Viva Liberacion: A Guide to Nuking Spammers, Part 2
In part one we looked at the fundamental problem of spam, which is theft of services, and put forth the radical notion that we are not put on this Earth merely for the convenience of marketers, but have exclusive rights to our personal property. In part two we'll look at going beyond filtering and blocking by attacking spam at its source.
Walk Softly and Carry a Big LART
The only way to stop spam at the source is to put spammers out of business. It is not enough to have one's own address removed from a spamlist (a process called listwashing). Spammers buy and sell lists every day; their evil little bots harvest and scrape addresses from Web pages, Usenet, Web forums, public databases, and anywhere else they possibly can.
Spammers do not bother to keep clean lists; what's the point? Who cares if 75% of the messages bounce and the rest are deleted on sight? Who cares if entire systems crash under the flood of spew? They are paid to hit the "send" button. The bottom line is that your address will end up on the lists again; it's a sure bet. In any case, it is wrong to have to jump through all kinds of hoops to get off lists when consent was never given in the first place.
As spammers do not enjoy having their services interrupted, they employ all manner of deceits and obfuscations to hide the true origins of their spew. They hijack unsecured proxies and relays. They abuse dialup pools and direct-to-MX (Mail eXchanger) cable and DSL connections. They play whack-a-mole with service providers, IP addresses, and DNS records. They run "joe-jobs" on innocent people and make big trouble for them. (A joe-job is faking a spam so that it appears to be from an innocent third party.) They run dictionary attacks on domains. Never mind that the rampant abuse of these resources destroys their usefulness to the rest of us. However, no matter how much they dodge and weave, they cannot hide. There are two excellent Web sites for hunting down the true origins of a spam: Spamcop and Sam Spade.
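The header walk that Spamcop and Sam Spade automate can be done by hand. The following is an added example (not code from the article or from either site) that reads the Received: headers of a constructed sample top-down and stops at the first hop that was received by one of our own mail servers from a host that is not ours; that is the handoff IP. Everything below that hop was written by machines we do not control and may be forged, as the bottom line of the sample is. TRUSTED_HOSTS, the host names and the addresses are all invented for the example.

```python
"""Walk a spam's Received: headers to find the handoff IP, the address that
delivered the message to our own mail server.  Added example, not the code
of Spamcop or Sam Spade.

Assumptions: TRUSTED_HOSTS names our own MTAs (invented here), and headers
are read top-down, so the first hop that is ours but was received from a host
that is not ours is the handoff.  Hops below that were written by machines
we do not control and may be forged.
"""
import re
from email import message_from_string

# Our own mail relays (assumption for the example).
TRUSTED_HOSTS = {"mail.example.net", "mx.example.net"}

# "from <host> [anything] by <host>" at the start of a flattened Received: value.
RECEIVED = re.compile(
    r"^from\s+(?P<host>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE
)
# Dotted quad not glued to further digits or dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: the bottom Received: line is one the spammer forged to
# make the mail look as if it came from a big ISP.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Mon, 4 Mar 2002 10:00:00 -0800
Received: from unknown (HELO mail.bigisp.example) (203.0.113.77)
\tby mx.example.net with SMTP; Mon, 4 Mar 2002 09:59:58 -0800
Received: from mail.bigisp.example (mail.bigisp.example [198.51.100.5])
\tby 203.0.113.77 with SMTP; Mon, 4 Mar 2002 09:59:50 -0800
From: "Spammy Jones" <spammy@example.org>
Subject: make money fast

body text
"""


def parse_received(value):
    """Return {'host', 'ip', 'by'} for one Received: header, or None."""
    flat = " ".join(value.split())           # unfold continuation lines
    m = RECEIVED.match(flat)
    if not m:
        return None
    ips = IPV4.findall(m.group("host") + " " + m.group("rest"))
    return {
        "host": m.group("host").lower(),
        "ip": ips[-1] if ips else None,      # the literal IP the receiving MTA saw
        "by": m.group("by").lower().rstrip(";"),
    }


def find_handoff(raw_message, trusted=TRUSTED_HOSTS):
    """Return the IP that handed the message to our first trusted MTA, or None."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):   # top of the message first
        hop = parse_received(value)
        if hop is None:
            continue
        if hop["by"] not in trusted:
            # Past our own machines: the rest of the chain cannot be trusted.
            return None
        if hop["host"] not in trusted:
            return hop["ip"]
    return None


if __name__ == "__main__":
    print("handoff IP:", find_handoff(SAMPLE))
```

The forged third line claims the mail came from mail.bigisp.example, but it was "received" by 203.0.113.77, which is not one of our hosts, so the walk never gets that far; the handoff address 203.0.113.77 is what gets reported.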
You've probably noticed that the vast majority of spams are HTML-encoded gibberish. As the war on spam escalates, spam, like the Borg, adapts. For example, this is an attempt to foil tracing tools by breaking up the IP address with garbage.
And here's a popular tactic for spamming a domain. If you have a catch-all postmaster account, all of these messages will flood your inbox.
From: "Spammy Jones" [firstname.lastname@example.org] To: <email@example.com>, <firstname.lastname@example.org>, <email@example.com>
Many spams are liberally larded with unique ID numbers, malicious scripts, and Web bugs. Do not enable HTML in your mail client! Spamcop wants the page source and full headers in any case, so plain text is the way to go.
Spamcop is excellent for analyzing headers, even if you do not use the reporting functions. Be sure to report only honest-to-gosh spam with Spamcop. Be careful when using Spamcop; it is not safe to merely click-and-send. First, make sure you are not sending spam reports to your own service provider, which can happen if your email address is in the body of the spam. Second, be careful of service providers that do not accept un-munged reports. Spamcop deletes your email address from reports by default, but some providers will not accept these, most likely because they would rather listwash than kick a spammer off their network. If you check the box to LART these fine souls, they will see your email address. Spamcop compiles statistics and builds a blocklist from spam reports, so either choice is useful.
If it is important to you to conceal your address in Spamcop reports, be aware that many spam messages will embed your email address in the body of the message, some of them many times. (Note: do not edit the mail headers, these must be unchanged for Spamcop to work.) It may even be spelled backwards. Notice also the many unique ID numbers; be sure to munge these too:
HREF=http://www.spammy.com/finish/?member_id=CARLA@BRATGRRL.COM&source_id=15&mojo=798884666"> IMG SRC=http://open.spammy.com/open?u=798884666&b=6354&mojo=798884666> !--MOC.LRRGTARB@ALRAC -->
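Doing this munging by hand on every report is tedious and error-prone, so here is an added example (not Spamcop's code) that splits a message at the first blank line, leaves the headers byte-for-byte intact, and replaces our own address (forward, reversed, any case) and tracking IDs in the body only. The sample message, the address carla@example.com and the spammy.example domains are constructed; treating any run of four or more digits in the body as a tracking ID is an assumption you may want to tune.

```python
"""Munge a spam before reporting it: remove our own address (forward, reversed,
any case) and tracking IDs from the body while leaving the headers untouched,
since Spamcop needs unchanged headers.  Added example, not Spamcop's code.

Assumption: any run of four or more digits in the body is a tracking ID.
"""
import re

ID_RUN = re.compile(r"\d{4,}")


def address_leaks(text, my_address):
    """True if text still contains my_address in any case, forward or reversed."""
    forward = re.escape(my_address)
    backward = re.escape(my_address[::-1])
    return re.search(f"{forward}|{backward}", text, re.IGNORECASE) is not None


def munge_report(raw_message, my_address, mask="x"):
    """Return raw_message with headers untouched and the body munged."""
    sep = re.search(r"\r?\n\r?\n", raw_message)   # first blank line ends the headers
    if sep is None:
        return raw_message                          # headers only, nothing to munge
    headers = raw_message[: sep.start()]
    body = raw_message[sep.end():]
    pattern = re.compile(
        re.escape(my_address) + "|" + re.escape(my_address[::-1]), re.IGNORECASE
    )
    body = pattern.sub(mask, body)
    body = ID_RUN.sub(mask, body)
    return headers + sep.group() + body


# Constructed sample modelled on the snippet above; addresses and domains are invented.
SAMPLE = (
    'From: "Spammy Jones" <spammy@example.org>\n'
    "To: carla@example.com\n"
    "Subject: you have won\n"
    "\n"
    '<a href="http://www.spammy.example/finish/?member_id=CARLA@EXAMPLE.COM'
    '&source_id=15&mojo=798884666">\n'
    '<img src="http://open.spammy.example/open?u=798884666&b=6354&mojo=798884666">\n'
    "<!--MOC.ELPMAXE@ALRAC -->\n"
)

if __name__ == "__main__":
    report = munge_report(SAMPLE, "carla@example.com")
    print(report)
    body_only = report.split("\n\n", 1)[1]
    print("address still in body:", address_leaks(body_only, "carla@example.com"))
```

Run address_leaks over the body before you submit; it catches the backwards spelling that a plain search-and-replace misses. The To: header still carries the address, which is intended: the headers must go out as received.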
Finally, you MUST resist the temptation to edit the comments in the reports. Leave them alone! It is mighty tempting to vent and cuss and heap abuse, but it won't help. Visit NANAE or news.spamcop.net to seek catharsis; you'll find many kindred spirits there.
Spamcop is free, although they also sell services such as filtered email and enhanced reporting. The costs are minimal, so please support them if you use them.
The Sam Spade site is a treasure trove of useful online digging tools: address digger, obfuscated URLs, whois, blackhole list check, and more -- you name it, it's here. I recommend Sam Spade for users who want a deeper knowledge of networking and how the Internet works. It's also effective on the rare occasions Spamcop is buffaloed.
Real-Time Blackhole Lists are tools to drop spam before it ever hits your mailserver. Some are extremely aggressive, which often results in them blocking some legitimate mail. For example, SPEWS.org escalates their blocklists to include netblocks that may not be in use by spammers when a service provider refuses to act on spam complaints.
A favorite tactic of a spam-friendly ISP is to shuffle a spamming customer's IP addresses and DNS around; expanding the blocked range is an effective way to keep their garbage off your servers. Other DNSRBLs vary in aggressiveness -- there's one for every temperament. Please see "Why don't spam blocking lists block only the spammers?" for a more detailed discussion of why blocklists operate the way they do.
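To see what a blocklist lookup actually does, and why an escalated listing catches addresses that never sent spam, here is an added example (not the code of SPEWS or any other list). A DNSBL is consulted by reversing the IPv4 octets, appending the list's zone and asking DNS for that name; an A record in 127.0.0.0/8 means "listed" and NXDOMAIN means "not listed". The zone dnsbl.example, the stub answers and the meaning of the last octet are constructed for the example (the last octet's meaning is list-specific); the stub resolver keeps it offline, and live_resolve shows the same query against real DNS.

```python
"""How a DNS-based blocklist is consulted, and why an escalated netblock
listing blocks more than the spammer's own address.  Added example, not the
code of SPEWS or any other list.

Convention: query <reversed octets>.<zone>; an A record in 127.0.0.0/8 means
listed, NXDOMAIN means not listed.  Return codes below are invented.
"""
import ipaddress
import socket

ZONE = "dnsbl.example"             # invented list zone

# Constructed answers: 127.0.0.2 for a direct spam source, 127.0.0.3 for an
# escalated listing of the provider's surrounding netblock.
STUB_DNS = {
    "77.113.0.203.dnsbl.example": "127.0.0.2",
    "200.2.0.192.dnsbl.example": "127.0.0.3",
}


def dnsbl_name(ip, zone=ZONE):
    """Name to query: octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def stub_resolve(name):
    return STUB_DNS.get(name)      # None plays the role of NXDOMAIN


def live_resolve(name):
    """Real lookup; returns None on NXDOMAIN or any resolution error."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zone=ZONE, resolve=stub_resolve):
    """Return (listed, answer).  Only answers in 127.0.0.0/8 count as a listing,
    so a wildcard-hijacked or dead zone that returns a public IP is not
    mistaken for a positive."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False, None
    listed = ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    return listed, answer


def escalated_block(ip, netblocks):
    """Return the first listed netblock containing ip, or None.  This is the
    collateral of an escalated listing: the address is blocked because its
    provider's whole range is."""
    addr = ipaddress.IPv4Address(ip)
    for block in netblocks:
        net = ipaddress.IPv4Network(block)
        if addr in net:
            return net
    return None


if __name__ == "__main__":
    for ip in ("203.0.113.77", "192.0.2.200", "198.51.100.5"):
        print(ip, check_dnsbl(ip))
    print(escalated_block("192.0.2.200", ["192.0.2.0/24"]))
```

Note the check on the 127.0.0.0/8 range: a list that has shut down and had its domain taken over by a wildcard DNS entry will answer every query with some public address, and a mail server that treats any answer as "listed" would then reject all mail.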
Remember rule #1 of sysadmins: MY servers, MY rules. We are under no obligation to allow traffic or content on our servers and PCs. Keep this in mind when the spam-inclined and the clueless are pestering you with their usual nonsense about 'frea speach.' Please see the Spamfaq for detailed FAQs on these issues.
I've spent considerable time on "why spam is bad" in this series as, unfortunately, too many people still do not understand. This will give you a good start on serious, effective spam-fighting. Please keep a cool head; it is far too easy to get caught up in anger. When it comes to spam, read, study, and use the tools; don't get mad, be effective.
The Spam Battle 2002: A Tactical Update -- This is a great article on spammer tactics as well as on how to get your own house in order
Why don't spam blocking lists block only the spammers?
Realtime Black-hole Lists: Heroic Spam Fighters or Crazed Vigilantes?
There's No Such Thing As Legitimate Spam
Thank The Spammers