Blue Moon
Fights Spam
on the Internet

You are Visitor # to this page

Last Update: Wednesday, 28-Dec-2005 12:13:16 EST

---

Have you turned on Spam Filtering for your Blue Moon Account?
Click Here to Turn It On!

Nobody likes junk mail, well almost nobody!

The fight against SPAM (Unsolicted Commercial E-Mail or UCE) starts with the recipient. We don't want the government to regulate our comings and goings on the internet and we certainly don't want Big Brother (is Bill Gates, AOL or the government Big Brother?!?!) watching our every move.


It is a responsibility all of us must accept and devote some time to. At the Blue Moon we try to protect our customers from receiving scads of UCE. SPAM Mail is becoming big business and SPAM vendors are using ever more sophisticated methods of jamming that unwanted mail into your mailbox. In order to be able to surf the net relatively unmolested by this increasing nuisance, you, the customer, need to be armed with the knowledge necessary to discourage the purveyors of SPAM from dropping further unwanted junk mail into your E-Mail box.


We go to great lengths and spend many hours per week working on our spam filters so that mail you want gets to you and the mail you don't want disappears silently. Our spam filtering is very sophisticated and we have been developing it in-house for over 5 years.


You can check a list of known contact addresses for many domains Here which can be useful for reporting abuses to the correct place without playing email tag :)


Check Here for information on viewing the full headers of email sent to you.


Most SPAM has a forged "From:" address. This means you CANNOT reply to that address, the mail just bounces right back to your box markes as "Undeliverable." Many times a novice spammer will still leave clues as to where their unwanted message originated from. Many mail clients have an option to display a "full header" or "rich header" which shows the mail server relay path the mail has taken to reach your mailbox. I use "pine" to read mail from the shell account rather than use a PPP connection with a POP client. Pine has an "h" command to turn full header display on. In Netscape you can view the "source" to the current message from the "View" menu. This will sometimes display more information from the header. Many EMail clients have a "full header" or "rich header" option to display more about the origin of the mail, contact the EMail client's support staff if you can't find it in yours. If that feature isn't available in the client you use now we recommend changing EMail programs.


Our mail server (net.bluemoon.net) will leave its mail signature in the header of the mail as we are final relay before it lands in your box. One of the ways spammers try to hide their identity is by relaying mail through several servers, most of which they have no right to use. Some call this "hijacking" mail servers to do their dirty work. A more recent tactic of the spammers is to use viruses (no, viri and virii are not the plural of virus) to infect as many people's computers as possible and then hijack them to send out spam. It is my belief that most of the new viruses are specifically designed for sending spam.


When I receive SPAM I examine the header to see what servers the mail came from. I then forward the spam mail to "abuse@" and "postmaster@" whatever domain sent or relayed the email. The topmost "Received: from" header will show the last IP address and hostname of the computer which sent the mail to our mail server, that's the offender we are interested in and not the visible "From:" line of the email as that was almost surely a forgery. If I receive no reply from either address or the mail bounces back to me as undeliverable I will add the relay domain or ip address to one of the SPAM filters, whichever one is most appropriate, which should deny any further mail of that type or from the offending network. If something smells fishy to me I will do host lookups on the entire class C (/24) address block of the offending server and if it turns out to be a "Spamhaus" operation I will block all the domain names listed and the IP address block from sending us email. I have found literally tens of thousands of spam domains and address blocks this way and usually find 100 to 1000 new ones every week. This can be sticky business. You don't want to cut large groups of people off from being able to correspond with their friends. That would defeat the purpose of the internet! Obviously filtering all mail from aol.com is not practical (and that's one of the reasons many spammers forge the "From:" line as being from some_spammer@aol.com) and would prevent a huge number of people from corresponding with each other. I can't cut them off, BUT, I can bounce copies of that mail to postmaster@aol.com and abuse@aol.com. Of course AOL is notorious for ignoring spam complaints, but that is another subject. If they only relayed the mail through AOL's mail servers then AOL has a responsibility to do everything reasonable to prevent the spammers from hijacking their mail servers for spamming. If someone manages to relay spam through our mail server I sure want to know about it and you can bet I'll beat my brains out until I find a way to prevent that method from being used again. If someone from our domain spams people on the net you can bet they won't have access to our network ever again. We have terminated both personal account and business account holders for spamming and I'm sure we'll be forced to do that again.


Back to what you can do.


Send a copy of the spam to postmaster@ and abuse@ the domains you received it from. If you don't get a reply that the problem will be looked into (many sites have auto-responders for abuse@ and postmaster@) after 24 hours or so then consider using the Spam Reporting feature at http://www.spamcop.net/ which is also a great place to learn more about fighting spam. If it appears to be some chronic spammer then by all means drop some mail to SpamReport -AT- bluemoon.net with a copy of the spam mail including the FULL headers. We'll look into it and if the domain is a spam factory we'll block it as many ways as we can. I believe it is the duty of each of our network's clients to notify every admin of every domain and backbone network used to convey that unwanted spam mail to our mailboxes.


Please do not send SPAM mail directly to our staff without first trying to resolve the issue yourself. We just don't have the time to chase down every spammer there's too much spam to fight! We also cannot do anything about spam mail forwarded to us which does not include all of the header information showing which servers forwarded it to us. Any email program worth its salt has the option to "show full headers" or "show all headers" which provides the nesessary information for tracking. Due to the volume of junk mail out there we are not able to reply to forwarded spam which does not originate on our network, but if the full header is included we will look into it. Check Here for information on viewing the full headers of email sent to you.


Two powerful tools you can use to trace the path of responsibility are "whois" and "traceroute" which is called "tracert" on win95/98 machines. The whois service will report the contact email addresses and domain servers used for the domain in question. Traceroute will show each connection used to reach a host on the internet. Another neat trick is using telnet to open a session to a mail host for a domain on port 25 which is the SMTP mail port and using the VRFY command to attempt to verify a valid email request. Many servers won't let you do that anymore, we don't allow it on our mail server and went to some trouble to hack the server code to block it. If "VRFY username" doesn't work, just close the connection or type QUIT to have their server close the connection. This isn't illegal, don't worry, it's just talking directly to a mail server in the language of SMTP.


Here is the raw header of some spam mail I received recently:


Received: from mail.goodnet.com (mail.goodnet.com [207.98.129.2]) by
net.bluemoon.net (8.8.5-r-ANTI-SPAM/8.8.5) with ESMTP id BAA25058 for
; Wed, 6 Aug 1997 01:15:37 -0400 (EDT)
From: jewelry@uspronet.com
Received: from uspronet.com (phx-ts16-17.goodnet.com [207.98.132.242])
        by mail.goodnet.com (8.8.6/8.8.6) with SMTP id WAA07433;
        Tue, 5 Aug 1997 22:06:39 -0700 (MST)
Date: Tue, 5 Aug 1997 22:06:39 -0700 (MST)
Message-Id: <199708060506.WAA07433@mail.goodnet.com>
To: jewelry@uspronet.com
Subject: Monthly special




Let's go through the process of determining responsibility for this mail and taking appropriate measures to express our displeasure at being spammed.


The first part of the mail shows our server receiving the mail from one of goodnet's servers. The "for <root@bogus-bluemoon.net>" shows it was specifically sent to my box. The "From:" field shows it was intended to appear to be from jewelry@uspronet.com, lets see if we can find out if that's a valid address:


BlueMoon 1> telnet uspronet.com 25
Trying 207.159.136.23...
Connected to uspronet.com.
Escape character is '^]'.
220 uspronet.com ESMTP Sendmail 8.8.5 ready at 
Sat, 16 Aug 1997 10:56:26 -0600 (MDT)
VRFY jewelry
250 <jewelry@uspronet.com>
quit
221 uspronet.com closing connection
Connection closed by foreign host.
BlueMoon 2> 




uspronet says jewelry is a valid user name which means you can send their spam right back at them. Don't send 1000 pieces of it back in their face, they'll just delete them and maybe harass us because you spammed them (typical!) when one piece of forwarded mail to their address as well as carbon copies (CC) to abuse@uspronet.com and postmaster@uspronet expressing your great displeasure at being the target of their junk mail will get the point across that they have made an enemy and not a potential sale.


Let's pretend that the user name "jewelry" isn't a valid mail address at uspronet or that the VRFY wouldn't tell us if it was. Mail abuse and postmaster there right off the bat. We also know they used goodnet's mail server to relay it so mail abuse and postmaster@goodnet.net at the same time. Now it is time to see exactly how the mail comes and goes to "uspronet.com" by using "traceroute" or win95's "tracert" utility:


BlueMoon 1> traceroute uspronet.com
traceroute to uspronet.com (207.159.136.23), 30 hops max, 40 byte packets
 1  gatekeeper (63.237.147.2)  1 ms  1 ms  1 ms
 2  uunet (157.130.1.101)  8 ms  10 ms  6 ms
 3  120.Hssi1-0.CR2.CLE1.Alter.Net (137.39.31.62)  10 ms  12 ms  12 ms
 4  119.Hssi4-0.CR2.SEA1.Alter.Net (137.39.58.194)  126 ms  526 ms  443 ms
 5  Fddi1-0.GW2.SEA1.Alter.Net (137.39.42.194)  68 ms  69 ms  69 ms
 6  lightrealm-gw.customer.ALTER.NET (157.130.176.50)  72 ms  69 ms  73 ms
 7  sea-border1-f41.lightrealm.net (207.159.128.17)  72 ms  70 ms  93 ms
 8  uspronet.com (207.159.136.23)  72 ms  72 ms  71 ms
BlueMoon 2>

"gatekeeper" is one of our routers. "uunet" was one of our connections to the backbone. Alter.Net is a part of UUNet's backbone. I have never heard of any backbone named "lightrealm.net" and that's the first hop off UUNet's backbone so it is a safe assumption to make that lightrealm who obviously provides services to uspronet uses UUNet for their services. Bam, add abuse@lightrealm.net, postmaster@lightrealm.net, abuse@uu.net and postmaster@uu.net to a list of carbon copy recipients of your spam mail response. Each of those networks has a duty to impress upon their customers the necessity of adhering to an acceptable use policy. They may act like you are bothering them, but hey, THEY allowed their customer to SPAM YOU! You can bet your bippy that they'll pay more attention to who they sell connections to and what those people do with those connections if a million or people a year forward their customer's SPAM to them with a nasty little note about how displeased we are that they allow this type of internet menace to line their pockets with cash.


We know how it got here, but is there some way we can actually determine who may be personally responsible for this invasion of our internet space? In many cases there is :) That's where the whois service comes in.


BlueMoon 1> whois uspronet.com
Dakota Engravings, Etc. (USPRONET-DOM)
   5923 E. Hillery Dr.
   Scottsdale, AZ 85284
   USA

   Domain Name: USPRONET.COM

   Administrative Contact:
      Holen, Bob  (BH1447)  engrave@GETNET.COM
      (602) 953-2413
   Technical Contact, Zone Contact:
      Wayrynen, Darin  (DW970)  darin@GOOD.NET
      (602) 303-9500 ext 3234 (FAX) (602) 303-0550
   Billing Contact:
      Holen, Bob  (BH1447)  engrave@GETNET.COM
      (602) 953-2413

   Record last updated on 27-Jun-96.
   Record created on 27-Jun-96.
   Database last updated on 16-Aug-97 04:20:12 EDT.

   Domain servers in listed order:

   NS1.GOODNET.COM              207.98.129.11
   NS2.GOODNET.COM              207.98.129.12


The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
BlueMoon 2>




Well, well, well. They do use goodnet for services, the nameserver addresses verify that. The best part is we now have some email addresses of individuals directly responsible for their domain. The Administrative contact is engrave@GETNET.COM and the technical contact is darin@GOOD.NET. Send out copies to both of them. You got it, they should certainly get copies too. I didn't want it and I'm sure they don't want it, but darn it, they made it happen and they're going to get a carbon of every piece of spam from their domain that I receive. You can also do a whois on each network used to relay that spam mail. Win95/98/2k/XP users can download a whois client at ftp.bluemoon.net/pub/pc/tcp/whois32.zip. Remember to use only the two names surrounding the last period in the hostname, mail.goodnet.com would be in the domain "goodnet.com", the "mail." is just the individual machine name.


Fighting spam can be a detective game, but if each us takes the trouble to stir up the providers we can all help to make the point that SPAMMING us means we won't ever want to have anything to do with their company, products or services.


---




There are many sites dedicated to fighting internet spam mail. The best I have found yet is spam.abuse.net which contains a wealth of information on how you too can join the war against spam mail. We heartily urge you to visit this site and learn all you can about how to discourage the spammers from bothering us all.

---

Any Comments? E-Mail

Any Comments? E-Mail Webmaster

Be sure to replace " AT " with @ in your mailer

© 1998 - 2006 Blue Moon Internet Corp.

Unauthorized Use Prohibited

Back to the Blue Moon Home Page