6.1 Spammer Tricks
6.1.1 What are these weird URLs?
Some spammers try to "obfuscate" the address of their website in order to make it hard to see where to complain to. A number of common tactics include:
The Non-Dotted-Quad IP address
Most IP addresses have the "dotted-quad" form:
However, the IP address is also valid as one big decimal number, e.g.:
The spammer hopes that by giving you the address in this form, you'll be confused. However, tools like traceroute and whois will quite happily work on either dotted-quads or big decimal numbers. If you're happier working with the dotted quads, there's a tool at http://combat.uxn.com/ that will convert back to them.
IP addresses can also be represented in Octal (prefixed '0') or hexadecimal (prefixed '0x'), or even as a mixture of these within a dotted quad, in which case the above IP address might become:
The key thing to remember is that if it works in your web browser, it'll work in traceroute and whois too, so all this obfuscation by the spammer is really a wasted effort on their part. What a shame. :)
The Really Long Dotted-Quad IP address
The dotted-quad I.P. address is just a way of representing a 32-bit number using four 8-bit numbers. It's a bit like the way you might right "1153" as one thousand, one hundred, five tens and three units. Now, in a dotted-quad only the lowest eight bits of each number are significant - to continue the above analogy, if we had "one thousand, twenty-one hundreds, five tens and three units", we'd discard the "twenty" from the "hundreds" column (because that would mean an extra two thousands and if we really wanted them we'd have put them in the "thousands" column, so it must be an error, right?) and still be left with the number "1153".
Some spammers make use of this by setting the high-bits of the four numbers in the dotted quad to make the I.P. address rather long and confusing. For example:
It looks daunting, but dealing with it is quite simple. Just take each of the four dotted quads and ignore all but the eight lowest bits (ie divide each by 256 and take the remainder). In the example above, you'll end up with:
and from here you've got the I.P. address and can continue as normal.
Note that only the least-significant 32 bits have meaning in an I.P. address; any other bits are put there by the spammer to further confuse us.
Alternatively, the URL de-obfuscator at http://combat.uxn.com/ will happily decode this kind of really-long-dotted-quad URL for you.
The Username Trick
You can specify a username and password in a URL using the @ symbol. For example:
will log me into www.myreallysecurewebsite.com using the username "jjf" and the password "fred". But if www.myreallysecurewebsite.com didn't need a username & password, the username & password are ignored. Spammers use this to conceal their website's location. For example, is the following website located on members.aol.com or www.twinlobber.org.uk?
If you know this trick, it's fairly easy to see through it, so the spammers have now taken to trying a double-bluff. The username has to come before the first slash after the "http://" bit, and so the spammers try things like this:
This URL references the directory "@www.twinlobber.org.uk/ispammedyou" at members.aol.com, not a website at www.twinlobber.org.uk itself.
Fortunately, help is at hand. Have a look at these resources:
6.1.2 Is the spammer's URL always the place to complain to?
Spammers know that no matter how hard they try to mangle their URL in the manner described above, some people will be able to decode them. Therefore, they sometimes try to hide their websites using other methods as well...
Another tactic favoured by some spammers is to spamvertise one URL but have that URL "redirect" visitors to another. In this way, the spammer hopes to confuse us, to misdirect complaints, and if the site that's redirected to is taken down he can just change the redirection page to point to another, identical site and still profit from his spam run.
Fortunately, in most cases, page redirection can be followed simply by looking in your browser's history window. Once you recognise this, the thing to do is complain to the hosters of both the redirecting website _and_ the website it redirects to.
A variant on the Page Redirection trick is to have a webpage on one site that contains a frame around a webpage on a second site; this way "Location:" field of the browser will contain the URL of the first site (the one containing the frame) and not the URL of the second site (the one containing the actual content). In Netscape, you can get the URL of the second site by selecting "Page Info" from the "View" menu; in Internet Explorer, right-click on the webpage and select "Properties".
6.6 Why does the spammer's website's source code look so weird?
Fortunately, help is at hand. Have a look at these resources:
Some spammers go to almost insane lengths to obfuscate their websites, but the key to remember is that they have to be decodable by your web-browser, so they're decodable by you too. John McGowan has written an excellent example of how he doggedly disected a spammer's website; this can be found at http://www.spamfaq.net/examples/cyberdetective/.
6.1.4 How can I stop a spammers' website doing bad things to my computer?
6.1.5 What if a spammer's website has disabled right-click?
6.2 What can I do about Spam-Supporting ISPs?
Most ISPs hate spam. Sometimes, however, you'll come across an ISP that is either utterly clueless or refuses point-blank to act against its spamming customers. In these cases, there are a number of steps you can undertake.
The first step is to check the archives to see whether anyone else is having a problem with this spammer or with this ISP. If you can contact others who are having the same problems as you, you can pool your resources to better achieve an affect.
22.214.171.124 news.admin.net-abuse.sightings & groups.google.com
news.admin.net-abuse.sightings is a newsgroup for reporting - not discussing - instances of Internet abuse. The idea is that anti-spammers post instances of the spam they see to this newsgroup, and then other anti-spammers can look in this newsgroup to see if other people are getting the same spam as they.
But it gets better. Google's newsgroup archiving service at http://groups.google.com/ archives most postings to news.admin.net-abuse.sightings (along with most postings to most newsgroups); you can use the advanced search feature to search these archives for instances of a particular spam! For example, if you've received a spam advertising the website "www.iamareallybadassspammer.com" you could search for "www.iamareallybadassspammer.com" in the forum (Google-speak for "newsgroup") "news.admin.net-abuse.sightings" and find some other people who have been spammed by that spammer.
Incidentally, the Google archives for news.admin.net-abuse.email are also a very useful resource for priming yourself on specific issues. There are few new ideas; most spam-related issues will have been discussed in this newsgroup at some point or another, and many spammers have too.
126.96.36.199 Halls of Shame
news.admin.net-abuse.sightings is a very useful resource but sometimes you need something a little more structured. Unlikely as it may seem, there are anti-spammers who dedicate whole websites to keeping track of the unrepentant spammers and those who run spam-support services. These can be very useful in discovering a spammer's M.O., or just why you're having trouble getting a spammer's account at a certain ISP killed. Here's just a handful of such sites...
The Spamhaus Project tracks spam support services and spam-friendly ISPs, and displays the results in a number of easy-to-navigate formats, with links to "whois" information, relevant abuse addresses, and the like. As well as currently-active spamhausen it lists deceased spamhausen, including how many times they have been terminated and by which ISPs, and when. There's even a "league" of leading spam-support services.
In a similar vein is Sapient Fridge's Spamware Sites Listing; a list of websites that are selling Spamware or supporting Spam in other material ways, each coming with various service providers (with cross-references), handy links to traceroute tools, and their status with the MAPS RBL.
The Spammer Quick Reference Guide has by no means as many technical whizz-bangs, but it looks like a quite useful list of who's spamming what.
ROKSO is a good reference of hard-core spam operations that get thrown off Internet providers time after time after time.
whew.com has a database of postal addresses and phone numbers advertised in spams...
In less general terms, Worldwide Online publishes a list of spammers they've told to stop spamming them.
6.2.6 Posting in news.admin.net-abuse.email
If this research turns up a blank, then don't forget that a great way to contact other spamfighters about a suspected spam-supporting ISP is to post in news.admin.net-abuse.email.
Sometimes an ISP will support their spamming customer simply because the ISP themselves don't realise that spam is bad. In these cases, it may be worthwhile taking time to briefly explain (patiently and without expletives) the problems around spam and why the ISP should take action against their spamming customers.
If you try this, you'll soon be able to tell whether an ISP is genuinely ignorant and confused or is purposefully supporting spam.
188.8.131.52 What if the ISP doesn't speak English?
There are an increasing number of ISPs, most notably those in the Far East, but also some in Europe and other parts of the non-English-speaking majority of this planet, where the technical contacts don't speak English. This can obviously lead to a communication difficulty if you yourself aren't fluent in their native language.
One solution is to use the Babelfish automatic translation service, but this technology can be a little flakey at times. It's probably better to get a bilingual friend to translate for you if at all possible.
For persistent spammers from foreign countries, you may be able to seek help from some of the foreign-language email abuse newsgroups, such as:
it.news.net-abuse - Italian net abuse newsgroup
fr.usenet.abus.d - French net abuse newsgroup
de.admin.net-abuse.mail - German net-abuse newsgroup
hr.news.net-abuse - Croatian net-abuse newsgroup
nl.internet.misbruik - Dutch net-abuse newsgroup
pl.news.mordplik - Polish net-abuse newsgroup
As a last resort, there are some anti-spam documents written in non-English languages, to which you may be able to refer non-English-speaching providers.
(All suggestions for this section are greatly appreciated!)
6.2.3 Contact their Upstream
An ISP's "upstream" is a bit like an ISP's ISP. Apart from a few very large ISPs called "backbones", every ISP purchases its connectivity with the rest of the Internet from one or more other ISPs, which are called the "upstreams" of the first ISP. Many of these upstreams will have clauses in their contracts about spam, and if you can show them that their customer is allowing spam to come through their networks, they may well cut them off or pressure them to take action.
Occasionally, you'll find that a spammer has tricked you into thinking you're complaining to their ISP when really you're complaining to the spammer himself. In these cases, by going upstream you'll find the spammer's real ISP.
If an upstream provider refuses to act, you can try _their_ upstream provider, and so forth until you reach a backbone.
6.2.4 Publicise their Spam-Supporting
Spam is unpopular, so if you publicise the fact that a large organisation is supporting spam, then you may be able to force them to change their mind. A posting about them in news.admin.net-abuse.email is a good place to start. If the provider has their own newsgroups, then possibly one of them might be appropriate for a posting too. And then, if you're really determined, you can move on to online magazines, newspapers, and so forth.
A very controversial tactic is that sponsored by http://www.bitch-list.net/. This is a service a little like abuse.net, except that it forwards email to _every_ known contact address for abusive and unresponsive ISPs. The idea is that by forwarding abuse reports to as many officials and unrelated departments as possible, the message will get through somehow.
However, this is considered by many (including the faq-maintainer) to be sending Unsolicited Bulk Email and thus wrong. And even if you can get over that moral hurdle, it is extremely impolite.