1.3 Advanced Spamfighting
1.3.1 Spammer Tricks
1.3.1.1 What are these weird URLs?
Some spammers try to "obfuscate" the address of their website in order to
make it hard to see where to complain to. A number of common tactics
The Non-Dotted-Quad IP address
Most IP addresses have the "dotted-quad" form:
However, the IP address is also valid as one big decimal number,
The spammer hopes that by giving you the address in this form,
you'll be confused. However, tools like traceroute and whois will
quite happily work on either dotted-quads or big decimal numbers.
If you're happier working with the dotted quads, there's a tool at
http://combat.uxn.com/ that will convert back to them.
IP addresses can also be represented in octal (prefixed '0') or
hexadecimal (prefixed '0x'), or even as a mixture of these within a
dotted quad, in which case the above IP address might become:
The key thing to remember is that if it works in your web browser, it'll
work in traceroute and whois too, so all this obfuscation by the
spammer is really a wasted effort on their part. What a shame. :)
The Really Long Dotted-Quad IP address
The dotted-quad I.P. address is just a way of representing a 32-bit
number using four 8-bit numbers. It's a bit like the way you might
write "1153" as one thousand, one hundred, five tens and three units.
Now, in a dotted-quad only the lowest eight bits of each number are
significant - to continue the above analogy, if we had "one thousand,
twenty-one hundreds, five tens and three units", we'd discard the
"twenty" from the "hundreds" column (because that would mean an
extra two thousands and if we really wanted them we'd have put
them in the "thousands" column, so it must be an error, right?) and
still be left with the number "1153".
Some spammers make use of this by setting the high-bits of the
four numbers in the dotted quad to make the I.P. address rather long
and confusing. For example:
It looks daunting, but dealing with it is quite simple. Just take each
of the four dotted-quad components and ignore all but the eight lowest
bits (i.e. divide each by 256 and take the remainder). In the example above,
you'll end up with:
and from here you've got the I.P. address and can continue as
Note that only the least-significant 32 bits have meaning in an I.P.
address; any other bits are put there by the spammer to further
Alternatively, the URL de-obfuscator at http://combat.uxn.com/ will
happily decode this kind of really-long-dotted-quad URL for you.
The Username Trick
You can specify a username and password in a URL using the @
symbol. For example:
will log me into www.myreallysecurewebsite.com using the username
"jjf" and the password "fred". But if www.myreallysecurewebsite.com
didn't need a username & password, the username & password are
ignored. Spammers use this to conceal their website's location. For
example, is the following website located on members.aol.com or
If you know this trick, it's fairly easy to see through it, so the
spammers have now taken to trying a double-bluff. The username
has to come before the first slash after the "http://" bit, and so the
spammers try things like this:
This URL references the directory
"@www.twinlobber.org.uk/ispammedyou" at members.aol.com, not a
website at www.twinlobber.org.uk itself.
Many of the URL de-obfuscation tools given below for decoding
can result in URLs that look to you and me like absolute
Fortunately, help is at hand. Have a look at these resources:
o net.demon URL Decoder
o SamSpade URLomatic (half-way down the page)
o URL Revealer
o Downloadable Spam Decoder
o URL De-Obfuscator
How Spammers and Scammers Hide and Confuse
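A small de-obfuscator covering the tricks above (the big-decimal, octal, hex and mixed forms, the really-long dotted quad, and the username trick), added here as an example; it is not code from this FAQ or from any of the tools it links to. It relies on Python's standard urllib.parse to split the URL, so the host is whatever sits between "http://" and the first slash, and anything before an "@" in that span is thrown away, exactly as the text describes. The handling of two- and three-part numeric hosts such as "127.1" follows the classic inet_aton rules and goes beyond what the FAQ covers. The sample URLs at the bottom are constructed.

```python
"""De-obfuscate the host of a spamvertised URL (added example, not FAQ code)."""
from typing import Optional
from urllib.parse import urlsplit


def parse_part(part: str) -> int:
    """Parse one numeric component the way a browser does:
    '0x..' is hexadecimal, a leading '0' means octal, anything else is decimal."""
    if not part or not part[0].isdigit():
        raise ValueError(f"not a numeric component: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part[1:], 8)
    return int(part, 10)


def numeric_host_to_dotted_quad(host: str) -> Optional[str]:
    """Return the dotted quad a numeric host really means, or None for a domain name.

    Only the low 32 bits of a single big number matter, and in a dotted quad only
    the low 8 bits of each component (so 383.256.512.257 is just 127.0.0.1).
    Two- and three-part forms ('127.1', '127.0.1') follow inet_aton: the last part
    fills the remaining bits (an assumption beyond the FAQ text).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None  # a real domain name, not a numeric host
    widths = [8] * (len(parts) - 1) + [32 - 8 * (len(parts) - 1)]
    addr = 0
    for value, width in zip(values, widths):
        addr = (addr << width) | (value & ((1 << width) - 1))  # discard junk high bits
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def reveal_host(url: str) -> str:
    """Host the browser really connects to: userinfo before '@' dropped,
    numeric forms normalised to a dotted quad."""
    host = urlsplit(url).hostname or ""
    dotted = numeric_host_to_dotted_quad(host)
    return dotted if dotted is not None else host


if __name__ == "__main__":
    # Constructed sample URLs, one per trick described in the FAQ.
    for sample in ("http://2130706433/", "http://0x7f.0.0000.1/", "http://0177.0.0.01/",
                   "http://383.256.512.257/", "http://6425673729/",
                   "http://jjf:fred@0xA000001/",
                   "http://members.aol.com@www.twinlobber.org.uk/ispammedyou",
                   "http://members.aol.com/@www.twinlobber.org.uk/ispammedyou"):
        print(f"{sample:60} -> {reveal_host(sample)}")
```

Anything that comes back as a dotted quad can be handed straight to traceroute or whois; anything that comes back as a name is the host you should actually be looking up, regardless of what the URL appeared to say.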
1.3.1.2 Is the spammer's URL always the place to complain to?
Spammers know that no matter how hard they try to mangle their URL in
the manner described above, some people will be able to decode them.
Therefore, they sometimes try to hide their websites using other methods
Another tactic favoured by some spammers is to spamvertise one
URL but have that URL "redirect" visitors to another. In this way, the
spammer hopes to confuse us, to misdirect complaints, and if the
site that's redirected to is taken down he can just change the
redirection page to point to another, identical site and still profit
from his spam run.
Fortunately, in most cases, page redirection can be followed simply
by looking in your browser's history window. Once you recognise
this, the thing to do is complain to the hosters of both the
redirecting website _and_ the website it redirects to.
A variant on the Page Redirection trick is to have a webpage on one
site that contains a frame around a webpage on a second site; this
way the "Location:" field of the browser will contain the URL of the first
site (the one containing the frame) and not the URL of the second
site (the one containing the actual content). In Netscape, you can
get the URL of the second site by selecting "Page Info" from the
"View" menu; in Internet Explorer, right-click on the webpage and
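Redirects and frames leave traces in the page's own source: meta-refresh tags, frame and iframe sources, and script that assigns to location. The scanner below is an added example (not the FAQ's code and not one of the tools it links to) that pulls those hand-off targets out of a saved page using Python's standard html.parser, so you get the list of sites to complain about without having to spot each hop in the browser history. The page it scans is constructed and its URLs are made up.

```python
"""Find where a saved spam web page hands the visitor off to (added example)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin

# Assignments and calls that send the browser elsewhere from script, e.g.
#   window.location.href = "http://x/";   location.replace('http://x/')
# A plain '==' comparison does not match because '=' must be followed by a quote.
LOCATION_RE = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']""")


def parse_refresh(content: str) -> Optional[str]:
    """'0; url=http://x/' -> 'http://x/' (the delay before the ';' is discarded)."""
    _, sep, rest = content.partition(";")
    if not sep:
        return None
    rest = rest.strip()
    if rest[:4].lower() == "url=":
        rest = rest[4:]
    return rest.strip().strip("'\"") or None


class HandoffScanner(HTMLParser):
    """Collects (kind, absolute_url) for every meta-refresh, frame/iframe and script hop."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.in_script = False
        self.handoffs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}  # html.parser lowercases names
        if tag in ("frame", "iframe") and a.get("src"):
            self.handoffs.append(("frame", urljoin(self.base_url, a["src"])))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = parse_refresh(a.get("content", ""))
            if target:
                self.handoffs.append(("meta-refresh", urljoin(self.base_url, target)))
        elif tag == "base" and a.get("href"):
            self.base_url = urljoin(self.base_url, a["href"])  # later relative links resolve against it
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for match in LOCATION_RE.finditer(data):
                self.handoffs.append(("script", urljoin(self.base_url, match.group(1))))


def find_handoffs(html: str, page_url: str) -> List[Tuple[str, str]]:
    """Scan page source that was fetched from page_url; return every hand-off target found."""
    scanner = HandoffScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.handoffs


# Constructed sample: a spamvertised page that redirects, frames a second site,
# and hops again from script after a delay.
SAMPLE_URL = "http://members.aol.com/spam/index.html"
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://2130706433/offer.html">
</head>
<frameset rows="100%"><frame src="http://www.twinlobber.org.uk/ispammedyou/"></frameset>
<script>setTimeout(function () { window.location.href = "/bounce/next.html"; }, 3000);</script>
</html>"""

if __name__ == "__main__":
    for kind, target in find_handoffs(SAMPLE_PAGE, SAMPLE_URL):
        print(f"{kind:13} {target}")
```

Every target it reports is a host to complain about in addition to the page you started from; a numeric target such as the meta-refresh one above is the big-decimal trick from the previous section and needs decoding before you look it up.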
1.3.1.3 Why does the spammer's website's source code look so
Many spammers have learned that anti-spammers get important
information about their operations from the source code of their website.
into HTML by your web-browser in order to display the page, but when you
Fortunately, help is at hand. Have a look at these resources:
Encrypted-HTML Decryption Tools
Net.Demon Haywyre Decoder
Decrypt URLencoded HTML sources
Downloadable Spam Decoder
Alternatively, users of Internet Explorer 5.x can install the "Microsoft Web
Developer Accessories" add-on from Microsoft. With this tool you can
highlight a portion or all of a webpage, right-click (or shift+F10) and select
"View Partial Source". You now see the plain HTML that the spammer's
Some spammers go to almost insane lengths to obfuscate their websites,
but the key to remember is that they have to be decodable by your web-
browser, so they're decodable by you too. John McGowan has written an
excellent example of how he doggedly dissected a spammer's website; this
can be found at http://www.spamfaq.net/examples/cyberdetective/.
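The usual obscuring layers are percent-encoding (undone by JavaScript's unescape), document.write wrappers and character entities; since the browser has to strip them off, a script can too. Below is an added example of a layer-peeling decoder in Python, not the FAQ's code and not one of the tools listed above. The source it decodes is constructed, and the decoder deliberately stops when a pass changes nothing, so a page that re-encodes itself several times over is unwrapped round by round.

```python
"""Peel the encoding layers off an obscured web page source (added example)."""
import re
from html import unescape as html_unescape
from urllib.parse import unquote

# unescape("...") / unescape('...') calls, with the quoted argument captured
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
# document.write("...") / document.writeln('...') with the literal captured;
# the closing quote must be followed by ')' so quotes inside the literal are skipped
DOC_WRITE = re.compile(r"""document\.write(?:ln)?\(\s*(["'])(.*?)\1\s*\)""", re.S)
# JavaScript's %uXXXX form, which urllib's unquote does not know about
UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")


def js_unescape(text: str) -> str:
    """Decode a string the way JavaScript's unescape() does (%XX and %uXXXX)."""
    text = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def decode_layer(source: str) -> str:
    """Undo one round of obscuring: unescape() calls, document.write() wrappers, entities."""
    # 1. replace unescape("...") by its decoded argument, keeping the quotes so that
    #    an enclosing document.write(...) still matches in the next step
    source = UNESCAPE_CALL.sub(
        lambda m: m.group(1) + js_unescape(m.group(2)) + m.group(1), source)
    # 2. replace document.write("...") by the markup it would have written
    #    (backslash-escaped quotes inside the literal are not handled here)
    source = DOC_WRITE.sub(lambda m: m.group(2), source)
    # 3. turn &#104;&#116;... and named entities back into characters
    return html_unescape(source)


def decode_obscured_html(source: str, max_layers: int = 10) -> str:
    """Apply decode_layer until nothing changes, with a bound against endless nesting."""
    for _ in range(max_layers):
        decoded = decode_layer(source)
        if decoded == source:
            break
        source = decoded
    return source


# Constructed sample: a link hidden behind unescape(), document.write() and
# numeric entities; it decodes to a plain <a href="..."> element.
SAMPLE_SOURCE = (
    '<html><body><script>document.write(unescape("%3Ca%20href%3D%22http%3A%2F%2F'
    'www.twinlobber.org.uk%2F%22%3E%26%2367%3B%26%23108%3B%26%23105%3B%26%2399%3B'
    '%26%23107%3B%3C%2Fa%3E"))</script></body></html>'
)

if __name__ == "__main__":
    print(decode_obscured_html(SAMPLE_SOURCE))
```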
1.3.1.4 How can I stop a spammer's website doing bad things to
Some spammers' websites can do some quite nasty tricks, such as
switching Internet Explorer to full-screen mode and not letting you escape,
or opening lots of pop-ups, or re-opening the site every time you try to
leave it, and so forth. If you use IE, you can put the spammer's site in
and anything else on the site the spammer will try to trick or trap you with.
You can also use the advert-removing program WebWasher to prevent
However, beware; some spammers know that many anti-spammers surf
websites will immediately redirect you elsewhere if they detect you have
1.3.1.5 What if a spammer's website has disabled right-click?
Spammers know that anti-spammers get a lot of information about their
revenue chains by looking at the source code of their website. So they
clicks on their webpage to prevent the context-sensitive menu containing
the "view source" option in Netscape and Internet Explorer from appearing.
In Internet Explorer, you can also type into the Address box "view-source:"
followed by the URL in question to see the page source, for example
browser, but there is also a simpler solution, as the "view" menu on the
menu bar allows you to bring up the page source in some versions of IE and
Netscape. Alternatively, Shift+F10 will simulate a right-click in some
browsers. Some Windows keyboards also have a "context-sensitive menu
key" which can be used to call up the menu you'd normally get by right-
clicking. Note that some spammers' webpages will now intercept these
keypresses as well as the right-click, but the "view" menu on the menu bar
should still work. (If the website contains frames you'll only get the source
of the frameset - type the URL of the frame itself into your browser.
Sometimes it'll automatically stick itself back in the frame - if this happens,
1.3.2 What can I do about Spam-Supporting ISPs?
Most ISPs hate spam. Sometimes, however, you'll come across an ISP that
is either utterly clueless or refuses point-blank to act against its spamming
customers. In these cases, there are a number of steps you can undertake.
Spam Reaper's Spamfighting for Newbies (especially relevant to spam from spamfriendly
The first step is to check the archives to see whether anyone else is having
a problem with this spammer or with this ISP. If you can contact others
who are having the same problems as you, you can pool your resources to
better achieve an effect.
1.3.2.1.1 news.admin.net-abuse.sightings & groups.google.com
news.admin.net-abuse.sightings is a newsgroup for reporting - not
discussing - instances of Internet abuse. The idea is that anti-spammers
post instances of the spam they see to this newsgroup, and then other
anti-spammers can look in this newsgroup to see if other people are
getting the same spam as they are.
But it gets better. Google's newsgroup archiving service at
http://groups.google.com/ archives most postings to news.admin.net-
abuse.sightings (along with most postings to most newsgroups); you can
use the advanced search feature to search these archives for instances of
a particular spam! For example, if you've received a spam advertising the
website "www.iamareallybadassspammer.com" you could search for
"www.iamareallybadassspammer.com" in the forum (Google-speak for
"newsgroup") "news.admin.net-abuse.sightings" and find some other
people who have been spammed by that spammer.
Incidentally, the Google archives for news.admin.net-abuse.email are also
a very useful resource for priming yourself on specific issues. There are
few new ideas; most spam-related issues will have been discussed in this
newsgroup at some point or another, and many spammers have too.
Google's Advanced Newsgroups Search
1.3.2.1.2 Halls of Shame
news.admin.net-abuse.sightings is a very useful resource but sometimes
you need something a little more structured. Unlikely as it may seem, there
are anti-spammers who dedicate whole websites to keeping track of the
unrepentant spammers and those who run spam-support services. These
can be very useful in discovering a spammer's M.O., or just why you're
having trouble getting a spammer's account at a certain ISP killed. Here's
just a handful of such sites...
The Spamhaus Project tracks spam support services and spam-friendly
ISPs, and displays the results in a number of easy-to-navigate formats,
with links to "whois" information, relevant abuse addresses, and the like.
As well as currently-active spamhausen it lists deceased spamhausen,
including how many times they have been terminated and by which ISPs,
and when. There's even a "league" of leading spam-support services.
The Spamhaus Project
In a similar vein is Sapient Fridge's Spamware Sites Listing; a list of
websites that are selling Spamware or supporting Spam in other material
ways, each coming with various service providers (with cross-references),
handy links to traceroute tools, and their status with the MAPS RBL.
Sapient Fridge's Spamware Sites Listing!
The Spammer Quick Reference Guide has by no means as many technical
whizz-bangs, but it looks like a quite useful list of who's spamming what.
Spammer Quick Reference
ROKSO is a good reference of hard-core spam operations that get thrown
off Internet providers time after time after time.
ROKSO (Register of Known Spam Operations)
SenderBase seems to be a good way of checking the spam-reputation of
a domain or I.P. address, including blacklists and other statistics:
1.3.2.1.3 Posting in news.admin.net-abuse.email
If this research turns up a blank, then don't forget that a great way to
contact other spamfighters about a suspected spam-supporting ISP is to
post in news.admin.net-abuse.email.
Sometimes an ISP will support their spamming customer simply because
the ISP themselves don't realise that spam is bad. In these cases, it may
be worthwhile taking time to briefly explain (patiently and without
expletives) the problems around spam and why the ISP should take action
against their spamming customers.
If you try this, you'll soon be able to tell whether an ISP is genuinely
ignorant and confused or is purposefully supporting spam.
1.3.2.2.1 What if the ISP doesn't speak English?
There are an increasing number of ISPs, most notably those in the Far East,
but also some in Europe and other parts of the non-English-speaking
majority of this planet, where the technical contacts don't speak English.
This can obviously lead to a communication difficulty if you yourself aren't
fluent in their native language.
One solution is to use the Babelfish automatic translation service, but this
technology can be a little flaky at times. It's probably better to get a
bilingual friend to translate for you if at all possible.
For persistent spammers from foreign countries, you may be able to seek
help from some of the foreign-language email abuse newsgroups, such
it.news.net-abuse - Italian net abuse newsgroup
fr.usenet.abus.d - French net abuse newsgroup
de.admin.net-abuse.mail - German net-abuse newsgroup
hr.news.net-abuse - Croatian net-abuse newsgroup
nl.internet.misbruik - Dutch net-abuse newsgroup
pl.news.mordplik - Polish net-abuse newsgroup
As a last resort, there are some anti-spam documents written in non-
English languages, to which you may be able to refer non-English-
(All suggestions for this section are greatly appreciated!)
BabelFish translation service
Boiler-plate open relay LARTS in many languages
Chinese Spam FAQ
de.admin.net-abuse.mail FAQ (German)
Esperanto Anti-Spam FAQ
French Anti-spam FAQ
German Header-Reading Tutorial
Italian Spamfighting Tutorial
Japanese Anti-Relay Links
Spamming Warfare - German spamfighting site
1.3.2.3 Contact their Upstream
An ISP's "upstream" is a bit like an ISP's ISP. Apart from a few very large
ISPs called "backbones", every ISP purchases its connectivity with the rest
of the Internet from one or more other ISPs, which are called the
"upstreams" of the first ISP. Many of these upstreams will have clauses in
their contracts about spam, and if you can show them that their customer
is allowing spam to come through their networks, they may well cut them
off or pressure them to take action.
Occasionally, you'll find that a spammer has tricked you into thinking
you're complaining to their ISP when really you're complaining to the
spammer himself. In these cases, by going upstream you'll find the
spammer's real ISP.
If an upstream provider refuses to act, you can try _their_ upstream
provider, and so forth until you reach a backbone.
1.3.2.4 Publicise their Spam-Supporting
Spam is unpopular, so if you publicise the fact that a large organisation is
supporting spam, then you may be able to force them to change their mind.
A posting about them in news.admin.net-abuse.email is a good place to
start. If the provider has their own newsgroups, then possibly one of them
might be appropriate for a posting too. And then, if you're really
determined, you can move on to online magazines, newspapers, and so
A very controversial tactic is that sponsored by http://www.bitch-list.net/.
This is a service a little like abuse.net, except that it forwards email to
_every_ known contact address for abusive and unresponsive ISPs. The
idea is that by forwarding abuse reports to as many officials and unrelated
departments as possible, the message will get through somehow.
However, this is considered by many (including the faq-maintainer) to be
sending Unsolicited Bulk Email and thus wrong. And even if you can get
over that moral hurdle, it is extremely impolite.