Subject: e-Spam Complaint Addresses
From: Steven J. Coker
Date: April 04, 1998

http://ddi.digital.net/~gandalf/spamfaq.html

A list of complaint addresses
==============================

O.K... So you have a common site that you can complain to. Good. If you cannot figure out where the message came from, you can post the FULL HEADERS (this is *very* important for tracing) to news.admin.net-abuse.misc, news.admin.net-abuse.email or news.admin.net-abuse.usenet (see the section entitled Reporting Spam and tracing a posted message). Usually you can get someone to help with the message.

If you complain to the spammer directly, you may just be confirming a "real" live e-mail address, which may lead to even more junk e-mail. I would suggest complaining to the owner of the site only.

You can send e-mail to [email protected] (where foo.bar.com is the provider you are complaining to) and it will get forwarded to the "best" e-mail address. See http://www.abuse.net

There is a list of admins to contact (besides the list contained here):

    http://NCTUCCCA.Edu.Tw/ftp/documents/Internet/MaasInfo/Other/ComplainToWhom.html
    http://www-fofa.concordia.ca/spam/complaints.shtml

Greg reminds us that if you are complaining to a postmaster about a week-old post, don't bother. It's not on their server, they can't verify it. Make sure you use terms correctly. A recent trend is to call any off-topic post "spam". It's not. I deal with spammers and off-topic or advertising posters differently. Other providers do also. Also, try to keep the clutter in your complaints down. I don't need a copy of the referenced RFC or statute. It doesn't help either of us if I can't find your complaint in between all the mumbo jumbo.

Send complaint with FULL HEADERS in e-mail to any or all of the below :

    [email protected]
    [email protected]
    [email protected]

Note : [email protected] and [email protected] are not "standard" complaint e-mail addresses, but I have seen those listed more and more frequently.

A nice Perl script put together to complain about spam (by Nate) is at : http://www.metareality.com/~nathan/visit.cgi/spam/html.Perl

Chris tells us : If you see MMFs or other gross abuses from AOL, MSN, MCI (_not_internetmci), Primenet, Panix, please do not report them to news.admin.net-abuse.misc. Just wastes bandwidth. Email your report directly to the provider:

    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]

By "gross abuses", please try to ensure that it really is likely to be spam. Not one article cross-posted lots, but lots of articles that you see yourself. In AOL or MCI's case, the definition of abuse is somewhat stricter (AOL bans commercial use. MCI's tolerance threshold is lower)

For the following providers the correct e-mail address is:

4websites.com / www.4cruises.com - Connectivity by netcom.net. Send complaints to [email protected] or [email protected]
ABSnet - [email protected] or [email protected]
AGIS.NET - You can complain to [email protected] or [email protected], but it is probably a waste of your time. AGIS.NET should be UDP'ed (Usenet Death Penalty, i.e. no Usenet (news) connectivity to or from AGIS.NET), and cut off from all SMTP mail exchanges. They do not put any restrictions on SPAM sent out by their customers. I complained enough to sprintlink.net (they provide connectivity to AGIS.NET for me, found thru a traceroute) and eventually I stopped getting all SPAM from CyberPromo. AGIS.NET is partially owned by http://www.alltel.com/overview/news/n411m19a.html For the full story on AGIS.NET see : http://members.aol.com/macabrus/agisfaq.html
Aloha.Net - [email protected]
AOL - [email protected].
Emergency - send complete copies to [email protected]
www.angelfire.com or angelfire.com - [email protected]
answerme.com - See CyberPromo.com
AT&T WorldNet Services - [email protected]
Bellatlantic.net - [email protected]
Bellsouth - [email protected]
Best.com - [email protected]
Cais.net - [email protected] - http://www.cais.net/caisweb/cais-aup.html - CAIS acceptable use
Com.BR - Policy - [email protected] security violations write the list [email protected]
Compuserve - compumail [email protected] or [email protected] or [email protected], compunews [email protected]
CyberPromo.com - You can try [email protected] since they provide connectivity but see above. You can try contacting [email protected], [email protected] or [email protected] or any of the other backbone providers. Maybe they can do something. For the full story on CyberPromo.com see : http://members.aol.com/macabrus/cpfaq.html
Demon.net - [email protected], [email protected] or [email protected]
DejaNews - [email protected] - See http://postnews.dejanews.com/post.xp
Digex.net - [email protected] (along with your name & postal address (including city & state)) http://www.access.digex.net/~policy/digex-aup.html
Digital-market.com - www.digital-market.com - See CyberPromo
Direct.CA - [email protected]
earthlink.net - [email protected] or [email protected] http://www.earthlink.net/company/aupolicy.html - Acceptable use
Erols.com - [email protected]
Exec-PC Inc. - [email protected]
Freenet.carleton.ca - [email protected]
Geocities.com - [email protected]
gergs_bane.org (does not exist, it is faked) - See UUNET - [email protected]
GNN.Com - For help regarding a problem with a GNN member - [email protected].
GTE.net - [email protected]
hitsrus.com - Another AGIS.NET spamming domain. See AGIS.NET
Hongkong's ISPs - send an email to [email protected] with anything in the subject/body. You'll get a most recent version of the list contacts by email within minutes.
IBM Net - [email protected] - Also see http://www.ibm.net/helpdesk.html
IDT.Net - [email protected], but [email protected] is an emergency contact
interramp.com - [email protected] or [email protected]
interserve.com.hk - Mr. K H Lee - [email protected].
INS Info Services (netins.net) - [email protected]
iSTAR Canada (istar.ca, inforamp.net, hotstar.net, magi.com, or nstn.ca) - [email protected]
Juno.com - [email protected]
LAKER.NET [email protected] or VOICE 1-954-359-3670 FAX 1-954-359-2741
LLV.COM - Yet another Spam domain that uses AGIS.net as a provider.
Loop.Com or Loop.net - [email protected]
MALIBU - [email protected]
MCI Net - [email protected] For security problems see http://www.security.MCI.NET
Campus.MCI.Net - [email protected]
MCSNet - [email protected]
mkt-america.com - See AGIS.net
Mindspring.com - [email protected] Note : Mindspring is no longer affiliated with INTERRAMP.COM
money.com or money.now - [email protected]
MS.UU.Net - Example CustXX.MaxXX.city.ST.MS.UU.NET and explicitly contains an MSN e-mail address (@msn.com) - [email protected]
MS.UU.Net - Example CustXX.MaxXX.city.ST.MS.UU.NET and does not have @msn.com - [email protected]
Netcom or any account with an @ix.netcom.com address - [email protected] for standard SPAM junk. [email protected] is for instances of forgery, cracking etc.
NetCruiser Technical Support - [email protected]. For a Netcom network customer (like shippingplanet.com) send e-mail to [email protected].
Netins.net - [email protected]
NEVWEST.COM - Yet another AGIS Spam domain in conjunction with LLV.COM.
pacbell.net - [email protected], [email protected]
Pipeline.com - [email protected], [email protected] bounced back to me.
PIPEX - [email protected], International - [email protected], Unipalm PIPEX - [email protected]
portal.com - [email protected]
Prodigy - [email protected] or [email protected] (but many times this mailbox is full). I don't think [email protected] is read by a person.
Security issues can be sent to [email protected].
pwrnet - [email protected]
PSI Net - [email protected], [email protected] PSI Net policies - http://www.psi.net/csg/netabuse.html ... Note : Earthlink uses PSINet's pops
QUANTCOM.COM - See AGIS.net. A long time reputation of spamming on the Internet.
Rain.net - [email protected]
savetrees.com - See CyberPromo.com
Slip Net - [email protected] - Tech Support
Southwindent.com - [email protected] - See http://www.southwindent.com/policies.htm
Sprint - [email protected]
Sprintlink - 800-669-8303 [email protected], [email protected]. For dialsprint.net abuse reports send to [email protected]. For sprintmail.com abuse reports send to [email protected]. You can view Sprint's Policy at http://www.sprintbiz.com/data1/ip/policy.html
sprynet - [email protected]
Teleport System Administration - teleport.com - [email protected]
tip.net - [email protected] [email protected]
University of Pennsylvania - [email protected] - For security matters : [email protected] Other matters: [email protected]
USA.Net - http://netaddress.usa.net/nospam.html
UUNET Customer Liaison - MASSMAIL (E-Mail SPAMS) - [email protected], Newsgroup Spams - [email protected]. [email protected] See Also MS.UU.Net - For abuse of the open UUNET NNTP port, UUNET will block the site if you complain. See Gergsbane.org

From : David Jackson ([email protected]) (and this applies to *any* abuse) : To report an instance of USENET abuse send mail to [email protected] - please remember to include a complete copy of the USENET article, including all headers, to help us quickly quash the abuse.

Scott reminds us : It might also be a good idea to remind people that sometimes the postmaster _is_ the spammer. Joe Spam might have his own domain (since they _used_ to be free) inside of which they are the postmaster. This is terrifyingly common with net.twits (kooks, etc.) but seems rare for spam.
A quick note that if the spammer is the admin contact in whois, notifying the postmaster will surely generate laughs on their end.

In the letter to the postmaster, you might wish to mention Joel's very good FAQ about advertising on the Internet :

    http://www.cs.ruu.nl/wais/html/na-dir/usenet/advertising/how-to/part1.html
    http://www.cis.ohio-state.edu/hypertext/faq/usenet/usenet/advertising/how-to/part1/faq.html

And where they *should* advertise :

    http://www.cs.ruu.nl/wais/html/na-dir/finding-groups/general.html

Or for why posting business or e-mailing business ads are bad :

    http://www.phoenix.net/~lildan/FAQ/commercial-ads-faq.html

If you don't get a proper response from the postmaster, remember, Whois - rs.internic.net is your friend. You can get information on / about a site by:

    telnet rs.internic.net
    whois spammer.site.net

The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.

This *should* get you a person to talk to & their personal e-mail address. If you don't get any response from that postmaster, then you should try the provider to that site. This gets a little trickier, but a multinet traceroute should show you the upstream provider, and from there you can try contacting the postmasters of *that* site.

Any non-profit organization (like a University) should be very happy to help get rid of a spammer if the non-profit organization's resources are being used to spam a for-profit business. The IRS can take their non-profit status away for such things. Talk to the legal counsel at the non-profit organization if you don't get a positive response from the postmaster.

Worst case, a site can be UDP (Usenet Death Penalty) out so that other sites stop accepting news or even e-mail from that site. They are cut off from the net. Decisions like this are discussed in the news group news.admin.net-abuse.misc.

Thanx to Leslie, whom to contact about domains that have invalid contact information : Internic Registration Services should be contacted by phone: 703/742-4777 or email: [email protected]

If the spammer site has problems trying to figure out where the spam came from, they can *always* get help from the denizens of news.admin.net-abuse.misc, but have them take a look at their logs first and see if they see something like (Thanks to help from Michael):

My news logs (for INND) are:

    $ cd /usr/log/news
    $ ls
    OLD expire.log news.err unwanted.log
    errlog news news.notice
    expire.list news.crit nntpsend.log

and here is my syslog.conf:

    ## news stuff
    news.crit     /usr/log/news/news.crit
    news.err      /usr/log/news/news.err
    news.notice   /usr/log/news/news.notice
    news.info     /usr/log/news/news
    news.debug    /usr/log/news/news.debug

but, what they need to remember, is they HAVE TO LOOK QUICK!. INND expire puts all these logs in OLD, and recycles them, and expires them at the 7th day (and gzips them), i.e., OLD/:

    ls -l news.?.*
    -r--r----- 1 news news 181098 May 23 06:26 news.1.gz
    ...
    -r--r----- 1 news news 319343 May 17 06:29 news.7.gz

so... to grep an old log looking for sfa.ufl.edu: (the {nn} is how many days ago, 1 is yesterday, 2 is 2 days ago, etc)

    cd {log/OLD}
    gunzip -c news.1.gz | grep sfa.ufl.edu | more

Trying to catch the suspect still logged on
===========================================

If you think you know a machine close to the spammer, you can change your default DNS lookup server (and get *lots* more info ;-)) by :

    $ nslookup
    server wb3ffv.abs.net
    Default Server: wb3ffv.abs.net
    Address: 206.42.80.130

    ls -d kjl.com
    [wb3ffv.abs.net]
    kjl.com. SOA kjl.com dns-admin.abs.net. (10 21600 3600 604800 86400)
    kjl.com. NS ns1.abs.net
    kjl.com. NS ns2.abs.net
    kjl.com. MX 10 abs.net
    kjl.com. SOA kjl.com dns-admin.abs.net.
    (10 21600 3600 604800 86400)

If you are quick enough, you can see if the spammer is still on by :

    multinet RUSERS rust.nmt.edu

And you might get :

    kuller ray timbers jweinman timbers john timbers rayzer

Assuming that the spammer is from ingress.com you can expand the Spammers UserID (some sites have expn / vrfy turned off) by:

    telnet ingress.com smtp
    Trying 199.171.57.2 ...
    Connected to ingress.com.
    Escape character is '^]'.
    220 ingress.com Sendmail 4.1/SMI-4.1 ready at Sun, 22 Oct 95 15:13:39 EDT
    expn krazykev
    250 Lipsitz Kevin [email protected]

We connect to port 25 (smtp) and issue an expn command. Looks like [email protected] is being used as a maildrop for this user. I would send my complaint to [email protected] as well (not that it would do any good in Krazy Kevin's case... but the reply to your e-mail might be amusing).

To find out the Mail Exchange records, do a nslookup for the MX records only. You can then look up the expansion of the postmaster or root to see who they really are. For example :

    % nslookup
    set type=mx
    gnn.com
    gnn.com preference = 20, mail exchanger = mail-e1a.gnn.com
    gnn.com preference = 10, mail exchanger = mail-e1b.gnn.com

    % telnet mail-e1a.gnn.com smtp
    220 mail-e1a.gnn.com ESMTP Sendmail 8.7.1/8.6.9 ready at Thu, 11 Jan 1996 12:54:26 -0500 (EST)
    expn postmaster
    [email protected]
    250 [email protected]
    expn root
    [email protected]
    250 [email protected]

You can use the 'host' command. It's really simple:

    % host -t any domain.name

This will give you anything your name server can find out.

    % host -t ns domain.name

This tells you the name servers. Not all systems have host, but it's a small program which should be easy to compile (like whois).

The command "last" will tell where the spammer logged on from last, but it has to be done by a user from that site.
For example :

    last imrket4u

Would produce :

    imrket4u ttypf ip30.abq-dialin.hollyberry.com Fri Sep 15 00:27 - 00:34 (00:06)
    imrket4u ttyq8 ip30.abq-dialin.hollyberry.com Fri Sep 15 00:19 - 00:20 (00:01)
    imrket4u ttyqc abq-ts1 Thu Sep 14 20:42 - 22:21 (01:39)
    imrket4u ttyqc rust.nmt.edu Thu Sep 14 18:39 - 18:41 (00:01)
    imrket4u ttypb abq-ts1 Thu Sep 14 17:55 - 17:57 (00:02)

Filtering E-Mail using procmail or News with Gnus
==================================================

Get the procmail FAQ :

    http://www.ii.com/internet/faqs/launchers/mail/filtering-faq
    http://www.best.com/~ii/internet/faqs/launchers/mail/filtering-faq
    http://www.ii.com/internet/robots
    http://www.best.com/~ii/internet/robots
    http://www.cis.ohio-state.edu/hypertext/faq/usenet/mail/filtering-faq/faq.html

Or read about it when it is posted to :

    Newsgroups: comp.mail.misc , comp.mail.elm , comp.mail.pine , comp.answers , news.answers
    Subject: Filtering Mail FAQ

Bob tells me that Eudora Pro has a good filtering capability. You can filter based on who you send e-mail to, known spammers, etc. Enough filters and you may see hardly any Spam. Claris E-Mailer, likewise, has a filter option.

Brian has a Gnus scorefile from the Internet blacklist : http://www.cs.ubc.ca/spider/edmonds/usenet/gnus/BLACKLIST

Or his example global scorefile : http://www.cs.ubc.ca/spider/edmonds/usenet/gnus/SCORE

Many news readers have a "kill" file that will filter out the posts from either a certain user-id, or posts with certain titles. Each news reader is unique. You might wish to read the help file on the subject of kill files.

Rejecting E-Mail from domains that continue to Spam
====================================================

Spamfilters can be found at:

    http://www.io.com/~johnbob/jm/index.html
    http://www.samiam.org/spam/index.html
    http://www.best.com/~ariel/nospam

List of spammers:

    http://www.samiam.org/spam/spammers.txt
    http://www.idot.aol.com/preferredmail

Or look at a page on how to block e-mail : http://www.nepean.uws.edu.au/users/david/pe/blockmail.html

Ask your admin to add the following to their sendmail.cf. This will reject all mail that continues to come in from domains that only send out spam. This is a group effort from many admins :

Modify your sendmail.cf in the following way.

1. Set up a hash table with the domains you wish to block:

    # Bad domains (spam kings)
    FK/etc/mailspamdomains

2. Add the following rules to S98 (be sure that there are three lines (i.e. the lines are not split up) and be sure to put a TAB character between the $* and the $#error, not a space) :

    ### Spam blockage
    R$* @$*$=K . $*	$#error $@ 5.1.3 $: "Your domain has been blocked due to spam problems. Contact your administrator."
    R$* @$*$=K $*	$#error $@ 5.1.3 $: "Your domain has been blocked due to spam problems. Contact your administrator."

3. Make your hash table. Here are some suggestions :

    moneyworld.com interramp.com dm1.com zygon.com zygn.com stockpick.com
    netamerica1.com selfhelpnet.com helpnet.net buytime.com jackpots.com
    cyberpromo.com californiakid.com lsat.com megd.com pwrnet.com
    bulk-e-mail.com bigprofits.com bbbiiizzz.com owlsnest.com natureplus.com
    globalfn.com

Mail that comes in from any of these domains will be returned to sender with the error. If the sender is bogus, it will bother the postmaster at the bad domain in an appropriate manner.

Keep in mind that *ALL* email from these domains will be blocked. This is really only a good solution for domains that are set up by spammers for spamming.
Blocking something like aol.com, although it may seem initially attractive ;-), would cause problems for legitimate users of email in that domain. Compile your list after careful verification that these domains fit the above description.
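
Before loading a domain list into the mail server, it helps to see exactly which senders it would catch. The script below is an added example, not part of the original FAQ and not sendmail code: it assumes the rules above are meant to reject a listed domain and any host under it, and the function names, list contents and sender addresses are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (not sendmail code): test sender addresses against a
# block list file with one domain per line, like /etc/mailspamdomains above.

# sender_domain ADDRESS -> prints the lower-cased domain, or fails if none.
sender_domain() {
    case $1 in
        *@*) ;;
        *) return 1 ;;              # no "@": nothing to match on
    esac
    dom=${1##*@}                    # text after the last "@"
    dom=${dom%>}                    # tolerate the "<user@host>" form
    dom=${dom%.}                    # tolerate a fully qualified "host.dom."
    [ -n "$dom" ] || return 1
    printf '%s\n' "$dom" | tr '[:upper:]' '[:lower:]'
}

# is_blocked ADDRESS LISTFILE -> exit status 0 if the domain is listed.
# A listed domain matches itself and any host under it, on a dot boundary,
# so "cyberpromo.com" covers "mail7.cyberpromo.com" but not "notcyberpromo.com".
is_blocked() {
    dom=$(sender_domain "$1") || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]' | tr -d ' \t\r')
        case $entry in
            '' | '#'*) continue ;;  # skip blank lines and comments
        esac
        case $dom in
            "$entry" | *."$entry") return 0 ;;
        esac
    done < "$2"
    return 1
}

# check_senders LISTFILE ADDRESS... -> one "BLOCK addr" or "PASS addr" line each.
check_senders() {
    list=$1
    shift
    for addr in "$@"; do
        if is_blocked "$addr" "$list"; then
            echo "BLOCK $addr"
        else
            echo "PASS $addr"
        fi
    done
}

# Constructed sample: three entries from the suggestions above, four made-up senders.
demo_list=$(mktemp)
printf '%s\n' cyberpromo.com bulk-e-mail.com pwrnet.com > "$demo_list"
check_senders "$demo_list" 'offers@cyberpromo.com' 'x@mail7.cyberpromo.com' \
    'friend@notcyberpromo.com' 'someone@aol.com'
rm -f "$demo_list"
```

Running a sample of recent legitimate senders through check_senders before deploying a list shows whether any entry would block mail you still want.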