NOTE: The opinions expressed on this page are those of the author and not of SpamCop. It is up to the reader to determine whether this information is useful or applicable to his own circumstances.
The topic of spam websites comes up very frequently in the SpamCop forums and elsewhere. Many people assume that spam mail and spam websites are all-of-a-piece and that the same techniques used for the one also apply to the other. However, dealing with spam websites represents a very different problem from that of simply tracing spam mail sources; even if the spammer doesn't try any tricks (like botnet proxying or redirection from shell websites), tracking down such websites can be more difficult and more plagued by ambiguity than finding the source of a spam mailing.
While SpamCop is primarily a service for identifying, reporting, and block-listing the sources of spam mail messages, it does also make some effort to trace and report websites linked from spam messages. Yet, this is not always an exhaustive effort, and many such sites go undetected and unnamed in the reports that SpamCop offers to file for you. This page will give you some idea what is involved in identifying and tracing website links in spam, and how you can do this yourself if you care to.
This is a summary page designed for the general reader; we'll be linking out to more detailed information where appropriate. This page assumes that you have some basic familiarity with the way the internet works: specifically, topics like HTTP, HTML, DNS, and WHOIS. You won't need to be an expert on these, but a bit of background will help you understand what's going on.
What is a 'spam website'?
It's well to start out by defining terms: a "spam website" (as we will use the term here) is a website that (1) is referenced by name (or by an actual HTML link) within a spam mailing, and (2) is used directly by the spammer to sell "spamvertised" goods and services, or to otherwise support the spam operation (such as by providing "list removal" services, or hosting images to be embedded in the spam message).
The latter point (that is, how the website is used) is an important one. As we will shortly see, spammers will sometimes add website links to their messages that have nothing to do with their spam, or they will maliciously include links to innocent websites that they wish to be tarred with the "spammer" brush (i.e., a "Joe job"). Also, some innocent website links may be added to an outgoing spam message by webmail services, anti-virus software, and the like, after the message has left the hands of the spammer. None of these really fit into our definition of "spam website." It is not appropriate to report these websites, because they had nothing to do with the spam.
Note that it isn't necessary that the spam website be run by the same parties who sent the mail. In fact, most spam is probably sent by "affiliates" to drum up business for website operators; the affiliates aren't associated with the webmasters except inasmuch as the webmasters may pay them bounties or commissions for the business they generate.
Similarly, it isn't required that the website's host machine be within the same IP address block or domain as the machine that sent the spam; few hardcore spammers will send their mailings from the domains or IP blocks where their websites are hosted, so you don't have to assume a particularly tight business or technical linkage between the spammer (who sent the mail) and the webmaster (who takes the money and -- possibly -- delivers the goods).
Why would you want to report a spam website?
As with any other internet resource used in spamming, you can report spam websites to the appropriate parties (mainly, the hosting providers) wherever you think they need to know about what is going on. For example:
The spammer may be violating his good-faith agreements with the providers he uses to run his website (these policies may prohibit promotion of hosted websites using unsolicited e-mail).
In other cases, the spammer may actually be stealing services (e.g., from hijacked home computers or zombies) to run his site, and thus represents an unauthorized (and nonpaying) user of these services.
The operator of the website may not have been responsible for sending the spam, but he may have allowed (or failed to prevent) the sending of spam on his behalf by others (i.e., the spammer is a "rogue affiliate" of the website).
The website may be (1) violating the laws of your country or locality (e.g., by offering drugs without prescriptions, or selling counterfeit luxury goods), (2) making criminally fraudulent claims about the goods or services it offers (e.g., advance-fee frauds or diploma mills), or (3) doing business in a patently illegal manner (e.g., by using the information you submit for identity-theft purposes, as the phishers do).
Even if a given spam website doesn't fall under any of the above examples, however, you are still entitled to report it if the website is directly associated with the spam mailing. (The latter is an important point, as we shall shortly discuss).
Isn't SpamCop supposed to find and report spam websites?
In theory, yes it is. In practice, however, SpamCop often fails to identify spam website links within a message; or, upon identifying them, SpamCop may fail to (or refuse to) trace them and prepare the necessary reports. As noted above, SpamCop's primary mission is to deal with spam mail sources, and SpamCop's proprietors have apparently made the decision to put dealing with websites at a lower priority; they generally will catch only the "low-hanging fruit" among these, leaving many sites undetected and unreported.
Many SpamCop users find this to be very frustrating, and feel that SpamCop is falling down on the job. There are, however, a few real-world factors that limit SpamCop's effectiveness in this area:
The job of tracing down spam websites takes a lot more computer and network resources than that of simply tracing mail sources. For example, getting the info required to report a spam mail source usually requires no more than a couple of quick WHOIS queries, but tracing a spam website usually requires an authoritative DNS lookup and one or more WHOIS lookups per website link at a minimum, and may also require some fairly fine "byte-twiddling" and deobfuscation operations as well (i.e., if the spammer has disguised the website link). These take valuable CPU time that other SpamCop users need in order to report their mail sources.
Many successful spammers have perfected ways to prevent SpamCop (and other well-known spam investigation outfits) from "fingering" their websites. They may use tricks to "move" their websites rapidly from one IP address to another, or they may protect them using redirection from other "dummy" sites. Any time spent by SpamCop on such links will likely not yield any useful results.
Even if SpamCop can easily find and trace a website link, it still has no way to know for sure that the link is actually implicated in the spamming; it requires some human judgment to determine whether a given website link should be included in a spam report (keep reading to find out why).
The latter point is worth some further emphasis: even if SpamCop presents you with one or more reports for websites found within a spam message, these aren't necessarily appropriate for you to file. You must always verify for yourself as best you can that a website-related report is accurate and correct before you allow SpamCop to send it (or before you send it on your own).
What kinds of spam websites can be reported?
In general, you can justifiably report a website linked or mentioned in a spam mailing if:
You have verified that it provides a sales outlet for the goods or services advertised in the spam (e.g., a website selling fake watches linked from a spam promoting fake watches), or
You have verified that it provides "list removal" services for the spammer (i.e., the spammer offers to remove you from his mailing list if you visit the linked website), or
You have verified that it provides some other sort of direct support to the spam operation.
What kinds of website links should NOT be reported?
If you find any kind of website link that doesn't fall strictly into one of the categories above, you should consider it very carefully before reporting it, since the chances are good that such a report would be wrongful and misdirected. For example:
Dead or unverifiable links. If you can't resolve a web server host, can't get it to serve you the page in question, or otherwise can't clearly determine whether it falls into one of the categories mentioned above, you should be very careful in reporting the website link. It may already have been dealt with, or it may be unrelated to the spam. (Note that many spam websites are supported by rather shaky DNS service, so they can and do periodically "disappear" from the net, only to return a short time later. Unless you are blessed with an abundance of free time, however, it might not be worth your while to see whether this will happen with any given site in which you are interested.)
Links placed by others. Some spammers (like the infamous advance-fee fraud artists) will use freemail services to send out their messages. Such services often affix links to themselves (or to paid advertisers) to the bottom of all outgoing messages. Likewise, some anti-virus programs or services also identify themselves (with web links) within the bodies of the messages they handle. These links are typically placed after the spam has left the hands of the spammer, and don't have anything to do with the spam operation; therefore, they should not be reported.
"Camouflage" links. Sometimes spammers include web links in their message merely to divert the attention of the spam investigator or to get him in trouble by filing false reports. Often, these links are designed to be invisible to the normal reader of the spam e-mail (e.g., by using HTML formatting tricks). If you peek at the HTML markup for the spam message and report such links without verifying them beforehand, you can wind up adding to the impression (much promoted by spammers) that people who oppose spam are indiscriminate cranks and kooks.
"Joe-job" links. Often, bad guys will send out bulk-mailings just to frame their enemies as spammers. They'll usually include a link to the victim's website in these mailings, and will often try to implicate these victims as flagrant criminals or fraudsters. This sort of thing is called a Joe job. Sometimes, if you visit a Joe-jobbed site, you may see a disclaimer regarding the spam sent in their name; other times you may not (because the firm may not want to add any more fuel to the fires of controversy, or give the impression that they are not in control of their corporate communications). You should nevertheless always do your best to verify that the website is indeed associated with the mailing before you report such a link. In general, the more flagrantly criminal the activity promoted by a spam mail, and the more identifying details included about the supposed "spammer," the greater is the likelihood that the spam is simply a Joe job.
"Further-reading" links. Spammers often try to beef up the credibility of their pitches by including links to well-known news services or the like; we might call these "further-reading" links. For instance, stock spammers sometimes "decorate" their mailings with links to honest investment information websites (like Yahoo Finance), or even to the websites of the companies whose shares they are promoting. Likewise, some advance-fee fraudsters will include links to articles on well-known news websites that "corroborate" their sob stories. Most of the time, such links are not associated directly with the spamming and should not be reported (in particular, you should realize that the companies named in stock spams usually had no hand in the spam sent to promote their shares, and are therefore fellow-victims of the spammer).
Embedded image links. Many URLs found in spam point not to websites (with order forms, etc.), but to image files (JPEGs, GIFs, PNGs, etc.) that the spammer wants to display in the spam (i.e., these links are usually part of HTML <IMG> tags rather than <A> tags). SpamCop does not track down or report <IMG> links to outside websites. You could make a case that the image hosting service is abetting the spam, but the connection may be a bit tenuous. Anyway, it is more productive to work on the actual sales website rather than on a simple image drop, since a "dangling" or unreferenced image link does no real harm by itself (i.e., a tree falling in the forest makes no noise if no one is there to hear it).
With the possible exception of dead or unverifiable links, and image drops, the types of links described above are not very common in spam. However, they do turn up sufficiently often that you need to be aware of them.
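The sorting described above can be started mechanically before the human judgment step: pull every link out of the spam's HTML, set aside the <IMG> sources (image drops, not reported), mark anchors hidden by HTML or CSS tricks as camouflage, and leave the visible anchors as candidates that still need verification. The script below is an added example, not SpamCop's code; the message body and every host name in it are constructed, and it also picks out the host part of a URL, which is what the later DNS step needs.

```python
"""Triage the links in a spam message's HTML body before anyone reports them.
Added example (not SpamCop's code); the sample message is constructed and none
of its hosts exist.  Visible anchors are only candidates: a human still has to
confirm they sell or support the spamvertised goods (the freemail footer link
below lands among the candidates precisely because code cannot tell)."""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed spam body: a visible sales link, two camouflaged links, a
# one-pixel tracking image and a freemail-style footer link.
SAMPLE_HTML = """\
<html><body>
<p>Genuine replica watches, <a href="http://fakewatchz.foo/sales/">order now</a>!</p>
<a href="http://innocent-bystander.example/" style="display:none">hidden</a>
<font size="0"><a href="http://joejob-victim.example/">x</a></font>
<img src="http://imgdrop.example/track.gif?id=abc123" width="1" height="1">
<hr><p>Sent via <a href="http://freemail.example/">Freemail</a></p>
</body></html>
"""

# Inline-style tricks that make an element invisible to the ordinary reader.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt)?\s*(?:;|$)",
    re.IGNORECASE,
)
# Elements that never get a closing tag, so they must not touch the stack.
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "area"}


class LinkTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # > 0 while inside an element that hides its content
        self.stack = []         # per open element: did it add to hidden_depth?
        self.anchors = []       # (href, was_hidden) for every <a href>
        self.images = []        # <img src> URLs: image drops, not reported

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in VOID_TAGS:
            if tag == "img" and a.get("src"):
                self.images.append(a["src"])
            return
        hides = bool(HIDDEN_STYLE.search(a.get("style") or "")) or (
            tag == "font" and (a.get("size") or "").strip() == "0")
        self.stack.append(hides)
        if hides:
            self.hidden_depth += 1
        if tag == "a" and a.get("href"):
            self.anchors.append((a["href"], self.hidden_depth > 0))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.stack and self.stack.pop():
            self.hidden_depth -= 1


def triage_links(html_body):
    """Split a message's links into candidates, camouflage and image drops."""
    parser = LinkTriage()
    parser.feed(html_body)
    parser.close()
    return {
        "candidates": [u for u, hidden in parser.anchors if not hidden],
        "camouflage": [u for u, hidden in parser.anchors if hidden],
        "image_drops": parser.images,
    }


def lookup_target(url):
    """Return (host, is_ip_literal); an IP literal needs no DNS lookup at all."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return host, True
    except ValueError:
        return host, False


if __name__ == "__main__":
    result = triage_links(SAMPLE_HTML)
    for kind, urls in result.items():
        print(kind, urls)
    for url in result["candidates"]:
        print("resolve:", lookup_target(url))
```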
Can you safely report websites that SpamCop has found in a spam message?
Yes, but only if you are certain that they are connected with the spam. The fact that SpamCop has identified a link, and offered to report on it, does not relieve you of the responsibility of verifying it for reportability (in the manner described above). While SpamCop may be able to decode and trace a web URL, it cannot figure out whether the URL has anything to do with the spam (as opposed to simply having appeared in the spam); as yet, this job still requires a human being (that is, you). And so, you still need to do your homework (though it isn't very hard in most cases). If you know that a particular web link is not implicated in the spam, or if you aren't sure, it is easy enough to clear the appropriate checkbox on the SpamCop VER form to stop this particular report from being sent.
Why does SpamCop say, "ISP does not wish to receive reports"?
Upon reporting a "web-enabled" spam via SpamCop, you may sometimes find that the technical details of the website link analysis show something like "ISP does not wish to receive reports regarding [some URL]." This means that the ISP in question has been labeled by SpamCop as an "Innocent Bystander" or "IB", and SpamCop will refuse to send any more reports on the site to this ISP (see the Wiki entry for InnocentBystander). Usually, this happens because an administrator from the ISP has requested SpamCop to stop sending reports on the site in question, and has (we hope) provided some sort of plausible explanation as to why they cannot be held responsible for the site.
Most often, the IB is responsible for a link of one of the "unreportable" types listed above (a "further-reading" link, a "Joe-job" link, etc.). On rare occasions, a provider may deceptively or mistakenly claim to be an innocent bystander when in fact he is not. For this reason, SpamCop usually gives you the option to "appeal" the IB status. To do so, you must click the appropriate reporting box on the VER form, and you are also expected to fill in the "Notes" box for this report with your reasons for wanting to override the IB status (e.g., "website drugqueenz.foo is selling Rx drugs and is still online at the time of this report"). A SpamCop administrator will review your appeal and take appropriate action.
Needless to say, perhaps, you don't want to appeal an IB listing without good reason. It is up to you to provide evidence (in the "Notes" field) to show why the site in question is directly related to the spam, and why the provider involved should have his feet held to the fire.
Despite its name, SpamCop is not a police agency; its reports are sent not as demands or orders, but simply as advice. Most reputable internet providers willingly accept SpamCop reports and will act on them wherever they can. There are many others, however, who do not wish to receive SpamCop reports, and it is their perfect right to request SpamCop not to send them. For this reason, many spam website reports you try to make via SpamCop will never go through, no matter how many times you try to send them. If you want to report such sites, you will have to do so on your own, as described below.
What if SpamCop doesn't offer to send a report on a website?
If, as frequently happens, SpamCop can't or won't prepare a report for a website mentioned in spam you have submitted, you have the option of sending this report yourself. There are two ways to send such reports (which we will get to shortly), but both require that you collect some basic information about the website. Specifically, you will have to do the following grunt work:
Verify that the website is reportable (i.e., it is directly related to the spam).
Find the IP address(es) to which the spam website host resolves.
Find the internet provider(s) (listed by WHOIS) responsible for the address(es) you found in #2, and collect appropriate e-mail contact addresses from the WHOIS output.
None of this is particularly difficult to do after a bit of training and practice. Generally, once you know how to find such information, you should have no trouble finding it for any given website. If you can't find it, however, you probably should not (and maybe cannot) report the website.
Another very common reason why SpamCop won't offer to report a website, even where it has successfully found the link, is simply that it may be busy — possibly having just reported the same link seconds ago for some other user. You can give SpamCop a "nudge" by waiting for a few seconds and then refreshing the reporting page (holding down the "shift" key and clicking on the reload button will work on most browsers), after which you may find that a report for the link will appear.
(1) How do you verify that a website is directly related to the spam?
Generally, this requires that you connect to the website and evaluate what you see using your own human judgment, and the descriptions of reportable and unreportable sites listed above.
This step can be a bit dangerous, since many spam website links may be designed to transmit your address back to the spammer (so that he knows that you are reading his mail), or may even compromise the security of your computer via upload or injection of malicious code. There are ways to increase your safety or comfort level in performing such checks, although these may affect the results of your investigation. However, if this concerns you, you may wish to stick with reporting only those websites that SpamCop has managed to trace.
(2) How do you find the IP address(es) of the website host?
If the website is called out with a specific IP address (e.g., http://192.168.15.20/watchz.php), then you are all set; just snag the IP address from the URL (192.168.15.20 in this example) and carry on to the next step.
You're seldom going to be this lucky, however. For a variety of reasons (not least of which is the easy availability of no-questions-asked-now-or-later domain registration from complaisant or corrupt registrars), most spammers now use internet domain names for their websites (e.g., http://fakewatchz.foo/sales/). Also, the use of domain names rather than bare IP addresses allows spammers to evade tracing and detection by employing various DNS-related tricks. And so, almost all spam websites will require a bit more work on your part to uncover their addresses.
This step requires you to perform a "manual" DNS lookup on the host name or domain name of the spam website (e.g., fakewatchz.foo in the example above), using common network tools like nslookup, dig, or host.
NOTE: You may find, on trying to resolve a website URL, that it appears to "live" at a large number of distinct IP addresses (as many as 20 or more). If you know how to use the dig command, you may also find that the time-to-live (TTL) of these addresses is very short (as little as a couple of minutes). In such cases, you are likely dealing with a botnet-hosted website of the sort used by the most accomplished spammers. As a practical matter, it may not be the best use of your time to report any of these addresses, since they are likely to have "disappeared" by the time the abuse desk gets around to looking into them.
(3) How do you find the providers for the addresses from #2 above?
You can find out information about any IP address in use on the public internet by consulting the WHOIS service. This service will identify the name of the provider, along with postal addresses, telephone and fax numbers, and contact e-mail addresses for various issues (including abuse).
In all but a very few cases, the provider turned up by WHOIS will be just that: a provider. This provider will NOT be the party directly responsible for the spam (i.e., they are not the spammers); however, providers do bear responsibility for the misuse of their resources by their customers or by unauthorized parties. We do not expect spammers to treat abuse reports with any sort of respect; however, we do expect these reports to be read and acted upon by the providers (since the providers have an obvious interest in minimizing the abuse of their services).
In many cases, the provider will publish a specific contact address for abuse; if you can't find one, you can use any other WHOIS-listed contact that seems appropriate (e.g., "support@" or "admin@"). Do not use "Changed-By" addresses, or addresses that point to a regional internet registry (e.g., ARIN, APNIC, RIPE, etc.), as these generally cannot help with abuse problems.
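Steps (2) and (3) together, as an added example rather than anything SpamCop provides: the script parses the answer section of a manual dig lookup, applies the many-addresses / short-TTL test for botnet hosting described in the note above, and picks abuse contacts out of WHOIS output while skipping "changed-by" lines and registry addresses. The host, the addresses and the WHOIS record are constructed; the thresholds for "many" and "short" are this example's own assumptions.

```python
"""Support for steps (2) and (3): parse dig's answer section, flag the
many-addresses / short-TTL pattern the page associates with botnet-hosted
sites, and choose abuse contacts from WHOIS output.  Added example, not a
SpamCop tool; the host, addresses (RFC 5737 test ranges) and WHOIS record
below are constructed, and example-hosting.invalid is a placeholder."""
import re
from ipaddress import ip_address

# Constructed answer section, as "dig fakewatchz.foo A" would print it.
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
fakewatchz.foo.\t\t120\tIN\tA\t192.0.2.10
fakewatchz.foo.\t\t120\tIN\tA\t198.51.100.77
fakewatchz.foo.\t\t120\tIN\tA\t203.0.113.5
fakewatchz.foo.\t\t120\tIN\tA\t192.0.2.200
fakewatchz.foo.\t\t120\tIN\tA\t198.51.100.9
fakewatchz.foo.\t\t120\tIN\tA\t203.0.113.130
"""

# Constructed RIPE-style WHOIS record for the first address above.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-HOSTING-NET
descr:          Example Hosting Ltd (constructed record)
country:        XX
admin-c:        EH1-TEST
tech-c:         EH1-TEST
abuse-mailbox:  abuse@example-hosting.invalid
e-mail:         noc@example-hosting.invalid
changed:        hostmaster@ripe.net 20070101
source:         TEST
"""

# Thresholds are this example's assumption; the page only says "20 or more"
# addresses and TTLs of "a couple of minutes" are typical of botnet hosting.
SHORT_TTL_SECONDS = 300
MANY_ADDRESSES = 5

# Regional internet registries cannot help with abuse problems.
RIR_DOMAINS = ("arin.net", "apnic.net", "ripe.net", "lacnic.net", "afrinic.net")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_dig_answer(text):
    """Return (name, ttl, type, rdata) tuples from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, ";;" comments and anything not a 5-field IN record.
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        records.append((parts[0].rstrip("."), int(parts[1]), parts[3], " ".join(parts[4:])))
    return records


def assess_hosting(records, max_ttl=SHORT_TTL_SECONDS, min_addresses=MANY_ADDRESSES):
    """Collect the A-record addresses to report and flag the botnet pattern."""
    a_records = [r for r in records if r[2] == "A"]
    addresses = sorted({r[3] for r in a_records}, key=ip_address)
    min_ttl = min((r[1] for r in a_records), default=None)
    flagged = len(addresses) >= min_addresses and min_ttl <= max_ttl
    return {"addresses": addresses, "min_ttl": min_ttl, "likely_botnet_hosted": flagged}


def netblock(whois_text):
    """The range identifier worth quoting in a report (inetnum/NetRange/CIDR)."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("inetnum", "netrange", "cidr"):
            return value.strip()
    return None


def pick_abuse_contacts(whois_text, limit=4):
    """Prefer abuse mailboxes, fall back to other listed contacts, and never
    use changed-by or RIR addresses.  The cap of four follows SpamCop's form."""
    preferred, fallback = [], []
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in ("changed", "changed-by"):
            continue
        for addr in EMAIL_RE.findall(value):
            if addr.rsplit("@", 1)[1].lower().endswith(RIR_DOMAINS):
                continue
            bucket = preferred if "abuse" in key or addr.lower().startswith("abuse@") else fallback
            if addr not in bucket:
                bucket.append(addr)
    return (preferred + [a for a in fallback if a not in preferred])[:limit]


if __name__ == "__main__":
    print(assess_hosting(parse_dig_answer(SAMPLE_DIG_ANSWER)))
    print(netblock(SAMPLE_WHOIS), pick_abuse_contacts(SAMPLE_WHOIS))
```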
Before we move on to look at how to file spam website reports, let's take a quick look at a couple of issues that sometimes come up in the process.
What if your reports would go to the spammers themselves?
There's a small but non-negligible chance that your report could wind up going to the spammer himself, and this is a circumstance that bears some consideration.
Most spam webmasters are "downstream" internet users who do not have direct control over their IP address allocations. In such cases, you are usually safe in reporting the abuse to the providers that do control these addresses. For example, some spam websites may be hosted with an internet service that does business with lots of other people (most of them not spammers). More often these days, the spammers are actually making unauthorized and unpaid use of the services of others -- for example, via botnets (which they use to host their websites, or more likely to provide a "portal" or "proxy" for their real websites, which are hidden from our view). In either case, the provider that controls the IP address block where the website resides is a legitimate target for a spam report.
Sometimes, however, spammers can actually get control of their own blocks of IP addresses such that they show up in WHOIS as the owners of these blocks. If you file reports to any of the e-mail addresses that they provide, you are in effect communicating directly with the spammer, which is something you generally do not want to do (most of all because it won't do you any good).
There's no simple "acid test" that enables you to tell absolutely when you would be reporting directly to the spammer, but you can apply some human judgment to the information you collect about the addresses involved in spam. If you think that the spammer owns the IP block in question, you may be better off reporting to the provider that sold (and allocated) the block to the spammer; this provider is often called an "upstream provider."
Finding upstream providers takes a bit of guesswork, using tools like WHOIS and traceroute. It can be a bit tricky to do, but fortunately it is not required very often (since few spammers enjoy the luxury of their own IP blocks).
Can you report spam websites to domain registrars?
Under certain conditions, it may be useful to report spam websites to the domain registrars who sold the domain names they use. This takes extra work, and so should be reserved for cases where it can do some good.
A "domain registrar" is an ICANN-accredited business that sells people the rights to use particular domain names on the internet. Even the skankiest of spammers must go through the standard ICANN domain registration process in order to set up their named websites, since they otherwise won't get their domains into the DNS and won't be able to use them. As part of the domain registration process, the owners of these domains are required to submit "...accurate and reliable" contact information about themselves (names, phone numbers, e-mail addresses, and the like) for inclusion in the domain-WHOIS database; this database can be queried by anyone who needs to find out about the domain (for instance, in order to file an abuse report).
It can be tempting to report spam websites to the domain registrars that sold their domains. After all, the domain registrar can kill a spam website deader than Vaudeville by simply removing it from DNS (by suspending the domain, or "null-routing" it to an address or name server that cannot be reached). As a practical matter, however, reporting to domain registrars is an iffy proposition. SpamCop does not make any effort to investigate spam domain registrations, so you are very much on your own here.
Registrars aren't required to take action in the case of simple spamming (and only a few of them take on this responsibility voluntarily). Unless you find that the registrar for a spam domain has an anti-spam policy for its products, then, you won't get anywhere with the registrar simply by crying "spam!" You may have solid grounds for a report, however, if any of the following are true:
The registrant data for the domain is demonstrably bogus (e.g., telephone numbers or addresses don't exist, contact e-mail addresses are undeliverable).
The registrant is using a proxy registration service to "cloak" his personal info in the domain-WHOIS database, and the proxy service he uses has a no-spam policy.
The website is engaged in patently criminal activity (fraud, child pornography, or the like) that goes above and beyond simple spamming.
Generally, at least one of these will be true for the typical hardcore spam domain.
These days, there are many complaisant or corrupt domain registrars who cater to the spammer trade by allowing spammers to register in bulk for hundreds of domain names at a time; these registrars knowingly accept false registrant data, which, together with their spam-friendly business model, makes it rather unlikely that a spam report to them will do any good. It is up to ICANN to police their agreements with such registrars, but ICANN is not often proactive in doing so.
Okay, now that you have all of this information, what do you do with it?
Having gathered the above info on a spam website, you now have two choices:
Adding the website info to a standard SpamCop VER report as a User Notification Report (if this feature is available to you).
Composing and sending your own report, outside of SpamCop.
Adding website information to standard SpamCop VER reports
If SpamCop fails to offer to report a website mentioned in a spam mailing, you may be able to add such a report yourself as a so-called User Notification Report, which will be filed along with any other reports identified in the SpamCop VER form. These are not available to all SpamCop users, and they should be used with the greatest care (see the SpamCop FAQ at http://mailsc.spamcop.net/fom-serve/cache/126.html for particulars). You must be very careful with User Notification Reports; you do not want to use them for randomly slagging away at innocent websites, lest you dilute the accuracy and effectiveness of SpamCop reporting (and endanger your own access to your SpamCop account).
We will assume here that you have used the techniques above to find (1) the IP address to which a website URL resolves, and (2) an abuse-reporting contact for the owner of the address. We'll also assume that you have verified that the website is, in fact, reportable. To create a User Notification Report from this info, parse the spam through the VER web interface as normal, and then do the following:
Enter the website host (by name) or URL, along with the IP address you found for it, into the "Comments for: User Notification" field at the bottom of the main SpamCop report page. You might also like to include the identifier of the netblock that contains the address, if you have it handy (hint: you will find it in the WHOIS output), just to prove that you are doing your due diligence. Here's a fictitious and non-functional example:
Comments for: User Notification
Enter the abuse contact e-mail address(es) (up to four of them, according to the SpamCop instructions) for the IP address into the "Re: User Notification" field below the other addresses in the middle of the main SpamCop report page. For example:
Re: User Notification
(Notes) To:
(Note: the checkbox above will automatically be checked if you enter an address into a genuine SpamCop VER form).
When you press the reporting button, copies of the report will generally be sent to each of the addresses you specified above. Sometimes, however, SpamCop may refuse to send reports to a particular address if it has determined that the address does not work, or is inappropriate (or has declined to receive SpamCop reports). If you still want to send these reports, you will have to do so outside SpamCop.
How do you compose and send a spam website report without using SpamCop?
If you can't file User Notification Reports, or would prefer not to do so, you can prepare your own reports and send them via your own e-mail resources. Each such report should include the following:
What you are reporting (that is, a website or domain name used by a spammer),
What leads you to believe that the report recipients are responsible, for example:
You resolved the web host (for a website report) to an address in the hosting provider's block.
You determined (for a domain-registrar report) that the recipient sold the domain name used in the spam.
What you want done about the problem.
In the case of a spam website, to investigate and close down the website.
In the case of a domain name used by spammers, to suspend or "null-route" the domain (i.e., to point it to a non-existent portion of the internet, so that it becomes useless).
The "raw" e-mail packet for the spam, including the full headers.
Any other pertinent information (for example, your analysis of bogus registrant info provided for a spam domain).
You don't need to include a lot of extra narrative, rants, whines, or personal stories in these reports; keep things short and to the point. Also, try to be polite, as you are more likely to get a favorable result if you can refrain from abusing the people whom you're trying to get to help you. Finally, you don't need to include screen shots, traceroute outputs, WHOIS printouts, outside web links, or other materials that aren't pertinent or that the abuse staffers can find for themselves.
(NOTE: You can, if you wish, point to sections of the provider's policies that prohibit the behavior you are reporting.)
You'll get better results with these reports if you force your mail program to a text-only format (that is, don't put in colorful fonts and pictures of flowers or cartoon characters).
Generally, you will always want to provide a complete copy of the spam message in the report, including the full headers. This should be pasted directly into the message body (below your comments) as raw ASCII text (without added "quoting" marks, or decoration via HTML etc.).
If you make the message a MIME attachment (rather than simply pasting it inline within the body), some abuse desks may refuse to read it, or may reject your report.
Likewise, if the mail packet is very lengthy (which might happen for a spam containing a large image attachment), your report may be rejected by the abuse desk; if necessary, you can shorten it by removing material that doesn't bear on the issue at hand, but you should always describe any edits you have made (for example, "I removed most of an embedded image MIME attachment").
If you delete or munge (modify) other portions of the message, such as e-mail addresses or selected header lines, you may obliterate information that the abuse department people need to see. They may regard this as grounds to ignore your report. If you do not feel comfortable sending the unedited mail to the recipient, you should consider simply not sending the report.
Be aware that your outgoing report might be tagged as spam, either by the recipient's mail service or (in rare cases) by your own, simply because it contains the text of a spam message. If you want to get around this, you'll either have to find another reporting address for the target, or report your spam from a less-restricted e-mail service.
Do not expect to get a personal reply to your message; at best, you may get a pro-forma response from an "autoresponder" robot indicating that your report has been received (such notes may include a "ticket number" that might be of use in future correspondence). The lack of a reply doesn't mean that nothing will be done with your report; if you are curious, you can earmark the offending websites and check later on to see whether they have been dealt with.