Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z - Internet FAQ Archives FAQ (3/3): Understanding NANAE

[ Usenet FAQs | Web FAQs | Documents | RFC Index | Forum archive ]
Archive-name: net-abuse-faq/email/terminology
Posting-Frequency: bi-weekly
Last-modified: 07-Jul-2001
Maintainer: James Farmer <>

See reader questions & answers on this topic! - Help others by sharing your knowledge
                  An FAQ For
             Part 3: Understanding


     Recent Changes



 3.1 About This Newsgroup
   3.1.1 What can be discussed in
   3.1.2 Can anyone join in?
   3.1.3 What if I've got a new idea to end spam forever?
   3.1.4 What's with all these nonsense posts and reposts?
 3.2 Colloquialisms
   3.2.1 What is "nanae"?  "nanau"?  "nanas"?
   3.2.2 Why does the word "spam" apply to junk email?
   3.2.3 What is a LART?  What is a mallet?
   3.2.4 What's an "ack"?  What's an "auto-ack"?
   3.2.5 What's a "throw-away"?
   3.2.6 What does it mean if a website is "404-compliant"?
   3.2.7 What's a TOS?  What's an AUP?
   3.2.8 What does "bulletproof" mean?
   3.2.9 What's a "spamhaus"?
   3.2.10 What's a "pink contract"?
   3.2.11 What is "spamware"?
   3.2.12 What is "mainsleaze"?
   3.2.13 What is "TRUSTe"?
   3.2.14 What's all this s/something/somethingelse/ stuff mean?
   3.2.15 What do ^H and ^W mean?
   3.2.16 What's a "sam-o-gram"?
   3.2.17 What is "Afterburner"?
   3.2.18 What's a "cartooney"?
   3.2.19 What's a "Joe Job"?
   3.2.20 What's a "murk"?
   3.2.21 What's a "black-hat"?  What's a "white-hat"?
   3.2.22 What's Rule #1?  What's Rule #3?
   3.2.23 What does "C&C" mean?
   3.2.24 What is the Lumber Cartel?
   3.2.25 What do "tinw" and "tinlc" mean?
   3.2.26 What is a "Chickenboner"?
   3.2.27 What's "Whack-a-mole"?
   3.2.28 What's a "BOFH"?
   3.2.29 What's a "pump-and-dump" scam?
   3.2.30 What is "Viral Marketing"?  What's a Pyramid Scheme?
   3.2.31 Someone said I'd invoked Godwin?  Is that bad?
   3.2.32 What's a "troll"?
   3.2.33 What's a "kook"?
   3.2.34 What's a "sock"?
   3.2.35 What does "Cut it out, Ron!" mean?
   3.2.36 Who is Dave the Resurrector?
   3.2.37 Who is "Brunner"?
   3.2.38 Who's this "Spamford" guy people talk about?
   3.2.39 Who was Rodona Garst and why do people talk about her?
   3.2.40 Who is "Hacker X"?
   3.2.41 What is a "plonk"?
   3.2.42 What does "fsck" mean?
   3.2.43 What is the "Quirk Objection"?
   3.2.44 Who is "Ralsky"?
   3.2.45 What is "SPAM-L"?

 3.3 Abbreviations

 3.4 Technical Terms
   3.4.1 What are open relays? How can I fix my open relay? What is "relay rape"? What is a "teergrube"?
   3.4.2 What is "port 25 blocking"?
   3.4.3 What is "POP-before-SMTP"?
   3.4.4 What does "direct-to-MX" mean?
   3.4.5 What is a "Smarthost"?
   3.4.6 What is "wpoison"?
   3.4.7 What do those slashes after an I.P. address mean?

 3.5 Keeping Up-To-Date

 3.6 Keeping Happy

     Use Policy

--------------------------- RECENT CHANGES ------------------------------

Finally got those last two links changed to links!

The Quirk Objections makes it into the FAQ!  Section 3.2.43 at the moment,
to be moved somewhere more relevant once I've got the FAQ marked-up in XML
(my next project).

And Ralsky also gets his own section (not so much for demand but because I
myself had no idea who the guy was).

And SPAM-L also gets a mention, although I don't have much to say about

And finally section 3.4.7 looks at network prefixes.

------------------------------- DISCLAIMER ------------------------------

The following document should, where not otherwise stated, be understood
to represent the opinions and beliefs of the FAQ-maintainer only.  I
endeavour to ensure that these opinions and beliefs are as correct as
possible, but take no responsibility for any problems caused by errors
herein.  This document should not be considered to represent the opinions
of any individuals or organisations other than the FAQ-maintainer.

Please note that in this document, "we" is intended to collectively refer
to all regular or semi-regular posters to the
newsgroup, including those of all persuasions, and should not be read as
indicating the existence of a "clique" comprising persons of similar

-------------------------------- PREFACE --------------------------------

This is one of three documents I have compiled to comprise an FAQ for the newsgroup.  Each document addresses points in a
given area, specifically:

The SPAMFIGHTING OVERVIEW offers a taste of the many techniques people use
to fight spam.  The objective isn't to teach you how to fight spam (there
are many far superior documents that do just this), but rather to
introduce some of the techniques you can use and refer you to some more
detailed works.

THE EVILS OF SPAM covers the more ethical, moral, and legal aspects of
spam, including just what constitutes spam and the types of people who
become spammers.

UNDERSTANDING NANAE aims to introduce all of the weird, wonderful, and
sometimes impenetrable terminology that people use in (nanae).  It covers both colloquialisms (e.g.
"chickenboner") and technical terms (e.g. "direct-to-MX").

These three parts are designed to stand alone and don't have to be read in
order; feel free to pick and choose just the bits you're interested in.

These documents shouldn't be considered to be "the" FAQ, as there are
plenty of other FAQs that are superior in insight, detail, or depth of
coverage.  They are just an FAQ that I hope will answer some questions
that have been troubling you.

These documents are currently maintained by James Farmer.  If you have any
suggestions for additions or corrections, then feel free to send an email

The latest versions of all of these documents can always be found at

------------------------ 3.1 ABOUT THIS NEWSGROUP -----------------------

3.1.1 What can be discussed in

  The short answer to this is: abuse of the email system.  Please note the
  terminology here; abuse _of_ the email system is anything that endangers
  the existence or widespread usability of the email system.  Most of the
  discussion in is concerned with spam, as this
  is, by far, the most prevalent abuse of the email system in recent
  times, but discussion of other abuses (e.g. mailbombing) would be

  However, issues like electronic stalking and sexual harassment by email
  are not on-topic, as they are abuse _on_ the email system.  This means
  that, while these things are undeniably abuse, they don't threaten the
  survival of email as a communications medium.  There are other
  newsgroups far more appropriate for discussions of these issues.

    Newsgroups Related to Net Abuse

3.1.2 Can anyone join in?

  Yes.  There is no prerequisite in terms of technical knowledge or
  spamfighting success for contributing to this newsgroup.  Everyone is
  welcome!  Even spammers are welcome to post their views, so long as they
  don't mind hearing a few conflicting opinions.

  I advise newcomers to this newsgroup not to believe everything you read.
  Before making up your mind on any issue, read around and see what makes
  sense TO YOU.  There are a lot of knowledgeable people in this
  newsgroup, but also a lot of people talking about things outside their
  knowledge, and a few people who aren't above deliberately
  mis-representing the facts to fit the stories they want to tell.  My
  advice, which I repeat throughout these documents, is to take everything
  with a pinch of salt, read as many different views as you can, and form
  your own opinions.
  If there's anything you don't understand, feel free to ask.  But think
  carefully about what answers you choose to believe; adhering slavishly
  to the dogma of "accepted wisdom" in any newsgroup is not a good idea.

3.1.3 What if I've got a new idea to end spam forever?

  Let's hear it!  People on this newsgroup don't have all the answers, so
  if you think your idea has merit, we want to hear about it.  Fighting
  spam in the same way every day, it's easy to get tunnel vision and to
  overlook new possibilities.  "Out-of-the-box" thinking is ALWAYS

  The absolute worst that can happen is that people spot a hitherto-unseen
  flaw in your idea and think that it won't work.  There's absolutely no
  shame in being wrong.  But don't let anyone tell you that you're wrong
  unless they can CONVINCE you that you're wrong.

  A few people may decide to flame any newcomer who posts an idea.  This
  is an unfortunate fact of life on Usenet, and my advice is to ignore
  these people.  After all, it's always easier to criticise than create.

3.1.4 What's with all these nonsense posts and reposts?

  Ah.  Because some people done like the fact that we fight spam, this
  newsgroup is occaisionally subjected to attacks by people trying to shut
  us up.
  One form of attack is the cancel attack, whereby the attackers cancel
  lots of our posts.  Fortunately a bot called Dave the Resurrector (see
  3.2.26) is always running and when it detects such an attack it will
  repost the articles removed.  This does mean that you might see an
  article more than once, but that's generally considered to be better
  than never seeing it at all.
  The other type of attack is the posting of hundreds or even thousands of
  nonsense articles in an attempt to drown out conversation.  These
  articles are generated by a program to look enough like genuine articles
  they they'll evade filters whilst still being total and utter
  gobbledegook.  Such attacks are generally attributed to the entity
  "HipCrime" (a leading Usenet terrorist), although whether they are
  perpetrated by the real HipCrime or just someone using the software he
  wrote is unclear (and probably not very interesting).
  If your newsreader is able, you should be able to filter out HipCrime's
  spew a few hundred articles at a time by filtering on the
  NNTP-Posting-Host: header; the articles are almost always emitted
  through open news servers.  For those who cannot, several people have
  recommended the program NFilter, which sits between your newserver and
  your newsreader filtering out the stuff you don't want to see.
    Old HipCrime FAQ

--------------------------- 3.2 COLLOQUIALISMS --------------------------

Over the years, has evolved its own dialect of
abbreviations and terminology that can be quite confusing for new readers.
It is, however, not intended to exclude newcomers, and in this section I
will aim to explain the most commonly-used terms.

  Spam Jargon
  The Net Abuse Jargon File
  Jargon File Resources

3.1.1 What is "nanae"?  "nanau"?  "nanas"?

  nanae (sometimes capitalised NANAE) is short for
  "" - in short, the newsgroup this FAQ is for.

  nanau is "" - a newsgroup for discussing
  usenet abuse including newsgroup spam.  It can be a slightly rougher
  place than NANAE, populated as it is by people with radically different
  principles on what Usenet should be like, as well as people who are just
  there for the rough-and-tumble.

  nanas is "" - a newsgroup for posting
  sightings of Internet abuse.  See section in the first part of
  this FAQ, the "Spamfighting Overview".

3.2.2 Why does the word "spam" apply to junk email?

  The term is inspired by a Monty Python sketch in which a group of
  Vikings chant "SPAM! SPAM! SPAM!" repeatedly, drowning out the
  conversations around them.  (A bit like the way spam threatens to drown
  out our own electronic conversations.)  It has been applied to a number
  of different mediums over the years, most notably "newsgroup spam", and
  is now being used for "email spam" too.

    The Monty Python Spam Sketch

3.2.3 What is a LART?  What is a mallet?

  LART = Luser Attitude Readjustment Tool.  It can be used as a noun (in
  which case it's something that hopefully causes the victim to
  re-evaluate their opinions by means of a short sharp shock) or a verb
  (in which case it means to apply a short sharp shock).  Most often used
  as a euphemism for sending complaints to an ISP, as in "I've just
  LART-ed that spammer".

  One example of a Luser Attitude Readjustment Tool is a mallet (a hammer
  with a big wooden head), which is metaphorically used on a spammer's
  genitals when his account is cancelled.  In male spammers the result of
  this manner of LART-ing is sometimes described as "testicular

  Another example is a "clue-by-four"; a large wooden board (or baseball
  bat) with which spammers (or just those in urgent need of re-education)
  are metaphorically whacked.

    Mallets Ahoy!

3.2.4 What's an "ack"?  What's an "auto-ack"?

  "ack" is short for "acknowledgement", and usually refers to an
  acknowledgement that a complaint or LART has been received by an ISP.

  An "auto-ack" is an acknowledgement that is generated automatically.
  For example, many abuse departments have configured their systems so
  that a standard acknowledgement is sent upon receipt of any complaint,
  explaining that the complaint has been received and will be dealt with
  when they have the time.

  Auto-acks are called "auto-ignores" when it is believed that the sending
  of the auto-ack is the _only_ action that will be taken in response to
  the complaint.

3.2.5 What's a "throw-away"?

  An account you don't intend to keep beyond the immediate future.  Often
  used to refer to "throw-away" dial-up accounts that spammers open with
  no intention of them existing beyond the end of one spam run, but is
  sometimes also used in the context of "throw-away" email addresses -
  that is, email addresses, often from a free provider such as, that you intend to use merely for communicating with one
  party (often a spammer or suspected spammer) for a short period of time,
  and will afterwards throw away.  The motivation for this could be to not
  endanger your "main" emailbox should the spammer decide to mailbomb you.

3.2.6 What does it mean if a website is "404-compliant"?

  It's not there anymore.  404 is the number of the HTTP error message
  "Not Found".

  Note that occasionally spammers design their webpages to look as though
  they're 404-compliant (especially for surfers who have disabled
  JavaScript) when really they're not.  Take care.  In these cases, your
  browser's "view source" feature is your friend.

3.2.7 What's a TOS?  What's an AUP?

  TOS = Terms of Service.  AUP = Acceptable Use Policy.  These are
  documents that are published by an ISP describing what users are and are
  not allowed to do on their systems.  The AUP or TOS of most ISPs will
  explicitly state that their users must not send spam.

3.2.8 What does "bulletproof" mean?

  Spammers often advertise "bulletproof" web-hosting or email-hosting.
  What this means is a spam-friendly (the term in spammer circles is
  "bulk-friendly") ISP guarantees not to cancel the "bulletproof" account
  no matter how many complaints they receive about it.

3.2.9 What's a "spamhaus"?

  A spamhaus is an Internet provider that seems to exist for no reason
  other than sending spam and/or providing spam support services.  Note
  that the plural of "spamhaus" is "spamhausen" and not "spamhauses".

3.2.10 What's a "pink contract"?

  Towards the end of the year 2000, it became clear that some major ISPs
  had signed contracts with spammers that included clauses permitting the
  spammers to _not_ abide by the anti-spamming portions of the ISP's Terms
  of Service.  When these came to light, anti-spammers dubbed them "pink
  contracts" (because SPAM is a pink luncheon meat) and the ISPs almost
  universally proclaimed that they had been signed by low-level marketers
  and would not be binding.  These statements were not entirely believed
  by many in the anti-spamming community.

    Pink Contracts...  the news breaks!
    AT&T Spam Contract Discovered
    PSINet Assailed as Spam Contract Surfaces

3.2.11 What is "spamware"?

  Software designed primarily for the sending of spam.  It can often be
  distinguished from legitimate bulk email software by the presence of
  tools for abusing open relays, or for obfuscating website addresses, or
  for harvesting or de-munging email addresses, or for managing a "remove
  list" or a "flamers list", or tools for hiding the source of the
  message, or indeed the presence of any features that are needed for spam
  but not for legitimate opt-in bulk email.

3.2.12 What is "mainsleaze"?

  Mainsleaze is when a well-known, mainstream company starts to spam.
  They quickly find themselves associated in the minds of their victims
  with the sleaze of the spam world and then people don't trust them
  anymore.  Such companies often quickly come around to the idea that spam
  is bad, but it can take years to re-build the trust of their customers.

3.2.13 What is "TRUSTe"?

  TRUSTe is a programme for reassuring web site visitors about online
  privacy.  The idea is that vendors which adhere to TRUSTe's principles
  regarding disclosure of personal information sales, opt-out options (if
  any), and personal information protection get to display a TRUSTe
  privacy seal.  Web site visitors will thus know that they can find out
  just what the site will do with the visitors' personal data obtained
  through the web site, and use that disclosure to make a more informed
  decision about whether they wish to provide accurate information, or any
  information at all.

  In, TRUSTe's reputation is something of a
  joke.  It is widely believed that TRUSTe is unlikely to revoke its
  privacy seal even when a site breaches its privacy policies.  There have
  been numerous alleged cases in the past (such as when RealNetworks
  started spamming) when TRUSTe failed to do so.

    Freedom's Truth about TRUSTe and Your Privacy

3.2.14 What's all this s/something/somethingelse/ stuff mean?

  These are regular expression replacement instructions, as used in Unix
  utilities like sed.  For the most part they're fairly simple to
  understand; just substitute the second expression (the "somethingelse")
  for the first (the "something") in the text above it.  For example, the
  following follow-up to an article:

    > This FAQ is a wonderful thing


  should be read an instruction to replace "wonderful" with "horrible" -
  ie the writer is saying "This FAQ is a horrible thing".

    Learning to Use Regular Expressions
    sed Tutorial

3.2.15 What do ^H and ^W mean?

  When you press delete (or backspace) on your keyboard, it deletes the
  previous character, right?  Well, imagine it didn't...  or at least, it
  did but the deleted character didn't disappear from the screen and
  instead a ^H appeared after it.  Well, this is how some terminals work.
  So, you'd be trying to type:

    I hate spammers

  But you'd get half-way through it and find that you'd hit one wrong key,

    I lat

  What do you do?  You hit delete three times, giving you:

    I lat^H^H^H

  Then type the correction, imagining that the last three characters were
  deleted.  So in all you'd see:

    I lat^H^H^Hhate spammers

  But when you hit return, the computer would actually see:

    I hate spammers

  Because you deleted the "lat".  Clear?

  Well, that's the background.  In a newsgroup posting, ^H can be read as
  the author hitting the delete key in an effort to erase a "mistake"
  which was usually put there for humour value.  ^H^H can be read as an
  attempt to delete the last two characters, and so forth.

  Similarly, ^W can be read as an attempt to delete the last word, e.g.:

    I bow to your monumental flatulence^W intelligence.

  (Hmmm... does anyone know of a website explaining ^H and ^W that I could
  link to?)

3.2.16 What's a "sam-o-gram"?

  A particularly biting or sternly worded utterance, either by or in the
  style of noted NANAE contributor Sam, directed towards someone who has
  been shown to be in need of a clue-by-four.

3.2.17 What is "Afterburner"?

  Not "what"; "who".  Afterburner was the abuse admin at, which
  has since become part of  Apart from being very good at his
  job, he is famous for his witty and sadistic lines in account
  cancellation messages, and for calling his subordinates "Minions" and
  requiring them to take unpronounceable names.  :)  His own name is often
  abbreviated to "AB".

    RCN Abuse Administrators

3.2.18 What's a "cartooney"?

  A nonexistent attorney (or other lawyer) with whom a spammer will
  threaten you, but who will never be seen, usually because he doesn't
  exist or isn't really an attorney.

3.2.19 What's a "Joe Job"?

  The act of faking a spam so that it appears to be from an innocent third
  party, in order to damage their reputation and possibly to trick their
  provider into revoking their Internet access.  Named after,
  which was victimized in this way by a spammer some years ago.

    Spam Attack: The Story of

3.2.20 What's a "murk"?

  A "Murk" is a disclaimer in a spam email that claims it abides by the
  dead Murkowski anti-spam bill of a few years ago.  E.g.:

    Under Bill s. 1618 TITLE III passed by the 105th US Congress
    this letter cannot be considered spam as long as the sender
    includes contact information and a method of removal. This
    is a one time e-mail transmission.  No request for removal
    is necessary.

  The presence of a Murk is 100% proof that a message is spam.  Note also
  that most spam featuring this disclaimer doesn't comply with the
  provisions of the Murkowski bill anyway.

  If you're interested you could have a look at the text of this bill;
  technical reasons prevent me giving a direct link but go to
  <> and enter "S. 1618" in the
  "Bill Number" field, then select either the version passed by the Senate
  or referred in the House.

3.2.21 What's a "black-hat"?  What's a "white-hat"?

  Apparently, in the old cowboy movies, the good guys always wore white
  hats and the bad guys always wore black hats.  These terms have since
  been applied to Internet Providers, with Black Hats supporting spam and
  White Hats being anti-spam.

  In a similar veign, the term "Grey Hat" is sometimes used to refer to
  providers whose anti-spam policies seem a little schizophrenic.  "Empty
  Hat" is a term occasionally used to refer to providers who are utterly
  stupid or clueless about spam.

3.2.22 What's Rule #1?  What's Rule #3?

   Rule #1: Spammers lie
   Rule #2: If a spammer ever appears to be telling the truth, 
            consult Rule #1
   Rule #3: Spammers are stupid

  I believe the first two rules came first, and the third was tacked on at
  some point later.  Less widely stated rules include:

   Rule #0: Spam is theft
   Krueger's Corollary to Rule #3: Spammer lies are really stupid
   Russell's Corollary to Rule #3: Never underestimate the stupidity
                                     of spammers.

  There are a few alternative versions of the rules, including:

   Rule #1: Spammers lie
   Rule #2: There is no such thing as legitimate or ethical UCE
   Rule #3: Spammers are stupid

3.2.23 What does "C&C" mean?

  Coffee & Cats.  It's a warning that you should remove from your vicinity
  all tasty beverages and furry felines, as the content of the message may
  cause you to convulse with laughter in a manner which will scare furry
  felines and can result in spilling of a tasty beverage over your
  keyboard (or alternatively choking on your beverage if you are drinking
  it when you start laughing).

  Incidentally, that's what the "You owe me a new keyboard/monitor"
  statements allude to - someone forgetting to put the C&C warning on a
  funny message and endangering cats & computer equipment as a result.

3.2.24 What is the Lumber Cartel?

  The Lumber Cartel is a nonexistent organisation allegedly formed by the
  world's paper-producing companies, who were supposedly worried that the
  growth in spam would result in a decrease in junk postal mail, thus a
  decrease in demand for paper, thus a decrease in their profits.  They
  were supposedly funding anti-spammers to prevent this.

  It is, of course, a complete fiction.  Some spammer posted this story a
  few years ago and the whole thing has been a massive running joke ever

  References to the Lumber Cartel are usually suffixed "(tinlc)" (There Is
  No Lumber Cartel) in order to reflect the fact that, well, there is no
  lumber cartel.

    The Story of the Lumber Cartel
    Lumber Cartel (tinlc) Homepage

3.2.25 What do "tinw" and "tinlc" mean?

  tinw = There Is No We.  Used to reaffirm that the anti-spamming movement
  comprises individuals who have own ideas and motivations, and
  often-times don't necessarily agree with each other.

  tinlc = There Is No Lumber Cartel.  Used to reaffirm the nonexistence of
  the Lumber Cartel.

3.2.26 What is a "Chickenboner"?

  Someone's words once painted an incredibly vivid picture of an
  archetypical spammer living in a trailer, hunched in semi-darkness over
  his computer and surrounded by rotting chicken bones in half-eaten KFC
  buckets and empty beer cans.  The image has stuck, and "Chickenboner" is
  now used to describe any two-bit spammer who wants you to think he's a
  big shot with his own yacht...  but isn't.

    The Three Stages of the Chickenboner
    Things we Don't Know about Spammers

3.2.27 What's "Whack-a-mole"?

  Whack-a-mole is an old amusement park game.  You stand in front of a
  board with a fluffy mallet, and as plastic moles pop up through holes in
  the board you have to whack them over the head.

  Spamfighting is sometimes like that.  Sometimes it seems as if no sooner
  do you get one of a spammer's accounts killed then they get another
  one...  and another...  and another...  and their accounts keep popping
  up like the moles in that old amusement park game.  And you keep
  whacking them.

3.2.28 What's a "BOFH"?

  Bastard Operator From Hell.  Inspired by an extremely witty series of
  stories about a sadistic, homicidal systems administrator, this acronym
  is now applied as a compliment to any sadistic or potentially-sadistic
  admin-type, with the implication that the victims of a BOFH deserve
  everything they get.

    Simon's Stuff, including the BOFH

3.2.29 What's a "pump-and-dump" scam?

  This is a type of stock scam that often makes use of spam.  The idea is
  that the scammers buy some shares that are trading relatively cheap.
  Then they try to encourage investors to buy shares in this company,
  hoping to drive the price up as much as possible.  This is the "pump",
  and it can continue for some time.  Finally, when the scammers judge
  that they're not going to be able to force the share price any higher,
  they "dump" by selling their shares and walking away with a huge profit,
  while the investors they encouraged are left with shares worth a lot
  less than they paid for them.

  Spam is just one way that the scammers may use to try to entice people
  towards their chosen shares.  After all, spam is a cheap way of reaching
  lots of people, who probably don't have experience of investing, and
  won't be wise to the tricks of the trade.  Of course, there are others.
  Discussion boards are another favoured venue for creating hype.  Throw
  in a healthy dose of outright lying (e.g. "Microsoft is about to buy
  this company!") and the situation can quickly spin out of the control of
  the normal reality of the markets.

  In the U.S., pump and dump scams are illegal and people DO get busted
  for them.  You should report them to

    Anatomy of a Pump & Dump Stock Spam Scam (excellent article)
    MMF Hall of Humiliation: The Pump & Dump Scheme
    Pump and Dump

3.2.30 What is "Viral Marketing"?  What's a Pyramid Scheme?

  Most marketing material is broadcast; ie the promotional material is
  sent to many people at once.  Viral Marketing is a concept wherein the
  marketing message spreads gradually from person-to-person, a bit like a
  virus does.

  Imagine a man getting off a ship at Plymouth.  Now imagine that this man
  has the Plague.  This plague is very contagious, and anyone this man
  touches will be infected.  But it's a cold day and the man is wearing
  lots of thick clothes, so between the dock and his hotel he only touches
  ten people.  And then he dies, because this plague is very lethal and
  will kill 24 hours after infection.

  Let's imagine that the next day, the ten newly-infected people will each
  infect ten more people, and then die.  So after two days, there are 11
  (1+10) people dead from the plague, and a further 100 (10*10) people are
  infected.  Next day, the 100 people infect 10 each, for 1000 total, then
  die.  And so it continues on...

    Day  1,             1 infected
    Day  2,            10 infected,           1 dead
    Day  3,           100 infected,          11 dead
    Day  4,         1,000 infected,         111 dead
    Day  5,        10,000 infected,       1,111 dead
    Day  6,       100,000 infected,      11,111 dead
    Day  7,     1,000,000 infected,     111,111 dead
    Day  8,    10,000,000 infected,   1,111,111 dead
    Day  9,   100,000,000 infected,  11,111,111 dead
    Day 10, 1,000,000,000 infected, 111,111,111 dead

  Except that the population of the UK is only 60 million, and so before
  the end of the tenth day the entire country will have caught the Plague
  and died.  And all from one guy getting off a ship in Plymouth.

  The obvious type of viral marketing is the chain-letter-style
  Multi-Level Marketing scheme.  You know the type; you have to enrol
  other people in some "scheme" to make money, and each of those people
  have to enrol others, and so forth, and so before you know it everyone's
  drowning in solicitations to join the scheme.  When the solicitations
  are sent by email, the effect can be similar to spam even though no one
  individual is sending more than a handful of messages.

  But of course, not everyone who receives such a solicitation will join
  the scheme and try to enrol others.  Then again, most of these schemes
  don't place a limit on the number of people you can enrol, either, so
  people on the scheme will often send spam to thousands or millions of
  email addresses in the hopes that they'll persuade lots of people to
  enrol in the scheme.

  Such pyramid scams whereby enrolling others is the only major way to
  make money are highly illegal in most parts of the world.  Such scams
  are often referred to as "MMF schemes" after an early such scam that was
  spammed with the subject line "Make Money Fast".

  The term "viral marketing" is often also applied to legal MLM schemes in
  which people can earn more money by "referring" others.  The obvious
  examples are the Get-Paid-To-Surf schemes such as AllAdvantage.  At
  their height, solicitations to join such schemes seemed to be
  everywhere.  Many such schemes will have policies that forbid their
  users using spam to solicit referrals, but some don't and some that do
  don't enforce their policies rapidly.

  I should just point out that I've emphasized the abusive elements of
  viral marketing here, as these are the ones most often discussed in, but if used in a properly-constituted
  manner, viral marketing techniques need not constitute Internet abuse.
  An example of this would be free email providers that place an advert
  for themselves at the bottom of every email message sent.  (Although
  this in itself was controversial at one point.)

    The Bottom Line about Multi-Level Marketing Plans
    Viral Marketing for Internet Websites
    Viral Marketing - Web Marketing Today Info Center
    MMF Hall of Humiliation
    U.S. Postal Inspection Service on Chain Letters
    Don't Get Burned by a Pyramid scheme>
    What's Wrong with Chain-Letter Schemes?

3.2.31 Someone said I'd invoked Godwin?  Is that bad?

  Godwin's Law (named for Mike Godwin) states that if a discussion in
  usenet goes on for long enough, someone will eventually make a
  comparison to Hitler or the Nazis.  (This is due to the fact that
  history records Hitler and the Nazis as just about the worst people;

  The law is often mis-stated as "If you mention Hitler or the Nazis you
  automatically lose the argument" or "If you mention Hitler or the Nazis
  then the thread is over".

  Is it bad to invoke Godwin's law?  Well, comparing people to Hitler
  rarely results in anything good...

    Godwin's Law Website

3.2.32 What's a "troll"?

  In a "troll", someone will disingenuously make controversial statements
  in the hope of creating a large ruckus.

  A "troll" can also be one who trolls.

3.2.33 What's a "kook"?

  A sort-of crossbreed of troll with a paranoid conspiracy theorist.
  Handle with care, or even better, ignore.

3.2.34 What is a "sock"?

  A commonly-used abbreviation for "sock-puppet".  In the context of
  usenet, a sock-puppet is an alter-ego established by an individual for
  the purpose of posting messages that agree with his views, thus making
  it appear that the individual in question has more support than (s)he
  really does.

3.2.35 What does "Cut it out, Ron!" mean?

  This is a reference to Ron Ritzman, an insightful antispammer famous for
  some rather witty trolling of, to the extent
  to which any suspected troll is now met with cries of "Cut it out, Ron!"
  or "Cut it out, Ritzman!".


3.2.36 Who is Dave the Resurrector?

  It's not who, it's what.  You see, there are a few people who don't like
  what we talk about in this newsgroup, and will periodically try to
  sabotage our discussions by cancelling articles en masse.  Fortunately,
  this doesn't work, and Dave is what saves us from it.  Dave the
  Resurrector is a bot that sits watching this newsgroup (and several
  others), and when it sees an article cancelled it immediately reposts
  it.  This means that our discussions can't be removed from Usenet by
  rogue cancellers, but it does have the disadvantage that we cannot
  cancel our own messages in this newsgroup.

  So be sure you really want to say what you're posting before you click

    Dave the Resurrector in the Cancel Message FAQ

3.2.37 Who is "Brunner"?

  Software author Andrew Thomas Brunner got rather annoyed at people
  classifying his bulk email program "Cybercreek Avalanche" as spamware
  and came to the newsgroup to complain about it.  Thereafter the whole
  affair spiraled out of control, with Andy threatening numerous
  "lawsuites" and making alleged death-threats.  Andy has recently filed
  lawsuits for libel against his software in several small claims courts.

  Also known as "Spamdy" and "The Burglar" (after someone dug up some old
  court documents).  Andy runs (dedicated to "making sure the
  Internet is free from all types of abuse", in his words) in addition to (although he's been having trouble finding stable hosting
  for it as a result of the publicity from this affair), and can trigger
  massive threads in with a single breath.

  RELATED LINKS (although it may well be down at the moment)
    Andrew Brunner Usenet Archives
    Andrew Thomas Brunner - A History in URLs
    Brunner's Lawsuit against MAPS
    Brunner's Lawsuit against Bruce Pennypacker
    Ruling in Brunner's Lawsuit against the Blaylocks

3.2.38 Who's this "Spamford" guy people talk about?

  The King of Spam in the mid-1990s, Sanford Wallace ran Cyberpromo and
  was the most hated man on the Internet.  After failing to make a
  sustainable living from spam, he reformed.

    Sanford Wallace Biography

3.2.39 Who was Rodona Garst and why do people talk about her?

  Rodona Garst (sometimes known as "Rodentia Razzle" after her ICQ
  nickname) was apparently a spammer who tried to keep a low profile, but
  the owner of a domain she forged got angry, hacked into her computer,
  and posted a load of stuff stolen from it onto a website.

  Note that many anti-spammers consider hacking into spammers' computers
  to be a bad idea because it breaks the law and brings the anti-spammers
  down to the same level as the spammers.  It can be very important to
  occupy the high moral ground.

3.2.40 Who is "Hacker X"?

  Probably some spotty-faced adolescent sitting in a darkened room lit
  only by the glow of his monitor, as it's far too good a name not to have
  been used by someone.  In fact, someone calling themselves "Hacker X"
  hacked into Sanford Wallace's computer back in the mid-1990s and
  published the names and addresses of lots of Cyberpromo customers.  But
  these days, when people refer to "Hacker X" in, they don't mean any known individual; rather
  it's a facetious reference to people blaming an unknown hacker for
  something they did, in order to try to evade the blame.  For example,
  some spammers have claimed that they didn't send spam, but rather
  mysterious hackers hacked into their systems and sent the spam.  To put
  it mildly, such claims are not often given a lot of credence.

  More recently, variations on this have sprung up, such as "Employee X"
  (an unknown but low-level employee did something bad without the
  knowledge of management) and "Salesman X" (a junior salesman made
  promises he shouldn't have without the knowledge of management).

3.2.41 What is a "plonk"?
  The sound of a poster being added to a killfile.  Many readers of this
  newsgroup use "killfiles" to screen out posters they find annoying, so
  that their newsreader hides the objectionable articles from them.  When
  someone has said something they think is the last straw, some people
  post a followup saying "Plonk" to let the recipient know that the poster
  won't be seeing any of their messages in the future.
3.2.42 What does "fsck" mean?

  fsck is a Unix command used to repair the filesystem.  Often used as a
  "clean" version of a certain expletive that differs from it in only one
  letter and rhymes with "duck".

3.2.43 What is the Quirk Objection?
   Named for its projenitor Gym Quirk, it goes like this:
     "Objection!  Assumes organ not in evidence!"
   It's usually invoked after someone mentions the testicles or brains of
   a spammer.

3.2.44 Who is "Ralsky"?
  Alan Ralsky, believed to be one of the biggest spammers currently
  operating.  Ralksy has several hundred domains he uses for spamming, in
  order to evade filters and confuse spamfighters.
    Inside the Spammer's World
    Ralsky at ROKSO

3.2.45 What is "SPAM-L"?

  SPAM-L is a mailing list dedicated to spamfighting and discussion of
  spam-prevention measures.  See
  <> for more details.

--------------------------- 3.3 ABBREVIATIONS ---------------------------

These abbreviations are common all over usenet, and so I won't go into too
much detail.  However...

  BMOC - Big Man on Campus
  ESAD - Eat S**t and Die
  FWIW - For What It's Worth
  FYI - For Your Information
  GoAT - Go Away Troll
  HTH - Hope That Helps or Happy To Help
  IANAL - I Am Not A Lawyer
  IIRC - If I Recall Correctly
  IMHO - In My Humble Opinion
  LOL - Laugh Out Loud
  RTFM - Read The F*****g Manual
  ROFL or ROTFL - Rolling On the Floor Laughing
  YMMV - Your Mileage May Vary

There's tonnes more abbreviations listed at the following website:
  Acronyms, the Insider's Language of Usenet

-------------------------- 3.4 TECHNICAL TERMS --------------------------

3.4.1 What are open relays?

  Most mailservers (or mail relays) on the present-day Internet will
  deliver email from and to only a small set of authorised users.  For
  example, let's take an imaginary ISP "".  The mailservers at could be used to deliver email sent to users of,
  and to transmit email sent by users of, but would deliver no
  other emails.  This type of relay is generally known as "closed" or

  However, some relays are configured without this security, so that any
  unauthorised user can use them to send email messages to other
  unauthorised users (ie any email address in the world).  For example, if's mailservers were open, they could be used by a user of to send an email message to a user of

  Why is this a bad thing?  Well, spammers love to use open relays to send
  spam.  There are several reasons for this:

   * Because they don't use their own ISP's mailservers, it helps them to
     conceal their spamming from their ISP.

   * Open relays will help the spammer to conceal their identity, and help
     to deflect complaints to the wrong ISP.

   * It's more efficient to send spam using several mailservers rather
     than just one (the spammer can spread the load to make it quicker,
     and the less the load on a mailserver the less likely that the
     mailserver's administrators will notice his activities and stop him).
     And one of the main ways to get use of more than a handful of
     mailservers is to use open relays.

  All mailservers on the Internet used to be open relays (they could be
  useful; for example you could still use the email system even if your
  own ISP's mailserver was down), but constant abuse of them by spammers
  has resulted in a mass move to closed mail relays in recent years.  Many
  people now consider open relays to be nothing more than sources of
  potential email abuse.  ORBS describe open relays as an "attractive
  nuisance".  Because of this, many ISPs block email from open relays,
  often using an open-relay listing service such as ORBS
  (<>) or the MAPS RSS

  Often, the people running the open relay can be completely unaware that
  their relay is open, as much mailserver software ships with open
  relaying being the default configuration or open relaying is trivial to
  enable.  Other people leave relays open as a convenience to friends or
  customers, intending to allow them to send email no matter which
  Internet Provider they use, not realising the potential for abuse.
  Surprisingly few open relays are run as a deliberate service for
  spammers.  Many mailserver admins are only too happy to close their open
  relays when they are pointed out to them.

    Fighting Relay Spam - One Man's Opinions
      <> How can I fix my open relay?

    It's good that you're approaching this in a positive frame of mind.
    With any luck, securing an open relay should be a relatively quick and
    easy task and then you will be on your way to removing yourself from
    any lists of open relays.

    Here's a few links to get you started.  If you run into problems,
    people on the newsgroup will be happy to help you out.

      Securing and Testing Servers
      MAPS Transport Security Initiative
      Open Relays in another NANAE FAQ

    An alternative tactic some people adopt is to post to about the injustices of having to close an
    open relay in order to get off one list or another.  This doesn't
    often achieve much for the poster. What is "relay rape"?

    The "hijacking" of an open mailserver for the purposes of sending
    spam. What is a "teergrube"?

    "Teergrube" is German for "tar-pit".  The idea is that you run what
    appears to be an open mailserver that a spammer will find and try to
    abuse, but he'll find when he tries to send mail through it...  things
    seem to start going very slowly...

    In fact, what is happening, is that the teergrube holds the SMTP
    connection with the spammer open but doesn't actually do anything.
    Thus the spammer's UBE-sending software is slowed to the point of
    stopping, wasting his time and preventing him from abusing the
    Internet.  (Since the expectation is that the spammer won't be sitting
    watching in case anything goes wrong, this situation could continue
    for quite some time.)

    The teergrube may still be able to send and receive legitimate email
    for authorised users; it's only when someone tries to use it as an
    open relay that this activity kicks in.
    A teergrube is just one example of a way that fake "open relays" can
    be set up to entrap spammers.  They may be configured just to waste
    spammers' time, or they might log the spammers' activities and allow
    the administrator to report them directly to their ISP!

      Teergrubing FAQ
      Fighting Relay Spam

3.4.2 What is "port 25 blocking"?

  SMTP communications generally take place using port 25.  "Port 25
  blocking" is a technique sometimes used by ISPs who have a problem with
  users connecting to external mailservers to commit email abuse.  Put
  simply, the ISP blocks any outgoing connections on port 25 from its
  users to the outside world.  Thus the spammers cannot connect to the
  external mailservers to commit their abuse.  The downside is that their
  customers won't be able to connect to external mailservers for
  legitimate reasons either.

  Of course, the spammers will still be able to connect to external
  mailservers that listen on a non-standard port, but these are rare.

    Port 25 Blocking at Earthlink
    BYTE Column: Port 25 Blocking Still Needed

3.4.3 What is "POP-before-SMTP"?

  Recalling our discussion of open relays, I stated that a closed relay
  would only relay messages that were from or to a set of authorised
  users.  I went on to give an example where the authorised users were the
  customers of a given ISP.  This is the most common situation, but there
  are cases where an Internet Provider will want to provide a mailserver
  to users who are logging in through different systems.

  The main problem here is that normal SMTP (the Internet protocol used
  for sending email) doesn't require authentication (ie you don't require
  a username or password to use it).  There is a proposed extension to
  SMTP that allows authentication, but this is not widely supported right
  now.  So there's a problem in working out whether someone trying to use
  your mailserver to send email from an external system is one of your
  customers or a spammer trying to abuse an open relay.

  This is the problem that "POP-before-SMTP" is designed to solve.  POP3
  is an Internet protocol often used for retrieving email, and unlike SMTP
  it does require authentication.  The idea here is that the mailserver
  notes a machine successfully logging in with POP3 and then allows that
  machine to make SMTP communications (ie send email) for a period of time
  thereafter.  This way only authorised users can relay through the
  mailserver (because only they'll have POP3 passwords), but they can do
  it from anywhere on the Internet.

    RFC 2554: Authenticated SMTP
    POP before SMTP for Sendmail
    POP3 Authenticated Relaying

3.4.4 What does "direct-to-MX" mean?

  This is beyond my area of expertise, so I'll pass you over to Philip

    "MX Records" are one type of resource record (RR) used by DNS, the
    Domain Name System. They show which mail servers accept mail for a
    given domain. (MX stands for "Mail Exchanger".)

    Generally, you or your mailing program don't need to know what the
    mail exchangers for a domain that you're trying to send email to are -
    you usually send the mail to your ISP's mail server, which will look
    up the MX records and send the mail on its way (it acts as a
    "smarthost" for you so that your configuration need only include one
    mail server and you don't need to do DNS lookups for every message you
    "Direct-to-MX" spamming is where you find out the MX records for the
    target domain (by querying the DNS) and deliver mail directly to that
    domain's mail exchangers, rather than using your ISP's mail server.
    One reason why spammers do this is so that they don't leave any logs
    with their ISP that can be used to track them down.

3.4.5 What is a "Smarthost"?

  This isn't really an email abuse issue but it is a term that gets thrown
  around a lot in the newsgroup.  A Smarthost is a mail server that passes
  mail between other mailservers and doesn't necessarily interact with any
  mailboxes directly.  For example, a large organisation might have a
  firewall and a mailserver for each department within the firewall, all
  of which talk to a smarthost which handles communicating with
  mailservers outside the firewall.  This set-up has a number of
  advantages over the traditional approach of having one big mailserver,
   * the local mailservers buffer outbound traffic for users so after
     hitting the Send button their mail gets handled quickly no matter how
     busy the smarthost is (or even if it is down for maintenance)
   * the local mailservers buffer inbound traffic so the mailspool of the
     smarthost is less likely to overflow as it trickles to local servers
   * because the mailboxes are stored on local mailservers inside the
     firewall, they are less vulnerable to hacking.

  Another advantage is that, if the recipient mail exchanger can't be
  reached, the smarthost will try the other mail exchangers in preference
  order, if more than one is listed. If none are listed, most mail servers
  will attempt delivery to the domain itself (an 'A' resource record).
  Also, if none of the delivery attempts work, smarthosts will usually
  queue the mail and retry at intervals, meaning you don't have to do all
  this yourself (and dial up each time to retry the delivery).

  ISPs sometimes run "smarthosts" to allow their customers to collect
  email by SMTP.

3.4.6 What is "wpoison"?

  Another tool designed to frustrate spammers.  Many spammers obtain email
  addresses using harvesting software that extracts them from websites,
  automatically following links and exploring new sites to find new
  addresses.  What wpoison does is generates linked webpages containing
  lots of made-up email addresses, to the end of:

    (a) Filling the spammer's mailing list with useless addresses.

    (b) Wasting the spammer's harvesting program's time while it finds
    these useless addresses.

  To quote from <> :

    "So the basic idea behind Wpoison is to trap unwary and badly
    engineered address harvesting web crawlers, and to fool them into
    adding enormous quantities of completely bogus e-mail addresses to the
    E-mail address data bases of the spammers, thus polluting those data
    bases so badly that they become essentially useless, thereby putting
    the spammers who are using them out of business, or at least shutting
    them down for a time and causing them some major headaches while they
    try to clean up the mess in their now-heavily-polluted e-mail address
    data bases."

  You can install Wpoison on your own website as a CGI script.  Note that
  some spammers have now developed address harvesting systems that are
  smart to wpoison's tricks.


3.4.7 What do those slashes after an I.P. address mean?

  Sometimes you'll see something like an I.P. address, but with a slash
  and a number after it, e.g.:

  This is actually a way of specifying a block of I.P. addresses.  The
  number after the slash is the size, in bits, of the network prefix.
  Remember that, although they're written as four eight-bit integers, an
  I.P. address is really one thirty-two bit number.  The first few bits
  are what is known as the "network prefix"; that is, the number of the
  network the I.P. address is a part of.  The remainder of the I.P.
  address is the "host address"; that is, the number of the host within
  its local network.
  So, in the example above, the 32-bit I.P. adress has a network prefix 24
  bits long, so the host prefix will be 8 bits long (32-24=8).  This means
  that it specifies a block of 256 I.P. addresses, starting at
  and going all the way up to
  Another example would be:
  which specifies a block of four I.P. addresses (the network prefix is 30
  bits, leaving 2 bits for the host address, and there are only four
  two-bit numbers), starting from
  Traditionally, a /24 is known as a "Class C" network, a /16 a "Class B"
  network, and a /8 is a "Class A" network.  With the advent of classless
  addressing this terminology has fallen out of use.

------------------------ 3.5 KEEPING UP-TO-DATE -------------------------

Wonderful though it is, should not be
considered the fount of all wisdom or the source of all news where
spam-related issues are concerned.  Here are a few links you can use to
keep up-to-date about various spam issues:

  Spam News Daily Press-Clippings
    <> Anti-Spam Campaign

  MAPS has press-release and press-coverage sections

--------------------------- 3.6 KEEPING HAPPY ---------------------------

Spamfighting is tough sometimes, especially for those who've been at it
for years.  Sometimes you just don't feel like you're getting anywhere;
you LART the spammers but some more spring up and there seems like no end
to it.  When you get a little down, it's time to touch on the lighter side
of this whole business...  SPAM HUMOUR!

Here's a few funny links to get you started.  Do remember though, to
differentiate between the humorous sites and the serious ones!  :)

  Spamhaus Spammer Threats Page
    (proving that the spammers don't need any help to look like morons)
  The Humour of News.Admin.Net-Abuse.*
  The Anti-Spam Cadre
  Norman DeForest's Spam Page (includes some humour)
  Spam Hall of Fame
  Spammer's Paradise: The Album
    (I especially love "The Rant")

------------------------------- CREDITS ---------------------------------

No document of this magnitude can be the work of only one man.  I would
like to thank everyone who offered ideas and suggestions, everyone who
pointed out grammatical errors and gaps in my logic, and places where I
was just plain getting things wrong.  This wouldn't have been possible
without you, people.

Big-time thankings also to Paul Anderson for giving all this an official

----------------------------- USE POLICY --------------------------------

You may copy and redistribute this FAQ in unmodified form by any means or
media you see fit.

You may modify the presentation of this FAQ as you see fit, so long as the
content remains unaltered.

You may modify the content of this FAQ so long as you appropriately credit
both your changes and the original authors of this FAQ.  At a minimum, the
link to the FAQ's website _must_ remain in place.

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer: (James Farmer, FAQ maintainer)

Last Update March 27 2014 @ 02:11 PM