Sponsored by:

GFi MailEssentials
Hosted Spam Filtering
30 day trial FREE!


Home
About Spam
Help for Users
Help for Sysadmins
Help for Marketers
FAQS
Join Us
Link to Us
Site Index
About Us
Editor's Blog

Promote Responsible Net
Commerce: Fight Spam!
Fight Spam with Anti-spam Software for Exchange Server, now try it for 30days for FREE!

How To Complain To The Spammer's Provider

The first step is finding out who to complain to. This can be a little bit complicated. There is often little point in complaining to the guilty party themself in most cases; complain to whoever is providing them with internet access. However, if you aren't sure, and think there is a significant chance that the sender is really ignorant, rather than disobedient, of email norms, you might try complaining to the sender.

Finding out who to complain to can be broken down into several steps. The first one is determining the domain name the spammers are using. One good place is if the body of the message includes an email address to reply to or a web page to look at. This will often be via a different provider than the one used to send the spam, but many providers forbid either use of their services by spammers.

To find out where the spam originates, tell your mail reader to display all the headers and look at the "Received" lines. Then read the Received lines from top to bottom. For example:

To: kingdon@legit.com
Received: from relay.yoyolink.net (ns2.yoyo.com [127.10.58.3]) by legit.com with SMTP id WAA12684 for <kingdon@legit.com>; Thu, 21 Nov 1996 22:28:08 -0800
Received: from forged.example.com (slime.spammer.com [10.71.84.44]) by relay.yoyolink.net (8.8.3/8.8.3) with SMTP id GAA02044 for <kingdon@legit.com>; Fri, 22 Nov 1996 01:23:46 -0500

Your own site (legit.com) got this message from ns2.yoyo.com, which in turn got it from slime.spammer.com. Intermediate sites, such as yoyo.com in this example, may simply be sites which allow anyone to forward mail using their mailer. Don't assume they are connected with the spammer or the spammer's provider, but you might want to let them know their system is being used for this purpose. You can ignore all the stuff about with and id and so on.

With experience, and/or by consulting various sources, you will learn more about Received lines, and the ways that they can vary. But the basic principle is still to read them from top to bottom, and to understand that each computer which handled the message added one or more Receieved lines. Thus each Received line may originate from your site, the spammer's site, or somewhere in between.

Once you have a suspect domain name, try to find out what kind of organization has that name. One way is to look on the various anti-spam web sites, newsgroups, and other resources. If the site has a reputation as a site which does a good job of fighting spam, you complain to them. If it is a site which is known to not respond to complaints, despite persistent and repeated attempts, you complain to their upstream provider (see section on traceroute below).

You can see if an entity has a web page by taking the domain name and add "www." to the start (use of "www." is just a convention, but it is a widely followed one). If you see a page with content similar to the email spam you received, you've probably identified the bad guys (however most, but not all, spammers are too lazy to write a web page). If you see a page telling you about internet access services and other types of legitimate business, you've probably identified the proper party to complain to.

If you have identified the offending site and you want to find who their upstream provider is, use the "traceroute" tool. You need to give it the machine name to trace to, for example slime.spammer.com in the above example. If traceroute is accessible to you on your local system, simply invoke "traceroute slime.spammer.com". If not, there are many web->traceroute gateways; searching for "traceroute" in one of the internet search engines should find one. Either way, the output from traceroute will look something like this:

traceroute to slime.spammer.com (127.126.32.23), 30 hops max, 40 byte packets
 1  siamese.legit.com (127.39.1.134)  206 ms  177 ms  198 ms
 2  persian.legit.com (127.39.1.129)  203 ms  191 ms  188 ms
 4  SR1.gotham-city.major.net (127.39.100.73)  174 ms  190 ms  208 ms
 5  core4.gomorrah.major.net (127.39.33.133)  180 ms  182 ms  159 ms
 6  retrolink-gw.gomorrah.major.net (127.157.77.25)  169 ms  185 ms  189 ms
 7  router1.retrolink.net (127.70.1.122)  469 ms  365 ms  239 ms
 8  spammer-gw.retrolink.net (127.70.1.122)  429 ms  242 ms  239 ms
 9  slime.spammer.com (127.70.3.98)  519 ms  275 ms  309 ms

This means that to get from your site (or the site hosting the web->traceroute gateway) to slime.spammer.com, data first passes through legit.com, then major.net, then retrolink.net, and finally to spammer.com. So if spammer.com is the guilty party then normally you would complain to retrolink.net. If you have reason to believe that retrolink.net is uncooperative then you could escalate by complaining to major.net. This should be done only after repeated attempts to persuade retrolink have been unsuccessful. Even sites with good spam control policies will occasionally get a spammer, so the mere fact that you have received one spam, or a handful of unrelated spams, is not by itself sufficient reason to escalate.

If you are unsure about whether you are complaining to the right party, it is good to say this in your complaint, and ask the complainee to forward the message to the appropriate party if need be. In general, especially if you are unsure, you should err on the side of complaining to only one site, and not involving sites with a distant relationship to the spammer. Help give spam-fighting a good name among providers.

You can find the email address to complain to by first seeing if the organization in question has a web page with a contact address. Generally you want the network abuse address if there is one, or if not try to figure out what the closest choice is. An alternative is the complaint forwarding service at abuse.net. If none of these seem feasible, you can always try postmaster@<the provider's site>. According to the internet standard RFC822 (STD 11), all sites are supposed to have such a mailbox.

Be polite. This is very important--you catch more flies with honey than vinegar. A good generic wording is "This is unsolicited, undesired email. Please take appropriate actions to stop it, or see http://spam.abuse.net/ for how/why you should" or take a look at a sample complaint letter. You might want to tailor your message if you have more knowledge of the provider's position on spam. Keep in mind that the people who read the abuse alias are not there to be abused, they're there to stop the abuse.

Include the full headers of the message you are complaining about, if possible. In most mail readers there is a special command to display all the headers. Make especially sure you include the Received headers - the provider can take no action without them.

After you send your complaint you probably won't get any response. But this doesn't necessarily mean that the provider has taken no action; often when there is a spammer at their site they are overwhelmed with complaints and find it difficult to acknowledge each one.

If you do get a response (such as "this would appear to violate our terms of service and we're looking into it" or "we have terminated the account of the spammer"), either send back a thank you or not, at your option. There is something to be said for letting the providers know that we appreciate their actions, but on the other hand these people get a lot of e-mail about spam complaints and it might be preferable not to increase the volume.

Back to the Home Page


Jim Kingdon