How to Complain About Spam, or, Put a Spammer in the Slammer

Phil Agre
http://communication.ucsd.edu/pagre/
Feel free to post where appropriate until December 31st, 1997.

Table of contents:

  1. Introduction
  2. Fraud and related consumer issues
  3. Issues relating to paper mail
  4. Complaining to the police
  5. Complaining to your legislator
  6. Complaining to the service provider
  7. Complaining to the spammers themselves
  8. Questionable strategies
  9. Other resources
  10. Conclusion

(1) Introduction

Unsolicited bulk e-mail, commonly called "spam", has lately become an extraordinary nuisance. Spam as such is not illegal (yet). The contents of some actual spam messages, however, may violate a state or federal law. Other spam messages may violate the spammer's contract with his or her Internet Service Provider, or else cause enough harm to a third party to warrant a civil lawsuit. No legal action will be taken against a spammer, however, unless someone reports the problem.

This article does not provide legal advice, nor does it make legal allegations against any particular spammer or any particular class of spam messages. It does, however, provide instructions for reporting those messages that, in your judgement, deserve further investigation by appropriate authorities. Reporting spam does take some effort at first, but once you get a little practice, it can easily become a regular part of reading e-mail. Let me emphasize: even though this article provides a whole menu of methods for complaining about spam, you'll be doing a tremendous public service if you simply pick ONE of these methods and do it on a regular basis. Pick the one that you find most convenient, or that gives you the most delicious feeling of revenge. There's no need to get overwhelmed or burned out. Follow the instructions a few times, just to see how it feels. Maybe try something else and see how *it* feels. Then slowly work your favorite spam-reporting measures into your daily and weekly routine.

The contact information that I provide here is incomplete, and at present includes only the United States. Those with contact information for other jurisdictions are encouraged to send it along for inclusion in future editions. This article only contains information for those wishing to complain about spam; those seeking deeper explanations of the problem, or who are curious about other topics, will find URLs for several encyclopedic Web sites toward the end of this article. Most of the information in this article, particularly on technical topics, has previously been described in other forms by these existing sites.

(2) Fraud and related consumer issues

Many spam messages make offers that seem too good to be true -- for example money-making pyramid schemes, impossibly lucrative work-at-home deals, suspiciously low prices, disingenuously described goods, questionable medical cures, free cable TV schemes, and so forth. These messages might be fraudulent, or they might not. You needn't judge for yourself which messages are legal. If you find a message suspicious then you have a right, and perhaps even a moral duty to others less sophisticated than yourself, to report the possible fraud or misrepresentation to the Federal Trade Commission (FTC). The FTC doesn't settle particular disputes, but it is interested in patterns, and a massive, potentially fraudulent spam is nothing if not a pattern. Although the FTC has so far shown little inclination to do anything about potentially fraudulent spam offers, nonetheless it's their job and we should encourage them to do it. For their progress on related issues see:

http://www.ftc.gov/opa/9711/hlthsurf.htm http://www.ftc.gov/opa/9711/cdi.htm

To report a suspicious spam message, simply print the message out, add a cover letter that expresses your concerns, and mail it to:

Federal Trade Commission
6th Street and Pennsylvania Ave NW
Washington, DC 20580

Your cover letter can be very simple indeed. There's no need to quote chapter and verse of the law. You might simply say:

I received the enclosed message over the Internet today, presumably as part of a much larger "spam". I am concerned that it might be fraudulent, and I want to ask you to investigate it. Thank you.

I encourage you to report potentially fraudulent spam messages to law enforcement authorities using paper mail, because Internet messages seem to carry less weight in Washington. You can, however, make a report to the FTC over the Internet using the "scamspam" page:

http://www.junkemail.org/scamspam/

The FTC supposedly accepts electronic mail complaints about spam at uce@ftc.gov. I would be interested to hear of any evidence that they take complaints to that address seriously. (UCE means unsolicited commercial email, which is supposedly the polite way of saying spam.)

The British equivalent of the FTC is the Trading Standards Officer:

http://www.xodesign.co.uk/tsnet/pages/lalist.htm

One way to raise awareness of these issues is to seek media coverage. In the United States anyway, many regional television stations have excellent consumer affairs reporting. These folks are always looking for good story ideas, and potentially fraudulent junk mail on the Internet makes a clear story that's easy to explain. Pick up the phone and call a local station that produces a nightly news program. Ask for the name of the editor who handles consumer affairs and the mailing address of the station. Write that person a letter concisely explaining the problem. Draw on your own experience and use language that their viewers will understand.

A good consumer affairs story will ideally have a local angle -- for example, someone in the community who got burned by a fraudulent offer that they received over the Internet, or a questionable spammer who lists a mailing address in the area -- or a news hook -- for example, a recent news article about somebody being indicted for a consumer-related crime that involves the Internet. Even if those elements are missing, potentially fraudulent spam messages can still make a good story if you explain the following points:

Enclose some examples of spam from your own printer, and any news clippings on the subject that you might have (USA Today and the New York Times have covered the issue, or use the Spam Media Tracker -- see below) and perhaps a copy of this article. Some people make a habit of printing out spam messages that they find particularly offensive, just to have them ready for such purposes. The key, however, is your letter.

If you want to follow up with a phone call, wait about three days and then call in the morning, when deadlines are less urgent. Never try to talk to an editor or reporter on the phone without first asking if they are on deadline. Then simply ask if they've received the letter and whether they'd like to follow up. Be polite, don't pressure anyone, and be ready to accept a "no" gracefully.

(3) Issues relating to paper mail

Schemes that employ the US mail may interest postal inspectors. If you find a spam message suspicious, and the message invites replies at a US mail address, you might send a copy of the message to the relevant postmaster. Again, simply print the message out, add a simple cover letter expressing your concerns, and mail it to:

Postmaster
Anytown, XX 12345

where, obviously, you should replace "Anytown, XX 12345" with the real city, state, and zip code that was mentioned in the address.

You must use postage when sending a letter to a postmaster (or, for that matter, to the FTC or the other law enforcement agencies). In the United States, one first-class stamp pays for an envelope and about four sheets of paper. After that, put another stamp on it to make sure. Reporting spam, in other words, does cost a little money. If this bothers you, simply restrict yourself to reporting the most offensive messages, or the ones that seem the most obviously illegal.

(4) Complaining to the police

Messages that seem potentially illegal can also be reported to the FBI, to the attorney general of any state that the message claims as its origin, and to the local police. In each case, once again, simply print out the message and include a brief cover letter expressing your concerns.

To find the address of the nearest FBI field office, consult the following web page:

http://www.fbi.gov/fo/fo.htm

The attorney general of your state is your friend, and will be happy to investigate potentially illegal spammers if newspaper headlines can be generated by doing so. Here, just to give the idea, are a few of their addresses:

Attorney General Scott Harshbarger
One Ashburton Place
Boston, MA 02108-1698
(617) 727-2200
http://www.state.ma.us/ag/ago.htm
Frank J. Kelley
Attorney General
Law Building
PO Box 30212
Lansing, MI 48909
(517) 373-1110
Hon. Drew Edmondson, Attorney General
112 State Capitol Bldg.
Oklahoma City, OK 73105
(405) 521-3921
Pennsylvania Attorney General's Office
16th Floor, Strawberry Square
Harrisburg, PA 17120
(717) 787-3391
info@attorneygeneral.gov
http://www.attorneygeneral.gov
Office of the Texas Attorney General
PO Box 12548
Austin, TX 78711-2548
(512) 463-2100
Office of the Virginia Attorney General
900 East Main Street
Richmond, VA 23219
(804) 786-2071
mail@oag.state.va.us
http://www.state.va.us/~oag/main.htm

The National Association of Attorneys General is on the Web at:

http://www3.issinet.com/naag/

The attorney generals' contact information, courtesy of various sources:

http://www.tobacco.org/Misc/ags.html
http://www.fraud.org/info/links.htm
http://www.counselconnect.com/agtierney/list.html
http://members.aol.com/reinbeaux/pass/stateag.htm

Many state attorneys general have offices to protect consumers. For example, the Washington State attorney general's Consumer Protection Division is on the Web at http://www.wa.gov/ago/CPD/CPHOME.html

Many states have Web sites at http://www.state.XX.us/ , where XX is the 2-letter postal code, for example CA for California. You might be able to find other consumer related information at the site for your state, or the state from which a spam message originated.

The federal equivalent of the state attorneys general are the US attorneys, who litigate for the US attorney general. Their contact information can be found at:

http://www.usdoj.gov/usao/usao.html

If the spam message includes a postal address then you can get the address for the spammer's local police department through directory assistance (in the US, 1 + area code + 555 1212).

It would be excellent if someone wrote a program (ideally integrated with a commonly used mail-reading program) that scans a potentially illegal spam message and automatically prints letters of complaint to the appropriate law enforcement authorities.

(5) Complaining to your legislator

If you receive a particularly outrageous item of spam, you can use it to help educate your elected representatives on the need for appropriate legislative action. Federal legislation would have the advantage of uniformity, but action is more likely at the state level. Moreover, at least one state, Nevada, has passed very bad legislation in this area because legislators were not well-enough educated. You can easily identify your legislators and obtain their addresses by calling your state's capitol building. The most effective letters are hand-written, concise, calm and rational, based in personal experience, and explain the issue in plain language.

At the federal level, you can find instructions for contacting senators and representatives at http://www.cauce.org/congress.html. Several anti-spam bills have been introduced in the US Congress, and you may wish to express your opinion about them.

(6) Complaining to the service provider

Warning. This section is slightly technical. Although I have tried to write it for beginners, many people might be impatient with the details. That's okay. Go ahead and concentrate on the methods of complaint that are listed in the previous sections and you'll be making a real contribution.

Internet Service Providers should require their subscribers to sign contracts that forbid spam, and some of them actually do so. It is appropriate, therefore, to complain to any ISP whose users originate spam. The ISP usually isn't responsible for the spam, so be polite. But do encourage the ISP to take action against the offender, and to strengthen its contractual language so that future offenders face stronger penalties for spamming.

The focus here, then, is on identifying the spammer's ISP. It is not useful to complain about particular spammers to your own service provider, who already knows about all of the spammers that it can do anything about. Your service provider, however, might be able to provide you with software for filtering spam or tracking spam messages back to the source. Beyond that, you might consider moving your business to a provider who makes a real effort to fight spam both technically and legally.

The hard question is how to identify the spammer's ISP. The most obvious approach is to look in the "From:" field of the spam message's header. If the address in that field is not a plausible e-mail address, for example

From: yourfriend@snarfworld.com

you can be confident that the header was forged and that the message did *not* originate at snarfworld.com. Even a legitimate-looking "From:" field is likely to contain the address of an innocent person whom the spammer wishes to burden with complaints. Likewise, any field that claims to identify the "Authenticated sender", for example:

Comment: Authenticated sender is otherguy@aol.com

is probably bogus as well. Now, if a spammer forges an individual's name or address as the source of a spam message, then that individual might have cause for a lawsuit. Likewise, the owner of an Internet site whose domain name has been forged as the source of a spam message might also have cause for a suit. So you might consider reporting spam to a site even when the site's address has obviously been forged. You should obviously be polite about it. In particular, you should understand that having to read your message constitutes part of the damage that will constitute grounds for the suit. It's your call.

In any case, another part of the header is less likely to be forged. It looks like this:

Received: from snarfworld.com ([194.177.96.7])
    by weber.ucsd.edu (8.8.6/8.8.6) with ESMTP id QAA23180
    for <pagre@ucsd.edu>; Wed, 12 Nov 1997 16:01:42 -0800 (PST)

If you don't see any "Received:" fields in the header, that's because your mail-reading program isn't displaying the complete header, or else because the mailer at your site has stripped off the "Received:" headers before delivering the mail to you. Consult the mail-reader's documentation, or your ISP or system administrator, to find out how to see the complete headers. Here are the instructions for some commonly used mail reading programs:

Spammers sometimes put fake headers at the end of a message to cause confusion. But AOL is virtually the only environment where headers are supposed to show up at the end of a message, and even there you should be able to find the real headers after the fake ones.

When you do retrieve the full header for a spam message, you will usually see several "Received:" fields, which are supposed to trace which machines the message has passed through. You can use these fields to decide where to report the spam. Opinions differ about the best strategy, and I will keep this explanation simple at the risk of offending those who hold different opinions. The problem, simply put, is that many spam messages include forged "Received:" fields to throw you off track. Any "Received:" fields that mention AOL or Juno, for example, are probably forged.

The "Received:" fields are generally in order, with the most recent ones first, so if one "Received:" field is suspect, then all the ones below it are automatically suspect as well. If you assume that the "Received:" fields are all legitimate, then you can simply look through them and identify the first machine that accepted the message from the spammer's own site. This machine shares some of the blame, since it should have detected that the message was spam, for example because its return address could not be translated to a legitimate IP address, and refused it. If the spammer employed software that deliberately creates a confusing header, however, you may end up complaining to an innocent party -- one whom the spammer wishes to attack. This is where it helps to have technical tools for reconstructing the truth behind potentially forged e-mail headers. Although I'll talk about some of these tools in a moment, they may require more expertise than most people have.

Therefore, nontechnical people may wish to employ another strategy. If you look at a header closely, you will usually find that one or more of the "Received:" fields mentions your own site. Look for the "Received:" header field that records the message's first arrival within your site. Because the "Received:" fields are ordered, the field you want might be the first "Received:" field in the header. This field was generated by the mailer at your site, so it is probably reliable. In the case of the (fictional) "Received:" field that I quoted above, the message came from snarfworld.com. In that case, to report the message, you would forward a copy of it like so:

To: abuse@snarfworld.com
Subject: spam from your site

This spam message was apparently sent through your mailer...


[include a copy of the message, including the full header]

It is important to include the full header of the offending spam message; that header is the site maintainer's major source of clues about the message's actual origins. In fact, the site to which you are complaining was most likely "hijacked" against its will to produce spam. This is very common, and it generally results in torrents of "bouncemail" for the messages that the spammer sent to bad addresses – potential cause for a lawsuit. Even if no lawsuit is filed, the site's maintainers need to upgrade their software to prevent this sort of hijacking in the future, and your complaint will help motivate them to do so. I recognize that this can be a complicated issue, and that mailer upgrades that suppress hijacking may also disable other, legitimate uses of mail. I believe, however, that spam is the more serious concern.

If mail to the "abuse" address does not work, you *might* be dealing with an ISP that is irresponsible or needs a little education on the importance of taking action against users who spam. See if you can reach them at "postmaster" instead and explain the issues to them. A table of the spam-reporting addresses at several major ISPs can be found about halfway down the following Web page:

http://members.aol.com/reinbeaux/pass/pass.htm

On the other hand, you should not expect a personal reply to a spam complaint from even the most responsible ISP. ISPs get far too many complaints, for better or worse, to respond to each one individually.

For more detailed instructions on interpreting "Received:" header fields, see:

http://kryten.eng.monash.edu.au/received.html

If the "Received:" fields in the message header are too complicated to think about, you might also be able to discern the origin of a spam message from the "Message-Id:" field, also in the header. For example:

Message-Id: <199711006334.WAB43780@node21.snarfworld.com>

This line can be forged as well, but so far only the professional spammers seem to be forging it regularly. Mail to "postmaster" or "abuse" at the indicated site (in this case snarfworld.com) would be appropriate, once again keeping in mind that the site could have been forged.

Another approach to researching the origins of spam messages is the Dejanews service, http://www.dejanews.com/ . This is a search engine for Usenet discussion groups. If an offensive spam message includes a distinctive text string, perhaps a fabricated address in the header or a misspelling in the body of the message, then you can use that text string to conduct a Usenet search. Oftentimes a discussion about that very message will already be ongoing among expert spam-trackers on Usenet, and if you can find the appropriate newsgroup then you can learn what they've discovered. In particular, if you notice a message whose "Subject:" line is "Please help me decode these headers", click on the icon indicating "replies".

If a particular Internet Service Provider seems to originate a large amount of spam, you might want to take the trouble to focus your attention on that particular provider. Start by looking at their web page, which will probably be found at http://www.companyname.com/, and see if they have a policy about spam. If they don't have a policy, or if the policy is weak, or if they are clearly not enforcing it, then you might write to the addresses of any customer service people or company executives that happen to be mentioned on the site. Most reputable ISPs hate spam, so be polite unless you have the expertise to be certain that you're dealing with an irresponsible company.

You can also write to the webmaster of any site that is mentioned in a URL that might be included in a spam message. If the message contains a URL like http://www.snarfworld.com/~joker/freeoffer.html , then you might wish to send a message that looks like this:

To: webmaster@snarfworld.com
Subject: spammer using your site

A spammer is evidently using your web server...


[Enclose a copy of the message, again with complete headers.]

Often the URL will mention the spammer's company, but the spammer's web site will in fact be located on the server of a legitimate ISP. If you learn how to use whois, nslookup, and traceroute, you can identify the ISP and report the problem (with complete documentation) to the ISP's "abuse" or "postmaster" address.

URLs for Web interfaces to the whois, nslookup, and traceroute functions are provided below. Briefly, the whois function allows you to identify individuals who are involved in managing the spammer's Internet domain. If "abuse" and "postmaster" are invalid, you can send e-mail to the administrative and billing contacts. If those addresses are forged or inactive, see if the server information shown at the bottom of the whois report allows you to track down the actual ISPs supporting the spammer's site.

The nslookup function lets you recover the IP address from a domain name. IP addresses, which look like [251.666.4.71], might provide more reliable information about the source of a message than domain names, which look like snarfworld.com.

The traceroute function is easily the most entertaining of the three. It demonstrates the route that a packet takes from an arbitrary Internet site (say, for example, the site from which a spam message originated) to another arbitrary site. When you're dealing with a spammer who is connected to a small local ISP, traceroute is useful for figuring out which big national ISPs the spam messages are passing through. If the local ISP is chronically tolerant of spam, you might suggest that representatives of the big ISP have a talk with them.

If you would like to learn more sophisticated methods for tracking the origins of offensive spam messages, consult the Web pages mentioned at the end of this article.

(7) Complaining to the spammers themselves

If you can recover a useful e-mail address from a spam message then you can complain to the spammer directly. It is hard to be certain of having the spammer's real address, but if you find an address on the spammer's Web site then you can be reasonably certain that it is correct. You should realize, however, that by sending electronic mail to a spammer, you have just validated your address for purposes of future spam. Some people claim that they have only made their spam problems worse by complaining in this way, particularly if they use software tools that process a spam message and create complaint messages automatically.

If a spam message mentions a phone number, one possibility is to call them and complain. This is easy and cheap if the number happens to be local, or if it is a toll-free (800 or 888) number. You'll probably get an answering machine. However, you should be aware of several drawbacks:

Some spammers may simply be ignorant people who have been conned into paying for miraculous cheap advertising. If you're a kind soul and think you might be dealing with such a person, and they've provided a US mail address in their message, you might write them a letter. Perhaps you can create a form letter that explains the problem, and simply mail it to every postal address that is mentioned in a spam message that you receive.

(8) Questionable strategies

Some strategies for complaining about spam have significant drawbacks.

If you think you have the spammer's true e-mail address, you can send back a couple dozen copies of the offending spam, or else three or four large messages each containing dozens of copies. This approach, however, has four problems: first, you may not have identified the spammer correctly, so that an innocent person gets your mail-bomb; second, the spammer's ISP might stagger under the weight of your messages, thus potentially inconveniencing others; third, spammers have better mail filters than you, and are unlikely to see your mail-bomb; and fourth, you have just provided your e-mail address to a person who sends annoying e-mail. I don't recommend this approach.

Another questionable approach is to threaten the spammer with violence or property damage. Though perhaps momentarily satisfying, this method is probably ineffective, possibly illegal, and certainly immoral. The last thing we need is spammers stereotyping anti-spammers as terrorists. A large number of other vigilante measures, such as circulating a spammer's identity on the Internet or complaining about the spammer to his or her business associates, should be approached only with extreme caution, given the potential for harming innocent people or provoking expensive legal action. Do nothing that is illegal, or that might provide grounds for a lawsuit.

I also do not recommend availing yourself of the mechanisms that spammers advertise for removing yourself from their mailing lists. Many of those mechanisms are bogus, and they tend to legitimize spam. The goal here is to stop spam, not to legitimize it.

You might try configuring your mail-reading program to screen out spam by recognizing certain domains or phrases. Some people have reported good success with this approach, but many others have not. Even if it works, it is only a viable solution for the technically sophisticated, and it does not alleviate the burdens that spam creates for legitimate system operators. This is a community problem that seeks community solutions.

Finally, I absolutely do not recommend ignoring spam. Many people argue that you should just ignore it, since flaming creates bad energy, doing anything constructive takes effort, and lots of experts are out there solving the problem. This is hooey and I denounce it. The war is not won, and it will not be won simply through the heroic labors of experts. Everybody's efforts are crucial, including yours. Pick something that you can do and do it, and know that lots of other people are doing the same.

(9) Other resources

Here are the URLs for some other sources of information about spam on the Web. Use your judgement. I do not necessarily endorse any opinions, factual claims, or software programs that these sites might offer:

Email Abuse Frequently Asked Questions

http://members.aol.com/emailfaq/emailfaq.html

SPAM-L Frequently Asked Questions

http://www.ot.com/~dmuth/spam-l

Review of the legal issues by Michael W. Carroll

http://server.Berkeley.EDU/BTLJ/articles/11-2/carroll.html

Compendium of proposed federal and state spam laws

http://www.tigerden.com/junkmail/laws.html

Comparison of proposed federal spam laws, including text

http://www.junkemail.org/bills/

Spam court cases

http://www.jmls.edu/cyber/cases/spam.html

Spam Media Tracker

http://www-fofa.concordia.ca/spam/news.shtml

Internet Mail Consortium

http://www.imc.org/imc-spam/

National Fraud Information Center

http://www.fraud.org/info/contactnfic.htm

Coalition Against Unsolicited Commercial Email

http://www.cauce.org/

spam.abuse.net

http://spam.abuse.net/

Junkbusters (mostly phone and paper mail)

http://www.junkbusters.com/

Get That Spammer! (tools for tracking down spammers)

http://kryten.eng.monash.edu.au/gspam.html

Spam Hater

http://www.compulink.co.uk/~net-services/spam/spam_hater.htm

Netizens Against Gratuitous Spamming (technical fixes)

http://www.nags.org/

Yahoo's guide to anti-spam software

http://www.yahoo.com/Computers_and_Internet/Communications_and_Networking/
Electronic_Mail/Junk_Email/Software/

whois -- for recovering (potentially forged) information on a domain

http://www.interlog.com/~patrick/cgi/whois.cgi
http://rs.internic.net/cgi-bin/whois

nslookup -- for looking up the real IP address of a domain name

http://www.interlog.com/~patrick/cgi/nslookup.cgi

traceroute -- unix program for finding a spammer's upstream ISPs

http://www.boardwatch.com/isp/trace.htm

news group concerning abuse of e-mail (not for the faint of heart)

news.admin.net-abuse.email

(10) Conclusion

If we despair about spam then the spammers win. Many thousands of people are working against spam, each in their own way. If you simply pick the one method that you find most convenient then you can be confident that these antisocial people will eventually be compelled to find better ways of making a living.

(*) Acknowledgements

I would like to thank the many people who have contributed suggestions, corrections, and URLs to various drafts of this article. Any further constructive comments will be gratefully received. Notwithstanding the kindness and generosity of the commenters, this article is solely my responsibility. In particular, it does not represent the views of the University of California or any other organization. HTML markup by Tom Blake.

Copyright 1997 by the author. You may forward this article electronically to anyone for any noncommercial purpose. However, you must forward it in its entirety, without modification. Reproduction in printed form, or for commercial purposes, requires the author's express written consent.