Spam glossary

This page is perpetually under construction. Corrections and additions are welcome.

For more information, see the FAQ: Current Usenet spam thresholds and guidelines, by Chris Lewis & Tim Skirvin.

See also Jargon.txt, the official dictionary of the computer world, Andrew Nellis' jargon file, The Canonical Abbreviation/Acronym List, Acronyms, he insider's language of Usenet, Spammer quick-reference list


  • 1618
  • 404
  • 419
  • Address Harvester
  • Alias
  • Alphabetic Spam
  • AUP
  • Backhoe
  • Bandwidth Hugger
  • Backscatter
  • BI
  • BI2
  • BOFH
  • Blowback
  • Breidbart Index
  • Bincancel
  • 'Bot
  • Botnet
  • Brand
  • Bullet-Proof
  • Cabal
  • Cancel
  • Cancel 'Bot
  • C & C
  • Cartooney
  • Challenge-Response
  • Chicken Boner
  • Clewbie
  • Click Fraud
  • Click-Through
  • Clue-By-Four
  • Coffee & Cats
  • Comment Spam
  • Crosspost
  • Cyberspam Convention
  • DDOS
  • Dead Chicken
  • Despew
  • DNSbl
  • Domain Kiting
  • DOS
  • Drop Box
  • DUL
  • EBay
  • ECP
  • EDT
  • EMP
  • ESP
  • EST
  • Flame Bait
  • Flood
  • Golden Mallet
  • GRE and IPIP Tunneling
  • Hacker X
  • Hash Buster
  • Hat color
  • Haven Spam
  • HayWyre
  • Headers
  • Hijacking
  • Honeypot
  • Horizontal Spam
  • IDP
  • Ignorebot
  • Internet
  • Internet 2
  • ISP
  • Issue Poster
  • Joe
  • Kook Cabal
  • LART
  • Link Farm
  • Listwashing
  • Lock-In
  • Lumber Cartel
  • Lusenet Cabal
  • Mail Drop
  • Mainsleaze
  • Meow
  • MMF
  • Morph
  • Mousetrap
  • Multi-Post
  • Munge
  • Murk
  • Nadine
  • Net.Scum
  • Nanae
  • Nigerian 419 Scam
  • Night Of The Long Knives
  • NoCeM
  • NSP
  • Opt-In
  • Opt-Out
  • Page-Jacking
  • Page Waxing
  • Payload
  • Pink
  • Pink Contract
  • Phish
  • POP
  • PPP
  • Pseudo Site
  • Pump-n-Dump
  • RBL
  • Redirect
  • Referrer Spam
  • Relaying
  • Retromoderation
  • Revenge Spam
  • Robocanceller
  • Rogue
  • Rule #1
  • Rule #2
  • Rule #3
  • $alz Convention
  • SEO
  • Search Engine Spam
  • Sender Policy Framework
  • Sender Verification Callout
  • SLIP
  • Smart Hosting
  • Snowshoe Spam
  • Sock Puppet
  • Socks
  • Sound
  • Spam
  • Spambone
  • Spamhandling
  • Spamhaus
  • Spamouflage
  • Spam Trap
  • Spew
  • Spewcancel
  • SPF
  • Spam Blog
  • Sporgery
  • Spyware
  • Tagged Address
  • Tarpit
  • TeerGrube
  • Throw-Away account
  • [TINC]
  • [TINLC]
  • TOS
  • Troll
  • Typo Squatting
  • UCE
  • UDP
  • Usenet
  • Usenet II
  • Usenet Cabal
  • Vampire
  • Velveeta
  • Vertical Spam
  • Viral Marketing
  • Whack-A-Weasel
  • Web Spam
  • Wpoison
  • Zombie
  • Spam

    Any massive flood of drivel which serves to flood a communications channel, reduce the signal-to-noise ratio and annoy the hell out of a large number of people.

    The word comes from an old Monty Python skit where some folks in a diner are unable to have a conversation because a group of Vikings at a nearby table keep singing the "Spam" song. (This is a gross oversimplification of the skit, but covers the important point.)

    The term became connected with computers in 1985 when somebody harassed one of the original Pern MUSHes by echoing:

    on all their terminals every few seconds until they booted him.

    Today, "Spamming" is flooding netnews or email with tons of useless garbage, thus reducing the signal-to-noise ratio and driving people nuts. This typically means flooding the net with one single message (often an advertisement) posted to hundreds or even thousands of newsgroups. It can also mean posting over and over again to a single newsgroup in the hopes of drowning someone out.

    The first major netnews spam was executed circa January of 1994 when a junior admin at an Adventist college in Michigan named Clarence Thomas IV spammed approximately 5000 newsgroups to warn everybody that Jesus was coming. He was fired and the offending posts were cancelled. (See sample post & amusing reply.) Shortly afterwards, Laurence Canter & Martha Seigal spammed ~7000 newsgroups with the famous "Green Card" spam and the Second Age of Usenet began. Canter & Seigal have since divorced, and Canter has been disbarred (again), but their legacy lives on.

    Perhaps the first recorded usenet spam of all was the "JJ incident" which happened May, 1988. See netnews article first case of spam??. An earlier example is known as "the dinette set heard 'round the World" -- only two posts, but they were posted to net.general, which is seen everywhere.

    The first known email spam was sent by DEC salesman Gary Thuerk on May 3, 1978 when he sent a sales pitch to 400 email addresses which were hand-typed into the computer.

    Some people have coined phrases for the various flavors of spam, such as "velveeta" or "EMP". The definitions revolve around whether or not a message was cross-posted or multi-posted (which is worse) and other details, but it's all just spam to me.

    When referring to the Hormel product SPAM®, the word should be capitalized. When referring to the internet nuisance, spam should be written in lowercase.

    The Hormel corporation has been pretty good-natured about the use of their trademark in discussions of on-line spam, even giving Spamhaus permission to register Spamhaus® as a trademark in Europe.


    Excessive Cross-Posting. Crossposting an article to many newsgroups at once. Such articles are rarely relevant to so many newsgroups at once and are usually the hallmark of a clueless newbie or a spammer.


    Excessive Multi-Posting. Posting an article to dozens of newsgroups or more, one newsgroup per post. Worse than
    ECP, because it consumes much more bandwidth and is a greater annoyance to readers.

    The FAQ states that EMP means, essentially, "too many separate copies of a substantively identical article".


    Another name for ECP.

    Alphabetic Spam

    (AKA Alpha Spam.)
    Spam which is transmitted to newsgroups in alphabetic order. Alphabetic spam generally indicates that the spammer plans to hit every newsgroup on the net and is completely unconcerned with whether or not the message is appropriate to the newsgroups spammed. The newsgroup alt.3d invariably gets hit first and hardest by alphabetic spam.

    Horizontal Spam

    Spam which consists of a large number of messages sent to a large number of newsgroups. Horizontal spam typically represents someone trying to get a message across to the greatest number of people, regardless of whether or not the message is is relevant to those newsgroups or of interest to the people who receive it. See also spam and vertical spam

    Vertical Spam

    Spam which consists of a large number of messages sent to a single newsgroup. Vertical spam may represent a clueless newbie who has screwed up a posting command, or a malicious spammer who is trying to drown out a newsgroup. See also spam and horizontal spam


    (v.) To cross-post is to send a single message to multiple newsgroups. This is preferable to sending single copies of a message to each newsgroup for three reasons: First, by only sending a single copy, you reduce network resource consumption. Second, most newsreaders allow users to view and discard a crossposted message with just one reading, even if they subsequently visit other newsgroups to which the message was posted. Third, a followup reponse to the original article will be seen in all the relavent newsgroups, instead of just the one.

    Articles should be crossposted to the newsgroups to which they are relevant and no more. Crossposting is not, in itself, considered net abuse unless done to excess (see ECP), or to many non-relavent newsgroups (see troll.)

    See also multi-post


    (v.) To multi-post is to send a single message over and over again to multiple newsgroups; as opposed to crossposting which is to send a message just once with multiple newsgroups specified in the headers.

    Multi-posting is especially annoying, as it forces readers to encounter the same post over and over again as they peruse the net.

    Some people multi-post because they are using broken news software which does not allow crossposting. Others do it under the mistaken belief that crossposting is considered anti-social (it's not.)

    Spammers will multi-post in order to force potential customers to see the same ad over and over again. This is the same logic that causes people to plaster hundreds of copies of an advertisement on a wall right next to each other.


    Large quantities of material posted to the net at once, typically in a binaries group. For example, someone might decide to post all of his nude pictures of Pamela Anderson, which could take days. Although floods can be annoying, they are not considered spam if each post contains unique and relavent material.

    Some floods are done purposely to drown out discussion in a group. Most common are the floods in alt.religion.scientology intended to drown out criticism of Scientology. These classify as vertical spam.


    Large quantities of garbage sent to the net by a malfunctioning news program or robot. A typical cause of spew can be a netnews-to-BBS gateway which strips out or reassigns message id's before forwarding articles to the BBS. Fidonet used to be notorious for this problem, although there haven't been any major Fidonet spews in recent years.

    See also Despew.


    Combination of Spam or Spew and Forgery. Massive floods of forged articles, typically intended to disrupt a newsgroup. A favorite tactic in newsgroup alt.religion.scientology, in which gibberish articles containing reasonable-looking headers are spammed to the group, making the legitimate articles too difficult to find.

    For more information, see web page The Attack Against ALT.RELIGION.SCIENTOLOGY


    Spam which has been reflected back to innocent third parties by a mis-configured system as it rejects spam. A typical scenario is for spam to be sent with a forged "From:" line. The recipient system rejects the spam and sends a rejection notice to the puported sender.

    If the forged "From:" line refers to a spam trap, the system responsible for the backscatter can find itself listed as a spam source.

    Backscatter can be caused by other ways, such as challenge-response.


    The actual spreadable meat product Spam® is pink in color. Thus, the adjective "pink" is often used to refer to things associated with spam.

    Pink Contract

    A contract written by an ISP expressly permitting a spammer to commit net-abuse. For example, see netnews article
    AT&T writes pink contracts, confirmed!

    Another example: fax of a pink contract between AT&T and

    See also AT&T Spam Contract Discovered and CNet article Giving spam the network boot.

    See also several mentions of pink contracts by Ronnie Scelson in his testimony before the U.S. Senate Committee on Comerce, Science & Transportation

    One final note: many spammers will claim to have a pink contract with their provider. This is done to discourage complaints. Always remember rule 1. Genuine pink contracts are probably relatively rare, and only two have been definitively proven (AT&T and PSI).


    Unsolicited Commercial Email.

    Haven Spam

    Spam from a "safe haven" -- a site which permits spammers to maintain web sites. For example, a spammer might set up a web site at
    Netcom and then spam ads for it from throw-away accounts on other providers. As long as Netcom provides safe haven for the spammer, the spam will continue.

    Address Harvester

    A robot that searches netnews, web pages or other sources for anything that looks like a valid email address. The addresses thus acquired are used for email spam, or sold to email spammers. See also

    Spam Trap

    An email account which has never signed up for any mailing list or done anything else which would cause someone to legitimately send email to it. Unsolicited email to a spam trap is invariably spam and will cause a near-instantaneous listing of the sending server as a spam source.

    Flame Bait

    Stupid and/or offensive posts deliberately made to attract flames. Often done by posting questions on controversial issues to disparate newsgroups. See the various articles in Netiquette in


    (v.)The act of dragging
    flame bait through the murky waters of usenet to see who bites.
    (n.)One who trolls.


    Used in flame wars. Too complicated to explain here. See web page
    The History of the Empire of Meow.

    Sock Puppet

    Sock Puppets are multiple screen names all controlled by one individual, they talk to each other even though they are one person. This gives the impression of discussion between different people, while one person controls the debate.
    --anon, Anatomy of a Pump & Dump


    Refers to a false web page or other trojan horse intended to trick users into giving up their credit card, account password or other valuable information.

    A typical scenario works like this: Aol users receive email telling them that there's a problem with their bill, or informing them of some great givaway. The email refers to a web page that looks like an AOL signon page but isn't. The hapless user enters their signon information. A week later, the user doesn't understand why their account has been shut down for spamming.

    For a real education, execute the command "whois aol." (note the trailing dot) and look at all the privately-owned domains with names like "", "", "" and so on.

    Hacker X

    Hacker X is a mythical computer hacker who hacks into unsuspecting ISP's user's accounts, and spams the world using an innocent person's ISP account. This way, the abuse center can shine on spam victims simply by spewing out something like; "Our user wasn't spamming, he/she was the victim of a hacker, who used a trojan to access their account and this hacker spammed you, so it is not our user's fault."

    This way, they get to keep their pet spammer, and some spam victims will believe that malarky.

    The original "Hacker X" was the alleged hacker that broken into Cyberpromo's system and posted their password file to the internet. See Cyberpromo FAQ, item #17.

    Sometimes hackers really do break into systems to send spam (although this is more commonly done to launch attacks on yet another system. See zombie.)

    Here's an amusing example of "hacker X" in action: At, a site which promotes various get-rich-quick schemes, readers are enticed to spend $40 on trial offers at porn sites, with a promise of receiving $500 worth of rebates and valuable prizes. In the end, after everybody has kicked in their money, they're informed that a hacker has broken in and ruined everything and now they won't get their $500.

    Another example of Hacker X is the Ameritrade press release which claims that a recent leak of Ameritrade customer information to stock spammers was caused by "unauthorized code" (i.e. spyware) in their system.

    Revenge Spam

    Spam which has had some poor innocent person's identification planted in the headers or message body. The intent is to make life miserable for the victim.

    Revenge spam is another reason why you should not blindly reply to spams you receive.


    (v.) The act of destroying a domain's good name via revenge spam or other attack.

    Named after, a web-hosting service which was vicitimized in this way. (See sample spam.)

    According to Follower of the Clawed Albino, this is what happened: had a web-hosting service. A rather notorious and evil spammer known as Yuri Rutman happened to get a web page at (if memory serves, it was for some bogus quack remedy or other) and proceeded to spamvertise it via another account.'s admin did not like this. had an AUP which said, in part, "Thou shalt not spamvertise sites hosted here, lest the wrath of the Administrator be just and verily smite thine account". Said website was smited.

    Yuri, as most sociopathic serial-spammers [yes, I know that's a double adjective, but...) tend to do, got pissy. He proceeded to forge a spam from Yet Another Account, with the admin of's address, basically going "We'll let folks do what we want here and we like spam so neener neener neener".

    Literally a cast of thousands got downright rabid at this point. Many folks, who did not carefully check the headers, proceeded to send tons of angry mail at best and pingfloods and mailbombs at worst towards

    The proceeding shitstorm that was raised not only knocked off the net, but also knocked its UPSTREAM off the net too. ended up being taken down as a result, a guy lost a business, and the term "joe-job" (meaning a forged spam meant to cause a denial-of-service-by- proxy attack) came into the Internet spamfighting lexicon.

    <set voice=Paul_Harvey.voice>

    And now you know...the REST of the story. Good day...

    <set voice=normal.voice>

    Other references:


    The story of how one mis-entered email address on a web page resulted in a flood of undeliverable spam to The story serves to illustrate why "just hit delete" and "just unsubscribe" don't work.

    See for the full story.

    Today, "Nadine" is sometimes used as a generic term to describe a non-existant or spamtrap address which should never receive any kind of commercial email.


    MMF stands for Make Money Fast, the title of a popular pyramid scheme that has been floating around the internet like a virus. Pyramid schemes are a form of gambling. You receive a list (via mail or internet) with five names on it. You send money to the top name on the list, cross it off, add your own name to the bottom and send it on to five soon-to-be-ex friends. After the list has propagated five generations, you should receive a whole lot of money.

    In reality, pyramid schemes only work for the people who start them or happen to be near the top of the pyramid. Everyone else in the list is out five bucks. You are in effect gambling that you'll be at the top of the pyramid. This scam has been floating around the net for so long that your chances of being near the top are nil.

    Pyramid schemes are a major annoyance on the internet and are considerd cancel-on-sight. They are grounds for losing your account at many sites.

    Pyramid schemes are serious business. The post office considers them to be mail fraud and will prosecute. In 1996, pyramid schemes caught on in the country of Albania where the populace is new to the idea of capitalism and naive when it comes to fraud. The resulting economic collapse resulted in the fall of the government and social anarchy. (CNN Article.)

    Some pyramid schemes come with window dressing to make them look legitimate. There may be text in the letter assuring you that the sender's lawyer has verified that it's legal, or some sort of worthless commodity such as recipes or mailing lists may change hands. Don't be fooled -- if success depends on being at the top of the pyramid then it's a pyramid scheme and illegal in most places.

    For more information, visit Dave Rhode's web site (believed not actually written by Rhodes), Wikipedia entry, the Make Money Fast Myth Page at and the U.S. Postal Service's Chain Letters page. See also the MMF Hall of Humiliation, and Google's archive of the very first MMF.

    If you are annoyed enough to take action, here's what you do: Print a hardcopy of the MMF and send it to the postmaster(s) where the snail-mail addresses are located

    Anytown, USA
    Include a note to the effect that you think it's an illegal chain letter. Finally, if the address is a post box, point out that the box holder is using the box for commercial purposes and you would like the name, address and phone number from the box rental card.

    The U.S. Postal Service maintains a web page to help you locate the nearest inspector.

    Nigerian 419 Scam

    So-called because it violates section 419 of the Nigerian criminal code. This scam usually, but not always, originates in Nigeria. In the 419 scam, you receive a letter from an official in Nigeria or other african country, and are told that someone needs to move a great deal of money out of the country and that you've been selected to help them do it. In return for your help, you'll be given a cut of the action. All you need to do is pay some sort of "Advance Fee" or "Transfer Tax" or give them your bank account information so they can wire the money to you.

    It's hard to believe anyone in the world is stupid enough to fall for this scam, but people do. Supposedly, this scam has evolved into a major industry in Nigeria.

    The scam is a variant of the centuries-old "Spanish Prisoner" scam, in which a Spanish nobleman needs front money to bribe his way out of prison, after which, he will shower you with riches.

    The scam has been on-going in its present form for decades and is propagated by other means than the internet. I received one via international snail-mail once.

    Here is an example which was recently forwarded to me by a reader:

        Dear xxxx,
          I am Mrs LISA MONIGBA Ivorien widow with an only  son ISMEAL
        ADAMS MONIGBA.My husband was the chief security  officer to the
        ousted President Henry BEDIE of Cote d'voire.During the over throw
        of 24th December 1999,  my husband was among the people that were
        killed by  the military.
           Immediately after my husband's death, I ran away with my only
        son to Togo,
          I do hereby wish to ask for your assistance in urgent business
        transaction that requires absolute honesty and secret.  Although I
        have not in any way disclose to anybody about this business because
        I want to be very careful about it and have being undergruond since
        I left my country immediately the death of my husband.Please the
        details of this my proposal to you is very confidential and I want
        you to treat it as such because I don't want to be traced by the
        former President concerning this transaction which I want to
        involve you by seeking your assistance. By virtue of my husband's
           The former President(BEDIE)gave him US
        Dollars(Twenty million US dollars) cash in US100.00 dollars bill
        stacked in a box to transfer into his foreign account overseas
        through Ghana which is one of the neigbouring countries with my
        country Cote d'voire.  My husband was about to go on one of his usual
        journies with only some days left before the 24th December
        overthrow took place and he was killed by the military .Immediately
        my husband was confirmed dead, I made away with this box with my
        only son and ran away so that we cannot be reached by Mr BEDIE. I
        have really been waiting for a more suitable time and a trustworthy
        person to assist me provide his or her foreign bank account to
        transfer this money as I don't have any foreign bank account
        overseas and also I cannot bank this money here in Togo where I am
        presently staying with my son because I don't have any business
        here to cover up such a big amount of money.  Right now, the money
        is in a safe place, I deposited it with a security company for safe
        keeping.  I am using this opportunity to seek for your  assistance
        to move this money on trust to your country, to be invested on
        behalf of my only son ISMEAL. I got your contact through the
        internent and I therefore decided to contact you so that you can
        assist me transfer this fund to your country.  For this transaction
        to be concluded immediately, all you need to do is to arrange to
        meet with me and my son here in LOME- TOGO where this box is been
        lodged, open an account in your name, pay in the whole money after
        clearing it from the security company,pay it into your account and
        transfer it to your chosen bank account in your country.
          I am ready to offer you 30% of the total sum and give you the
        full power to manage the remaining 70% on behalf of my son.Contact
        me with this e-mail address.Now we are curently staying in
        LOME-TOGO.This money I deposited it with the best security company
        in LOME-TOGO.  Upon conclusion of arrangement, I shall forward to
        you the certificate of deposit,contract agreement form and the
        phone and fax number of the security company for confirmation
        immediately you develop interest to assist me in this transaction.
        Please be informed that you'll also assist us get travelling
        documents that will enable us meet you in your country immediately
        this fund is transfered into your account so that we can invest the
        remaining fund.
          Please I want us to finish this transaction as quikly as possible
        and I want to hear from you immediately you receive this
        mail.Thanks and may God bless you for assisting me.
       Yours faithfuly

    For more information, see the The 419 Coalition Website, or type "419 scam" into the search engine of your choice.


    The practice of promoting a cheap stock ("pumping" it) in order to inflate its price. At which point, the persons pumping the stock dump their own shares at a profit.

    See the MMF Hall of Humiliation for more info.

    See also:


    Using spam to solicit donations without offering a product. Pun on "panhandling".


    A mainstream (i.e. well-known) company that takes the lamentable step of spamming. They tend to come around more often than not, especially when they discover that nobody trusts them with their email addresses any more. (Or that a lot of their other mail suddenly starts bouncing too. B)


    (n.) On-line auction house. Alleged to periodically "lose" user preference settings -- in particular the "do not send me email" preference.
    (v.) The practice of "losing" a database of customer opt-out requests so that you can send your users spam even after they've requested that you not do so.

    Viral Marketing

    (1) Quasi-spam marketing style. Web pages or other online advertisements exhort you to "tell a friend" by entering their email address into a form and clicking "send". See MSNBC article
    E-mail marketing: Return to sender? for more information.

    (2) The literal use of viruses or other cracker tricks for advertising purposes. Recent example is the web site. The web site contained active-x code which would modify the victim's system, adding an advertisment for GoHip to the victim's email signature, and making changes to the victim's browser default page. See WiReD article What is Hip? Not for more information. See also C|Net article Browser hijackings upset security pundits


    Software containing a trojan horse which monitors your system or your net browsing activity and sends the results to the author of the spyware. Once used only by crackers, spyware is now used by mainstream companies to collect marketing information. Examples include:
    Media Player logs the songs and movies you play. See Associated Press article Microsoft Player Logs User Info
    Real Networks
    Wrote MP3 software RealPlayer and RealJukebox which scanned the user's system for mp3 files and reported the results back to See news articles for more.
    Smart Download software tracks file downloads from the net. See Wired article Privacy Suit Targets Netscape and Ziff-Davis article AOL/Netscape hit with privacy lawsuit for more.
    Download Demon software tracks file downloads from the net.
    See web page The Anatomy of File Download Spyware for more information.

    For an excellent description of how spyware is installed on computers, see the text of the LL Bean v Kraft lawsuit (pdf).

    Breidbart Index

    A measurement of the severity of spam, invented by Seth Breidbart. The Breidbart Index takes into account the fact that
    multi-posting is worse than cross-posting.

    The Breidbart Index is computed as follows: For each article in a spam, take the square-root of the number of newsgroups to which the article is posted. The Breidbart Index is the sum of the square roots of all of the posts in the spam. For example, one article posted to nine newsgroups and again to sixteen would have BI = sqrt(9) + sqrt(16) = 7.

    It is generally agreed that a spam is cancelable if the Breidbart Index exceeds 20.

    Breidbart Index accumulates over a 45-day window. Ten articles yesterday and ten articles today and ten articles tomorrow add up to a 30-article spam. Spam fighters will often reset the count if you can convince them that the spam was accidental and/or you have seen the error of your ways and won't repeat it.

    Breidbart Index can accumulate over multiple authors. For example, the "Make Money Fast" pyramid scheme exceeded a BI of 20 a long time ago, and is now considered "cancel on sight".


    Abbreviation for Breidbart Index.


    A more aggressive version of the
    Breidbart Index. BI2 is computed as (n + BI)/2, where n is the total number of groups hit.

    BI2 is experimental, and as of this writing is not used as a spam-cancelling criterion.


    A cancel is a netnews control message which instructs receiving sites to delete a specific article from their news spools. Cancels are typically used by an author who wishes to retract a previous post (typically because they just discovered an embarrassing spelling error or they just remembered that their mother reads the group.)

    Cancels are also used to remove spam and other inappropriate posts, or for censorship (this latter use is usually considered to be net abuse).


    The practice of retroactively moderating a newsgroup by cancelling inappropriate articles. This is generally considered censorship and net-abuse unless the group's charter explicitly permits it or the retromoderator otherwise has a consensus that it is permissible.

    Spam cancellers usually issue cancels based strictly on volumes of spam (as measured by the Breidbart Index) and not by content, in order to avoid charges of censorship.

    Retro-moderation cancels should always include the "retromod" pseudo site in the Path: header line, so that sites which wish to ignore retromod cancels may do so.


    Short for robot.

    1) A program that posts to usenet news or takes other actions when called to do so. Examples include robocancellers which seek out and cancel usenet posts that match certain criteria, robots which post periodic FAQ's to certain newsgroups, "Dave the Resurrector" which detects unauthorized cancels and reposts the cancelled article, and the "Kiboizer" which was written by James (Kibo) Perry to search all of usenet news for references to himself so he could respond.

    2) Aka zombie. A computer which is under the remote control of another party, usually without the legitimate owner's knowledge. Usually used to transmit spam or participate in ddos attacks.


    A network of bots, often numbering in the hundreds of thousands. Botnets are controlled by individuals or organizations who then rent out access to the network to spammers or other on-line criminals.


    (Aka Cancel 'Bot.) A program which automatically detects and cancels spam or other unwanted articles. Robocancellers are very dangerous and should only be attempted by trained professionals. See


    The term for a cancel issued to remove a binary file posted to a non-binaries newsgroup. The "bincancel"
    pseudo site is added to the Path: header to enable sites to selectively ignore bincancels. See also cyberspam

    Cyberspam Convention

    The practice of adding the
    pseudo site "cyberspam" to a cancel's Path: line when cancelling spam. This permits sites which wish to ignore spam cancels to do so.


    Short for "No-See-'Em". A NoCeM report is a report posted to alt.nocem.misc that contains a list of articles the author thinks you should ignore or even delete from your news server. Similar to cancels, but in a more compact format. NoCeM reports may be processed by individual news readers or by entire sites.

    NoCeM reports are advisory only. Each individual user and/or site administrator determines whether or not to honor NoCeM reports; based primarily on the reputation of the person issuing the report. Anybody may issue a NoCeM report.

    For more information, see the Cancel Moose Homepage.


    DNS Blocklist. A list of IP addresses which are listed for spam or spam support. This list may be queried in real time via the DNS (Domain Name Service). This allows blocklists to be updated continuously as new sources of spam are discovered, permitting clients to have up-to-the-minute information.

    Another advantage to DNS-based blocking lists parties is that network addresses can be removed as easily as they're added. Without DNSbl services, system administrators are forced to manually add each new source of spam to their deny lists as they are discovered. Even after the responsible ISP discovers the spam and shuts it down, these manually-added entries remain, often permanently. ISPs which are slow to react to spam complaints can thus find large swaths of IP address space permanently damaged. On the other hand, if administrators use a DNS blocklist, IP addresses become usable again once they've been cleaned up.

    There are disadvantages to using DNS blocklists, though. To start with, it means ceding some of the control of your network to a third party. In addition, the "one size fits all" approach provided by a DNSbl may not always be appropriate. For instance, a DNSbl maintainer may see nothing but spam coming from a certain net block and list it, but you might personally be friends with the single legitimate user in that net block and not want to block it. Finally, a DNSbl may go haywire and the problem not quickly discovered. In August of 2006, SPEWS quietly stopped updating their list and it was months before the word got out.

    DNSbls should not be used by large ISPs as a sole method of guaging spam. Instead, best practice would be to query one or more DNSbl and using the response as a weighting term in the ISPs own spam-filtering system.

    One well-known example of a DNSbl is the RBL.


    Mail Abuse Protection System Realtime Black List. An online database of email spam sites that may be used for email spam filtering, either on a personal basis or used by an entire site. Problem sites are added to the RBL almost instantly when spam becomes a problem, and are removed again quickly once the problem is dealt with.

    For more information, see the Mail Abuse Protection System home page and this Yahoo article about the RBL.


    Companion database to the RBL. The DUL is a list of known dial-up IP addresses. These sites are not necessarily spam sites, but the list is provided so that you may choose not to accept email directly from them. Email transmitted directly from a dial-up system -- as opposed through the dial-up system's own provider -- is very likely to be spam.

    For more information, see the Mail Abuse Protection System Dial-Up List


    In general terms, Alias means to refer to one entity by an alternative name. In Usenet terms, Alias means that a site has an alternative name for itself. News handling software keeps a list of aliases so that it may detect and ignore incoming news which it knows originated locally.

    Aliasing can also be used to block news from unwanted sources. For instance, if you don't want to receive news from Earthlink, you would add earthlink to your news software's aliases file (even though Earthlink is not really an alias for your site). This would cause your news software to discard all news with "earthlink" in the Path: header line.

    Pseudo Sites may also be aliased to allow news software to reject news or control messages with certain keywords in the Path: line. See cyberspam for more info.

    In a more derivative sense, Aliasing is often used to refer to setting up software blocks to reject various kinds of traffic from certain sites.

    Note that articles from a third party will also be rejected if they pass through the aliased site, but may later be accepted if they arrive via an alternate route. For example, suppose UUNet has been aliased by A message leaves, passes through UUNet, and arrives at where it is rejected. However, if is multiply-connected, then that same message may eventually reach by a route that did not involve UUNet. At that point it would be accepted.


    Usenet Death Penalty. A situation where a site is considered to be rogue and beyond reasoning with. At this point, all traffic from or passing through the offending site is blocked.

    The name is somewhat of a misnomer; death is permanent while a full-fledged UDP typically only lasts a few days.

    There are three forms of UDP:

    Also known as passive UDP. Sites participating in the UDP alias the offending site out at the news spool. Netnews from that site is not accepted by the sites which have aliased it out. The biggest problem with passive UDP is that once administrators have aliased out an offending site, they often don't bother to remove the block when the UDP is over. Thus, sites which have been subject to a passive UDP never really recover.
    Also known as active UDP. The most common form of UDP. A robocanceller is set up to hunt down and cancel all posts from the offending site. Active udp may be applied against spam, against all posts from the offending site to certain newsgroups, or against all posts from the offending site (full UDP). Active UDP is easier to implement than passive UDP since it requires action by fewer people. Active UDP is even easier to bring to an end -- the cancellers simply stop cancelling.
    In this case, sites participating in the UDP refuse to accept any internet packets of any sort from the offending site. See's IP Blocking info page for more info. Also known as IDP.

    For a partial history of UDP's, see Udp History

    For articles in the press about UDPs, see UDPs in the News


    Internet Death Penalty. A situation where all traffic from a site is blocked at the packet level, essentially shutting that site off from the rest of the internet. Also known as shunning.


    A service which execute a denial-of-service attack against spammers by somehow consuming all of a spammer's bandwidth. Typically by repeatedly downloading the images from the spammer's site. See
    Spam Vampire and Lad Vampire for examples.


    Headers are the block of information lines which appear at the top of a mail or news message. Headers identify the sender and recipient of a message, the route the message took from one site to another and so on. Headers are used to determine the source of a post. For more information, see
    Tracking Spam.


    To modify your email address in such a way that
    address harvesters won't get a usable address, but humans can still figure it out.

    See the Jargon.txt file.

    Tagged Address

    An email address that is unique in some way so that the owner can keep track of who has it. For instance, if you were to use as your email address when signing up for an account at Ameritrade, and later received pump-n-dump spam to that address, you would know that the spammers had obtained your email address from Ameritrade.

    Hash Buster

    "Hash busting" - Random content, often confiqured in a word-like pattern, in either the Subject line, the From line, or beneath the legitimate text. Used to evade spam-detecting software which looks for identical messages because each wave of posts appear unique and individual. Each new post has different hashed text.

    Hash busting can be simple:

    Subject: Want To Learn How to Make Money!!! asdfasdfasdf From: Or a little more complex: buy my business stratagy now. Joyn keetge ukaqn znrl yfni dfp o efgh flbbj lyxd jc sus rray i eeclik sbelse pqiyoup eurl eollq puciebr a fkv pzsml beoc usqrmmb flaby uill jls lztn y ezg o faliq a ekgin fol?

    Snowshoe Spamming

    Spam techniques that spread the spam load as thinly as possible, in order to avoid detection. The analogy is to snow shoes, which spread the wearer's weight thinly across the snow. See Spamhaus glossary for more.


    Technique of hiding a small amount of spam in among larger amounts of legitimate email to hide it.

    Dead Chicken

    "Sometimes posts to moderated groups take forever to get posted ... and so one might be motivated to "approve" one's own posts by adding the relevant header. This is sometimes known as waving a dead chicken over one's post. One might even refer to said dead chicken in one's X-Approved: header.

    "However, moderators tend to frown on this and cancel said posts, which they have every right to do.

    --Kelly Thompson


    (n.) A disclaimer at the end of an email spam assuring you that the spam complies with Bill S.1618 which makes the spam legal. Also known as a "Murkogram".
    (v.) The act of sending spam containing a Murkogram.

    The term comes from Frank Murkowski (R-AK), the senator who wrote S.1618 which would have made spam legal provided it followed certain rules. In particular, to be legal under S.1618, the spam must contain full contact info at the start and make no attempt at hiding its origin.

    There are three problems however: First, S.1618 was never passed. Second, S.1618 would not actually have made spam legal, it would have made certain kinds of spam illegal. Finally, most spam in fact, actually violates the provisions of S.1618.

    Thus, a Murk disclaimer serves as a sure sign that the message is spam, and that the sender knew they were doing something wrong.


    To modify headers in such a way as to evade detection by automated software. The most common kind of morphing is to modify the From: line. The most notable morpher is Woodside who constantly modified the headers and bodies of their spam to evade detection. Netzilla is also well known for morphing their headers.

    Sometimes morphing is inadvertant, such as when an ISP upgrades their news software.


    A javascript tool used by spammers to encode their pages to make them less human-readable, and thus harder to track back to their source.

    See the HayWyre Nullifyer to decode these.


    (n.) Information, typically a spammer's URL, placed into an image which is then spammed to the internet. It is very difficult for spam-detecting software to detect and recognize a brand. Similar to a watermark, but not intended to be hard to see.


    A web page which exists merely to redirect users to another site. Click-throughs are used so that a web site being spamvertised need not be mentioned in the actual advertisement. Spammers will typically create click-through pages on
    throw-away accounts and spamvertise the click-through page.


    That part of a spam which the spammer is really advertising:
    Let's say you have a spam and that spam has a "from" address of "".

    If the spam asks you to hit "reply" for more info then in this case the address "" is the payload so you want to make sure to complain to ""

    If the spam asks you to go to for more info then is the payload so you complain to whoever hosts that website. In this case what's in the "from" is irrelevant.

    If the spam invites you to call 1-800-555-spam then that phone number is the payload.

    If the spam invites you to write to postal address then that postal address is the payload.

    --- Ron Ritzman <>

    Search Engine Spam

    Any content or technique used to artifically improve a web page's ranking with search engines. Examples include the inclusion of non-sequiter keywords or hidden text on a web page, or the seeding of other web pages with links to the page being spammed.

    See also Wikipedia entry Spamdexing.


    Search Engine Optimization. The practice of optimizing a web page to make it easier for search engines to index, and to improve the web page's ranking. Some search engine optimizing services artificially boost web page rankings via spam. See Spamhuntress wiki for more.

    Web Spam

    Form of search engine spam.

    The practice of presenting one web page to search engine crawlers and another to ordinary users. The fake page shown to the search engine crawlers contains content and keywords designed to increase the web page's score or otherwise mislead the search engine, in order to bring traffic to the real page which would otherwise not have merited it.

    Link Farm

    Form of search engine spam.

    Network of web pages whose only true purpose is to contain links to other web pages in order to increase the Page Ranks of the target pages. Link farms are frequently used by "search engine optimization" services who offer to increase a web page's Page Rank for a fee.

    Comment Spam

    Form of search engine spam.

    The practice of filling the comment section of popular blogs with meaningless posts containing links back to a web site. The intent is to artificially boost the page rank of the linked web site, taking advantage of the high page rank of the spammed blog. The more popular a blog is, the more comment spam it gets.

    Spam Blog

    Form of search engine spam.

    Also known as a splog, a spam blog is one created only to contain links. The text is often irrelevant, repetitive, or nonsensical. For a fuller description, see About Spam Blogs at Blogger.

    Referrer Spam

    Form of search engine spam.

    Whenever you click on a link that takes you to a new web page, the server for that web page is given the URL of the page that contained the link. This is done so that servers can keep track of where their traffic is coming from, and optionally serve different content depending on where the link came from. These "referrer links" are kept the the server logs.

    Sometimes these referrer links are made public, either through misconfigured statistics-collecting software, by bloggers who like to display where their traffic is coming from, or any number of other ways.

    Search engine spammers will exploit this weakness by flooding sites with thousands of page requests that contain forged referrer links, in order to boost the Page rank of those 'referred' sites, or simply in the hopes that people will click on those links.

    See discussion forum for more information.

    Click Fraud

    The act of clicking on an on-line advertisement for the purpose of generating revenue or costing someone else money. In the first case, someone using e.g. Google's AdSense program would use a program or hire cheap labor to continuously click on the ads on their own web page, thus generating unearned revenue at the cost of the advertiser. In the second case, someone using e.g. Google's AdWords program would similarly generate clicks on a competitor's ads at Google, thus costing the competitor money.

    See Wikipedia article for more information.


    Practice in which an innocent third party's web page is copied to the page-jacker's web site almost verbatim, but modified so that it links or redirects to the page-jacker's other web sites.

    The purpose is two-fold: The seemingly innocent content of the copied page lures readers into thinking that it's safe to click on the links, and secondly, web search engines will index the copied page under a variety of unrelated catagories. Thus, someone searching for "Oaklahoma Tornadoes" might find themselves at a porn site.

    For a good article on this practice, see Wired article New Web Hazard: Page-Jacking.

    Page Waxing

    A concerted campaign to censor a web site, page, or author. Commonly executed by a large corporation to remove bad publicity or reviews from the internet, although it can also be conducted by politicians, religious zealots, or anybody else who wants to silence debate.

    Page waxing typically consists of legal threats both to the author of a web page and to the ISP where the web page is hosted.

    For more information, see Counterexploitation.

    Typo Squatting

    The act of registering domain names which are likely typos of well-known domain names (as an excercise, try the url ""). The typo-squatters fill the web pages with advertisement. Enough people click on these ads to make the practice profitable. For more details, see
    Wikipedia article.


    Use of javascript which prevents a reader from leaving a web site. When the user tries to leave, a new window pops up back at the web site. Typically used by contract spammers who get paid per person who clicks on the advertiser's web site.

    For a good article on this practice, see Wired article New Web Hazard: Page-Jacking.


    Similar to a mousetrap; lock-in code disables your browser's Back button and prevents you from leaving the web site. Originally developed by porn sites, some mainstream sites also employ this trick. See Ziff-Davis article Coop's Corner: World's most annoying Web sites. See's list of sites that use this trick.

    You can usually escape a lock-in by bringing up the history menus available in most browsers. With Netscape, bring up the "Go" menu, the "Netsite:" menu (far right edge of URL), or hold the mouse button down over the Back button.

    Remember: Always disable Active-X and Javascript except when visiting trusted sites, and always disable them afterwards.


    Eastern Daylight Savings Time. -0400 from GMT (Universal) time. This is useful to know, as some spam software gets this wrong in forged headers.


    Eastern Standard Time. -0500 from GMT (Universal) time. This is useful to know, as some spam software gets this wrong in forged headers.

    Pseudo Site

    A pseudo site is a keyword entered into the Path: line of a cancel as if it were the name of a site. Sites which wish to ignore specific kinds of cancellations may then
    alias that pseudo site out and thus ignore the cancels. Sample pseudo sites are bincancel, mmfcancel, spewcancel, retromod, cyberspam, and nocemed.

    Other pseudo sites may include the name of the canceller or keywords such as SitenameUdp.

    $alz Convention

    The convention of generating message id's for cancels by prepending the string "cancel." to the id of the message being cancelled. This is done in order to reduce network bandwidth. If multiple spam cancellers issue cancels for the same article, they will all use the same message id. This prevents multiple cancels for a single article from being transmitted all over the net.


    A few years ago, Dick Depew wrote a
    robocanceller which was designed to detect and cancel what he considered inappropriate posts to certain newsgroups (see retromoderation.)

    The robot had a bug in it however: it issued cancels which contained the keywords which Depew was using to identify inappropriate posts. The robot went berserk, cancelling its own cancels. Much panic and hilarity ensued as admins everywhere tried to determine the source of the cancels, and then to track down Depew -- who had gone home for the weekend -- to get him to shut it off.

    (This is a classic example of why you never deploy new software on a Friday afternoon.)

    The word "Despew" was coined to refer to spew caused in this fashion.


    A cancel issued to stop spew. Spew cancels should have the pseudo site "spewcancel" added to the Path: header line.


    AKA UUCPNet. The term "Usenet" is not as rigidly defined as it used to be. "Usenet" once referred to the ad-hoc network of computers connected to each other via the "Unix-to-Unix Copy Program" (UUCP). Usenet was a "store-and-forward" network operated over telephone lines instead of expensive high-speed networks such as Arpanet or Bitnet. Usenet was invented in 1979 at Duke University. For more information, see
    Usenet Software: History and Sources.

    As networking evolved, more and more Usenet sites found themselves also connected to the higher-speed networks. It became natural to "gateway" the networks -- that is to use Arpanet, etc. instead of phone lines to transmit Usenet traffic.

    When the Arpanet and the other networks coalesced into what is now known as the internet, Usenet ceased to exist as a separate entity. Also, with the advent of internet protocols over phone lines (Slip, PPP), the UUCP protocol is less widely used. The only real remainder of Usenet today is the format of the Path: header line, which is the format originally used by Usenet to specify a user mail address.

    Today, the term Usenet is more often used to refer to the "network within a network" of machines carrying netnews.

    For more information, see the FAQ's What is Usenet, by Salzenberg, Spafford and Moraes, and What is Usenet? A second opinion, by Vielmetti.

    Usenet II

    Usenet II is a proposal to create a spam-free subset of Usenet. Full details can be found at the web site

    Usenet II consists of a new top-level hierarchy, net.*, which would have a global anti-spam charter. Sites wishing to join Usenet II would be required to adopt and enforce anti-spam policies, and to peer only with other Usenet II sites.

    The Usenet II proposal includes more formal authentication, "hierarchy czars" and secured control messages.

    Alternative: There is a simpler version of the Usenet II proposal (also known as Usenet 3 or Usenet 1.5 due to conflict with the original proposal.)

    In this version, news would flow between Usenet and Usenet II only through selected gateway machines which would implement anti-spam filters on incoming news and hold articles long enough for cancels to arrive -- sort of a gated community in the virtual global village.

    In effect, the anti-spam half of Usenet would be shunning the pro-spam half, except that legitimate traffic would still get through.

    One of the advantages of the newer proposal is that it does not require any changes to the underlying infrastructure, nor the creation of any new newsgroups, with the attendant transition problems.

    For more information, visit and follow the discussions entitled "NNTP Protocol RFC redux" and "USENET2 proposals".


    From the Usenet II rules: A sound site only accepts articles from other sound sites, and takes responsibilility for the generation and transmission of sound articles. If it can't do that, it's not sound, and will not be allowed to transmit articles into U2.


    The global network which was formed when all of the smaller networks -- Arpanet, Decnet, Bitnet, UUCPNet, and so on -- merged together and adopted standardized addresssing schemes.

    Internet 2

    A new network being formed for educational purposes. Internet 2 has the same purpose as the original Internet, but will be for non-commercial use only, and hopefully spam-free. For more information, visit the
    Internet 2 Home Page.


    ISP stands for Internet Service Provider.


    A site which refuses to enforce anti-spam rules on its users, to the extent that it is no longer of any use reasoning with them. Rogue sites are typically owned by the spammers themselves, or are run by greedy, lazy or incompetent owners.

    Rogue sites are dealt with by appealing to their upstream providers, or via Usenet Death Penalty

    Hat Color

    Refers to the pro-spam or anti-spam stance of an organization. The term comes from old American cowboy movies in which you could recognize the good guys and the bad guys by their hat color.

    The "hat color" is usually one of the following:


    Spammer's term for a service provider guaranteed not to disconnect spammers. Term usually used when advertising spam services.


    rogue site which exists for the purpose of sending out spam. Also:, a web site dedicated to tracking spammers.


    An internet backbone dedicated to, or tolerant of spam. For most of 1997,
    Agis was considered a spambone. Later, it refered to the new spam-dedicated backbone that Sanford Wallace and GTMI plan to create.


    AUP stands for Acceptable Use Policy. ISP's should always have an acceptable use policy that says what a customer can and cannot do. These should always prohibit spamming. Better AUPs provide for penalties for repeat spammers. See's
    Sample Acceptable Use Policies for more information.


    (n.) Terms Of Service
    (v.) The act of cancelling a user's account for violating the terms of service. Also: "TOSs" or "TOSsed".


    (n.) Luser Attitude Readjustment Tool, e.g. a 2x4. See
    lart(1M) man page
    (v.) To adjust the attitude of a luser. Often by TOSsing that luser.


    To clue someone in. Derived from old Missouri saying that to get Mule's attention you have to hit them with a 2 x 4.


    A piece of
    construction equipment typically used to dig holes in the ground. Backhoes occasionally tear up underground cables, causing networks to go down.

    Often, when a spammer's ISP goes off the net, it is not known if the upstream service provider discontinued service, or a backhoe did it.

    There are rumours that new wilderness survival kits will now include a piece of optical fibre and a small shovel. If you get lost in the woods, the instructions in the survival kit will tell you to dig a trench, bury the optical fibre, and wait for a backhoe to come along and dig it up. -- Norman L. DeForest

    See User Friendly comic (last panel).


    (n.) The HTTP error code indicating that a web page does not exist, or has been deleted.
    (v.) To delete a web page. Esp. for violating an
    AUP such as one forbidding haven spam.

    A web page is referred to as "404 compliant" when it has been deleted for net-abuse.


    Final Ultimate Solution to the Spam Problem. Derisive term used to describe any pie-in-the-sky suggestion on how to defeat spam. See You Might Be An Anti-Spam Kook If....

    Coffee & Cats

    (Also C&C, etc.) "A term originating from an incident where something I said made someone laugh enough to spill their coffee on their cat and cause all hell to break loose; prefix is considered a courtesy warning so people can put their drinks and cats away before reading the post" -- (Phoenix)

    Rule #1

    Rule #1: Spammers lie.

    Often, someone will post something to the net like "I complained to a spammer about X, and they told me it wasn't their fault because of ...". This is often followed by a two-word response: "Rule #1".

    Rule #2

    Rule #2: If a spammer appears to be telling the truth, see Rule 1

    Rule #3

    Rule #3: Spammers are stoopid.


    Bastard Operator From Hell. Typically a system operator who aggressively enforces policies. See
    lart, clue-by-four, First known reference, BOFH Web Site.

    Bandwidth Hugger

    Nickname for spam-fighter.


    Teergrube is German for "tar pit". In internet terms, a teergrube is a system that acts as a tar pit for spammers -- causing their internet connection to become stuck or to slow down dramatically.

    A typical teergrube is a very slow SMTP server. The server will send periodic SMTP response continuation lines to prevent the client from timing out.

    There are other kinds of teergrubes as well, such as a network connection that sends small packets for reassembly just fast enough to keep the other end of the connection from timing out, a DNS server that takes a long time to resolve a name, or an iptables module that sets the window size to zero, making it impossible for the other end to disconnect.

    For more information, see the Teergrubing FAQ [deutsche], and Wikipedia


    Domain Key/Domain Key Identified Mail. System for positiviely identifying sites transmitting email. See
    info page.


    In general, a system designed to look attractive to crackers and other undesirables. The crackers or whomever attack the honeypot while being carefully watched by the honeypot's admins. In spam terms:
    It's a mailserver set up to appear to be an open relay, but it really isn't. Ideally, a honeypot will relay the spammer relay tests, but it won't relay any actual spam that the spammers send, the actual spam just gets thrown away.

    In practice, it's iffy sorting out the relay tests from the actual spam. Brad will tell you its easy to do, but he's had to head back to work a few times after hours when the spammers didn't do what he expected them to do.

    I think the concept is sweet, but I don't think its very effective. Other's think the concept sucks because there's no way to guarantee that an apparent open relay won't leak any spam, and leaking spam is BAD, PERIOD, even if the thrown away spam outnumbers the leaked spam by a factor of 10,000.

    Steve Baker


    A CGI script which produces an unlimited number of dummy web pages with seemingly different URLs, each of which contains a large number of randomly generated email addresses. The purpose of wpoison is partly to act as a
    teergrube for search engines looking for email addresses, and primarily as a source of bogus email addresses to poison the spammer's lists. See the wpoison home page for more information.


    Rhyming slang for Attorney. Refers to imaginary or clueless lawyers that spammers refer to when threatening lawsuits.
    (Sample usage.)

    Chicken Boner

    The idea is that spammers would love to give you the impression that they're high-powered corporate movers and shakers on the bleeding edge of internet commerce, sipping gin and tonics in their gleaming steel-and-glass slab towers, overseeing a vast empire of wealth; in reality, the image is more that of a lonely, balding guy in a sweaty tank undershirt sitting in a mobile home, scratching himself listessly in the glare of a computer monitor that's surrounded by the detritus of fried-chicken bones and empty 40-oz. malt liquor bottles. It just gives a little perspective.
    -- That Damned EFGrif
    My memories are a bit hazy, but I recall, some time back, that someone in this newsgroup conjured up an image of the place where a spammer would live and work. The writer vividly described, set in a seedy trailer park, a rickety old mobile home littered with beer cans and chicken bones. The image stuck, and "beer cans and chicken bones" have come to be associated with spammer. From there, the term "chickenboner" evolved as a reference to spammers.
    -- Bob Blaylock
    Full story in netnews article
    Things we don't know about spammers

    See also: Three Stages of the Chickenboner and Re: Three Stages of the Chickenboner.


    Short for "clueless newbie". Many spammers are actually well-meaning but clueless newbies to the on-line world. General consensus is that clewbies should be given a second chance.

    Beware, however, of hardcore spammers pretending to be clewbies in order to forestall being TOSsed. See the first stage in Three Stages of the Chickenboner.

    See also: Clue-By-Four.


    (n.) A site which exchanges netnews with another site.
    (v.) The act of exchanging netnews with another site.


    The act of passing an internet message (such as email or netnews) from machine to machine. In the days when the primary transport mechanism for
    usenet was UUCP, relaying was the normal way for a message to reach its destination. Netnews is still distributed this way.

    In the modern packet-switched internet, email is normally sent directly from origin to destination.


    The act of relaying spam through a third-party system without permission.

    Spammers will often relay spam through third-party systems in order to hide the point of origin (effectively laundering the headers.) This is done to trick users into reading messages they would otherwise delete, to evade automated spam-filtering software, and to make it difficult to complain about spam.

    Hijacking can be harmful to the third-party system in several ways. First, it is theft of service. Second, it is a drain on resources -- a large flood of spam can crash a small server, creating a denial of service attack. Third, it can cause bounces and complaints to be directed to the innocent third party. Fourth, it damages the third party's good name when spam recipients think that the spam came from them.

    In October 1997, the medical imaging company Octree was completely knocked off the net for two weeks when the Software Publishing Association relayed a 300,000-message spam through Octree's server, bringing it down.

    In 2002, Califonia politician Bill Jones' campaign hijacked the computers of a korean elementary school in order to send political spam.

    Strong Funds is currently suing Over The Air Equipment for relaying spam through their site.


    Socks is a networking proxy protocol that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side of the SOCKS server without requiring direct IP-reachability.
    In other words, Socks is a protcol for getting through firewalls in an MS-DOS environment.

    An open Socks proxy is a security hole used by spammers to hide their originating IP address. Spam can made to appear to come from the Socks proxy instead of the actual origin.

    GRE and IPIP Tunneling

    A technique used to connect two masqueraded networks together. For more details, see article Tunneling - LinuxNet.

    Mentioned here because its use is insecure on the internet, and has been known as a vector for spammers.


    Denial Of Service attack. Any computer attack intended to render another system unusable.


    Distributed Denial Of Service attack. A form of DOS attack in which hundreds or thousands of computers -- usually Zombies -- are used to execute an attack against the target system. Often used by spammers to cripple spam-fighting web sites, or to blackmail businesses into paying protection money. See Security Focus article FBI busts alleged DDoS Mafia.


    A computer which has been cracked into and is being used by the hackers to launch an attack or spam at other computers -- usually without the knowledge of the computer's owner.

    Usually, the zombie's owner is unaware of what is happening. Zombies were used in the February, 2000 attack that brought down several popular web sites. See news article FBI looks at NZ student in DoS attack investigation

    Zombies are very useful for retransmitting spam. To begin with, the IP address of the zombie computer is likely to be unknown by spam filters prior to the transmission of the spam. In addition, each individual zombie machine may only send a few spams at a time, allowing them to fall "below the radar" and not get noticed as a source of spam.

    Zombies are generally members of a much larger "botnet", so while each individual zombie may not be sending much spam, the total volume of spam can be enormous. Probably between 70% and 95% of all spam is transmitted by zombies.


    Internet Service Provider. A company which sells internet access to the unwashed masses.


    Network Service Provider. A company which sells network access, typically to large companies and ISPs.


    Email Service Provider. A company which sells email management solutions to others. ESPs may also handle legitimate (or not) mass mailings for others.

    Smart Hosting

    Explanation provided by Doug Lim:

    Smarthosting in the context of SMTP servers is when an SMTP server isn't configured to know about resolving MX hosts via DNS for e-mail destinations (an MX record in DNS indicates what host is responsible for mail routing for a given destination mail domain or subdomain) and it simply passes all e-mail that it accepts for delivery to an SMTP server that does know about MX resolving.

    The "dumb" SMTP server's admin basically says, "I don't know about or care about properly finding the destination MX host, I'll just pass all mail to the smarthost which does know about MX hosts and will deliver the e-mail to the proper remote hosts".

    Also, smarthosting is commonly used with networked UNIX workstations where the workstation users send e-mail directly from their workstation, but for reasons of policy or firewall configuration aren't allowed to deliver directly to the remote MX hosts outside the local domain so the network admins designate an SMTP gateway machine that is allowed to deliver e-mail outside the local domain.

    The problem with smarthosting on cable modems and ADSL lines and other forms of dedicated connectivity (particularly inexpensive dedicated connectivity that invites the clueless masses) is when the machine's owner decides, "Gee, it'll be really cool to run my own mailserver, but I don't want to learn anything about proper server administration", gets mailserver software that's open relay by default and only reads far enough into the server docs to find the part that says, "Do this if you don't know about or don't care about resolving MX hosts". The clubie thinks for a second, "What's MX? I don't care about it." and then follows the instructions that follow.

    Smarthosting, in and of itself isn't necessarily a bad thing since it is possible to do smarthosting without running an open relay. Someone with a clue just has to know enough to configure their server to be more selective about what messages it'll accept for delivery (i.e. close the smarthosted server to relay attacks).


    Opt-In refers to email advertising lists which users must deliberately sign on to. Examples include Powell's Books, American Airlines, Cathay Pacific, and so on, all of which allow users to sign up to receive notices of special offers.

    Opt-in is considered the only legitimate way to market via email.


    Opt-out refers to email advertising lists in which recipients are signed up without their knowledge or permission, but may request to be removed from the list.

    Opt-out lists do not work for the following reasons:

    What you should do is stop mentioning the opt-out list, period. It's a little like mentioning condoms to rape victims
    -- Dan Zerkle to Symantec after Symantec's major email spam.


    The practice of removing complainers from an address list rather than deleting the list entirely. This allows spammers to continue to spam with a minimum of complaints. Listwashing often requires the complicity of the spammer's service provider, who will forward email addresses of complainers on to the spammer.


    Secondary spam created by poorly-implemented email software which reports bounces back to the address in the "From:" line of spam. Since the "From:" line is invariably forged, this can cause a second wave of spam in which an innocent third party to receive thousands of bounces.

    See also
    Joe Job.

    Sender Policy Framework

    Also known as SPF. Previously known as Sender Permitted From.

    Sender Policy Framework is an attempt to solve the problem of sender address forgery. Most spam and other abusive email contains a forged sender address. The victims whose addresses are being used are then harmed because their reputation is diminished and they have to spend their time sorting through misdirected bounce messages.

    SPF version 1 allows the owner of a domain to publishes an SPF record in the domain's DNS zone. The SPF record specifies which mail servers are authorized to send email from that domain. A receiving server can then check the domain's SPF record to see if the incoming email came from a valid server or not.

    See for more information.


    A spam-prevention system in which the first email contact from an unknown sender is bounced back with a "prove this is really you" message. Once the sender jumps through whatever hoop the challenge-response system requires, they are allowed to send mail to the recipient. Better C-R systems will queue the original message, and send it through once the sender has validated themself; thus saving the sender the trouble of retransmitting the message.

    On the surface, challenge-response systems look like an effective anti-spam system, but have drawbacks that many anti-spam activists consider unacceptable. In particular, since most spam has forged "From:" lines, the challenges from C-R systems will be sent to innocent third parties, in effect creating a second wave of spam originating from the C-R system itself.

    (More, courtesy of Steve Linford:)

    On top of all of this, is the fact that challenge response breaks automated email delivery which is vital to e-commerce:

    Your challenge response software rejects them all, telling every robot mailer to prove it's a human.

    How many new people do you email in a given week? 50? OK, you only have to click 50 'challenges'. I probably email 150 new addresses every week, do I want to be looking out for 150 challenges to open and click each week? How about Microsoft Customer Support or indeed any ISP technical or support operation who spend their whole day emailing customers (or those anti-spammers who always complain ;) only to find their efforts bouncing off challenges with the result that the person asking the question does not get an answer and gets angry at the company's poor support.

    Every time someone writes in the Spamhaus asking a question, and I spend time writing them an answer only to find a challenge comes back when I send it, I press delete.

    Sender Verification Callout

    A spam-prevention system in which the identity of the sender of incoming email is verified before the email is accepted. The standard method is for the receiving system to connect to the mail server specified in the "From:" header and verify the sender's identity.

    Although commonly used as an anti-spam system, and available with a number of mail transfer agents, sender verification callout has many of the same problems as challenge-response. In particular, since most spam has forged "From:" lines, the verification step will result in an unwanted connection to the puported sender's system, further tying up bandwidth of an innocent third party. If a large spam run uses the same domain in the forged "From:" lines, the innocent server will be barraged with verification requests. In addition, some domains will accept email to any user id either because the domain has a "catch-all" address or as part of its own anti-spam measures. This will cause all forged From: addresses to be accepted by the system trying to use sender verification callout.

    And finally, many systems disable address verification completely to prevent spammers from harvesting email addresses. This would cause verification to fail for legitimate From: addresses, causing legitimate email to be labeled as spam.

    The problem is severe enough that at least some DNS Blacklist providers consider the use of sender verification callout to be net-abuse and will list servers that use it.


    Serial Line Internet Protocol. A method that allows a small computer to connect to the internet over an ordinary serial line and modem.


    Point to Point Protocol. A method that allows a small computer to connect to the internet over an ordinary serial line and modem.


    Point Of Presense. A network router that allows a user in one place to connect to their ISP in another. Many POPs have very poor logging capabilities, making it difficult to track down the exact individual responsible for spam.

    Some ISPs rent access to POPs to other ISPs. This can make the equation even more complex.

    Mail Drop

    An email address at a second ISP, to be used to receive email after a spam. Used because the spammer knows that the account from which the spam was sent will be quickly cancelled.

    Throw-Away Account

    A cheap account acquired for the purpose of
    spamming, with the knowledge that the account will be quickly cancelled, but not in time to stop the spam.

    Free internet services such as Deja-news, or internet services with free trial periods such as AOL, are favorites of spammers, as it costs nothing to acquire and then lose the account.

    Domain Kiting

    The practice of registering a domain name for only five days and then returning it for a full refund.

    ICANN allows domain owners a five-day grace period to drop a registration in case of misspellings or typos. However, spammers and other bad actors use this policy as a loophole in order to create "throw-away" domain names for spamming, or to register tens of thousands of temporary domains for such purposes as link-farming or typo-squatting.

    See Spam Diaries article for more information on the subject.


    (From A program that handles email sent to an abuse@ address by sending a soothing reply, and deleting the original complaint

    Some ignorebots send a message indicating that the spammer is not abusing the ISP's rules, or that the ISP has no rules against spam, or in some other way indicates that no action will be taken. These are known as "fuck-you-bots".


    Term coined by Joe Greco.
    1. A scenario where a spammer or other luser signs up for new accounts as fast as they lose the old accounts.
    2. A scenario where a spammer is based at one ISP, but only posts spam through open servers at other ISPs. If the first ISP refuses to disconnect the spammer, the only recourse for anti-spammers is to monitor the spammer's activity and notify the owners of the open servers as they're discovered. Since new open servers are always popping up as fast as old ones get closed, this can get very tedious.
    Both scenarios resemble the "Whack-A-Mole" arcade game, hence the name.

    Golden Mallet

    Virtual award given to the system administrator who shows the greatest achievement in whacking spammers quickly.

    Night Of The Long Knives

    Sept 19, 1997. The date that
    AGIS pulled the plug on Cyberpromo, Quantcom, and Nancynet.


    Newsgroup A usenet newsgroup dedicated to fighting email spam. See also,, etc.

    Usenet Cabal

    The term used to describe the secret underground organization of spam-fighters, censors, plug-pullers, communist tentacles and criminal pedophiles who wish to take over Usenet, corrupt our youth, rot our teeth and win the war for the axis. See also
    Trilateral Commission, The Illuminati, and Department of Conspiracy Investigation & Propagation.

    The Cabal does not actually exist as such, except in the mind of various net.kooks for whom the Cabal serves the purpose of providing a relatively harmless way of venting their excess paranoid energy. As secret organizations go, the "Cabal" doesn't do a very good job as they're not very secret (you can find them any time by reading and they're not very organized (they have to read n.a.n-a.m just to find each other.)

    The actual term "Cabal" comes from the Great Usenet Renaming of the late 1980's, when a group of administrators of Usenet backbone systems decided that the Usenet news naming conventions were too disorganized and went ahead and reorganized things. (At this time, many popular newsgroups changed names, e.g. "net.women" became "soc.women" and so on.)

    Further, the backbone administrators were refusing to carry newsgroups with controversial titles such as "" and "rec.drugs". This had the effect of banning these newsgroups.

    This group of administrators was nicknamed "The Backbone Cabal". The "Alt" news hierarchy was created to route around this censorship.

    Although the great renaming was many years ago, and the Usenet backbone itself no longer exists as such, the term "Cabal" has remained firmly entrenched in the minds of those who need someone or something to blame for their inability to re-make Usenet the way they would wish.

    For more information on how you can join the Cabal, read Jeffrey Smith's article How to see if you qualify to join the Cabal


    "There Is No Cabal". Comment often added to posts about or from spam-fighters.

    Net Scum

    Term used by various
    net.kooks to refer to those with whom they disagree. For more information, see the Net Scum homepage where they maintain an extensive enemies list. It is considered by many to be a badge of honor to be included on the Net Scum list. However, like the famous Nixon "enemies list" before it, the Net.scum list has grown to the point where this is no longer a particularly exclusive club.

    The Net Scum webpage was hosted by Cyberpromo, but lost their connectivity when Cyberpromo was disconnected.

    Lusenet Cabal

    Word play on "Usenet Cabal". Reference to those with a screw loose who believe in the secret organization to take over Usenet.

    For more information on the Lusenet Cabal, visit the following web sites:

    Kook Kabal

    Another term for
    Lusenet Cabal

    Issue Poster

    Similar to a net.kook, an issue poster is someone who posts relentlessly on a single issue. Post "have a nice day" to a newsgroup inhabited by an issue poster, and the issue poster will respond "Oh sure, that's easy for you to say, but Slobovian political prisoners *never* have a nice day."

    Perhaps the most famous issue poster of all was Serdar Argic who not only posted relentlessly on the Turk genocide against Armenia, but even went so far as to write a 'bot which searched out all references to "Turkey" on the internet and auto-posted a followup tirade. This proved to be a great nuisance in the recipes newsgroups every Thanksgiving. (Note: it is believed by many that Serdar Argic never actually existed except as the 'bot, which was presumably written by Ahmed Cosar.)

    Lumber Cartel


    "There Is No Lumber Cartel". Humerous reference to allegations by Duane Patterson Patterson Research & Recovery. See for more.

    Also see the Lumber Cartel home page.


    SubGenius Police, Usenet Tactical Units, Mobile See Sputum webpage.
    [ER] Contributed by (Errol)
    [JD] Contributed by Doug Jacobs
    [RC] Contributed by (Roswell Coverup)
    [RR] Contributed by Ron Reddon
    [CT] Contributed by Christ Tucker
    [SL] Contributed by Steve Linford

    Back to top

    The opinions expressed on this page are solely those of Ed Falk and do not necessarily represent those of any other organization, (although I hope they do). I wish to thank for hosting this web page.

    This page maintained by Ed Falk