IETF RUN Working Group Sally Hambridge / Intel
draft-ietf-run-spew-03.txt Albert Lunde / Northwestern University
March 1998
DON'T SPEW
A Set of Guidelines for Mass Unsolicited
Mailings and Postings (spam*)
Abstract
This document explains why mass unsolicited electronic mail
messages are harmful in the Internetworking community. It gives
a set of guidelines for dealing with unsolicited mail for users,
for system administrators, news administrators, and mailing list
managers. It also makes suggestions Internet Service Providers
might follow.
Status of This Memo
This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted
by other documents at any time. It is not appropriate to use
Internet Drafts as reference material or to cite them other than
as a "working draft" or "work in progress."
Please check the I-D abstract listing contained in each Internet Draft
directory to learn the current status of this or any other Internet
Draft.
It is intended that this document will be submitted to the IESG for
consideration as an FYI document. Distribution of this document is
unlimited.
1. Introduction
The Internet's origins in the Research and Education communities
played an important role in the foundation and formation of Internet
culture. This culture defined rules for network etiquette (netiquette)
and communication based on the Internet's being relatively off-limits
Hambridge & Lunde Expires: 9Sep98 [Page 1]
Internet Draft Make Enemies Fast March 1998
to commercial enterprise.
As we know, this all changed when the U.S. Government was no longer the
primary funding body for the U.S. Internet, when the Internet truly
went global, and when all commercial enterprises were allowed to
obtain Fully Qualified Domain Names. Internet culture had become
deeply embedded in the protocols the network used. Although the
social context has changed, the technical limits of the Internet
protocols still require a person to enforce certain limits on resource
usage for the 'Net to function effectively. Strong authentication was
not built into the News and Mail protocols. The only thing that is
saving the Internet from congestion collapse is the inclusion of TCP
backoff in almost all of the TCP/IP driver code on the Internet.
There is no end-to-end cost accounting and/or cost recovery.
Bandwidth is shared among all traffic without resource
reservation (although this is changing).
Unfortunately for all of us, the culture so carefully nurtured through
the early years of the Internet was not fully transferred to all those
new entities hooking into the bandwidth. Many of those entities
believe they have found a paradise of thousands of potential customers
each of whom is desperate to learn about stunning new business
opportunities. Alternatively, some of the new netizens believe all
people should at least hear about the one true religion or political
party or process. And some of them know that almost no one wants to
hear their message but just can't resist how inexpensive the net can
be to use.
While there may be thousands of folks desperate for any potential
message, mass mailings or Netnews postings are not at all appropriate
on the 'Net. This document explains why mass unsolicited email and
Netnews posting (aka spam) is bad, what to do if you get it, what
webmasters, postmasters, and news admins can do about it, and how an
Internet Service Provider might respond to it.
2. What Is Spam*?
The term "spam" as it is used to denote mass unsolicited mailings or
netnews postings derives from a Monty Python sketch set in a movie/tv
studio cafeteria. During that sketch, the word "spam" takes over each
item offered on the menu until the entire dialogue consists of nothing
but "spam spam spam spam spam spam and spam." This so closely
resembles what happens when mass unsolicited mail and posts take over
mailing lists and netnews groups that the term has been pushed into
common usage in the Internet community.
When unsolicited mail is sent to a mailing list and/or news group it
frequently generates more hate mail to the list or group or apparent
sender by people who do not realize the true source of the message.
If the mailing contains suggestions for removing your name from a
mailing list, 10s to 100s of people will respond to the list
with "remove" messages meant for the originator. So, the original
message (spam) creates more unwanted mail (spam spam spam spam), which
generates more unwanted mail (spam spam spam spam spam spam and spam).
Similar occurrences are perpetrated in newsgroups, but this is held
somewhat in check by "cancelbots" (programs which cancel postings)
triggered by mass posting. Recently, cancelbots have grown less in
favor with those administering News servers since the cancelbots are
now generating the same amount of traffic as spam. Even News admins
are beginning to use filters, demonstrating that spam spam spam spam
spam spam and spam is a monumental problem.
3. Why Mass Mailing is Bad
In the world of paper mail we're all used to receiving unsolicited
circulars, advertisements, and catalogs. Generally we don't object to
this - we look at what we find of interest, and we discard/recycle the
rest. Why should receiving unsolicited email be any different?
The answer is that the cost model is different. In the paper world,
the cost of mailing is borne by the sender. The sender must pay for
the privilege of creating the ad and the cost of mailing it to the
recipient. An average paper commercial mailing in the U.S. ends up
costing about $1.00 per addressee. In the world of electronic
communications, the recipient bears the majority of the cost. Yes,
the sender still has to compose the message and the sender has to pay
for Internet connectivity. However, the recipient ALSO has to pay for
Internet connectivity and possibly also connect time charges and for
disk space, so for electronic mailings the recipient is expected to
help share the cost of the mailing. Bulk Internet mail from the U.S.
ends up costing the sender only about 1/100th of a cent per address;
or FOUR ORDERS of magnitude LESS!
Of course, this cost model is very popular with those looking for
cheap methods to get their message out. By the same token, it's very
unpopular with people who have to pay for their messages just to find
that their mailbox is full of junk mail. Consider this: if you had to
pay for receiving paper mail would you pay for junk mail?
Frequently spammers indulge in unethical behavior such as using mail
servers which allow mail to be relayed to send huge amounts of
electronic solicitations. Or they forge their headers to make it look
as if the mail originates from a different domain. These kinds of
people don't care that they're intruding into a personal or business
mailbox nor do they care that they are using other people's resources
without compensating them.
The huge cost difference has other bad effects. Because even a very
cheap paper mailing is going to cost tens of (U.S.) cents, there is a
real incentive to send only to those really likely to be interested.
So paper bulk mailers frequently pay a premium to get high quality
mailing lists, carefully prune out bad addresses and pay for services
to update old addresses. Bulk email is so cheap that hardly anyone
sending it bothers to do any of this. As a result, the chance that
the receiver is actually interested in the mail is very, very, very
low.
Doesn't the U.S. Constitution guarantee the ability to say whatever
one likes? First, the U.S. Constitution is law only in the U.S., and
the Internet is global. There are places your mail will reach where
free speech is not a given. Second, the U.S. Constitution does NOT
guarantee one the right to say whatever one likes. In general, the
U.S. Constitution refers to political freedom of speech and not to
commercial freedom of speech. Finally, there are laws which govern
other areas of electronic communication, namely the "junk fax" laws.
Although these have yet to be applied to electronic mail they are
still an example of the "curbing" of "free speech." Free speech does
not, in general, require other people to spend their money and
resources to deliver or accept your message.
Most responsible Internet citizens have come to regard unsolicited
mail/posts as "theft of service". Since the recipient must pay for
the service and for the most part the mail/posts are advertisements of
unsolicited "stuff" (products, services, information) those receiving
it believe that the practice of making the recipient pay constitutes
theft.
The crux of sending large amounts of unsolicited mail and news is not
a legal issue so much as an ethical one. If you are tempted to send
unsolicited "information" ask yourself these questions: "Whose
resources is this using?" "Did they consent in advance?" "What would
happen if everybody (or a very large number of people) did this?" "How
would you feel if 90% of the mail you received was advertisements for
stuff you didn't want?" "How would you feel if 95% of the mail you
received was advertisements for stuff you didn't want?" "How would
you feel if 99% of the mail you received was advertisements for stuff
you didn't want?"
Although hard numbers on the volume and rate of increase of spam are
not easy to find, seat-of-the-pants estimates from the people on the
spam mailing list [1] indicate that unsolicited mail/posts seems to be
following the same path of exponential growth as the Internet as a
whole [2]. This is NOT encouraging, as this kind of increase puts a
strain on servers, connections, routers, and the bandwidth of the
Internet as a whole. On a per person basis, unsolicited mail is also
on the increase, and individuals also have to bear the increasing cost
of increasing numbers of unsolicited and unwanted mail. People
interested in hard numbers may want to point their web browsers to
www.junkproof.com where the webmaster there lists the number of spam
messages he has filtered away from his users.
Finally, sending large volumes of unsolicited email or posting
voluminous numbers of Netnews postings is just plain rude. Consider
the following analogy: suppose you discovered a large party going on
in a house on your block. Uninvited, you appear, then join each group
in conversation, force your way in, SHOUT YOUR OPINION (with a
megaphone) of whatever you happen to be thinking about at the time,
drown out all other conversation, then scream "discrimination" when
folks tell you you're being rude.
To continue the party analogy, suppose instead of forcing your way
into each group you stood on the outskirts a while and listened to the
conversation. Then you gradually began to add comments relevant to
the discussion. Then you began to tell people your opinion of the
issues they were discussing; they would probably be less inclined to
look badly on your intrusion. Note that you are still intruding. And
that it would still be considered rude to offer to sell products or
services to the guests even if the products and services were relevant
to the discussion. You are in the wrong venue and you need to find
the right one.
Lots of spammers believe that they can be forgiven their behavior by
beginning their messages with an apology, or by personalizing their
messages with the recipient's real name, or by using a number of
ingratiating techniques. But much like the techniques used by Uriah
Heep in Dickens's _David Copperfield_, these usually have an effect
opposite to the one intended. Poor excuses ("It's not illegal," "This
will be the only message you receive," "This is an ad," "It's easy to
REMOVE yourself from our list") are still excuses. Moreover, they are
likely to make the recipient MORE aggravated rather than less
aggravated.
In particular, there are two very severe problems with believing that
a "remove" feature to stop future mail helps: (1) Careful tests have
been done with sending remove requests for "virgin" email accounts
(that have never been used anywhere else). In over 80% of the cases,
this resulted in a deluge of unsolicited email, although usually from
other sources than the one the remove was sent to. In other words, if
you don't like unsolicited mail, you should think carefully before
using a remove feature because the evidence is that they result in
more mail not less. (2) Even if they did work, it would not stop lots
of new unsolicited email every day from new businesses that hadn't
mailed before.
4a. ACK! I've Been Spammed - Now What?
It's unpleasant to receive mail which you do not want. It's even more
unpleasant if you're paying for connect time to download it. And it's
really unpleasant to receive mail on topics which you find offensive.
Now that you're good and mad, what's an appropriate response?
First, you always have the option to delete it and get on with your
life. This is the easiest and safest response. It does not guarantee
you won't get more of the same in the future, but it does take care of
the current problem.
Second, you may consider sending the mail back to the originator
objecting to your being on the mailing-list, but we recommend against
this. First, a lot of spammers disguise who they are and where their
mail comes from by forging the mail headers. Unless you are very
experienced at reading headers discovering the true origin of the mail
will probably prove difficult. Although you can engage your local
support staff to help you with this, they may have much higher
priorities (such as setting up site-wide filters to prevent spam from
entering the site). Second, responding to this email will simply
verify your address as valid and allow them to sell your address to
other spammers. (As was mentioned above in Section 3). Third, even
if the two previous things do not happen, very probably your mail will
be directed to the bit-bucket!
Certainly we advocate sending mail back to the originator (as best as
you can tell) to let them know you will NOT be buying any products
from them as you object to the method they have chosen to conduct
their business (aka spam).
Next, you can carbon copy or forward the questionable mail messages or
news postings to the postmaster of the offending site. You can do
this by sending mail To: Postmaster@offending-site.example. Good
sites are now using an "abuse" address for people to complain about
spam, so you can send complaints about unsolicited mail and posts to
abuse@offending-site.example. Many organizations which send
unsolicited mail have this address aliased to go nowhere, but it can't
hurt to try.
As mentioned above, much spam uses forged headers, and unless you are
experienced at reading the headers it is hard to tell where the mail
was really sent from. Don't assume that the recipient of your wrath
was involved with or supports the spam. If your message is polite,
often they will help you identify the actual perpetrator. Realize
that they are probably getting a large number of complaints, and if
yours is particularly nice, they may be also, but don't be surprised
if you get a canned response either.
*** IMPORTANT ***
Wherever you send a complaint, be sure to include the full message
headers. (Most mail and news programs don't display the full headers
by default.) For mail it is especially important to show the Received:
headers; for Usenet news, the Path: header, as these normally show the
route by which the mail or news was delivered. Without them, it's
impossible to even begin to tell where the message originated. See
the appendix for an example of a mail header.
Everything above regarding complaints to the offending site can be
applied equally to the Service Provider, if you can determine who
their ISP actually is. This is probably the most effective complaint
you can make: If the Service Provider has Terms and Conditions which
have been violated, they can boot the offender from their network.
Much of the success in fighting the spam war has been the result of
very dedicated people complaining to Internet Service Providers about
offenders. At the very least, the ISP who appears to be their Service
Provider, if not actually, is probably running a mail server without
relay blocks, and is thus an open window for spam. Getting them to
close it will help make it that much harder for spammers to hide.
Your own organization or your local Internet Service Provider may have
the ability to block unwanted mail at their mail relay machines. If
your postmaster wants to know about unsolicited mail, be sure s/he
gets a copy, including headers. You will need to find out the local
policy and comply.
If your personal mailer allows you to write rules, write a rule which
sends mail from the originator of the unwanted mail to the trash.
That way, although you still have to pay to download it, you won't
have to read it!
There is lively and ongoing debate about the validity of changing
one's email address in a Web Browser in order to have Netnews posts
and email look as if it is originating from some spot other than where
it does originate. The reasoning behind this is that web email
address harvesters will not be getting a real address when it
encounters these. There is reason on both sides of this debate: If
you change your address, you will not be as visible to the harvesters,
but if you change your address, real people who need to contact you
will be cut off as well. Also, if you are using the Internet through
an organization such as a company, the company may have policies about
"forging" addresses - even your own! Most people agree that the
consequences of changing your email address on your browser or even in
your mail headers are fairly dangerous and will nearly guarantee your
mail goes into a black hole unless you are very sure you know what you
are doing. (Here there be dragons.)
Finally, DO NOT respond by sending back large volumes of unsolicited
mail. Two wrongs do not make a right; do not become your enemy; and
take it easy on the network.
There is a web site called www.abuse.net which allows you to register,
then send your message to the name of the offending-domain@abuse.net,
which will re-mail your message to the best reporting address for the
offending domain. The site contains good tips for reporting abuse
netnews or email messages. It also has some automated tools you may
download to help you filter your messages. Also check CIAC bulletin
I-005 at:
http://ciac.llnl.gov/ciac/bulletins/i-005a.shtml
or
http://spam.abuse.net/spam/tools/mailblock.html.
Check the Appendix for a detailed explanation of tools and methodology
to use when trying to chase down a spammer.
4b. There's a Spam in My Group!
Netnews is also subject to spamming. Here, several factors help to
mitigate against the propagation of spam in news, although they don't
entirely solve the problem. Newsgroups and mailing lists may be
moderated, which means that a moderator approves all mail/posts. If
this is the case, the moderator usually acts as a filter to remove
unwanted and off-topic posts/mail.
In Netnews, there are programs which detect posts which have been sent
to multiple groups or which detect multiple posts from the same
source to one group. These programs cancel the posts. While these
work and keep unsolicited posts down, they are not 100% effective and
spam in newsgroups seems to be growing at an even faster rate than
spam in mail or on mailing lists. After all, it's much easier to post
to a newsgroup for which there are thousands of readers than it is to
find individual email addresses for all those folks. Hence the
development of the "cancelbots" (sometimes called "cancelmoose") for
Netnews groups. Cancelbots are triggered when one message is sent to
a large number of newsgroups or when many small messages are sent (from
one sender) to the same newsgroup. In general these are tuned to
the "Breidbart Index" [3] which is a somewhat fuzzy measure of the
interactions of the number of posts and number of groups. This is
fuzzy purposefully, so that people will not post a number of messages
just under the index and still "get away with it." And as noted
above, the cancel messages have reached such a volume now that a lot
of News administrators are beginning to write filters rather than send
cancels. Still, spam gets through, so what can a concerned netizen
do?
If there is a group moderator, make sure s/he knows that off-topic
posts are slipping into the group. If there is no moderator, you
could take the same steps for dealing with news as are recommended for
mail with all the same caveats.
5. Help For Beleaguered Admins
As a system administrator, news administrator, local Postmaster, or
mailing-list administrator, your users will come to you for help in
dealing with unwanted mail and posts. First, find out what your
institution's policy is regarding unwanted/unsolicited mail. It is
possible that it won't do anything for you, but it is also possible to
use it to justify blocking a domain which is sending particularly
offensive mail to your users. If you don't have a clear policy, it
would be really useful to create one. If you are a mailing-list
administrator, make sure your mailing-list charter forbids off-topic
posts. If your internal-only newsgroups are getting spammed from the
outside of your institution, you probably have bigger problems than
just spam.
Make sure that your mail and news transports are configured so that
you don't inadvertently contribute to the spam problem. Ensure your
mail and news transports are configured to reject messages injected by
parties outside your domain. Recently misconfigured Netnews servers
have become subject to hijacking by spammers. SMTP source routing
<@relay.host:user@dest.host> is becoming deprecated due to its
overwhelming abuse by spammers. You should configure your mail
transport to reject relayed messages (when neither the sender nor the
recipient are within your domain). Your firewall should prohibit SMTP
(mail) and NNTP (news) connections from clients within your domain to
outside servers. If your firewall is a gateway host that itself
contains an NNTP server ensure that it is configured so it does not
allow access from external sites except your news feeds. If your
firewall acts as a proxy for an external news-server ensure that it
does not accept NNTP connections other than from your internal
network. Both these potential holes have recently been exploited by
spammers. Ensure that messages generated within your domain have
proper identity information in the headers, and users cannot forge
headers. Be sure your headers have all the correct information as
stipulated by RFC 822 [4] and RFC 1123 [5].
If you have the capability (are running a mail transfer agent which
allows it) consider blocking well known offending sites from ever
getting mail into your site. Be careful not to block out sites for
which you run MX records! It is a well-known problem that offenders
create domains more quickly than postmasters can block them. Also,
help your users learn enough about their mailers so that they can
write rules to filter their own mail, or provide rules and kill files
for them to use.
There is information about how to "blackhole" netblocks at
maps.vix.com. There is information about how to configure sendmail
available at www.sendmail.org. Help on these problems is also
available at spam.abuse.net.
Use well-known Internet tools, such as whois and traceroute to find
which ISP is serving your problem site. Notify the postmaster/abuse
address that they have an offender. Be sure to pass on all header
information in your messages to help them with tracking down the
offender. If they have a policy against using their service to post
unsolicited mail they will need more than just your say-so that there
is a problem. Also, the "originating" site may be a victim of the
offender as well. It's not unknown for those sending this kind of
mail to bounce their mail through dial-up accounts, or off unprotected
mail servers at other sites. Use caution in your approach to those
who look like the offender.
News spammers use similar techniques for sending spam to the groups.
They have been known to forge headers and bounce posts off "open" news
machines and remailers to cover their tracks. During the height of
the infamous David Rhodes "Make Money Fast" posts, it was not unheard
of for students to walk away from terminals which were logged in, and
for sneaky folks to then use their accounts to forge posts. Much to
the later embarrassment of both the student and the institution.
One way to lessen problems is to avoid using mail-to URLs, which allow
email addresses to be easily harvested by those institutions grabbing
email addresses off the web. If you need to have an email address
prevalent on a web page, consider using a cgi script to generate the
mailto address.
Participate in mailing lists and news groups which discuss unsolicited
mail/posts and the problems associated with it.
News.admin.net-abuse.misc is probably the most well-known of these.
6. What's an ISP To Do
As an ISP, you first and foremost should decide what your stance
against unsolicited mail and posts should be. If you decide not to
tolerate unsolicited mail, write a clear acceptable use policy which
states your position and delineates consequences for abuse. If you
state that you will not tolerate use of your resource for unsolicited
mail/posts, and that the consequence will be loss of service, you
should be able to cancel offending accounts relatively quickly.
(Verifying, of course, that the account really IS being mis-used.) If
you have downstreaming arrangements with other providers, you should
make sure they are aware of any policy you set. Likewise, you should
be aware of your upstream providers' policies.
Consider limiting access for dialup accounts so they cannot be used by
those who spew. Make sure your mail servers aren't open for mail to
be bounced off them (except for legitimate users). Make sure your
mail transfer agents are the most up-to-date version (which pass
security audits) of the software.
Educate your users about how to react to spew and spewers. Make sure
instructions for writing rules for mailers are clear and available.
Support their efforts to deal with unwanted mail at the local level -
taking some of the burden from your sys admins.
Make sure you have an address for abuse complaints. If complainers
can routinely send mail to "abuse@BigISP.example" and you have someone
assigned to read that mail, workflow will be much smoother. Don't
require people complaining about spam to use some unique local address
for complaints. Read and use 'postmaster' and 'abuse'. We recommend
adherence to RFC 2142, _Mailbox Names for Common Services, Roles and
Functions._ [6].
Finally, write your contracts and terms and conditions in such
language that allows you to suspend service for offenders. Make sure
all your customers sign it before their accounts are activated.
Legally, you may be able to stop spammers and spam relayers, but this
is certainly dependent on the jurisdictions involved. Potentially,
the passing of spam via third party computers, especially if the
headers are forged, could be a criminal action depending on the laws
of the particular jurisdiction(s) involved. If your site is being
used as a spam relay, be sure to contact local and national criminal
law enforcement agencies. Site operators may also want to consider
the bringing of civil actions against the spammer for expropriation of
property, in particular the computer time and network bandwidth. In
addition, when a mailing list is involved, there is a potential
intellectual property rights violation.
There are a few lawsuits in the courts now which claim spammers
interfered with and endangered network connectivity. At least one
company is attempting to charge spammers for the use of its networks
(www.kclink.com/spam/).
7. Security
Certain actions to stop spamming may cause problems to legitimate
users of the net. There is a risk that filters to stop spamming will
unintentionally stop legitimate mail too. Overloading postmasters with
complaints about spamming may cause trouble to the wrong person,
someone who is not responsible for and cannot do anything to avoid the
spamming activity, or it may cause trouble out of proportion to the
abuse you are complaining about. Be sure to exercise discretion and
good judgment in all these cases. Check your local escalation
procedure. The Site Security Handbook [2] can help define an
escalation procedure if your site does not have one defined.
Lower levels of network security interact with the ability to trace
spam via logs or message headers. Measures to stop various sorts of
DNS and IP spoofing can make this information more reliable. Spammers
can and will exploit obvious security weaknesses, especially in NNTP
servers. This can lead to denial of service, either from the sheer
volume of posts, or as a result of action taken by upstream providers.
8. Acknowledgements
Thanks for help from the IETF-RUN working group, and also to all the
spew-fighters. Specific thanks are due to J.D. Falk, whose very
helpful Anti-spam FAQ proved helpful. Thanks are also due to the
vigilance of Scott Hazen Mueller and Paul Vixie, who run
spam.abuse.net/, the Anti-spam web site. Thanks also to Jacob Palme,
Chip Rosenthal, Karl Auerbach for specific text: Jacob for the
Security Considerations section, Chip for the configuration
suggestions in section 5, Karl for the legal considerations. Andrew
Gierth was very helpful with Netnews spam considerations.
9. Appendix - How to Track Down Spammers
In a large proportion of spams today, complaining to the postmaster of
the site that is the apparent sender of a message will have little
effect because either the headers are forged to disguise the source
of the message, or the sender of the message runs their own
system/domain, or both.
As a result, it may be necessary to look carefully at the headers of a
message to see what parts are most reliable, and/or to complain to the
second or third-level Internet providers who provide Internet service
to a problem domain.
In many cases, getting reports with full headers from various
recipients of a spam can help locate the source. In extreme cases of
header forgery, only examination of logs on multiple systems can trace
the source of a message.
With only one message in hand, one has to make an educated guess as to
the source. The following are only rough guidelines.
In the case of mail messages, "Received:" headers added by systems
under control of the destination organization are most likely to be
reliable. You can't trust what the source domain calls itself, but you
can usually use the source IP address since that is determined by the
destination domain's server.
In naive mail forgeries, the "Message-ID:" header may show the first
SMTP server to handle the message and/or the "Received:" headers may
all be accurate, but neither can be relied on. Be especially wary
when the Received: headers have other headers intermixed. Normally,
Received: headers are all together in a block, and when split up, one
or the other block is probably forged.
In the case of news messages, some part of the Path: header may be a
forgery; only reports from multiple sites can make this clear. In
naive news forgeries, the "NNTP-Posting-Host:" header shows the actual
source, but this can be forged too.
If a spam message advertises an Internet server like a WWW site, that
server must be connected to the network to be usable. Therefore that
address can be traced. It is appropriate to complain to the ISP
hosting a web site advertised in a spam, even if the origin of the
spam seems to be elsewhere. Be aware, however, that the spam could also
be an attack on the advertised site: the perpetrator knows the site will
get deluged with complaints and its reputation will be damaged. Any
spam with an electronic address in it is suspect because most spammers
know they're unwelcome and won't make themselves so readily
accessible.
Some other "seat-of-the-pants" ways to tell if headers are forged: it
has an X-pmflags: header; it has an X-Advertisement: header; it has a
Comments: header with the string "Authenticated sender is"; it has a
NULL Message-ID: (i.e. <>).
Here is a sample mail header:
----
From friendlymail@209.214.12.258.com Thu Feb 26 20:32:47 1998
Received: from clio.sc.intel.com by Ludwig.sc.intel.com (4.1/SMI-4.1)
        id AA05377; Thu, 26 Feb 98 20:32:46 PST
Received: from 209.214.12.258.com (209.214.12.258.com [208.26.102.16])
        by clio.sc.intel.com (8.8.6/8.8.5) with ESMTP id UAA29637
        for ; Thu, 26 Feb 1998 20:33:30 -0800 (PST)
Received: ok
X-Sender: promo1@gotosportsbook.com
X-Advertisement: Click here to be removed.
Date: Thu, 26 Feb 1998 23:23:03 -0500
From: Sent By
Reply-To: Sent By
To: friend@bulkmailer
Subject: Ad: FREE $50 in Sportsbook & Casino
X-Mailer: AK-Mail 3.0b [eng] (unregistered)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: friendlymail@aqua.258.com
Message-Id:
Status: R
----
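The header checks described in this appendix, applied to a message like the sample above, as an added Python example that is not part of the original draft. The `analyze` function, its finding labels, the set of trusted host names, and the filled-in `for` address and `<>` Message-Id in the input are assumptions made for the illustration.

```python
import re
from email.parser import HeaderParser

# Constructed input modelled on the draft's sample header; the "for" address
# and the "<>" Message-Id are filled-in placeholders, not values from the draft.
SAMPLE = (
    "Received: from clio.sc.intel.com by Ludwig.sc.intel.com (4.1/SMI-4.1)\n"
    "\tid AA05377; Thu, 26 Feb 98 20:32:46 PST\n"
    "Received: from 209.214.12.258.com (209.214.12.258.com [208.26.102.16])\n"
    "\tby clio.sc.intel.com (8.8.6/8.8.5) with ESMTP id UAA29637\n"
    "\tfor <user@example.com>; Thu, 26 Feb 1998 20:33:30 -0800 (PST)\n"
    "Received: ok\n"
    "X-Sender: promo1@gotosportsbook.com\n"
    "X-Advertisement: Click here to be removed.\n"
    "Date: Thu, 26 Feb 1998 23:23:03 -0500\n"
    "To: friend@bulkmailer\n"
    "Message-Id: <>\n"
    "\n"
)
OUR_HOSTS = {"ludwig.sc.intel.com", "clio.sc.intel.com"}  # destination's servers

BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze(raw, trusted_hosts):
    """Apply the appendix's rules of thumb to one message's raw headers."""
    msg = HeaderParser().parsestr(raw)
    names = [n.lower() for n in msg.keys()]      # order and duplicates kept
    findings = []
    # Received: headers normally form one block; a split suggests forgery.
    pos = [i for i, n in enumerate(names) if n == "received"]
    if pos and pos[-1] - pos[0] + 1 != len(pos):
        findings.append("received-split")
    findings += [h for h in ("x-pmflags", "x-advertisement") if h in names]
    if "authenticated sender is" in (msg.get("Comments") or "").lower():
        findings.append("comments-authenticated-sender")
    if "message-id" in names and msg["Message-ID"].strip() in ("", "<>"):
        findings.append("null-message-id")
    # Walk Received: newest first; trust only hops stamped by our own hosts.
    # The oldest trusted hop recorded the peer IP that handed us the message.
    source_ip = None
    for hop in msg.get_all("Received", []):
        by = BY_HOST.search(hop)
        if not by or by.group(1).lower() not in trusted_hosts:
            break                                # everything older is unverified
        ip = PEER_IP.search(hop)
        source_ip = ip.group(1) if ip else None
    return {"source_ip": source_ip, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE, OUR_HOSTS))
```

A forger can insert a Received: line that names one of your hosts, so confirm the boundary hop against that server's own logs before acting on the address.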
Doing a traceroute on an IP address or DNS address will show what
domains provide IP connectivity from you to that address.
Using whois and nslookup, one can try to determine who is
administratively responsible for a domain.
In simple cases, a user of a responsible site may be exploiting an
account or a weakness in dial-up security; in those cases a complaint
to a single site may be sufficient. However, it may be appropriate to
complain to more than one domain, especially when it looks like the
spammer runs their own system.
If you look at the traceroute to an address, you will normally see a
series of domains between you and that address, with one or more
wide-area/national Internet Service Providers in the middle and "smaller"
networks/domains on either end. It may be appropriate to
complain to the domains nearer the source, up to and including the
closest wide-area ISP. However, this is a judgement call.
If an intermediate site appears to be a known, responsible domain,
stopping your complaints at this point makes sense.
10. References
[1] As reported in messages on the spam@zorch.sf.bay.org (private)
mailing list in May, 1997.
[2] Fraser, B. _Site Security Handbook, RFC 2196_,
Sepetember 1997. Available via anonymous ftp at
ftp://ds.internic.net/rfc/rfc2196.txt
[3] _Current Spam thresholds and guidelines_. Lewis, Chris and Tim Skirvin.
http:www.uiuc.edu/~tskirvin/spam.html.
[4] Crocker, D. _Standard for the format of ARPA Internet
text messages; RFC 0822,_ August, 1982. Available via anonymous
ftp at: ftp://ds.internic.net/rfc/rfc822.txt.
[5] Braden, R.T. _Requirements for Internet hosts - application
and support; RFC 1123,_ October, 1989. Available via anonymous
ftp at: ftp://ds.internic.net/rfc/rfc1123.txt.
[6] Crocker, D. _Mailbox Names for Common Services, Roles
and Functions; RFC 2142,_ May, 1997. Available via anonymous
ftp at: ftp://ds.internic.net/rfc/rfc2142.txt.
Authors' Addresses
Sally Hambridge
Intel Corp, SC11-321
2200 Mission College blvd
Santa Clara, CA 95052
sallyh@ludwig.sc.intel.com
Albert Lunde
Northwestern University
2129 Campus Drive North
Evanston, IL 60208
Albert-Lunde@nwu.edu
* Spam is a name of a meat product made by Hormel. "spam" (no
capitalization) is routinely used to describe unsolicited bulk email and
netnews posts.