Section 6 - Advanced Spamfighting

6.1 Spammer Tricks

6.1.1 What are these weird URLs?

Some spammers try to "obfuscate" the address of their website in order to make it hard to see where to complain to. A number of common tactics include:

  • The Non-Dotted-Quad IP address

    Most IP addresses have the "dotted-quad" form:

    182.175.90.10

    However, the IP address is also valid as one big decimal number, e.g.:

    3064945162

    The spammer hopes that by giving you the address in this form, you'll be confused. However, tools like traceroute and whois will quite happily work on either dotted-quads or big decimal numbers. If you're happier working with the dotted quads, there's a tool at http://combat.uxn.com/ that will convert back to them.

    IP addresses can also be represented in Octal (prefixed '0') or hexadecimal (prefixed '0x'), or even as a mixture of these within a dotted quad, in which case the above IP address might become:

    0266.0xaf.0x5a.012

    The key thing to remember is that if it works in your web browser, it'll work in traceroute and whois too, so all this obfuscation by the spammer is really a wasted effort on their part. What a shame. :)

  • The Really Long Dotted-Quad IP address

    The dotted-quad I.P. address is just a way of representing a 32-bit number using four 8-bit numbers. It's a bit like the way you might write "1153" as one thousand, one hundred, five tens and three units. Now, in a dotted-quad only the lowest eight bits of each number are significant - to continue the above analogy, if we had "one thousand, twenty-one hundreds, five tens and three units", we'd discard the "twenty" from the "hundreds" column (because that would mean an extra two thousands and if we really wanted them we'd have put them in the "thousands" column, so it must be an error, right?) and still be left with the number "1153".

    Some spammers make use of this by setting the high-bits of the four numbers in the dotted quad to make the I.P. address rather long and confusing. For example:

    http://10889035741470030830827987437816582766808.41538374868278621028243970633761010.91343852333181432387730302044767688728495784090.5444517870735015415413993718908291383522/

    It looks daunting, but dealing with it is quite simple. Just take each of the four numbers in the dotted quad and ignore all but the eight lowest bits (i.e. divide each by 256 and take the remainder). In the example above, you'll end up with:

    http://216.242.154.226/

    and from here you've got the I.P. address and can continue as normal.

    Note that only the least-significant 32 bits have meaning in an I.P. address; any other bits are put there by the spammer to further confuse us.

    Alternatively, the URL de-obfuscator at http://combat.uxn.com/ will happily decode this kind of really-long-dotted-quad URL for you.

  • The Username Trick

    You can specify a username and password in a URL using the @ symbol. For example:

    http://jjf:fred@www.myreallysecurewebsite.com/

    will log me into www.myreallysecurewebsite.com using the username "jjf" and the password "fred". But if www.myreallysecurewebsite.com didn't need a username & password, the username & password are ignored. Spammers use this to conceal their website's location. For example, is the following website located on members.aol.com or www.twinlobber.org.uk?

    http://members.aol.com@www.twinlobber.org.uk/ispammedyou/

    If you know this trick, it's fairly easy to see through it, so the spammers have now taken to trying a double-bluff. The username has to come before the first slash after the "http://" bit, and so the spammers try things like this:

    http://members.aol.com/@www.twinlobber.org.uk/ispammedyou/

    This URL references the directory "@www.twinlobber.org.uk/ispammedyou" at members.aol.com, not a website at www.twinlobber.org.uk itself.

    Many of the URL de-obfuscation tools given below for decoding Javascript-encoded URLs will also deal with this trick.

  • JavaScript

    A _really_ nasty technique is to encode the URL in JavaScript; this can result in URLs that look to you and me like absolute gobbledegook!

    Fortunately, help is at hand. Have a look at these resources:
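
The three host-hiding tricks above (the non-dotted or mixed-radix IP address, the really long dotted quad, and the username trick) can all be undone mechanically. The Python script below is an added example written for this section, not a tool from the original FAQ or from combat.uxn.com; it uses only the standard library (urllib.parse and ipaddress), takes the FAQ's own example URLs as its built-in sample input, and also accepts the two- and three-component numeric host forms defined by inet_aton(3), which go beyond what the FAQ text describes.

```python
# Added example (not from the FAQ): decode the obfuscated host forms described
# above and report the host a browser would actually connect to.
import ipaddress
from urllib.parse import urlsplit


def parse_component(tok: str) -> int:
    """Interpret one numeric component the way inet_aton() and old browsers do:
    '0x' prefix = hexadecimal, leading '0' = octal, anything else = decimal.
    Raises ValueError if the token is not a number at all."""
    tok = tok.lower()
    if tok.startswith("0x"):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok.startswith("0"):
        return int(tok, 8)
    return int(tok, 10)


def decode_numeric_host(host: str) -> str:
    """Collapse a numeric host (1 to 4 dot-separated components, any radix,
    any length) to a normal dotted quad, keeping only the significant bits.

    With four components only the low 8 bits of each count (the "divide by
    256 and take the remainder" rule); with a single component only the low
    32 bits count.  Two- and three-component forms follow the classic
    inet_aton() layout (the last component fills the remaining low bytes);
    that case is an addition beyond the FAQ text."""
    parts = [parse_component(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not an IPv4 host: {host!r}")
    value = 0
    for p in parts[:-1]:
        value = (value << 8) | (p & 0xFF)          # one byte each, high bits dropped
    last_width = 8 * (5 - len(parts))              # 32, 24, 16 or 8 bits
    value = (value << last_width) | (parts[-1] & ((1 << last_width) - 1))
    return str(ipaddress.IPv4Address(value))


def real_host(url: str) -> str:
    """Return the host a browser connects to for *url*.

    urlsplit().hostname already drops any 'user:pass@' prefix, which is what
    defeats the username trick: the host is whatever follows the last '@' in
    the authority part, and that part stops at the first '/' after 'http://',
    so the double-bluff form stays on the site before the slash.  Numeric
    hosts are then normalised to a dotted quad."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    try:
        return decode_numeric_host(host)
    except ValueError:
        return host                                 # an ordinary host name


# The really-long-dotted-quad URL from the FAQ text (split only for line length).
LONG_QUAD_URL = (
    "http://10889035741470030830827987437816582766808."
    "41538374868278621028243970633761010."
    "91343852333181432387730302044767688728495784090."
    "5444517870735015415413993718908291383522/"
)

# The FAQ's own example URLs plus a constructed user:pass case.
FAQ_EXAMPLES = [
    "http://3064945162/",
    "http://0266.0xaf.0x5a.012/",
    LONG_QUAD_URL,
    "http://jjf:fred@www.myreallysecurewebsite.com/",
    "http://members.aol.com@www.twinlobber.org.uk/ispammedyou/",
    "http://members.aol.com/@www.twinlobber.org.uk/ispammedyou/",
]

if __name__ == "__main__":
    for u in FAQ_EXAMPLES:
        print(f"{u[:60]:<62} -> {real_host(u)}")
```

Running the script prints the real host for each sample URL. One caveat worth knowing: browsers that follow the current WHATWG URL standard reject a dotted host whose non-final components exceed 255, so the really-long-dotted-quad form now mostly turns up in old spam and is still accepted by command-line tools rather than by a modern browser.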

6.1.2 Is the spammer's URL always the place to complain to?

Spammers know that no matter how hard they try to mangle their URL in the manner described above, some people will be able to decode them. Therefore, they sometimes try to hide their websites using other methods as well...

  • Page Redirections

    Another tactic favoured by some spammers is to spamvertise one URL but have that URL "redirect" visitors to another. In this way, the spammer hopes to confuse us, to misdirect complaints, and if the site that's redirected to is taken down he can just change the redirection page to point to another, identical site and still profit from his spam run.

    Fortunately, in most cases, page redirection can be followed simply by looking in your browser's history window. Once you recognise this, the thing to do is complain to the hosters of both the redirecting website _and_ the website it redirects to.

  • Frames

    A variant on the Page Redirection trick is to have a webpage on one site that contains a frame around a webpage on a second site; this way the "Location:" field of the browser will contain the URL of the first site (the one containing the frame) and not the URL of the second site (the one containing the actual content). In Netscape, you can get the URL of the second site by selecting "Page Info" from the "View" menu; in Internet Explorer, right-click on the webpage and select "Properties".
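
As an added example (not part of the original FAQ), the Python below scans a saved copy of a page for the places it can send a visitor next without executing anything: <meta http-equiv="refresh"> redirects, <frame> and <iframe> sources, and simple JavaScript assignments to location. It then lists every host involved, which is the set of hosters the section says to complain to. The sample HTML is constructed for the example and reuses the FAQ's placeholder site names. The script fetches nothing, so an HTTP-level (3xx) redirect, which lives in the response headers rather than in the page, is outside its scope.

```python
# Added example (not from the FAQ): scan a page's HTML for where it can send
# a visitor next, so both sites can be identified without loading the page.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class RedirectFinder(HTMLParser):
    """Collect (kind, absolute_url) pairs for <meta http-equiv="refresh">,
    <frame>/<iframe> src attributes and simple JavaScript assignments to
    location found inside <script> blocks."""

    _META_URL = re.compile(r'''url\s*=\s*['"]?([^'";]+)''', re.I)
    _JS_LOCATION = re.compile(
        r'''(?:(?:window|document|top|self|parent)\.)?location(?:\.href)?\s*=(?!=)\s*['"]([^'"]+)['"]'''
        r'''|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]\s*\)''')

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.targets = []
        self._script = None      # buffer for the body of the current <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # html.parser lowercases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = self._META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", urljoin(self.base, m.group(1).strip())))
        elif tag in ("frame", "iframe") and a.get("src"):
            self.targets.append((tag, urljoin(self.base, a["src"])))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in self._JS_LOCATION.finditer("".join(self._script)):
                self.targets.append(("script", urljoin(self.base, m.group(1) or m.group(2))))
            self._script = None


def find_redirect_targets(html, base_url):
    """Return every redirect/frame target in *html*, resolved against *base_url*."""
    parser = RedirectFinder(base_url)
    parser.feed(html)
    parser.close()
    return parser.targets


def sites_to_report(html, base_url):
    """Hosts of the page itself plus every site it frames or redirects to:
    the section's advice is to complain to the hosters of all of them."""
    hosts = {urlsplit(base_url).hostname}
    hosts.update(urlsplit(u).hostname for _, u in find_redirect_targets(html, base_url))
    return sorted(h for h in hosts if h)


# Constructed sample: a redirecting/framing page, using the FAQ's placeholder site names.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5; url=http://www.twinlobber.org.uk/ispammedyou/">
<script type="text/javascript">
  if (navigator.javaEnabled()) { window.location = "/spam2.html"; }
</script>
</head>
<frameset rows="10%,*">
  <frame src="banner.html">
  <frame src="http://www.twinlobber.org.uk/ispammedyou/real.html">
</frameset></html>"""

if __name__ == "__main__":
    base = "http://members.aol.com/spampage.html"
    for kind, url in find_redirect_targets(SAMPLE_HTML, base):
        print(f"{kind:<13} {url}")
    print("report to the hosters of:", ", ".join(sites_to_report(SAMPLE_HTML, base)))
```

Save the spammer's page with your browser (or fetch it with a command-line tool) and pass its text and URL to find_redirect_targets; the JavaScript matching is deliberately simple and will not see a location that is assembled from pieces, which is where the JavaScript de-obfuscation tools mentioned earlier come in.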

6.1.3 Why does the spammer's website's source code look so weird?

Many spammers have learned that anti-spammers get important information about their operations from the source code of their website. So they've taken to encoding their webpages in JavaScript; this is decoded into HTML by your web-browser in order to display the page, but when you try to look at the source you just see gobbledegook-like Javascript.

Fortunately, help is at hand. Have a look at these resources:

Alternatively, users of Internet Explorer 5.x can install the "Microsoft Web Developer Accessories" add-on from Microsoft. With this tool you can highlight a portion or all of a webpage, right-click (or shift+F10) and select "View Partial Source". You now see the plain HTML that the spammer's JavaScript sent to your browser.

Some spammers go to almost insane lengths to obfuscate their websites, but the key to remember is that they have to be decodable by your web-browser, so they're decodable by you too. John McGowan has written an excellent example of how he doggedly dissected a spammer's website; this can be found at http://www.spamfaq.net/examples/cyberdetective/.
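
The two encodings most often behind that gobbledegook (in both the JavaScript-encoded URLs of 6.1.1 and the JavaScript-encoded pages described here) are document.write(unescape("%3C...")), i.e. percent-encoded HTML, and document.write(String.fromCharCode(60, ...)), i.e. HTML spelled out as character codes. The Python below is an added example, not one of the resources the FAQ refers to; it statically undoes those two encodings, including one nested inside the other, and lists the links in the result. The sample script is constructed for the example, and the assumption that the encoded strings contain no JavaScript backslash escapes is noted in the code.

```python
# Added example (not from the FAQ): statically undo the two encodings most often
# used to hide a page's HTML inside JavaScript, then list the links in the result.
import re

_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s):
    """JavaScript's unescape(): %XX and %uXXXX sequences become characters."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


# Each pattern matches one document.write(...) form and maps it to the HTML it
# would write.  Assumption: the string literals contain no JavaScript backslash
# escapes (the usual obfuscators emit only %XX sequences or digit lists).
_WRITE = r"document\.write(?:ln)?\(\s*"
_DECODERS = [
    (re.compile(_WRITE + r'''unescape\(\s*(['"])(.*?)\1\s*\)\s*\)''', re.S),
     lambda m: js_unescape(m.group(2))),
    (re.compile(_WRITE + r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)\s*\)"),
     lambda m: "".join(chr(int(n)) for n in m.group(1).split(","))),
    (re.compile(_WRITE + r'''(['"])(.*?)\1\s*\)''', re.S),
     lambda m: m.group(2)),
]


def decode_layer(text):
    """Apply every decoder once; return (new_text, changed)."""
    new = text
    for pattern, repl in _DECODERS:
        new = pattern.sub(repl, new)
    return new, new != text


def decode_js_html(text, max_layers=10):
    """Peel nested encodings (a decoded layer may itself be more JavaScript)
    until the text stops changing."""
    for _ in range(max_layers):
        text, changed = decode_layer(text)
        if not changed:
            break
    return text


def extract_links(html):
    """href/src values in the decoded HTML: where the page really points."""
    return re.findall(r'''(?:href|src)\s*=\s*['"]?([^'" >]+)''', html, re.I)


# Constructed sample: a link hidden with unescape(), and a second layer that
# decodes to another document.write() using String.fromCharCode().
SAMPLE_JS = (
    'document.write(unescape("%3Ca%20href%3D%22http%3A%2F%2Fwww.twinlobber.org.uk'
    '%2Fispammedyou%2F%22%3EClick%3C%2Fa%3E"));\n'
    'document.write(unescape("document.write%28String.fromCharCode'
    '%2860%2C98%2C62%2C104%2C105%2C60%2C47%2C98%2C62%29%29"));\n'
)

if __name__ == "__main__":
    html = decode_js_html(SAMPLE_JS)
    print(html)
    print("links:", extract_links(html))
```

Paste the <script> body from the saved page in place of SAMPLE_JS. Anything this static pass cannot unwrap (strings built up by arithmetic, custom decoding loops) is exactly the case for the "View Partial Source" approach above, which shows you what the browser itself produced.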

6.1.4 How can I stop a spammer's website doing bad things to my computer?

Some spammers' websites can do some quite nasty tricks, such as switching Internet Explorer to full-screen mode and not letting you escape, or opening lots of pop-ups, or re-opening the site every time you try to leave it, and so forth. If you use IE, you can put the spammer's site in "Restricted Mode" which will disable all JavaScript, Java, ActiveX, cookies and anything else on the site the spammer will try to trick or trap you with. In other browsers you can disable JavaScript and Java from the configuration window.

You can also use the advert-removing program WebWasher to prevent abusive JavaScript code from executing. Look for it at http://www.webwasher.com/.

However, beware; some spammers know that many anti-spammers surf with JavaScript permanently disabled and have written websites that look as if they have been killed if JavaScript is disabled yet are still fully functional for surfers with JavaScript enabled. Some other spammers' websites will immediately redirect you elsewhere if they detect you have disabled JavaScript.

6.1.5 What if a spammer's website has disabled right-click?

Spammers know that anti-spammers get a lot of information about their revenue chains by looking at the source code of their website. So they have taken to writing little bits of JavaScript that intercept right-mouse-clicks on their webpage to prevent the context-sensitive menu containing the "view source" option in Netscape and Internet Explorer from appearing.

This can, of course, be circumvented by deactivating JavaScript in your browser, but there is also a simpler solution, as the "view" menu on the menu bar allows you to bring up the page source in some versions of IE and Netscape. Alternatively, Shift+F10 will simulate a right-click in some browsers. Some Windows keyboards also have a "context-sensitive menu key" which can be used to call up the menu you'd normally get by right-clicking. Note that some spammers' webpages will now intercept these keypresses as well as the right-click, but the "view" menu on the menu bar should still work. (If the website contains frames you'll only get the source of the frameset - type the URL of the frame itself into your browser. Sometimes it'll automatically stick itself back in the frame - if this happens, disable JavaScript. If the page requires JavaScript, try using the w3c.org validator.)

6.2 What can I do about Spam-Supporting ISPs?

Most ISPs hate spam. Sometimes, however, you'll come across an ISP that is either utterly clueless or refuses point-blank to act against its spamming customers. In these cases, there are a number of steps you can undertake.

6.2.1 Research

The first step is to check the archives to see whether anyone else is having a problem with this spammer or with this ISP. If you can contact others who are having the same problems as you, you can pool your resources to greater effect.

6.2.1.1 news.admin.net-abuse.sightings & groups.google.com

news.admin.net-abuse.sightings is a newsgroup for reporting - not discussing - instances of Internet abuse. The idea is that anti-spammers post instances of the spam they see to this newsgroup, and then other anti-spammers can look in this newsgroup to see if other people are getting the same spam as they are.

But it gets better. Google's newsgroup archiving service at http://groups.google.com/ archives most postings to news.admin.net-abuse.sightings (along with most postings to most newsgroups); you can use the advanced search feature to search these archives for instances of a particular spam! For example, if you've received a spam advertising the website "www.iamareallybadassspammer.com" you could search for "www.iamareallybadassspammer.com" in the forum (Google-speak for "newsgroup") "news.admin.net-abuse.sightings" and find some other people who have been spammed by that spammer.

Incidentally, the Google archives for news.admin.net-abuse.email are also a very useful resource for priming yourself on specific issues. There are few new ideas; most spam-related issues will have been discussed in this newsgroup at some point or another, and many spammers have too.

6.2.1.2 Halls of Shame

news.admin.net-abuse.sightings is a very useful resource but sometimes you need something a little more structured. Unlikely as it may seem, there are anti-spammers who dedicate whole websites to keeping track of the unrepentant spammers and those who run spam-support services. These can be very useful in discovering a spammer's M.O., or just why you're having trouble getting a spammer's account at a certain ISP killed. Here's just a handful of such sites...

The Spamhaus Project tracks spam support services and spam-friendly ISPs, and displays the results in a number of easy-to-navigate formats, with links to "whois" information, relevant abuse addresses, and the like. As well as currently-active spamhausen it lists deceased spamhausen, including how many times they have been terminated and by which ISPs, and when. There's even a "league" of leading spam-support services.

In a similar vein is Sapient Fridge's Spamware Sites Listing; a list of websites that are selling Spamware or supporting Spam in other material ways, each coming with various service providers (with cross-references), handy links to traceroute tools, and their status with the MAPS RBL.

The Spammer Quick Reference Guide has by no means as many technical whizz-bangs, but it looks like a quite useful list of who's spamming what.

ROKSO is a good reference of hard-core spam operations that get thrown off Internet providers time after time after time.

whew.com has a database of postal addresses and phone numbers advertised in spams...

In less general terms, Worldwide Online publishes a list of spammers they've told to stop spamming them.

6.2.6 Posting in news.admin.net-abuse.email

If this research turns up a blank, then don't forget that a great way to contact other spamfighters about a suspected spam-supporting ISP is to post in news.admin.net-abuse.email.

6.2.2 Education

Sometimes an ISP will support their spamming customer simply because the ISP themselves don't realise that spam is bad. In these cases, it may be worthwhile taking time to briefly explain (patiently and without expletives) the problems around spam and why the ISP should take action against their spamming customers.

If you try this, you'll soon be able to tell whether an ISP is genuinely ignorant and confused or is purposefully supporting spam.

6.2.2.1 What if the ISP doesn't speak English?

There are an increasing number of ISPs, most notably those in the Far East, but also some in Europe and other parts of the non-English-speaking majority of this planet, where the technical contacts don't speak English. This can obviously lead to a communication difficulty if you yourself aren't fluent in their native language.

One solution is to use the Babelfish automatic translation service, but this technology can be a little flakey at times. It's probably better to get a bilingual friend to translate for you if at all possible.

For persistent spammers from foreign countries, you may be able to seek help from some of the foreign-language email abuse newsgroups, such as:

it.news.net-abuse - Italian net abuse newsgroup
fr.usenet.abus.d - French net abuse newsgroup
de.admin.net-abuse.mail - German net-abuse newsgroup
hr.news.net-abuse - Croatian net-abuse newsgroup
nl.internet.misbruik - Dutch net-abuse newsgroup
pl.news.mordplik - Polish net-abuse newsgroup

As a last resort, there are some anti-spam documents written in non-English languages, to which you may be able to refer non-English-speaking providers.

(All suggestions for this section are greatly appreciated!)

6.2.3 Contact their Upstream

An ISP's "upstream" is a bit like an ISP's ISP. Apart from a few very large ISPs called "backbones", every ISP purchases its connectivity with the rest of the Internet from one or more other ISPs, which are called the "upstreams" of the first ISP. Many of these upstreams will have clauses in their contracts about spam, and if you can show them that their customer is allowing spam to come through their networks, they may well cut them off or pressure them to take action.

Occasionally, you'll find that a spammer has tricked you into thinking you're complaining to their ISP when really you're complaining to the spammer himself. In these cases, by going upstream you'll find the spammer's real ISP.

If an upstream provider refuses to act, you can try _their_ upstream provider, and so forth until you reach a backbone.

6.2.4 Publicise their Spam-Supporting

Spam is unpopular, so if you publicise the fact that a large organisation is supporting spam, then you may be able to force them to change their mind. A posting about them in news.admin.net-abuse.email is a good place to start. If the provider has their own newsgroups, then possibly one of them might be appropriate for a posting too. And then, if you're really determined, you can move on to online magazines, newspapers, and so forth.

6.2.5 Bitching

A very controversial tactic is that sponsored by http://www.bitch-list.net/. This is a service a little like abuse.net, except that it forwards email to _every_ known contact address for abusive and unresponsive ISPs. The idea is that by forwarding abuse reports to as many officials and unrelated departments as possible, the message will get through somehow.

However, this is considered by many (including the faq-maintainer) to be sending Unsolicited Bulk Email and thus wrong. And even if you can get over that moral hurdle, it is extremely impolite.


 
   
Copyright © 2002-2014 by SORBS