Sponsored by:

GFi MailEssentials
Hosted Spam Filtering
30 day trial FREE!


Home
About Spam
Help for Users
Help for Sysadmins
Help for Marketers
FAQS
Join Us
Link to Us
Site Index
About Us
Editor's Blog

Promote Responsible Net
Commerce: Fight Spam!
Fight Spam with Anti-spam Software for Exchange Server, now try it for 30days for FREE!

Pyramid schemes are turning up more and more on the newsgroups nowadays, as each newbie thinks he/she has discovered a simple way to make some easy money. Most of them believe the disclaimers that this is actually legal (some with tortured reasoning and citings of the postal laws). Of course they are not; most countries have laws against this sort of thing. Check out the US Postal Service for their view.

These people do a cross posting to as many groups as possible, so posting a followup comment here is futile. Either they stopped in just this once to post or, much more likely, they have never been here and never will. Sending flames back to them personally is fun but not a good idea; part of my local server network broke down once because of it (see the story near the bottom).

The method I recommend is to write to their postmaster. Believe me, this does work, I have received quite a few responses saying that they either have bounced the user or have given a warning that if they ever do it again they are toast; I've gotten back as many as six in one day. Every, repeat every time you come across one of these posts do the following (forgive me if this seems obvious to some of you but I have gotten a lot of E-mail asking for specifics). The button pushes described relate to FreeAgent; if you use something else it will give you the general idea.

  1. click on Article in the top row, click on Show All Header Fields
  2. Highlight this information from the posting and do Edit, Copy. You will want to include this in your letter
  3. click Post Reply via E_Mail. Put your cursor on the line after "you wrote:" and Edit, Paste the information from step 1.
  4. Look for the person who posted it. It is often right there in the "To" box with their net address, although the more clever try to steer you away. If they changed it to try disguising where they are look at the header info you just pasted in. Check out the line "NNTP-Posting-Host" as it's the hardest one for an amateur to fake. You also might note the path it took to get to the group; the last one on the list may be the entry point.
  5. edit the first line so it winds up something like:
    On Sept 24 1996 at 12:45am EST your subscriber posted the above illegal pyramid scheme
  6. In the "TO" box change the address to postmaster@<the address you found>
  7. Be sure to delete the copy of the scam itself (except perhaps the names and addresses) before you push SEND. Hold down the left mouse button and highlight the whole thing, then click Edit, Delete.
One postmaster helped me to appeciate this by responding:
>This user has been dealt with. To make better use of bandwith, sending
>just the header is enough. With the header, we can check that the
>posting was made and what kind of post it was. Sending the whole post
>uses up bandwidth, I have received this post over 200 times in the last
>24 hours.

If we keep working at it maybe this scheme will bite the dust. Or maybe not. The least we can do is to keep stomping down each new outbreak.

A newsletter from my server had the following item:
>Recently customers in the NH realm have been experiencing intermittant
>trouble retreiving their e-mail. This was caused in part by an individual
>sending out massive e-mail SPAMs. They received 100's of Megabytes of
>angry replies. Eventually they filled up the disk we use to house mail in
>NH. This prevented other customers from receiving e-mail during this time.
>A new and larger disk is currently on order for the NH mail server and
>should be installed shortly.

Remember, send it to the postmaster, don't risk trashing the server.

By the way, I only cruise a few dozen boards myself so please feel free to make a copy of this and post it to the boards you visit. The wider the exposure the better.


Addendum: I received a reply recently with something I overlooked. Another way to look up the sender is to note the information on the last name on the list (#5, the one who posted it) and trot on over to www.WhoWhere.com. You can often look up the user there, including their ISP.

Another poster pointed out that your target may not even be the fifth name. Some of the copies have six names now, and others move themselves up to positions three or four to get the money flowing even sooner.

Back to Spammers do more than Spam.


Robert Ames / boba4@ma.ultranet.com