▲
A few months ago my web hosting company finally decided to allow us to delete our "ketch all" accounts. Now messages addressed to non-existing accounts are bounced back to the address indicated in the "from" field of the message. I apologize to those who end up getting my spam because the spammer decided to use their name as the sender of their junk. Most of these messages simply go into oblivion because the return domain's don't exist.
I also dropped my "Frank" account which I had been using for 6 years. The spam coming in through my primary domains has now dropped to about one message every week. For a reason too complex to explain, last week I had to reinstate my Frank account for a day. Yup, you guessed it, I got over 900 spams through that account during that 24 hour period. Even though I no longer receive the spam, it still runs through the system.
We as users are PAYING for this, as our Internet providers have to purchase wider bandwidth connections and bigger servers to handle all this junk and send it back, or try to. Much of it times-out after a few days and has to be deleted. During that time our providers have to hold it waiting for the timeout to occur. Result, bigger computers, and higher costs for us. Ever wonder why Internet service hasn't gone down in price like many other electronic services?
Update January 22, 2004
I now receive as much spam every 2 weeks as I received over the entire year I was keeping track and reporting as mentioned in the following text. I now average around 700 a day. As a result I have had to change my e-mail address. If it continues to increase I will be forced to terminate my domains, because even though I will no longer see the spam, I still have to pay for the bandwidth it takes.
July 6, 2003
I now receive almost 400 spams a day and have given up reporting most of them. 90% are coming from open relays in China or are advertising websites hosted in China. There is no one in China to report spam to, or they aparently don't care. It seems that the companys in China that are hosting this mess are making money on the process and don't apparently care that they are destroying the very market they are exploiting.
I have worked out how to filter most of this junk by searching the headers of my messages using Microsoft Outlook Rules, and any that are coming through Aisia, Europe and South America, are being deleted by Outlook. For information sake I am including the IP address blocks that I am filtering on as follows.
As you can see from my discription below, the company I receive my e-mail through places the IP address which is forwarding the mail within a set of parentheses making it fairly easy to filter. I simply set up Outlook to delete mail that contains (61. (200. and so forth, in the header. I am afraid the current version of Outlook Express doesn't allow for this level of filtering. Maybe the next version (7) will contain detailed rules capability.
All IP addresses that begin with the following 2 or 3 digit numbers are the ones I am filtering.
| Asia | Europe | Latin America | US companys |
| 60. 61. 202. 203. 210. 211. 218. 219. 220. 221. 222. |
62. 80. 81. 82. 193. 194. 195. 212. 213. 217. |
200. 201. |
24.107. Charter Communications 24.240. Charter Communications 24.241. Charter Communications 63.251. Internap networks 66.150. Qwest Communications These are US hosting companys whos clients I get a lot of spam from. Aparently these companys do not uphold their own policys because of the hundreds of reports I have sent to them, none of the sites were ever shut down. |
Total Spams received 5424
Spam forwarded through or pointing to Asia 3895
All other spams 1529
About half of the Asia spam has come in the last 3 months
About half of all other spam has come in the last 5 months
To begin with I reported all spam even to Asia. I quit reporting anything to Asia in July 2002.
I NEVER received any conformation of reported abuse to any address located within China, and, if my memory serves, I only received about 10 to 20 report conformations from other Asian country's.
There were about 200 reports which bounced due to invalid address in the ARIN database. Once I got a bad address that I could remember I didn't bother to report any more to that address.
There were about 100 reports which bounced due to invalid domain names in the ARIN database.
When you use a program such as Outlook Express to send an e-mail message, the program actually sends the message from your computer to a computer belonging to your Internet provider called a mail relay or SMTP server (Simple Mail Transfer Protocol). This relay then looks up and sends your message to another computer called a POP3 server (Post Office Protocol 3) belonging to the Internet provider of the person you are sending your message to. The message is received by the POP3 computer and holds the message until the other person retrieves his e-mail. There are other types of systems but I won't cover those here.
Most POP3 servers will not accept a message, without requiring that the relay confirms it's IP address, then the POP3 mail program inserts that address in the header of the e-mail so you can trace it. An IP address is a string of 4 sets of numbers divided by periods. There are always 4 sets, but each set of numbers may consist of the numbers 0 to 255. IP addresses are actually what make the Internet work. My primary web site, nps-vip.net uses the IP address 209.249.135.229 but that is another story.
Most Internet provider companies have their relays set so nobody can relay a message through their computer unless the sender is connected directly to that Internet provider. In other words, I can't relay a message through the SMTP server at cox.net if I am connected to aol.com.
Now here is where the real problem and source of spam comes from. An SMTP server is actually a pice of software. There are many free SMTP server programs available and anyone can download one and install it on any computer. I have one running on a computer in my basement. BUT, the average person has no idea that the software has to be set to prevent outsiders from using their computer to distribute spam. So the spammers spend their time probing the Internet looking for open relays. When they find on, they spew thousands or millions of pieces of junk mail through this "open relay" and the owner has no clue it is happening. Usually, at least in the US, as soon as the open relay is reported the connection cut off until the relay is shut down. But it may be several days before the complaint department can get around to that report. Then there are some Internet provider company's (mostly in Asia) that think they are making money by offering their relays to spammers for a price. And there is little we can do about thoes, but that is still another story.
The way to find the relay IP address is to reveal the header information in your e-mail.
In Outlook that is done by Right Clicking on the subject line in your list of received e-mails, and choosing Options, then look at the bottom of the window and you will see a box with the header information.
Outlook Express is similar except you chose Proprieties from the drop down list then click on Details. Other systems have different ways of revelling the header. No I can't help you there, I only have Outlook. If you don't know how to reveal the headers, use your help system and search for information on "headers". Most systems will tell you how to reveal them.
The next step once you can see the headers is to copy the entire header into the clip board. Use you mouse and drag across the entire window until all the text is selected. You MUST get the entire header even if it runs off the bottom of the window. Now press Ctrl C on your keyboard to copy it to the clip board.
Next close the header box and FORWARD the original message. At the top of the message hit return a few times to give you some space then paste the header to the top of the message by pressing Ctrl V on your keyboard.
Now look through the header information for the first occurrence of a full IP address. Usually this will be found within the first 2 to 4 lines and generally the address is surrounded by parens ( ) or brackets [ ] or both. Here are 2 examples, with the IP addresses highlighted.
| Outlook Spam message |  |
| Outlook Express Subscription |  |
There are currently 3 organizations in the world that keep track of IP addresses, however it looks like we are going to have to deal with more as small country's want to have a pice of the action.
Examples may be aol.com uu.net sprint.net etc. Sometimes on this page you will see an e-mail address to send spam complaints, but not very often.
Look down the list and find the e-mail contact address that occurs most often. You may find say joeblow@aol.com listed several times. You want the aol.com part. Note: do not send any complaints to anybody at arin.net, ripe.net or apnic.org. They can't help you.
Now go to this address http://www.abuse.net/lookup.phtml abuse net and enter the domain in the search field. There is an 80% chance they will have the proper address to report it to.
abuse.net which is a great place to find the correct address to report to. http://www.abuse.net/lookup.phtml
Reporting to the source IP address is only half the job. Chances are that IP address just has an open mail relay that the owner is either unaware they have or unaware that it is being used to distribute spam. It is also important to report the spam to the company who manages the IP that the junk mail is asking you to go to IE "Click here to make a million dollars" I always report my spam's to both the source IP address contained in the header and to the destination address within the message.
In order to report this destination end we need to look at the "click here" link and determine where that points to.
I'm not sure how to do this in AOL. What you need to do is to view the source html coding of the message, the raw code behind the screen. In Outlook, Outlook Express and most web based e-mail programs, you can RIGHT click on a blank area of the message and chose "view source" from the drop down menu. You are looking for an anchor tag. If you don't know HTML don't panic. It is fairly easy to locate. Click on Edit > Find, or use the shortcut Ctrl F, and enter href into the search box. 98% of the junk mail will have at least one of these. Another type of anchor tag is a mail to tag <A HREF=mailto:person@domain.com" in this case report it to the "domain.com" address.
Here is one I received this morning <A HREF=http://213.139.76.162/ (back part removed) notice the IP address (that string of numbers). This one is easy, just go to ARIN and search on this IP.
If the link is pointing to a domain name we have to use some method of finding the IP from that. Do not bother with anchor tags that point to "to be removed from our list". Half the time they don't exist, the other half they are pointing to other peoples services, or are waiting for you to use them to confirm that you are a real person so they can send you more spam.
I use a program called NetLab to find IP addresses from domain names, but this program is no longer available from it's designer. You might be able to find it somewhere, however one shareware program you can download and try for a while is called NetInfo from http://netinfo.tsarfin.com/ Over priced at $25 but that is the only one I can find at the moment that is available online.
Punch in the domain name under the Lookup tab, (or DNS tab on some programs) and this should give you an IP address which you can now use to search at ARIN. You can also use a dos, or command prompt window but you can't cut and paste from that. Open the dos window and type in "ping domain.com" If the server is live, you will get a "reply from" with the IP address.
VERY IMPORTANT!!! you MUST include the header information and the subject when you report a spam. Always use the FORWARD feature on your e-mail system and include a brief message at the top of your mail. Here are the ones I use.
General message: SPAM Report. This message appears to have either came through a mail relay server or has links within the message pointing to servers on your system. Thank you for your attention to this.
Virus message: Sirs. I received this message which was infected with a virus. My Norton AV log of the account is below. Thank you for your attention to this.
One that I use when I can't find a proper address. I have gotten a number that were using open relays in Asian elementary schools for example: SPAM Report. While the following message was funneled through an open relay server in Asia, one or more of the IP addresses within the message appear to point to a server in your system. Thank you for your attention to this.
Be nice, these people are there to help you.
This whole thing seems very complicated, but it really is fairly simple. Takes me about 30 to 45 seconds to report a spam.