FAQ (1/3): Spamfighting Overview

Archive-name: net-abuse-faq/email/spamfighting
Posting-Frequency: bi-weekly
Last-modified: 07-Jul-2001
Maintainer: James Farmer <>

                  An FAQ For
                      Part 1: Spamfighting Overview


     Recent Changes



 1.1 Introduction
   1.1.1 Whom is this document for?
   1.1.2 What is spam and why do we fight it?

 1.2 Basic Spamfighting
   1.2.1 I've received some spam...  what can I do?
   1.2.2 How can I find a spammer's ISP?
   1.2.3 Can I do anything about a spammer's website?
   1.2.4 What if the spam doesn't include a website?
   1.2.5 What if the spam doesn't even include an email address?
   1.2.6 Who else can I complain to?
   1.2.7 What email address do I complain to?
   1.2.8 Can't this all be automated?
   1.2.9 Should I hack into the spammer's computer?

 1.3 Advanced Spamfighting
   1.3.1 Spammer Tricks
           What are these weird URLs?
           Is the spammer's URL always the place to complain to?
           Why does the spammer's website's source code look so weird?
           How can I stop a spammer's website doing bad things to my
             computer?
           What if a spammer's website has disabled right-click?
   1.3.2 What can I do about Spam-Supporting ISPs?
           Research
           &
           Halls of Shame
           Posting in
           Education
           What if the ISP doesn't speak English?
           Contact their Upstream
           Publicise their Spam-Supporting
           Submit an RBL Nomination
           Bitching

 1.4 Spam Prevention
   1.4.1 How can an individual reduce the amount of spam they get?
           How do spammers get our email addresses?
           Choose a non-obvious email address
           Be careful with your email address
           Address Munging
           Whitelisting
           Filtering
   1.4.2 How can an ISP reduce the amount of spam their customers get?
           Stop Accepting All Email
           Filtering
           Blackholing Lists
           MAPS
           ORBS
           Did ORBS die in June 2001?
   1.4.3 How can an ISP reduce the amount of spam their customers send?

 1.5 About anti-spammers
   1.5.1 Why do anti-spammers fight spam?
   1.5.2 Aren't anti-spammers just a load of anti-business communists?
   1.5.3 Aren't anti-spammers just a load of anti-commerce net-nazis?
   1.5.4 Don't anti-spammers just want to control email on the Internet?
   1.5.5 Why don't anti-spammers spend their time stamping out porn
   1.5.6 Why don't you anti-spammers just get a life?
   1.5.7 Are anti-spammers all Systems Administrators?
   1.5.8 If you anti-spammers are so smart, why am I still getting spam?

     Use Policy

--------------------------- RECENT CHANGES ------------------------------

Added section, about

Linked to <> from 1.2.1

Linked to an Esperanto Anti-Spam FAQ at
<>.

now links to <> as an alternative way of eliminating JavaScript.

- the "Death of ORBS" section - has been updated with information about
the new ORBS-related lists.

------------------------------- DISCLAIMER ------------------------------

The following document should, where not otherwise stated, be understood
to represent the opinions and beliefs of the FAQ-maintainer only.  I
endeavour to ensure that these opinions and beliefs are as correct as
possible, but take no responsibility for any problems caused by errors
herein.  This document should not be considered to represent the opinions
of any individuals or organisations other than the FAQ-maintainer.

Please note that in this document, "we" is intended to collectively refer
to all regular or semi-regular posters to the
newsgroup, including those of all persuasions, and should not be read as
indicating the existence of a "clique" comprising persons of similar

-------------------------------- PREFACE --------------------------------

This is one of three documents I have compiled to comprise an FAQ for the
newsgroup.  Each document addresses points in a given area, specifically:

The SPAMFIGHTING OVERVIEW offers a taste of the many techniques people use
to fight spam.  The objective isn't to teach you how to fight spam (there
are many far superior documents that do just this), but rather to
introduce some of the techniques you can use and refer you to some more
detailed works.

THE EVILS OF SPAM covers the more ethical, moral, and legal aspects of
spam, including just what constitutes spam and the types of people who
become spammers.

UNDERSTANDING NANAE aims to introduce all of the weird, wonderful, and
sometimes impenetrable terminology that people use in (nanae).  It covers both colloquialisms (e.g.
"chickenboner") and technical terms (e.g. "direct-to-MX").

These three parts are designed to stand alone and don't have to be read in
order; feel free to pick and choose just the bits you're interested in.

These documents shouldn't be considered to be "the" FAQ, as there are
plenty of other FAQs that are superior in insight, detail, or depth of
coverage.  They are just an FAQ that I hope will answer some questions
that have been troubling you.

These documents are currently maintained by James Farmer.  If you have any
suggestions for additions or corrections, then feel free to send an email

The latest versions of all of these documents can always be found at

--------------------------- 1.1 INTRODUCTION ----------------------------

1.1.1 Whom is this document for?

  This document is intended for anyone who feels confused about any of the
  spamfighting techniques discussed in the
  newsgroup.  It aims to briefly summarise what each of the commonly used
  techniques is, and provide links to sites where you can find more
  detailed information.

  This document is not a tutorial for spamfighters.  While there is much
  in here that will be of interest to a newcomer, reading this document
  alone will teach you only what techniques you can employ to fight spam,
  not how to use them.

1.1.2 What is spam and why do we fight it?

  These are issues that are discussed in great depth in the second part of
  this FAQ, "The Evils of Spam".  However, to briefly summarise, spam is a
  type of email that endangers the very existence of the email system by
  threatening to overwhelm it with a massive and uncontrollable volume of
  messages.  Spam usually takes the form of advertising or promotional
  material that arrives in your emailbox without you having requested it.

  UBE (Unsolicited Bulk Email) and UCE (Unsolicited Commercial Email) are
  terms that are often used to describe different types of spam.

    NANAE FAQ part 2: The Evils of Spam

------------------------ 1.2 BASIC SPAMFIGHTING -------------------------

1.2.1 I've received some spam...  what can I do?

  Most people ignore the spam they receive.  They either don't have the
  time or the expertise to deal with it.  Their decision is
  understandable, but in the end inaction only helps the spammers because
  they can point to statistics and say "I sent my spam to 7 million email
  addresses and only 190 people complained so the other 6,999,810 must
  have been happy to receive it".

  Alternatively, spam-victims might try to use a spam's "remove address".
  The concept here is that by sending a message to a given email address
  you will tell the spammer to remove you from their mailing list.
  However, these things almost universally fail to work.  In the rare
  cases where your "remove request" actually reaches the spammer, they'll
  just take it as an indication that email sent to your address is
  actually read by a human, and thus your address becomes _more_ valuable
  to them, and they send you _more_ spam.

  The best thing to do is: complain, complain, complain!  Most ISPs have
  Terms of Service (or Acceptable Use Policies) that forbid spamming, so
  if you can tell the spammer's ISP that their customer broke these rules,
  then you can get the spammer's account cancelled!  As well as giving you
  personal satisfaction, this will serve as a deterrent to this and other
  spammers, and with any luck prevent him from profiting in any way from
  his spam.

  (As an aside, an ISP will sometimes try to "educate" a spammer before
  terminating their account, as sometimes a company will send a spam
  without considering the issues involved.  This topic is explored in the
  second part of this FAQ, "The Evils of Spam".)

    Elsop's How To Fight Spam Links

1.2.2 How can I find a spammer's ISP?

  The tricky bit is working out just who is the spammer's ISP.  The
  address in the "From:" field is almost certainly forged in order to
  throw you off the scent (and may even belong to an innocent
  third-party), so you have to learn to read the "full message headers",
  which are a bit like a log of an email message's travels through the
  internet.  The spammer will try to forge these too, but in most cases
  it's still pretty easy to work out which ISP the message came from.

  Header-reading is beyond the scope of this document, but here are a few
  links where you can find out more:

    How do I get my email program to reveal the full headers?
    Getting Full Headers

    SPAM-L FAQ : Tracking Spam
    Reading Email Headers
    Dealing with Junk Email
    Tracking the Source of Email Spam
    Reporting Abuse

  BUT...  when complaining, please remember that the people at the
  spammer's ISP are not the bad guys.  They didn't know their customer
  would turn out to be a spammer.  There is a great temptation to fire off
  a few pages of verbal abuse, but remember that you are angry with the
  spammer, not the abuse staff at his ISP.  The spammer will have abused
  them too, probably breaking their Terms of Service.  And there is
  nothing an ISP can do to prevent, completely, any chance of Internet
  abuse emanating from their machines.  So be polite.  Point out what has
  happened without dramatic or obscenity-clad embellishment.  Hostile or
  infantile behaviour will do you no good at this stage.

  If the abuse staff sends you a response that is blatantly offensive,
  then it may be time to revise your opinion of them (although always be
  aware of the potential for a misunderstanding), but you should start out
  from the assumption that these people are your friends.

  Most abuse departments won't act against a spammer until a non-trivial
  number of complaints have been received. This is because people
  sometimes forget that they have signed up for legitimate mailing lists
  or requested other types of email, and complain about it as spam.  If
  you are convinced that a message was spam but the spammer's ISP claims
  that it wasn't, then there are further steps you can take. We will
  discuss these in later sections of this document.

    Step-By-Step Spam Reporting
    Reporting Abuse to ISPs

1.2.3 Can I do anything about a spammer's website?

  Assuming that the ISP agrees to take action, the spammer's account with
  that ISP will often be cancelled.  Unfortunately, the spammers have
  caught on that their accounts rarely last long after they send their
  spam, so they've taken to using cheap "throw-away" accounts, opened
  solely for the purpose of sending spam which advertises ("spamvertises")
  websites held on other providers.  The spamming accounts will get
  cancelled soon after the spam-run is complete, but the website will
  remain intact and thus the spammer can safely benefit from their spam
  (in terms of sales over the web, or clicks on banner advertisements, or
  whatever).  That's the idea, at any rate.

  Largely, this doesn't work as most web-hosting companies have clauses in
  their Terms of Service forbidding the use of spam to advertise the
  websites they host.  Sending a quick complaint to the hosting company
  will often result in the spammer's website being removed.

  But how to find the web-hosting company?  The spammers may try to
  conceal this, but there's one snag - they want potential customers to
  reach their website, which means that the website's URL is probably
  somewhere in the spam.  Once you find it, you can use tools like
  "traceroute" and "whois" to work out who's hosting the site.  Here are
  some useful online versions of these tools:

    UXN Spam Combat

  But if you'd prefer to run them from your desktop, rather than surfing
  over to a webpage every time you want to run a traceroute, then you can
  download versions of the tools from these links:

    SamSpade for Windows
    Net.Demon for Windows

  "traceroute" is a tool that lists the machines on the Internet that a
  message sent from the source machine to another machine would pass
  through.  "Whois" is a tool for looking up the owner of a domain or IP
  address.  A detailed look at either of these is beyond the scope of
  this document, but again here are some useful links:

    Whois Tutorial
    Spam Tracking 103 - The Whois Tool
    Traceroute Tutorial
    Traceroute and Spam
    Death to Spam (includes a traceroute guide)
    Tools to Help You

  NOTE: Make sure you know what you're doing before you start writing
  complaints based on the results of tools like "traceroute" or "whois",
  as it's very easy to make mistakes.  If in doubt, ask in the newsgroup
  for confirmation.

  Spammers will often try to obscure the true address of their website by
  spamvertising the address of an intermediate site or giving the address
  in an obscure format, but in most cases it's pretty easy to work through
  their tricks.  We'll look at this in more detail in section 1.3.1.

1.2.4 What if the spam doesn't include a website?

  Alternatively, the spam may not advertise a website and will instead be
  soliciting replies by email.  You can use the techniques described above
  to work out who is hosting this email address and complain to the
  provider, which will probably cancel the spammer's email account.  Good,

1.2.5 What if the spam doesn't even include an email address?

  A few spammers - particularly chain-letter spammers - don't include any
  electronic ways of contacting them, giving only a postal address or a
  telephone number in their spams.  In these cases, there tends to be less
  you can do.

  Most postal addresses found in spams will actually be P.O. boxes (e.g.
  Mailboxes Etc).  Some of these mailbox providers may have rules against
  business use or certain types of business uses (e.g. chain letters or
  MLM); if so and you complain, they may take action.

  In fact, chain letters soliciting money are illegal pyramid schemes in
  many countries, so reporting them to the authorities may be a good idea.
  For example, in the United States you can forward such chain letters to
  your local postmaster or postal inspector, or the postmaster/postal
  inspector local to each address on the chain letter, or present them to
  the clerk at your local post office saying "I received this illegal
  chain letter asking for money".  You can also send them by email to or

  Incidentally, I do NOT recommend making personal visits to addresses
  advertised in spams.  Nothing good can come of such episodes.  If you
  desperately want to contact the spammer, send him a letter.

  Many spams will include phone numbers you're supposed to call for more
  information.  Sometimes these will play recorded messages giving the
  address of a website or an email address, in which case you can complain
  to the relevant ISP as usual.  In other cases, it can be worthwhile
  checking the type of phone number it is - many spammers give
  premium-rate numbers and don't include legally required warnings, in
  which case you can complain to the provider or the regulator or whatever
  is relevant to the locality.  (On this note, _always_ check the call
  charges before calling a spamvertised phone number.  If in doubt, don't
  call it.)

  Note that in many countries, a freephone number can still detect your
  number even if you have call blocking enabled.  Use a pay-phone if this
  worries you.

  By the way, if you call a spammer's phone number and actually reach the
  spammer or his family, DON'T be abusive.  It does no good and only makes
  the spammer feel like the victim.

  (Well that's all I know.  Can anyone think of anything more for this

    U.S. Postal Inspection Service on Chain Letters
    Mail Fraud Complaints

1.2.6 Who else can I complain to?

  The key with most spamfighting is summed up by this simple motto:
  "Follow the Money".  Have a look at the spam and the spammed website and
  see how the spammer's intending to earn off it.  Is he using an external
  merchant to charge credit cards?  If so, complain to them and often
  they'll stop dealing with the spammer.  Does he have banner ads?  If so,
  complain to the suppliers of the banner ads.  If there's a form on the
  spammer's website that sends information to an email address, complain
  to the ISP of that email address.  Most legitimate businesses on the
  Internet aren't keen to sully their reputations by working with

  Remember: always be polite.  The ISPs are not your enemies and a single
  polite word will get you a lot farther than a screenful of abuse.

  As an aside, the U.S. Federal Trade Commission has a project for
  analysing and classifying spam, and have invited Internet users to
  forward their spam to  This won't help you in the
  short-term but it could be of long-term benefit in the fight against
  spam.  They also occasionally take action against outright scams that
  are reported in this way.

1.2.7 What email address do I complain to?

  At most ISPs, the address for sending complaints is
  "abuse@<isp-domain>", e.g. or  However, a
  few ISPs have non-standard abuse department email addresses; in these
  cases it can be hard to know where to send your complaint.  To the
  rescue comes; a database of ISP abuse addresses.  It can even
  forward complaints automatically to the relevant abuse addresses if you
  supply the complaint and the name of the Internet provider!  Have a look
  at <>

1.2.8 Can't this all be automated?

  All this reading headers, working out webhosting providers, and so forth
  is a pain.  Spamcop is a service that aims to automate this process; you
  give it your spam and it writes and mails the complaint for you.

  Spamcop has a reputation for sending complaints to a few incorrect
  places, so you have to keep an eye on what it's doing, but if you think
  you might find it useful, then have a look at <>.
  (Note that has no relation to

1.2.9 Should I hack into the spammer's computer?

  No; hacking is very seriously frowned upon by most of the anti-spamming
  community.  Apart from the fact that it's illegal, it allows the
  spammers to portray themselves as honest businessmen being assaulted by
  electronic terrorists.  If we are to eliminate spam it is important that
  we retain the moral high ground.

----------------------- 1.3 ADVANCED SPAMFIGHTING -----------------------

1.3.1 Spammer Tricks

  What are these weird URLs?

    Some spammers try to "obfuscate" the address of their website in order
    to make it hard to see where to complain to.  A number of common
    tactics include:

     * The Non-Dotted-Quad IP address
       Most IP addresses have the "dotted-quad" form:

       However, the IP address is also valid as one big decimal number,


       The spammer hopes that by giving you the address in this form,
       you'll be confused.  However, tools like traceroute and whois will
       quite happily work on either dotted-quads or big decimal numbers.
       If you're happier working with the dotted quads, there's a tool at
       <> that will convert back to them.

       IP addresses can also be represented in Octal (prefixed '0') or
       hexadecimal (prefixed '0x'), or even as a mixture of these within a
       dotted quad, in which case the above IP address might become:


       The key thing to remember is that if it works in your web browser,
       it'll work in traceroute and whois too, so all this obfuscation by
       the spammer is really a wasted effort on their part.  What a shame.

     * The Really Long Dotted-Quad IP address
       The dotted-quad I.P. address is just a way of representing a 32-bit
       number using four 8-bit numbers.  It's a bit like the way you might
       write "1153" as one thousand, one hundred, five tens and three
       units.  Now, in a dotted-quad only the lowest eight bits of each
       number are significant - to continue the above analogy, if we had
       "one thousand, twenty-one hundreds, five tens and three units",
       we'd discard the "twenty" from the "hundreds" column (because that
       would mean an extra two thousands and if we really wanted them we'd
       have put them in the "thousands" column, so it must be an error,
       right?) and still be left with the number "1153".

       Some spammers make use of this by setting the high-bits of the four
       numbers in the dotted quad to make the I.P. address rather long and
       confusing.  For example:

       It looks daunting, but dealing with it is quite simple.  Just take
       each of the four numbers in the dotted quad and ignore all but the
       eight lowest bits (i.e. divide each by 256 and take the remainder).
       In the example above, you'll end up with:

       and from here you've got the I.P. address and can continue as

       Alternatively, the URL de-obfuscator at <>
       will happily decode this kind of really-long-dotted-quad URL for
     * The Username Trick
       You can specify a username and password in a URL using the @
       symbol.  For example:

       will log me into using the username
       "jjf" and the password "fred".  But if didn't need a username & password,
       the username & password are ignored.  Spammers use this to conceal
       their website's location.  For example, is the following website
       located on or

       If you know this trick, it's fairly easy to see through it, so the
       spammers have now taken to trying a double-bluff.  The username has
       to come before the first slash after the "http://" bit, and so the
       spammers try things like this:

       This URL references the directory
       "" at, not a
       website at itself.

       Many of the URL de-obfuscation tools given below for decoding
       Javascript-encoded URLs will also deal with this trick.

     * JavaScript
       A _really_ nasty technique is to encode the URL in JavaScript; this
       can result in URLs that look to you and me like absolute

       Fortunately, help is at hand.  Have a look at these resources:

         net.demon URL Decoder
         SamSpade URLomatic
         De-obfuscating JavaScript
         URL Revealer
         Downloadable Spam Decoder
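
The decoding steps described in the bullets above (big decimal, octal and hexadecimal addresses, over-long dotted quads, and the username trick), as an added Python example that is not part of the original FAQ or of any tool it links to. The function names are hypothetical, the sample URLs are constructed from the reserved 192.0.2.0/24 range and example names, and the two- and three-part address forms go beyond the cases the text walks through.

```python
import re

# One numeric address component: hex ("0x.."), octal (leading "0") or decimal.
_NUMBER = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*")


def parse_component(text):
    """Return the integer value of one address component, or None."""
    text = text.lower()
    if not _NUMBER.fullmatch(text):
        return None
    if text.startswith("0x"):
        return int(text, 16)
    if text.startswith("0"):
        return int(text, 8)  # a lone "0" parses as 0
    return int(text, 10)


def decode_numeric_host(host):
    """Convert an obfuscated numeric host to a plain dotted quad.

    Returns None when the host is not purely numeric (i.e. it is a name
    that has to be resolved through DNS instead).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    numbers = [parse_component(p) for p in parts]
    if any(n is None for n in numbers):
        return None
    value = 0
    # Every component but the last is one byte; as the FAQ describes,
    # only its lowest eight bits count, so high bits are discarded.
    for n in numbers[:-1]:
        value = (value << 8) | (n % 256)
    # The last component fills whatever bytes remain: one byte in a full
    # dotted quad, all four when the address is a single big number.
    tail_bits = 8 * (4 - len(numbers[:-1]))
    value = (value << tail_bits) | (numbers[-1] % (1 << tail_bits))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_authority(url):
    """Return (userinfo, host) for a URL; userinfo is None if absent.

    Only text before the first "/", "?" or "#" after the scheme can hold
    a username, so an "@" later in the URL is just part of the path.
    IPv6 literals are not handled in this example.
    """
    rest = url.split("://", 1)[-1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.split(":", 1)[0].lower()
    return (userinfo if at else None), host


def analyse(url):
    """Report the host to investigate and any decoy text in front of it."""
    userinfo, host = split_authority(url)
    return {
        "host": host,                           # what whois/traceroute should get
        "address": decode_numeric_host(host),   # dotted quad, or None for a name
        "decoy": userinfo,                      # username part, often a fake site name
    }


# Constructed sample URLs (not taken from real spam).
SAMPLES = [
    "http://3221225985/offer.html",                  # one big decimal number
    "http://0300.0x0.2.01/offer.html",               # mixed octal and hex
    "http://960.256.514.1793/offer.html",            # high bits set in each part
    "http://www.example.com@3221225985/offer.html",  # username trick
    "http://spamvertised.example/www.example.com@login/",  # "@" in the path
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", analyse(sample))
```
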

  Is the spammer's URL always the place to complain to?

    Spammers know that no matter how hard they try to mangle their URL in
    the manner described above, some people will be able to decode them.
    Therefore, they sometimes try to hide their websites using other
    methods as well...

     * Page Redirections

       Another tactic favoured by some spammers is to spamvertise one URL
       but have that URL "redirect" visitors to another.  In this way, the
       spammer hopes to confuse us, to misdirect complaints, and if the
       site that's redirected to is taken down he can just change the
       redirection page to point to another, identical site and still
       profit from his spam run.

       Fortunately, in most cases, page redirection can be followed simply
       by looking in your browser's history window.  Once you recognise
       this, the thing to do is complain to the hosters of both the
       redirecting website _and_ the website it redirects to.

     * Frames
       A variant on the Page Redirection trick is to have a webpage on one
       site that contains a frame around a webpage on a second site; this
       way the "Location:" field of the browser will contain the URL of the
       first site (the one containing the frame) and not the URL of the
       second site (the one containing the actual content).  In Netscape,
       you can get the URL of the second site by selecting "Page Info"
       from the "View" menu; in Internet Explorer, right-click on the
       webpage and select "Properties".

  Why does the spammer's website's source code look so weird?

    Many spammers have learned that anti-spammers get important
    information about their operations from the source code of their
    website.  So they've taken to encoding their webpages in JavaScript;
    this is decoded into HTML by your web-browser in order to display the
    page, but when you try to look at the source you just see
    gobbledegook-like Javascript.

    Fortunately, help is at hand.  Have a look at these resources:

      Encrypted-HTML Decryption Tools
      De-obfuscating JavaScript
      SamSpade JavaScript Browser
      Net.Demon Haywyre Decoder
      Decrypt URLencoded HTML sources
      Downloadable Spam Decoder

    Alternatively, users of Internet Explorer 5.x can install the
    "Microsoft Web Developer Accessories" add-on from Microsoft. With this
    tool you can highlight a portion or all of a webpage, right-click (or
    shift+F10) and select "View Partial Source". You now see the plain
    HTML that the spammer's JavaScript sent to your browser.

  How can I stop a spammer's website doing bad things to my computer?

    Some spammers' websites can do some quite nasty tricks, such as
    switching Internet Explorer to full-screen mode and not letting you
    escape, or opening lots of pop-ups, or re-opening the site every time
    you try to leave it, and so forth.  If you use IE, you can put the
    spammer's site in "Restricted Mode" which will disable all JavaScript,
    Java, ActiveX, cookies and anything else on the site the spammer will
    try to trick or trap you with.  In other browsers you can disable
    JavaScript and Java from the configuration window.  For more
    information see:

      Improving Security in IE5 and OE5

    You can also use the advert-removing program WebWasher to prevent
    abusive JavaScript code from executing.  Look for it at

    However, beware; some spammers know that many anti-spammers surf with
    JavaScript permanently disabled and have written websites that look as
    if they have been killed if JavaScript is disabled yet are still fully
    functional for surfers with JavaScript enabled.  Some other spammers'
    websites will immediately redirect you elsewhere if they detect you
    have disabled JavaScript.

  What if a spammer's website has disabled right-click?

    Spammers know that anti-spammers get a lot of information about their
    revenue chains by looking at the source code of their website.  So
    they have taken to writing little bits of JavaScript that intercept
    right-mouse-clicks on their webpage to prevent the context-sensitive
    menu containing the "view source" option in Netscape and Internet
    Explorer from appearing.

    This can, of course, be circumvented by deactivating JavaScript in
    your browser, but there is also a simpler solution, as the "view" menu
    on the menu bar allows you to bring up the page source in some
    versions of IE and Netscape.  Alternatively, Shift+F10 will simulate a
    right-click in some browsers.  Some Windows keyboards also have a
    "context-sensitive menu key" which can be used to call up the menu
    you'd normally get by right-clicking.  Note that some spammers'
    webpages will now intercept these keypresses as well as the
    right-click, but the "view" menu on the menu bar should still work.

1.3.2 What can I do about Spam-Supporting ISPs?

  Most ISPs hate spam.  Sometimes, however, you'll come across an ISP that
  is either utterly clueless or refuses point-blank to act against its
  spamming customers.  In these cases, there are a number of steps you can
  undertake.

  Research

    The first step is to check the archives to see whether anyone else is
    having a problem with this spammer or with this ISP.  If you can
    contact others who are having the same problems as you, you can pool
    your resources to better achieve an effect.

    &

      is a newsgroup for reporting - not
      discussing - instances of Internet abuse.  The idea is that
      anti-spammers post instances of the spam they see to this newsgroup,
      and then other anti-spammers can look in this newsgroup to see if
      other people are getting the same spam as they.

      But it gets better.  Google's newsgroup archiving service at
      <> archives most postings to (along with most postings to most
      newsgroups); you can use the advanced search feature to search these
      archives for instances of a particular spam!  For example, if you've
      received a spam advertising the website
      "" you could search for
      "" in the forum (Google-speak for
      "newsgroup") "" and find some other
      people who have been spammed by that spammer.

      Incidentally, the Google archives for are
      also a very useful resource for priming yourself on specific issues.
      There are few new ideas; most spam-related issues will have been
      discussed in this newsgroup at some point or another, and many
      spammers have too.

        Spamfighting 102 - The Many Uses of DejaNews
        Charter
        Google's Advanced Newsgroups Search

    Halls of Shame

      is a very useful resource but
      sometimes you need something a little more structured.  Unlikely as
      it may seem, there are anti-spammers who dedicate whole websites to
      keeping track of the unrepentant spammers and those who run
      spam-support services.  These can be very useful in discovering a
      spammer's M.O., or just why you're having trouble getting a
      spammer's account at a certain ISP killed.  Here's just a handful of
      such sites...

      The Spamhaus Project tracks spam support services and spam-friendly
      ISPs, and displays the results in a number of easy-to-navigate
      formats, with links to "whois" information, relevant abuse
      addresses, and the like.  As well as currently-active spamhausen it
      lists deceased spamhausen, including how many times they have been
      terminated and by which ISPs, and when.  There's even a "league" of
      leading spam-support services.

        The Spamhaus Project

      In a similar vein is Sapient Fridge's Spamware Sites Listing; a list
      of websites that are selling Spamware or supporting Spam in other
      material ways, each coming with various service providers (with
      cross-references), handy links to traceroute tools, and their status
      with the RBL.

        Sapient Fridge's Spamware Sites Listing!

      The Spammer Quick Reference Guide has by no means as many technical
      whizz-bangs, but it looks like a quite useful list of who's spamming

        Spammer Quick Reference

      ROKSO is a good reference of hard-core spam operations that get
      thrown off Internet providers time after time after time.

        ROKSO (Register of Known Spam Operations)

      has a database of postal addresses and phone numbers
      advertised in spams...

        Spammer Addresses & Phone Numbers

      In less general terms, Worldwide Online publishes a list of spammers
      they've told to stop spamming them.

        What is Worldwide Online doing to Stop Spam?

    Posting in

      If this research turns up a blank, then don't forget that a great
      way to contact other spamfighters about a suspected spam-supporting
      ISP is to post in

  Education

    Sometimes an ISP will support their spamming customer simply because
    the ISP themselves don't realise that spam is bad.  In these cases, it
    may be worthwhile taking time to briefly explain (patiently and
    without expletives) the problems around spam and why the ISP should
    take action against their spamming customers.

    If you try this, you'll soon be able to tell whether an ISP is
    genuinely ignorant and confused or is purposefully supporting spam.

  What if the ISP doesn't speak English?

      There are an increasing number of ISPs, most notably those in the
      Far East, but also some in Europe and other parts of the
      non-English-speaking majority of this planet, where the technical
      contacts don't speak English.  This can obviously lead to a
      communication difficulty if you yourself aren't fluent in their
      native language.

      One solution is to use the Babelfish automatic translation service,
      but this technology can be a little flakey at times.  It's probably
      better to get a bilingual friend to translate for you if at all

      For persistent spammers from foreign countries, you may be able to
      seek help from some of the foreign-language email abuse newsgroups,
      such as:

        - Italian net abuse newsgroup
        fr.usenet.abus.d - French net abuse newsgroup
        - German net-abuse newsgroup
        - Hungarian I *think*

      As a last resort, there are some anti-spam documents written in
      non-English languages, to which you may be able to refer
      non-English-speaking providers.

        BabelFish translation service
        Chinese Spam FAQ
        Japanese Anti-Relay Links
        Italian Spamfighting Tutorial
        French Anti-spam FAQ
        German Header-Reading Tutorial
        Esperanto Anti-Spam FAQ

      (All suggestions for this section gratefully received!)

  Contact their Upstream

    An ISP's "upstream" is a bit like an ISP's ISP.  Apart from a few very
    large ISPs called "backbones", every ISP purchases its connectivity
    with the rest of the Internet from one or more other ISPs, which are
    called the "upstreams" of the first ISP.  Many of these upstreams will
    have clauses in their contracts about spam, and if you can show them
    that their customer is allowing spam to come through their networks,
    they may well cut them off or pressure them to take action.

    Occasionally, you'll find that a spammer has tricked you into thinking
    you're complaining to their ISP when really you're complaining to the
    spammer himself.  In these cases, by going upstream you'll find the
    spammer's real ISP.

    If an upstream provider refuses to act, you can try _their_ upstream
    provider, and so forth until you reach a backbone.

  Publicise their Spam-Supporting

    Spam is unpopular, so if you publicise the fact that a large
    organisation is supporting spam, then you may be able to force them to
    change their mind.  A posting about them in
    is a good place to start.  If the provider has their own newsgroups,
    then possibly one of them might be appropriate for a posting too.  And
    then, if you're really determined, you can move on to online
    magazines, newspapers, and so forth.

  Submit an RBL Nomination

    Before we start, I have been asked to emphasize that where not
    otherwise specified, everything in this section is the personal
    opinion of the FAQ-maintainer and should not be considered to be
    statements on behalf of MAPS, whose policies are set out at the
    website <>

    We'll discuss the MAPS RBL in more detail in the "Spam Prevention"
    section a little later; to quote from
    <>, however - "The MAPS
    (Mail Abuse Prevention System) RBL (Realtime Blackhole List) is a list
    of networks which are known to be friendly, or at least neutral, to
    spammers who use these networks either to originate or relay spam. As
    we discover such networks, we deny them access to the part of the
    Internet that we are paying for. Because our research into the
    attitudes and policies of network owners is hard to duplicate, many
    dozens of other network owners have asked for and are now receiving a
    real time mirror of our MAPS RBL."

    These measures serve to exert pressure on a spam-supporting provider
    to clean up their act, in addition to protecting parts of the Internet
    from their spam.  MAPS themselves actively work to encourage providers
    whose machines are on the RBL to reform and thus escape the RBL.

    Many entries on the RBL come about as a result of nominations from
    members of the general public.  If you can't touch a spam-supporting
    provider by any other legal means, then nominating them for the RBL
    may be appropriate.  Preparing an RBL nomination does not require a
    great deal of technical knowledge but it does require some time and
    effort.  For full information on how to nominate a provider for the
    RBL, see the following resource:

      Reporting Abuse to the MAPS RBL team

    There is a mailing list for discussion of potential RBL nominations.
    To join, just send a message to:

    with the command

      subscribe rbl-nominate

    in the body of the message.  You will be required to confirm your
    subscription, of course.

  Bitching

    A very controversial tactic is that sponsored by
    <>.  This is a service a little like, except that it forwards email to _every_ known contact
    address for abusive and unresponsive ISPs.  The idea is that by
    forwarding abuse reports to as many officials and unrelated
    departments as possible, the message will get through somehow.
    However, this is considered by many (including the faq-maintainer) to
    be sending Unsolicited Bulk Email and thus wrong.  And even if you can
    get over that moral hurdle, it is extremely impolite.

------------------------- 1.4 SPAM PREVENTION ---------------------------

Spamfighting is very important for reducing the amount of spam we'll all
receive in the future but it doesn't do much to affect your spam intake
for today.  This section looks at some popular methods that are used to
reduce the amount of spam currently ending up in mailboxes.

  Abuse Prevention
  SPAM-L FAQ: Blocking Spam
  Blocking Spam Relaying and Junk Mail (rather technical)

1.4.1 How can an individual reduce the amount of spam they get?

  How do spammers get our email addresses?

    The obvious way to reduce the amount of spam you receive is to make
    sure that spammers don't have your email address!  Before we can go
    further with this, however, we must learn how spammers get hold of
    email addresses in the first place.  As it turns out, there are five
    main ways:

     * They pick them up when they're used publicly on the Internet, e.g.
       in a newsgroup posting or on a webpage.  This is by far the most
       common way, and is known as "harvesting".  Using your email address
       in a newsgroup or on a webpage is generally understood to solicit
       personal, topical replies from individuals, but is not a
       solicitation to receive broadcast advertising.

     * They buy a CD of addresses from another spammer.  These addresses
       were probably harvested from newsgroups or webpages in the manner
       described above, and are often years out-of-date to boot.  As the
       saying goes, there is no honour among thieves...

     * They guess them.  For example, it's a fair bet that
       "" could be a valid email address, although there's
       no way of knowing to whom it leads.  When spammers concentrate this
       technique on one domain it is sometimes called a "dictionary
       attack".  (As it happens, isn't a valid email
       address, because "" is a domain reserved for testing and

     * Our ISPs sell them our email addresses.  This is extremely rare.

     * We give them to them.  Always carefully read the privacy policy of
       any website before you give your email address to it, as sometimes
       email addresses are passed on or used for purposes other than those
       we intended when we gave them.

    For a more detailed look at how spammers find email addresses, have a
    look at this document:

     FAQ: How do spammers get people's email addresses?
       <>

  Choose a non-obvious email address

    Some spammers guess email addresses, so it may be a good idea to use
    something that spammers can't guess easily.  For example, instead of,
    why not have

  Be careful with your email address

    The only way to totally eliminate the chance of receiving spam is not
    to have an emailbox.  Even if you have an emailbox and never ever show
    your email address to anyone else, there's still the chance that a
    spammer might guess your email address.  However, there are a few less
    extreme steps you can take to at least reduce the amount of spam you

     * Never, ever give your email address to a company you do not trust
       entirely.  If in doubt, open a free email account with a web-based
       provider such as and use that address for communicating
       with the company; that way, if they do spam, you can close the
       account and you've only lost a free email account you weren't using
       for anything else.

     * Never, ever post to usenet using an unmunged email address you care
       about.  Use a throw-away address from a free email provider or
       munge your email address as described in  (Some people
       have reported that you can reduce spam without impacting upon the
       ease of contacting you, by posting with a munged From: address or
       an unmunged Reply-To: address, but I can't believe the spammers
       won't catch on to this eventually.)

     * Never, ever allow your email address to appear on a website,
       including on a web-based discussion board.

    Some people concerned about privacy enter made-up email addresses into
    online application forms and the like.  This seems like a good idea,
    but it is important to make sure that the made-up domain you use
    doesn't actually belong to anyone, otherwise you'll just be sending
    spam to the innocent third-party who owns it.  This can become a very
    serious problem for the owners of some domains popularly used in such


      GOOD MADE-UP EMAIL ADDRESS: go@away.invalid

    There are several free mail-forwarding services that can be used to
    reduce your spam-level.  The idea is simple; you give a different mail
    forwarding email address to each company that asks for your email
    address, and the mail forwarder forwards all mail to these addresses
    to your usual mailbox.  If a company ever starts to spam you, you just
    disable the forwarding address you gave them and you won't get their
    spam, without affecting your other incoming mail.  Companies who
    provide this service include:

      Spam Motel
      Despammed (filters mail using the MAPS and ORBS blackhole lists)

  Address Munging

    "Munging" is the act of mangling your email address so that it can
    still be read by a human but cannot be automatically harvested by

    For example, my email address:

    Could be munged into any of the following:

    When munging, you have to be careful not to accidentally munge your
    own email address so that it's identical to someone else's, and should
    always munge the bits to the RIGHT of the @-sign and not just the bits
    to the LEFT (otherwise your ISP will still get your spam even if you
    don't yourself).  Also, you should ensure that your munged domain name
    is NOT an existing domain (else the poor sod who owns it could get
    your spam).

    Recent drafts of the Usenet message format RFC specify that the
    From: line of a newsgroup posting must contain either a valid email
    address or an email address ending in ".invalid".  Your munged email
    address should really comply with this forthcoming standard, e.g.:

    Note that some spammers now have harvesting software that can remove
    widely-used munges like "NOSPAM".

      Address Munging FAQ
        <>

  Whitelisting

    Some ISPs forbid their customers from using a munged email address.
    In these cases, whitelisting can be an alternative.  In this, you set
    up your mail account such that some given word or string of characters
    must be in the subject line for any mail to be accepted, and then you
    explain this in any newsgroup postings and webpages containing your
    address.  This way people can respond to you, but spam will be deleted
    from the server without you having to spend time downloading and
    reading it.  This works especially well with webpages, e.g. use:

      <A HREF="mailto:YOUR-ADDRESS?subject=FRIENDLYMAIL:%20Comments%20about%20my%20webpage">Send me email!</A>

    Then kill any mail that doesn't have FRIENDLYMAIL: in the subject line
    and have the rest forwarded to your real email address.

  Filtering

    You can filter your personal email if you wish, deleting messages
    based upon the appearance of certain strings of characters or based
    upon the sender.  For example, depending upon your tastes, it may be a
    fair bet that any message with "FREE LIVE SEX" in the subject line is
    spam.  The risk of filtering, of course, is that some non-spam mail
    will accidentally trigger these filters (perhaps by someone trying to
    discuss a piece of spam with you?) and this legitimate email will get
    deleted too.  In order to prevent this, some people just filter
    suspected spam into a separate folder, which they clean out by hand
    from time to time.

      The Spam Bouncer
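
    The subject-keyword whitelisting and the "separate folder" filtering
    described above, combined in one sorter. This is an added example, not
    part of the original FAQ; the sample messages are constructed, and
    nothing is deleted, so a false positive can still be rescued by hand.

```python
from email import message_from_string, policy

TOKEN = "FRIENDLYMAIL:"               # subject keyword from the FAQ's example
BLOCKED_PHRASES = ("FREE LIVE SEX",)  # phrase from the FAQ's filtering example


def subject_of(raw):
    """Parse a raw message and return its Subject, decoded and unfolded.

    policy.default decodes RFC 2047 encoded words, so a subject written as
    =?utf-8?q?...?= is matched on what the reader would actually see.
    """
    msg = message_from_string(raw, policy=policy.default)
    return " ".join(str(msg["Subject"] or "").split())


def route(raw, token_required):
    """Return the folder for one message: "inbox" or "suspect".

    token_required=True  : whitelisting, for an address published with the keyword.
    token_required=False : ordinary phrase filtering.
    The keyword always wins, so a friend discussing a spam is not filtered.
    """
    subject = subject_of(raw).upper()
    if TOKEN in subject:
        return "inbox"
    if token_required:
        return "suspect"
    if any(phrase in subject for phrase in BLOCKED_PHRASES):
        return "suspect"
    return "inbox"


def sort_mail(raw_messages, token_required):
    """Sort messages into folders; returns {folder: [subjects]}."""
    folders = {"inbox": [], "suspect": []}
    for raw in raw_messages:
        folders[route(raw, token_required)].append(subject_of(raw))
    return folders


# Constructed sample messages (all addresses use reserved example domains).
MSG_REPLY = ("From: reader@example.org\n"
             "Subject: Re: FRIENDLYMAIL: Comments\n about my webpage\n\nNice page.\n")
MSG_SPAM = ("From: bulk@example.net\n"
            "Subject: =?utf-8?q?Free_Live_Sex?=\n\nClick here.\n")
MSG_DISCUSS = ("From: friend@example.org\n"
               'Subject: friendlymail: that "FREE LIVE SEX" spam you got\n\nLook at this.\n')
MSG_PLAIN = ("From: colleague@example.com\n"
             "Subject: Meeting on Tuesday\n\nFRIENDLYMAIL: only in the body.\n")
SAMPLES = [MSG_REPLY, MSG_SPAM, MSG_DISCUSS, MSG_PLAIN]

if __name__ == "__main__":
    for mode in (True, False):
        print("token_required =", mode, sort_mail(SAMPLES, mode))
```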

1.4.2 How can an ISP reduce the amount of spam their customers get?

  Stop Accepting All Email

    This will immediately reduce the spam intake of their customers to
    zero.  Unfortunately, it also destroys email as a usable communication
    medium.  In order to prevent this becoming necessary whilst still
    taking action to reduce their customers' spam levels, many ISPs adopt
    policies that are midway between blocking everything and doing
    nothing...

  Filtering

    One tactic used by some ISPs to cut down on spam is filtering.  The
    ISP scans incoming mail and any messages that match the pattern of a
    known piece of spam are discarded.  The big danger with filtering is
    that of false positives; users are unlikely to be very pleased if some
    non-spam mails are mistaken for spam by the filter and never arrive.

  Blackholing

    Blackholing (or Blacklisting) is a variation on filtering whereby an
    ISP refuses to accept any email from machines that have a reputation
    for producing a disproportionate amount of spam.  Many administrators
    have had some success with this tactic, although there are two main
    problems with it: firstly, someone will have to add more spam-sending
    machines to their list as more emerge if the effectiveness of the list
    is to be maintained, and secondly it is hard for the ISP to know when
    a machine on the list has reformed and is no longer emitting spam.

    Of course, with any type of blackholing, any legitimate email from
    machines on the blackhole list will be lost along with the spam
    emails.

  Lists

    There are several publicly available lists of machines that many
    ISPs use for blackholing as described above.  Having a reliable third
    party manage such a list neatly avoids the ISP having to take
    responsibility for maintaining a blackholing list, although it does
    raise censorship concerns for some people.  The oft-repeated mantra in
    such discussions is that the list maintainers are not actually
    blocking email at third-party ISPs; rather, the ISPs themselves are
    blocking the email.

    However, the influence of these lists can itself be a powerful weapon
    in the war on spam; many organisations will reform or fix their
    problems rather than risk remaining on one of these lists.

    MAPS

      I have been asked to emphasize that where not otherwise specified,
      everything in this section is the personal opinion of the
      FAQ-maintainer and should not be considered to be statements on
      behalf of MAPS, whose policies are set out at the website

      MAPS (Mail Abuse Prevention Systems) LLC is a not-for-profit
      organisation which has in recent years become an important combatant
      in the battle against email abuse.  Amongst other things, MAPS
      publishes non-definitive lists of IP addresses classified according
      to various criteria.  It is commonly believed that many Internet
      Providers and others use some or all of these lists, in a variety of
      ways, in order to reduce the amount of spam received by them or
      their customers.

      Among the lists maintained by MAPS are:

       * MAPS RBL - To quote from
         <> - "The MAPS (Mail
         Abuse Prevention System) RBL (Realtime Blackhole List) is a list
         of networks which are known to be friendly, or at least neutral,
         to spammers who use these networks either to originate or relay
         spam. As we discover such networks, we deny them access to the
         part of the Internet that we are paying for. Because our research
         into the attitudes and policies of network owners is hard to
         duplicate, many dozens of other network owners have asked for and
         are now receiving a real time mirror of our MAPS RBL."

       * MAPS RSS - "Relay Spam Stopper", an initiative aimed at the
         problem of spam sent through open mailservers (see 3.4.1 in the
         Understanding NANAE chapter of this FAQ for information on open
         mailservers).  To quote from <> - "The
         MAPS Relay Spam Stopper (RSS) is a freely queryable DNS-based
         database of spam-relaying mail servers. If you run your own mail
         server, you can configure it to utilize our list, if you'd like
         to refuse mail from these types of servers."

       * MAPS DUL - "Dial-up User List".  Quoting from
         <> - "The MAPS DUL lists dial-up and
         other dynamically assigned IP addresses for the convenience of
         mail administrators wishing to stop this trespassing, and for
         Internet providers to help prevent trespassing from their
         networks by volunteering their dial-up information to us."
         Because most legitimate (non-spam) email is sent via an ISP's
         mailserver, rather than directly from a dynamically-assigned IP
         address, blocking email from machines on the DUL can reduce the
         amount of spam received.  Note that machines on the DUL have not
         necessarily ever been used for abusive purposes.

    ORBS

      ORBS was a validated list of open mail relays (see section 3.4.1 in
      the "Understanding NANAE" part of this FAQ) and other types of
      system.  Many Internet Providers and others choose to refuse to
      receive email from machines on this list, on the grounds that such
      email may be spam.  By doing this they:

       1) Reduce the amount of spam they and their customers receive.

       2) Apply pressure to those running open relays to close them.

      Other Internet providers choose simply to flag or statistically
      count mail coming from machines on the list.
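
      How a mail server consults a DNS-based list of this kind and then
      rejects or merely flags, as an added example (not code from this FAQ,
      MAPS or ORBS). The zone names, policy and sample data are constructed;
      the 127.0.0.2 / 127.0.0.1 self-test is the convention from RFC 5782
      and goes beyond the text by skipping a list that has stopped working.

```python
import ipaddress
import socket


def query_name(ip, zone):
    """DNS name to look up: the IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for name via the system resolver; [] if there are none."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []  # no such name, or the lookup failed: treated as "not listed"
    return sorted({info[4][0] for info in infos})


def listed(ip, zone, resolve):
    """Answers that mark ip as listed; list entries resolve inside 127.0.0.0/8."""
    return [a for a in resolve(query_name(ip, zone)) if a.startswith("127.")]


def zone_is_healthy(zone, resolve):
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return bool(listed("127.0.0.2", zone, resolve)) and not listed("127.0.0.1", zone, resolve)


def decide(ip, policy, resolve=system_resolver):
    """policy maps zone -> "reject" or "flag"; returns (action, zones listing ip).

    A real server would cache the health check instead of repeating it per message.
    """
    hits = [z for z in policy if zone_is_healthy(z, resolve) and listed(ip, z, resolve)]
    if any(policy[z] == "reject" for z in hits):
        return "reject", hits
    return ("flag" if hits else "accept"), hits


# Constructed data: hypothetical zones under the reserved .example TLD and
# documentation-range IP addresses, so the example runs without a network.
POLICY = {
    "relays.dnsbl.example": "reject",   # open relays: refuse the mail
    "dialups.dnsbl.example": "flag",    # dynamic addresses: only mark the mail
    "dead.dnsbl.example": "reject",     # a list that no longer operates
}
FAKE_DNS = {
    "2.0.0.127.relays.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.relays.dnsbl.example": ["127.0.0.2"],
    "2.0.0.127.dialups.dnsbl.example": ["127.0.0.3"],
    "77.100.51.198.dialups.dnsbl.example": ["127.0.0.3"],
}


def fake_resolver(name):
    """Offline stand-in for DNS; the dead zone answers for every name."""
    if name.endswith(".dead.dnsbl.example"):
        return ["127.0.0.2"]
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(sender, decide(sender, POLICY, fake_resolver))
```

      Without the self-test, the zone that answers for every name would
      have caused all three sample senders to be rejected.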

      ORBS could be a rather controversial entity, and long and robust
      discussions of it often broke out in
      Rather than go into the details here, this FAQ maintainer recommends
      that you use to sample the opinions on both sides of the
      argument and form your own views if you're interested.

    Did ORBS die in June 2001?

        Probably.  There's been a great deal of conjecture but the facts
        seem to be as follows:

         * In early June 2001, two New Zealand ISPs went to court to force
           ORBS to remove (allegedly erroneous) entries for their
           mailservers from their list.  The court upheld their complaint.

         * Thereafter Alan Brown of ORBS posted a public apology to these
           ISPs which also included the announcement that for unrelated
           reasons ORBS was closing immediately.

        There has been a great deal of conjecture about whether the timing
        of the closure of ORBS was entirely coincidental with this court
        case, but I haven't seen any evidence to suggest otherwise.  And I
        have seen it suggested that Mr Brown was having problems with his
        own ISP anyway.

        There has been no indication that ORBS will be returning. Several
        other organisations have stepped up to fill the breach left by

          ORBZ/ORB UK

        More information will be forthcoming once the situation has

          ORBS now split into three!

1.4.3 How can an ISP reduce the amount of spam their customers send?

  With difficulty.  However, experience has shown that there are a few
  things that can make a difference...

   * If an ISP has a reputation for dealing with spammers quickly and
     decisively, many spammers will avoid them.  If spammers are dealt
     with very rapidly indeed, the ISP may be able to shut down a spam-run
     before it has completed.

   * An ISP can have a clause in their terms of service that allows them
     to charge "clean-up fees" to any customers that send spam.
     Unfortunately, many spammers sign up using stolen credit-card
     numbers, and in these cases clean-up fees aren't much of a deterrent.
     It can be messy to collect clean-up fees, too.

   * An ISP can implement "port 25 filtering" (see 3.4.2 in "Understanding
     NANAE") to prevent their customers from spamming via open relays.
     Note that this, however, will prevent their customers from using
     external mailservers for legitimate reasons too.

------------------------ 1.5 ABOUT ANTISPAMMERS -------------------------

1.5.1 Why do anti-spammers fight spam?

  There's no collective answer to this - different people will have
  different motivations.  However, three of the most common ones are:

   1) Fear.  We've calculated our email boxes will become useless if spam
   becomes a widespread marketing method, and we don't like the idea.
   2) Anger.  We don't like people stealing our computer resources and so
   we're going to defend ourselves.
   3) Altruism.  We want to make the Internet a better place.

1.5.2 Aren't anti-spammers just a load of anti-business communists?

  No.  Some anti-spammers own businesses, and most of the rest work for
  businesses.  Anti-spammers are generally NOT anti-business.  In fact,
  many anti-spammers happen to believe that businesses that cannot survive
  without stealing the computing resources of others (i.e. spamming)
  should go the way of the dodo.  It's called "capitalism".

1.5.3 Aren't anti-spammers just a load of anti-commerce net-nazis?

  See 1.5.2 above.

1.5.4 Don't anti-spammers just want to control email on the Internet?

  No.  Controlling all email on the Internet, apart from being a practical
  impossibility due to the distributed nature of the system, would be an
  extremely big job to undertake purely to satiate a few egos.

1.5.5 Why don't anti-spammers spend their time stamping out porn instead?

  Porn isn't what gets anti-spammers hot-under-the-collar; spam is.
  Anti-spammers are drawn from a surprising cross-section of society and
  you'll find that they hold wildly divergent views about the contentious
  issues of the day, pornography included.  However, they are drawn
  together by the simple opinion that spam endangers the email system,
  which they really rather like.

1.5.6 Why don't you anti-spammers just get a life?

  We have lives.  Part of our lives involves sending and receiving email
  and so we want to protect this when it is endangered.

1.5.7 Are anti-spammers all Systems Administrators?

  Sometimes, when reading, you can get the
  impression that in order to be an anti-spammer you have to be a
  technical wizard and run your own mailserver.  This isn't the case at
  all, and the point to remember here is that the only people who
  contribute to highly-technical discussions will be those with
  highly-technical knowledge, but this doesn't mean that there aren't
  less-technically-minded people reading.

  Anti-spammers tend to be drawn from many sectors of life with many
  different types of knowledge.  Some do run their own networks and their
  own mailservers, but many do not.  This FAQ-maintainer, for example, is
  a Java programmer.  Many anti-spammers don't even work in the computer
  industry; they can be florists or brick-layers, brain surgeons or
  secretaries.  It doesn't matter.  The skills needed for most
  spamfighting are fairly easy to learn and the more voices that are heard
  on this issue, the better.

1.5.8 If you anti-spammers are so smart, why am I still getting spam?

  So who said we were smart?  ;-)

  As a problem, spam has not been solved.  We will probably never be able
  to completely eliminate spam from this world, any more than we can
  expect to eliminate robbery, assault, or bad music.  Realistically, our
  aim must be to reduce the spam levels as much as possible, to a level
  where it doesn't greatly impinge on the usability of electronic mail.
  That's an achievable goal.  We aren't there yet, and we have a long way
  to go, but we've come a long way too.  Someday, someway, we _will_ get

------------------------------- CREDITS ---------------------------------

No document of this magnitude can be the work of only one man.  I would
like to thank everyone who offered ideas and suggestions, everyone who
pointed out grammatical errors and gaps in my logic, and places where I
was just plain getting things wrong.  This wouldn't have been possible
without you, people.

Thanks also to Paul Anderson for giving the document an official

----------------------------- USE POLICY --------------------------------

You may copy and redistribute this FAQ in unmodified form by any means or
media you see fit.

You may modify the presentation of this FAQ as you see fit, so long as the
content remains unaltered.

You may modify the content of this FAQ so long as you appropriately credit
both your changes and the original authors of this FAQ.  At a minimum, the
link to the FAQ's website _must_ remain in place.


Send corrections/additions to the FAQ Maintainer: (James Farmer, FAQ maintainer)

Last Update March 27 2014 @ 02:11 PM