This is a much longer spam report than you would typically have to write, since I tried to include examples of many different kinds of contacts. For the typical spam message, you will only need to report to (1) the originating host’s provider (for direct-to-MX mail) and perhaps (2) the web hosting provider (for the sales website). If you have a lot of issues to report, and you have the time, it may be more effective to send several messages, one to each abuse departrment, each one tailored for the particular recipient.

Here are some things to note about this message:

• I used some “weasel-wording” or equivocation — rather than come right out and say that the message was spam, I said that my analysis suggested that it was spam. There’s always a microscopic chance that it isn’t, so you might as well not go on record making an unqualified accusation that some spammer’s lawyer could beat you over the head with (in the unlikely event that you get called to depose or testify in a legal proceeding). This way, you have the option at some future time of backing off your statement and saying that your analysis was wrong.

Some lawyerly folks suggest that you should use the phrase “without prejudice” (as in “I believe, without prejudice, that this is spam”) to the same effect. In English, this roughly means “I think it might be spam (but haven’t made up my mind for sure)”.

• I enumerated each offending IP address, e-mail address, and domain name, in each case linking it with the appropriate provider (so that the recipients know why they’re getting mail from me).
• I didn’t ask for a specific remedy (e.g., “cut off their nuts,”) but instead simply called on them to enforce their own policies. This is a reasonable request, and is pretty much all you can expect them to do.
• I was formal and polite in my phrasing, and did not include emotional language or try to badger or name-call the abuse-desk people; after all, they’re victims of the spammer as well, and I want them on my side.
• Be sure to include the entire spam message if you can; certainly, at a minimum, you should include the headers, plus enough of the body to show the involvement of the spam websites. You may truncate lengthy attachments (e.g., embedded images) if these don’t contain any information of value, but you should indicate that you have done so.

Many abuse desks will refuse messages that are longer than some maximum length, and even small embedded images can really bulk up a message; for this reason, it’s a good idea to cut all but the first few lines of attached and encoded image data. Encoded text or HTML should not be truncated, if possible, since it is likely to contain info of importance for investigation.

Here are some further tips for writing complaints:

• When you include the offending e-mail, paste it right into the message in its raw, encoded text form — don’t edit it in any way (if you can possibly avoid it), and don’t decode any of its parts. Try not to paste it as a quotation, since the “>” marks might be a nuisance to the abuse-desk folks.
• You can, if you wish, remove or deface your e-mail address or other information that might identify you, but this doesn’t seem worthwhile since you’ll have identified yourself anyway when you send the report. Many providers won’t accept “blind” third party reports from which such details have been removed. If for some reason you are not comfortable with allowing a particular provider to see this information, you should consider not sending the report to them.
• You can ask the provider not to pass the message on to the spammer directly. You have no way to stop them doing this, but you might as well ask.
• If your e-mail program mangles the raw text of the message (as do Microsoft Exchange-based clients and some standard SMTP clients), do the best you can to reconstruct the message: paste in the header as you received it, followed by a blank line, then the body as you received it.
• Don’t include the message on as a file attachment (some abuse desks will reject mail with attachments). If the message contains lengthy MIME attachments, such as images, you may cut these off, although you should always indicate in your note that you have done so.
• It’s better to send these reports as plain text, rather than “decorated” (HTML, RTF, etc.) formats, particularly since your mail program may otherwise try to mess around with the mail you paste in (are you listening, Microsoft?).
• Don’t pad out the message with screen dumps, traceroute output, or other extraneous data. The abuse-desk folks can run these as well as you can.
• Wherever possible, use copy-and-paste commands rather than the keyboard to enter IP addresses and host names; this may take you a bit longer, but you will be less likely to make mistakes that could invalidate your report.
• Keep it brief — abuse-desk folks hae a lot to deal with, and don’t need to read your autobiography.

What to expect from your report

So, as soon as these guys receive your report, they’re all going to go running over to pull the plug on the spam hosts, right? Well, frankly, no.

When you send an abuse report these days, you will rarely get a response from a real human (particularly if you’re just complaining about mere spam, as opposed to more insidious cracking and probing activities). At best, you will get an automated pro-forma response (“...we received your complaint and are acting on it...please be assured yadda yadda...”), perhaps including a case file number to use for future correspondence. In many cases, you will get no response at all. This does not necessarily mean, however, that nothing will come of your report.

Let’s face facts for a moment; ISPs don’t make money by handling abuse complaints, they make money by keeping customers online. However, if they see that one of those customers is making an unwarranted and disproportionate nuisance of himself, they will eventually act. I have no illusions that a single report of mine, no matter how well-researched and accurate, will make much difference in the grand scheme. After all, even thoroughly honest online business get the occasional misdirected spam complaint (which is usually ignored). I think the power of reporting kicks in when an ISP receives many, many reports from many different people about the same incidents; that’s why I urge you, if you are able, to join those of us who research and report spam incidents.

If you want to check up on the effectiveness of your reports, you might bookmark some of the spam websites you’ve reported and then check back later to see whether they have been shut down.

Elevating matters

From time to time, I get a message that I think merits special treatment. On these occasions, I will pick up the phone and try to talk to some humans — specifically, those in the network operations center, or NOC, of the ISPs in question. This is certainly not something you want to do for routine spam, but it might be worthwhile if you detect phishing, virus distribution, cracking, or other more serious forms of abuse.

Often, it can be hard to find the phone numbers for the NOC — sometimes they are found in the output of whois, but often you may have to go to the ISP’s website and look up a number. Many larger ISPs have a phalanx of phone minions protecting the people at the NOC who are actually doing the work; you may first have to speak with the general customer support line, and then you might convince them to transfer you to the abuse desk. Even here, you may not actually be speaking with people who can do any more than just take reports over the phone, so see whether you can be transferred to the NOC.

When you speak to the people in the NOC, be cordial and collegial (“...hey, for your information, I think you have a problem.”) Offer to send details to them via e-mail rather than enumerating addresses and host names over the phone. Don’t waste their time or make a pest of yourself — this will make them think you are a kook whose complaints don’t deserve action. Don’t get messianic or obsessive about following up with the NOC on these reports — once you file your report, you have done your duty, and the rest is up to others.

Conclusion

So, that’s it — you’ve filed a spam report! Congratulations, and thanks for doing your part to stop e-mail abuse. Relax and enjoy yourself while you can, for the next spam message is probably on its way to you.