Viva Liberacion: A Guide to Nuking Spammers, Part 2

All the Bayesian filters, Perl scripts, blocklists, and hosting services do nothing to actually stop spam from proliferating; they merely prevent some of it from reaching your inbox. The second article in Carla Schroder's new two-part series takes a look at going beyond filtering and blocking by attacking spam at its source.

By Carla Schroder | Posted Apr 30, 2003
Page 1 of 2

In part one we looked at the fundamental problem of spam, which is theft of services, and put forth the radical notion that we are not put on this Earth merely for the convenience of marketers, but have exclusive rights to our personal property. In part two we'll look at going beyond filtering and blocking by attacking spam at its source.

Walk Softly and Carry a Big LART

The only way to stop spam at the source is to put spammers out of business. It is not enough to have one's own address removed from a spamlist (a process called listwashing). Spammers buy and sell lists every day; their evil little bots harvest and scrape addresses from Web pages, Usenet, Web forums, public databases, and anywhere else they possibly can.

Spammers do not bother to keep clean lists; what's the point? Who cares if 75% of the messages bounce and the rest are deleted on sight? Who cares if entire systems crash under the flood of spew? They are paid to hit the "send" button. The bottom line is that your address will end up on the lists again; it's a sure bet. In any case, it is wrong to have to jump through all kinds of hoops to get off lists when consent was never given in the first place.

As spammers do not enjoy having their services interrupted, they employ all manner of deceits and obfuscations to hide the true origins of their spew. They hijack unsecured proxies and relays. They abuse dialup pools and direct-to-MX (Mail eXchanger) cable and DSL connections. They play whack-a-mole with service providers, IP addresses, and DNS records. They run "joe-jobs" on innocent people and make big trouble for them. (A joe-job is faking a spam so that it appears to be from an innocent third party.) They run dictionary attacks on domains. Never mind that the rampant abuse of these resources destroys their usefulness to the rest of us. However, no matter how much they dodge and weave, they cannot hide. There are two excellent Web sites for hunting down the true origins of a spam: Spamcop and Sam Spade.

Spamcop

You've probably noticed that the vast majority of spams are HTML-encoded gibberish. As the war on spam escalates, spam, like the Borg, adapts. For example, this link tries to foil tracing tools by burying the IP address in percent-encoded characters so that it no longer looks like one:

HREF="http://19%33.%3231.%324%38.72/%763/%69%6e%64ex.php?%73t%72%61t">
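To see what such a link really points at, decode it rather than squinting at it. The following is an added example (not from the article, and not a Spamcop or Sam Spade tool): it pulls the URL out of an HREF fragment, percent-decodes it repeatedly until it stops changing (so a double-encoded host is unwrapped too, which is an assumption about what a spammer might do), and reports whether the host is a literal dotted-quad IP that can be compared with the Received: headers and looked up in whois.

```python
import re
from urllib.parse import unquote, urlsplit

# The percent-encoded link quoted in the article above.
OBFUSCATED_HREF = 'HREF="http://19%33.%3231.%324%38.72/%763/%69%6e%64ex.php?%73t%72%61t">'

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def extract_url(fragment: str) -> str:
    """Pull the URL out of an HREF attribute, quoted or not."""
    m = re.search(r'HREF\s*=\s*"?([^"\s>]+)', fragment, re.IGNORECASE)
    if not m:
        raise ValueError("no HREF attribute in fragment")
    return m.group(1)


def percent_decode_fully(text: str) -> str:
    """Decode %XX escapes until nothing changes, so a double-encoded
    host (e.g. %2533 -> %33 -> '3') is unwrapped as well."""
    while True:
        decoded = unquote(text)
        if decoded == text:
            return decoded
        text = decoded


def deobfuscate(url: str) -> dict:
    """Return the decoded URL plus its host, so the host can be compared
    with the Received: headers and looked up with whois or Sam Spade."""
    decoded = percent_decode_fully(url)
    parts = urlsplit(decoded)
    host = parts.hostname or ""
    m = DOTTED_QUAD.match(host)
    # A literal IP: four octets, each 0-255.
    is_ip = bool(m) and all(int(octet) <= 255 for octet in m.groups())
    return {
        "url": decoded,
        "host": host,
        "is_ip": is_ip,
        "path": parts.path,
        "query": parts.query,
    }


if __name__ == "__main__":
    info = deobfuscate(extract_url(OBFUSCATED_HREF))
    print(info["url"])
    print("literal IP" if info["is_ip"] else "hostname", info["host"])
```

Run stand-alone it prints the decoded link from the article; the host comes out as a plain dotted-quad, which is what you want before deciding whether the page host and the sending host are the same network.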

And here's a popular tactic for spamming a domain: a flurry of made-up addresses at it. If you have a catch-all postmaster account, every one of these messages lands in your inbox.

From: "Spammy Jones" [fw79fzn84x@cnn.com]
To: <200211061753.42700.carla@bratgrrl.com>,
 <200211030016.14801.carla@bratgrrl.com>,
 <200211031006.56264.carla@bratgrrl.com>

Many spams are liberally larded with unique ID numbers, malicious scripts, and Web bugs. Do not enable HTML in your mail client! Spamcop wants the page source and full headers in any case, so plain text is the way to go.

Spamcop is excellent for analyzing headers, even if you do not use the reporting functions. Be sure to report only honest-to-gosh spam with Spamcop. Be careful when using Spamcop; it is not safe to merely click-and-send. First, make sure you are not sending spam reports to your own service provider, which can happen if your email address is in the body of the spam. Second, be careful of service providers that do not accept un-munged reports. Spamcop deletes your email address from reports by default, but some providers will not accept these, most likely because they would rather listwash than kick a spammer off their network. If you check the box to LART these fine souls, they will see your email address. Spamcop compiles statistics and builds a blocklist from spam reports, so either choice is useful.

If it is important to you to conceal your address in Spamcop reports, be aware that many spam messages embed your email address in the body of the message, some of them many times, and it may even be spelled backwards. (Note: do not edit the mail headers; these must be unchanged for Spamcop to work.) Notice also the many unique ID numbers; be sure to munge these too:

HREF=http://www.spammy.com/finish/?member_id=CARLA@BRATGRRL.COM&source_id=15&mojo=798884666">
IMG SRC=http://open.spammy.com/open?u=798884666&b=6354&mojo=798884666>
!--MOC.LRRGTARB@ALRAC -->
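Doing this by hand is error-prone, especially the reversed form and the ID numbers. The following is an added example, not part of the article and not Spamcop's own munging: it splits a message at the first blank line, leaves the headers byte-for-byte untouched, and in the body replaces the recipient's address in any letter case, forwards or backwards, plus any run of six or more digits standing on its own (the `mojo=798884666` style identifiers). The sample message is constructed here to mirror the fragments above; the sender domain is a placeholder.

```python
import re

# Constructed sample in the shape the article describes: full headers, a blank
# line, then an HTML body that embeds the recipient's address several ways.
SAMPLE_SPAM = """\
From: "Spammy Jones" <fw79fzn84x@example.com>
To: <200211061753.42700.carla@bratgrrl.com>
Subject: your account

<A HREF=http://www.spammy.com/finish/?member_id=CARLA@BRATGRRL.COM&source_id=15&mojo=798884666>
<IMG SRC=http://open.spammy.com/open?u=798884666&b=6354&mojo=798884666>
<!--MOC.LRRGTARB@ALRAC -->
"""

PLACEHOLDER = "x@x"


def munge_body(message: str, address: str, min_id_digits: int = 6) -> str:
    """Blank the recipient's address (any case, forwards or backwards) and any
    long numeric tracking ID in the body, leaving the headers exactly as they
    were because the tracing tools need them unchanged."""
    headers, sep, body = message.partition("\n\n")
    if not sep:
        raise ValueError("message has no blank line separating headers from body")

    address_re = re.compile(
        "|".join(re.escape(form) for form in (address, address[::-1])),
        re.IGNORECASE,
    )
    body = address_re.sub(PLACEHOLDER, body)

    # Runs of min_id_digits or more digits that are not part of a longer number.
    id_re = re.compile(r"(?<!\d)\d{%d,}(?!\d)" % min_id_digits)
    body = id_re.sub("[id-munged]", body)

    return headers + sep + body


def leaks(message: str, address: str) -> bool:
    """True if the body still contains the address in any obvious form."""
    _, _, body = message.partition("\n\n")
    body_l = body.lower()
    return address.lower() in body_l or address[::-1].lower() in body_l


if __name__ == "__main__":
    report = munge_body(SAMPLE_SPAM, "carla@bratgrrl.com")
    print(report)
    print("body still leaks address:", leaks(report, "carla@bratgrrl.com"))
```

Short numbers such as `source_id=15` and `b=6354` survive, since they are not long enough to be unique per recipient; raise or lower `min_id_digits` to taste. The `leaks()` check is worth running on the finished report before sending it.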

Finally, you MUST resist the temptation to edit the comments in the reports. Leave them alone! It is mighty tempting to vent and cuss and heap abuse, but it won't help. Visit NANAE or news.spamcop.net to seek catharsis; you'll find many kindred spirits there.

Spamcop is free, although they also sell services such as filtered email and enhanced reporting. The costs are minimal, so please support them if you use them.

Page 2: Sam Spade
