How To Fight Spam!
Date Written: June 2, 2001
Written By: Jason Rabel
React Carefully - Your Second Line Of Defense:
So you got a spam in your inbox, you know it is complete crap, and you want to
report the SOB that sent it to you. How would you do that? Well, the first step
is to see WHERE the email came from. In every email program there is a way to
reveal the complete headers, and when you do it will reveal something like this
(actual header taken from a spam email I received):
Return-Path: <drw@worldsubmitter.com>
Received: from clmboh1-smtp3.columbus.rr.com
(clmboh1-smtp3.columbus.rr.com[65.24.0.112])
by www.extremeoverclocking.com (8.10.2/8.10.2) with ESMTP id f51GlgV02882
for <xxxxxxxxxxxxx>; Fri, 1 Jun 2001 11:47:42 -0500
Received: from TmpStr (net208-124.neo.rr.com [24.93.208.124])
by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with SMTP id f51DEZk04631;
Fri, 1 Jun 2001 09:14:35 -0400 (EDT)
Message-Id: <200106011314.f51DEZk04631@clmboh1-smtp3.columbus.rr.com>
From: DRW<drw@worldsubmitter.com>
To: drw44703@yahoo.com
Organization: DRW
Subject: 100% FREE - NO STRINGS -$$$
Sender: DRW<drw@worldsubmitter.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 1 Jun 2001 09:35:58 -0400
Status: RO
You can see it came from either "drw@worldsubmitter.com" or even
"drw44703@yahoo.com"; odds are that was totally bogus, since you can EASILY
forge the From address in your email, just go to your preferences. However, it
wouldn't hurt to send Yahoo an email (with the spam attached), and if that
email account does exist they can investigate it.
The part you really want to look at is the "Received:" lines. Basically the
header shows you the path the email took from the sender to the receiver, one
line per hop, with the most recent hop at the top. You can see that the sender
used the SMTP server "clmboh1-smtp3.columbus.rr.com", whose IP address is
"65.24.0.112"; this is a legit server, I pinged it and did a DNS lookup on it.
Then if you look down a couple of lines you can see that this SMTP server
received the email from net208-124.neo.rr.com (IP: 24.93.208.124), which is
the actual client computer that sent the spam. Bingo, we have our bad guy.
So now that we know our culprit is a user of the Road Runner network, I went
to roadrunner.com and looked up their contact info, and they had an abuse email
address that I forwarded the message to (making sure they also got a copy of
the complete email header). Now they can trace that IP back to the physical
user, revoke his Road Runner account and hopefully prosecute him or her.
Sometimes email headers can be faked (which you can tell by phony IP
addresses), or anonymous remailers will strip out all the info that leads back
to the culprit. Sometimes you are just out of luck with those people, unless you
contact the owner of the anonymous remailer; sometimes they keep logs and you
can track an email down, but generally they aren't going to be much help
because they just don't care (you can still block emails from those sources,
though, just keep reading).
Also, even though they forge their email address in the header, sometimes in
the email itself there will be a working email address (they need to have some
way for the people who fall for the scam to contact them). But instead of
sending an email to them directly, look at the domain the email is coming from.
The domain is the part after the "@" symbol, so for drw44703@yahoo.com it would
be yahoo.com. Go to the domain's website and see if there is some higher
authority you can report the abuse to and let them investigate. If it is
someone on their system then they can take the appropriate actions.
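To make the header-reading procedure above concrete, here is an added example (my code, not part of the original article) that parses the article's own sample header, lists the hops from the sender's side forward, sanity-checks each bracketed IP for the "phony address" case, and picks out the originating machine. The abuse_domain() helper that reduces a reverse-DNS name to its last two labels is an assumption used for illustration; in practice a WHOIS lookup on the IP is the reliable way to find the network's abuse contact.

```python
import ipaddress
import re
from email import message_from_string

# The article's sample spam header, re-folded so the email parser treats the
# indented lines as continuations (the xxxx recipient placeholder is the article's own).
SAMPLE_HEADERS = """\
Return-Path: <drw@worldsubmitter.com>
Received: from clmboh1-smtp3.columbus.rr.com
 (clmboh1-smtp3.columbus.rr.com[65.24.0.112])
 by www.extremeoverclocking.com (8.10.2/8.10.2) with ESMTP id f51GlgV02882
 for <xxxxxxxxxxxxx>; Fri, 1 Jun 2001 11:47:42 -0500
Received: from TmpStr (net208-124.neo.rr.com [24.93.208.124])
 by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with SMTP id f51DEZk04631;
 Fri, 1 Jun 2001 09:14:35 -0400 (EDT)
Message-Id: <200106011314.f51DEZk04631@clmboh1-smtp3.columbus.rr.com>
From: DRW<drw@worldsubmitter.com>
To: drw44703@yahoo.com
Subject: 100% FREE - NO STRINGS -$$$
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <server>"; the parenthesised part is
# optional because some relays omit it, and the reverse-DNS name may be missing inside it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_hops(raw_headers):
    """Return the Received hops in header order: first entry is the hop nearest
    the recipient, last entry is the hop nearest the sender."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # undo header folding
        m = HOP_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def classify_ip(text):
    """Sanity-check a bracketed address: forged hops often carry impossible or
    non-routable addresses, which cannot be the real source of the mail."""
    if text is None:
        return "missing"
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    return "public" if addr.is_global else "private/bogus"


def originating_hop(hops):
    """Walk from the sender's side forward and return the earliest hop whose
    address is a real public IP; that is the machine that handed the mail to
    the first genuine relay. Earlier hops with bogus addresses are forgeries."""
    for hop in reversed(hops):
        if classify_ip(hop["ip"]) == "public":
            return hop
    return None


def abuse_domain(hostname):
    """Crude guess (an assumption for illustration) at the network operator's domain:
    the last two labels of the reverse-DNS name. WHOIS on the IP is the real check."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def report(raw_headers):
    """Human-readable trace of the path, sender side first, plus the origin."""
    hops = parse_hops(raw_headers)
    lines = []
    for n, hop in enumerate(reversed(hops), 1):
        name = hop["rdns"] or hop["helo"]
        lines.append(f"hop {n}: {name} [{hop['ip']}] ({classify_ip(hop['ip'])}) -> {hop['by']}")
    origin = originating_hop(hops)
    if origin:
        net = abuse_domain(origin["rdns"] or origin["by"])
        lines.append(f"origin: {origin['ip']} ({origin['rdns']}); network to contact: {net}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HEADERS))
```

Run it as-is and it prints the two hops of the sample header with 24.93.208.124 identified as the origin; feed it any other raw header block and the same walk applies.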
Proactive Measures - Stopping Spam Before It Gets To You:
I'm not going to tell you how to hack a spammer's computer and take it down.
(FYI - Windows users, your system is really insecure by default, if you are on a
cable modem or DSL, you really should look into some sort of firewall / proxy
product to help protect your computer from intrusion because being on a high
speed connection really puts your computer at risk.) But I am going to give a
few tips and pointers for legal ways to prevent spam.
One of the greatest things out there on the net is the RBLs, which stands for
"Realtime Blackhole List". These people maintain lists of known spam sources,
open relay servers, dial-up / DSL / cable IPs where people set up local SMTP
servers so they can connect directly to the victim's email server, and a lot
more. You can configure your sendmail server (just about every unix type OS
uses sendmail) to query these lists and it will kill spam in transit. I
currently filter my email using http://www.mail-abuse.org/. They have three
lists that your sendmail program can query. There are several other maintainers
of RBLs, and you can add them too if you like.
Configuring sendmail to query these lists isn't that complicated if you know
your basic unix commands. First off, you will need to find your sendmail.mc
file. Generally this is located in the /etc directory, sometimes in the
/etc/mail directory; if it's not there, then you will have to locate it with
something like: find / -name sendmail.mc
Basically you want to edit the .mc file and add the following lines under the
"features" section.
- FEATURE(`dnsbl', `blackholes.mail-abuse.org')dnl
- FEATURE(`dnsbl', `dialups.mail-abuse.org')dnl
- FEATURE(`dnsbl', `relays.mail-abuse.org')dnl
Once you have those added, you can then run the following command to compile
the .mc into the .cf file that sendmail actually reads. Again, the command will
vary slightly depending on where your sendmail config files are actually located.
- m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Then you will have to restart your sendmail program. Sendmail requires
restarts for the .cf files, but you don't need to for the .db files. The command
to restart sendmail is:
- /etc/rc.d/init.d/sendmail restart
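What those three FEATURE(`dnsbl') lines make sendmail do is a plain DNS lookup: reverse the octets of the connecting client's IP, append the list's zone, and treat any A record that comes back as "listed". The following is an added example (my code, not the article's or sendmail's) that builds those query names for the zones named above and models the accept/reject decision. The resolver is a constructed stub with made-up answers so it runs offline; live_resolve() shows the real system-resolver call but is not used by the demo. The 550 wording is modelled on sendmail's, not copied from it.

```python
import ipaddress
import socket

# Zones the article configures; whether they still answer today is not checked here.
ZONES = ("blackholes.mail-abuse.org", "dialups.mail-abuse.org", "relays.mail-abuse.org")


def dnsbl_query_name(ip, zone):
    """The name a DNSBL client looks up: IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbls(ip, zones, resolve):
    """Query each zone; any returned A record means 'listed'. resolve(name) must
    return a list of address strings, or [] when the name does not exist."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if answers:
            hits[zone] = answers
    return hits


def smtp_verdict(ip, zones, resolve):
    """Decision the dnsbl feature drives: refuse the connection with a 550 when
    any configured zone lists the client, otherwise carry on."""
    hits = check_dnsbls(ip, zones, resolve)
    if hits:
        zone = next(iter(hits))
        return f"550 Rejected: {ip} listed at {zone}"
    return "250 OK"


def live_resolve(name):
    """Real lookup through the system resolver (not exercised by the demo)."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


# Constructed stub standing in for DNS answers. 127.0.0.2 is the conventional
# test entry most DNSBLs publish so operators can confirm their configuration works.
FAKE_ZONE = {
    "124.208.93.24.dialups.mail-abuse.org": ["127.0.0.3"],  # the article's spam source (made-up answer)
    "2.0.0.127.blackholes.mail-abuse.org": ["127.0.0.2"],   # standard test entry
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


def feature_lines(zones):
    """The sendmail.mc lines equivalent to the article's configuration."""
    return [f"FEATURE(`dnsbl', `{z}')dnl" for z in zones]


if __name__ == "__main__":
    for line in feature_lines(ZONES):
        print(line)
    for client in ("24.93.208.124", "65.24.0.112", "127.0.0.2"):
        print(client, "->", smtp_verdict(client, ZONES, fake_resolve))
```

Swap fake_resolve for live_resolve to query real zones; a lookup of 127.0.0.2 against a working list should come back listed, which is the standard way to confirm a DNSBL setup before trusting it with production mail.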
The next area where you can configure sendmail is your access file. It is
located in the same place as your other sendmail files (/etc or /etc/mail).
You can add specific email addresses, IPs, or domains to reject. The generic
way to do it would be like the following:
Or you can be a little more creative, like:
- metacomm.co.kr 550 Mail rejected due to possible SPAM
These fields must be tab delimited (meaning a tab between the domain and the
REJECT or the 550). You can add as many as you want; mine is an ongoing list,
and I block any domain I get spam from, so that next time they send some they
will get a nice little rejection message. I've noticed that a lot of spam gets
relayed through open relay servers overseas. Anyhow, once you edit your access
file, you will need to build it to make your access.db file. This can be done
by doing the following:
- makemap hash /etc/mail/access < /etc/mail/access
More info on this can be found at http://www.sendmail.org/m4/anti-spam.html
and they detail all on other custom messages & anti-spam configurations.
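Because the access file only works when the key and value are separated by a real tab, and because a domain entry silently covers every host under it, it helps to see the lookup spelled out. The following is an added example (my code, not sendmail's) that reads a small access file built from the article's own metacomm.co.kr entry plus a few constructed ones, rejects lines without a tab the way makemap would mis-read them, and emulates sendmail's untagged lookup order as I understand it from the sendmail documentation: full address, then the domain and each parent domain, then local-part@, and for connecting clients the IP followed by its shorter prefixes. It is a simplified model of that lookup, not a copy of sendmail's rule sets.

```python
# Constructed access file; only the metacomm.co.kr line is the article's own entry.
ACCESS_FILE = (
    "# key<TAB>value   (makemap folds keys to lower case unless run with -f)\n"
    "metacomm.co.kr\t550 Mail rejected due to possible SPAM\n"
    "spammer.example\tREJECT\n"
    "192.0.2\tREJECT\n"          # TEST-NET block, stands in for a whole /24 of dial-ups
    "friend.example\tOK\n"
)


def parse_access(text):
    """Parse key<TAB>value lines into a dict, refusing lines with no tab, since
    makemap would otherwise treat the whole line as the key."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError(f"access line {lineno}: key and value must be separated by a TAB")
        key, value = line.split("\t", 1)
        table[key.strip().lower()] = value.strip()
    return table


def sender_keys(address):
    """Keys tried for an envelope sender, most specific first: the full address,
    the domain and each parent domain, then local-part@."""
    address = address.lower()
    keys = [address]
    if "@" in address:
        local, domain = address.rsplit("@", 1)
        labels = domain.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
        keys.append(local + "@")
    return keys


def client_keys(ip):
    """Keys tried for a connecting client: the full IP, then shorter dotted prefixes."""
    parts = ip.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]


def first_match(table, keys):
    for key in keys:
        if key in table:
            return table[key]
    return None


def decide(table, sender=None, client_ip=None):
    """Emulated access check: the connecting host is checked first (sendmail does
    that at connection time), then the envelope sender. None means 'no entry'."""
    if client_ip is not None:
        verdict = first_match(table, client_keys(client_ip))
        if verdict is not None:
            return verdict
    if sender is not None:
        verdict = first_match(table, sender_keys(sender))
        if verdict is not None:
            return verdict
    return None


if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    for sender in ("someone@mail.metacomm.co.kr", "a@b.spammer.example", "x@good.example"):
        print(sender, "->", decide(table, sender=sender))
    print("client 192.0.2.77 ->", decide(table, client_ip="192.0.2.77"))
```

The point to take from the trace is that one metacomm.co.kr line also catches mail from mail.metacomm.co.kr, and that a 192.0.2 prefix covers every address in that block, which is why a short access file can block a lot.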
These settings are really only applicable if you run your own sendmail
server. However, even if you are just a regular cable modem or DSL user, you can
bug the company to add preventative spam measures like the RBLs to their
servers. Also, you can find ISPs that are already proactive in fighting spam
(and are members of CAUCE).
Other Good Sources:
This was a very brief article on spam prevention, but you can read tons more
on sites dedicated to stopping spam.
Conclusion:
Some people don't really care about the spam they get in their inbox, they
just simply delete it, but everyone has their breaking point. I get so much spam
it's ridiculous, not just email but all those stupid phone calls and junk mail.
Remember, for every bit of spam you get, hundreds of thousands of other people
are getting the same irritating spam, so it's time to fight back and do
something about it!
Spending just a little extra time doing some research when you get spam and
reporting it to the proper people can help bring these scumbags to justice. I
like to think that at least some of them get fined so much that they can no
longer afford a computer and have realized how stupid a thing sending out all
that spam was in the first place.