Wednesday, 13 May 2015

Fighting Spam

The first spam email was sent in 1978, according to Wikipedia. Since then, it has accounted at times for around 90% of all email traffic over the Internet. The effect of Bill C-28, commonly known as CASL, on spam to Canadians has not been assessed, at least not publicly, but I've taken it upon myself to fight it single-handed and sometimes I win.

Most spammers fake the "From:" field in the email. So you can't report them based on that information. Many of the addresses are legitimate, and from some innocent party who might then become the subject of abuse by the recipients. Sometimes the address may be from someone you know. This is a more targeted and dangerous type which is probably trying to gain access to your credentials rather than just push a product or service.

In general, I get very little spam. There was a run of it for a while on my personal email address but that has stopped. My email address was obtained from Yahoo group, by the way, and spammers regularly join Yahoo groups to harvest the email addresses. They also scrape web sites, so the little bit of spam I've received lately is actually from the web addresses we publish on our club web site.

The key to fighting most spam is the links they include in their messages. I've noticed increasingly that a fake unsubscribe link is provided that usually just goes to the same site they're advertising. That trend will probably disappear soon as I expect that spam filters will recognize this as an indication that the message is spam, as no legitimate email would do that.

So the method I use is this:

  1. Note the URL of the main link in the message. Usually you just hover the mouse pointer over the link at the address will appear at the bottom left of the window. This is a good idea for any message as a almost sure indication of a phishing message is that the actual link doesn't match the one printed in the message.
  2. Open a DOS windows (on Unix, just open a terminal session) and enter nslookup URL using the URL you noted. This will return the IP address of the URL. Make a note of this
  3. To identify the owner of the IP address, use a "whois" lookup. On Linux, there is a whois command, so whois ipaddress will tell you the owner of the domain and provide contact email addresses. If you're on Windows, you can use a site like to do the lookup.
  4. There should be an abuse reporting email address. You can just forward the spam to this address. Most of the time that will work. Sometimes the address will (correctly) identify your email as spam. In that case you can just write them an email and ask them what to do.
This works quite often because spammers advertise their wares on rented servers (like the one we use for our web site). These companies have contracts with their customers specifically prohibiting spam and will terminate their service if it shown that they are participating in it.

Here's a sample reply I received recently from a service provider in Buffalo.


This is to inform you that xxx domain was suspended. It is now pointed to non-resolving nameservers and will be nullrouted once the propagation is over. The domain is locked for modifications in our system.

Thank you for letting us know about the issue.

I did that! Now the problem is that this victory is short lived. Spammers will just move to another service provider, but at least I'm disrupting their business model and making it less profitable to continue.

Imagine if everyone did this. It would put a big dent in a nefarious industry.


No comments:

Post a Comment