Surviving Abusive Repetitive Email Messages on the Internet (a.k.a. Spam Mail and Mail Bombs)

March 1996
Christopher D. Reagoso

Introduction

Definition and Explanation of an Internet Mail-Bomb

Internet "mail-bombing" is the act of sending an extraordinarily large number of duplicate messages via Internet electronic mail to a target person whose account typically resides on a system other than the one the messages originated from. Generally, should you find yourself the victim of an Internet mail-bombing, it is in response to a Usenet news message you recently posted that someone took offense to. Regardless of whether their dislike for your posting was founded or not, mail-bombing someone is not polite and is justifiably not tolerated by system administrators.

Traits of an Internet Mail-Bomber

The typical Internet mail-bomber is a junior or senior in high school, or a freshman in college. They hold radical beliefs that are far to the left or right and do not take well to constructive criticism. Maladjusted to their environment and preferring social isolation, their felonious handles protect them from person-to-person relationships as they frequent the Usenet newsgroups. Stereotypically, they are also technocratic elitists who take pleasure in the "dark side" of the Internet (including computer hacking, theft of service from telephone utilities, and credit card fraud). They feel their power is derived from their ability to adversely affect your daily life. With their inflated egos they attempt to cause mischief while hiding behind their shield of anonymity.

In 99% of all cases, their threats to you are nothing to be concerned with. This is evident since you found yourself mail-bombed rather than holding a $10,000.00 telephone bill or credit card statement. They do not actually possess these skills; they are lying when they say they do. It takes no special knowledge, effort, or "elite hacking skills" to mail-bomb someone. You could do it to someone right now.

Putting An End to the Mail-Bomber's Escapades

Note: The technique I am about to describe is most effective against mail-bombs originating from the domains of educational institutions and small Internet service providers. The techniques detailed below are not entirely effective with providers such as GEnie, CompuServe, and America Online because of the limited nature of the accounts they provide to their users.

I illustrate how I determined that Joshua Davis of Marietta College, OH had mail-bombed me with over 600 messages, and how I attempted to put an end to it.

Understanding an Internet Mail-Bomb

If a technical manual existed describing what to consider when sending a mail-bomb, it would concentrate on forging the electronic mail headers. Below is the message header from an actual mail bomb that was sent to me. I received over 600 duplicate mailings inside of one minute, all with this header. Take careful notice that the header insinuates that I had surely mail-bombed myself.

From: reagosoc@apci.net (Christopher D. Reagoso)
Subject: Re: Make Money Fast!!!!!!!!!!!!!!!!!!!
Date sent: Mon, 26 Feb 1996 22:42:12 GMT
Organization: Applied Personal Computing, Inc.

Notice my name in the "From:" block, and the name of my Internet service provider in the "Organization:" block. It would appear that whoever sent this bomb intended it to look as if I had sent the six hundred duplicates of the message to myself.

A More Detailed Understanding

Unfortunately for the mail-bomber, there are headers in addition to the ones that are normally displayed to the casual user. These headers are called extended headers. They contain information detailing the email address the message was sent from, what system it originated from, various times and dates, and the like. Below are the extended headers from the mail bomb that was sent to me.

X-POP3-Rcpt: reagosoc@hilly
Return-Path: daviso@mcnet.marietta.edu
Received: from mcnet.marietta.edu (mcnet.marietta.edu [199.218.109.34]) by hilly.apci.net (8.6.12/8.6.9) with SMTP id RAA00343 for ; Thu, 7 Mar 1996 17:23:23 -0600
Received: by mcnet.marietta.edu; id AA18923; Thu, 7 Mar 1996 18:22:15 -0500
Path: malgudi.oar.net!multiverse!castle.nando.net!imci4!newsfeed.internetmci.com!queeg.apci.net!news
From: reagosoc@apci.net (Christopher D. Reagoso)
Newsgroups: alt.2600
Subject: Re: Make Money Fast!!!!!!!!!!!!!!!!!!!
Date: Mon, 26 Feb 1996 22:42:12 GMT
Organization: Applied Personal Computing, Inc.
Lines: 405
Message-Id: <4gtd9k$h9c@queeg.apci.net>
References: <96022548306@microserve.com>
Nntp-Posting-Host: dialup111.apci.net
X-Newsreader: Forte Free Agent 1.0.82
Apparently-To: reagosoc@apci.net
X-PMFLAGS: 33554560 0

Upon examination of the extended mail headers I discovered the true identity of the mail-bomber. The mail-bomber did not (or could not) remove his return email address from the "Return-Path:" block in the extended message headers. He also did not stop to think that by simply pressing CTRL-H in my mail reader, Pegasus Mail version 2.2, I could read the extended headers and discover who indeed he was. Had he been able to remove his return email address, I would still have seen "mcnet.marietta.edu", which is where the message originated from, scattered throughout the extended message headers. Even had the mail-bomber been able to remove his name from the message, I would have been able to tell where it originated from by the extended headers.

Discovering Detailed Information About the Mail-Bomber

Once you have a mail-bomber's email address, discovering more information such as his real name, phone number, and home address through legal means is not difficult, especially if he is new to his operating environment, as most mail-bombers are. This information, provided it is not misused, is especially useful when dealing with a mail-bomber's system administrators since it adds credibility to the accusation against your suspected mail-bomber.

Using Netscape or another browser, visit http://www.winternet.com/~drow/finger.html. (NOTE: This finger server is now out-of-service. 3-Dec-96 cdr) It is a WWW Finger Server. Do not be concerned with what this is, but rather with what it can provide. Enter the full email address of the suspected mail-bomber and click on submit. A screen with text similar to that below might be displayed.

[mcnet.marietta.edu]
Login name: daviso                      In real life: Joshua Davis
Directory: /mc/staff/daviso             Shell: /bin/ksh
Last login Fri Mar 8 17:04 on ttyp0 from 199.218.109.38
No Plan.

The mail-bomber's identity is now known as Joshua Davis from the "In real life:" block. It would not be far-fetched to see an alias entered in this block to help obscure his true identity, but not in this case. I now have a name (or alias) that I can use when contacting his system administrators. Later you will see how I discovered his account was on a computer at Marietta College in Ohio, area code 614. Had Joshua had a telephone with a listed number, I could have obtained his phone number and address through AT&T's directory assistance by dialing 10+288+1-614-555-1212.

Discovering Detailed Information About the Mail-Bomber's Internet Service Provider

Before you contact the mail-bomber's system administrators, it is good to know a bit about them. From the mail-bomber's email address "daviso@mcnet.marietta.edu" you know that his system administrators live at the domain "mcnet.marietta.edu" and that by adding "http://www." to the front of it and "/" to the end of it, you have probably recreated the address of his system's web page. More simply, daviso@mcnet.marietta.edu becomes mcnet.marietta.edu, which becomes http://www.mcnet.marietta.edu/, which I simply look up with Netscape. It's almost that simple. As it turns out, "mcnet" must be eliminated for it to be a valid address. Therefore, the correct address for the web page of Joshua's system administrators is http://www.marietta.edu/. Once I visited this page it was not long before I discovered that the phone number for the computer science department of Marietta College in Ohio was (614)376-4820.

Gathering Motives and Other Evidence

Now that you have an identity, you need to gather motives and other evidence supporting why you believe the user you suspect actually was the one who mail-bombed you. A good source for this is the DejaNews Research Service located at http://www.dejanews.com/ on the World Wide Web. Among other things, the cost-free DejaNews Research Service will allow you to search for all of the postings your suspected mail-bomber has ever posted to the Usenet newsgroups. You can copy his postings and forward them to his system administrator to help justify your accusations. All postings to all Usenet newsgroups that Joshua has ever made were at my fingertips when I searched on his email address "daviso@mcnet.marietta.edu". My search resulted in the list below.

03/02 024 I'm tired of the trash o    alt.2600    daviso@mcnet.mariett
02/18 022 Daemon Dialers              alt.2600    daviso@mcnet.mariett
02/18 022 40Hex                       alt.2600    daviso@mcnet.mariett
03/02 021 Then use a killfile. (wa    alt.2600    cantrick@rintintin.C
03/02 021 Re: I'm tired of the tra    alt.2600    TheAnalyst@Nfo.Org (
02/19 021 Re: 40Hex                   alt.2600    medulla@PROBLEM_WITH
02/21 020 Re: 40Hex                   alt.2600    0@0.0
02/18 020 Re: 40Hex                   alt.2600    Josh Attoun

The message I sent to the system administrators follows.

To: root@mcnet.marietta.edu, root@microserve.com
Subject: (Fwd) Re: Make Money Fast!!!!!!!!!!!!!!!!!!!
Copies to: support@apci.net, reagosoc@hqamc.safb.af.mil
Date sent: Thu, 7 Mar 1996 22:44:44

Christopher D. Reagoso
401 N. 48th St. No. 5
Belleville, IL 62223
(618)256-2300 [work]

March 7, 1996

To: root@mcnet.marietta.edu
    root@microserve.com

Dear Administrators,

I have recently received over 600 copies of the attached message (see below). The body of the mailing is from my response to a chain-letter solicitation I discovered in alt.2600 some time ago. I suspect that it may be from a user seeking vengeance for my intolerance of the solicitation, or from some other Usenet reader who did not agree with my method for handling the solicitation. Regardless, I will not stand for another attack such as this. For this reason, I need your help.

I am reasonably new to reading mail headers and understand that they can be forged. The message does seem, however, to have originated from a user on one of your systems. Please assist me in investigating this. Also understand that I am not concerned with who originated it, inasmuch as they are no longer provided the capability to act again in this fashion on networks under your administration.

Upon resolving this issue (e.g.: determination that it was or was not a user of your network, or if indeterminable), please follow up with me by telephone, or by email at the following address (since I cannot guarantee that I will be able to sort out your replies from future mail-bombings): reagosoc@hqamc.safb.af.mil

Again, thank you for your attention to this matter.

Sincerely,

/s/ Christopher D. Reagoso

cc: support@apci.net

-- Forwarded Message Follows (Entire Message w/ Full Headers) --

X-POP3-Rcpt: reagosoc@hilly
Return-Path: daviso@mcnet.marietta.edu
Received: from mcnet.marietta.edu (mcnet.marietta.edu [199.218.109.34]) by hilly.apci.net (8.6.12/8.6.9) with SMTP id RAA00628 for ; Thu, 7 Mar 1996 17:23:55 -0600
Received: by mcnet.marietta.edu; id AA08868; Thu, 7 Mar 1996 18:22:48 -0500
Path: malgudi.oar.net!multiverse!castle.nando.net!imci4!newsfeed.internetmci.com!queeg.apci.net!news
From: reagosoc@apci.net (Christopher D. Reagoso)
Newsgroups: alt.2600
Subject: Re: Make Money Fast!!!!!!!!!!!!!!!!!!!
Date: Mon, 26 Feb 1996 22:42:12 GMT
Organization: Applied Personal Computing, Inc.
Lines: 405
Message-Id: <4gtd9k$h9c@queeg.apci.net>
References: <96022548306@microserve.com>
Nntp-Posting-Host: dialup111.apci.net
X-Newsreader: Forte Free Agent 1.0.82
Apparently-To: reagosoc@apci.net
Status: RO
X-Status:
X-PMFLAGS: 33554560 0

I followed up by forwarding Joshua's Usenet newsgroup postings to his system administrators and placing a phone call to them in the morning.

Checklist For Your Response to an Internet Mail-Bombing

Below are the steps I executed to thwart the future mail-bomb attempts of Joshua Davis of Marietta College, Ohio (daviso@mcnet.marietta.edu). Although the steps are very generic, it is conceivable that they may not work for you because of the great diversity of systems on the Internet. It is also conceivable that you may receive the "perfect forgery": a message in which all of the headers have been forged (thank you--I don't know who (grin)--for pointing this out to me by a perfectly forged email). Generally, though, most mail-bombers are not technically competent enough to create the perfect forgery, so I suggest using these steps to track him down and put an end to his antics.

1. Attempt to determine the true email address of the offender by reading the extended headers of the mail-bomb.

2. Discover more detailed information about the mail-bomber through the use of a WWW Finger Server.

3. Discover more detailed information (such as phone number and mailing address) about the offender's Internet service provider. This is done by converting the offender's email address into a WWW URL (Netscape address) and using Netscape or another browser to view their home page.

4. Gather motives and other evidence by using the cost-free DejaNews Research Service and searching on his full email address. Prepare these for forwarding to his system administrators.

5. Forward the entire mail-bomb with extended headers, detailed information about the offender, and all evidence gathered to the system administrators. It is a good idea to send a courtesy copy to your system administrators, who may be able to assist you further.
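As an added example (not part of the original article), the Python script below carries out step 1 of the checklist against headers modelled on the ones quoted above: it reads the Return-Path, flags the From:/Return-Path domain mismatch that made the bomb look self-sent, and walks the Received: chain, treating only the line stamped by your own mail host (assumed here to be hilly.apci.net) as trustworthy, since every line below it was written by the sending side and is exactly what a "perfect forgery" would fake. The sample headers are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# A sendmail-style hop: "from <helo name> (<reverse dns> [<ip>]) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def trace_origin(raw_message, trusted_host):
    """Report where a message entered trusted_host, the recipient's own MTA.
    Only the Received: line stamped by trusted_host is trusted; the lines
    below it were written by the sending side and may be forged."""
    msg = message_from_string(raw_message)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    report = {
        "envelope_sender": envelope,
        "header_from": header_from,
        # The article's bomb carried the victim's own From: but a foreign
        # Return-Path; a domain mismatch like that is the first red flag.
        "from_mismatch": envelope.rsplit("@", 1)[-1].lower()
                         != header_from.rsplit("@", 1)[-1].lower(),
        "entry_host": None,
        "entry_ip": None,
        "unverified_hops": [],
    }
    for line in msg.get_all("Received", []):   # top line = most recent hop
        m = HOP.search(line)
        if m and m.group(4).lower() == trusted_host.lower():
            report["entry_host"], report["entry_ip"] = m.group(2), m.group(3)
        elif report["entry_host"] is not None:
            report["unverified_hops"].append(" ".join(line.split()))
    return report

# Constructed sample modelled on the mail-bomb headers quoted in the article.
SAMPLE = """\
Return-Path: daviso@mcnet.marietta.edu
Received: from mcnet.marietta.edu (mcnet.marietta.edu [199.218.109.34])
\tby hilly.apci.net (8.6.12/8.6.9) with SMTP id RAA00343;
\tThu, 7 Mar 1996 17:23:23 -0600
Received: by mcnet.marietta.edu; id AA18923; Thu, 7 Mar 1996 18:22:15 -0500
From: reagosoc@apci.net (Christopher D. Reagoso)
Subject: Re: Make Money Fast!!!!!!!!!!!!!!!!!!!
Message-Id: <4gtd9k$h9c@queeg.apci.net>

(body of the original Usenet posting, repeated in every copy)
"""
if __name__ == "__main__":
    for key, value in trace_origin(SAMPLE, "hilly.apci.net").items():
        print(f"{key}: {value}")
```

The entry_ip is the one fact the sender could not choose, which is why it (and not the From: line) is what goes to the remote site's administrators.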