
tomhudson's Journal: Fighting Spam - Alice's Restaurant Style

Instead of filtering it, here's what I've started doing:
  1. Look at the header info. Get the IP of the machine that sent it to my mail server.
    Example: "whois 219.75.16.60". This gives me the connectivity provider (netname) - SINGNET-SG
  2. Drop a zero into the 4th quad: "whois 219.75.16.0" - still the same provider, as expected.
  3. Drop a zero into the 3rd quad: "whois 219.75.0.0" - still the same provider.
  4. Drop a zero into the 2nd quad: "whois 219.0.0.0" - BBTECH - the provider's provider - just who I want!
    Forward email to abuse contact (in this case abuse@bbtec.net)

Yesterday was a bit more fun - forwarded one to Level3 and, since it was real estate spam with valid contact info, cc'd them. Level3 replied within the hour.

What are they going to do - send me more spam?

I've had good results with Yahoo as well.

Google - they don't answer, but hopefully they do something about it ...

Anyway, here's where Alice's Restaurant comes in. If I do this, it's no big deal. But if I tell everyone I know, and 10% of them start sending one or two spam notifications a day, and telling others how to do it, and they tell everyone ...

My guess is that if enough people start doing it, the spammers will have to implement better lists of email addresses NOT to spam - and that's a list you want to be on.
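As an added example (not part of the original journal, and not the author's script), this Python sketch covers step 1 and the whois read-out: it takes the sending IP only from the Received header written by your own mail server, then pulls the inetnum, netname and abuse address out of whois output and checks that the inetnum range actually covers that IP. The host name mx.example.org, the sample message, the inetnum range and the abuse address are constructed placeholders; only 219.75.16.60 and SINGNET-SG come from the post.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: only the top Received header was written by our own
# server (mx.example.org, hypothetical); anything below it can be forged.
SAMPLE_MESSAGE = (
    "Received: from mail.sender.example (unknown [219.75.16.60])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 0000000000;\n"
    "\tMon, 1 Jan 2007 10:00:00 -0500\n"
    "Received: from localhost ([10.1.2.3]) by mail.sender.example;\n"
    "\tMon, 1 Jan 2007 09:59:58 -0500\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed whois-style reply; the range and the contact are placeholders.
SAMPLE_WHOIS = (
    "% constructed sample output\n"
    "inetnum:        219.75.0.0 - 219.75.127.255\n"
    "netname:        SINGNET-SG\n"
    "abuse-mailbox:  abuse@provider.example\n"
)

def sending_ip(raw_message, my_server):
    """Return the peer IP our own server recorded, or None."""
    for received in message_from_string(raw_message).get_all("Received", []):
        hop = " ".join(received.split())  # unfold continuation lines
        if f" by {my_server} " in hop:  # first hit is the header we wrote
            match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
            ip = ipaddress.ip_address(match.group(1)) if match else None
            return str(ip) if ip is not None and ip.is_global else None
    return None

def parse_whois(text):
    """Collect inetnum, netname and abuse addresses from whois output."""
    info = {"inetnum": None, "netname": None, "abuse": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or key.startswith(("%", "#")):
            continue  # comment line or not a "key: value" pair
        if key in ("inetnum", "netname"):
            info[key] = info[key] or value  # keep the first record seen
        elif "abuse" in key:
            info["abuse"] += re.findall(r"[\w.+-]+@[\w.-]+", value)
    return info

def in_range(ip, inetnum):
    """True if ip lies inside a 'first - last' inetnum range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return first <= ipaddress.ip_address(ip) <= last
```

In real use the text passed to `parse_whois` would be the output of `whois` for the full IP; field names differ between registries, so the keys matched here are an assumption based on the RPSL-style layout shown in the sample.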

Comments:
  • On behalf of all of us who had been too lazy to learn how to do this - thank you.
    Typing/spelling lesson of the day: "Restaurant: r-e-s-t-a-u-r-a-n-t, restaurant."

  • Which becomes fun when they find out. My dad did exactly that and became the target of a Joe-Job [wikipedia.org]. Then you bite your tongue and wish you never did it.
    • Let them joe-job all they want -

      • it's not to my main account :-)
      • everyone who falls for said joe job will be notified, and given instructions as to how to find the real spammer - great way to recruit new bodies.

      Maybe I'll script the whole thing ...

      • it's not to my main account :-)

        Good thing.... Still, it will make that account unusable.

        everyone who falls for said joe job will be notified, and given instructions as to how to find the real spammer

        I strongly doubt that. You will get thousands of "Not Deliverable" emails, hundreds of emails from people with non-RFC compliant mailservers, more of people using whitelists and then a handful of people actually replying. This *per hour*. You'll also note that those who reply will not be the people you want to

  • Maybe if you provided a web service to do the heavy lifting, you would get people to send the emails.

    Or a cgi in perl, so I can put it on my own machine and not have to remember your techniques... in goes the domain, out comes the higher level emails, highlighting the first non-cutout.

    • Actually, that's not a bad idea. I was going to do it as a perl script on the local machine, but a web thing wouldn't be a bad idea ...
  • My Gmail account gets from dozens to a hundred+ spams per day.

    I don't see them. I don't care about them. Not the most economically efficient approach to spam, but, well, Google has some damn fine spam filters.

    • gmail is also the #1 host of spammers. The reason you don't see them is that, if they catch it after it's sent but before you look at it, they can reclassify it as spam. Post-hoc spam filtering is a lot easier than real-time spam filtering, which gmail fails at.

      I get more bogus crap from gmail than from everywhere else combined.

  • Please don't abuse whois like that.

    Do a whois on the *full* IP only, then use traceroute to determine provider chains.

    In this case BBTECH has nothing to do with it, they just have the first /10 of 219/8 (see the inetnum line of whois output).

  • I used to do this back in the day. But the problem is just so extreme now, there isn't a hope in hell of me being able to do so. FWIW, I'm currently getting 10,000+ per day. I have pretty effective filters, and only get a false negative perhaps once a fortnight. Because of the sheer quantity, I automatically delete positives, so I have no way of checking how many false positives I get, but I don't seem to be missing any mail, so I'd say it's very few. But to respond to individual messages? It's just not goi
