Now that you know spammers retrieve email addresses, how can you fight back? Depending on your mood and temperament, your response may range from politeness to hostility. While you may ignore and simply delete most spam, some may enrage you.
When you receive spam, the message may include an email address that you can write to in order to remove your address from the spammer's email list. Sometimes this works, but more often this email address itself is phony, or replying simply alerts the spammers that your email address is valid, which can encourage them to sell your email address to others and keep sending spam to you.
To protect themselves against retaliation, most spammers either strip out or fake their return email addresses. But even if you can't find a valid return address in the email to respond to, you may still be able to uncover one. To do so, search the spam's header for the ISP's address, such as earthlink.net, buried in the From or Message-ID header. Once you identify the ISP, you can complain directly to them.
In the following example, a quick search of the email header reveals that the spammer's ISP is example.com (which could be forged to hide the spammer's true ISP).
Subject: Absolutely NOT Risky ! Nothing to lose !!!
From: Hidden <email@example.com>
Date: Fri, 01 Aug 1997 00:02:54 +0800
Message-ID: <33E0B72E.firstname.lastname@example.org>
Because spam is so annoying, most ISPs prohibit their subscribers from sending bulk email. If they receive complaints, the ISP will often cancel the spammer's account.
To notify an ISP of a spammer, email your complaint to the standard abuse-reporting mailboxes at the site, such as abuse@spammer.site or postmaster@spammer.site, where "spammer.site" is the site the spammer used to send the junk email. ISPs can't monitor all of their users, but if they receive a flood of complaints about one of their customers, they can take action against the spammer and stop future abuses (maybe).
Unfortunately, whenever there's money involved, there's always someone willing to take it regardless of the consequences. While many ISPs explicitly forbid spamming, other ISPs specialize in it, such as EmailSending.com (http://www.emailsending.com), which sells their services solely to bulk emailing customers. Another such ISP even advertises:
Does your website get shut down as a result of your email marketing campaigns? If so, then Bulk Email Superstore's Bulk Friendly Web Hosting is a must! Our high speed servers are linked to bulk friendly backbones specifically designed to absorb excessive traffic and heat linked to your email marketing campaigns.
So if you complain to a bulk email ISP about one of their customers, chances are you'll just add your valid email address to their "customer lists" that they'll just sell to someone else.
Since many spammers promote get-rich-quick schemes, there's a good chance they may not keep proper tax records of their earnings, so one way to take revenge on these spammers is to contact the Internal Revenue Service (or your own government's tax agency) so they can investigate whether the spammer is properly reporting all income. American citizens can forward spam to either email@example.com to report fraudulent make-money-fast (MMF) schemes or firstname.lastname@example.org to report tax evaders. Reports of tax fraud should be sent directly to your regional IRS Service Center; there is currently no Internet email address for reporting those suspected offenses.
Email programs like Microsoft Outlook, Eudora Pro, and the web-based email sites like Hotmail and Yahoo! let you filter incoming email based on From addresses, subjects, and keywords. You can set the filtering rules to search for particular spammer email addresses or keywords in messages or subjects (like "MAKE MONEY FAST") and have the filter automatically delete the message or route it to a special folder. Some of the more common keywords found in spam include: "to be removed," "not mlm," "serious inquiries only," "earn $2000-$5000 weekly," "sent in compliance," "at no cost to you," "spam," "work from home," "dear friend," "not multi-level marketing," "xxx," and "call now," so try using these.
Or you can subscribe to an email filtering service like SpamCop (http://spamcop.net), which can screen your email for spam and route suspicious messages to a designated location, so you can review it just in case a legitimate message got routed there by mistake. Anti-spam programs like Spam Buster (http://www.contactplus.com) automatically filter suspicious email, analyze email headers, and track down spammers' ISPs by checking received email against a database of known spammer addresses or by searching for keywords (see Figure 16-3). When the program finds a likely match, it moves the suspect email to a special folder where you can review or delete it later.
Perhaps the most satisfying way to deal with spam is to find the spammer's actual email address, phone number, or postal address—and use it. If a spammer registered a particular address for a website, visit the Network Solutions registry at http://www.networksolutions.com/cgi-bin/whois/whois, type in the domain you want to search, and the Network Solutions database cheerfully provides you with the postal address of the person who registered the domain name, along with the server currently hosting the web pages.
If the spammer doesn't list a web address but gives you his or her real email address, strip away the spammer's ID to find the domain. For example, if the address is spammer@isp.com, remove "spammer" and you're left with the domain name of the spammer's ISP, which in this case is isp.com. By typing this domain into the Network Solutions registry, you can find out how to reach the ISP by mail or phone, or you can add "www" to the front of the domain, which in this example would give you http://www.isp.com, and visit its website, which should list an email address that you can complain to.
Unfortunately, spammers know that their websites will become targets, so they often disguise their real website address through a third-party server, such as a specialized bulk email ISP. When you receive spam, the spammer lists an address that leads directly to the bulk emailing ISP, which then redirects a potential customer's browser to the actual spammer's website. By masking and redirecting the actual website address, spammers can advertise their website without worrying that a hacker will attack it or complain to their ISP.
One bulk emailing ISP even advertises the following:
IP Tunneling is a method where the recipient of your email message accesses your web site through a (non traceable) binary encrypted link similar in appearance to the following: (.....unique.site.net.co.fr|https.am2002.opt.com:8096)
Once the recipient clicks the email message, their browser references our servers through the binary encoding within the link. Our servers (behind the scenes) then call upon your web site's IP which resides either on your server or a 3rd party's server. This technology provides its users with COMPLETE protection and anonymity.
As a result, it's possible to browse a spammer's website without ever knowing the exact domain address, which means you can't look up and find the spammer's actual address and telephone number.
If a spammer opens a temporary email account just to spam the Internet, there's not much you can do about it—the spammer can keep opening up new email accounts and shutting them down afterwards. However, if the spammer forges a return email address, there's still hope.
Forged email addresses may hide the spammer's email address, but the email itself can reveal the spammer's ISP if you know how to decipher its cryptic-looking headers, which contain information on the route the email traveled.
Most email programs hide email headers to avoid burying you in irrelevant technical email–routing details. However, by revealing these headers, you can trace the route a spam email has taken and possibly identify the spammer. For more information about displaying email headers from a variety of email programs, including Outlook, AOL, Eudora, Pegasus, Netscape, and WebTV, visit the SpamCop site (http://spamcop.net).
Let's take a look at some headers sent from a valid email account to see what they mean.
Received: from db3y-int.prodigy.net [127.0.0.1] by wflda-db3y-int.prodigy.net; Sat, 9 Dec 2000 10:38:19 -0500
Received: from yorktown.stratfor.com (yorktown.stratfor.com [188.8.131.52]) by db3y-int.prodigy.net (8.8.5/8.8.5) with ESMTP id KAA45964 for <BO@prodigy.net>; Sat, 9 Dec 2000 10:36:04 -0500
Received: from verdun.stratfor.com (verdun.stratfor.com [184.108.40.206]) by yorktown.stratfor.com (8.8.7/8.8.5) with SMTP id JAA07105 for <BO@prodigy.net>; Sat, 9 Dec 2000 09:38:25 -0600 (CST)
Received: by verdun.stratfor.com with Microsoft Mail id <01BD0485.F3790CC0@verdun.stratfor.com>; Sat, 9 Dec 2000 09:36:39 -0600
In the preceding message, the Received headers describe where the email came from, along with the time and date it was sent. Starting with the bottom Received header, you can see that this email came from a domain named stratfor.com, sent on Saturday, December 9, 2000, at 9:36 a.m.
The next Received header (starting from the bottom and working your way up) shows that the email was transferred within the stratfor.com domain (from verdun.stratfor.com to yorktown.stratfor.com) on Saturday, December 9, 2000, at 9:38 a.m. Notice that the stratfor.com domain is also identified by its numeric (IP) address in square brackets, [220.127.116.11].
The next Received header shows that the stratfor.com domain sent the email to the prodigy.net domain on Saturday, December 9, 2000, at 10:36 a.m.
The top Received header shows that the email was transferred within the prodigy.net domain to the receiving email inbox on Saturday, December 9, 2000, at 10:38 a.m. Notice that the prodigy.net domain is also identified by its numeric address in square brackets, [127.0.0.1].
This example shows how each Received header records the transfer of the email from one domain to another. Forged email often omits all the Received headers that show the route of the email, or displays too many Received headers in an attempt to confuse you.
The following example of spam is obviously a forgery, because the Received headers do not show how the email got from the Sender domain (infosonic.com) to the receiving email account, a CompuServe account.
Sender: firstname.lastname@example.org
Received: from Blaze.cscent.net ([18.104.22.168]) by arl-img-10.compuserve.com (8.8.6/8.8.6/2.9) with ESMTP id TAA09818; Sun, 3 Dec 2000 19:52:30 -0500 (EST)
Date: Sun, 3 Dec 2000 19:52:30 -0500 (EST)
From: email@example.com
Message-Id: <199712040052.TAA09818@arl-img-10.compuserve.com>
To: firstname.lastname@example.org
Subject: "Earn Insane Profits At Home!"
Besides not showing enough Received headers to trace the email's route, another big clue that the email address has been forged is the use of a single capital letter ("B") in the Received header, listing Blaze.cscent.net. (Most Received headers use either all lowercase or all uppercase, but rarely a mix of both.)
From first appearance alone, you might conclude that the spammer is using either infosonic.com or cscent.net to send the spam, but in both cases these domain addresses could be forged. Unless you know for sure, you shouldn't complain to either domain, because they might be completely innocent.
Here's another example of a forged email address:
Return-Path: <More.Info.email@example.com>
Received: from relay27.mail.aol.com (relay27.mail.aol.com [172.31.109.27]) by air27.mail.aol.com (v36.0) with SMTP; Wed, 13 Dec 2000 14:09:15 -0500
Received: from ul1.satlink.com (ul1.satlink.com [22.214.171.124]) by relay27.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0) with ESMTP id MAA21540; Tue, 12 Dec 2000 12:23:29 -0500 (EST)
From: More.Info.firstname.lastname@example.org
Received: from 34lHT27yw (sdn-ts-003nynyorP15.dialsprint.net [126.96.36.199]) by ul1.satlink.com (8.8.8/8.8.8) with SMTP id OAA13401; Tue, 12 Dec 2000 14:23:04 -0300 (GMT-3)
Received: From j1dqu3p1J (sdn-ts-003nyorP04.dialsys33.net [306.203.08.10]) by cor.ibuyitnow22.net (8.8.5/8.7.3) with SMTP id JJA109; Tue, 12 Dec 2000 12:20:35 -400 (EDT)
You can tell this email has been forged because the bottom Received header sports three glaring flaws. First, you can't trace the email from the recipient's email address (in this case, an America Online account) back to the sender's email address. The top three Received headers show that America Online received the email from ul1.satlink.com, which in turn received it from sdn-ts-003nynyorP15.dialsprint.net. The bottom Received header is garbage designed to confuse you, because it doesn't trace any email being sent to the sdn-ts-003nynyorP15.dialsprint.net domain.
The second flaw in the bottom Received header is the sdn-ts-003nynyorP15.dialsprint.net domain, which claims to have an IP numeric address of [306.203.08.10]. The numbers used in an IP numeric address can only range from 0 to 255, so any number greater than 255 (306 in this example) immediately reveals that this particular Received header is forged.
The third flaw is that the word "From" begins with a capital letter; the other Received headers use "from" instead.
Because the bottom Received header is obviously forged, you can ignore it completely. Studying the remaining Received headers, you can conclude that the email originated from the sdn-ts-003nynyorP15.dialsprint.net domain. To verify that this is an actual domain and not a forged one, look at its numeric address in square brackets. In this case, the numeric address is [188.8.131.52].
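The three checks just described (a hop that does not connect to the one above it, an IP address with a number above 255, and a "From" keyword that does not match the other hops' lowercase "from") can be applied mechanically. The script below is an added example, not code from the book; the message it parses is a constructed sample modelled on the forged header above, with .invalid hostnames and documentation IP ranges in place of the real ones.

```python
import re
from email import message_from_string

# Constructed sample modelled on the forged message above (not the page's own header block).
# Hostnames use the reserved .invalid TLD, IPs come from RFC 5737 documentation ranges,
# and the bottom Received line carries the three forgery signs the text describes.
SAMPLE = """\
Received: from relay27.mail.example.invalid (relay27.mail.example.invalid [203.0.113.27])
\tby air27.mail.example.invalid (v36.0) with SMTP; Wed, 13 Dec 2000 14:09:15 -0500
Received: from ul1.isp-a.invalid (ul1.isp-a.invalid [198.51.100.9])
\tby relay27.mail.example.invalid (8.8.5/8.8.5) with ESMTP id MAA21540; Tue, 12 Dec 2000 12:23:29 -0500
Received: from 34lHT27yw (dialup15.isp-b.invalid [192.0.2.15])
\tby ul1.isp-a.invalid (8.8.8/8.8.8) with SMTP id OAA13401; Tue, 12 Dec 2000 14:23:04 -0300
Received: From j1dqu3p1J (dialup04.fake.invalid [306.203.08.10])
\tby cor.fake.invalid (8.8.5/8.7.3) with SMTP id JJA109; Tue, 12 Dec 2000 12:20:35 -0400
"""

# One hop: "<from keyword> <HELO name> (<reverse DNS> [<IP>]) by <receiving host> ..."
HOP_RE = re.compile(r"^(?P<kw>from)\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
                    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def parse_received(raw_message):
    """Received hops in message order: top = nearest the recipient, bottom = claimed origin."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        match = HOP_RE.match(" ".join(value.split()))  # join folded continuation lines
        hops.append(match.groupdict() if match else {"unparsed": value})
    return hops

def octets_ok(ip):
    """True when the address is four decimal numbers in the range 0-255."""
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def audit(hops):
    """Map hop index -> forgery signs found, applying the three checks from the text."""
    findings = {}
    for i, hop in enumerate(hops):
        if "unparsed" in hop:
            findings[i] = ["could not parse hop"]
            continue
        reasons = []
        if hop["kw"] != "from":
            reasons.append("keyword written as %r; the other hops use 'from'" % hop["kw"])
        if not octets_ok(hop["ip"]):
            reasons.append("impossible IP address %s" % hop["ip"])
        above = hops[i - 1] if i > 0 else None  # must say it got the mail from this hop's 'by' host
        if above and "unparsed" not in above and \
                hop["by"].lower() not in (above["helo"].lower(), above["rdns"].lower()):
            reasons.append("chain break: %s never hands the mail to the hop above" % hop["by"])
        if reasons:
            findings[i] = reasons
    return findings

def probable_origin(hops):
    """Lowest hop that passes every check: the ISP whose abuse desk you can write to."""
    bad = audit(hops)
    for i in range(len(hops) - 1, -1, -1):
        if i not in bad:
            return {key: hops[i][key] for key in ("helo", "rdns", "ip")}
    return None
```

On the sample, only the bottom hop is flagged, and probable_origin returns the dial-up hop with the scrambled HELO name, which is exactly the hop the text settles on.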
Once you have identified a spammer's name and numeric Internet address, you can verify the domain's existence by using a handy online tool called Whois. To run it, visit the Network Solutions registry (http://www.networksolutions.com/cgi-bin/whois/whois), or run the Whois command from a DNS lookup program such as Sam Spade or NetScanTools.
For additional help in tracking down spammers, visit the UXN Spam Combat website (http://combat.uxn.com) where you will find more tools for doing DNS lookups, traceroute, DNS probes, and so on (see Figure 16-4).
Whichever version of Whois you use, it will tell you whether the dialsprint.net domain really exists. In this example, Whois reports the following:
Sprint Business Operations (DIALSPRINT-DOM)
   12490 Sunrise Valley Dr.
   Reston, VA 22090
   US

   Domain Name: DIALSPRINT.NET

   Administrative Contact, Technical Contact, Zone Contact:
      Sprint DNS Administrator (SDA4-ORG) dns-admin@SPRINT.NET
      (800)232-6895 Fax-(703)478-5471
   Billing Contact:
      Sprint Internic Billing (SIB2-ORG) nicbills@SPRINT.NET
      (800)232-6895 Fax-(703)478-5471

   Record last updated on 23-Jan-00.
   Record created on 12-Feb-96.
   Database last updated on 22-Dec-99 05:27:44 EDT.

   Domain servers in listed order:
   NS1.DIALSPRINT.NET 184.108.40.206
   NS2.DIALSPRINT.NET 220.127.116.11
   NS3.DIALSPRINT.NET 18.104.22.168
This tells us that dialsprint.net is a valid domain and gives us the administrator's email address.
To further verify that the Received header information is correct, try one of the DNS lookup programs like Sam Spade or NetScanTools to see whether the IP address belongs to a specific domain name. In this example, the last valid Received header is:
from 34lHT27yw (sdn-ts-003nynyorP15.dialsprint.net [22.214.171.124])
This shows that the domain name has been masked by the garbled string of characters "34lHT27yw." Examining the other Received headers shows that this string should list the same domain name as that which appears in parentheses (sdn-ts-003nynyorP15.dialsprint.net). Because the spammer deliberately scrambled this information, you can be pretty sure that this information reveals the address of the ISP they used to send the email.
Examining the [126.96.36.199] numeric address with the Name Server Lookup (NSLookup) command confirms that it belongs to the sdn-ts-003nynyorP15.dialsprint.net domain. Thus, we can be pretty sure that the spammer sent email from the dialsprint.net domain. Of course, the spammer might have opened an account with dialsprint.net just to send spam and then canceled it, but at least you can complain to the ISP.
To retrieve valid email addresses, many spammers run website extractor programs that grab the HTML code that makes up a web page and search it for email addresses. So one way to fool these programs is to disguise your email address with its ASCII code equivalents within your HTML code. Normally, an email address appears in the raw HTML code in plain English. For example, if you wanted to list your email address as myname@isp.com on a web page, it would look like this in the HTML code:
<p>Email address: <a href="mailto:myname@isp.com">myname@isp.com</a></p>
With the email address clearly visible in the HTML code, website extractor programs have little trouble retrieving it. But if you substitute each character of your email address with its ASCII code equivalent, such as typing &#109; for the letter "m", &#121; for the letter "y", and so on, your HTML code looks like this:
<p>Email address: <a href="mailto:&#109;&#121;&#110;&#97;&#109;&#101;&#64;&#105;&#115;&#112;&#46;&#99;&#111;&#109;">&#109;&#121;&#110;&#97;&#109;&#101;&#64;&#105;&#115;&#112;&#46;&#99;&#111;&#109;</a></p>
Both versions of the HTML code display the email address myname@isp.com on a web page, but the ASCII version prevents spammers from retrieving your email address, since the extractor programs won't recognize the ASCII codes as a valid email address.
To find the ASCII code for each character in an email address, visit ASCII table (http://www.asciitable.com).
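The encoding step above is easy to automate, and doing so also shows the limit of the trick. The following is an added example, not code from the book: it builds the mailto fragment with every character replaced by its decimal character reference, runs a naive extractor pattern (constructed here) over the raw HTML, and then decodes the references the way a browser would. The address myname@isp.com is the hypothetical one from the text.

```python
import html
import re

# Extractor pattern of the kind the text describes: it matches a literal address
# in the raw HTML and nothing else (constructed for this example).
NAIVE_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Hypothetical address, as in the text's example.
ADDRESS = "myname@isp.com"

def entity_encode(text):
    """Replace every character with its decimal character reference, e.g. 'm' -> '&#109;'."""
    return "".join("&#%d;" % ord(ch) for ch in text)

def mailto_markup(address, obfuscate=True):
    """The <p>/<a href="mailto:..."> fragment from the text, plain or entity-encoded."""
    shown = entity_encode(address) if obfuscate else address
    return '<p>Email address: <a href="mailto:%s">%s</a></p>' % (shown, shown)

def naive_extract(page_html):
    """Addresses a byte-for-byte extractor finds in the raw HTML (href and link text)."""
    return NAIVE_EMAIL_RE.findall(page_html)

def rendered_text(page_html):
    """What a browser, or an extractor that decodes entities before matching, sees."""
    return html.unescape(page_html)
```

Running naive_extract on the encoded fragment returns nothing, while running it on rendered_text of the same fragment returns the address twice; the trick defeats only scanners that never decode character references.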
One of the earliest methods for fighting spam was to maintain a database of known spammer email addresses and ISPs. Unfortunately, spammers can change ISPs rapidly, making most anti-spammer databases obsolete. To avoid this problem, the Kill The Spams program (http://www.zipstore.com) uses a list of rules to screen the headers of incoming emails for signs of spam. If a header looks suspicious, the program can flag the email as possible spam or just delete the message automatically.
Programs like Spam Buster (http://www.contactplus.com), SpamButcher (http://www.spambutcher.com), and SpamKiller (http://www.mcafee.com) combine both filtering and a database of known spammers to help keep spam out of your inbox. For more accuracy, Spam Buster can do a DNS lookup on email to verify that the header lists a real address. To avoid having the anti-spam program mistake valid email for spam, many anti-spam programs offer a special Friends list, which tells the anti-spam program which email addresses you will always accept messages from.
To reduce the chances of receiving spam in the first place, give out your email address sparingly. Create a separate email account with a free service such as Hotmail, and use it for posting messages in Usenet newsgroups or when buying online (many companies sell your email address when you register with them). By creating a decoy email account, you can redirect spam to accounts that you rarely use, and keep your everyday email account free from most annoying spam.