Spam is not from Immune.Com

Contents
Spam is not from Immune.Com
Confirmation Is Required
The Boulder Pledge
How To Stop Spam
Who Really Sent A Message
This Is Where You Are
Fake Headers
But Where Did This Junk Come From?
Black Hole Lookups
Reporting With Abuse Net Service
Reporting Spam Directly
Trace Route
Reporting Spamvertised Web Sites
Reporting Drop Boxes
Reporting Spam E-mail Sources
Even More Anti-Spam Help

Spammers (worthless, garbage-mouthed vermin) are attacking this service and many other services. We are being attacked by spammers because we believe your e-mail address is private and confidential and should never be used without your permission.

Spammers are also not happy with us because we report their disgusting spew. Spam is a repugnant abuse of and affront to the whole Internet community, and we'll likely continue to vigorously report spam.

We regret that repeated, widespread, and continuing retaliation attacks by spammers have besmirched the good name of Immune.Com. Spammers try to cause trouble by sending out spam which appears to be from Immune.Com. Because most of an e-mail message can be forged (including who it is "From:"), spammers can and do send e-mail messages with illegal, false "from" addresses @Immune.Com in an attempt to discredit us.

Spammers usually don't want you to reply by e-mail, and they certainly don't want you to know who they are. That's why they cheat and use fake e-mail addresses in the From: lines of their junk messages.

Recently Chinese spammers have been attacking Immune.Com more intensely, creating the false impression that their Chinese spew is somehow from Immune.Com. Yuck!

We have tracked down and reported several kinds of spam that falsely use a fictitious @Immune.Com, or a real but receive-only @Immune.Com e-mail address as a From: address or return address, forging the despicable wrong impression that Immune.Com was in any way involved in sending spam. Immune.Com has never, and will never, send unsolicited electronic messages of any kind. Never.

Confirmation Is Required

All Immune.Com services have always operated on a request-confirmation basis. It is impossible for an e-mail address to be added to our member lists without both a request, and also a valid confirmation by e-mail. Subscription requests result in an immediate, automatic confirmation message sent to that same e-mail address.

If a subscription request is forged, the automatic confirmation message alerts the owner of that e-mail address about the attempted larceny. If the confirmation code is not returned promptly, the code expires. The code is only sent to the newly requested member e-mail address, so others cannot forge a confirmation unless they have access to your computer, and access to your e-mail.

The Boulder Pledge

The most important thing we all can do is to be sure that we do not support SPAM. Spammers dread the Boulder Pledge, so we should all support the Boulder Pledge.

The Boulder Pledge by Roger Ebert (the "Thumbs up!" guy) December 1996:

"Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community."

Simply never buy anything promoted by SPAM. That way spam advertisers can never be 'satisfied' with spammer senders, and spammers will go out of business more quickly.

In addition to the Boulder Pledge to never support spam, it is also possible for all of us to help with the fight against spam.

In fighting spam, you can take on many different tasks, including tracking down the source, where the spam got into the Internet, and various kinds of complaints to the parties who are, intentionally or not, supporting spam. The rest of this page gives you the tools you need to fight spam.

How To Stop Spam

Now that you are here, please look around and learn what you can do to stop the spamming low-lifes from invading your inbox with their junk.

Today can be the day you begin really fighting spam. Don't worry too much about the jargon and technical terms - links to a glossary and jargon explanations are below. This page is designed to help beginners learn to track and report spam, so the most complicated and intricate details are simplified and the most basic spam fighting skills are emphasized.

First off, it's usually not a good idea to "reply" to spam directly. Spammers use all replies to confirm that your address is real, not to remove you, as they claim. They lie. Confirmed addresses are far more valuable to sell to other spammers, so please don't reply at all!

Here next are many resources available to help fight spam. There are links from this page to many sites to help you learn about all the issues involved and what you should and/or should not do about spam.

How To See Who Really Sent A Message

It takes some effort and experience to read the technical details that reveal where a spam message really came from. You must find how to see the "transport headers" in your e-mail program, and you must figure out the true meaning of the headers after you find them.

Many e-mail programs do not automatically show you the true information about where an e-mail message really came from. There are many reasons for this choice, but it is a fact, regardless of the reasons. This choice, by software developers, to make their e-mail programs very vulnerable to, and protective of, liars is the whole reason why nasty people can so easily get away with lying. Bad people can easily set up, and frame, innocent others who have NOTHING to do with the bad message, so that the innocent person appears to have been the one who sent it.

To investigate such lies, you must learn to tame the conspiratorial instincts of your e-mail program, and FORCE it to cough up the truth. Most people do not know how to force their e-mail program to stop playing nice with liars. That makes lying very easy for spammers.

Some e-mail programs make finding the truth easy, and some make it very hard. Here are some links to Web pages that can help you find the e-mail transport headers in your e-mail program:

How do I get my email program to reveal the full, unmodified email?
How to Show Full Headers
To View the E-mail Header
Forwarding Full Mail Headers
How to get full headers in your e-mail program
How to Expand or Get Full Headers

Once you find the transport headers in your e-mail program, the fun has just begun. Now, you must figure out what they really mean. It may help to remember that e-mail messages have only three parts - headers, body, and possibly any attachments.

This Is Where You Are

As an e-mail message is passed from the point of origin to the recipient, each device that handles that message is likely to leave a trace of its activities. These traces, showing where the message began, and where it traversed, are added at each step along the pathway. The original record, at the beginning of the message's journey, is likely to be in those traces nearest to the message body - at the bottom of the headers, close to the message body.

So, the headers at the top, farthest from the message body, will probably show facts about your e-mail server, where you collect your e-mail from. Each header entry between the point of origin and your own e-mail server should be in the order that the e-mail message was passed. As you work through the headers from the top, toward the bottom, you're getting closer and closer to the spammer who sent it.

Because headers are added at the top of the headers at every stop along the way, e-mail messages grow a little bit larger at every stop as they get closer to their destination.

These pages try to help you understand what e-mail transport headers really mean:

What Email Headers can Tell You About the Origin of Spam
How to Interpret Email Headers
How to read Email Headers
Figuring Out Fake E-Mail & Newsgroup Posts
How to Interpret Email Headers (do not log in - just say cancel,cancel,cancel,cancel...15 times)
E-mail Headers

Fake Headers

Spammers lie. Spammers try to hide the details about the bad things that they do. As the pages cited above point out, spammers frequently use multiple ways to lie and obscure their dirty deeds.

In learning to read e-mail transport headers, it is smart to begin by studying legitimate e-mail messages, so you can learn to read real headers from known addresses before you get into the tricky stuff that spammers do.

One of the many ways that spammers lie is to place fake headers in spam messages. Remember that the headers nearest to the message body are the "oldest," and closest to the point of origin (the spam 'insertion point'). So, if a message has any fake headers, the fake headers will probably be next to the body, at the bottom of the header section. It is possible to fake one, two, or more headers - but, usually the fake headers will all be before (below) the real headers.

You'll need to know how to read, at least, the Received: transport headers. There are many deeper layers to spam tracking, but the Received: lines are the key, at least at first. From here on, when we say "transport headers" you can assume we're talking primarily about Received: headers.

In reading e-mail transport headers, you'll discover that the lines beginning with "Received:" tell the truest story. This is because every server passing an e-mail message along in its journey not only records that server's own name (and/or IP address), but also records where the message came in from (in numerical IP [Internet Protocol] address form). The IP record of where the message came from is vital, as we will soon see.

Then, you just compare who a server "claimed" to be with what the next subsequent server says. If two sequential servers don't closely match, the older (lower) Received: line was probably forged. So, the best "real origin" of the e-mail message is shown by where the server immediately after (above) the forged Received: line(s) says it received the spam message from.

Use the Openrbl Multi DNSBL Lookup tool (covered in more detail later) to look up the server's name from the IP address of the real spam sending computer.

This is the essence of finding out where a spam message really came from.
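The comparison described above, worked through in Python as an added example (not part of the original page). The message, host names and addresses are constructed, and "closely match" is approximated here by comparing the last two labels of each host name, which is an assumption of this sketch.

```python
import re
from email import message_from_string
from typing import NamedTuple

# Constructed sample: example domains and documentation-range IP addresses.
# The bottom Received: line is the forged one; the From: line is forged too.
SAMPLE = (
    "Received: from mx.isp.example (mx.isp.example [192.0.2.10])\n"
    "\tby pop.recipient.example with ESMTP id A1; Mon, 3 Mar 2003 10:00:02 -0700\n"
    "Received: from mail.immune.example (unknown [203.0.113.77])\n"
    "\tby mx.isp.example with SMTP id B2; Mon, 3 Mar 2003 10:00:01 -0700\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby smtp.bigbank.example with SMTP id C3; Mon, 3 Mar 2003 09:12:00 -0700\n"
    'From: "Friend" <nobody@immune.example>\n'
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)

# Matches the common "from HELO (rdns [ip]) by host" layout of a Received: line.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


class Hop(NamedTuple):
    helo: str  # name the sending machine claimed for itself (unverified)
    rdns: str  # name the receiving server looked up for the sender's IP
    ip: str    # address the receiving server actually saw the connection from
    by: str    # the server that wrote this Received: line


def parse_hops(raw_message):
    """Return the Received: lines, top to bottom (newest first), as Hop records."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        # A line in an unexpected layout is kept as an empty Hop so it gets flagged.
        hops.append(Hop(**m.groupdict()) if m else Hop("", "", "", ""))
    return hops


def site(name):
    """Reduce a host name to its last two labels (rough 'closely match' test)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_origin(hops):
    """Walk down from your own server and stop at the first line that does not fit.

    Returns (origin_ip, first_suspect_hop). The origin is the address recorded
    by the lowest line that is still consistent with the line above it.
    """
    if not hops:
        return None, None
    trusted = hops[0]
    for lower in hops[1:]:
        # Who the trusted server says handed it the message.
        handed_over_by = {site(n) for n in (trusted.helo, trusted.rdns) if n}
        # The lower line claims to have been written "by" that same machine.
        if not lower.by or site(lower.by) not in handed_over_by:
            return trusted.ip, lower
        trusted = lower
    return trusted.ip, None


if __name__ == "__main__":
    origin, suspect = find_origin(parse_hops(SAMPLE))
    print("address to look up and report:", origin)
    if suspect:
        print("probably forged Received: line written 'by':", suspect.by)
```

The HELO name in the second line claims mail.immune.example, but the address in square brackets was recorded by the receiving server, so that address is the one to look up.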

You should know that there are some misconfigured mail servers that relay mail without adding a Received: line. The relay server then appears to be and becomes the spam injection point to report. These mail servers are misconfigured, accidentally or deliberately, and they need repair (instructions here). If you find a new broken e-mail server that is relaying spam, you can send them a message like this.

But Where Did This Junk Come From?

As you discover more and more about an e-mail message's transport headers, eventually you'll become concerned with the numerical IP (Internet Protocol) address of the computer (server) that sent the spam message. The dotted quad IP, such as 127.0.0.1, is four numbers [0 to 255] separated by period dots.

Two powerful online tools will be your friends: WHOIS and black hole lookups. You'll also learn about trace-route, but be careful that you understand traceroute before you jump to any conclusions - reporting your own Internet Service Provider to their Internet pipeline supplier is probably not going to help stop spam in your INBOX.

WHOIS is an Internet tool to allow anyone to find out the name, and how to contact, any Internet domain name owner. You should become familiar with the parts of the WHOIS report. WHOIS is now handled by many different WHOIS servers, so the output report looks different from different servers, but often the information has just been rearranged. On the other hand, spammers often deliberately falsify WHOIS records.

Here are some WHOIS pages that will allow you to look up the owner of almost any Internet domain:

Network Tools
Hexillion Tools
Betterwhois
Domain name registries around the world
WHOIS and root server check

Note: If a WHOIS record ever contains any detectable bogus information, like a telephone number of 101-555-1212 or a street address in the middle of a river, be sure to report the falsehoods to this free public service database: RFC-ignorant.org

Here are some map sites for looking up the address you find in the WHOIS report.

RFC-ignorant.org is the clearinghouse on sites who think that the rules of the Internet don't apply to them. All WHOIS domain records should contain (at least) a contact name, an e-mail address, a telephone number, and a street address. If these requirements are not met, or if bogus data is given, please report the domain to the bad-WHOIS database at RFC-ignorant.org. There may be recent privacy exceptions in Europe - but the point is that there must be a way to contact the domain owner to complain.

Black Hole Lookups

Let's say you just received spam from the bad computer at this IP address: 66.102.130.156

To get an e-mail address to complain to, plug the IP address number of the bad computer that originally sent the spam (in this case, 66.102.130.156) into this tool:

Openrbl Multi DNSBL Lookup

Red in the output result is bad, and green is okay. If the page turns red, the whole network is probably controlled by spammers - so complaining to them is of little use. Instead, learn to use traceroute and figure out the pipeline supplier(s) used by the spam sender, and the product or service that was spamvertised. Complain at least one level above the spammers. Complaining more than two levels above the spammer doesn't usually help - it shows you're frustrated, but clueless, so the complaint may be ignored as a waste of time.

To identify the best e-mail addresses to complain to, look near the bottom of the output from OpenRBL. You should find a line that ends with [Whois & Abuse|SpamCop] like this:

Track "haw-66-102-130-156.vel.net" at [Whois & Abuse|SpamCop]

Click on [Whois & Abuse|SpamCop] to see which network is responsible for that IP address range. In this case (just above), the network is VEL.NET, and the appropriate complaint address(es) is(are) given.

There are other black hole lookup tools, listed in the linked resources below, for instance, but the Openrbl Multi DNSBL Lookup is so powerful, easy to use, and so quick, we always just use it first.

You might wonder why these tools are called black hole lookups. When these tools are used most effectively, as mentioned at the end of this page, they remove the spammers from our Internet, by confining spammers to a different internet all their own - spammers then can converse only with other spammers, in their own "special" network. Putting spammers into such a black hole is a natural consequence of their rude and incorrigible behavior.

Reporting With Abuse Net Addressing Service

If you are using the ABUSE.NET Spam Complaint e-mail forwarding service, you would just send the above complaint to VEL.NET@Abuse.Net. To use the Abuse.net addressing service, you must first register by sending them an e-mail message and you must agree to follow their rules. Here is the page to find out more about this free addressing service:

How does the abuse.net mail forwarder work?

Reporting Spam Directly

Every Internet domain that sends or accepts e-mail must accept e-mail to postmaster@domain.name. Most Internet domains should also accept e-mail to abuse@domain.name.

If you want to send your complaint message directly, you can send complaints to abuse@ and/or postmaster@ at the network identified by the openrbl tool. In the example above, the default addresses to write to would be:

abuse@vel.net
postmaster@vel.net

To check, in advance, if abuse@ and postmaster@ do work, use the free tool here:

EmailDossier

or here:

Verify Email Addresses

If either abuse@ or postmaster@ fails, be sure to save the evidence output until you nominate the rogue domain for listing at RFC-ignorant.org.

Trace Route

To identify the upstream pipeline suppliers for a spammer, trace the path to the spammer's e-mail server and the spamvertised Web page IP addresses using one or more of the NAP looking-glasses here:

Looking Glasses for Public NAPs

Pick one of the looking-glasses, then select trace. Fill in the spammer's IP address, and press enter or go.

The closer they are to the source IP, the more likely they are involved in the SPAM, one way or another. Some big spammers have multiple upstream pipelines, so search by traceroute from several geographical directions to find all the suppliers. Then, complain to all the suppliers.

Other online trace route tools are available here:

Traceroute Network Test
Dreamhost Network Check
Openrbl Multi DNSBL Lookup
Network Tools
Hexillion Tools

Most computers on the Internet should have both a numerical IP address and a "host" name, like mp.vel.net. If you know an IP address, you can use one of several lookup tools to find out the host name - ping and traceroute will both usually do it, and nslookup is another tool that does it, too. When you look up the IP address number from the host name, or lookup the host name from the IP address, you're using the Internet Domain Name System (DNS) service to "resolve" the information you want from the information you already have.

Official name: mp.vel.net
IP addr: 207.182.227.213

If an IP address in the trace route report does not resolve to a host (server) name (like mp.vel.net, or even longer), you can still use the openrbl tool (above) to identify the responsible network to complain to. Networks, especially spam-friendly and spammer-support networks, may deliberately fail to resolve their spam-supporting devices. So don't forget to check to see which network is responsible, and then report the spam to their upstream supplier.

For more help on traceroute, try this: Understanding a Tracert or this Online Trace Route Utility or this How to Tracert.

Be sure you understand traceroute before you use it to complain. Careful targeting of spam complaints is much more useful and much more effective than a shotgun approach. Complaining more than two levels above the spammer is usually a mistake - and only indicates cluelessness and frustration.

Don't send too many spam reports - they might be ignored. Keep the overall number of reports on a single spam message to a reasonable minimum. Too many reports to a large number of addresses at a single provider, or too many reports to a large number of providers, is considered abusive and clueless. All spam reports must be based on an initial unsolicited contact - if you have already contacted someone, even a spammer, all later messages are technically part of an "ongoing or pre-existing relationship," so they are not considered spam. Don't bother getting into a conversation with the spammer, until you are very skilled and knowledgeable about how it can go wrong.

An example:

If you identified 211.101.160.210 as a suspect IP address number for the bad e-mail server that sent you spam, or a Web site spamvertised in an unrequested e-mail message, then the openrbl tool says:

Network: 211.101.128-255 CAPITALNETWORK Beijing, Beijing @capitalnet.com.cn

So, complaining to abuse@capitalnet.com.cn might help. Or, register at Abuse.Net and just complain to capitalnet.com.cn@Abuse.Net. The Abuse.Net contacts database has other proven good abuse contact addresses - so your complaint will go directly to the right people.

Before you get too far down the spam-complaint road, it is very important to know that, generally, the people you are writing to also hate spam, and they are on our side. Please do not be short or rude with them out of your anger with spam. Be factual, be direct, and file a complete report so that they can act on your spam complaint.

At first, you should be looking to report just three things:

  1. Spamvertised Web sites - the site the spammer is working for
  2. Spam drop boxes - often used in spammer WHOIS domain records
  3. Spam sources - computer IP addresses that are sending spam

Reporting Spamvertised Web Sites

Figuring out the person to complain to about spam may be a little easier for a Website that the spammer sends you to, because the dirty scum probably do want people to come and visit - so it's not necessarily so hard to find the spammer's Website. Because spamming Websites are a little easier to track down than spamming mail servers, you may want to start learning here.

When you are about to visit a spammer's Website, consider using an anonymizing browser, for safer surfing. If the spammer's Website has nasty software code to take advantage of a visiting browser, or if the spammer is collecting IP addresses of visitors for other purposes, using a safe browser is smart. Here is a link to several safe browsing options.

Spamming Websites are trying to sell the spammer's putrid wares. Because of the Boulder Pledge nobody should ever buy anything from a spammer. But, in order to collect information to better report the spammer, sometimes a visit to the spammer's Website is appropriate.

At the spammer's Website we're looking for two things:

Check the WHOIS listing for the spammer's Website domain names. The WHOIS listing may have bogus information in it that you can report to RFC-Ignorant, and the spammer's WHOIS listing probably contains a dropbox listed as the primary contact person. If your spam report results in the drop box being closed, the spammer must start all over. Good.

If the spammer's Webpage is still active, report the Website address (like http://www.spammer.ick) and the spam to the supplier of the Web service, and to the upstream supplier of Internet access. Reporting to the upstream supplier may not always be necessary - it's just a precaution in case the spammer actually is or controls the Website provider, too.

Many times spammers use tricks to hide their real Website address. There are dozens of methods spammers use to hide and obscure their addresses. But, anybody can usually get past all their tricks by just pinging or doing a traceroute to the spammer's Website. This is because, if the spammer's Website is available for visiting, the Internet computers must somehow know how to find the site.

After you have the Website open for viewing, copy and paste the address from the Web browser into a ping or traceroute tool. If the address is understandable to Internet computers, you'll likely get the real address as output in the ping or traceroute results.

Now that you have the real address for the spammer's Website, use the openrbl lookup tool to identify the network responsible for the Website, and complain to them and their upstream supplier of Internet access.

Reporting Drop Boxes

In reporting drop boxes, the object of the game is to ask the e-mail provider to close the account and inactivate the drop box, preventing the spammer from using that e-mail address.

Drop boxes should be reported to the site allowing the e-mail address (spammer@yahoo.com should be reported to yahoo.com), and possibly one level upstream from the e-mail provider. Get the addresses to complain to as described above, using the openrbl lookup tool, and traceroute to find the upstream supplier for the e-mail provider. Here are some lists of freemail and Webmail providers, so you'll know what you're looking for:

You may want to open a freemail account or two of your own, to use for reporting spam. Sometimes your spam reports will get into the hands of the spammers themselves, and they often do bad things to people who report spam. Some spam-friendly Internet services will give your spam reports to the spammer, for the spammer to "list wash" (remove) your address. Spammers call spam address lists that have had the complaining addresses removed "clean" lists - and spammers sell clean lists to each other. If a spammer wants to sabotage the competition, they include lots of complainer addresses in a "dirty" list, and sell it as a clean list. Remember, spammers lie for a buck.

If you open a freemail account for reporting spam, carefully remove from all your spam reports your real e-mail address(es) and other information that could identify you, or the spammers will find out you reported them, anyway. When you remove your e-mail address from a spam report, you are "munging" your report, or munging your address, to prevent list washing and/or retaliation.

Another kind of identifying item to remove or munge from your spam reports is the often coded way the spammers include your e-mail address in the headers or body of the spam. These are called "listwashing tokens." Listwashing tokens can be decoded using the advanced methods here. They usually look like a long series of random characters, something like this:

Note that the final listwashing token above is a Website address. The Website address was embedded within the spam message, and if the link is clicked on, the spam victim has just ensured more spam, because the spammer will know that the message was received. To see this listwashing token, you must read the source code within the e-mail message. Remember, each e-mail program has its own way to reveal the source codes within a message - help for finding the hidden codes is above.

If you remove these listwashing tokens from your spam reports, or scramble them, be careful of the Message ID in the e-mail transport header. Internet service providers, especially large providers, sometimes may need a real (not listwashing) Message ID code to identify the spammer. Many good mail servers add the Message ID when the original message is being created, so they can use the Message ID to figure out who the spammer is. If you do not supply the Message ID in your report, sadly, they may ignore your spam report.

Reporting Spam E-mail Sources

Once you've read and understood the use of trace route, WHOIS, and the openrbl lookup tool, the only remaining skill you'll need, to report servers sending spam, is the ability to rightly understand e-mail full (transport) headers. We read all the articles above, and a lot more, before we began reporting spam e-mail sources.

Always send your spam reports as part of the e-mail message BODY text. Never send spam reports with/as attachments - abuse desk workers often won't open any attachments (attachments are dangerous!). For reports going to international locations, try to send in plain text, rather than 'styled text' or HTML, because plain text can be read by any e-mail program. (The words "plain" and "text" in the previous sentence link to clear instructions for how to send plain text.)

There are lots of more complicated things you can do to stop spam. One thing you should know about, even at the beginning of your journey, is the most powerful way your e-mail provider can filter out most of the spam, but they may also lose some good messages, if they are too vigorous in their filtering. Before accepting an e-mail message, a mail server can check the message origin (and several other details) to see if the message is coming from a "known" spam source.

Instructions for how to set up these strong spam filters on an e-mail server are here. This method uses an adaptation of the very efficient Internet DNS system to house and query lists of known spam sources - it's called DNSBL - Domain Name System Block Listing. All mail servers can use this method, so you may want to ask your Internet provider if they are already using a DNSBL for your e-mail account. If not, why not? Are you willing to lose a little good e-mail, along with much of the spam?
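How a mail server asks a DNSBL about a connecting address, as an added example (not part of the original page): the four numbers of the address are reversed and looked up as a host name under the list's zone, an answer in 127.0.0.0/8 means "listed," and "no such name" means "not listed." The zone names and the listing data below are constructed placeholders, and the resolver is passed in as a parameter so the example runs without network access.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the host name a mail server looks up: reversed octets + list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the input
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the list answers with a 127.0.0.0/8 address for this IP."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        # No such name means "not listed". A failed lookup lands here too, so
        # this sketch accepts mail when the list cannot be reached.
        return False
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


def zones_listing(ip, zones, resolve=socket.gethostbyname):
    """Return the zones (block lists) that currently list the address."""
    return [zone for zone in zones if is_listed(ip, zone, resolve)]


def fake_resolver(records):
    """Offline stand-in for DNS, answering only from a constructed table."""
    def resolve(name):
        if name in records:
            return records[name]
        raise socket.gaierror(socket.EAI_NONAME, "no such name (constructed)")
    return resolve


# Constructed listing data: one documentation-range address on one list.
CONSTRUCTED_RECORDS = {"77.113.0.203.dnsbl.example": "127.0.0.2"}
ZONES = ["dnsbl.example", "other-list.example"]  # placeholder zone names

if __name__ == "__main__":
    resolver = fake_resolver(CONSTRUCTED_RECORDS)
    for address in ("203.0.113.77", "192.0.2.10"):
        hits = zones_listing(address, ZONES, resolver)
        print(address, "reject, listed by " + ", ".join(hits) if hits else "accept")
```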

The next five links give much more good advice and even examples and sample spam reports, so your spam complaints will be effective enough to expose and nuke a spammer! Now you have the tools to really fight spam. Welcome to the anti-spam struggle, and happy hunting!

Even More Anti-Spam Help

How to report spam
How To Complain About Spam
How do I report spam?
Exterminating Spam Step by Step - Really! Example Spam Reports
How to Track Spammers and Complain to Their ISP
Anti-Spam Resources
Spam Glossary
The Net Abuse Jargon File
Internet and Spam Jargon Links
Spam Fighting Tools
Spam Links
Spam-Fighting Resources
SpamFAQ.Net
SamSpade.Org
Anti-Spam Resources: Halting the Junk E-Mail Juggernaut - Privacy Rights Clearinghouse - Identity Theft
IP Address Locator
Spam Slammer
How to "Can" Unwanted Email - USA Federal Trade Commission
Google Search news.admin.net-abuse.email
Internet Fraud Watch - USA National Fraud Information Center
USA Secret Service 419 Advance Fee Fraud Advisory
More on 419 Fraud Spam
Spam Watch
Donate Your Spam To Science
SpamCop - Basic spam-reporting service is free
Internet Fraud Complaint Center
DNS Digger
SPAM Laws
Abuse.Net
Spam Tracing Tools


For more information, please contact: SpamSucks@Immune.Com
Owner: Ballew Kinnaman <kinnaman@Immune.Com>
Version 2.0
This page resides at http://www.Immune.Com/SpamNotFromImmune.Com.html
Copyright 2003, Immune.Com, all rights reserved worldwide.