Tracking down spam websites for reporting
NOTE: I am not affiliated with
SpamCop in any way except as a user and paid customer. The remarks on this page reflect my own opinions, and not those of
SpamCop's owners or staff.
The topic of
spam websites comes up very frequently in the
SpamCop forums and elsewhere. While SpamCop is primarily a service for identifying, reporting, and block-listing the
sources of spam mail messages, it does also make some effort to trace and report websites linked from spam messages. Yet, this is apparently not an exhaustive effort. This page will give you some idea what is involved in identifying and tracing website links in spam, and how you can do this yourself if you care to.
This is a summary page designed for the general reader; I'll be linking out to more detailed information where appropriate. I am assuming that you have some basic familiarity with the way the internet works: specifically, topics like
HTTP,
HTML,
DNS, and
whois. You won't need to be an expert on these (I'm not), but a bit of background will help you understand what's going on.
What is a 'spam website?'
It's well to start out by defining terms: a "spam website" (as I use the term here) is a website that (1) is referenced by name (or by an actual HTML link) within a spam mailing, and (2) is
used directly by the spammer to sell spamvertized goods and services, or to otherwise support the spam operation (such as by providing "list removal" services, or hosting images to be embedded in the spam message).
The latter point is important. As we will see, spammers will sometimes add website links to their messages that have nothing to do with their spam, or they will maliciously include links to innocent websites that they wish to be tarred with the "spammer" brush (i.e., a
"Joe job"). Also, some innocent website links may be added to an outgoing spam message by webmail services, anti-virus software, and the like, after the message has left the hands of the spammer. None of these really fit into my definition of "spam website."
Note that it isn't necessary that the spam website be run by the same parties who sent the mail. In fact, I suspect that most spam is sent by "affiliates" to drum up business for website operators; the affiliates aren't associated with the webmasters except that they may be paid bounties or commissions by the webmasters for the business they generate.
Also, it isn't required that the website's host machine be within the same IP address block or domain as the machine that sent the spam; few hardcore spammers will send their mailings from the domains or IP blocks where their websites are hosted, so you don't have to assume a particularly tight business or technical linkage between the spammer (who sent the mail) and the webmaster (who takes the money and -- possibly -- delivers the goods).
Next, let's deal with the
very-frequently-asked question:
Isn't SpamCop supposed to find spam websites and prepare reports about them?
In theory, yes it is. In practice, however, SpamCop often fails to identify spam website links; or, upon identifying them, SpamCop may fail to (or refuse to) trace them and prepare the necessary reports. As I noted above, SpamCop's primary mission is to deal with spam mail sources, and SpamCop's proprietors have apparently made the decision to put dealing with websites at a lower priority; they generally will catch only the "low-hanging fruit," leaving many sites undetected and unreported.
This is very frustrating for many SpamCop users, who feel that SpamCop is falling down on the job. There are, however, a few factors that limit SpamCop's effectiveness in this area:
- The job of tracing down spam websites takes a lot more computer and network resources than simple mail source tracing. For example, getting the info required to report a spam mail source usually requires no more than a couple of quick whois lookups per spam, but tracing a spam website usually requires an authoritative DNS lookup and one or more whois lookups per website link at a minimum, and may also require some fairly fine "byte-twiddling" and deobfuscation operations as well (IP addresses written as a single decimal number or in hex, for instance). These take valuable CPU time that other SpamCop users need in order to report their mail sources.
- Many successful spammers have perfected ways to prevent SpamCop (and other well-known spam investigation outfits) from "fingering" their websites, so that any time spent by SpamCop on such links will not yield any useful results.
- Even if SpamCop can easily find and trace a website link, it still has no way to know for sure that the link is actually implicated in the spamming; it requires some human judgment to determine whether a given website link should be included in a spam report (keep reading to find out why).
The latter point is worth some further emphasis: even if SpamCop presents you with one or more reports for websites found within a spam message, these aren't necessarily "correct" for you to file. You must always
verify for yourself that a website-related report is accurate and correct before you allow SpamCop to send it (or before you send it on your own).
Can I report these websites myself if SpamCop doesn't trace them?
Yes, you can. As with any other resource involved in spamming, you can report spam websites to the appropriate parties (mainly, the hosting providers) wherever you think they need to know about what is going on. For example:
- Often, the spammer may be violating his agreements with the providers he uses to run the websites (which may prohibit promotion of hosted websites using unsolicited e-mail).
- In other cases, he may actually be stealing services (e.g., from hijacked home computers) to run those sites, and thus represents an unauthorized (and unpaid) user of the services.
- The operator of the website may not have been responsible for sending the spam, but he may have allowed (or failed to prevent) the sending of spam on his behalf by others (i.e., the spammer is a "rogue affiliate" of the website).
- The website may be (1) violating the laws of your country or locality (e.g., by offering drugs without prescription), (2) making criminally fraudulent claims about the goods or services it offers (e.g., "diploma mills"), or (3) doing business in a patently illegal manner (e.g., by using the information you submit for identity-theft purposes).
Even if a given spam website doesn't fall under any of the above examples, however, you are still entitled to report it
if the website is directly associated with the spam mailing. (The latter is an important point, as we shall shortly discuss).
If you find that SpamCop isn't preparing reports for websites linked from your spam, you are free to create these reports yourself, and then send them either in separate mail or (with some care) as part of the standard
SpamCop report.
What kinds of website links can be reported?
In general, you can justifiably report a website link included in a spam mailing if:
- You have verified that it provides a sales outlet for the goods or services advertised in the spam (e.g., a website selling fake watches linked from a spam promoting fake watches).
- You have verified that it provides "list removal" services for the spammer (i.e., the spammer offers to remove you from his mailing list if you visit the linked website).
- You have verified that it provides some other sort of direct support to the spam operation.
What kinds of website links should NOT be reported?
If you find any kind of website link that doesn't fall strictly into one of the categories above, you should consider it very carefully before reporting it, since the chances are good that such a report would be wrongful and misdirected. For example:
- Unverifiable links. If you can't resolve a web server host, can't get it to serve you the page in question, or otherwise can't clearly determine whether it falls into one of the categories mentioned above, you should be very careful in reporting the website link. It may already have been dealt with, or it may be unrelated to the spam.
- Links placed by others. Some spammers (like the infamous advance-fee fraud artists) will use free webmail services to send out their messages. Such services often affix links to themselves to the bottom of all outgoing messages. These links don't have anything to do directly with the spam, and so should not be reported.
- "Camouflage" links. Sometimes spammers include web links in their message merely to divert the attention of the spam investigator or to get him in trouble by filing false reports. Often, these links are designed to be invisible to the normal reader of the spam e-mail (e.g., by using HTML formatting tricks). If you peek at the HTML markup for the spam message and report such links without verifying them beforehand, you can get in trouble.
- "Joe-job" links. In rare cases, bad guys will send out bulk-mailings to implicate their enemies as spammers. They'll usually include a link to the victim's website in these mailings, and will often try to position these victims as flagrant criminals or fraudsters. This sort of thing is called a "Joe-Job" (see the Wiki entry for JoeJob). You should always do your best to verify that the website is indeed associated with the mailing before you report such links.
- "Further-reading" links. Stock spammers used to decorate their mailings with links to investment information websites (like Yahoo! Finance), or even to the websites of the companies whose shares they were promoting. Most of the time, these links are not associated directly with the spamming and should not be reported (in particular, you should realize that the companies named in stock spams often have nothing to do with the spam mailings, and are therefore fellow-victims of the spammer).
- Embedded image links. Many URLs found in spam point not to websites (with order forms, etc.), but to image files (JPEGs, GIFs, PNGs, etc.) that the spammer wants to embed in the spam (i.e., these links are usually part of <IMG> tags rather than <A> tags). SpamCop does not track down or report IMG links to outside websites. Personally, I don't do this either. You could make a case that the image hosting service is abetting the spam, but the connection is a bit too tenuous for me. Anyway, it is more productive to work on the actual website rather than on a simple image drop, since the image link does no real harm by itself.
I should note here that most of the types of website links given above don't occur very frequently in spam these days (the embedded-image and unverifiable links being possible exceptions); however, they do turn up sufficiently often that you need to be aware of them.
Why do I see 'ISP does not wish to receive reports?'
Upon reporting a "web-enabled" spam via SpamCop, you may sometimes find that the technical details of the website link analysis show something like
"ISP does not wish to receive reports regarding [x]." This means that the ISP in question has been labeled by SpamCop as an "Innocent Bystander" or "IB", and SpamCop will refuse to send any more reports on the site to this ISP (see the Wiki entry for
InnocentBystander). Usually, this happens because an administrator from the ISP has requested SpamCop to stop sending reports on the site in question, and has (we hope) provided some sort of plausible explanation as to why they cannot be held responsible for the site.
Most often, the IB is responsible for a link of one of the types listed above (a "further-reading" link, a "Joe-job" link, etc.). On rare occasions, a provider may falsely or mistakenly claim to SpamCop to be an innocent bystander when in fact he is not. For this reason, SpamCop usually gives you the option to "appeal" the IB status. To do so, you must click the appropriate reporting box, and you are also expected to fill in the "Notes" box for this report with your reasons for wanting to override the IB status (e.g.,
"website drugqueenz.foo is selling Rx drugs and is still online at the time of this report"). A SpamCop administrator will review your appeal and take appropriate action.
Needless to say, perhaps, you don't want to appeal an IB listing without good reason. It is up to you to provide evidence (in the "Notes" field) to show why the site in question is directly related to the spam, and why the provider involved should be required to take action to close it.
What information do I need in order to report a website link?
At a minimum, you will have to do the following grunt work (the numbers match the sections that follow):
(1) Verify that the website is reportable (i.e., it is directly related to the spam).
(2) Find the IP address(es) to which the spam website host resolves.
(3) Find the internet provider(s) (listed by whois) responsible for the address(es) you found in #2.
(4) Find (from whois or elsewhere) the abuse contact addresses (e.g., "abuse@" e-mail addresses) for the providers in #3.
None of these are particularly difficult to do after a bit of training and practice. Generally, once you know how to find such information, you should have no trouble finding it for any given website. If you can't find it, however, you probably should not (and maybe cannot) report the website.
(1) How do I verify that a website is directly related to the spam?
Generally, this requires that you connect to the website and evaluate what you see using your own human judgment.
This step can be a bit dangerous: many spam website links are designed to transmit your address back to the spammer (the URL often carries a per-recipient token, so merely fetching it confirms that your address is live and that the mail was read), and the site may try to compromise the security of your computer via download of malicious code. There are ways to increase your safety or comfort level in performing such checks (fetch the page from a throwaway virtual machine or with a command-line client that runs no scripts, and never by clicking through from your mail client), although they may affect the results of your investigation, since some spam sites serve different content depending on the browser, address, or token they see.
Read my page on
verifying the reportability of websites for some tips.
(2) How do I find the IP address(es) of the website host?
If the website is called out with a specific IP address (e.g.,
http://192.168.15.20/watchz.php, where 192.168.15.20 is a private address used here purely for illustration), then you are all set; just snag the IP address from the URL (
192.168.15.20 in this example) and carry on to the next step.
You're seldom going to be this lucky, however. For a variety of reasons (not least of which is the easy availability of no-questions-asked-now-or-later domain registration from complaisant registrars), most spammers now use internet domain names for their websites (e.g.,
http://fakewatchz.foo/sales/). Thus, almost all spam websites will require a bit more work on your part to uncover their addresses.
This step requires you to perform a "manual" DNS lookup on the host name or domain name of the spam website (e.g.,
fakewatchz.foo in the example above), for instance with dig or nslookup. Bear in mind that a name may resolve to several addresses, and that the answer can change from one lookup to the next if the spammer rotates hosts; asking the domain's own name servers (rather than your ISP's caching resolver) gets you the current, authoritative answer, and you should note what you saw and when. Read my page on
finding spam website addresses for some further information.
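To make the link-sorting rules above and the address-finding step concrete, here is an added example written for this page (it is not SpamCop's code, nor anything from the author's linked pages). It pulls the links out of a constructed spam message, keeps A links apart from IMG links, flags anchors with no visible text (the usual camouflage trick), and turns the host of each URL into either a canonical IP address or a hostname, handling the "byte-twiddled" IP spellings (one big decimal number, hex, octal, fewer than four parts) that browsers accept. The sample message, the domain names and the function names are all invented; resolve() performs a live lookup and is only there to show where step (2) continues.

```python
"""Extract the web links from a spam message and work out the host behind each
one.  Added example for this page, not SpamCop's code.  The sample message is
constructed; the .foo/.test names are placeholders, as elsewhere on the page."""
import ipaddress
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an order link, an empty (camouflaged) anchor whose host is
# an IP literal written as one decimal integer, a "list removal" link, an
# embedded image, and a footer link added by the sending webmail service.
SAMPLE_HTML = """<html><body>
<p>Genuine replica watches! <a href="http://fakewatchz.foo/sales/">Order now</a></p>
<p><a href="http://3232239380/watchz.php"></a></p>
<p><a href="http://removeme.foo/unsub?id=RECIPIENT">remove me</a></p>
<p><img src="http://imgdrop.test/w/banner.gif"></p>
<hr><a href="http://mail.webmail.test/signup">Get your free account</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Keep <a href> targets (with their visible text) apart from <img src>."""

    def __init__(self):
        super().__init__()
        self.anchors, self.images = [], []   # (href, text) pairs; src strings
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _octet(part):
    """Parse one dotted part as inet_aton does: 0x hex, leading-0 octal, else
    decimal.  Raises ValueError for anything that is not a number."""
    if not re.fullmatch(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*", part):
        raise ValueError(part)
    base = 16 if part.startswith("0x") else 8 if len(part) > 1 and part[0] == "0" else 10
    return int(part, base)


def normalise_host(host):
    """('ip', canonical address) for an IP literal in any spelling browsers accept
    (dotted quad, one big integer, hex, octal, fewer than four parts); otherwise
    ('name', lower-cased hostname without trailing dot)."""
    h = host.strip().strip("[]").lower()
    try:
        return "ip", str(ipaddress.ip_address(h))     # plain dotted quad or IPv6
    except ValueError:
        pass
    parts = h.split(".")
    try:
        nums = [_octet(p) for p in parts] if len(parts) <= 4 else None
    except ValueError:
        nums = None                                   # not numeric: a real name
    if nums is not None:
        *lead, last = nums
        if all(n < 256 for n in lead) and last < 256 ** (5 - len(parts)):
            for i, n in enumerate(lead):              # fill high bytes left to right
                last |= n << (8 * (3 - i))
            return "ip", str(ipaddress.IPv4Address(last))
    return "name", h.rstrip(".")


def triage(html):
    """One row per link: tag type, normalised host, and whether an anchor has no
    visible text (a common camouflage trick)."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    rows = []
    for tag, items in (("a", p.anchors), ("img", [(s, None) for s in p.images])):
        for url, text in items:
            kind, value = normalise_host(urlsplit(url).hostname or "")
            rows.append({"url": url, "tag": tag, "kind": kind, "host": value,
                         "hidden": tag == "a" and text == ""})
    return rows


def resolve(name):
    """Live lookup through the system resolver (not run offline).  For the
    authoritative answer, query the domain's own name servers instead."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, type=socket.SOCK_STREAM)})
```

Running triage(SAMPLE_HTML) gives five rows: the image link stands apart as tag "img" (which you would normally leave alone), the empty anchor is marked hidden, and its host comes out as 192.168.15.20, because 3232239380, 0xc0a80f14 and 0300.0250.017.024 are all the same address under the inet_aton rules browsers apply. Only the "name" rows need the DNS step; the "ip" rows already tell you what to look up in whois.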
(3) How do I find the providers for the addresses from #2 above?
You can find out information about any IP address in use on the public internet by consulting the
whois databases run by the regional internet registries (ARIN, RIPE NCC, APNIC, LACNIC and AFRINIC). These will identify the name of the provider holding the address block, along with postal addresses, telephone and fax numbers, and contact e-mail addresses for various issues (including abuse).
In all but a very few cases, the provider turned up by
whois will be just that: a provider. This provider will NOT be the party directly responsible for the spam (i.e., they are not the spammers); however, providers
do bear responsibility for the misuse of their resources by their customers or by unauthorized parties. We do not expect spammers to treat abuse reports with any sort of respect; however, we do expect these reports to be read and acted upon by the providers (since the providers have an obvious interest in minimizing the abuse of their services).
See my page on
finding IP-address contact information for spam websites for more information.
(4) How do I find the correct e-mail contacts for the providers identified in #3 above?
Assuming you've got through step #3 okay, then all you need do here is to read the
whois information for the address in question and select one of the e-mail addresses provided. Many providers will post a specific address for reporting abuse issues (ARIN records label it "OrgAbuseEmail", RIPE and APNIC records "abuse-mailbox"); others will not. If you can't find a specific abuse contact in the
whois information, you can also try a lookup to
whois.abuse.net; note that abuse.net is keyed by domain name rather than by IP address (e.g., whois -h whois.abuse.net fakewatchz.foo).
See my page on
finding abuse reporting addresses for more detail.
What if my reports would go to the spammers themselves?
Typically, a spam website will be hosted with an internet service that does business with lots of other people (most of them not spammers). In some cases, the spammers are actually making unauthorized and unpaid use of the services of others in order to host their website. In such cases, you are usually safe in reporting the abuse to the providers in question.
Sometimes, however, spammers can actually get control of their own blocks of IP addresses such that they show up in
whois as the owners of the block. If you file reports to any of the e-mail addresses that they provide, you are in effect communicating directly with the spammer, which is something you generally do not want to do (most of all because it won't do you any good).
There's no "acid test" that enables you to tell absolutely when you would be reporting directly to the spammer, but you can apply some human judgment to the information you've collected. If you think that the spammer owns the IP block in question, you may be better off reporting to the provider that sold the block to the spammer; this provider is often called an "upstream provider."
Finding upstream providers takes a bit of guesswork, using tools like
whois and
traceroute. ARIN records carry a "Parent:" line naming the larger allocation a block was carved from, the RIPE database answers "less specific" queries (its -l flag) that show the enclosing block, and a traceroute to the spam host shows whose routers the traffic passes through just before it arrives, which is usually the transit provider. It can be a bit tricky to do, but fortunately it is not required very often (since few spammers enjoy the luxury of their own IP blocks). See my page on finding upstream contacts for further information.
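As an added example for steps (3) and (4) and for the upstream question just above (an illustration written for this page, not the author's tooling or SpamCop's code): the functions below fetch a whois record over TCP port 43, following IANA's "refer:" line to the right regional registry, and then pick out the fields a report needs: the allocation, the organisation, the abuse mailbox, and (in ARIN records) the parent allocation that points toward the upstream. The two sample records are constructed in the ARIN and RIPE layouts with made-up values; only the field names are real. whois_query(), whois_ip() and abuse_net() talk to live servers and are not needed to exercise the parsing.

```python
"""Look up the provider behind an IP address and pull out what a report needs.
Added example for this page, not SpamCop's code.  SAMPLE_ARIN and SAMPLE_RIPE
are constructed records with placeholder values; the field names are real."""
import re
import socket

SAMPLE_ARIN = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        FAKEWATCHZ-NET
NetHandle:      NET-203-0-113-0-1
Parent:         UPSTREAM-EXAMPLE (NET-203-0-0-0-1)
NetType:        Reallocated
OrgName:        Fakewatchz Hosting
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseEmail:  abuse@fakewatchz-hosting.test
OrgTechEmail:   noc@fakewatchz-hosting.test
"""

SAMPLE_RIPE = """\
% This is a constructed sample, not live RIPE output.
inetnum:        198.51.100.0 - 198.51.100.255
netname:        BULKMAIL-NET
descr:          Bulk mail services
country:        NL
org:            ORG-BM1-RIPE
abuse-mailbox:  abuse@bulkmail-net.test
mnt-by:         UPSTREAM-MNT
"""

_FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 _-]*?):\s*(.*?)\s*$")


def parse_fields(text):
    """Turn 'key: value' lines into {lower-key: [values]}, skipping the '%' and
    '#' comment lines that registry servers wrap around their answers."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            continue
        m = _FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def abuse_contacts(text):
    """Abuse mailboxes from the registry-specific fields (ARIN OrgAbuseEmail,
    RIPE/APNIC abuse-mailbox); fall back to any abuse@ address in the record."""
    fields = parse_fields(text)
    found = fields.get("orgabuseemail", []) + fields.get("abuse-mailbox", [])
    if not found:
        found = re.findall(r"\babuse@[A-Za-z0-9.-]+", text)
    return sorted({f.lower() for f in found})


def parent_allocation(text):
    """ARIN's Parent: line names the block this one was carved from, which is
    where an 'upstream' report goes when the registrant looks like the spammer."""
    parent = parse_fields(text).get("parent")
    return parent[0] if parent else None


def summarise(text):
    """The handful of facts worth pasting into a report."""
    f = parse_fields(text)
    first = lambda *keys: next((f[k][0] for k in keys if k in f), None)
    return {"range": first("netrange", "inetnum"),
            "netname": first("netname"),
            "org": first("orgname", "org"),
            "abuse": abuse_contacts(text),
            "parent": parent_allocation(text)}


def whois_query(server, query, timeout=15):
    """Raw RFC 3912 exchange over TCP/43.  Live; not exercised offline."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def whois_ip(ip):
    """Ask IANA which registry holds the address (its 'refer:' line), then ask
    that registry.  Live; not exercised offline."""
    refer = parse_fields(whois_query("whois.iana.org", ip)).get("refer")
    return whois_query(refer[0] if refer else "whois.arin.net", ip)


def abuse_net(domain):
    """abuse.net's contact database is keyed by domain name, not by address."""
    return whois_query("whois.abuse.net", domain)
```

For a live address, summarise(whois_ip("203.0.113.1")) gives you the provider, its abuse mailbox and (for ARIN) the parent block in one go; when the registrant looks like the spammer himself, the parent handle is the record to look up next. The fallback in abuse_contacts() matters in practice: some records only mention the abuse mailbox in a free-text "Remarks:" line.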
What about reporting spam websites to domain registrars?
A "domain registrar" is an
ICANN-accredited business that sells people the rights to use particular domain names on the internet (country-code domains such as .uk or .ru are run by their own registries, which set their own rules and accredit their own registrars). Even the skankiest of spammers must go through the registration process for the domain in question in order to set up their named websites, since they otherwise won't get their domains into the DNS and won't be able to use them.
It can be tempting to report spam websites to the domain registrars that sold their domains. After all, the domain registrar can kill a spam website deader than Vaudeville by simply removing it from the DNS. As a practical matter, however, reporting to domain registrars is an iffy proposition at best. SpamCop does not make any effort to investigate spam domain registrations, so you are very much on your own here.
Registrars generally aren't required to revoke registrations in case of spamming (and only a few of them take on this responsibility voluntarily). Unless you find that the registrar for a spam domain has an anti-spam policy for its products, then, you won't get anywhere with the registrar simply by crying "spam!" You may have solid grounds for a report, however, if either of the following are true:
- The registrant data for the domain is demonstrably bogus (e.g., telephone numbers or addresses don't exist).
- The registrant is using a proxy service to hide his personal info, and the proxy service has a no-spam policy.
See my page on reporting to domain registrars for particulars.
CategorySpamCopReporting