Reporting Spam

From Spamwiki
Revision as of 21:14, 29 January 2012 by MarkGiles (Talk | contribs)


Introduction

The most effective way to put an end to spam is to contact the service providers responsible for bringing the content to your desktop. Of those, the registrar is often the most effective administrative body to contact, because the spam is often sent from hacked machines whose administrators may be slow or unable to respond to the problem.

Registrars, on the other hand, as ICANN-accredited administrative organizations, are obliged to uphold certain rules and regulations, and have the resources needed to deal with abuse complaints.


Not all registrars respond with equal force to abuse complaints, but addressing your complaint to the correct person, and composing your letter correctly and clearly, may make the difference between a suspended spammer domain and an ignored complaint.


Why Complain?

One of the proven methods of combating spam has been to file a complaint with the registrar of a spamming domain, or with its web host.

A well composed and targeted complaint will in most cases result in a quick suspension of a spamming domain.


How do I report spam advertising web sites?

Registrars

Complainterator is a new program for Windows for complaining to the registrars that provide the DNS records which resolve access to spammed sites. It generates an optimized complaint report and sends it to the correct addresses.

This program is quickly becoming one of the most effective reporting tools today. For a list of some successful removals, check out this forum.

A list of spammer name server domains can be found at snslist.com.


As a general rule, each abuse complaint should include a sample of the spam you received, along with its full headers. This is because the "From" address is nearly always forged; only the headers show where the message actually came from.

The Fight Back! forum has an excellent and well-developed section devoted to spam fighting tips and techniques.

What if the registrar does not act?

If you get no response at all, before anything else try a different e-mail address.


If the registrar's customer service agent does not seem to understand what you are talking about (as in this example), ask that your e-mail be forwarded to his or her supervisor, or to someone in the legal department.

See also: WDPRS

Web hosting companies

Web hosting companies vary. Some ISPs operate web hosting as a side business, while others offer primarily web hosting services. Some offer shared hosting, while others offer dedicated hosting. Understanding this helps you see that there is an upstream provider, such as Sprint, which may supply the bandwidth, and a downstream, which may be the hosting company itself and/or its own resellers. This information is found in the nameservers of the domain, and you will typically encounter it when researching spamvertised domains.


For more detailed information about web hosting, see the web hosting wiki entry. In nearly all cases, reporting spam will involve more than one ISP (or web hosting company).


Sometimes when doing a WHOIS lookup on an IP address or a domain, a spam researcher can see that there are layers of upstream and downstream providers. In other cases it may not be obvious until one investigates spam reports over and over and starts noticing the same providers coming up regularly.

After some time, a spam reporter can usually tell whether the spam in question was sent through a compromised host or through a host set up to allow spam to be sent. Pill-related spam is often relayed through compromised web servers. The server reported as spewing spam could have an open relay, or its mail software may be misconfigured or in need of updates. Some of these servers may be rooted or otherwise compromised so that they form part of a larger botnet which sends out massive amounts of spam.

When reporting spam, make sure to include all the headers and the body of the spam, because the spam could originate from a zombie at one host but be spamvertised at another host or ISP. Some spam may even be relayed through more than one zombie.
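The paragraphs above ask the reporter to separate three things before writing a complaint: where the mail actually came from (the Received: chain, since the From: is forged), where the spammer wants replies sent, and which domains are spamvertised in the body (the ones whose nameservers and WHOIS records lead to the registrar and host). The following script is an added example, not a tool from the Spamwiki or from Complainterator; the sample message, and every host, IP address and domain in it, is constructed for the demonstration.

```python
"""Triage a raw spam message before reporting it.

Added example, not from the Spamwiki page. It pulls out the three things a
report must distinguish: the relay chain from the Received: headers (where the
mail really came from), the reply channel (Reply-To:, since From: is nearly
always forged), and the spamvertised domains from URLs in the body, which are
then looked up in WHOIS / nameserver records to find registrar and host.
The sample below is constructed; every host, IP and domain is a placeholder.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample: two Received: hops, a forged From:, a Reply-To: at a
# free-mail provider, and two URLs pointing at the same spamvertised site.
SAMPLE_SPAM = """\
Received: from mx.example-isp.invalid (mx.example-isp.invalid [192.0.2.10])
\tby mail.victim.invalid with ESMTP id 1234; Sun, 29 Jan 2012 21:00:00 +0000
Received: from dsl-pool-77.example-relay.invalid (unknown [198.51.100.77])
\tby mx.example-isp.invalid with SMTP; Sun, 29 Jan 2012 20:59:55 +0000
From: Customer Service <somebody@aol.com>
Reply-To: claims-desk@freemail.invalid
To: victim@victim.invalid
Subject: Your lottery winnings
Content-Type: text/plain

Congratulations! Claim at http://www.pills-spamvertised.invalid/claim?id=7
or https://pills-spamvertised.invalid/alt and reply to claims-desk@freemail.invalid
"""

# IP literal in square brackets, as written by the receiving MTA.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def addr_spec(header):
    """Bare mailbox from an address header, or None when the header is absent."""
    if header is None or not header.addresses:
        return None
    return header.addresses[0].addr_spec


def parse_spam(raw: str) -> dict:
    """Split a raw message into relay chain, reply channel and spamvertised domains."""
    msg = message_from_string(raw, policy=policy.default)

    # Each MTA prepends its own Received: line, so the first one was added by
    # your own server and the last one is the hop nearest the sender. Only the
    # lines added by servers you trust are reliable; a sender can forge the rest.
    hops = []
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_IP.search(str(rcvd))
        hops.append(m.group(1) if m else None)

    # From: is nearly always forged; Reply-To: (or an address in the body)
    # is the channel the spammer actually wants answered.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    domains = sorted({urlparse(u).hostname.lower() for u in URL_RE.findall(text)})

    return {
        "relay_chain": hops,                 # newest hop first, as in the header
        "origin_ip": hops[-1] if hops else None,
        "from_address": addr_spec(msg["From"]),
        "reply_to_address": addr_spec(msg["Reply-To"]),
        "spamvertised_domains": domains,     # look these up in WHOIS / nameservers
    }


if __name__ == "__main__":
    for key, value in parse_spam(SAMPLE_SPAM).items():
        print(f"{key:22} {value}")
```

The origin IP goes to the abuse desk of the network that owns it (the zombie's host), the Reply-To: mailbox goes to the free-mail provider, and each spamvertised domain goes to its registrar and web host; the script only extracts them, it does not do the WHOIS lookups.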


The action taken by the abuse desks that manage abuse e-mail inboxes for web hosting companies varies tremendously. Some web hosting providers have very proactive abuse departments, while others seem to be non-responsive to the abuse reporter. Some abuse desks are so poorly managed that the abuse e-mail account does not even accept e-mail. One can research this, or report such activity, at the official InterNIC report site for ICANN. If you are curious about specific providers, searching Google Groups may give you an idea of how responsive a particular web hosting company is. One can also research a web host by reading its Acceptable Use Policy (AUP), typically found on its website.

How do I report spam that doesn't advertise any websites?

Many common types of spam do not include a URL or website address. It takes more effort to report some of these, and it can be difficult to know whether your report has been acted upon. On the other hand, these are often very malignant types of spam in terms of the monetary impact on victims. Spending some of your time reporting stock scams or 419 spams, for instance, can help save a lot of other people's retirement savings.

Stock spams

The classic stock spam is called "pump and dump": the sponsor of these spams buys a large amount of a stock that sells for a very low price, often less than one US dollar. He then hires mailers to send out spam claiming that the company is on the verge of a major change in fortunes that will cause a tremendous increase in the stock price. Everyone has heard how much money people made by being the first to buy IBM stock, and they'd like to be that lucky themselves, so they all try to buy the stock being promoted. All those buyers make the price rise. It may only go up a dollar or two, but as a percentage of the price the spam sponsor paid, it is massive. The sponsor sells his stock at the new higher price. The victims then watch as the price settles back down to the original level. Again, the decrease is only a few dollars, but as a percentage of the price they paid, it means they have lost a huge portion of their investment. And since companies selling for under one dollar a share are often on their way to bankruptcy, even a buy-and-hold strategy won't allow them to make up their losses over time.

In reality, if any of these stocks were such a good deal, the sponsors would be taking out loans to buy more shares for themselves while the price was still low, not sending out emails to strangers to cause the price to rise sooner.

Most of these spams relate to stocks traded in the U.S. and should be reported to U.S. regulatory agencies:

  • The Securities and Exchange Commission (SEC): for all stocks and investments. enforcement@sec.gov
  • The National Association of Securities Dealers (NASD): for stocks traded on the NASDAQ exchange. spam@nasd.com
  • Over the counter stocks (not listed on NYSE, AMEX, or NASDAQ, generally because their prices are too low to qualify -- "penny stocks"): info@pinksheets.com
  • U.S. Department of Justice (DOJ): investigates violations of federal law; includes the FBI and other national law enforcement agencies. AskDOJ@usdoj.gov
  • The Federal Trade Commission (FTC): regulates advertising, such as commercial email, on the national level. This address accepts reports about any spam. uce@ftc.gov

Advance fee fraud spams

This includes 419 spam ("Nigerian" spams, which ask for help transferring large sums of money, such as an inheritance or the estate of someone who died without heirs, in exchange for a percentage of the total), lotteries you won without entering, dying people looking to bequeath their wealth to someone more deserving than their own ungrateful relatives and associates, etc. All of these schemes appear to require no risk on the part of the victim, but once someone responds, the scammer starts pumping them for money to cover taxes, shipping, bribes, etc. Each new communication promises that this one last payment will solve the problem and release the promised money to the victim. It plays on people's greed: if the amount of money involved is large enough, they are willing to lose more of their own money on the chance that the offer is real.

One especially pernicious variant of this is the pet-rescue scheme, where good Samaritans are asked to adopt abandoned pets from war zones. In this case the victims are not even acting out of greed, but are swindled anyway. Contrary to what George C. Scott's character in the movie The Flim-Flam Man says, you can cheat an honest man.

In these cases, any URL in the spam is generally an innocent third party, such as a news source with an article describing the plane crash that killed the fabled Nigerian princess. The victim is expected to contact the spammer via an email address in the body of the spam or a "reply-to" address in the headers, or else occasionally there will be a postal address that is actually the address of a mail drop company. The email addresses are usually with free email services (no advance fee fraud spammer ever spends a penny of his own money), and complaints should go to those email services' abuse departments. The most common ones are listed below.

Reporting Addresses

Registrar Addresses

The response time to a complaint can vary greatly depending on where you send it.

ICANN maintains a list of contact details for all accredited registrars.


Below are some effective complaint e-mail addresses for some of the more commonly abused registrars.

Where to send your complaints:

Name of the registrar                     Reporting addresses
ALANTRON BLTD.                            destek@alantron.com
BEIJING INNOVATIVE LINKAGE TECHNOLOGY     zhaifeng@dns.com.cn
BIZCN.COM                                 support@cnobin.com, abuse@12321.com
CHINA SPRINGBOARD                         alex@chinaspringboard.cn, service@namerich.com
DIRECTI INTERNET SOLUTIONS                abuse@publicdomainregistry.com
DYNAMIC DOLPHIN                           admin@dynamicdolphin.com
ENOM                                      legal@enom.com
GODADDY.COM                               abuse@godaddy.com
MIT                                       help@melbourneit.com.au
MONIKER ONLINE SERVICES                   abuse@moniker.com, legal@moniker.com
NAUNET-REG-RIPN                           domreg@naunet.ru
NIC.AT                                    reports@cert.at
ONLINENIC                                 icann@onlinenic.com, onlinenic-partner@onlinenic.com
REGRU-REG-RIPN                            info@reg.ru
TODAYNIC.COM                              info@todaynic.com, service@todaynic.com
TUCOWS                                    abuse@abuse.tucows.com
WILD WEST DOMAINS                         support@wildwestdomains.com
XIAMEN ENAME NETWORK TECHNOLOGY           www@ename.com, yyc@ename.com
XIN NET                                   admin1@xinnet.com

Law Enforcement Reporting Addresses

An excellent list of reporting addresses across multiple categories has been assembled by SpamCop. The categories included are:

  • Software piracy
  • Multimedia piracy (Music, Video, Cable)
  • 419 or "Nigerian" scams
  • Lottery scams
  • "Spoofing" or "Phishing" for banking or credit card data
  • Other spoofs, password scams
  • MLM / Ponzi / Pyramid schemes & chain letters
  • Stock fraud, securities fraud and investment-related spam
  • Pornography involving children ("kiddie porn") or animals
  • Drugs, On-line pharmacies, (bogus) health products
  • General spam and country-specific reporting addresses

Abuse of free email addresses

Many of the internet service providers (ISPs) which either have large numbers of subscribers or which provide free email addresses often have their addresses spoofed in the "from" field of spam. People can't blacklist all emails with those addresses, since they are sure to have friends using those services. A large number of spams will list "from" addresses of [somebody]@aol.com, but almost none of those will actually come from America Online, for instance.

That means those ISPs get a huge number of reports from people who receive such e-mails, don't understand that the "from" address is meaningless, and accuse them of sending spam. They put filters on their abuse mailboxes to block any reports that don't include headers showing the spam originated on their networks.

So what do you do when you already know the spam didn't originate on their network, but the spammer is using their email service to receive replies from victims? You have to be persistent. When you get the initial autoreply, paste the entire autoreply, with its headers, into a second report, again explaining that you know the spam didn't originate from their network and that they need to suspend the contact email for violation of their terms of service. (Remember, no one actually saw your first report, so be polite and explain from the beginning.) Try to explain the problem succinctly in the subject of your reports, and try to use the same wording every time, in case their filters are learning which reporters' emails are "good." For example: "Subject: Lottery spam with Yahoo contact address in BODY of spam."

  • America Online: abuse@aol.com
  • Comcast: abuse@comcast.net
  • Hotmail: report_spam@hotmail.com. Note that Hotmail has a separate reporting address for child pornography, phishing, threats/harassment, or hacked accounts: abuse@hotmail.com
  • MSN: report_spam@msn.com . As with Hotmail, more urgent types of spam reports go to abuse@msn.com
  • Yahoo/Geocities: Either use the webform at http://helpme.att.net/servabuse.php or else email mail-abuse@yahoo-inc.com
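The advice above comes down to mechanics: the report must carry the spam with every header line intact, the subject line should state the problem in one sentence and use the same wording on every attempt, and a follow-up after an unhelpful autoreply should carry that autoreply, headers and all. The script below is an added example, not something from the Spamwiki; it builds such a report with Python's standard email library, attaching the untouched original as message/rfc822 rather than pasting it into the body, which is the one packaging that survives mail clients re-wrapping text. The sample spam, the sample autoreply, and all addresses and hosts are constructed placeholders.

```python
"""Compose an abuse report that preserves the spam's full headers.

Added example, not from the Spamwiki page. It builds the report as a
multipart message with the untouched original attached as message/rfc822, so
the Received: chain survives exactly as received, and puts the one-line
problem statement in the Subject with a fixed wording reused on each attempt.
For a follow-up after an unhelpful autoreply it attaches that autoreply too,
headers and all. All addresses and messages here are constructed placeholders.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample spam (placeholder hosts, IPs and addresses).
RAW_SPAM = """\
Received: from dsl-pool-77.example-relay.invalid (unknown [198.51.100.77])
\tby mx.victim.invalid with SMTP; Sun, 29 Jan 2012 20:59:55 +0000
From: Customer Service <somebody@aol.com>
Reply-To: claims-desk@freemail.invalid
To: victim@victim.invalid
Subject: Your lottery winnings
Content-Type: text/plain

Reply to claims-desk@freemail.invalid to claim your prize.
"""

# Constructed sample autoreply from the provider's abuse desk.
RAW_AUTOREPLY = """\
Received: from abuse-bot.freemail.invalid ([203.0.113.5]) by mx.victim.invalid
From: abuse@freemail.invalid
To: reporter@victim.invalid
Subject: Re: Lottery spam with freemail.invalid contact address in BODY of spam
Content-Type: text/plain

Your report did not contain headers showing the mail originated on our network.
"""

# Keep the subject wording identical on every attempt, so a filter that is
# learning which reporters are "good" sees a consistent pattern.
SUBJECT = "Lottery spam with {provider} contact address in BODY of spam"

EXPLANATION = (
    "This spam did NOT originate on your network; the headers in the attached\n"
    "original show that. The spammer is using the address {contact} at your\n"
    "service to collect replies from victims. Please suspend that account for\n"
    "violation of your terms of service. The full original is attached.\n"
)


def build_abuse_report(abuse_addr, reporter, provider, contact, raw_spam,
                       raw_autoreply=None):
    """Return an EmailMessage ready to send; the attachments keep all headers."""
    report = EmailMessage(policy=policy.default)
    report["From"] = reporter
    report["To"] = abuse_addr
    report["Subject"] = SUBJECT.format(provider=provider)
    text = EXPLANATION.format(contact=contact)
    if raw_autoreply is not None:
        # Nobody read the first report, so explain from the beginning and
        # include the autoreply itself as evidence of the earlier attempt.
        text += ("\nThis repeats an earlier report that was answered only by an\n"
                 "automated reply; that reply is attached as well.\n")
    report.set_content(text)
    # Attaching the parsed original as message/rfc822 keeps every header line.
    report.add_attachment(message_from_string(raw_spam, policy=policy.default),
                          filename="spam.eml")
    if raw_autoreply is not None:
        report.add_attachment(message_from_string(raw_autoreply, policy=policy.default),
                              filename="autoreply.eml")
    return report


def attached_subjects(report):
    """Subjects of the message/rfc822 attachments, in order (used for checking)."""
    return [str(part.get_payload(0)["Subject"])
            for part in report.iter_attachments()
            if part.get_content_type() == "message/rfc822"]


if __name__ == "__main__":
    followup = build_abuse_report("abuse@freemail.invalid", "reporter@victim.invalid",
                                  "freemail.invalid", "claims-desk@freemail.invalid",
                                  RAW_SPAM, RAW_AUTOREPLY)
    print(followup.as_string())
```

Sending is left to whatever SMTP path the reporter already uses (smtplib or a mail client); the point of the example is the packaging, which keeps the Received: lines exactly as the reporter's own server wrote them.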


Security Incident Reporting Addresses

For reporting of major criminal events involving security breaches, you can select from a list of FIRST groups.

FIRST stands for the Forum for Incident Response and Security Teams.

Websites