How to fight junk email (was: SPAM and Virus at kampi ?)

Peter Gerwinski peter at gerwinski.de
Fri Dec 18 15:15:10 CET 1998


Hello, everybody!

Sorry for this long off-topic email.  It contains an explanation
where and how to complain about junk email.

With the help of all of us, we might be able to get the GPC
mailing list clean again.

Maurice Lombardi wrote:
> For a couple of weeks I have been receiving SPAM mail (with SNN in the subject).

So do I - and probably all on this list. :-(

> Sender and Dest are bogus, and change each time. But the mail is always
> relayed through santra.hut.fi, which I suppose is the gateway of
> kampi.hut.fi (IP numbers are 130.233.224.2 for kampi and 130.233.224.2
> for santra).

According to `host santra.hut.fi', santra has 130.233.224.1.

> I suppose also that they had my mail address in the mailing
> list or ftp list of kampi.

I am pretty sure that it is much simpler than that:  They
send their spam directly to the list's address, `gpc at hut.fi'.
Santra, being a good list server, delivers the junk to all
subscribers.

> As usual they say that if you want to
> unsubscribe you have to send a message to some address, which is also
> bogus and changes each time. I replied the first time, so I receive
> a couple of messages each time.

Then probably only a part of it comes from santra, and you
are getting the rest directly from the spammer.  :-(
Congratulations.  :-( :-(

> Now kampi seems permanently down (not
> replying to ping), while santra is on. Maybe they are aware of that and
> are down for this reason. If you know somebody there, you could give
> them these explanations to help them to fight. But a phone call is more
> appropriate than an e-mail !!

I hope that this is not necessary because Juki (who administers
kampi as well as santra) gets this email, too.  Anyway, the junk
mail is probably *not* due to a configuration problem in Finland
but due to the address `gpc at hut.fi' being in some spammer's
address list.  :-(

If the spam were always coming from the same address, Juki could
block email from there.  Unfortunately, this is not the case.  :-(

Okay, so what *can* we do against this?

According to a header analysis, the _actual_ relay is not
santra, but some third party's host somewhere in Japan.
Complaining to the administrator of that host can result in
positive action:

  * If the host is being misused as a relay, its admin can fix
    its broken MTA and disable the relay function.

  * If the spam originates from that host, the admin can take
    direct action against the abusive user.

I have been complaining about *each* junk mail I get for about
two years now (about two each day), and about every third or
fourth of my complaints resulted at least in some answer that
"something" is being done about the issue.  :-]  It also
happened that some admin replied with unfriendly words, but
that's an exception.  (If this happens, one can go one step
further and complain to his upstream provider. ;-)

*How* to do this?

First, you need the full headers of the spam.  How to get them
depends on your mail user agent.  (With `elm' or `mutt',
pressing `h' has this effect.)

A detailed analysis of the two most recent issues follows.  It
is long, but don't worry:  The interesting part consists of only
two lines, marked by "***".  The rest only serves to explain how
to find those lines.

8< -------------------------------------------------------------

From gpc-request at santra.hut.fi  Fri Dec 18 12:36:38 1998

  ^ This is the "envelope From" and can easily be faked.
    You can trust this line only if you know the host in
    question and you know a reason why you get email from
    there - which is the case here.

Received: (from uucp at localhost)
	by esmeralda.gerwinski.de (8.8.8/8.8.8) with UUCP id MAA00218
	for peter at esmeralda; Fri, 18 Dec 1998 12:36:35 +0100

  ^ This line - the last "Received" line - was generated by the
    host I am reading the mail on.  Since this host belongs to
    me, I can trust it.

Received: (qmail 13398 invoked from network); 18 Dec 1998 08:02:21 -0000
Received: from agnes.dida.physik.uni-essen.de (root at 132.252.78.226)
  by tim.gerwinski.de with SMTP; 18 Dec 1998 08:02:21 -0000

  ^ These lines are generated by my own mail server, tim.gerwinski.de,
    who received this email from root at 132.252.78.226, claiming to be
    agnes.dida.physik.uni-essen.de.  Since 132.252.78.226 *is*
    agnes.dida.physik.uni-essen.de and belongs to me, this information
    can be trusted.

Received: from sp2.power.uni-essen.de (spf109.power.uni-essen.de [132.252.180.9])
	by agnes.dida.physik.uni-essen.de (8.8.8/8.8.8) with ESMTP id JAA21186
	for <peter at agnes.dida.physik.uni-essen.de>; Fri, 18 Dec 1998 09:10:37 +0100

  ^ Generated by Agnes (--> can be trusted) who received this
    email from spf109.power.uni-essen.de, claiming to be
    sp2.power.uni-essen.de - which is okay.  I know this host.

Received: from uni-essen.de (aixrs5f.hrz.uni-essen.de [132.252.180.229]) by sp2.power.uni-essen.de (8.8.8/8.7) with ESMTP id JAA50540 for <phy0a0 at sp2.power.uni-essen.de>; Fri, 18 Dec 1998 09:03:25 +0100

  ^ Generated by sp2.power.uni-essen.de who received this email
    from aixrs5f.hrz.uni-essen.de, claiming to be uni-essen.de
    - which is okay since that host is the mail server of the
    University of Essen.

Received: from santra.hut.fi (santra.hut.fi [130.233.224.1]) by uni-essen.de (8.8.5/8.7) with ESMTP id IAA36432 for <peter.gerwinski at uni-essen.de>; Fri, 18 Dec 1998 08:59:59 +0100

  ^ Generated by the mail server of the University of Essen who
    received this email from santra.hut.fi (whom we trust since
    it belongs to Juki:-), claiming to be santra.hut.fi.
    No contradiction.

    Now the interesting part comes.

Received: from nst.docomosentu.co.jp (nst.docomosentu.co.jp [210.164.206.18])
	by santra.hut.fi (8.9.1a/8.9.1) with ESMTP id JAA22435;
	Fri, 18 Dec 1998 09:55:22 +0200 (EET)

   ^ *** Generated by santra.hut.fi who received this email from
     *** nst.docomosentu.co.jp, claiming to be itself.  Since a
     *** spammer normally would at least try to hide his identity,
     *** this host probably belongs to a third-party victim and
     *** is abused as a relay.  A complaint should go to
     *** docomosentu.co.jp, suggesting that they fix their open
     *** relay.

From: salu8 at webwork.co.jp

   ^ This line has been generated by the spammer's mailing
     program and isn't worth its bits.

Received: from nst.docomosentu.co.jp (localhost.docomosentu.co.jp [127.0.0.1])
          by nst.docomosentu.co.jp (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP
	  id QAA05121; Fri, 18 Dec 1998 16:54:36 +0900

   ^ *** This line was generated by nst.docomosentu.co.jp.
     *** Since this host probably is a victim, not the abuser, it
     *** might be correct.  It indicates that nst.docomosentu.co.jp
     *** got the email from itself (localhost [127.0.0.1]) and that
     *** the spammer had in fact an account on this host.  The
     *** complaint should be reformulated to take this possibility
     *** into account.

Received: from 207.225.207.125 by nst.docomosentu.co.jp (InterScan E-Mail VirusWall NT)

   ^ This line was generated by nst.docomosentu.co.jp - either
     by the mail transport agent or by the spammer.  We should
     not trust it too much, but `host 207.225.207.125' yields
     adsl125.slkc.uswest.net, so one might consider sending
     another complaint to slkc.uswest.net, that maybe someone
     is abusing their host to send junk mail to Japan (and from
     there to Finland and the whole world).  But maybe not:  If
     the spammer really had an account on nst.docomosentu.co.jp,
     his mailing program may have produced (faked) this line.

     It is common practice for spamming programs to add a big
     number of additional "Received:" lines here just to confuse
     people doing a header analysis.  For this reason, it is
     important to keep track of how far down the "Received:"
     information can be trusted.  Everything after the first
     "trust gap" is probably faked; everything before can
     contain important information.

Date: Fri, 18 Dec 98 00:01:55 EST
To: pol90 at worldnet.att.net
Subject: SNN ALERT
Message-ID: <359DFE77.4AC9 at erols.com>
Content-Length: 521
Lines: 30

    ^ These lines have been generated by the spammer's mailing
      program.  Looking at them is a waste of time.

      Now the content comes.

[...]

The full text of the release can be viewed at:
http://biz.yahoo.com/bw/981217/nuoncology_1.html

    ^ It might make sense to complain to yahoo.com, so they can
      close that site.  But since the owner of the site can
      always claim not to have anything to do with the junk
      mail, this is not a very promising option.

To be removed as a SNN subscriber please put 'delete'
in the subject of an empty e-mail and send it to:

4621 at usa.net

    ^ Maurice has already told us what this information is
      worth.  :-(  What makes sense is to complain to usa.net,
      so they can close that account.

8< -------------------------------------------------------------

Okay, that was the long form of the header analysis.  Since we
have two current junk mails, I am using the second one to give
a short review of all this.

Note:  Up to now I only have shown how to find out *where* to
complain.  See below for *how* to complain.

8< -------------------------------------------------------------

From gpc-request at santra.hut.fi  Fri Dec 18 12:36:27 1998
Received: (from uucp at localhost)
	by esmeralda.gerwinski.de (8.8.8/8.8.8) with UUCP id MAA00210
	for peter at esmeralda; Fri, 18 Dec 1998 12:36:24 +0100
Received: (qmail 13336 invoked from network); 18 Dec 1998 07:20:36 -0000
Received: from agnes.dida.physik.uni-essen.de (root at 132.252.78.226)
  by tim.gerwinski.de with SMTP; 18 Dec 1998 07:20:36 -0000
Received: from sp2.power.uni-essen.de (spf109.power.uni-essen.de [132.252.180.9])
	by agnes.dida.physik.uni-essen.de (8.8.8/8.8.8) with ESMTP id IAA21129
	for <peter at agnes.dida.physik.uni-essen.de>; Fri, 18 Dec 1998 08:29:02 +0100
Received: from uni-essen.de (aixrs5f.hrz.uni-essen.de [132.252.180.229]) by sp2.power.uni-essen.de (8.8.8/8.7) with ESMTP id IAA157898 for <phy0a0 at sp2.power.uni-essen.de>; Fri, 18 Dec 1998 08:21:50 +0100
Received: from santra.hut.fi (santra.hut.fi [130.233.224.1]) by uni-essen.de (8.8.5/8.7) with ESMTP id IAA29066 for <peter.gerwinski at uni-essen.de>; Fri, 18 Dec 1998 08:18:24 +0100
Received: from grape.pineapple.co.jp (grape.pineapple.co.jp [210.159.8.7])
	by santra.hut.fi (8.9.1a/8.9.1) with ESMTP id JAA20233;
	Fri, 18 Dec 1998 09:15:39 +0200 (EET)

    ^ Santra got this email from grape.pineapple.co.jp which
      is not trying to fake its identity.  Complain to
      pineapple.co.jp, so they can close their open relay.

From: salu8 at webwork.co.jp

    ^ faked

Received: from [210.159.8.7] ([207.225.207.125]) by grape.pineapple.co.jp
          (Post.Office MTA v3.1.2 release (PO205-101c)
          ID# 0-40494U700L100S0) with SMTP id ACR146;
          Fri, 18 Dec 1998 15:31:18 +0900

    ^ Probably grape.pineapple.co.jp got this email from
      207.225.207.125 (= adsl125.slkc.uswest.net), claiming
      to be 210.159.8.7.  Complain to slkc.uswest.net that
      they are hosting a junk mailer at the (nameless) host
      207.225.207.125.

Date: Thu, 17 Dec 98 23:30:36 EST
To: pol90 at worldnet.att.net
Subject: SNN ALERT
Message-ID: <359DFE77.4AC9 at erols.com>
Content-Length: 521
Lines: 30

    ^ faked

[Content ...]

    ^ see above

8< -------------------------------------------------------------

Interesting:  From this second header it is much clearer that
207.225.207.125 = adsl125.slkc.uswest.net is involved in this
case than from the first one.
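The walk down the "Received:" chain shown above can be automated.  The following Python script is an added example, not part of Peter's message: it treats hops written by your own MTAs as trusted, takes the host that handed the mail to the last of them as the relay to complain about, and marks the first hop whose "by" host is not the one the previous hop received from as the trust gap.  All host names and addresses in the sample headers are constructed.

```python
import email, re

# Received: from <claimed HELO name> (<rDNS name or [IP] the receiver saw>) ... by <receiving MTA>
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s*(?:\((?P<seen>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)

def received_hops(raw):
    """Received hops newest-first; trace lines without 'from ... by' (e.g. qmail's) are skipped."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            seen = (m["seen"] or "").split()   # what the receiving MTA itself observed
            hops.append({"claimed": m["claimed"].lower(),
                         "seen": seen[0].lower() if seen else "",
                         "by": m["by"].lower()})
    return hops

def analyse(hops, trusted):
    """Walk the chain top-down: hops written by our own MTAs are trusted, and the host that
    handed the mail to the last of them is the relay to complain to. Below that, a hop is
    plausible only if written by the host the previous hop received from; the first
    mismatch is the trust gap, and it and everything after it may be forged."""
    result = {"relay": None, "gap_at": None, "plausible": []}
    i = 0
    while i < len(hops) and hops[i]["by"] in trusted:
        i += 1
    if i == 0:
        return result                      # no hop we can trust: nothing to analyse
    result["relay"] = hops[i - 1]["seen"] or hops[i - 1]["claimed"]
    expected = {hops[i - 1]["seen"], hops[i - 1]["claimed"]} - {""}
    for hop in hops[i:]:
        if hop["by"] not in expected:
            result["gap_at"] = i
            break
        result["plausible"].append(hop)
        expected = {hop["seen"], hop["claimed"]} - {""}
        i += 1
    return result

# Constructed header extract: hosts and addresses are made up for this example.
SAMPLE = """\
Received: from list.example.org (list.example.org [192.0.2.10])
    by mail.mydomain.example (8.9.1/8.9.1) with ESMTP id ABC123; Fri, 18 Dec 1998 09:00:00 +0100
Received: from relay.example.jp (relay.example.jp [198.51.100.7])
    by list.example.org (8.9.1a/8.9.1) with ESMTP id XYZ789; Fri, 18 Dec 1998 08:55:00 +0200
From: nobody@forged.example
Received: from [198.51.100.7] ([203.0.113.45]) by relay.example.jp with SMTP id R1
Received: from mail.bigisp.example (mail.bigisp.example [203.0.113.1]) by mx.elsewhere.example id F1
"""
TRUSTED = {"mail.mydomain.example", "list.example.org"}
```

Running `analyse(received_hops(SAMPLE), TRUSTED)` names relay.example.jp as the relay, accepts the hop written by it (which received the mail from [203.0.113.45]) as plausible, and flags the last "Received:" line as the trust gap because its "by" host never appears as a sender earlier in the chain.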

Okay, now *how* to complain?

According to the RFC standards, each domain that can receive
email must have a "postmaster" account to which problems with
email can be reported.  In addition, one should have an "abuse"
account, specifically to report abusive emails originating from
that domain.  So it is a good choice to send a complaint to
postmaster at slkc.uswest.net and abuse at slkc.uswest.net - and
postmaster at uswest.net and abuse at uswest.net if slkc is just
a department and not a separate organization.

There is a service "abuse.net" to simplify this:  If you send
your complaint to uswest.net at abuse.net, it will be delivered
to the correct abuse address.  You will have to register before
you can use the "abuse.net" service; see http://spam.abuse.net.

It is important to include full headers in the complaint, so
they can do their own header analysis.

Now, what to write?

I am using the following shell script to formulate a complaint:

8< ---- shell script: `junk' -----------------------------------

#!/bin/sh
# Start the complaint with the preformulated text in abuse.mail.
cp abuse.mail junk.mail
# Append the junk mail piped in on stdin (with full headers), dropping
# only the mail reader's own "Status:" line.
grep -v "^Status:" >> junk.mail

8< ---- end of shell script ------------------------------------

It refers to the following preformulated mail:

8< ---- preformulated mail: `abuse.mail' -----------------------

Hello,

I just received unsolicited bulk email (UBE) originating from
or relayed through a host under your responsibility (see the
headers below).  Please take appropriate action.

Regards,

    Peter Gerwinski

8< ---- Extract from the UBE follows -----------------------------------------

8< ---- end of preformulated mail ------------------------------

Piping the email through it (press `|' in `elm' or `mutt') will
simply prepend the preformulated complaint `abuse.mail' to the
email (with full headers), remove the unimportant header line
"Status:" and save the result in a file `junk.mail'.  When
I send the complaint, I do the header analysis and determine the
recipient from that file.  With some practice, this takes me
around ten seconds per junk mail.

I hope that these hints will help you to react adequately to
the junk mail you get and will finally help us all to keep the
Internet usable.

More information can be found at http://spam.abuse.net/ and
http://maps.vix.com/ .

Greetings,

    Peter

-- 
Peter Gerwinski, Essen, Germany, http://home.pages.de/~Peter.Gerwinski/
Maintainer GNU Pascal - http://home.pages.de/~GNU-Pascal/ - gpc-980830
  PGP key on request - 6C 94 45 BE 28 A4 96 - 0E CC E9 12 47 25 82 75
Fight the SPAM and UBE! - http://spam.abuse.net/ - http://maps.vix.com/