From: [log in to unmask] (John Cottingham)
Subject: Spam 101...Fighting Back!
Date: Sun, 1 Oct 1995 10:40:11 -5 CDT
 
Strange e-mail messages in your mailbox asking you to send for information,
buy something, or contribute to something are called SPAMs when sent to list
members or Usenet newsgroups.
 
Why did my mail get returned when I mailed the stuff back to the SPAMer?
 
1. The offending Internet Service Provider (ISP) had already been deluged with
an incoming protest SPAM and had already disconnected the culprit.
 
2. The From: line was a HACK. The setup screen on your mail program asks you
to enter your name and e-mail address. Anything can be entered there and it
puts this 'phoney?' address on any SPAM you send. Most of the SPAMs received
here were HACKs with the exception of two. Replying to a HACKED From: line
will always return as 'user unknown'.
 
Why are SPAMMERS so successful posting this #$*(?
 
Most communities have a multitude of ISPs wanting customers. They offer free
introductory subscriptions to those who pay by credit card. SPAMMING is a
recreational business so they know which ISPs are vulnerable and available for
little or no expense. SPAMMING is legal.
 
Subscribing with an ISP, then SPAMMING, getting disconnected as a result, and
then refusing to pay legal charges, can be illegal. If ISPs can establish a
pattern of this conduct by an individual, authorities can bring criminal
charges.
 
What is the problem then?
 
ISPs in their contracts with end-users (subscribers), have not spelled out
the definition of 'appropriate' vs 'inappropriate' conduct. If ISP contracts
defined unrequested mass e-mailings as 'inappropriate' conduct, they could
legally request a substantial fee for administrative costs. $5,000 to $10,000
sounds substantial enough to me. Using HACKED From: lines could also be deemed
'inappropriate'.
 
How does mail get from Point A to Point B?
 
Everyone either uses an ISP or a university or business operated network to
interact with the Internet. The veins between you and the rest of the world
wide Internet are called COMMON CARRIERS. The convoluted route from you
(Point A) to any other point is determined by the contract that your ISP,
etc., has with a COMMON CARRIER. ATT, MCI, Sprintlink, UUnet, bitnet, sunet,
etc. are all COMMON CARRIERS. Presently, contracts do not address
'inappropriate' network load due to security breaches at ISPs. Contracts need
to 'kick-in' additional administrative fees for offending networks.
 
How can I help bring about a solution?
 
In recent months, most but not all of the SPAMs were handled responsibly by
the originating ISPs. It took PSI/interramp.com three weeks and three SPAMs
to close the hole in their security. Our nemesis from Albuquerque is still
with us. The recent postings have had hacked From: lines so don't try to
respond to the message. A hacked From: line is a 'Trojan Horse'. The
'SPAMKING' charges $425 to do it.
 
I want to be an activist rather than a victim, what do I do?
 
All messages sent on the internet have appended to them, every point that the
message passes through before reaching the recipient. The default subscription
to the parkinsn list does not list any points passed before the listserv
receives it.
 
The full header subscription option shows all points from origination to the
listserv and from the listserv to you.
 
I want to help track these messages, how do I get full headers?
 
Send a message to:
 
[log in to unmask]
 
In the body of the message put only:
 
set parkinsn fullhdr
 
Messages from then on will have full headers. To set it back to the short
header configuration, send the same message as above except substitute the
words: set parkinsn shorthdr.
 
Now that I have full headers, what do I do now?
 
Here is the full header of the two spams we received this weekend:
 
Received: from ubvm.cc.buffalo.edu by server.iadfw.net;
 (5.65v3.2/1.1.8.2/30Sep95-0125AM)
        id AA02055; Sat, 30 Sep 1995 21:10:12 -0500
Received: from UBVM.CC.BUFFALO.EDU by UBVM.cc.buffalo.edu (IBM VM SMTP V2R3)
   with BSMTP id 8993; Sat, 30 Sep 95 22:06:04 EDT
Received: from UBVM.CC.BUFFALO.EDU (NJE origin LISTSERV@UBVM) by
 UBVM.CC.BUFFALO.EDU (LMail V1.2a/1.8a) with BSMTP id 2114; Sat,
 30 Sep 1995 22:06:01 -0400
Received: from UTORONTO.BITNET by UTORONTO.BITNET (LISTSERV release 1.7f) with
          NJE id 3916 for [log in to unmask]; Sat, 30 Sep 1995 22:09:31
          -0400
Received: from SEARN.SUNET.SE by vm.utcc.utoronto.ca (Mailer R2.10 ptf000) with
          BSMTP id 1551; Sat, 30 Sep 95 22:08:19 EDT
Received: from SEARN (NJE origin SMTPF@SEARN) by SEARN.SUNET.SE (LMail
          V1.2b/1.8b) with BSMTP id 6545; Sun, 1 Oct 1995 03:06:39 +0100
Received: from ixc.ixc.net by SEARN.SUNET.SE (IBM VM SMTP V2R2) with TCP; Sun,
          01 Oct 95 03:06:25 +0100
Received: from [198.70.48.46] (pm1-46.ixc.net [198.70.48.46]) by ixc.ixc.net
          (8.6.12/8.6.10) with SMTP id SAA10144; Sat, 30 Sep 1995 18:45:05 -0400
X-Sender: [log in to unmask] (Unverified)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 1 (Highest)
Message-Id:   <v01510102ac9374ad6f2f@[204.183.126.181]>
Newsgroups:   bit.listserv.parkinsn
Date:         Sat, 30 Sep 1995 18:57:53 -0500
>Reply-To: Parkinson's Disease - Information Exchange Network
              <[log in to unmask]>
>Sender: Parkinson's Disease - Information Exchange Network
              <[log in to unmask]>
From: Patricia Loring <[log in to unmask]>
Subject:      ===> List of over 1,
 
Disregard everything at the top of the message until the Received: lines just
above the X-Sender: line. The first Received: line above the X-Sender line is
where this message really came from. If this example message was sent to
[log in to unmask], they could compare the information and put a real user name
on the 'Trojan Horse'.
 
These are the lines we are interested in:
 
Received: from SEARN.SUNET.SE by vm.utcc.utoronto.ca (Mailer R2.10 ptf000) with
          BSMTP id 1551; Sat, 30 Sep 95 22:08:19 EDT
Received: from SEARN (NJE origin SMTPF@SEARN) by SEARN.SUNET.SE (LMail
          V1.2b/1.8b) with BSMTP id 6545; Sun, 1 Oct 1995 03:06:39 +0100
Received: from ixc.ixc.net by SEARN.SUNET.SE (IBM VM SMTP V2R2) with TCP; Sun,
          01 Oct 95 03:06:25 +0100
Received: from [198.70.48.46] (pm1-46.ixc.net [198.70.48.46]) by ixc.ixc.net
          (8.6.12/8.6.10) with SMTP id SAA10144; Sat, 30 Sep 1995 18:45:05 -0400
 
 
This was posted at ixc.net (ISP) and used the COMMON CARRIER searn.sunet.se.
 
Reserve your most vehement 'finger shaking' (well at least 75% of us qualify)
to the folks at the ISP and the COMMON CARRIER.
 
Mail will reach them if you send it to the address below and/or at:
 
support@DOMAIN  ie.  [log in to unmask]
 
OR
 
postmaster@domain ie.  [log in to unmask]
 
AND
 
Send a message to the COMMON CARRIER contact:
 
American Network, Inc. (IXC-DOM)
   60 East 56th Street
   NY, NY 10022
 
   Domain Name: IXC.NET
 
   Administrative Contact:
      Chaugundia, Kent  (KC49)  [log in to unmask]
      (212) 758-3283
   Coordinator:
      Casula, Viveck  (VC14)  [log in to unmask]
      (212) 758-3283
 
SUNET (ASN-SUNET)
   SUNET/KTH
   S-100 44 Stockholm, Sweden
 
   Autonomous System Name: SUNET
   Autonomous System Number: 1653
 
   Coordinator:
      Eriksen, Bjorn [System Manager]  (BE10)  [log in to unmask]
      +46 8 790 60 00
 
 
For other domains, contact e-mail addresses can be found using either gopher
or your web browser at the following URL.
 
 
gopher://rs0.internic.net:70/7waissrc%3A/rs/whois.src
 
Enter the domain name at the prompt.
 
A few of you will be interested in "killing a few snakes" like I am.<G>
Be vigilant, be vehement, be persistent.
 
Comments on topics like this are best handled directly by e-mail rather than
to the parkinsn list.
 
 
John Cottingham    "KNOWLEDGE is of two kinds: we know a subject,
                    or we know where we can find information upon it."
[log in to unmask]                   Dr. Samuel Johnson
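The header walk the post describes, worked as code. This is an added example
and not code from the post or the parkinsn list: it takes the header block
quoted above, unfolds the continuation lines, reads the Received: lines
bottom-up so that the line just above X-Sender comes first, and reports the
injecting host and IP, the ISP's domain, the next relay's domain, and the
postmaster@/support@ addresses the post says to write to. The header text is
copied from the post; the parser, the two-label domain rule and the comparison
of the IP inside the Message-Id with the one the ISP's mail server logged are
my assumptions, not anything the post states.

```python
"""Walk a message's Received: chain back to the host that injected it.

Added example, not code from the original post or the list.  The header block
is copied from the one quoted in the post (the '[log in to unmask]' redactions
are the archive's); the parser, the two-label domain rule, the contact addresses
and the Message-Id comparison are my own assumptions."""
import re

# Constructed sample: the Received: chain quoted in the post plus the X-Sender,
# Message-Id and From lines that follow it (other fields omitted for length).
SAMPLE_HEADERS = """\
Received: from ubvm.cc.buffalo.edu by server.iadfw.net;
 (5.65v3.2/1.1.8.2/30Sep95-0125AM)
        id AA02055; Sat, 30 Sep 1995 21:10:12 -0500
Received: from UBVM.CC.BUFFALO.EDU by UBVM.cc.buffalo.edu (IBM VM SMTP V2R3)
   with BSMTP id 8993; Sat, 30 Sep 95 22:06:04 EDT
Received: from UBVM.CC.BUFFALO.EDU (NJE origin LISTSERV@UBVM) by
 UBVM.CC.BUFFALO.EDU (LMail V1.2a/1.8a) with BSMTP id 2114; Sat,
 30 Sep 1995 22:06:01 -0400
Received: from UTORONTO.BITNET by UTORONTO.BITNET (LISTSERV release 1.7f) with
          NJE id 3916 for [log in to unmask]; Sat, 30 Sep 1995 22:09:31
          -0400
Received: from SEARN.SUNET.SE by vm.utcc.utoronto.ca (Mailer R2.10 ptf000) with
          BSMTP id 1551; Sat, 30 Sep 95 22:08:19 EDT
Received: from SEARN (NJE origin SMTPF@SEARN) by SEARN.SUNET.SE (LMail
          V1.2b/1.8b) with BSMTP id 6545; Sun, 1 Oct 1995 03:06:39 +0100
Received: from ixc.ixc.net by SEARN.SUNET.SE (IBM VM SMTP V2R2) with TCP; Sun,
          01 Oct 95 03:06:25 +0100
Received: from [198.70.48.46] (pm1-46.ixc.net [198.70.48.46]) by ixc.ixc.net
          (8.6.12/8.6.10) with SMTP id SAA10144; Sat, 30 Sep 1995 18:45:05 -0400
X-Sender: [log in to unmask] (Unverified)
Message-Id:   <v01510102ac9374ad6f2f@[204.183.126.181]>
From: Patricia Loring <[log in to unmask]>
"""


def unfold_headers(text):
    """Return [(name, value)] with RFC 822 folded continuation lines joined."""
    fields = []
    for line in filter(str.strip, text.splitlines()):
        if line[0] in " \t" and fields:  # continuation of the previous field
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>[^\s;]+)"        # what the sending host called itself
    r"(?:\s+\((?P<seen>[^)]*)\))?"      # what the receiving MTA actually saw
    r"\s+by\s+(?P<by>[^\s;(]+)", re.I)  # the MTA that wrote this line
IP_LITERAL_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into helo/seen/by/ip; None if unparseable."""
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    hop = {k: v or "" for k, v in m.groupdict().items()}
    ip = IP_LITERAL_RE.search(hop["seen"]) or IP_LITERAL_RE.search(hop["helo"])
    hop["ip"] = ip.group(1) if ip else ""
    return hop


def registrable_domain(host):
    """Last two labels (assumption: fine for .net/.se/.ca here, not .co.uk)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def trace(header_text):
    """Delivery path and who to write to, worked out the way the post does."""
    fields = unfold_headers(header_text)
    other = {n.lower(): v for n, v in fields if n.lower() != "received"}
    # Each relay PREPENDS its Received: line, so the LAST one (just above
    # X-Sender in the post) is the hop that injected the message.
    received = [v for n, v in fields if n.lower() == "received"]
    hops = [h for h in map(parse_received, received) if h]
    hops.reverse()  # delivery order, injection point first
    origin = hops[0]
    isp = registrable_domain(origin["by"])
    msgid_host = other.get("message-id", "").strip("<> ").rpartition("@")[2].strip("[]")
    return {
        "path": [(h["helo"], h["by"]) for h in hops],
        "origin_ip": origin["ip"],
        "origin_host": origin["seen"].split()[0] if origin["seen"] else origin["helo"],
        "injecting_mta": origin["by"],
        "isp_domain": isp,
        "next_relay_domain": registrable_domain(hops[1]["by"]) if len(hops) > 1 else "",
        # postmaster@ is the mailbox RFC 822 reserves at every site; support@ is
        # the post's other suggestion.
        "contacts": [f"postmaster@{isp}", f"support@{isp}"],
        # A client-generated Message-Id often embeds the client's own address;
        # comparing it with the IP the ISP's MTA logged is a cheap forgery check.
        "message_id_host": msgid_host,
        "message_id_matches_origin": msgid_host == origin["ip"],
    }


if __name__ == "__main__":
    for key, val in trace(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

On this sample the chain resolves to a dial-in host at ixc.net handing the
message to ixc.ixc.net, which relayed it to SEARN.SUNET.SE, and the Message-Id
carries a different IP (204.183.126.181) from the one the ISP's server logged
(198.70.48.46). One caveat a practitioner should keep in mind: only a Received:
line written by a relay you trust is evidence, since a sender can type extra
Received: lines into the message before sending it and those would sit below
the ISP's own line, so the authoritative hop is the lowest line written by a
server you recognise rather than simply the last line. The post names
postmaster@ and support@; RFC 2142 (1997) later standardised abuse@ for exactly
this kind of report.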