2026 note from Me:
The old / original FAQ ran monthly on Usenet from November 1995 through 2005 to help people trace forged posts and spam e-mail back to the source. The Usenet pieces are mostly historical now – Google Groups shut down access to its Usenet archive in February 2024 and the alt.* hierarchy is a ghost town – but the e-mail header tracing methodology is still valid. Spammers got better, the rest of the Internet got worse, and reading Received: lines bottom-up is the same as it ever was.
What I've done in this pass:
o Kept the tracing methodology intact – it still works.
o Pruned dead lore (Cyberpromo, CompuServe, MindSpring, Pegasus, Nettamer, Lotus Notes R6, INND log grepping, NNTP telnet tracing, the CAN-SPAM letter-writing campaign).
o Replaced dead resource links with current ones. Where a tool or organization is gone with no successor, I say so.
o Updated the threat landscape to reflect what's actually happening in 2026: phishing, BEC, pig-butchering, MFA bypass, etc.
If you want the unedited original, the Wayback Machine has snapshots going back to the late 90s.
– Ken Hollis (GandalfDDI), 2026
Contact: BlueSky @GandalfDDI, Mastodon @GandalfDDI. The old gandalf@digital.net address has been dead since digital.net folded into EarthLink/Mindspring/whatever it became. Don't bother.
Archive-name: net-abuse-faq/spam-faq
Last-modified: 2026
URL: https://gandalfddi.github.io/spamfaq.html
Original distribution was to alt.spam, news.admin.net-abuse.email, news.admin.net-abuse.misc, alt.answers, news.answers. None of those groups carry meaningful traffic anymore. Feel free to repost, copy, mirror – just please do not pop it up on the screen of anybody who didn't ask for it.
Contents
========
o Introduction
o The easy way to get rid of spam
o Tracing an e-mail message
o What computer did this e-mail originate from?
o Mailing list messages
o WHOIS and IP lookup tools
o Converting that IP to a name
o What to do with "strange" looking Web links
o Malware – viruses, trojans, ransomware, spyware
o Phishing, fraud, and the modern Make Money Fast
o Nigerian 419 / advance-fee fraud (and pig butchering)
o Hoaxes
o Filtering e-mail
o Misc
o Protecting yourself and your kids on the Internet
o Origins of spam
o How did I get this unsolicited e-mail anyway?
o How to respond to spam
o Firewalls and protecting your computer
o Revenge – what to do and not to do (mostly not)
o Junk mail – the law (2026 edition)
o Additional resources
Introduction
============
This FAQ helps you decipher which machine a fake e-mail came from and who (generally or specifically) you should contact.
Before trying to figure out where a message came from, accept that the message will contain some truth, but all or most of the routing information may be forged. Be careful before accusing anybody.
I will not tell you how to send fake e-mail. It took me about two days to figure out and it isn't difficult. Read the RFC.
Every e-mail has a point at which it was injected into the mail stream. That injection point lives in the Received: headers. Tracing past the injection point requires cooperation from the operators of the mail systems that handled the message, and their logs typically rotate within days. Move fast or don't bother.
The 2026 reality: between SPF, DKIM, DMARC, and the dominance of a handful of mail providers (Google, Microsoft, Apple, Proton, Yahoo, Fastmail), pure forgery of major-domain mail is much harder than it was in 1998. What you mostly see now is:
o Spoofed display names with an attacker-controlled reply-to / from-domain
o Lookalike domains (amaz0n.com, paypa1.com, IDN homographs)
o Compromised legitimate accounts sending real mail through real SMTP servers
o Throwaway free-tier SaaS senders (Mailchimp/SendGrid/Mailgun abuse, etc.)
o SMS / iMessage / RCS scams driving the e-mail volume down (it migrated, not vanished)
The header reading skill in this FAQ still tells you the truth about which SMTP server actually injected the mail. That's what matters.
The easy way to get rid of spam
================================
There isn't one. Sorry.
If you reply to "unsubscribe" on actual spam (not legitimate marketing you signed up for), you're confirming your address is live. Don't. If it's legitimate commercial mail from a real company you can identify, unsubscribing is usually fine – in the US the CAN-SPAM Act requires them to honor it within 10 days; in the EU GDPR makes them stop on request; in Canada CASL is stricter still. Real businesses comply because the fines are real.
For the rest, the boring answer is the right one: let your mail provider's spam filter do its job. Gmail, Outlook.com, Apple iCloud, Proton, and Fastmail all run server-side filtering that catches the overwhelming majority. What slips through is usually targeted (phishing) or new (zero-day spammer infrastructure). Report it via the "Report Spam" / "Report Phishing" button in your client. That actually feeds the filters – this is one of the rare cases where clicking the button helps everyone.
Tracing an e-mail message
=========================
What computer did this e-mail originate from?
You need to see the full headers. Every modern mail client has a way to display them; the menu name varies:
o Gmail (web): open the message, click the three-dot menu, choose "Show original".
o Outlook (new) / Outlook.com: open the message, three-dot menu, "View message source".
o Apple Mail: View → Message → All Headers (Cmd+Shift+H), or "Raw Source".
o Thunderbird: Ctrl+U or View → Message Source.
o Proton Mail: three-dot menu → View headers / View message.
o iOS / Android default clients: generally limited. Forward to yourself on a desktop client.
You're looking for the Received: headers. Each server that handles the message prepends its own Received line, so the topmost Received line is from your own mail server (your inbox) and each line below it was added earlier. Read them bottom to top to trace the path.
A typical Received line looks like:
Received: from host1 (host2 [ww.xx.yy.zz]) by host3 with ESMTPS id ABC123; Thu, 18 Jul 2025 12:18:06 -0600
Four pieces of information here, in decreasing order of trustworthiness:
1. host3 – the server that added this Received line. You can trust this (it's writing about itself).
2. ww.xx.yy.zz – the IP address of the incoming SMTP connection. Trust this (it's what host3 observed at the TCP level).
3. host2 – the reverse-DNS lookup of that IP. Probably trustworthy but DNS can be sloppy.
4. host1 – the hostname the sending machine claimed in its SMTP HELO/EHLO. This is whatever the sender felt like typing. Often a lie.
Anything inside [square brackets] is what the receiving server observed. Anything outside the brackets is what the sender claimed. When in doubt, the brackets win.
Walk the chain bottom-up until you find the first Received line that doesn't match the rest. That's where the chain entered legitimate infrastructure. Below that line is forgery; at that line is the injection point. Complain to the operator of the server in that line.
A note on modern headers: in addition to Received, you'll see Authentication-Results:, Received-SPF:, DKIM-Signature:, and ARC-* headers. These tell you whether the sending domain's published policies (SPF, DKIM, DMARC) said the message was legitimate. A dmarc=fail or spf=softfail on a major-brand message is a near-certain sign of forgery.
Useful tools for parsing headers:
o Microsoft Message Header Analyzer – paste headers, get a parsed view.
o Google Admin Toolbox Messageheader – same idea, Google version.
o MXToolbox Header Analyzer – vendor-neutral.
Once you have the offending IP, look up the abuse address via abuse.net (send to foo.bar.com@abuse.net and it forwards to the best-known abuse contact for that domain), or look up the IP block owner at ARIN, RIPE, APNIC, LACNIC, or AfriNIC depending on the region.
Be sure you're not complaining to an intermediary. ARIN/RIPE/etc. WHOIS will tell you the owner. If you complain too far down the chain you'll hit the spammer; too far up and the complaint will take weeks to filter through to anyone who can act on it. Aim for the IP block owner who's not the spammer.
Mailing list messages
Legitimate mailing list mail will have List-Id:, List-Unsubscribe:, and related RFC 2369 headers. The interesting Received chain is the part before the list software touched the message – that's where the original poster's IP shows up. Some lists strip this for privacy; many don't.
For complaints, contact the list owner first (almost always reachable via List-Owner header or by replying to the list with a polite off-list note to the moderator). Don't blast the whole list.
WHOIS and IP lookup tools
=========================
The classic tools are mostly gone (Sam Spade, RIP). What's left and works in 2026:
o MXToolbox – one-stop shop for DNS, blacklist, header, and SMTP diagnostics.
o DNSChecker.org – quick DNS / IP lookup with global resolution checks.
o Whois.com – domain ownership lookup (heavily redacted post-GDPR, but better than nothing).
o ARIN, RIPE, APNIC, LACNIC, AfriNIC – regional IP allocation registries.
o Hurricane Electric BGP Toolkit – ASN lookups, prefix info, peering data.
o Spamhaus IP/domain reputation – is this IP or domain on a blocklist?
o SANS Internet Storm Center IP info – reputation, attack data, complaint addresses.
o VirusTotal – submit URLs, files, or IPs for multi-vendor reputation check.
o abuse.net lookup – find the right abuse contact for a domain.
GDPR significantly redacted WHOIS records in 2018. For many domains you'll see "Redacted for Privacy" instead of the registrant. The registrar contact is still there, and abuse complaints still work through the registrar.
Traceroute and reverse DNS still work the way they always did. tracert on Windows, traceroute or mtr on Linux/macOS. Online versions exist if your local network blocks ICMP.
Converting that IP to a name
============================
Reverse DNS lookup: nslookup 192.0.2.1 on any platform, or dig -x 192.0.2.1 on Unix-y systems. Most modern IPs have reverse records, but spammers and dynamic-IP residential ranges often don't, or have generic ones like c-67-189-12-34.hsd1.wa.comcast.net.
Some IP ranges are reserved and should never appear as the public source of mail. If you see one, it's either misconfigured or forged:
IPv4 private / reserved ranges:
o 10.0.0.0/8 (10.0.0.0 – 10.255.255.255) – private
o 172.16.0.0/12 (172.16.0.0 – 172.31.255.255) – private
o 192.168.0.0/16 (192.168.0.0 – 192.168.255.255) – private
o 127.0.0.0/8 – loopback
o 169.254.0.0/16 – link-local (APIPA)
o 100.64.0.0/10 – carrier-grade NAT
o 224.0.0.0/4 – multicast
o Anything with an octet > 255 – faked (sometimes you see this in old example data; modern faking is more competent)
IPv6 equivalents:
o fc00::/7 – unique local addresses
o fe80::/10 – link-local
o ::1 – loopback
You will increasingly see IPv6 source addresses in mail Received headers. The methodology is identical – just longer addresses.
What to do with "strange" looking Web links
The classic tricks all still work:
o URL shorteners hide the destination. Use Unshorten.it or CheckShortURL to reveal the real target before clicking.
o Look-alike domains: amaz0n.com (zero), paypa1.com (one), microsofft.com (double f), g00gle.com. Hover or long-press to reveal before clicking.
o IDN homograph attacks: Cyrillic "а" (U+0430) looks identical to Latin "a" (U+0061). аpple.com is not apple.com. Modern browsers usually display these as Punycode (xn--pple-43d.com) but not always.
o Subdomain spoofing: paypal.com.security-update.evil.example is a hostname under evil.example, not under paypal.com. Read hostnames right-to-left: the right two labels are the actual domain.
o Display text vs. actual URL: an <a> tag can say one thing and link to another. Always check the actual href, not the visible text.
o QR codes ("quishing"): a QR code in an e-mail or printed sticker can encode any URL. Same rules apply – preview the decoded URL before opening it.
If you're suspicious, paste the URL (not click, paste) into VirusTotal or urlscan.io to see what it actually does without putting your machine at risk.
If you need to update a real account, type the URL by hand into the address bar from memory or a bookmark. Never use the link in the e-mail. This single habit kills the overwhelming majority of phishing attacks against you personally.
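The link-reading rules in this section, applied by code, as an added example that is not part of the original FAQ: it decodes Punycode so you see what the browser would render, flags labels that mix scripts (the Cyrillic-a trick), catches digit-for-letter look-alikes, spots a brand name sitting in a subdomain of somebody else's domain, and compares the visible link text against the real href. The brand list is a constructed stand-in; the "last two labels" rule for the registrable domain is the FAQ's rule of thumb and is wrong for two-level suffixes such as co.uk, where production code should use the Public Suffix List.

```python
"""Classify a suspicious link the way the FAQ says to read it.

Added example for this FAQ, not the FAQ's own code. WATCHED_BRANDS is a
constructed list; registrable_domain() uses the FAQ's last-two-labels rule.
"""
import unicodedata
from urllib.parse import urlparse

WATCHED_BRANDS = {"amazon", "paypal", "microsoft", "google", "apple"}  # constructed
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # amaz0n, paypa1


def hostname_of(url):
    """Lower-case host of a URL, or '' if the text has no host."""
    return (urlparse(url.strip()).hostname or "").rstrip(".")


def to_ascii(host):
    """Punycode (xn--...) form of a host that may contain Unicode labels."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """Decode Punycode labels to what a browser would render."""
    return host.encode("ascii").decode("idna")


def registrable_domain(host):
    """The FAQ's rule of thumb: the right two labels are the actual domain."""
    return ".".join(host.split(".")[-2:])


def scripts_in(label):
    """Unicode script names of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze_link(href, visible_text=None):
    """Return host forms and a list of findings; an empty list means nothing odd."""
    host = hostname_of(href)
    ascii_host = to_ascii(host)
    shown_host = to_unicode(ascii_host)
    findings = []

    # IDN homograph: any label that is not plain ASCII, worse when it mixes scripts.
    for label in shown_host.split("."):
        if not label.isascii():
            scripts = scripts_in(label)
            findings.append("idn-mixed-script" if len(scripts) > 1 else "idn-non-ascii")
            break

    # Digit-for-letter look-alikes: paypa1 -> paypal, amaz0n -> amazon.
    reg = registrable_domain(ascii_host)
    name = reg.split(".")[0]
    if name not in WATCHED_BRANDS and name.translate(DIGIT_SWAPS) in WATCHED_BRANDS:
        findings.append("lookalike-domain")

    # Brand name used as a subdomain of someone else's domain.
    if any(label in WATCHED_BRANDS for label in ascii_host.split(".")[:-2]):
        findings.append("brand-in-subdomain")

    # Visible text that looks like a URL but the href goes somewhere else.
    if visible_text:
        shown = hostname_of(visible_text)
        if shown and registrable_domain(to_ascii(shown)) != reg:
            findings.append("display-mismatch")

    return {"host": ascii_host, "rendered": shown_host,
            "registrable": reg, "findings": findings}


if __name__ == "__main__":
    samples = [  # constructed links illustrating each trick in the FAQ
        ("https://paypa1.com/login", None),
        ("https://paypal.com.security-update.evil.example/verify", None),
        ("https://xn--pple-43d.com/", None),
        ("https://evil.example/x", "https://www.paypal.com/"),
        ("https://www.paypal.com/", "https://www.paypal.com/"),
    ]
    for href, text in samples:
        r = analyze_link(href, text)
        print(f"{href:55} {r['registrable']:18} {r['findings'] or 'clean'}")
```

The Punycode hostname in the sample list renders as аpple.com with a Cyrillic first letter, which the mixed-script check catches even when the browser shows the Unicode form. Everything here runs offline; pairing it with VirusTotal or urlscan.io, as the text suggests, is the step that tells you what the page behind the link actually does.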
Malware – viruses, trojans, ransomware, spyware
================================================
The threat model has shifted hard since the Adaware / Spybot / Hijack This era. In 2026:
o Ransomware is the dominant criminal threat. It encrypts your files and demands payment. Pay or don't, you lose either way. The only defense is offline / immutable backups. The 3-2-1 rule: three copies of data, two different media, one offsite.
o Infostealers (RedLine, Vidar, Lumma, et al.) scrape browser passwords, cookies, crypto wallets, and session tokens, then phone home. They get installed via cracked software, fake browser updates, and malicious ads.
o Living-off-the-land attacks abuse legitimate tools (PowerShell, WMI, scheduled tasks, OAuth tokens) and leave fewer traces than traditional malware. AV alone won't catch these.
o Mobile is now a major target. SMS phishing, malicious sideloaded apps, fake VPNs, banking trojans. iOS is harder to attack than Android, but neither is invulnerable.
What to actually do, in order:
1. Keep your OS and browser patched. Auto-update on. Reboot when it tells you to. Most exploits target patched vulnerabilities, just on machines that didn't patch.
2. Use the built-in AV on your platform. Windows Defender / Microsoft Defender is genuinely good now. macOS XProtect plus Gatekeeper. Both block the common stuff. Third-party AV is rarely necessary for home users and often makes things worse.
3. Run on-demand scans with Malwarebytes Free if you suspect infection. Free version, no real-time component needed alongside Defender.
4. Use a password manager. Bitwarden (free, open-source) or 1Password. Unique random password for every site. This single change eliminates an entire category of breach impact.
5. Turn on MFA / 2FA everywhere. Prefer app-based (Authy, Google Authenticator, Microsoft Authenticator) or hardware keys (YubiKey, Google Titan) over SMS. SMS is better than nothing and worse than anything else.
6. Back up offline. External drive that you unplug when you're done. Cloud-only backups can be encrypted by ransomware if they're constantly mounted as a drive.
7. Don't install software you didn't go looking for. Especially "your browser is out of date" popups, fake Adobe Flash installers (Flash has been dead since 2020 anyway), and "Microsoft Support" cold calls.
If you have been hit by ransomware, check No More Ransom – a joint effort by law enforcement and security vendors that hosts free decryptors for known ransomware families. Sometimes you get lucky.
Report serious incidents to CISA (US) and the FBI Internet Crime Complaint Center (IC3).
Phishing, fraud, and the modern Make Money Fast
================================================
The 1990s Make Money Fast chain letter has evolved into a small zoo:
o Phishing – e-mail or SMS pretending to be your bank, mail provider, Microsoft, Amazon, IRS, Postal Service, etc., asking you to "verify" credentials on a lookalike site.
o Spear phishing / BEC (Business Email Compromise) – targeted, well-researched, often impersonating your CEO or CFO asking for an urgent wire transfer or gift cards. Costs US businesses billions per year per FBI IC3 reporting.
o MFA-bypass phishing – lookalike sites that proxy your login in real time and capture your session cookie. App-based MFA is better than SMS, hardware keys are better still.
o Romance scams / pig butchering – long-con relationship building (dating apps, social media, accidental wrong-number texts) leading to fake crypto investment platforms that show fake gains until you try to withdraw. Massive growth area; often run by trafficking-victim labor in Southeast Asia.
o Tech support scams – popup or cold call claiming your computer is infected. Real Microsoft / Apple / your ISP will never cold-call you.
o Fake debt collectors – threatening letters or e-mails about debts you don't owe. Legitimate collectors must provide written validation on request; scammers can't.
o Sextortion – e-mail claiming the attacker has compromising video. They don't. Often references a real password from an old breach (check haveibeenpwned.com) to seem credible.
o Crypto giveaway scams – "send 1 ETH, get 2 ETH back", often using deepfaked or hacked accounts of Elon Musk / Vitalik / etc.
Universal rules:
1. If it's urgent, it's suspicious. Real institutions don't demand action within the hour.
2. If you didn't initiate the contact, verify through a channel you chose. Call the number on the back of your card, not the one in the e-mail.
3. If you're being asked to keep it secret from your spouse / colleagues / bank, it's a scam.
4. If the payment is in gift cards, wire transfer, or crypto, it's a scam. Real institutions don't take those.
5. If they got your password from a breach (and they will name it to scare you), change it on every site that shared it and move on. They don't actually have access.
Where to report:
o FTC ReportFraud.ftc.gov (US, replaced the old uce@ftc.gov address)
o FBI Internet Crime Complaint Center (IC3) (US, replaced IFCC)
o Anti-Phishing Working Group (APWG) – forward phishing to reportphishing@apwg.org
o Canadian Anti-Fraud Centre (Canada)
o Action Fraud (UK)
o Scamwatch (Australia)
o eConsumer.gov – international consumer complaints
Nigerian 419 / advance-fee fraud (and pig butchering)
====================================================
Robert Heinlein: TANSTAAFL. There Ain't No Such Thing As A Free Lunch. If it looks too good, it is.
The classic 419 (named for the section of the Nigerian criminal code it violates) promises millions from a deceased dictator / oil minister / orphaned heir / lottery / inheritance. They need a small fee up front to release the funds. The fee is the entire scam, and there are always more fees.
Variants include:
o Inheritance from a long-lost relative
o Lottery winnings you didn't enter
o Crypto wallet recovery (the twist: the victim is handed a fake wallet that appears to hold funds and is told to pay fees to "unlock" it)
o Romance follow-on (boyfriend / girlfriend overseas needs money for flight / surgery / customs)
o Job offers requiring you to receive and forward packages or wire money (money mule recruitment – you become an unwitting accomplice in someone else's fraud)
The 2020s twist is pig butchering (sha zhu pan): long-form romance and friendship cultivation leading to a fake investment platform – usually crypto. The victim sees fake gains, "invests" more, and only discovers the fraud when they try to withdraw and are told they need to pay "taxes" or "fees" first. By the time it's clear, the money is gone. Often the people running it are themselves trafficked labor in compounds in Cambodia, Myanmar, or Laos. The Federal Reserve estimates US losses in the tens of billions per year.
The advice is the same as it has always been: never send money to someone you've only met online; never pay fees to release a payment to yourself; if they're asking you to lie to your bank about why the wire is going out, the bank is right and they are lying to you.
Report 419 / advance-fee fraud:
o FBI IC3
o US Secret Service Financial Crimes (the old 419.fcd@usss.treas.gov address still works in some form but use the web form)
o FTC ReportFraud
For the entertainment value, 419 Eater is still around – the original scam-baiter community. Don't actually try this yourself; the scammers are organized crime and sometimes the targets push back hard.
Hoaxes
======
Random alarming forwards from your relatives are mostly still hoaxes. The classic verification sites:
o Snopes – still the gold standard for forwards, urban legends, and viral nonsense.
o PolitiFact – political claims.
o FactCheck.org – Annenberg Public Policy Center, political claims.
o AFP Fact Check, Reuters Fact Check – for the news cycle.
o CISA Avoid Scams – current scam advisories.
Vmyths and HoaxBusters/CIAC are long gone. CIAC was rolled into US-CERT, which was rolled into CISA. CISA publishes current advisories.
Filtering e-mail
=================
The procmail / Gnus / SpamAssassin home-rolled era is over for most people. Your mail provider runs server-side Bayesian + ML filtering that's better than anything you'll build at home in a reasonable amount of time. What you can usefully do:
o Use the Report Spam button. It actually trains the global model. Same for Report Phishing.
o Set up provider-side rules for things you don't want but aren't spam (newsletters, automated notices). Gmail, Outlook, iCloud, and Fastmail all have rule editors.
o Use mail aliases for signup forms. Apple's Hide My Email, Fastmail's Masked Email, SimpleLogin, AnonAddy, DuckDuckGo Email Protection. When the alias gets spammed you delete the alias and you know exactly who leaked it.
o Self-hosters: SpamAssassin and rspamd are still the main open-source choices, both alive and maintained. Combined with greylisting (postgrey) and a DNSBL feed (Spamhaus Zen) you can get to high-90s effectiveness.
Misc
====
Protecting yourself and your kids on the Internet
The 1990s "net nanny" software model has been replaced by built-in parental controls on every major platform:
o iOS / macOS: Screen Time. Content restrictions, communication limits, app limits, downtime.
o Android: Family Link.
o Windows: Microsoft Family Safety.
o Network-level: any modern router with DNS filtering – OpenDNS Family Shield, NextDNS, AdGuard DNS, CleanBrowsing. Set it once at the router and it covers every device.
o Browser-level: uBlock Origin in Firefox or a Chromium-based browser kills the overwhelming majority of malicious ads and trackers before they reach the kid (or you).
The bigger problem in 2026 isn't strangers in chat rooms – it's algorithmic content recommendation, peer-driven social media harms (TikTok, Snapchat, Instagram), and sextortion (especially of teen boys via fake girlfriend accounts on Instagram and Snap). Common Sense Media and the FBI's Parents and Caregivers resources are useful starting points.
Talk to your kids. Tell them they will never be in trouble for telling you something a stranger online said or asked. The shame is the leverage; remove it.
Origins of spam
Two relevant pieces of history:
o The word "spam" in this sense comes from the Monty Python sketch – SPAM, SPAM, SPAM, SPAM – via early Usenet and MUD culture, where flooding a channel with repeated text was called "spamming". Hormel (the actual SPAM company) has been remarkably good-humored about it.
o The first widely-recognized commercial Usenet spam was the "Green Card Lottery" mass-cross-posting by lawyers Laurence Canter and Martha Siegel on April 12, 1994. Canter was later disbarred. The genie was out of the bottle.
Brad Templeton has the long version: Reflections on the 25th Anniversary of Spam.
How did I get this unsolicited e-mail anyway?
Probably one or more of:
1. You were in a data breach. Check Have I Been Pwned. Most adults' addresses are in at least one. Often dozens.
2. A site you trusted sold or shared your address. Privacy policies are vague for a reason.
3. Your address was scraped from a public source – a forum post, a GitHub commit, a public WHOIS record (pre-GDPR), a corporate website's contact page.
4. Someone in your contacts got malware that exfiltrated their address book.
5. Dictionary / brute-force generation. If your address is info@yourdomain.com or ken@gmail.com, you'd get spam even if you'd never used it.
The practical fix is per-service aliases (see "Use mail aliases for signup forms" under Filtering e-mail above). You don't unleak your address; you contain the blast radius of the next leak.
How to respond to spam
Don't.
More specifically: don't reply, don't click the unsubscribe link unless you know it's a real company you have a real relationship with, don't open attachments, don't load remote images (turning off auto-loading of remote images in your mail client kills tracking pixels). Hit Report Spam / Report Phishing and move on.
If it's targeting your company, forward to your security team. They probably already know but the data point helps.
Firewalls and protecting your computer
For home users in 2026:
o Your ISP-provided gateway has a NAT firewall on by default. Inbound unsolicited traffic is blocked. This is fine for most people.
o Windows Defender Firewall is on by default and works. Don't turn it off.
o macOS Application Firewall is similar and on by default in System Settings → Network → Firewall.
o If you want more control: OPNsense or pfSense on a dedicated box. Both free, both work.
o Segment your IoT junk. Anything you don't trust (smart bulbs, smart TVs, smart appliances, the kid's tablet) goes on a separate VLAN or guest network, not on your trusted LAN. The default password on your "smart" doorbell is in a botnet.
o Use WPA3 (or WPA2 if WPA3 isn't available) on Wi-Fi. WEP and WPA are broken. A long passphrase beats a clever short one.
o Change the default admin password on your router. Yes, even today. Especially today.
Revenge – what to do and not to do (mostly not)
==================================================
Don't.
Tempting as it is, retaliation is almost always a bad idea:
o The "return address" on spam is almost never the spammer – it's an innocent third party whose address was forged or harvested. Hitting reply with abuse just dumps on a victim.
o Mail-bombing, subscribe-bombing, or DDoS "back" is a felony in most jurisdictions (US: CFAA). It also doesn't work – spammers expect it and have throwaway infrastructure.
o Calling phone numbers from spam mail tells the scammer the address is live and gives them a vector to social-engineer you back.
o "Doxing the spammer" back is illegal and often hits the wrong person because of identity-laundering through compromised hosts.
What works: report through the official channels (FTC, IC3, APWG, your mail provider), use the Spam/Phishing button, and let aggregated reporting do the work. Spamhaus and similar reputation services genuinely do put spammers' infrastructure out of business at scale.
If a specific spammer is harassing you personally (not bulk – targeted), document everything and contact law enforcement. Cyberstalking is a crime.
Junk mail – the law (2026 edition)
==================================
Brief tour, because the law actually matters here:
o US – CAN-SPAM Act (2003): legitimate commercial mail in the US must have a valid physical postal address, an honest subject line, and a working unsubscribe mechanism that is honored within 10 business days. Penalties are real but enforcement is reactive. CAN-SPAM pre-empts most state anti-spam laws, which is why it was watered down compared to what some states wanted. I called it a bad law in 2003 and the last twenty-three years have not changed my mind, but it is the law of the land.
o EU – GDPR (2018): marketing requires explicit consent (opt-in, not opt-out). Right to be forgotten. Significant fines for violations. Applies to anyone processing EU residents' data, regardless of where the company is based.
o California – CCPA (2020) and CPRA (2023): right to know what's collected, right to delete, right to opt out of sale. A weaker echo of GDPR; still useful.
o Canada – CASL (2014): stricter than CAN-SPAM, explicit consent required for commercial electronic messages.
o Australia – Spam Act 2003: consent-based, similar approach to CASL.
o UK – PECR + UK GDPR: post-Brexit, broadly tracks the EU model.
None of these stop actual criminal spammers. What they do is give recourse against semi-legitimate businesses that should know better. Mostly that means real companies are now careful about their marketing lists, and most of the spam you see is from operators outside any meaningful jurisdiction.
Additional resources
====================
Reporting:
o FTC ReportFraud (US consumer fraud)
o FBI IC3 (US cybercrime)
o CISA report incidents (US infrastructure / serious incidents)
o Anti-Phishing Working Group (APWG) – phishing reports to reportphishing@apwg.org
o Spamhaus – reputation and reporting
o SpamCop (now Cisco) – spam reporting with auto-routing to ISP abuse contacts
o abuse.net – abuse contact directory
o US Postal Inspection Service – mail fraud
o SEC Tips and Complaints – stock pump-and-dump, securities fraud
o FDA Report a Problem – counterfeit pharmaceuticals
Information and analysis:
o Krebs on Security – investigative journalism, especially on cybercrime infrastructure
o Bleeping Computer – daily threat news, removal guides
o SANS Internet Storm Center – daily diary, threat data
o Schneier on Security – the elder statesman of practical security thinking
o Have I Been Pwned – breach lookup for your e-mail and passwords
o VirusTotal – multi-AV scanner for files, URLs, IPs
o urlscan.io – sandboxed URL analysis
o Snopes – hoaxes and urban legends
o No More Ransom – free ransomware decryptors
Tools:
o MXToolbox – DNS, blacklists, header analysis
o Microsoft Message Header Analyzer
o Google Admin Toolbox Messageheader
o Malwarebytes Free
o Bitwarden – free open-source password manager
o YubiKey – hardware MFA
Standards and reference:
o RFC 5321 – SMTP (the protocol)
o RFC 5322 – Internet Message Format (the headers)
o RFC 7208 – SPF
o RFC 6376 – DKIM
o RFC 7489 – DMARC
Disclaimer: I am not a lawyer and this is not legal advice. For legal advice consult an attorney licensed in your jurisdiction.
80% of the Internet is bull, free advice is worth every penny you paid for it. Brought to you via Usenet since November 1995 and on the open Web since whenever.
------------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis – Gandalf The White – @GandalfDDI – O- TINLC
WWW Page – https://gandalfddi.github.io/
Trace e-mail forgery – https://gandalfddi.github.io/spamfaq.html
Trolls crossposts – https://gandalfddi.github.io/trollfaq.html