Netizenship: Unix tools for working to reduce spam

% is a Unix prompt. Yours may be different. Traceroute and whois are Unix
commands. There are also other useful search tools.

Reproduction below permitted by Stanton McCandlish 11/96.

Date: Wed, 25 Sep 1996 20:32:40 -0700 (PDT)
From: Stanton McCandlish
To: pagre@weber.ucsd.edu (Phil Agre)
Subject: Re: spam service

Note apparent spammer's site name. At Unix prompt (or with Mac or whatever
traceroute util if not on Unix):

    % traceroute site.name

You get a list of all the intermediate hops to the site. Last one on list
is the site's net feed.

An example of the traceroute maneuver:

    % traceroute www.cyberpromo.com
    traceroute to cyberpromo.com (208.9.65.20), 30 hops max, 40 byte packets
     1  gw.eff.org (204.253.162.1)  3 ms  3 ms  3 ms
     2  Loopback0.GW1.SCL1.Alter.Net (137.39.2.71)  7 ms  6 ms  17 ms
     3  Fddi0-0.CR2.SCL1.Alter.Net (137.39.19.6)  8 ms  8 ms  8 ms
     4  107.Hssi4-0.BR1.NUQ1.Alter.Net (137.39.70.125)  12 ms  13 ms  10 ms
     5  sl-mae-w-F0/0.sprintlink.net (198.32.136.11)  25 ms  17 ms  20 ms
     6  sl-stk-6-H3/0-T3.sprintlink.net (144.228.10.45)  26 ms  88 ms  113 ms
     7  198.67.6.5 (198.67.6.5)  96 ms  245 ms  33 ms
     8  sl-dc-6-H1/0-T3.sprintlink.net (144.228.10.1)  111 ms  89 ms  92 ms
     9  sl-dc-15-F0/0.sprintlink.net (144.228.20.15)  89 ms *  131 ms
    10  sl-cybrprom-2-S0-T1.sprintlink.net (144.228.125.66)  95 ms * *
    11  cyberpromo.com (208.9.65.20)  91 ms  96 ms  85 ms

www.cyberpromo.com is obviously served by cyberpromo.com, which is the same
folks, so the "last" hop on the list should be considered sprintlink.net.

> Next email abuse@site.name and abuse@net.feed's.site.name, and note
> politely that a user at site.name, which appears to be getting its feed
> from net.feed's.site.name is spammin' the globe, sorry if you've already
> been notified.

It's generally important to send to the admins of the "master" host for a
domain, since "sl-cybrprom-2-SO-T1.sprintlink.net" and the like may just be
routers or something.
You need, in this example, to talk to abuse@sprintlink.net. In this
example, cyberpromo itself is accused of spamming, so no point in mailing
them. If cyberpromo appeared to be an ISP serving a spamming user, perhaps
joe@cyberpromo.com, you'd want to mail abuse@cyberpromo.com, too.

> If you get a bounce (not all ISPs have "abuse" aliases yet) resend the
> message to postmaster@site.name (or postmaster@net.feed's.site.name -
> whichever bounced.)
>
> If you suspect the site.name is actually a one-man operation of the
> spammer himself, do:
>
> % whois site.name
>
> (or use a GUI whois application) and see if admin or tech contact is the
> spammer (if they used real name). If in doubt call and ask what site.name
> is (marketing biz? ISP?) At any rate, if you hit the site's net feed too,
> no big deal.

An example of the whois maneuver:

    % whois cyberpromo.com
    Cyber Promotions Inc (CYBERPROMO-DOM)
       8001 Castor Avenue, Suite 127
       Philadelphia, PA 19152
       USA

       Domain Name: CYBERPROMO.COM

       Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
          Wallace, Sanford  (SW430)  cyberpr@ANSWERME.COM
          (215) 288-9230

       Record last updated on 22-Sep-96.
       Record created on 26-Apr-96.

       Domain servers in listed order:

       NS3.CYBERPROMO.COM           208.9.65.10
       NS4.CYBERPROMO.COM           208.9.65.11

    The InterNIC Registration Services Host contains ONLY Internet Information
    (Networks, ASN's, Domains, and POC's).
    Please use the whois server at nic.ddn.mil for MILNET Information.

This should give you a tidbit or two on which to make a judgement call. If
the Admin or Tech Contacts for the domain are the spammer, bingo. If not,
you can't really tell what this site is, so you might as well mail
abuse@cyberpromo.com too. If they are the spammers, they'll just ignore you
in most cases. If they aren't, and are the spammer's ISP, you might get
some action.
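
The traceroute step above can be scripted. The following is an added example, not part of the original message: it reads traceroute output, skips unnamed hops and the site's own hosts, and reports the last remaining hop's domain as the net feed, with the abuse and postmaster addresses to try. The function names and the rule that a domain is the last two labels of a hostname are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumption: an organisation's domain is the last two DNS labels of a
# hostname (right for sprintlink.net, wrong for names like example.co.uk).

# Sample input: the traceroute output quoted in the message above.
SAMPLE_TRACE='traceroute to cyberpromo.com (208.9.65.20), 30 hops max, 40 byte packets
 1  gw.eff.org (204.253.162.1)  3 ms  3 ms  3 ms
 2  Loopback0.GW1.SCL1.Alter.Net (137.39.2.71)  7 ms  6 ms  17 ms
 3  Fddi0-0.CR2.SCL1.Alter.Net (137.39.19.6)  8 ms  8 ms  8 ms
 4  107.Hssi4-0.BR1.NUQ1.Alter.Net (137.39.70.125)  12 ms  13 ms  10 ms
 5  sl-mae-w-F0/0.sprintlink.net (198.32.136.11)  25 ms  17 ms  20 ms
 6  sl-stk-6-H3/0-T3.sprintlink.net (144.228.10.45)  26 ms  88 ms  113 ms
 7  198.67.6.5 (198.67.6.5)  96 ms  245 ms  33 ms
 8  sl-dc-6-H1/0-T3.sprintlink.net (144.228.10.1)  111 ms  89 ms  92 ms
 9  sl-dc-15-F0/0.sprintlink.net (144.228.20.15)  89 ms *  131 ms
10  sl-cybrprom-2-S0-T1.sprintlink.net (144.228.125.66)  95 ms * *
11  cyberpromo.com (208.9.65.20)  91 ms  96 ms  85 ms'

# upstream_domain SITE < traceroute-output
# Prints the domain of the last named hop that is not part of SITE.
upstream_domain() {
    awk -v site="$1" '
        function org(h,   n, p) {            # last two labels, lower-cased
            n = split(tolower(h), p, ".")
            return (n < 2) ? h : p[n-1] "." p[n]
        }
        BEGIN { target = org(site) }
        $1 ~ /^[0-9]+$/ {                    # hop lines begin with a hop number
            if ($2 ~ /^[0-9.*]+$/) next      # bare IP (no reverse DNS) or timeout
            if (org($2) == target) next      # the site itself or its own hosts
            feed = org($2)                   # remember the latest outside hop
        }
        END { if (feed == "") exit 1; print feed }
    '
}

# report_addresses SITE < traceroute-output
# Prints the net feed contacts in the order the message says to try them.
report_addresses() {
    feed=$(upstream_domain "$1") || return 1
    printf 'abuse@%s\npostmaster@%s\n' "$feed" "$feed"
}

printf '%s\n' "$SAMPLE_TRACE" | report_addresses www.cyberpromo.com
```

A trace in which every named hop belongs to the site itself makes both functions return non-zero, so no address is printed.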