

ALT.NET.ABUSE FAQ
=================

[ Spam Spam Spam Spam .........  ]



POLITICS

1.1) What is alt.current-events.net-abuse?
1.2) Why does it have such a silly name?
1.3) Who's responsible for this FAQ?
1.4) Where can I get it?
1.5) I don't understand a word of this.

SPAM, SPAMMERS, and MOOSES

2.1) What is Spam?                        [REVISED]
2.2) Where did the term come from?
2.3) Tell me about the Great Spammers.
2.4) Who were Canter and Siegel?
2.5) Where can I get more info on them?
2.6) What should we do about the book?
2.7) What was Larry's historic first post to a.c-e.n-a?
2.8) That doesn't make any sense. What was Larry's historic second
  post to a.c-e.n-a?
2.9) Who is Cancelmoose[tm]?                 [NEW]

NITTY-GRITTY

3.1) Yeah, but how many times is 'X'?
3.2) How can I tell if a post is forged?
3.3) How do I know when I've got spam on my hands?
3.4) OK, I think I've spotted a spam. Who should I mail-bomb?
3.5) OK, I think I've spotted a spam. What should I do?
3.6) What about e-mail spam?
3.7) I e-mailed a complaint to {so-and-so} about their {e-mail, post}
and now they're threatening to complain to my system administrator.
What should I do?
3.8) What's a cancel-bot?
3.9) Where can I get me one?
3.10) How do the spam-cancellers cancel spam?
3.11) Can I sick The Man on these MAKE.MONEY.FAST losers?

GROAN

4.1) Why are you a.c-e.n-a people such net-cops?
4.2) Hey, I think my newsgroup is being invaded by alt.syntax.tactical!
4.3) Hey, somebody posted an ad to <newsgroup>!
4.4) Hey, so-and-so's not being nice in <newsgroup>!
4.5) Hey, one of those net.cops posted an ad for <something>! Haw! Haw!


POLITICS
========

1.1) What is alt.current-events.net-abuse, and why was it created?

Here's the 'charter,' or at least the text from Thomas Koenig's
newgroup message of April 25, 1994:

  alt.current-events.net-abuse is a forum to discuss the current
  net abuses, such as "spamming" of Usenet by the law firm Canter &
  Siegel, and related issues.  This discussion, at the moment, takes
  up most of the bandwidth in news.admin.misc and news.admin.policy,
  and clearly merits a separate forum.

  It was proposed on alt.config in
  <2p8q9s$idl@nz12.rz.uni-karlsruhe.de>, and met no opposition
  there at all.

  For your newsgroups file:
  alt.current-events.net-abuse   Usenet spamming, Green Card and the like

Since that time, many curious forms of Usenet behavior have been
discussed on a.c-e.n-a. Of these, spam remains the only one considered
'net-abuse' by consensus, which is why it gets its own section
below. Other Frequently Aired Complaints are discussed throughout the
FAQ.

BTW: as Neil Pawson says, "it's for abuse *of* the net, NOT abuse *on*
the net."

1.2) Why does alt.current-events.net-abuse have such a silly name?

It was/is supposed to be "temporary." Can you imagine, a "temporary"
newsgroup name? Would you really want to have to go through alt.config
*twice*? --Note, however, that there's a serious campaign to move
a.c-e.n-a to the news.* hierarchy; this would make us go through
news.groups instead. Delight!

1.3) Who's responsible for this FAQ?

It's maintained by Scott Southwick (scotty@indiana.edu). The
information has been gleaned from various Usenet sources --primarily
posts to a.c-e.n-a made by a wide variety of authors-- and so the
maintainer must actively disclaim all responsibility for the veracity,
advisability and/or legality of anything contained in the FAQ. Thanks
to the following people who have contributed to it, or at least
discussed its contents in a non-threatening manner:

Arthur Byrne, Pekka Pirinen, Keith "Justified and Ancient" Cochran,
Lamont Granquist, Victoria Fike, J.D. Falk, Steve Patlan, Wilf
Leblanc, Seth Cohn, Neil Pawson, Bram Cohen, Mitchell Golden, Rahul
Dhesi, Stephen Boursy, Mary Branscombe, David Cortesi, Alexander
Lehmann, Greg Lindahl, Jack Hamilton, and several others I have
undoubtedly missed.

Contributions are always warmly welcomed, as are suggestions,
corrections and criticism.

1.4) Where can I get it?

The finished version will be posted either bi-weekly or semi-monthly
(whichever you prefer) to a.c-e.n-a, alt.answers, and news.answers. It
will also be available by anonymous ftp from rtfm.mit.edu and its
mirror sites. The sharpest-dressed and most up-to-the-minute version
will always be available on the Web at

       http://www-sc.ucssc.indiana.edu/~scotty/acena.html

If you have trouble with that alias, try

       http://jalapeno.ucs.indiana.edu/~scotty/acena.html

1.5) I don't understand a single word of this.

The best starting place for learning about Usenet is Indiana
University's Usenet Resources page, at

    http://scwww.ucs.indiana.edu/NetRsc/usenet.html

[I put that together at my day-job. This entry is a shameless plug for
my employers.]  It's got links to most Usenet primers, netiquette
documents and news FAQs, Son-of-RFC-1036, some charters, newsreader
man pages, &c.


SPAM, SPAMMERS, and MOOSES
==========================

2.1) What is Spam?

It's a luncheon meat, kinda pink, comes in a can, made by Hormel. Most
Americans intuitively, viscerally associate "Spam" with "no nutritive
or aesthetic value." The luncheon meat has its own newsgroup,
alt.spam.

The term "spam," as used on this newsgroup, means "the same article
(or essentially the same article) posted an unacceptably high number
of times to one or more newsgroups." CONTENT IS IRRELEVANT. 'Spam'
doesn't mean "ads." It doesn't mean "abuse." It doesn't mean "posts
whose content I object to." Spam is a funky name for a phenomenon that
can be measured pretty objectively: did that post appear X times?
(See: "Yeah, but how many is X?")

There's currently a discussion raging about "customized" spams, in the
aftermath of a large spam-cancel wherein every post contained a
substantial section of material tailored specifically for each
group. The large majority of posters felt that the cancel was
justified. The above definition of "spam" will probably be adjusted in
some way to incorporate this, once the dust finally settles; comments
are welcome.

It should be noted that cross-posting a single message to many
newsgroups is definitely *not* considered cancellable spam by those
who cancel spam. That doesn't mean it's always a swell idea, though.

2.2) Where did the term 'Spam' come from?

From the Monty Python song that goes, roughly, "Spam spam spam spam,
spam spam spam spam, spam spam spam spam..." See?

The term wasn't first used to describe mass news posting, however. See
the Hacker's Jargon File for previous uses of the word.

2.3) Tell me about the Great Spammers.

So as not to duplicate effort, here's a couple of excellent archives
devoted to the various bugbears of the Net:

  * The Net.Legends archive (particularly the Net.Legends FAQ)
      gopher://dixie.aiss.uiuc.edu:6969/11/urban.legends/net.legends

  * The alt.usenet.kooks Web Page
      ftp://ftp.crl.com/users/ro/cd/auk.html

Not all of the kooks and legends discussed there are spammers, or even
villains. Spam fans should pay particular attention to the entries on
Serdar Argic, the spiritual ancestor of today's spammers.

2.4) Who were Canter and Siegel?

Unfortunately, it's "Who *are* Canter and Siegel?" They're lawyers,
authors, and Usenet newbies _par excellence_. Super-newbies. Honorary
Permanent Newbies. When they sit around the net, they sit *around the
net*...

C+S weren't the first spammers, but they were so gothically clumsy
about it, and so intent on making a buck, that people were terrified
and infuriated into starting this newsgroup.

2.5) Where can I get more information about them?

The best archive of Canter and Siegel-related postings is maintained
by C&S themselves; last time somebody checked with "ls -r", the
fun-loving net.lawyers seemed to be storing every post that mentioned
them (can you say "grepping for libel cases"?)

If you're not C or S yourself, though, the next best info source is
Thomas Leavitt's "The Canter & Siegel Report," available via anonymous
ftp from

   ftp://ftp.armory.com/pub/user/leavitt/

Those files are zipped. Users with access to 1990s technology should
check out the WWW versions at

   ftp://ftp.armory.com/pub/user/leavitt/html/cands.report.html
   ftp://ftp.armory.com/pub/user/leavitt/html/candsrpt.two.html
   ftp://ftp.armory.com/pub/user/leavitt/html/candsrpt.three.html

2.6) What should we do about the book?

What book?

2.7) What was Larry's historic first post to a.c-e.n-a?

Path: usenet.ucs.indiana.edu!vixen.cso.uiuc.edu!howland.reston.ans.net!cs.utexas.edu!uunet!psinntp!cr.sell.com!lcanter
From: lcanter@cyber.sell.com (lcanter)
Subject: Re: Larry and Martha
Message-ID: <D009w5.Iv0@cyber.sell.com>
Followup-To: news.admin.misc,news.admin.policy,alt.current-events.net-abuse,alt.fan.joel-furr
Sender: news@cyber.sell.com (NetNews Administration)
Organization: CYBERSELL -TM
X-Newsreader: TIN [version 1.2 PL0]
References: <19941126d$zbbfr@nospam.nohow.edu> <3b8edh$748@pith.uoregon.edu> <3bc5g3$7hr@decaxp.harv.edu> <caradoc-2811940848430001@tecate.enet.net> <3bd09p$2nc@news.duke.edu>
Date: Tue, 29 Nov 1994 01:38:29 GMT
Lines: 12

: When Mike Godwin of the Electronic Frontiers Foundation offered the
: services of the EFF to represent me (this on the heels of literally
: hundreds of offers of contributions to my non-existent legal defense
: fund), Canter and Siegel dropped their plans like a hot potato.

  ***************************************************
  *  Laurence A. Canter  lcanter@cyber.sell.com     *
  *  Cybersell -tm                                  *
  *  10245 E Via Linda, Ste 222 Scottsdale AZ  85258*
  *  Telephone (602) 661-5202 Fax (602) 451-7617    *
  ***************************************************

2.8) That doesn't make any sense. What was Larry's historic second
post to a.c-e.n-a?

Path: usenet.ucs.indiana.edu!vixen.cso.uiuc.edu!howland.reston.ans.net!cs.utexas.edu!uunet!psinntp!cr.sell.com!lcanter
From: lcanter@cyber.sell.com (lcanter)
Subject: Re: Larry and Martha
Message-ID: <D00FED.KCL@cyber.sell.com>
Followup-To: news.admin.misc,news.admin.policy,alt.current-events.net-abuse,alt.fan.joel-furr
Sender: news@cyber.sell.com (NetNews Administration)
Organization: CYBERSELL -TM
X-Newsreader: TIN [version 1.2 PL0]
References: <19941126d$zbbfr@nospam.nohow.edu> <3b8edh$748@pith.uoregon.edu> <3bc5g3$7hr@decaxp.harv.edu> <caradoc-2811940848430001@tecate.enet.net> <3bd09p$2nc@news.duke.edu>
Date: Tue, 29 Nov 1994 03:37:25 GMT
Lines: 15
Xref: usenet.ucs.indiana.edu news.admin.misc:1941 news.admin.policy:666 alt.current-events.net-abuse48

: When Mike Godwin of the Electronic Frontiers Foundation offered the
: services of the EFF to represent me (this on the heels of literally
: hundreds of offers of contributions to my non-existent legal defense
: fund), Canter and Siegel dropped their plans like a hot potato.

Really?  This is complete news to us.

--
  ***************************************************
  *  Laurence A. Canter  lcanter@cyber.sell.com     *
  *  Cybersell -tm                                  *
  *  10245 E Via Linda, Ste 222 Scottsdale AZ  85258*
  *  Telephone (602) 661-5202 Fax (602) 451-7617    *
  ***************************************************

2.9) Who is Cancelmoose[tm]?

Cancelmoose[tm] is, to misquote some wise poster, "the greatest public
servant the net has seen in quite some time." He or she sends out
spam-cancels from a major American provider and then posts notice
anonymously to news.admin.policy, news.admin.misc, and a.c-e.n-a. The
Moose stepped to the fore on its own initiative, at a time when
spam-cancels were irregular and disorganized, and has behaved
altogether admirably-- fair, even-handed, and quick to respond to
comments and criticism, all without self-aggrandizement or martyrdom.
Cancelmoose[tm] appears to have near-unanimous support from the
readership of all three above-mentioned groups.

Nobody knows who Cancelmoose[tm] really is, and there aren't even any
good rumors.

NITTY-GRITTY
============

3.1) Yeah, but how many times is 'X'?

How many posts does it take to push the spam envelope? To use up all
your spam charity points? For a bare-bones spam? To trigger the
auto-cancel-bots-from-Hell?

Among those who agree that spam should be defined solely by quantity,

             -----------------> 20 <--------------------

appears to be the magic number, or at least a number so
middle-of-the-road that it provokes very little passionate dissent in
either direction.

Passionately dissenting note: Rahul Dhesi [dhesi@rahul.net], one of
the fathers of the cancel-bot movement, sticks by the following
definition:

     More than five physically distinct postings with substantially
     identical content posted within a period of ten days.
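The two thresholds above, applied to a batch of articles, as an added example (not part of the original FAQ). The record layout, the exact-match fingerprint used as a stand-in for "substantially identical", and reading the magic number as "20 or more" are assumptions; the sample articles are constructed.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

CONSENSUS_X = 20                    # the "magic number"; ">= 20" is an assumption
DHESI_COUNT = 5                     # "more than five physically distinct postings"
DHESI_WINDOW = timedelta(days=10)   # "within a period of ten days"


def fingerprint(body):
    """Hash the body with case and whitespace differences removed."""
    text = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def distinct_postings(articles):
    """Map fingerprint -> {Message-ID: date}.

    A cross-post is one article with one Message-ID, so it counts once no
    matter how many newsgroups it shows up in.
    """
    groups = defaultdict(dict)
    for art in articles:
        groups[fingerprint(art["body"])].setdefault(art["message_id"], art["date"])
    return groups


def max_in_window(dates, window):
    """Largest number of dates that fit inside any span of length `window`."""
    dates = sorted(dates)
    best = start = 0
    for end in range(len(dates)):
        while dates[end] - dates[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(articles):
    """One report row per distinct text, in order of first appearance."""
    report = []
    for fp, posts in distinct_postings(articles).items():
        report.append({
            "fingerprint": fp[:12],
            "distinct_postings": len(posts),
            "consensus_spam": len(posts) >= CONSENSUS_X,
            "dhesi_spam": max_in_window(posts.values(), DHESI_WINDOW) > DHESI_COUNT,
        })
    return report


def sample_articles():
    """Constructed input: a 30-group cross-post, a 6-day burst, a slow repeat."""
    day0 = datetime(1994, 11, 1)
    arts = []
    for i in range(30):   # one article, seen once per group it was cross-posted to
        arts.append({"message_id": "<xpost.1@site.example>", "date": day0,
                     "newsgroup": f"misc.test{i}", "body": "Meeting notes attached."})
    for i in range(6):    # six separate postings, same text apart from spacing
        arts.append({"message_id": f"<burst.{i}@site.example>",
                     "date": day0 + timedelta(days=i),
                     "newsgroup": f"rec.test{i}", "body": "MAKE  money\nfast" + " " * i})
    for i in range(6):    # six separate postings, twelve days apart
        arts.append({"message_id": f"<slow.{i}@site.example>",
                     "date": day0 + timedelta(days=12 * i),
                     "newsgroup": "news.test", "body": "Monthly FAQ pointer"})
    return arts


if __name__ == "__main__":
    for row in classify(sample_articles()):
        print(row)
```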

3.2) How can I tell if a post is forged?

Sometimes it's easy to spot a forgery, sometimes it takes years of
experience, and unfortunately, sometimes it's just impossible. (Note:
most newsreaders don't show the entire header. Yours may have a
command (e.g. 'h' in nn, 'v' in rn and trn, CTRL/h in tin) that allows
you to see them in their entirety. If it doesn't, save the post to a
file -- if given the choice, use 'mailbox' format.  Then bring that
file up in an editor.)

For starters, these four sites in the header should agree:

--The From: line, listing the site where the poster is.

--The 'path:' line shows all the sites the message passed thru, on its
way *to* you (most recent, to oldest).  So the poster's site should be
at (approximately) the end of that path.

--The last part of the 'message ID,' which is the originating site
name.

--On many posts there is an "NNTP host" field, as well.

The last item in the "Path" header line is the poster; working
backwards, it lists the hosts the message passed through until it got
to the server the reader uses.  The first check on a supposed forgery is
whether the host that supposedly posted the message is on this list in
the correct location.  However, even if it is, that doesn't mean the
post isn't a forgery, since wily forgers forge part of the Path line
before slipping the message into Usenet.

The Message-ID: is a unique id number created by the posting
software. In all cases that we know of, the posting machine's ID is
appended at the end of it. Sometimes, but not always, this matches the
poster's account. Sometimes a slightly different machine in the domain
is used for posting, and may vary slightly. But if the sites in the
message-ID and the poster's account vary wildly--e.g., netcom.com and
army.mil--you may be dealing with a forgery.

Some other ideas:

* Check the time stamps; if the site and the time zone don't agree,
something might be up.

* With experience, you can look at the intermediates on the 'path' and
spot things that look 'funny'.  If a message that purports to have
come from someone in Detroit, MI, goes bouncing thru half-a-dozen
sites in EUROPE, before arriving in Chicago, IL -- it's likely a
phoney origin.  If you have the advantage of knowing about what sites
are connected to where -- even for a few sites-- you can spot a fake
if it shows routing between two machines that you *know* don't talk to
each other.

However, as Steve Patlan cautions: "I posted a message from Austin, TX
that went through Austria.eu.net (something like that) before reaching
(a newsfeed received from Rice U in) Houston, TX."

* The "Organization" line, which is usually set by the site's news
administrator (but can be easily changed by the poster for purposes
legitimate or devious) may also contain clues. If somebody's trying to
cause trouble for a particular organization, for instance, they may
include it, but not get the name or address right.

Of course, if the forger simply forgets to alter the Organization
line, you may get clues that way also.

For more information on headers, see RFC-1036, "Standard for
Interchange of Usenet Messages," at

    http://www.cis.ohio-state.edu/htbin/rfc/rfc1036.html

(Thanks to Robert Bonomi, Arthur Byrne, Emma Pease, and Alan Bostick
for most of this information.)

(This entry comes from Indiana University's UCS Knowledge Base.)
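
The four-way agreement check described in this entry, as an added example (not part of the original FAQ). The function names, the "last two DNS labels" notion of a site, and the sample headers (constructed, using reserved .example names) are assumptions.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample headers using reserved .example names (not real articles).
CONSISTENT = """\
Path: reader.example.net!feed.example.org!news.netcom.example!alice
From: alice@netcom.example (Alice)
Message-ID: <3a1$k2@ix.netcom.example>
NNTP-Posting-Host: ix.netcom.example
"""
SUSPECT = """\
Path: reader.example.net!feed.example.org!news.netcom.example!bob
From: bob@base.army.example (Bob)
Message-ID: <9x1$q7@ix.netcom.example>
NNTP-Posting-Host: 192.0.2.7
"""


def site(host):
    """Reduce a host name to a comparable 'site': its last two DNS labels.

    Assumption: a naive stand-in for real knowledge of domains. Bare UUCP
    names (no dot) and IP addresses return None and are left out of the check.
    """
    labels = host.strip().strip(".").lower().split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return None
    return ".".join(labels[-2:])


def origin_claims(raw_headers):
    """Return {header name: site} for each header that names an origin."""
    msg = HeaderParser().parsestr(raw_headers)
    claims = {}
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" in addr:
        claims["From"] = site(addr.rsplit("@", 1)[1])
    # Path reads newest hop first; the last item is the poster, so the
    # entry just before it is the claimed posting host.
    hops = [h for h in msg.get("Path", "").split("!") if h.strip()]
    if len(hops) >= 2:
        claims["Path"] = site(hops[-2])
    match = re.search(r"@([^>\s]+)>", msg.get("Message-ID", ""))
    if match:
        claims["Message-ID"] = site(match.group(1))
    if msg.get("NNTP-Posting-Host"):
        claims["NNTP-Posting-Host"] = site(msg["NNTP-Posting-Host"])
    return {name: s for name, s in claims.items() if s}


def check_origin(raw_headers):
    """Flag a header whose origin fields name different sites."""
    claims = origin_claims(raw_headers)
    return {"claims": claims, "consistent": len(set(claims.values())) <= 1}


if __name__ == "__main__":
    for name, sample in (("consistent", CONSISTENT), ("suspect", SUSPECT)):
        print(name, check_origin(sample))
```

A "consistent" result only means the fields agree with each other; as noted above, a forger can write the Path line too, so agreement is a first filter and not proof of origin.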

3.3) How can I tell how many newsgroups an article was posted to?

[more ways here?]

(adapted from a posting by Lee Rudolph--thanks.)

You can force the Unix newsreader nn to ignore your .newsrc and create
a "merged newsgroup" consisting only of articles containing a certain
word in their subject line. For instance, to gather all articles at
your site containing the word "spam" in their subject line, use this
command:

  % nngrab spam

That's basically a faster version of

  % nn -i -s"spam" -mXx

Caution: this latter method can be a long, tedious process. See the nn
man page for more details.

3.4) OK, I'm certain it's spam. Who should I mail-bomb?

Don't mail-bomb anybody. Harassment is illegal everywhere. If
somebody's done something truly evil, they'll get enough single
responses from individuals to achieve the same effect.

3.5) OK, I'm certain it's spam. What should I do?

* Check a.c-e.n-a. If somebody's already made a definitive spotting,
there's no sense in an "I've seen it, too" post.

* Include a *complete* header from one copy of the spam in your post
to a.c-e.n-a. Delete most of the spam itself--content doesn't really
matter, and most people have probably already seen it. Just summarize
it briefly.

* Say how many newsgroups at your site it was posted to; list 20 or
more of them. (See "How do I know how many newsgroups an article was
posted to?")

* Complain politely to the spammer and the Usenet administrator at the
spammer's site (whose address should be "usenet@site.name"; if that
fails, try "postmaster@site.name".) Request that the Usenet
administrator post a response to news.admin.misc, detailing what
actions have been taken.

3.6) What about e-mail spam?

You can always complain about unsolicited e-mail to both the bozo that
sent it to you and the bozo's postmaster. To write to a postmaster,
just substitute the perp's username in their address (e.g.,
bozo@otherwise.lovely.com) with "postmaster" (i.e.,
postmaster@otherwise.lovely.com.) Please be brief and polite with the
postmasters, include a copy of the e-mail you received, and leave the
subject-line intact (in case the postmaster wants to set up an
auto-responder.)

3.7) I e-mailed a complaint to so-and-so about their {post, mail}, and
now they're threatening to complain to my system administrator. What
should I do?

Let your sys-admin know right away what's happening. Tell them the
story, briefly. [Include the post(s) in question?] Then keep them
updated on any further threats.

If you're brief, polite, and on the right side, you can usually find
an ally in your sys-admin.

3.8) What is a cancel-bot?

A cancel-bot is a program that sends out cancel messages. Cancel
messages are normally sent out by a newsreader in response to a user's
request to cancel a message (e.g., with the 'C' command in trn or 'D'
in tin) *if* the user was also the original poster of the
message. Sites will ignore cancel messages that don't appear to come
from the original poster.  Cancel-bots work around this restriction by
forging header lines that make it look like the original poster sent
out the cancel; they'll usually add something like a "Cancelled-By"
[?] header line as well, to keep things nominally above-board.

Use of a cancel-bot against anything besides 'consensus spam' would
probably create a fierce uproar, ending in tears.

3.9) Where can I get me a cancel-bot?

If you have to ask, you should probably wait a while. ;}

3.10) How do the spam-cancellers cancel spam?

   * They make bloody sure they know how to use their cancel-bot;
   * They confirm the spam themselves;
   * They announce their action to a.c-e.n-a. This prevents everyone
     from waiting around and wondering whether anyone's done anything.

Here's a standard section from a cancel-notification post by the
beloved Cancelmoose(TM):

  The $alz cancel. and Path: cyberspam conventions were followed.  [The
  $alz convention is to create your cancel message-ID by prepending
  'cancel.' to the original one.  The cyberspam convention is to use
  'Path: cyberspam!usenet' so that sites that do not want your cancels
  can easily opt out.  Please use these when cancelling spam.]
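
How a receiving site could recognize cancels that follow the two conventions quoted above and opt out of them, as an added example (not part of the original FAQ and not any news server's own code). The function names, the returned labels, and the sample headers (constructed) are assumptions; the "Control: cancel <id>" header is the cancel form from RFC 1036.

```python
import re
from email.parser import HeaderParser

# Constructed sample headers (not real control messages).
SPAM_CANCEL = """\
Path: reader.example.net!feed.example.org!cyberspam!usenet
Control: cancel <spam.17@site.example>
Message-ID: <cancel.spam.17@site.example>
"""
USER_CANCEL = """\
Path: reader.example.net!news.site.example!alice
Control: cancel <post.5@site.example>
Message-ID: <post.6@site.example>
"""
ORDINARY_POST = """\
Path: reader.example.net!news.site.example!alice
Message-ID: <post.7@site.example>
"""


def parse_cancel(raw_headers):
    """Return convention flags for a cancel control message, else None."""
    msg = HeaderParser().parsestr(raw_headers)
    match = re.match(r"\s*cancel\s+(<[^>\s]+>)\s*$", msg.get("Control", ""), re.I)
    if not match:
        return None
    target = match.group(1)
    own_id = msg.get("Message-ID", "").strip()
    hops = [h.strip() for h in msg.get("Path", "").split("!") if h.strip()]
    return {
        "target": target,
        # $alz: the cancel's own Message-ID is 'cancel.' + the original ID.
        "alz": own_id == "<cancel." + target[1:],
        # cyberspam: a 'cyberspam' pseudo-site appears in the Path.
        "cyberspam": "cyberspam" in hops,
    }


def site_action(raw_headers, accept_spam_cancels):
    """Decide what a site does with an incoming article's headers."""
    info = parse_cancel(raw_headers)
    if info is None:
        return "not-a-cancel"
    if info["cyberspam"] and not accept_spam_cancels:
        return "drop"        # the site has opted out of third-party spam cancels
    return "normal"          # hand to the news software's usual cancel handling


if __name__ == "__main__":
    for sample in (SPAM_CANCEL, USER_CANCEL, ORDINARY_POST):
        print(parse_cancel(sample), site_action(sample, accept_spam_cancels=False))
```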

3.11) Can I sick The Man on these MAKE.MONEY.FAST losers?

Americans can complain about e-mail or Usenet pyramid schemes to the
FTC:

  STAFF CONTACT:      Bureau of Consumer Protection
                      David Medine, 202-326-3224
                      david.medine@wpo.ftc.gov

                      Jeffrey S. Markowitz, 202-327-2460
                      jeffery.markowitz@wpo.ftc.gov

Before doing so, consider seriously whether you actually want to
encourage government intervention. The number of 'net cases the FTC
has been involved in is very low at this point; in an ideal world, it
would probably remain that way.

GROAN
=====

4.1) I hate net-cops like you people in a.c-e.n-a.

Who will watch the watchmen? net-cop.cops like this,
apparently. ;} Anyways, anyone who wanted to police the net would be a
pig-headed, unrealistic fool. Thankfully, we just want to shoot spam
out of the sky, because

  * We hate it,
  * It feels good, and
  * We can.

4.2) Hey, I think my group's being invaded by alt.syntax.tactical!

We're sorry. Please don't bring that subject up again here. Good
luck... Keith "Justified and Ancient" Cochran, who has been wrongfully
accused of a.s.t involvement himself, adds: "I would suggest the first
thing you do is take a chill pill." (Note that there is no second
thing to do. However, you may want to pass the time reading the
alt.bigfoot FAQ:

  http://www.cis.ohio-state.edu/hypertext/faq/usenet/bigfoot/top.html

--particularly the part about cats.)

4.3) Hey, somebody posted an ad in {newsgroup}!

So?

Alright, alright: first, check to see if the post was obviously forged
(see "How can I spot a forgery?")

Then check to see if it's spam (see "What is Spam" and "How do I know
when I've got spam on my hands?") It's probably not. We only want to
hear about it if it's spam.

If the ad is off-topic, and you really can't let it go, check out the
advice in "Hey, so-and-so's not being nice in {newsgroup}!"

4.4) Hey, so-and-so's not being nice in {newsgroup}!

Happens all the time. We don't want to hear about it. However, here
are some things you can do (written by Keith "Justified and Ancient"
Cochran):

"The first thing to do is take it up with user@some.site.  If you
can't achieve a mutual understanding, then you _MIGHT_ (note, not
WILL, _MIGHT_) want to mail postmaster@some.site with your complaint.
If you are going to write to postmaster@some.site, be sure to include
the full, unedited post you have a problem with, a short but
descriptive summary of why you have a problem with it, and a short,
but descriptive explanation of what you would like to have happen.

"Note that this does not apply to MAKE.MONEY.FAST.  If you see a copy
of M.M.F, just e-mail postmaster@some.site, including the article ID,
and the first paragraph of the post."

4.5) Hey, one of those net.cops posted an ad for <something>! Haw! Haw!

     ad != spam

[ END ]


