Hi all,

For a couple of weeks I have been receiving SPAM mail (with SNN in the subject). Sender and Dest are bogus, and change each time. But the mail is always relayed through santra.hut.fi, which I suppose is the gateway of kampi.hut.fi (IP numbers are 130.233.224.2 for kampi and 130.233.224.2 for santra). I suppose also that they had my mail address in the mailing list or ftp list of kampi. As usual they say that if you want to unsubscribe you have to send a message to some address, which is also bogus and changes each time. I replied the first time, so I receive a couple of messages each time. Now kampi seems permanently down (not replying to ping), while santra is on. Maybe they are aware of that and are down for this reason. If you know somebody there, you could give them these explanations to help them to fight. But a phone call is more appropriate than an e-mail!!

Thanks
Maurice
Hello, everybody!
Sorry for this long off-topic email. It contains an explanation of where and how to complain about junk email.
With the help of all of us, we might be able to get the GPC mailing list clean again.
Maurice Lombardi wrote:
> For a couple of weeks I have been receiving SPAM mail (with SNN in the subject).
So do I - and probably all on this list. :-(
> Sender and Dest are bogus, and change each time. But the mail is always relayed through santra.hut.fi, which I suppose is the gateway of kampi.hut.fi (IP numbers are 130.233.224.2 for kampi and 130.233.224.2 for santra).
According to `host santra.hut.fi', santra has 130.233.224.1.
> I suppose also that they had my mail address in the mailing list or ftp list of kampi.
I am pretty sure that it is much simpler than that: They send their spam directly to the list's address, `gpc@hut.fi'. Santra, being a good list server, delivers the junk to all subscribers.
> As usual they say that if you want to unsubscribe you have to send a message to some address, which is also bogus and changes each time. I replied the first time, so I receive a couple of messages each time.
Then probably only a part of it comes from santra, and you are getting the rest directly from the spammer. :-( Congratulations. :-( :-(
> Now kampi seems permanently down (not replying to ping), while santra is on. Maybe they are aware of that and are down for this reason. If you know somebody there, you could give them these explanations to help them to fight. But a phone call is more appropriate than an e-mail!!
I hope that this is not necessary because Juki (who administers kampi as well as santra) gets this email, too. Anyway, the junk mail is probably *not* due to a configuration problem in Finland but due to the address `gpc@hut.fi' being in some spammer's address list. :-(
If the spam were always coming from the same address, Juki could block email from there. Unfortunately, this is not the case. :-(
Okay, so what *can* we do against this?
According to a header analysis, the _actual_ relay is not santra, but some third party's host somewhere in Japan. Complaining to the administrator of that host can result in positive action:
* If the host is being misused as a relay, its admin can fix its broken MTA and disable the relay function.
* If the spam originates from that host, the admin can take direct action against the abusive user.
I have been complaining about *each* junk mail I get for about two years now (about two each day), and about every third or fourth of my complaints resulted at least in some answer that "something" is being done about the issue. :-] It also happened that some admin replied with unfriendly words, but that's an exception. (If this happens, one can go one step further and complain to his upstream provider. ;-)
*How* to do this?
First, you need the full headers of the spam. How to get them depends on your mail user agent. (With `elm' or `mutt', pressing `h' has this effect.)
A detailed analysis of the two most recent issues follows. It is long, but don't worry: The interesting part consists of only two lines, marked by "***". The rest only serves to explain how to find those lines.
8< -------------------------------------------------------------
From gpc-request@santra.hut.fi Fri Dec 18 12:36:38 1998
^ This is the "envelope From" and can easily be faked. You can trust this line only if you know the host in question and you know a reason why you get email from there - which is the case here.
Received: (from uucp@localhost) by esmeralda.gerwinski.de (8.8.8/8.8.8) with UUCP id MAA00218 for peter@esmeralda; Fri, 18 Dec 1998 12:36:35 +0100
^ This line - the last "Received" line - was generated by the host I am reading the mail on. Since this host belongs to me, I can trust it.
Received: (qmail 13398 invoked from network); 18 Dec 1998 08:02:21 -0000
Received: from agnes.dida.physik.uni-essen.de (root@132.252.78.226) by tim.gerwinski.de with SMTP; 18 Dec 1998 08:02:21 -0000
^ These lines are generated by my own mail server, tim.gerwinski.de, who received this email from root@132.252.78.226, claiming to be agnes.dida.physik.uni-essen.de. Since 132.252.78.226 *is* agnes.dida.physik.uni-essen.de and belongs to me, this information can be trusted.
Received: from sp2.power.uni-essen.de (spf109.power.uni-essen.de [132.252.180.9]) by agnes.dida.physik.uni-essen.de (8.8.8/8.8.8) with ESMTP id JAA21186 for peter@agnes.dida.physik.uni-essen.de; Fri, 18 Dec 1998 09:10:37 +0100
^ Generated by Agnes (--> can be trusted) who received this email from spf109.power.uni-essen.de, claiming to be sp2.power.uni-essen.de - which is okay. I know this host.
Received: from uni-essen.de (aixrs5f.hrz.uni-essen.de [132.252.180.229]) by sp2.power.uni-essen.de (8.8.8/8.7) with ESMTP id JAA50540 for phy0a0@sp2.power.uni-essen.de; Fri, 18 Dec 1998 09:03:25 +0100
^ Generated by sp2.power.uni-essen.de who received this email from aixrs5f.hrz.uni-essen.de, claiming to be uni-essen.de - which is okay since that host is the mail server of the University of Essen.
Received: from santra.hut.fi (santra.hut.fi [130.233.224.1]) by uni-essen.de (8.8.5/8.7) with ESMTP id IAA36432 for peter.gerwinski@uni-essen.de; Fri, 18 Dec 1998 08:59:59 +0100
^ Generated by the mail server of the University of Essen who received this email from santra.hut.fi (whom we trust since it belongs to Juki:-), claiming to be santra.hut.fi. No contradiction.
Now the interesting part comes.
Received: from nst.docomosentu.co.jp (nst.docomosentu.co.jp [210.164.206.18]) by santra.hut.fi (8.9.1a/8.9.1) with ESMTP id JAA22435; Fri, 18 Dec 1998 09:55:22 +0200 (EET)
^ *** Generated by santra.hut.fi who received this email from nst.docomosentu.co.jp, claiming to be itself. Since a spammer normally would at least try to hide his identity, this host probably belongs to a third-party victim and is abused as a relay. A complaint should go to docomosentu.co.jp, suggesting to them that they should fix their open relay.
From: salu8@webwork.co.jp
^ This line has been generated by the spammer's mailing program and isn't worth its bits.
Received: from nst.docomosentu.co.jp (localhost.docomosentu.co.jp [127.0.0.1]) by nst.docomosentu.co.jp (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP id QAA05121; Fri, 18 Dec 1998 16:54:36 +0900
^ *** This line was generated by nst.docomosentu.co.jp. Since this host probably is a victim, not the abuser, it might be correct. It indicates that nst.docomosentu.co.jp got the email from itself (localhost [127.0.0.1]) and that the spammer in fact had an account on this host. The complaint should be reformulated to take this possibility into account.
Received: from 207.225.207.125 by nst.docomosentu.co.jp (InterScan E-Mail VirusWall NT)
^ This line was generated by nst.docomosentu.co.jp - either by the mail transport agent or by the spammer. We should not trust it too much, but `host 207.225.207.125' yields adsl125.slkc.uswest.net, so one might consider sending another complaint to slkc.uswest.net, that maybe someone is abusing their host to send junk mail to Japan (and from there to Finland and the whole world). But maybe not: If the spammer really had an account on nst.docomosentu.co.jp, his mailing program may have produced (faked) this line.
It is common practice for spamming programs to add a big amount of additional "Received:" lines here just to confuse people doing a header analysis. For this reason, it is important to keep track of how long the "Received:" information can be trusted. Everything after the first "trust gap" is probably faked; everything before can contain important information.
Date: Fri, 18 Dec 98 00:01:55 EST
To: pol90@worldnet.att.net
Subject: SNN ALERT
Message-ID: 359DFE77.4AC9@erols.com
Content-Length: 521
Lines: 30
^ These lines have been generated by the spammer's mailing program. Looking at them is a waste of time.
Now the contents comes.
[...]
The full text of the release can be viewed at: http://biz.yahoo.com/bw/981217/nuoncology_1.html
^ It might make sense to complain to yahoo.com, so they can close that site. But since the owner of the site can always claim not to have anything to do with the junk mail, this is not a too promising option.
To be removed as a SNN subscriber please put 'delete' in the subject of an empty e-mail and send it to:
4621@usa.net
^ Maurice already has told us what this information is worth. :-( What makes sense is to complain to usa.net, so they can close that account.
8< -------------------------------------------------------------
Okay, that was the long form of the header analysis. Since we have two current junk mails, I am using the second one to give a short review of all this.
Note: Up to now I only have shown how to find out *where* to complain. See below for *how* to complain.
8< -------------------------------------------------------------
From gpc-request@santra.hut.fi Fri Dec 18 12:36:27 1998
Received: (from uucp@localhost) by esmeralda.gerwinski.de (8.8.8/8.8.8) with UUCP id MAA00210 for peter@esmeralda; Fri, 18 Dec 1998 12:36:24 +0100
Received: (qmail 13336 invoked from network); 18 Dec 1998 07:20:36 -0000
Received: from agnes.dida.physik.uni-essen.de (root@132.252.78.226) by tim.gerwinski.de with SMTP; 18 Dec 1998 07:20:36 -0000
Received: from sp2.power.uni-essen.de (spf109.power.uni-essen.de [132.252.180.9]) by agnes.dida.physik.uni-essen.de (8.8.8/8.8.8) with ESMTP id IAA21129 for peter@agnes.dida.physik.uni-essen.de; Fri, 18 Dec 1998 08:29:02 +0100
Received: from uni-essen.de (aixrs5f.hrz.uni-essen.de [132.252.180.229]) by sp2.power.uni-essen.de (8.8.8/8.7) with ESMTP id IAA157898 for phy0a0@sp2.power.uni-essen.de; Fri, 18 Dec 1998 08:21:50 +0100
Received: from santra.hut.fi (santra.hut.fi [130.233.224.1]) by uni-essen.de (8.8.5/8.7) with ESMTP id IAA29066 for peter.gerwinski@uni-essen.de; Fri, 18 Dec 1998 08:18:24 +0100
Received: from grape.pineapple.co.jp (grape.pineapple.co.jp [210.159.8.7]) by santra.hut.fi (8.9.1a/8.9.1) with ESMTP id JAA20233; Fri, 18 Dec 1998 09:15:39 +0200 (EET)
^ Santra got this email from grape.pineapple.co.jp which is not trying to fake its identity. Complain to pineapple.co.jp, so they can close their open relay.
From: salu8@webwork.co.jp
^ faked
Received: from [210.159.8.7] ([207.225.207.125]) by grape.pineapple.co.jp (Post.Office MTA v3.1.2 release (PO205-101c) ID# 0-40494U700L100S0) with SMTP id ACR146; Fri, 18 Dec 1998 15:31:18 +0900
^ Probably grape.pineapple.co.jp got this email from 207.225.207.125 (= adsl125.slkc.uswest.net), claiming to be 210.159.8.7. Complain to slkc.uswest.net that they are hosting a junk mailer at the (nameless) host 207.225.207.125.
Date: Thu, 17 Dec 98 23:30:36 EST
To: pol90@worldnet.att.net
Subject: SNN ALERT
Message-ID: 359DFE77.4AC9@erols.com
Content-Length: 521
Lines: 30
^ faked
[Content ...]
^ see above
8< -------------------------------------------------------------
Interesting: From this second header it is much clearer that 207.225.207.125 = adsl125.slkc.uswest.net is involved in this case than from the first one.
Okay, now *how* to complain?
According to the RFC standards, each domain that can receive email must have a "postmaster" account to which problems with email can be reported. In addition, one should have an "abuse" account, specifically for reporting abusive emails originating from that domain. So it is a good choice to send a complaint to postmaster@slkc.uswest.net and abuse@slkc.uswest.net - and postmaster@uswest.net and abuse@uswest.net if slkc is just a department and not a separate organization.
There is a service "abuse.net" to simplify this: If you send your complaint to uswest.net@abuse.net, it will be delivered to the correct abuse address. You will have to register before you can use the "abuse.net" service; see http://spam.abuse.net.
It is important to include full headers in the complaint, so they can do their own header analysis.
Now, what to write?
I am using the following shell script to formulate a complaint:
8< ---- shell script: `junk' -----------------------------------
#!/bin/sh
# Prepend the preformulated complaint, then append the junk mail read from
# stdin (full headers, minus the mail reader's local "Status:" line).
cp abuse.mail junk.mail
grep -v "^Status:" >> junk.mail
8< ---- end of shell script ------------------------------------
It refers to the following preformulated mail:
8< ---- preformulated mail: `abuse.mail' -----------------------
Hello,
I just received unsolicited bulk email (UBE) originating from or relayed through a host under your responsibility (see the headers below). Please take appropriate action.
Regards,
Peter Gerwinski
8< ---- Extract from the UBE follows -----------------------------------------
8< ---- end of preformulated mail ------------------------------
Piping the email through it (press `|' in `elm' or `mutt') will simply prepend the preformulated complaint `abuse.mail' to the email (with full headers), remove the unimportant header line "Status:" and save the result in a file `junk.mail'. When I send the complaint, I do the header analysis and determine the recipient from that file. With some practice, this takes me around ten seconds per junk mail.
I hope that these hints will help you to react adequately to the junk mail you get and will finally help us all to keep the Internet usable.
More information can be found at http://spam.abuse.net/ and http://maps.vix.com/ .
Greetings,
Peter
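The header analysis above (walk the "Received:" lines newest first, believe a line only if the host that wrote it is one you trust, stop at the first sender a trusted host recorded that is not itself trusted, and then derive postmaster@/abuse@ addresses for its organisation) can be done by a small script. The following is an added example for this page, not code from the posting or from any tool mentioned in it. The TRUSTED set (the hosts the author says he knows), the sample headers (constructed after the second junk mail quoted above) and the "drop the host's first label" rule for naming the responsible organisation are assumptions of the example.

```python
"""Trust-walk over Received: headers to find the host to complain to.

Added example; not code from the original posting. Walk the Received:
lines newest first, believe a line only if the host that wrote it
("by ...") is trusted, and stop at the first sender that a trusted host
recorded but that is not itself trusted. That sender is the relay (or
origin) to complain to; everything below that line may be forged.

Assumed, not taken from the thread: TRUSTED, SAMPLE and the label
heuristic in complaint_addresses().
"""
import re
from email import message_from_string

# Hosts (and their addresses) whose Received: lines we believe. Assumed.
TRUSTED = {
    "esmeralda.gerwinski.de", "tim.gerwinski.de",
    "agnes.dida.physik.uni-essen.de", "132.252.78.226",
    "sp2.power.uni-essen.de", "spf109.power.uni-essen.de",
    "uni-essen.de", "aixrs5f.hrz.uni-essen.de",
    "santra.hut.fi", "130.233.224.1",
}

HOP_RE = re.compile(
    r"(?:from\s+(?P<helo>\S+)\s+)?"   # what the sender claimed to be (HELO)
    r"(?:\((?P<info>[^)]*)\)\s+)?"    # what the receiver actually observed
    r"by\s+(?P<by>\S+)")              # the host that wrote this line
INFO_RE = re.compile(
    r"(?:\S+@)?(?P<rdns>[A-Za-z0-9.-]+)?\s*(?:\[(?P<ip>[0-9.]+)\])?")

# Constructed sample, modelled on the second junk mail in the thread.
SAMPLE = """\
Received: (from uucp@localhost)
    by esmeralda.gerwinski.de (8.8.8/8.8.8) with UUCP id MAA00210
    for peter@esmeralda; Fri, 18 Dec 1998 12:36:24 +0100
Received: (qmail 13336 invoked from network); 18 Dec 1998 07:20:36 -0000
Received: from agnes.dida.physik.uni-essen.de (root@132.252.78.226)
    by tim.gerwinski.de with SMTP; 18 Dec 1998 07:20:36 -0000
Received: from sp2.power.uni-essen.de (spf109.power.uni-essen.de [132.252.180.9])
    by agnes.dida.physik.uni-essen.de (8.8.8/8.8.8) with ESMTP id IAA21129
    for peter@agnes.dida.physik.uni-essen.de; Fri, 18 Dec 1998 08:29:02 +0100
Received: from uni-essen.de (aixrs5f.hrz.uni-essen.de [132.252.180.229])
    by sp2.power.uni-essen.de (8.8.8/8.7) with ESMTP id IAA157898
    for phy0a0@sp2.power.uni-essen.de; Fri, 18 Dec 1998 08:21:50 +0100
Received: from santra.hut.fi (santra.hut.fi [130.233.224.1])
    by uni-essen.de (8.8.5/8.7) with ESMTP id IAA29066
    for peter.gerwinski@uni-essen.de; Fri, 18 Dec 1998 08:18:24 +0100
Received: from grape.pineapple.co.jp (grape.pineapple.co.jp [210.159.8.7])
    by santra.hut.fi (8.9.1a/8.9.1) with ESMTP id JAA20233;
    Fri, 18 Dec 1998 09:15:39 +0200 (EET)
From: salu8@webwork.co.jp
Received: from [210.159.8.7] ([207.225.207.125])
    by grape.pineapple.co.jp (Post.Office MTA v3.1.2) with SMTP id ACR146;
    Fri, 18 Dec 1998 15:31:18 +0900
Subject: SNN ALERT

(body omitted)
"""


def parse_hop(value):
    """Split one Received: value into helo/rdns/ip/by; None if unusable."""
    text = " ".join(value.split())        # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:                             # e.g. qmail's "(qmail N invoked ...)"
        return None
    rdns = ip = None
    if m.group("info"):
        i = INFO_RE.fullmatch(m.group("info"))
        if i:
            rdns, ip = i.group("rdns"), i.group("ip")
    return {"helo": m.group("helo"), "rdns": rdns, "ip": ip, "by": m.group("by")}


def find_trust_gap(raw_message, trusted=TRUSTED):
    """Return the first sender recorded by a trusted host that is not trusted.

    Only the rdns name / IP observed by the receiver count for trust; the
    HELO name is the sender's own claim and is ignored.
    """
    values = message_from_string(raw_message).get_all("Received", [])
    hops = [h for h in map(parse_hop, values) if h]
    for n, hop in enumerate(hops):
        if hop["by"] not in trusted:
            return {"error": "chain broken: line written by untrusted " + hop["by"]}
        observed = hop["rdns"] or hop["ip"]
        if observed is None:              # local hand-off (UUCP, localhost)
            continue
        if observed in trusted or hop["ip"] in trusted:
            continue
        # The next line was written by the relay itself: honest if the relay
        # is an abused third party, possibly forged if the spammer has an
        # account there. Report what it claims, but flag it as unverified.
        nxt = None
        if n + 1 < len(hops) and hops[n + 1]["by"] == observed:
            nxt = hops[n + 1]
        return {
            "relay": observed,
            "relay_ip": hop["ip"],
            "recorded_by": hop["by"],
            "unverified_origin": (nxt["rdns"] or nxt["ip"]) if nxt else None,
        }
    return {"error": "no trust gap: every hop is trusted"}


def complaint_addresses(hostname):
    """postmaster@/abuse@ for the organisation behind hostname, plus the
    abuse.net forwarding address. Heuristic (assumed): drop the host's first
    label (grape.pineapple.co.jp -> pineapple.co.jp); check the result by hand."""
    labels = hostname.split(".")
    domain = ".".join(labels[1:]) if len(labels) > 2 else hostname
    return ["postmaster@" + domain, "abuse@" + domain, domain + "@abuse.net"]


if __name__ == "__main__":
    gap = find_trust_gap(SAMPLE)
    print(gap)
    if "relay" in gap:
        print("complain to:", ", ".join(complaint_addresses(gap["relay"])))
```

For a real message, feed the raw mail with full headers to find_trust_gap and adjust TRUSTED to the hosts you actually know. The unverified origin is reported as the relay recorded it (here a bare IP); resolve it with `host` before deciding whether a second complaint to its provider is worthwhile, exactly as the analysis above does, and remember that anything below the trust gap may have been written by the spammer's program.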