Category Archives: spam

how to report spam

i use this spam policy, along with maintaining robust global email filters, running SpamAssassin, and blocking IP addresses that are used for abuse. the result of using these procedures has resulted in my having to get this far MAYBE as many as 10 times in a day, and some days i don’t have any spam at all. YOUR MILEAGE WILL VARY! and, remember… the more you do it NOW, the fewer spam messages everyone gets down the road!

this is written from the perspective of a person who uses an email client and a web browser. if you ONLY use a browser (if you use webmail), there may be extra, intermediary steps that are not written down here.

the first thing you need to know is how to extract headers from your email messages, which is different depending on how you get your email.

  1. once you’ve extracted the headers, go to this URI:

    https://www.iptrackeronline.com/email-header-analysis.php

    leave wherever you have extracted the headers — the “message source” — open, because you’re going to need to copy more of the message, later.

  2. for now, paste only the headers into the form, and click “Submit header for analysis”.

    the analysis is WAY more information than you need, but the information you DO need is right near the top: under the header “Email header analysis report” will be a table that contains “All valid IP Addresses found in the header”, and usually the top one (or, possibly, two) will have an asterisk (*) next to them, which is the “Probable originating IP address”.

  3. copy that address. if it’s two, copy the first one, do the next steps, and then come back and copy the second one and do the next steps for that number, as well.
  4. now, go to this URI:

    https://centralops.net/co/DomainDossier.aspx

    paste the IP address in the “domain or IP address” field, check the following three boxes:

    domain whois record
    network whois record
    DNS record

    and hit the “Go” button.

    then, i find that it’s easiest to use the “Edit” -> “Find In This Page” function of my browser, to search for every instance of the commercial at symbol – @ – which is used in email addresses.

  5. now, go back to the message source, where you extracted the headers (remember that?)

    select and copy the entire message, including the headers. now you can close the message source.

  6. select the message in your inbox, and choose “Forward”.
  7. this will open a new message, with the message you’re complaining about inside a forwarding header. select everything EXCEPT the forwarding header, and delete it. then paste the message source that you copied in where the other stuff used to be.
  8. then, go back to the web browser, and find every email address for the IP address you’re complaining about, and put them into the “To:” line of your new, forwarded message.

    SOMETIMES the information will tell you something like “Report abuse only to…” or something like that. you can do that, if you want to, but frequently the “abuse” address is disabled, and the other addresses aren’t, so i’ve found that it’s a good idea to send email to EVERY address, whether or not it says to.

    if your search at iptrackeronline.com came up with two “Probable originating IP addresses”, now is the time to go back to step 3), copy the second IP address, and continue from there.

    you’ll end up with a forwarded message that contains the raw, text-only message, which is addressed to at least two, and sometimes as many as 9 or 10 email addresses.

  9. if you’re REALLY hung up on privacy, at this point, you can search for YOUR email address using the “Edit” -> “Find” feature of your email client. if you do this, replace every instance of your email address with an X to make it obvious that you haven’t done anything except remove your address from the header. seriously, if you do this, and mess around with the headers too much, eventually someone will complain about it, and YOU’RE supposed to be the one who is complaining, here.

FINISHING TOUCHES:
i usually like to mark my new message “Urgent”, and i also like to get a “Return Receipt” (which is not available on all email clients). i also like to insert the words “ABUSE VIOLATION” in the subject line, prior to the original, forwarded header, so that they know that you’re complaining, and not just sending more spam.

if you (like me) run your email through SpamAssassin, or something like it, you may have a special header section that gives you reasons why this particular message is (or is not) spam. sometimes this will include things like URIBL_BLOCKED information, which gives you the URIs that are used in the message, which are blocked by various spam lists. if you get an identifiable URI, you can use the “Edit” -> “Replace…” feature in your email client to replace these URIs with human-readable, but machine-invisible equivalents, which will further attest to the fact that you’re complaining, and not just sending more spam.

——

it is important to remember that all of this information is time sensitive: if you don’t get around to reporting spam until two or three days later, it has considerably less effect than a report that is made as soon as the spam message is received. generally, if more than 12 hours has passed, i just trash the spam and continue with my life.

about half of the reports i send produce some kind of response. about half of the responses i get are automated, either telling me that the message has been received, or telling me that it has not been received for one reason or another. a few of them are, actually, human responses, usually saying that they’ve forwarded the message to their client (the spammer), or saying that there’s nothing they can do about it. this is where requesting a return receipt is helpful: if you get a return receipt, there’s a good chance that someone at least saw your message. even if the return receipt says “not read”, you know that it’s a good address, and that someone saw your complaint, even if they didn’t do anything about it.

step 9) is important if they say they have forwarded your message to the spammer, because if you have not replaced all of the instances of your email address with an X, then the spammer now has your email address, surprise! they can do whatever they like with it, which usually means sending you more spam. in extreme cases, they send a SHIT-TON of spam (like, 500,000 messages) or try to send you viruses or malware, so it’s really important to do ALL nine steps.

believe me, speaking from personal experience, cleaning up after a 500k message bomb is no fun. 😕

in the case of someone who says there’s nothing they can do about it, that’s the point where i go back to the IP address that i complained about originally, and put the /16 or /24 into my IP blocker (depending on how egregious the abuse has been).

also, i put commonly used words and phrases that typify abuse (things like “ALMIGHTY GOD” and “flight simulator” and “Pílula” and “电子邮“) into my global email filters, and update them with new information frequently.

occasionaly — VERY occasionaly — i get a response such as this one, which makes all of this rigamarole worth while.

also, why i only accept plaintext email (and why you should, as well)

spam spam spam spam spam spam spam spam spam spam MALLET!

i never get tired of this… 😎

[#RNZ-396-23469]: ABUSE VIOLATION: RE: PAYMENT INVOICE
From: Namecheap Legal & Abuse Team <abuse@namecheap.com>
To: you know who
Date: 180520 12:37 am
Spam Status: Spamassassin
Hello,

Thank you for your report.

While the gaushmedical.us domain name is registered with Namecheap, it is hosted with another company. That is why we cannot check the logs for the domain and confirm if it is involved in sending unsolicited emails.

However, it seems the domain name is blacklisted by SURBL. Since we consider SURBL to be a trusted organization, we opened a case regarding the domain name. Please allow about 48 hours for our further investigation.

Thank you for letting us know about the issue.


[#RNZ-396-23469]: ABUSE VIOLATION: RE: PAYMENT INVOICE
From: Namecheap Legal & Abuse Team <abuse@namecheap.com>
To: you know who
Date: 180521 08:19 pm
Spam Status: Spamassassin
Hello,

Please be informed that as a result of the investigation, the domain gaushmedical.us was suspended. It was null-routed and locked in our system, so the spamming activity should end once the propagation is over.

Thank you for letting us know about the issue.


whois gaushmedical.us
Domain Name: gaushmedical.us
Registry Domain ID: DC3FBD2D4DC1743DE92E082A91D15BEDE-NSR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2018-05-22T03:18:40Z
Creation Date: 2018-05-15T06:56:45Z
Registry Expiry Date: 2019-05-15T06:56:45Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C29C72D760FD14C7FAD8D886E1C016E55-NSR
Registrant Name: New Oru
Registrant Organization:
Registrant Street: Hertzstr. 4
Registrant Street:
Registrant Street:
Registrant City: Heidelberg
Registrant State/Province: Heidelberg
Registrant Postal Code: 69126
Registrant Country: DE
Registrant Phone: +49.8635999192
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: neworu2@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Registry Admin ID: CBBCDFB2B18654CFC972C6274C0858A93-NSR
Admin Name: New Oru
Admin Organization:
Admin Street: Hertzstr. 4
Admin Street:
Admin Street:
Admin City: Heidelberg
Admin State/Province: Heidelberg
Admin Postal Code: 69126
Admin Country: DE
Admin Phone: +49.8635999192
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: neworu2@gmail.com
Registry Tech ID: C3200FE79814B420EB1FA838AEBEF9060-NSR
Tech Name: New Oru
Tech Organization:
Tech Street: Hertzstr. 4
Tech Street:
Tech Street:
Tech City: Heidelberg
Tech State/Province: Heidelberg
Tech Postal Code: 69126
Tech Country: DE
Tech Phone: +49.8635999192
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: neworu2@gmail.com
Name Server: blockedduetospam.pleasecontactsupport.com
Name Server: dummysecondary.pleasecontactsupport.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-05-22T04:57:32Z <<<

😂

spam

as of today, these are the TLDs i have blocked from sending email to my server, because of spam:

  • .bid
  • .date
  • .faith
  • .fun
  • .live
  • .online
  • .party
  • .stream
  • .trade
  • .website
  • .win

if your web site is under any one of these TLDs, you’re not going to be able to communicate with me over email, so you might as well give up now. it’s not going to work.

ETA: 180520 add to the previous list:

  • .club
  • .top

… give it up, folks. 😐

why i only accept plaintext email (and why you should, as well)

a couple days ago, a friend mentioned the fact that i only accept plaintext email, and asked if HTML email was against my religion. i said “yes”, and this is why i don’t accept rendered, HTML-formatted email. it is a story with a moral at the end, so pay attention.

today, i got an email that said it was from “DHL Customer Support <support@dhl.com>” and the subject line was “DHL Shipment Notification”…

keep in mind that the “From:” address is one of the easiest things about any email message to forge. among the other easy things to forge are the “Subject:” line, the “To:” line, and the body of the message, which is one of the reasons it’s not uncommon to get spam from “yourself”.

the spam i got contained the following message:

Notification for shipment event group “Delivery Exception” for &email&;
Dear Customer,

This is a notification that your package has experienced an exception, kindly follow the link to update your address: https://www.dhl.com/address_update

however, because of the fact that i only accept plaintext email, this is what i saw:

<p align=”LEFT”><span style=”font-size:12px;”><span style=”font-family:times new roman,times,serif;”>This is a notification that your package has experienced an exception, kindly follow the link to update your address:</span> <strong> </strong><font color=”#0000ee”><strong> <a href=”https://chicagoturfpros.com/wp-includes/css/dhl/login.php?login=ganesha@hybridelephant.com”><span style=”font-family:times new roman,times,serif;”>https://www.dhl.com/address_update</span></a></strong><span style=”font-family:times new roman,times,serif;”> </span></font></span></p>

for those who look carefully, particularly at the bigger sections of the text, you will discover that there’s a link — a href= — and the target of that link is chicagoturfpros.com…

BUT the apparent target of the link is actually dhl.com. this is compounded by the fact that SOMEONE has taken a lot of time and care to make it look like the dhl.com web site, even though it isn’t.

180513 badware
180513 badware

if i accepted rendered HTML-formatted email, i, very likely, would not have seen the fact that, instead of going to dhl.com, i was actually going to chicagoturfpros.com — WHICH IS EXACTLY WHAT THE SPAMMERS WANT TO HAPPEN!

because of the fact that the link also includes my email address, there is also the very strong probability that: 1) i would have clicked the “update address” button without noticing that i’m giving my personal information to “chicagoturfpros.com” or whoever is controlling their web site, and 2) even if i didn’t click the “update address” button, my email address is now a part of the web log for “chicagoturfpros.com” (or whoever is controlling their web site), which means that, even if they didn’t get my personal information, they have what is now a “valid” email address, with which they can, then, send me more spam.

because of the fact that i DO NOT ALLOW rendered, HTML-formatted email on my computer, they (whoever “they” is) don’t get ANY information from me.

which is precisely why you should NEVER allow your email client to render HTML-formatted email.

if you have a regular email client, not accepting rendered HTML-formatted email should be as simple as going to the settings and deselecting “Use HTML by default” or whatever your email client has (this is one of the differences in all email clients). if you use IMAP (web mail) you may or may not have that capability, so your mileage may vary. i very strongly recommend that you use an email client which is compatible with IMAP, and reply from that, even if you do use web mail. it makes things a hell of a lot easier, especially when you’re dealing with spam and identity theft.

i realise this is a lost cause, and that pretty much everyone sends, and receives HTML-formatted email by default, these days, but identity theft is still a MASSIVE problem, and it’s only being made worse by the default preponderance of HTML-formatted email. if you don’t want to have your identity stolen, ONLY ACCEPT PLAINTEXT EMAIL. it won’t guarantee that your identity won’t get stolen, but it will go a long way to make it a lot more difficult to do so.

this has been a public service announcement.

ETA: wordpress is concerned enough about my security that, yesterday, it sent me three notices concerning the fact that the link i provided above, which isn’t even a link, but just a text representation of what the link looks like, is a security risk, and offered to delete the page for me. THAT’S why i only accept plaintext mail. 👍

for further information, read In Apple Mail, There’s No Protecting PGP-Encrypted Messages which gives a contemporary example of why HTML-formatted email is evil.