
New spamfighter orientation


All times are UTC - 5 hours [ DST ]


 PostPosted: Sat Jan 02, 2010 11:38 pm   
You are kiillllling-a my bizinisss!
Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
Welcome to inboxrevenge.com!

Have you had it with spam? Can't find important messages? Sent important emails to other people who apparently never found them in their spam folders? Or worse, are you having emails blocked altogether by ISP's that have instituted draconian anti-spam measures? Frustrated that despite all the filtering going on, you're still getting an inbox full of emails from Nigerian widows, password resets for banks where you don't have accounts, Valentine's Day cards from computer malware distributors, ads for fake pharmacies/watches, etc? Worried about your kids or parents clicking on something dangerous in an email? Maybe you clicked on something yourself and ended up spending a lot of time or money getting your computer cleaned up. Maybe your passwords/identity were stolen and you're still finding new frauds being perpetrated with the information. Maybe you've been notified by your ISP that your computer is mailing spam, and you want to know what you did and how you can avoid doing it again. We don't have to tell you that spam is about a lot more than annoying emails. Spammers are criminals, and they have your email address.

This forum is home to some highly accomplished spamfighters, but we're specifically interested in helping newbies get started defending their own inboxes. If you know absolutely nothing about spam, you're in the right place. There are no stupid questions. But we hope you'll read through this thread so we only have to answer the most common questions once. We also invite you to visit the spamwiki, at http://spamtrackers.eu/wiki , where many spam-related topics are covered in more detail.


 PostPosted: Sat Jan 02, 2010 11:38 pm   
About the inboxrevenge.com forum:

While some topics are open to guests, there are others that can only be viewed by registered members. You also must register to post. Due to frequent attacks by spammers, new registrations must be approved by an administrator. You will be contacted to provide information about yourself. You don't have to give your name, but please tell us enough about how you got here that we know you aren't a forum-spamming bot. Add: We are trying an experiment where newly registered members may post, but a moderator will have to approve it. Those new members will not have access to the members-only forums. Once you have responded to the email, we can switch you to full membership with immediate postings and access to additional forums.

Use a temporary password to register, then change it. You must choose a complex password, as hackers regularly attempt to guess members' passwords. For the time being, once your registration is approved, SiL isn't really going to delete your username if you don't post within 24 hours. So go ahead and register, even if you don't have anything to say yet. However, if you don't sign in at all after registering, your username will be deleted after a while.

There's a new member thread at
viewtopic.php?t=162&start=135
if you would like to introduce yourself

Important things to know about this site:
* The primary administrator is spamislame (SiL).
* Others include Red Dwarf and AlphaCentauri
In addition, there are moderators who can edit/delete other people's posts. (You can always edit your own.) You should alert them if you see any spam posted on the forum or if there are inappropriate posts of other sorts, like flame wars. You can do that by clicking the exclamation point icon at the upper right corner of a post. You can also flag one of your own posts should you need help with it. If you think there is some issue that can't wait until the next mod logs on, Red Dwarf, trobbins, and I (in addition to SiL) are probably available via PM fastest.

* Mail: You can get notifications of replies to your posts and get notifications when other people send you private messages if you set your forum preferences that way. You can get notifications of replies to a thread you haven't posted to by clicking "Subscribe topic" at the bottom left of the page. Even if you choose not to get routine email notifications, please keep your email address up to date, as that is how you would be notified if the forum relocates due to DDoS.

* This site does not have a time limit for editing your own posts. You can edit any time you want (but only a mod can completely delete one). We use that feature liberally, and it allows people to revise things that maybe sound more harsh than they were intended so the discussions remain respectful. But remember that if you edit an old post, it will not be flagged as new, so if you want people to notice your change, make a new post or add a "bump" post at the end.

* Since we got DDoS'd out of our original URL and moved a couple times since, you will still find internal links in older posts that go to our old locations. You can substitute in the new URL if you find them. So for example,

http://thecarpcstore.com/phpbb2/viewtopic.php?t=2021
or
http://kyferez.kicks-ass.net:81/killspammers/viewtopic.php?t=2021
or
http://kstest.inboxrevenge.com/ksforum_new/viewtopic.php?t=2021

should be changed to
http://ksforum.inboxrevenge.com/viewtopic.php?t=2021

* Should this forum be down, some of us can be contacted via private message on other forums such as spywarehammer.com or wilderssecurity.com. We also have alternative blog sites for news updates if you can't reach this site at all:
http://inboxrevenge.blogspot.com/
http://inboxrevenge.spaces.live.com/
http://inboxrevenge.webs.com/
http://twitter.com/inboxrevenge
However, the email accounts related to those blogs aren't monitored under normal circumstances.


 PostPosted: Sat Jan 02, 2010 11:39 pm   
Munging links:

Please remember that search engines and spambots crawl the forum. You don't want them collecting the email addresses of good people or the URLs of bad sites. You also don't want anyone accidentally clicking through to a site that could be dangerous. (Linking to good sites is okay and is encouraged, as antispammers need to support one another.)

For email addresses: Minimally, you can select the "@" sign and make it italic or bold or change the color, so the parsers looking for strings with "@" in the middle are confused. But I'm sure the spammers will figure that out, so it's a good idea to vary how you do it, change the color of part of the domain or username to black, etc. For example:
alphac[color=#000000]entauri@exam[/color]ple.com
will end up like this:
alphacentauri@example.com
You can read it, but email harvesting bots can't.

In order to munge URLs, any "http://" or any "www." must be broken up with formatting tags. For example:
....."http:[color=#000000]//[/color]example.com" becomes http://example.com
....."www[i].[/i]example.com" becomes www.example.com
On this forum, you can easily add tags by highlighting the character and clicking one of the buttons above the message window. In order to do colors, highlight the word, then choose the color from the spectrum on the right.


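The munging rules from the post above, applied automatically. This is an added example, not part of the original post and not a forum tool; the function names and the harvester patterns are assumptions chosen for illustration.

```python
import re

# Patterns approximating what an address/URL harvester scans raw page source for.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")
SCHEME_RE = re.compile(r"\b(https?|ftp):(//)", re.IGNORECASE)
WWW_RE = re.compile(r"\b(www)\.(?=[A-Za-z0-9-])", re.IGNORECASE)
# Tags used for munging; stripping them gives what a human sees rendered.
TAG_RE = re.compile(r"\[/?(?:color(?:=#[0-9A-Fa-f]{6})?|i|b)\]")


def _munge_email(match):
    user, domain = match.group(1), match.group(2)
    # Open the tag inside the user name and close it inside the first domain
    # label, so the tag pair straddles the "@" and no "name@host.tld" remains.
    u = max(1, len(user) // 2)
    d = max(1, (len(domain.split(".")[0]) + 1) // 2)
    return f"{user[:u]}[color=#000000]{user[u:]}@{domain[:d]}[/color]{domain[d:]}"


def munge(text):
    """Insert BBCode tags so addresses and links stay readable but unparseable."""
    text = EMAIL_RE.sub(_munge_email, text)
    text = SCHEME_RE.sub(r"\1:[color=#000000]\2[/color]", text)
    return WWW_RE.sub(r"\1[i].[/i]", text)


def is_harvestable(text):
    """True if the raw post source still contains an address or a live link."""
    return any(p.search(text) for p in (EMAIL_RE, SCHEME_RE, WWW_RE))


def render(text):
    """Strip the formatting tags: the text a reader sees."""
    return TAG_RE.sub("", text)


if __name__ == "__main__":
    # Constructed sample post text.
    post = "Report to abuse@example.net or see http://www.example.org/path"
    munged = munge(post)
    print(munged)
    print(is_harvestable(munged), render(munged) == post)
```
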
 PostPosted: Sun Jan 03, 2010 12:38 am   
Domains/Registrars/Nameservers - what is everyone talking about?

Spammers are criminals, but they rely on legitimate businesses to carry on their activities. One of the most important ways to fight spam is to notify those businesses when they are being abused by spammers.

One of those types of businesses is the "domain registrar." A "domain name" is a name like "example.com" that identifies a website. The actual computers where websites are located have numeric "IP addresses" like 127.0.0.1. Giving those websites domain names makes the internet much easier to use. But that means there have to be records and roadmaps on the internet, so that when you type "example.com" in your internet browser, the computer with that website can receive your request to view their webpage.

Someone who wants a website has to arrange to register a domain name with a registrar. The registrar then submits that domain name to a "registry," which governs the registration of all domain names for particular "TLD's" or "top level domains." TLD's you will be familiar with are ".com" and ".net," which are governed by ICANN and the InterNIC registry, but there are numerous other registries. A single registrar may register domain names with TLD's governed by several different registries, and a single registry will usually deal with multiple competing registrars. In addition, large registrars may work with "resellers," independent affiliates who bring in business for the registrar and who may do the direct customer support. Registrars must be "accredited" by the registry, and they are responsible for the actions of their resellers (who are not accredited directly).

As you will notice, the "top" level domain name is the one on the far right of the domain name in the "URL" (or "uniform resource locator"), just before the first single "/" mark. (The URL is the full address of the web page, like http://ksforum.inboxrevenge.com/index.php, and includes the domain name.) In addition to the domain name like "example.com," a domain may have "subdomains" on the left of the domain name, like "forum.example.com" or "www.example.com."

The person setting up the website also has to arrange for his site to be hosted by an internet service provider, which is basically someone with a computer who will allow other people to store their website files there. His domain name will have to be associated with the IP address of that ISP's computer. He can have his site hosted on several IP addresses and even several different ISP's at once, and he can have his subdomains hosted on different computers than the main domain.

How would anyone find his website with all that going on? The information is stored on a computer that acts as a "nameserver." The registrars keep track of which nameservers have information for which domains and submit that information to the registries. The nameservers themselves have to have domain names registered, but they don't have to have websites. Their IP addresses have the special name "glue records," to distinguish the fact that nameservers don't need other nameservers to store their IP addresses. A domain name can (and should) have several nameservers (in case one goes down, the others can allow people to visit the website). And a nameserver can keep records for thousands of domains. If all the nameservers for a domain fail to function, it is impossible to view that site.

When we report a spamvertised website, we frequently report them to registrars. We look at the URL to find the domain name. We read until we hit the first single "/" then work backward. So for this URL:

http://google.com.erklsetr.com/microsoft.html

the domain name is "erklsetr.com," not "google.com" nor "microsoft.html."

We can report that individual domain name, but often the spammers have dozens or hundreds or thousands of identical websites with different domain names. If we can get all the nameservers for those domains shut down, we can get all those spamvertised sites off line at once. The Complainterator tool (available at http://spamtrackers.eu/downloads/ ) will look up the registrar for the domain name and the nameservers' domain names and will compose reports to send to each of them.

The caveat is that you can't shut down a nameserver that serves good websites, only nameservers controlled by the criminals. How do you know the difference? Complainterator helps, because it will automatically suppress many of the nameservers controlled by registrars themselves. In addition, if you see a nameserver's domain name was registered years ago, it is more likely to be legitimate; in any case, you will have difficulty convincing a registrar to shut down a long term customer. Most spammers' domains are registered only a few days before they show up in spam, and those that aren't shut down are abandoned once spam filters add them to their definitions. Again, shutting down the nameserver can even shut down domains that have not yet been mailed in spam.


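The "read to the first single / then work backward" rule from the post above, as an added example that is not part of the original post and is not how Complainterator is implemented. It goes slightly beyond the post by also handling `user@host` prefixes, ports, and two-label suffixes such as `co.uk`; the suffix set is a small constructed subset standing in for the full Public Suffix List, and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed, tiny subset of multi-label public suffixes. Assumption: a real
# tool would load the complete Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def reportable_domain(url):
    """Return the registered domain name to look up and report for a URL."""
    if not _HAS_SCHEME.match(url):
        url = "http://" + url  # spam text often omits the scheme
    # hostname stops at the first single "/", drops user:pass@ and :port,
    # and lowercases the result.
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or ":" in host or all(l.isdigit() for l in labels):
        raise ValueError(f"no registered domain name in {url!r}")
    # Work backward from the right: suffix first, then one more label.
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        raise ValueError(f"{host!r} is a public suffix, not a registered name")
    return ".".join(labels[-(suffix_len + 1):])


def group_by_domain(urls):
    """Bucket spamvertised URLs by the domain each one really belongs to."""
    groups = defaultdict(list)
    for url in urls:
        try:
            groups[reportable_domain(url)].append(url)
        except ValueError:
            groups["(no domain)"].append(url)
    return dict(groups)


if __name__ == "__main__":
    sample = [  # first URL is the one from the post; the rest are constructed
        "http://google.com.erklsetr.com/microsoft.html",
        "http://www.example.com@shop.example.co.uk:8080/x",
        "ERKLSETR.com/offer?id=1",
        "http://127.0.0.1/a",
    ]
    for domain, urls in group_by_domain(sample).items():
        print(domain, urls)
```
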
 PostPosted: Sat Mar 03, 2012 1:14 am   
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
The tools for spam fighting are well documented. They target the owner of the IP address used for sending the spam, for hosting the spammed website, for name servers resolving access to the spammed website. They also target the registrar who has a service contract for the domain name of the web site, or the domain name of the name servers.

But there is another form of spam that is not covered by these actions. That is the spam that does not rely on a web site, but an exchange of emails between the perpetrator and the victim. These scams are often referred to as 419 or Nigerian scams. They all seek to separate the victims from their money by various forms of psychological trickery.

To combat these scams a different approach is required. The most effective approach is to educate users about these scams so they will not be easily taken in. A second approach is to terminate the email address before they can be involved in an ongoing email exchange, or before a fraud can be completed.
The typical fraudster uses free email service providers, and we have seen over 70% of frauds coming from just these three:
  • Microsoft
  • Yahoo!
  • Google
The rest are spread over hundreds of other providers, making it difficult to know where to send reports.

Microsoft allows reports to be sent via email to their abuse reporting address.
Both Yahoo! and Google refuse to accept scam abuse reports via email, and insist that they come from a web form.

Tools exist that make the reporting a whole lot easier.

One report generator is called ScamerAtor. It consists of one neat web page that you can load from your own machine. It contains information on where to report a scammer email address, and quick drop-down menus that will generate the report for you.

Another is called 419 Automated Reporter. Running under Windows with Firefox, it will work from a Gmail spam folder and run through each scam, identifying the category of scam from the context, and sending correctly formatted reports to any one of 600 email service providers, including the big 3 of course.

ScamerAtor and 419 Automated Reporter can both be found at http://spamtrackers.eu/downloads under the Spam Reporter section.

