com / www.4cruises.com - Connectivity by netcom.net. Send complaints
to [email protected] or [email protected]

ABSnet - [email protected] or [email protected]

AGIS.NET - You can complain to [email protected] or [email protected] , but it is
probably a waste of your time. AGIS.NET should be UDP'ed (Usenet Death Penalty,
i.e. no Usenet (news) connectivity to or from AGIS.NET), and cut off from all
SMTP mail exchanges. They do not put any restrictions on SPAM sent out by their
customers. I complained enough to sprintlink.net (they provide connectivity to
AGIS.NET for me, found thru a traceroute) and eventually I stopped getting all
SPAM from CyberPromo. AGIS.NET is partially owned by
http://www.alltel.com/overview/news/n411m19a.html

For the full story on AGIS.NET see :
http://members.aol.com/macabrus/agisfaq.html

Aloha.Net - [email protected] 

AOL - [email protected]. Emergency - send complete copies to [email protected]

www.angelfire.com or angelfire.com - [email protected]

answerme.com - See CyberPromo.com

AT&T WorldNet Services - [email protected]

Bellatlantic.net - [email protected]

Bellsouth - [email protected]

Best.com - [email protected]

Cais.net - [email protected] - http://www.cais.net/caisweb/cais-aup.html - CAIS
acceptable use

Com.BR - Policy - [email protected] security violations write the list
[email protected]

Compuserve - compumail [email protected] or [email protected] or
[email protected], compunews [email protected]

CyberPromo.com - You can try [email protected] since they provide connectivity
but see above. You can try contacting [email protected],
[email protected] or [email protected] or any of the other backbone
providers. Maybe they can do something.

For the full story on CyberPromo.com see :
http://members.aol.com/macabrus/cpfaq.html

Demon.net - [email protected], [email protected] or [email protected]

DejaNews - [email protected] - See http://postnews.dejanews.com/post.xp

Digex.net - [email protected] (along with your name & postal address, including
city & state) http://www.access.digex.net/~policy/digex-aup.html

Digital-market.com - www.digital-market.com - See CyberPromo

Direct.CA - [email protected]

earthlink.net - [email protected] or [email protected]
http://www.earthlink.net/company/aupolicy.html - Acceptable use

Erols.com - [email protected]

Exec-PC Inc. - [email protected]

Freenet.carleton.ca - [email protected]

Geocities.com - [email protected]

gergs_bane.org (does not exist, it is faked) - See UUNET - [email protected]

GNN.Com - For help regarding a problem with a GNN member - [email protected].

GTE.net - [email protected]

hitsrus.com - Another AGIS.NET spamming domain. See AGIS.NET

Hongkong's ISPs - send an email to [email protected] with anything in the
subject/body. You'll get a most recent version of the list contacts by email
within minutes.

IBM Net - [email protected] - Also see http://www.ibm.net/helpdesk.html

IDT.Net - [email protected], but [email protected] is an emergency contact

interramp.com - [email protected] or [email protected]

interserve.com.hk - Mr. K H Lee - [email protected].

INS Info Services (netins.net) - [email protected] 

iSTAR Canada (istar.ca, inforamp.net, hotstar.net, magi.com, or nstn.ca) -
[email protected]

Juno.com - [email protected]

LAKER.NET [email protected] or VOICE 1-954-359-3670 FAX 1-954-359-2741

LLV.COM - Yet another Spam domain that uses AGIS.net as a provider.

Loop.Com or Loop.net - [email protected]

MALIBU - [email protected]

MCI Net - [email protected] For security problems see
http://www.security.MCI.NET

Campus.MCI.Net - [email protected]

MCSNet - [email protected]

mkt-america.com - See AGIS.net

Mindspring.com - [email protected] Note : Mindspring is no longer affiliated
with INTERRAMP.COM

money.com or money.now - [email protected]

MS.UU.Net - Example CustXX.MaxXX.city.ST.MS.UU.NET and explicitly contains an
MSN e-mail address (@msn.com) -
[email protected]

MS.UU.Net - Example CustXX.MaxXX.city.ST.MS.UU.NET and does not have @msn.com -
[email protected]

Netcom or any account with an @ix.netcom.com address - [email protected] for
standard SPAM junk. [email protected] is for instances of forgery, cracking
etc. NetCruiser Technical Support - [email protected]. For a Netcom network
customer (like shippingplanet.com) send e-mail to [email protected].

Netins.net - [email protected]

NEVWEST.COM - Yet another AGIS Spam domain in conjunction with LLV.COM.

pacbell.net - [email protected], [email protected]

Pipeline.com - [email protected], [email protected] bounced back to me.

PIPEX- [email protected], International - [email protected], Unipalm
PIPEX - [email protected]

portal.com - [email protected]

Prodigy - [email protected] or [email protected] (but many times this mailbox
is full). I don't think [email protected] is read by a person. Security
issues can be sent to [email protected] .

pwrnet - [email protected]

PSI Net - [email protected], [email protected] PSI Net policies -
http://www.psi.net/csg/netabuse.html ... Note : Earthlink uses PSINet's pops

QUANTCOM.COM - See AGIS.net. A long time reputation of spamming on the Internet.

Rain.net - [email protected]

savetrees.com - See CyberPromo.com

Slip Net - [email protected] - Tech Support

Southwindent.com - [email protected] - See
http://www.southwindent.com/policies.htm

Sprint - [email protected]

Sprintlink - 800-669-8303 [email protected], [email protected]. For
dialsprint.net abuse reports send to [email protected] . For sprintmail.com
abuse reports send to [email protected] . You can view Sprint's Policy at
http://www.sprintbiz.com/data1/ip/policy.html

sprynet - [email protected]

Teleport System Administration - teleport.com - [email protected]

tip.net - [email protected] [email protected]

University of Pennsylvania - [email protected] - For security matters :
[email protected]

Other matters: [email protected]

USA.Net - http://netaddress.usa.net/nospam.html

UUNET Customer Liaison - MASSMAIL (E-Mail SPAMS) - [email protected], Newsgroup Spams
- [email protected]. [email protected] See Also MS.UU.Net - For abuse of the
open UUNET NNTP port, UUNET will block the site if you complain. See
Gergsbane.org

From : David Jackson ([email protected]) (and this applies to *any* abuse) :

To report an instance of USENET abuse send mail to [email protected] - please
remember to include a complete copy of the USENET article, including all
headers, to help us quickly quash the abuse.

Scott reminds us :

It might also be a good idea to remind people that sometimes the postmaster _is_
the spammer. Joe Spam might have his own domain (since they _used_ to be free)
inside of which they are the postmaster. This is terrifyingly common with
net.twits (kooks, etc.) but seems rare for spam. A quick note that if the
spammer is the admin contact in whois, notifying the postmaster will surely
generate laughs on their end.

In the letter to the postmaster, you might wish to mention Joel's very good FAQ
about advertising on the Internet :

http://www.cs.ruu.nl/wais/html/na-dir/usenet/advertising/how-to/part1.html

http://www.cis.ohio-state.edu/hypertext/faq/usenet/usenet/advertising/how-to/part1/faq.html

And where they *should* advertise :

http://www.cs.ruu.nl/wais/html/na-dir/finding-groups/general.html

Or for why posting business or e-mailing business ads are bad :

http://www.phoenix.net/~lildan/FAQ/commercial-ads-faq.html

If you don't get a proper response from the postmaster, remember, Whois -
rs.internic.net is your friend. You can get information on / about a site by:

telnet rs.internic.net

whois spammer.site.net

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's). Please use the whois server at
nic.ddn.mil for MILNET Information.

This *should* get you a person to talk to & their personal e-mail address. If
you don't get any response from that postmaster, then you should try the
provider to that site. This gets a little trickier, but a multinet traceroute
should show you the upstream provider, and from there you can try contacting the
postmasters of *that* site.

Any non-profit organization (like a University) should be very happy to help get
rid of a spammer if the non-profit organization's resources are being used to
spam for a for-profit business. The IRS can take their non-profit status away for
such things. Talk to the legal counsel at the non-profit organization if you
don't get a positive response from the postmaster.

Worst case, a site can be UDP'ed (Usenet Death Penalty) so that other sites
stop accepting news or even e-mail from that site. They are cut off from the
net. Decisions like this are discussed in the news group
news.admin.net-abuse.misc .

Thanks to Leslie, here is whom to contact about domains that have invalid
contact information:

Internic Registration Services should be contacted by phone:

703/742-4777

or email:

[email protected]

If the spammer site has problems trying to figure out where the spam came from,
they can *always* get help from the denizens of news.admin.net-abuse.misc, but
have them take a look at their logs first and see if they see something like
(Thanks to help from Michael):

My news logs (for INND) are:

$ cd /usr/log/news
$ ls
OLD          expire.log   news.err     unwanted.log
errlog       news         news.notice
expire.list  news.crit    nntpsend.log

and here is my syslog.conf:

## news stuff
news.crit /usr/log/news/news.crit
news.err /usr/log/news/news.err
news.notice /usr/log/news/news.notice
news.info /usr/log/news/news
news.debug /usr/log/news/news.debug

but, what they need to remember, is they HAVE TO LOOK QUICK! INND expire puts
all these logs in OLD, and recycles them, and expires them at the 7th day (and
gzips them), i.e., OLD/:

ls -l news.?.*
-r--r----- 1 news news 181098 May 23 06:26 news.1.gz
...
-r--r----- 1 news news 319343 May 17 06:29 news.7.gz

so... to grep an old log looking for sfa.ufl.edu:

(the {nn} is how many days ago, 1 is yesterday, 2 is 2 days ago, etc)

cd {log/OLD}

gunzip -c news.1.gz | grep sfa.ufl.edu | more
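
Because the rotated logs only survive for seven days, it helps to search today's log and every archived one in a single pass. The function below is an added example, not part of the original FAQ; the function names are hypothetical, the directory layout is assumed from the listing above, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: search INN's current and rotated logs for one host.
# Layout assumed from the listing above: $LOGDIR/news and $LOGDIR/OLD/news.N.gz

# search_news_logs HOST [LOGDIR]
# Prints "N:<log line>" for every match, where N is how many days ago
# the log was written (0 = today's uncompressed log).
search_news_logs() {
    host=$1
    logdir=${2:-/usr/log/news}
    # -F treats the dots in HOST literally (a bare grep would let "." match
    # any character); -i because host names are case-insensitive.
    if [ -f "$logdir/news" ]; then
        grep -F -i -- "$host" "$logdir/news" | sed 's/^/0:/'
    fi
    n=1
    while [ "$n" -le 7 ]; do          # logs older than 7 days are already gone
        f="$logdir/OLD/news.$n.gz"
        if [ -f "$f" ]; then
            gunzip -c "$f" | grep -F -i -- "$host" | sed "s/^/$n:/"
        fi
        n=$((n + 1))
    done
    return 0
}

# Demo on constructed log lines (not real INN output) in a scratch directory.
search_news_logs_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/OLD"
    printf '%s\n' 'May 24 10:00:01 innd: sfa.ufl.edu connected 12' \
                  'May 24 10:00:05 innd: other.example connected 13' > "$d/news"
    printf '%s\n' 'May 23 09:00:00 innd: SFA.UFL.EDU connected 9' |
        gzip -c > "$d/OLD/news.1.gz"
    printf '%s\n' 'May 21 09:00:00 innd: sfaXuflXedu connected 7' |
        gzip -c > "$d/OLD/news.3.gz"
    search_news_logs sfa.ufl.edu "$d"
    rm -rf "$d"
}

search_news_logs_demo
```

The third constructed line shows why -F matters: an unanchored regular-expression grep for sfa.ufl.edu would also report it.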

Trying to catch the suspect still logged on
===========================================

If you think you know a machine close to the spammer, you can change your
default DNS lookup server (and get *lots* more info ;-)) by :

$ nslookup
server wb3ffv.abs.net
Default Server: wb3ffv.abs.net
Address: 206.42.80.130
ls -d kjl.com
[wb3ffv.abs.net]
kjl.com. SOA kjl.com dns-admin.abs.net. (10 21600 3600 604800 86400)
kjl.com. NS ns1.abs.net
kjl.com. NS ns2.abs.net
kjl.com. MX 10 abs.net
kjl.com. SOA kjl.com dns-admin.abs.net. (10 21600 3600 604800 86400)

If you are quick enough, you can see if the spammer is still on by :

multinet RUSERS rust.nmt.edu

And you might get :

kuller ray timbers jweinman timbers john timbers rayzer

Assuming that the spammer is from ingress.com you can expand the spammer's UserID
(some sites have expn / vrfy turned off) by:

telnet ingress.com smtp
Trying 199.171.57.2 ...
Connected to ingress.com.
Escape character is '^]'.
220 ingress.com Sendmail 4.1/SMI-4.1 ready at Sun, 22 Oct 95 15:13:39 EDT
expn krazykev
250 Lipsitz Kevin [email protected]

We connect to port 25 (smtp) and issue an expn command. Looks like
[email protected] is being used as a maildrop for this user. I would send my
complaint to [email protected] as well (not that it would do any good in Krazy
Kevin's case... but the reply to your e-mail might be amusing).

To find out the Mail Exchange records, do a nslookup for the MX records only.
You can then look up the expansion of the postmaster or root to see who they
really are. For example :

% nslookup
set type=mx
gnn.com
gnn.com preference = 20, mail exchanger = mail-e1a.gnn.com
gnn.com preference = 10, mail exchanger = mail-e1b.gnn.com
% telnet mail-e1a.gnn.com smtp
220 mail-e1a.gnn.com ESMTP Sendmail 8.7.1/8.6.9 ready at Thu, 11 Jan 1996
12:54:26 -0500 (EST)
expn postmaster
[email protected]
250 [email protected]
expn root
[email protected]
250 [email protected]

You can use the 'host' command. It's really simple:

% host -t any domain.name

This will give you anything your name server can find out.

% host -t ns domain.name

This tells you the name servers. Not all systems have host, but it's a small
program which should be easy to compile (like whois).

The command "last" will tell where the spammer logged on from last, but it has
to be done by a user from that site. For example :

last imrket4u

Would produce :
imrket4u ttypf ip30.abq-dialin.hollyberry.com Fri Sep 15 00:27 - 00:34 (00:06)
imrket4u ttyq8 ip30.abq-dialin.hollyberry.com Fri Sep 15 00:19 - 00:20 (00:01)
imrket4u ttyqc abq-ts1 Thu Sep 14 20:42 - 22:21 (01:39)
imrket4u ttyqc rust.nmt.edu Thu Sep 14 18:39 - 18:41 (00:01)
imrket4u ttypb abq-ts1 Thu Sep 14 17:55 - 17:57 (00:02)

Filtering E-Mail using procmail or News with Gnus
==================================================

Get the procmail FAQ :
http://www.ii.com/internet/faqs/launchers/mail/filtering-faq
http://www.best.com/~ii/internet/faqs/launchers/mail/filtering-faq
http://www.ii.com/internet/robots
http://www.best.com/~ii/internet/robots
http://www.cis.ohio-state.edu/hypertext/faq/usenet/mail/filtering-faq/faq.html

Or read about it when it is posted to :

Newsgroups: comp.mail.misc , comp.mail.elm , comp.mail.pine , comp.answers ,
news.answers
   Subject: Filtering Mail FAQ

Bob tells me that Eudora Pro has a good filtering capability. You can filter
based on who you send e-mail to, known spammers, etc. Enough filters and you may
see hardly any Spam. Claris E-Mailer, likewise, has a filter option.

Brian has a Gnus scorefile from the Internet blacklist : 
http://www.cs.ubc.ca/spider/edmonds/usenet/gnus/BLACKLIST

Or his example global scorefile :
http://www.cs.ubc.ca/spider/edmonds/usenet/gnus/SCORE

Many news readers have a "kill" file that will filter out the posts from either
a certain user-id, or posts with certain titles. Each news reader is unique. You
might wish to read the help file on the subject of kill files.

Rejecting E-Mail from domains that continue to Spam
====================================================

Spamfilters can be found at:
http://www.io.com/~johnbob/jm/index.html
http://www.samiam.org/spam/index.html
http://www.best.com/~ariel/nospam

List of spammers: 
http://www.samiam.org/spam/spammers.txt
http://www.idot.aol.com/preferredmail

Or look at a page on how to block e-mail : 
http://www.nepean.uws.edu.au/users/david/pe/blockmail.html

Ask your admin to add the following to their sendmail.cf. This will reject all
mail that continues to come in from domains that only send out spam. This is a
group effort from many admins :

Modify your sendmail.cf in the following way.

1. Setup a hash table with the domains you wish to block:

# Bad domains (spam kings)
FK/etc/mailspamdomains

2. Add the following rules to S98 (be sure that there are three lines (i.e. the
lines are not split up) and be sure to put a TAB character between the $* and
the $#error, not a space) :

### Spam blockage
R$* @$*$=K . $*	$#error $@ 5.1.3 $: "Your domain has been blocked due to spam problems. Contact your administrator."
R$* @$*$=K $*	$#error $@ 5.1.3 $: "Your domain has been blocked due to spam problems. Contact your administrator."

3. Make your hash table. Here are some suggestions :

moneyworld.com
interramp.com
dm1.com
zygon.com
zygn.com
stockpick.com
netamerica1.com
selfhelpnet.com
helpnet.net
buytime.com
jackpots.com
cyberpromo.com
californiakid.com
lsat.com
megd.com
pwrnet.com
bulk-e-mail.com
bigprofits.com
bbbiiizzz.com
owlsnest.com
natureplus.com
globalfn.com

Mail that comes in from any of these domains will be returned to sender with the
error. If the sender is bogus, it will bother the postmaster at the bad domain
in an appropriate manner.

Keep in mind that *ALL* email from these domains will be blocked. This is really
only a good solution for domains that are setup by spammers for spamming.
Blocking something like aol.com, although it may seem initially attractive ;-),
would cause problems for legitimate users of email in that domain. Compile your
list after careful verification that these domains fit the above description.
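
Before installing the list, it can be dry-run against sample sender addresses to see what would be rejected. The check below is an added example, not part of the original FAQ or of sendmail; it assumes the two rules are meant to match a listed domain and any host under it on label boundaries, and the function names and sample addresses are hypothetical.

```shell
#!/bin/sh
# Added example: dry-run a domain block list against sender addresses.
# Assumption: a listed domain blocks itself and every host beneath it,
# matched on whole dot-separated labels (so notcyberpromo.com is NOT hit).

# is_blocked ADDRESS LISTFILE  ->  exit status 0 if the sender would be rejected
is_blocked() {
    addr=$1
    list=$2
    case $addr in
        *@*) ;;
        *) return 1 ;;                 # no domain part, nothing to match
    esac
    # Domain = text after the last "@", lower-cased; drop a closing ">"
    # and the trailing dot of a fully qualified name.
    domain=$(printf '%s' "${addr##*@}" | tr '[:upper:]' '[:lower:]')
    domain=${domain%>}
    domain=${domain%.}
    while [ -n "$domain" ]; do
        # -x whole line, -F literal dots, -i tolerate mixed-case list entries
        if grep -q -i -x -F -- "$domain" "$list"; then
            return 0
        fi
        case $domain in
            *.*) domain=${domain#*.} ;;   # strip leftmost label, try the parent
            *) break ;;
        esac
    done
    return 1
}

# Demo with a constructed two-entry list and constructed sender addresses.
check_senders_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' cyberpromo.com moneyworld.com > "$tmp"
    for a in user@cyberpromo.com 'x@mail.CyberPromo.com.' \
             user@notcyberpromo.com user@aol.com; do
        if is_blocked "$a" "$tmp"; then
            echo "REJECT $a"
        else
            echo "accept $a"
        fi
    done
    rm -f "$tmp"
}

check_senders_demo
```

Running a sample of real inbound sender addresses through the same check shows which legitimate correspondents a candidate entry would cut off.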

http://ddi.digital.net/~gandalf/spamfaq.html

==== SCROOTS Mailing List ====



