home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ftp.pasteur.org/FAQ/
/
ftp-pasteur-org-FAQ.zip
/
FAQ
/
net-abuse-faq
/
part2
< prev
next >
Wrap
Internet Message Format
|
1996-01-29
|
20KB
Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!gatech!newsfeed.internetmci.com!uwm.edu!math.ohio-state.edu!magnus.acs.ohio-state.edu!lerc.nasa.gov!kira.cc.uakron.edu!odin.oar.net!malgudi.oar.net!catseye.bluemarble.net!shooter.bluemarble.net!scotty
From: scotty@shooter.bluemarble.net (Scott Southwick)
Newsgroups: news.admin.net-abuse.misc,alt.current-events.net-abuse,alt.answers,news.answers
Subject: news.admin.net-abuse FAQ (2/2)
Followup-To: news.admin.net-abuse.misc
Date: 26 Jan 1996 23:32:18 GMT
Organization: Blue Marble
Lines: 476
Approved: news-answers-request@MIT.EDU
Expires: 18 Feb 1996
Message-ID: <4eboa2$964@catseye.bluemarble.net>
NNTP-Posting-Host: shooter.bluemarble.net
Xref: senator-bedfellow.mit.edu news.admin.net-abuse.misc:39275 alt.current-events.net-abuse:35050 alt.answers:15265 news.answers:63316
Archive-name: net-abuse-faq/part2
Posting-Frequency: biweekly
[Table of Contents for part two only:]
NITTY-GRITTY
3.1) Yeah, but how many times is 'X'?
3.2) What is the Breidbart Index (BI)?
3.3) What is NoCeM?
3.4) Is there a blacklist of net-abusers?
3.5) How can I tell if a post is forged?
3.6) How do I know when I've got spam on my hands?
3.7) OK, I think I've spotted a spam. Who should I mail-bomb?
3.8) OK, I think I've spotted a spam. What should I do?
3.9) What about e-mail spam?
3.10) I e-mailed a complaint to {so-and-so} about their {e-mail, post}
and now they're threatening to complain to my system administrator.
What should I do?
3.11) What's a cancel-bot?
3.12) Where can I get me one?
3.13) How do spam-cancellers cancel spam?
3.14) Can I sick The Man on these MAKE.MONEY.FAST losers?
3.15) What is a killfile, and how do I use one?
GROAN
4.1) Why are you net-abuse people such net-cops?
4.2) Hey, I think my newsgroup is being invaded by alt.syntax.tactical!
4.3) Hey, somebody posted an ad to <newsgroup>!
4.4) Hey, so-and-so's not being nice in <newsgroup>!
4.5) Hey, the Good Times virus--
4.6) Hey, there's this <AT&T, Jerry Garcia, whatever> banner message
in the newsgroup descriptions!
4.7) Hey, one of those net.cops posted an ad for <something>! Haw! Haw!
APPENDIX
news.admin.net-abuse.misc charter
news.admin.net-abuse.misc charter and guidelines
NITTY-GRITTY
============
3.1) Yeah, but how many times is 'X'?
How many posts does it take to push the spam envelope? To use up all
your spam charity points? For a bare-bones spam? To trigger the
raging-spam-cancellers-from-Hell?
Among those who agree that spam should be defined solely by quantity,
-----------------> 20 <--------------------
appears to be the magic number, or at least a number so
middle-of-the-road that it provokes very little passionate dissent in
either direction. Notably, Cancelmoose[tm] refuses to set a firm
number, in the belief that people would simply post [X-1]
messages. It's safe to say that a couple incidents of 19-post spams
would cause the magic number to plummet. Thus, 20 should be considered
a vague approximation only.
Passionately dissenting note: Rahul Dhesi [dhesi@rahul.net], one of
the fathers of the cancel-bot movement, sticks by the following
definition:
More than five physically distinct postings with substantially
identical content posted within a period of ten days.
3.2) What is the Breidbart Index (BI)?
The Breidbart Index (BI) is a measure of the breadth of any
multi-posting, cross-posting, or combination of the two. BI is defined
as the sum of the square roots of how many newsgroups each article was
posted to. If that number approaches 20, then the posts will probably
be cancelled by somebody.
For instance, four identical posts to nine newsgroups each (4 times 3)
has a BI of 12. However, nine identical posts to four newsgroups each
(9 times 2) has a BI of 18.
3.3) What is NoCeM?
NoCeM is an end to all this spam, and an end to all this
cancelling. With NoCeM (pronounced "No See 'Em"), your newsreader goes
out and gets certain posts (from trusted parties) that contain lists
of junk articles (ECP, spam, etc.) Your newsreader then hides those
articles from you.
Note that right now there's only a NoCeM newsreader for Unix.
The move to NoCeM is headed by the Cancelmoose[tm] (moose@cm.org), and
the moose's web site has all the info you might want about NoCeM:
http://www.cm.org
Also check out the newsgroup alt.nocem.misc, which will degenerate
into a Big 7 newsgroup one of these days.
3.4) Is there a blacklist of net-abusers?
Yes, Axel Boldt maintains the world-renowned "Blacklist of Internet
Advertisers" at
http://math-www.uni-paderborn.de/~axel/BL/blacklist.html
3.4) How can I tell if a post is forged?
Gandalf (gandalf@ddi.digital.net) is putting together a guide to
tracking down forgeries, and posting the FAQ to
news.admin.net-abuse.misc. I've saved a copy of the second draft at
http://www.bluemarble.net/~scotty/forgery.html
For a rough article on forgery, originally constructed for this FAQ
out of information contributed by Robert Bonomi, Arthur Byrne, Emma
Pease, and Alan Bostick, see
http://sckb.ucssc.indiana.edu/kb/data/all.afco.html
For more information on headers, see RFC-1036, "Standard for
Interchange of Usenet Messages," at
http://www.cis.ohio-state.edu/htbin/rfc/rfc1036.html
3.5) How can I tell how many newsgroups an article was posted to?
For people who can't use the classic "grepping the newsspool" method,
nn or nngrab may be able to help. (The following is adapted from a
posting by Lee Rudolph--thanks.)
You can force the Unix newsreader nn to ignore your .newsrc and create
a "merged newsgroup" consisting only of articles containing a certain
word in their subject line. For instance, to gather all articles at
your site containing the word "spam" in their subject line, use this
command:
% nngrab spam
That's basically a faster version of
% nn -i -s"spam" -mXx
Caution: this latter method can be a long, tedious process. See the nn
man page for more details.
3.6) OK, I'm certain it's spam. Who should I mail-bomb?
Don't mail-bomb anybody. Harrassment is illegal everywhere. If
somebody's done something truly evil, they'll get enough single
responses from individuals to acheive the same effect.
3.7) OK, I'm certain it's spam. What should I do?
* Check n.a.n-a.announce. If somebody's already made a definitive
spotting, there's no sense in an "I've seen it, too" post.
* Include a *complete* header from one copy of the spam in your post
to n.a.n-a.announce. Set followups to n.a.n-a.misc.
* Say how many newsgroups at your site it was posted to; list 20 or
more of them. (See "How do I know how many newsgroups an article was
posted to?")
* Complain politely to the spammer and the Usenet administrator at the
spammer's site (whose address should be "usenet@site.name"; if that
fails, try "postmaster@site.name".) Request that the Usenet
administrator post a response to n.a.n-a.announce, detailing what
actions have been taken.
3.8) What about e-mail spam?
You can always complain about unsolicited e-mail to both the bozo that
sent it to you and the bozo's postmaster. To write to a postmaster,
just substitute the perp's username in their address (e.g.,
bozo@otherwise.lovely.com) with "postmaster" (i.e.,
postmaster@otherwise.lovely.com.) Please be brief and polite with the
postmasters, include a copy of the e-mail you received, and leave the
subject-line intact (in case the postmaster wants to set up an
auto-responder.)
3.9) I e-mailed a complaint to so-and-so about their {post, mail}, and
now they're threatening to complain to my system administrator. What
should I do?
Let your sys-admin know right away what's happening. Tell them the
story, briefly. [Include the post(s) in question?] Then keep them
updated on any further threats.
If you're brief, polite, and on the right side, you can usually find
an ally in your sys-admin.
3.10) What is a cancel-bot?
First off, "cancel-bot" is an unfortunate misnomer, and one that the
conventional media have understandably misunderstood. "bot" implies
that something is out there, running unattended, cancelling whatever
meets its nefarious qualifications... But this author knows of *no*
automated cancel programs in use against any type of Usenet postings,
and has never heard of such a program. All spam-cancels are sent out
manually and deliberately by actual human beings. (They happen to use
a program that is commonly referred to as a "cancel-bot".)
A cancel-bot is a program that sends out cancel messages; you feed it
the message-IDs of posts, and it sends out a cancel message for each
one (see RFC 1036.) Cancel messages are normally sent out by a
newsreader in response to a user's request to cancel a message, using
a newsreader command, *if* the user was also the original poster of
the message. Sites will ignore cancel messages that don't appear to
come from the original poster. Cancel-bots work around this
restriction by using header lines that make it look like the original
poster sent out the cancel; they'll usually add something like a
"Cancelled-By" header line as well, to keep things nominally
above-board.
Use of a cancel-bot against anything besides 'consensus spam' outrages
people, as it should. See alt.religion.scientology for sample
discussions.
3.11) Where can I get me a cancel-bot?
If you have to ask, you should probably wait a while. ;}
3.12) How do the spam-cancellers cancel spam?
* They make bloody sure they know how to use their cancel-bot;
* They confirm the spam themselves;
* They announce their action to n.a.n-a.announce. This prevents
everyone from waiting around and wondering whether anyone's done
anything.
Here's a standard section from a cancel-notification post by the
beloved Cancelmoose(TM):
The $alz cancel. and Path: cyberspam conventions were followed. [The
$alz convention is to create your cancel message-ID by prepending
'cancel.' to the original one. The cyberspam convention is to use-
'Path: cyberspam!usenet' so that sites that do not want your cancels
can easily opt out. Please use these when cancelling spam.]
3.13) Can I sick The Man on these MAKE.MONEY.FAST losers?
You can complain about e-mail or Usenet pyramid schemes (at least
those involving Americans somehow) to the FTC:
STAFF CONTACT: Bureau of Consumer Protection
David Medine, 202-326-3224
dmedine@ftc.gov
Before doing so, consider seriously whether you actually want to
encourage government intervention. The number of 'net cases the FTC
has been involved in is very low at this point; in an ideal world, it
would probably remain that way.
3.15) What is a killfile, and how do I use one?
A killfile enables you to permnanently avoid reading posts by certain
people, or from a certain site, or whose Subject: lines contain
particular words... Check out the RN killfile FAQ at
http://www.cis.ohio-state.edu/hypertext/faq/usenet/killfile-faq/faq.html
Here's some newsreaders that support killfiles (search
http://vsl.cnet.com/cgi-bin/vsl-master/QuickForm? to acquire the
software):
* trn (Unix)
* nn (Unix)
* NewsHopper (Mac)
[please send me the names of those you know about. Thanks--]
If your newsreader doesn't allow killfiling, write the author of the
newsreading software and ask them to add support for killfiles.
Although it doesn't discuss killfiling, see 'The "Good Net-Keeping
Seal of Approval" for Usenet Software' at
http://kalypso.cybercom.net/~rnewman/Good_Netkeeping_Seal
for more information on what makes a good newsreader.
GROAN
=====
4.1) I hate net-cops like you people.
Who will watch the watchmen? net-cop.cops like this,
apparently. ;} Anyways, anyone who wanted to police the net would be a
pig-headed, unrealistic fool. Thankfully, we just want to shoot spam
out of the sky, because
* We hate it,
* It feels good, and
* We can.
Anyways, if you don't like spam being cancelled at your site, you can
have your upstream feeds alias your site to "cyberspam".
4.2) Hey, I think my group's being invaded by alt.syntax.tactical!
We're sorry. Please don't bring that subject up again here. Good
luck... Keith "Justified and Ancient" Cochran, who has been wrongfully
accused of a.s.t involvement himself, adds: "I would suggest the first
thing you do is take a chill pill." (Note that there is no second
thing to do. However, you may want to pass the time reading the
alt.bigfoot FAQ:
http://www.cis.ohio-state.edu/hypertext/faq/usenet/bigfoot/top.html
--particularly the part about cats.)
See also "What is a killfile, and how do I use one?"
4.3) Hey, somebody posted an ad in {newsgroup}!
So?
Alright, alright: first, check to see if the post was obviously forged
(see "How can I spot a forgery?")
Then check to see if it's spam (see "What is Spam" and "How do I know
when I've got spam on my hands?") It's probably not. We only want to
hear about it if it's spam.
If the ad is off-topic, and you really can't let it go, check out the
advice in "Hey, so-and-so's not being nice in {newsgroup}!"
4.4) Hey, so-and-so's not being nice in {newsgroup}!
Happens all the time. We don't want to hear about it. However, here
are some things you can do (written by Keith "Justified and Ancient"
Cochran):
"The first thing to do is take it up with user@some.site. If you
can't achieve a mutual understanding, then you _MIGHT_ (note, not
WILL, _MIGHT_) want to mail postmaster@some.site with your complaint.
If you are going to write to postmaster@some.site, be sure to include
the full, unedited post you have a problem with, a short but
descriptive summary of why you have a problem with it, and a short,
but descriptive explanation of what you would like to have happen.
"Note that this does not apply to MAKE.MONEY.FAST. If you see a copy
of M.M.F, just e-mail postmaster@some.site, including the article ID,
and the first paragraph of the post."
See also "What is a killfile, and how do I use one?"
4.5) Hey, the "Good Times" virus--
is a total, 100%, long-proven hoax. For the complete story, see
http://www.nsm.smcm.edu/News/GTHoax.html
4.6) Hey, there's this <AT&T, Jerry Garcia, whatever> banner message
in the newsgroup descriptions!
We know, we know... It's a fairly common prank to add bunches of
newsgroups whose descriptions spell something out. Ask your local news
admninstrator to rmgroup the whole lot.
4.7) Hey, one of those net.cops posted an ad for <something>! Haw! Haw!
"Ad" does not equal "spam".
"Ad" does not equal "net-abuse".
APPENDIX
========
news.admin.misc charter:
news.admin.net-abuse.misc is for the discussion of possible abuses
of netnews and e-mail. It is for the discussion of standards of net
abuse, to suggest appropriate courses of action (if any) to net
abuse and to post reports of alleged occurrences of net
abuse. Relevant topics include events associated with net abuse
such as: spamming (posting many individual copies of any article),
excessive crossposting of non-germane articles, injection of
malformed articles into the news system (broken gateways, for
example), or other forms of "roboposting" involving large numbers
of postings to one or more groups, forging identity of postings,
forged approval to moderated groups, forged cancellation of
articles including cancellation of net abuse articles, use of
rmgroup/newgroup in an abusive manner, large-scale mailings to
mailing lists or other mail-bombing, deciding what isn't net abuse,
general issues of netiquette, methods for resolving conflicts,
proposed blacklists and boycotts, "renegade" sites, etc. Postings
include news reports, reviews, and conferences, and net-abuse FAQs.
Although commercial posts are not inherently net-abuse, proper
methods of posting commercial material are within the scope of this
group.
news.admin.net-abuse.announce charter and guidelines:
news.admin.net-abuse.announce Charter and Guidelines
1. What topics are relevant to this group? Events associated with net
abuse, such as:
- posting many individual copies of any article.
Or, excessive crossposting of non-germane articles.
- injection of malformed articles into the news system (broken
gateways, for example), or other forms of "roboposting" involving
large numbers of postings to one or more groups.
- Forging identity of postings
- Forged approval to moderated groups
- Forged cancellation of articles not included above. Note that
cancellation of net abuse articles is also relevant to the
topic of net abuse.
- Use of rmgroup/newgroup in an abusive manner
- large-scale mailings to mailing lists or other mail-bombing
Postings to this group may also include announcements relevant
to the topic of net abuse, such as news reports, reviews, and
conferences, and possible net-abuse FAQs.
The purpose of this group is not to decide the guilt or
innocence of any parties, but rather to simply report on the
activity (much like the crime section found in many local
newspapers). It must be kept clear that the net is a new legal
area, but it is also one with a lot of unwritten rules. The
moderators are in no way are attempting to act as judges,
lawyers, or mediators.
2. Posting of reports of this kind of activity in no way implies
that net-wide cancellation of such articles are to be
encouraged. How local news admins deal with such incidents is
strictly up to them. The moderators of this group should not be
held responsible for actions taken by others in response to
articles posted to news.admin.net-abuse.announce.
3. No moderator will engage in the following activities:
- cancellation of any posts other than ones posted by them,
excepting articles with forged approval to newsgroups they
moderate or, if they are a news admin, posts originating from
their site (following the local site's procedures).
- Sending of "mailbombs", threats, abusive e-mail, or other
attacks in response to alleged net abuse.
4. We are committed to providing accurate information regarding
events related to net abuse (with emphasis on Usenet) in a
timely manner. However, as we the moderators must often rely on
the reports of others, whenever we have not confirmed a report
ourselves we will state so in the posting.
5. Right of Reply. If posts have been made in this group concerning
an individual's alleged net abuse and the individual and/or site
from which it originated have suffered negative consequences in
the form of articles cancelled, accounts cancelled, or
substantial negative email; then the individual and site each
have the right to one (but no more than one) reply for the
purpose of justification, rebuttal, or reports of actions taken
to correct or cancel the alleged abuse.
6. Examples of inappropriate postings:
- redundant reports of events
- Trivial events, for example "Hey, this guy posted an ad to
comp.sys.xyz!"
7. Administravia
- Approval of postings will be made by a team of moderators.
- Change of moderators will be made by majority. Forcible removal
of a moderator will be by consensus of remaining moderators.
- Any rule changes will be made by majority of the moderators.
Initial moderators:
David Barr <barr@math.psu.edu>
Joel Furr <jfurr@acpub.duke.edu>
Paul Phillips <paulp@CERF.NET>
Abby Franquemont-Guillory <abbyfg@tezcat.com>
----
[New:]
Liszt: http://www.liszt.com/
A searchable directory of over 22,000 mailing lists.