Seattle Community Network

How to be a Good Complainer

Spam Complaints to an ISP



Purpose

This is just my take on making effective spam complaints. This mostly applies to spam which is not obviously spam when forwarded to an ISP's "abuse desk".

NOTE: This page relates to complaining to the ISPs who host spam and "spamvertised" sites. Our "abuse@scn.org" address is for the purpose of receiving complaints about email which appears to originate at SCN.


The Problem

Imagine sifting through hundreds of email messages. You are not going to study each one to see what the writer is really getting at.

Some of these are going to be obvious. If the subject line is the "(fwd)" of the spam copy, with a set of headers, somehow coming from the same ISP, and the message itself is obviously spam, the "abuse desk" person will try to take action.

But if the ISP is identified somewhere as a hosted "spamvertised" site (usually without displaying the corresponding IP address), the "abuse desk" person would have no idea why he/she received the complaint.

At the other extreme, useful but very verbose data explaining in painful detail why the forwarded message is spam won't be read. Nobody has the time.



The Technique

Obvious Spam
First decide if the spam needs explanation. If you are forwarding a message about a Penis Enhancement Supplement to the originating ISP, everything will probably be self-evident from the forwarded message. Nobody needs to know that you really didn't "opt-in" for the spam.

On the other hand, if there are other facts, like forged headers, or tags violating your state's anti-wiretap act, briefly point these out.

Spamvertised Host
If you identified a spamvertised host, include the identifier. Example:
> spam_address.com = 192.168.0.1
    or
> spam_address.com = 192.168.0.1 ("spamvertised" site in body of spam)
Presumably, the "abuse desk" person will recognize their own IP address range, but don't expect that person to automatically know each hosted domain name. (To clarify, the numerical IP address for a private domain name will match a range of numbers assigned to the ISP. Spam reporting services also include the date the address was looked up because these numerical addresses change whenever the domain is moved to a different ISP. Spammers move often.)

This tells the "abuse desk" person what to look for, where and why it's relevant to the ISP.

Spam Disguised as Legitimate Mail
Usually these are the most tenacious. The spammer will "appear" to be a standard "distribution" newsletter, and in some cases is a distribution newsletter which wants to expand its circulation by spamming people. Fortunately if they're spamming you, there will be prior spam reports you can point to.

The idea is to show the "abuse desk" person that this really is spam. The problem is that explaining that this is spam will be too verbose.

One approach is to include basic statements at the top, and something pointing the "abuse desk" person to a further explanation. Here's one way to do this:
> "Evidence of Spam" follows forwarded spam copy.
Then you can include such things as blackhole report listings and prior abuse sightings. In that way, the "abuse desk" person can look at the spam copy and then look at the "Evidence of Spam". This also may be the only way you can show that you're not "The Only Person Who Ever Complained About This." (Well, maybe you are, but you've pointed to previous instances of others who are The Only Person Who Complained!)

Helpful items:
  • Use email list quoting ( > ) in front of your comments:
    > I received this against my will.
    > spam_address.com = 192.168.0.1 ("spamvertised" site in body of spam)
    > Please institute and enforce an "Acceptable Use Policy"
  • Be polite. Don't include "cartooney threats".
  • Use plain text. If the spam includes HTML or uuencoded stuff, the ISP can analyze it if necessary.


Make sure you have the real spammer. Usually careful reading of the IP numbers works, but using SpamCop to decode the headers is much easier.

It usually isn't worth the trouble to chase down the more obvious forms of spam. Probably you are not the only one in a mailing list for that Sex Enhanced Vitamin promotion.

If you see "web bug" tags which automatically return personally identifying confirmations, it may be worth pursuing this with your state attorney general. These are nonstandard "<IMG SRC=...>" tags, usually containing "CID:".
Normally this only applies to spam with a single personal address (i.e., one accurate address in the "to:" field). This has not yet been legally tested. A proper email "request for confirmation" is a separate header or a "click-on" item; not embedded code. Embedded code to report viewing is eavesdropping because it is done without the user's consent. Like most forms of eavesdropping, the use of such embedded code in email would probably be considered a violation of state or federal anti-wiretap laws, which could be a serious matter.


Personal Information and Parsing

Personal identification should be removed from the spam, especially from the body of the spam because:
  1. The spammer could use the information to retaliate against the complainant.
  2. The spammer will use the information for listwashing (removing complainers).

Depending on whom you are reporting the spam to, you may wish to remove your personally identifying information from the spam copy. SpamCop uses " <> " when it removes names from headers. SpamCop does not remove personal information from the body of spam or even from the subject line. So, in cases where identification of the individual victim is a problem:

Unless you know whom you are reporting the spam to, delete personal information from anything which could go to the spammer.
The only exceptions I can think of are Yahoo, Hotmail and AOL, and spamblocking services, because it appears their procedures don't include sending spam copies to the spammer. Even if not done maliciously, don't expect the ISP to clean the body of the spam for you prior to sending the "spam evidence" to the spammer.

Pay close attention to spam delivered to a single email address (meaning your address in the "From" header).
Assume the spammer has a reason to send mail to a single address. It could be convenience or it could be an attempt at identification.

Look for nonstandard "<IMG SRC=...>" tags.
Place fillers in the identifying information and point this out to the ISP as a privacy violation.

Replace personal identification information.
Do so in a manner permitted by the rules, whether they are SpamCop's rules or common sense.

Look at the "Message-id" header.
After looking at a few, you should be able to spot if this is a normal ID or one intended to identify the reporting spam victim. Look at a couple of SpamCop previews.

Individually addressed spam with uuencoded text is always suspect.
uuencoding in text is used to hide what's in the text or HTML text. This can be used to hide it from the spam victim or to hide it from anti-spam software.

There are various techniques to quickly view uuencoded text.
This is described by SpamCop, linked at our spam.html page. This is different from the HTML codes, although disguising HTML is the main reason for including uuencoded text messages. For example, Pegasus has an option to forward mail with full headers, but you need to move uuencoded text to a blank message if you want to decode it. (This is described in the SpamCop webpage.)

Use the search function (<ctrl><H>) of a text editor to clean text from the body of spam.
It's called "not missing anything".
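
One way to carry out the cleaning steps above before a complaint is sent, as an added example that is not part of the original page: it replaces the recipient's identifying strings with a filler and lists the IMG SRC URLs that carry them. The sample message, the address jane.doe@example.org, the "local=domain" Message-id form, the filler text and all function names are assumptions constructed for this example.

```python
import re
from urllib.parse import quote

# Constructed sample: the recipient and the spam copy are made up for this example.
SAMPLE_SPAM = """\
Received: from mail.example.net (mail.example.net [192.168.0.1])
To: jane.doe@example.org
Message-id: <20030103.jane.doe=example.org@spam_address.com>
Subject: jane.doe, your newsletter

<html><body>Hello Jane Doe!
<IMG SRC="http://spam_address.com/t.gif?u=jane.doe%40example.org" width=1 height=1>
<IMG SRC="http://spam_address.com/logo.gif">
</body></html>
"""

# Captures the URL of an IMG tag's SRC attribute, quoted or not.
IMG_TAG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.I)

def identity_variants(address, names=()):
    """Forms the address may take in headers, URLs and message IDs (assumed set)."""
    local, domain = address.split("@", 1)
    forms = {address, quote(address, safe=""), f"{local}={domain}", local, *names}
    # Longest first, so the full address is replaced before its local part.
    return sorted((f for f in forms if f), key=len, reverse=True)

def flag_web_bugs(text, variants):
    """Return the IMG SRC URLs that contain one of the identifying strings."""
    lowered = [v.lower() for v in variants]
    return [m.group(1) for m in IMG_TAG.finditer(text)
            if any(v in m.group(1).lower() for v in lowered)]

def redact(text, variants, filler="REDACTED"):
    """Replace every identifying string, ignoring case, and count the hits."""
    total = 0
    for v in variants:
        text, n = re.subn(re.escape(v), filler, text, flags=re.I)
        total += n
    return text, total

if __name__ == "__main__":
    variants = identity_variants("jane.doe@example.org", names=("Jane Doe",))
    print("IMG tags to point out to the ISP:", flag_web_bugs(SAMPLE_SPAM, variants))
    cleaned, hits = redact(SAMPLE_SPAM, variants)
    print(f"{hits} replacements made\n{cleaned}")
```

Run the flagging step on the original copy first, since the redaction removes the very strings it searches for.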


Complaint Links

... are at our main spam.html page.

This includes links to:

On SCN:

SCN's main spam.html site
SCN's Email Abuse site
spamblock.html page - explanation of why particular email is blocked




The opinions herein do not represent an official position of SCN other than the fact that SCN is opposed to email spam.

first posted 3-Jan-03; rev 21 Jan 03.
