New spamfighter orientation

This is transferred to the new board at
Spammers should not profit, so post information here that hits their pockets.

New spamfighter orientation

Postby AlphaCentauri » Sat Jan 02, 2010 11:38 pm

Welcome to!

Have you had it with spam? Can't find important messages? Sent important emails to other people who apparently never found them in their spam folders? Or worse, are you having emails blocked altogether by ISP's that have instituted draconian anti-spam measures? Frustrated that despite all the filtering going on, you're still getting an inbox full of emails from Nigerian widows, password resets for banks where you don't have accounts, Valentine's Day cards from computer malware distributors, ads for fake pharmacies/watches, etc? Worried about your kids or parents clicking on something dangerous in an email? Maybe you clicked on something yourself and ended up spending a lot of time or money getting your computer cleaned up. Maybe your passwords/identity were stolen and you're still finding new frauds being perpetrated with the information. Maybe you've been notified by your ISP that your computer is mailing spam, and you want to know what you did and how you can avoid doing it again. We don't have to tell you that spam is about a lot more than annoying emails. Spammers are criminals, and they have your email address.

This forum is home to some highly accomplished spamfighters, but we're specifically interested in helping newbies get started defending their own inboxes. If you know absolutely nothing about spam, you're in the right place. There are no stupid questions. But we hope you'll read through this thread so we only have to answer the most common questions once. We also invite you to visit the spamwiki, at , where many spam-related topics are covered in more detail.
User avatar
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: New spamfighter orientation

Postby AlphaCentauri » Sat Jan 02, 2010 11:38 pm

About the forum:

While some topics are open to guests, there are others than can only be viewed by registered members. You also must register to post. Due to frequent attacks by spammers, new registrations must be approved by an administrator. You will be contacted to provide information about yourself. You don't have to give your name, but please tell us enough about how you got here that we know you aren't a forum-spamming bot. Add: We are trying an experiment where newly registered members may post, but a moderator will have to approve it. Those new members will not have access to the members-only forums. Once you have responded to the email, we can switch you to full membership with immediate postings and access to additional forums.

Use a temporary password to register, then change it. You must choose a complex password, as hackers regularly attempt to guess members' passwords. For the time being, once your registration is approved, SiL isn't really going to delete your username if you don't post within 24 hours. So go ahead and register, even if you don't have anything to say yet. However, if you don't sign in at all after registering, your username will be deleted after a while.

There's a new member thread at
if you would like to introduce yourself

Important things to know about this site:
* The primary administrator is spamislame (SiL).
* Others include Red Dwarf and AlphaCentauri
In addition, there are moderators who can edit/delete other people's posts. (You can always edit your own.) You should alert them if you see any spam posted on the forum or if there are inappropriate posts of other sorts, like flame wars. You can do that by clicking the exclamation point icon at the upper right corner of a post. You can also flag one of your own posts should you need help with it. If you think there is some issue that can't wait until the next mod logs on, Red Dwarf, trobbins, and I (in addition to SiL) are probably available via PM fastest.

* Mail: You can get notifications of replies to your posts and get notifications when other people send you private messages if you set your forum preferences that way. You can get notifications of replies to a thread you haven't posted to by clicking "Subscribe topic" at the bottom left of the page. Even if you choose not to get routine email notifications, please keep your email address up to date, as that is how you would be notified if the forum relocates due to DDoS.

* This site does not have a time limit for editing your own posts. You can edit any time you want (but only a mod can completely delete one). We use that feature liberally, and it allows people to revise things that maybe sound more harsh than they were intended so the discussions remain respectful. But remember that if you edit an old post, it will not be flagged as new, so if you want people to notice your change, make a new post or add a "bump" post at the end.

* Since we got DDoS'd out of our original URL and moved a couple times since, you will still find internal links in older posts that go to our old locations. You can substitute in the new URL if you find them. So for example,

should be changed to

* Should this forum be down, some of us can be contacted via private message on other forums such as or We also have alternative blog sites for news updates if you can't reach this site at all:
However, the email accounts related to those blogs aren't monitored under normal circumstances.
User avatar
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: New spamfighter orientation

Postby AlphaCentauri » Sat Jan 02, 2010 11:39 pm

Munging links:

Please remember that search engines and spambots crawl the forum. You don't want them collecting the email addresses of good people or the URLs of bad sites. You also don't want anyone accidentally clicking through to a site that could be dangerous. (Linking to good sites is okay and is encouraged, as antispammers need to support one another.)

For email addresses: Minimally, you can select the "@" sign and make it italic or bold or change the color, so the parsers looking for strings with "@" in the middle are confused. But I'm sure the spammers will figure that out, so it's a good idea to vary how you do it, change the color of part of the domain or username to black, etc. For example:
will end up like this:
You can read it, but email harvesting bots can't.

In order to munge URLs, any "http://" or any "www." must be broken up with formatting tags. For example:
....."http:[color=#000000]//[/color]" becomes
....."www[i].[/i]" becomes
On this forum, you can easily add tags by highlighting the character and clicking one of the buttons above the message window. In order to do colors, highlight the word, then choose the color from the spectrum on the right.
User avatar
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: New spamfighter orientation

Postby AlphaCentauri » Sun Jan 03, 2010 12:38 am

Domains/Registars/Nameservers - what is everyone talking about?

Spammers are criminals, but they rely on legitimate businesses to carry on their activities. One of the most important ways to fight spam is to notify those businesses when they are being abused by spammers.

One of those types of businesses is the "domain registrar." A "domain name" is a name like "" that identifies a website. The actual computers where websites are located have numeric "IP addresses" like Giving those websites domain names makes the internet much easier to use. But that means there have to be records and roadmaps on the internet, so that when you type "" in your internet browser, the computer with that website can receive your request to view their webpage.

Someone who wants a website has to arrange to register a domain name with a registrar. The registrar then submits that domain name to a "registry," which governs the registration of all domain names for particular "TLD's" or "top level domains." TLD's you will be familiar with are ".com" and ".net," which are governed by ICANN and the InterNIC registry, but there are numerous other registries. A single registrar may register domain names with TLD's governed by several different registries, and a single registry will usually deal with multiple competing registrars. In addition, large registrars may work with "resellers," independent affiliates who bring in business for the registrar and who may do the direct customer support. Registrars must be "accredited" by the registry, and they are responsible for the actions of their resellers (who are not accredited directly).

As you will notice, the "top" level domain name is the one on the far right of the domain name in the "URL" (or "uniform resource locator"), just before the first single "/" mark. (The URL is the full address of the web page, like, and includes the domain name.) In addition to the domain name like "," a domain may have "subdomains" on the left of the domain name, like "" or ""

The person setting up the website also has to arrange for his site to be hosted by an internet service provider, which is basically someone with a computer who will allow other people to store their website files there. His domain name will have to be associated with the IP address of that ISP's computer. He can have his site hosted on several IP addresses and even several different ISP's at once, and he can have his subdomains hosted on different computers than the main domain.

How would anyone find his website with all that going on? The information is stored on a computer that acts as a "nameserver." The registrars keep track of which nameservers have information for which domains and submit that information to the registries. The nameservers themselves have to have domain names registered, but they don't have to have websites. Their IP addresses have the special name "glue records," to distinguish the fact that nameservers don't need other nameservers to store their IP addresses. A domain name can (and should) have several nameservers (in case one goes down, the others can allow people to visit the website). And a nameserver can keep records for thousands of domains. If all the nameservers for a domain fail to function, it is impossible to view that site.

When we report a spamvertised website, we frequently report them to registrars. We look at the URL to find the domain name. We read until we hit the first single "/" then work backward. So for this URL:

the domain name is "," not "" nor "microsoft.html."

We can report that individual domain name, but often the spammers have dozens or hundreds or thousands of identical websites with different domain names. If we can get all the nameservers for those domains shut down, we can get all those spamvertised sites off line at once. The Complainterator tool (available at ) will look up the registrar for the domain name and the nameservers' domain names and will compose reports to send to each of them.

The caveat is that you can't shut down a nameserver that serves good websites, only nameservers controlled by the criminals. How do you know the difference? Complainterator helps, because it will automatically suppress many of the nameservers controlled by registrars themselves. In addition, if you see a nameserver's domain name was registered years ago, it is more likely to be legitimate; in any case, you will have difficulty convincing a registrar to shut down a long term customer. Most spammers' domains are registered only a few days before they show up in spam, and those that aren't shut down are abandoned once spam filters add them to their definitions. Again, shutting down the nameserver can even shut down domains that have not yet been mailed in spam.
User avatar
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: New spamfighter orientation

Postby Red Dwarf » Sat Mar 03, 2012 1:14 am

The tools for spam fighting are well documented. They target the owner of the IP address used for sending the spam, for hosting the spammed website, for name servers resolving access to the spammed website. They also target the registrar who has a service contract for the domain name of the web site, or the domain name of the name servers.

But there is another form of spam that is not covered by these actions. That is the spam that does not rely on a web site, but an exchange of emails between the perpetrator and the victim. These scams are often referred to as 419 or Nigerian scams. They all seek to separate the victims from their money by various forms of psychological trickery.

To combat these scams a different approach is required. The most effective approach is to educate users about these scams so they will not be easily taken in. A second approach is to terminate the email address before they can be involved in an ongoing email exchange, or before a fraud can be completed.
The typical fraudster uses free emali service providers, and we have seen over 70% of frauds coming from just these three
  • Microsoft
  • Yahoo!
  • Google
The rest are spread over hundreds of other providers, making it difficult to know where to send reports.

Microsoft allows reports to be sent via email to their abuse reporting address.
Both Yahoo! and Google refuse to accept scam abuse reports via email, and insist that they come from a web form.

Tools exist that make the reporting a whole lot easier.

One report generator is called ScamerAtor. It consists of one neat web page that you can load from your own machine. It contains information on where to report a scammer email address, and quick drop-down menus that will generate the report for you.

Another is called 419 Automated Reporter. Running under Windows with Firefox, it will work from a Gmail spam folder and run through each scam, identifying the category of scam from the context, and sending correctly formatted reports to any one of 600 email service providers, including the big 3 of course.

ScamerAtor and 419 Automated Reporter can both be found at under the Spam Reporter section.
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: New spamfighter orientation

Postby AlphaCentauri » Mon May 11, 2015 12:23 pm

Reporting shortened links:

Spammers often will use a disposable domain name in their spam emails or forum comments. That domain will redirect traffic to the real domain. By doing this they can avoid having their own domain trigger spam filters or get downranked by search engines. (In this case, you'd want to report both domains, proceeding cautiously, as there may be dangerous links and URLs that encode your identity involved.)

If they control the disposable domain, they can usually get enough traffic before it is shut down to be worth doing this.

However, sometimes they use public "link shortening" services. They are used to make a long URL easier to type or to make it fit into a twitter post. These public services tend to be proactive at shutting down spam, because a negative reputation from a single spammed URL can make their entire service worthless to other users. Here are some reporting links:
Report spam links to Include the word 'spam' in the message and include the link and information about how you received it. They will then insert a warning page for users trying to follow the link, though they don't just kill the link (lest it appear is broken).
You can append a "+" to any link to get information about the target URL without actually following the link.
If you have a Twitter account and see spam, you can report the post to Twitter through their usual reporting button on each post.
I don't see any way of reporting spam through a comment form for people whose ISPs block outgoing "spammy" messages. ... protection
They will redirect spamming links to the Anti-Phishing Working Group. Online contact form is at
Red Dwarf wrote:Redirecting service has a very fast take-down service. At the bottom of the page is a link,

© 2013-2015 Сервис коротких ссылок Пожаловаться на ссылку which translates as
© 2013-2015 Shortened links Report link

When you click on that link, you get a new data entry box, also entitled Пожаловаться на ссылку for "Report this link"

In that box, key in the spammed URL in the form where xxx is the 3-character code.

In less than one minute, the link will be dead - no questions asked. That means that all the other millions of spams for that link will be a waste of the spammer's time, giving no financial return.

There is a simple reporting form at
All I can find is a reporting email, which may not help if your ISP blocks the spam emails from being sent:
Only appears on Twitter; report through their usual reporting button.
Only used by LinkedIn. Their reporting policies are listed here: ... l/a_id/146
Email reporting only:

There are many others, and professional marketers also create their own URL shorteners (in order to avoid their messages being marked as spam because another user of a public shortening service is spamming). I would start by checking the whois of the shortened link domain to find out how to proceed.
User avatar
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Return to Fight Spammers

Who is online

Users browsing this forum: Ahrefs and 1 guest