; 1 - Egloos
Learning Center
Plans & pricing Sign in
Sign Out
Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

1 - Egloos


  • pg 1

                        1.3 Advanced Spamfighting

1.3.1 Spammer Tricks What are these weird URLs?

Some spammers try to "obfuscate" the address of their website in order to
make it hard to see where to complain to. A number of common tactics

      The Non-Dotted-Quad IP address

       Most IP addresses have the "dotted-quad" form:


       However, the IP address is also valid as one big decimal number,


       The spammer hopes that by giving you the address in this form,
       you'll be confused. However, tools like traceroute and whois will
       quite happily work on either dotted-quads or big decimal numbers.
       If you're happier working with the dotted quads, there's a tool at
       http://combat.uxn.com/ that will convert back to them.

       IP addresses can also be represented in Octal (prefixed '0') or
       hexadecimal (prefixed '0x'), or even as a mixture of these within a
       dotted quad, in which case the above IP address might become:


       The key thing to remember is that if it works in your web browser, it'll
       work in traceroute and whois too, so all this obfuscation by the
       spammer is really a wasted effort on their part. What a shame. :)


      The Really Long Dotted-Quad IP address

       The dotted-quad I.P. address is just a way of representing a 32-bit
       number using four 8-bit numbers. It's a bit like the way you might
       right "1153" as one thousand, one hundred, five tens and three units.
       Now, in a dotted-quad only the lowest eight bits of each number are
       significant - to continue the above analogy, if we had "one thousand,
       twenty-one hundreds, five tens and three units", we'd discard the
       "twenty" from the "hundreds" column (because that would mean an
       extra two thousands and if we really wanted them we'd have put
       them in the "thousands" column, so it must be an error, right?) and
       still be left with the number "1153".

       Some spammers make use of this by setting the high-bits of the
       four numbers in the dotted quad to make the I.P. address rather long
       and confusing. For example:


       It looks daunting, but dealing with it is quite simple. Just take each
       of the four dotted quads and ignore all but the eight lowest bits (ie
       divide each by 256 and take the remainder). In the example above,
       you'll end up with:


       and from here you've got the I.P. address and can continue as

       Note that only the least-significant 32 bits have meaning in an I.P.
       address; any other bits are put there by the spammer to further
       confuse us.

       Alternatively, the URL de-obfuscator at http://combat.uxn.com/ will
       happily decode this kind of really-long-dotted-quad URL for you.


      The Username Trick

       You can specify a username and password in a URL using the @
       symbol. For example:


       will log me into www.myreallysecurewebsite.com using the username
       "jjf" and the password "fred". But if www.myreallysecurewebsite.com
       didn't need a username & password, the username & password are
       ignored. Spammers use this to conceal their website's location. For
       example, is the following website located on members.aol.com or


       If you know this trick, it's fairly easy to see through it, so the
       spammers have now taken to trying a double-bluff. The username
       has to come before the first slash after the "http://" bit, and so the
       spammers try things like this:


       This URL references the directory
       "@www.twinlobber.org.uk/ispammedyou" at members.aol.com, not a
       website at www.twinlobber.org.uk itself.

       Many of the URL de-obfuscation tools given below for decoding
       Javascript-encoded URLs will also deal with this trick.

      JavaScript

       A _really_ nasty technique is to encode the URL in JavaScript; this
       can result in URLs that look to you and me like absolute

       Fortunately, help is at hand. Have a look at these resources:

          o   net.demon URL Decoder


          o   SamSpade URLomatic ((half-way down the page))
          o   De-obfuscating JavaScript
          o   URL Revealer
          o   Downloadable Spam Decoder
          o   URL De-Obfuscator

                                                                 RELATED LINKS
                                     How Spammers and Scammers Hide and Confuse Is the spammer's URL always the place to complain to?

Spammers know that no matter how hard they try to mangle their URL in
the manner described above, some people will be able to decode them.
Therefore, they sometimes try to hide their websites using other methods
as well...

      Page Redirections

       Another tactic favoured by some spammers is to spamvertise one
       URL but have that URL "redirect" visitors to another. In this way, the
       spammer hopes to confuse us, to misdirect complaints, and if the
       site that's redirected to is taken down he can just change the
       redirection page to point to another, identical site and still profit
       from his spam run.

       Fortunately, in most cases, page redirection can be followed simply
       by looking in your browser's history window. Once you recognise
       this, the thing to do is complain to the hosters of both the
       redirecting website _and_ the website it redirects to.

      Frames

       A variant on the Page Redirection trick is to have a webpage on one
       site that contains a frame around a webpage on a second site; this
       way "Location:" field of the browser will contain the URL of the first
       site (the one containing the frame) and not the URL of the second


       site (the one containing the actual content). In Netscape, you can
       get the URL of the second site by selecting "Page Info" from the
       "View" menu; in Internet Explorer, right-click on the webpage and
       select "Properties". Why does the spammer's website's source code look so

Many spammers have learned that anti-spammers get important
information about their operations from the source code of their website.
So they've taken to encoding their webpages in JavaScript; this is decoded
into HTML by your web-browser in order to display the page, but when you
try to look at the source you just see gobbledegook-like Javascript.

Fortunately, help is at hand. Have a look at these resources:

      Encrypted-HTML Decryption Tools
      De-obfuscating JavaScript
      SamSpade JavaScript Browser ((half way down the page))
      Net.Demon Haywyre Decoder
      Decrypt URLencoded HTML sources
      Downloadable Spam Decoder

Alternatively, users of Internet Explorer 5.x can install the "Microsoft Web
Developer Accessories" add-on from Microsoft. With this tool you can
highlight a portion or all of a webpage, right-click (or shift+F10) and select
"View Partial Source". You now see the plain HTML that the spammer's
JavaScript sent to your browser.

Some spammers go to almost insane lengths to obfuscate their websites,
but the key to remember is that they have to be decodable by your web-
browser, so they're decodable by you too. John McGowan has written an
excellent example of how he doggedly disected a spammer's website; this
can be found at http://www.spamfaq.net/examples/cyberdetective/.

http://www.spamfaq.net/spamfighting.shtml How can I stop a spammers' website doing bad things to
my computer?

Some spammers' websites can do some quite nasty tricks, such as
switching Internet Explorer to full-screen mode and not letting you escape,
or opening lots of pop-ups, or re-opening the site every time you try to
leave it, and so forth. If you use IE, you can put the spammer's site in
"Restricted Mode" which will disable all JavaScript, Java, ActiveX, cookies
and anything else on the site the spammer will try to trick or trap you with.
In other browsers you can disable JavaScript and Java from the
configuration window.

You can also use the advert-removing program WebWasher to prevent
abusive JavaScript code from executing. Look for it at

However, beware; some spammers know that many anti-spammers surf
with JavaScript permanently disabled and have written websites that look
as if they have been killed if JavaScript is disabled yet are still fully
functional for surfers with JavaScript enabled. Some other spammers
websites will immediately redirect you elsewhere if they detect you have
disabled JavaScript. What if a spammer's website has disabled right-click?

Spammers know that anti-spammers get a lot of information about their
revenue chains by looking at the source code of their website. So they
have taken to writing little bits of JavaScript that intercept right-mouse-
clicks on their webpage to prevent the context-sensitive menu containing
the "view source" option in Netscape and Internet Explorer from appearing.

In Internet Explorer, you can also type into the Address box "view-source:"
followed by the URL in question to see the page source, for example


This can, of course, be circumvented by deactivating JavaScript in your
browser, but there is also a simpler solution, as the "view" menu on the
menu bar allows you to bring up the page source in some versions IE and
Netscape. Alternatively, Shift+F10 will simulate a right-click in some
browsers. Some Windows keyboards also have a "context-sensitive menu
key" which can be used to call up the menu you'd normally get by right-
clicking. Note that some spammer's webpages will now intercept these
keypresses as well as the right-click, but the "view" menu on the menu bar
should still work. (If the website contains frames you'll only get the source
of the frameset - type the URL of the frame itself into your browser.
Sometimes it'll automatically stick itself back in the frame - if this happens,
disable JavaScript. If the page requires JavaScript, try using the w3c.org

1.3.2 What can I do about Spam-Supporting ISPs?

Most ISPs hate spam. Sometimes, however, you'll come across an ISP that
is either utterly clueless or refuses point-blank to act against its spamming
customers. In these cases, there are a number of steps you can undertake.

                                                                      RELATED LINKS
 Spam Reaper's Spamfighting for Newbies (especially relevant to spam from spamfriendly
                                                                            providers) Research

The first step is to check the archives to see whether anyone else is having
a problem with this spammer or with this ISP. If you can contact others
who are having the same problems as you, you can pool your resources to
better achieve an affect. news.admin.net-abuse.sightings & groups.google.com


news.admin.net-abuse.sightings is a newsgroup for reporting - not
discussing - instances of Internet abuse. The idea is that anti-spammers
post instances of the spam they see to this newsgroup, and then other
anti-spammers can look in this newsgroup to see if other people are
getting the same spam as they.

But it gets better. Google's newsgroup archiving service at
http://groups.google.com/ archives most postings to news.admin.net-
abuse.sightings (along with most postings to most newsgroups); you can
use the advanced search feature to search these archives for instances of
a particular spam! For example, if you've received a spam advertising the
website "www.iamareallybadassspammer.com" you could search for
"www.iamareallybadassspammer.com" in the forum (Google-speak for
"newsgroup") "news.admin.net-abuse.sightings" and find some other
people who have been spammed by that spammer.

Incidentally, the Google archives for news.admin.net-abuse.email are also
a very useful resource for priming yourself on specific issues. There are
few new ideas; most spam-related issues will have been discussed in this
newsgroup at some point or another, and many spammers have too.

                                                                     RELATED LINKS
                                              news.admin.net-abuse.sightings Charter
                                              Google's Advanced Newsgroups Search Halls of Shame

news.admin.net-abuse.sightings is a very useful resource but sometimes
you need something a little more structured. Unlikely as it may seem, there
are anti-spammers who dedicate whole websites to keeping track of the
unrepentant spammers and those who run spam-support services. These
can be very useful in discovering a spammer's M.O., or just why you're
having trouble getting a spammer's account at a certain ISP killed. Here's
just a handful of such sites...


The Spamhaus Project tracks spam support services and spam-friendly
ISPs, and displays the results in a number of easy-to-navigate formats,
with links to "whois" information, relevant abuse addresses, and the like.
As well as currently-active spamhausen it lists deceased spamhausen,
including how many times they have been terminated and by which ISPs,
and when. There's even a "league" of leading spam-support services.

      The Spamhaus Project

In a similar vein is Sapient Fridge's Spamware Sites Listing; a list of
websites that are selling Spamware or supporting Spam in other material
ways, each coming with various service providers (with cross-references),
handy links to traceroute tools, and their status with the MAPS RBL.

      Sapient Fridge's Spamware Sites Listing!

The Spammer Quick Reference Guide has by no means as many technical
whizz-bangs, but it looks like a quite useful list of who's spamming what.

      Spammer Quick Reference

ROKSO is a good reference of hard-core spam operations that get thrown
off Internet providers time after time after time.

      ROKSO (Register of Known Spam Operations)

SenderBase seems to be a good way of checking the spam-reputation of
a domain or I.P. address, including blacklists and other statistics:

      SenderBase Posting in news.admin.net-abuse.email

If this research turns up a blank, then don't forget that a great way to
contact other spamfighters about a suspected spam-supporting ISP is to
post in news.admin.net-abuse.email.

http://www.spamfaq.net/spamfighting.shtml Education

Sometimes an ISP will support their spamming customer simply because
the ISP themselves don't realise that spam is bad. In these cases, it may
be worthwhile taking time to briefly explain (patiently and without
expletives) the problems around spam and why the ISP should take action
against their spamming customers.

If you try this, you'll soon be able to tell whether an ISP is genuinely
ignorant and confused or is purposefully supporting spam. What if the ISP doesn't speak English?

There are an increasing number of ISPs, most notably those in the Far East,
but also some in Europe and other parts of the non-English-speaking
majority of this planet, where the technical contacts don't speak English.
This can obviously lead to a communication difficulty if you yourself aren't
fluent in their native language.

One solution is to use the Babelfish automatic translation service, but this
technology can be a little flakey at times. It's probably better to get a
bilingual friend to translate for you if at all possible.

For persistent spammers from foreign countries, you may be able to seek
help from some of the foreign-language email abuse newsgroups, such

it.news.net-abuse - Italian net abuse newsgroup
fr.usenet.abus.d - French net abuse newsgroup
de.admin.net-abuse.mail - German net-abuse newsgroup
hr.news.net-abuse - Croatian net-abuse newsgroup
nl.internet.misbruik - Dutch net-abuse newsgroup
pl.news.mordplik - Polish net-abuse newsgroup

                                       - 10 -

As a last resort, there are some anti-spam documents written in non-
English languages, to which you may be able to refer non-English-
speaching providers.

(All suggestions for this section are greatly appreciated!)

                                                                       RELATED LINKS
                                                          BabelFish translation service
                                     Boiler-plate open relay LARTS in many languages
                                                                   Chinese Spam FAQ
                                                de.admin.net-abuse.mail FAQ (german)
                                                            Esperanto Anti-Spam FAQ
                                                               French Anti-spam FAQ
                                                      German Header-Reading Tutorial
                                                           Italian Spamfighting Tutorial
                                                            Japanese Anti-Relay Links
                                        Spamming Warfare - German spamfighting site Contact their Upstream

An ISP's "upstream" is a bit like an ISP's ISP. Apart from a few very large
ISPs called "backbones", every ISP purchases its connectivity with the rest
of the Internet from one or more other ISPs, which are called the
"upstreams" of the first ISP. Many of these upstreams will have clauses in
their contracts about spam, and if you can show them that their customer
is allowing spam to come through their networks, they may well cut them
off or pressure them to take action.

Occasionally, you'll find that a spammer has tricked you into thinking
you're complaining to their ISP when really you're complaining to the
spammer himself. In these cases, by going upstream you'll find the
spammer's real ISP.

If an upstream provider refuses to act, you can try _their_ upstream
provider, and so forth until you reach a backbone.

                                       - 11 -
http://www.spamfaq.net/spamfighting.shtml Publicise their Spam-Supporting

Spam is unpopular, so if you publicise the fact that a large organisation is
supporting spam, then you may be able to force them to change their mind.
A posting about them in news.admin.net-abuse.email is a good place to
start. If the provider has their own newsgroups, then possibly one of them
might be appropriate for a posting too. And then, if you're really
determined, you can move on to online magazines, newspapers, and so
forth. Bitching

A very controversial tactic is that sponsored by http://www.bitch-list.net/.
This is a service a little like abuse.net, except that it forwards email to
_every_ known contact address for abusive and unresponsive ISPs. The
idea is that by forwarding abuse reports to as many officials and unrelated
departments as possible, the message will get through somehow.

However, this is considered by many (including the faq-maintainer) to be
sending Unsolicited Bulk Email and thus wrong. And even if you can get
over that moral hurdle, it is extremely impolite.

                                       - 12 -

To top