Frequently Asked Questions (FAQ)



Glossary

Spam
SPAM®
Spamtrap
Spammer
Snowshoe Spamming
Listwashing
Waterfalling
E-pending (Email-appending)
Hashbusters
ISP
IP Address
DNSBL
Block, Blocking
Tagging
Bouncing, Rejecting
Return Codes
RHSBL
Cartooney
Joe Job
Ransomware
Spamware
Zombie


Spam
Spam is Unsolicited Bulk E-mail ("UBE"). Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.

For the standard accepted definition of "Spam" see: http://www.spamhaus.org/definition.html


SPAM®

SPAM Chopped Pork and Ham is a famous canned meat product made mainly from ham. Great in sandwiches, salads or mac & cheese, or with eggs, cheese, or pineapples, or sliced, diced, baked or fried. The name derives from "sp(iced h)am". SPAM is a registered trademark of Hormel Foods Corporation. The product name "SPAM" (used always in uppercase) has nothing to do with the internet jargon word "spam" meaning unsolicited bulk email. While "spam" (junk email) is bad for internet users, SPAM (Chopped Pork and Ham) is good for internet users. If you have never tasted SPAM, try it today!

Spam or SPAM, I'm still confused. Do you have a zen-like haiku to help me understand?

Yes.

Bacon is tasty
SPAM® is too but not as good
Nobody likes spam


Spamtrap
Spamtraps are email addresses which do not belong to real users. A spamtrap either never belonged to a real user, or did but was closed and rejected email for a significant period before being repurposed.


Spammer
A sender of Unsolicited Bulk E-mail (UBE), or "spam". A person who either knowingly or unknowingly sends UBE is termed a "spam sender", the short form of which is "spammer". Also a person who engages in the business of spam, supplying software, hosting, or other materials to enable spamming.

Traditionally it means any person who sends, pays or arranges for someone else to send, or assists someone else to send spam, or otherwise directly or indirectly benefits from spam.

For the standard definition of "Spam" see: http://www.spamhaus.org/definition.html


Snowshoe Spamming
Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used by spammers to spread spam output across many IPs and domains, in order to dilute reputation metrics and evade filters.

Snowshoers use many fictitious business names (DBA - Doing Business As), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build brand reputation based on a real business address, a known domain and a small, permanent, well-identified range of sending IPs. Snowshoers often use anonymized or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.

Some snowshoers use tunneled connections from their back-end spam cannon to the spam egress IP. The back-end IP address is not in the spam headers. ISPs, you are in a position to detect those back-end spam cannons by checking where traffic flows are coming from. Remember, the tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information.



Listwashing
Listwashing is the systematic removal of complainants from an illicitly gathered address list with no other action taken to stop spamming the remainder of the list. Listwashing removes spam symptoms without curing the underlying problem. ISPs which simply pass abuse reports on to their spamming customers without investigation or further consequences are aiding in listwashing and spamming.

Listwashing is often done in conjunction with snowshoe spamming and waterfalling to attempt to clean bad lists and improve deliverability, rather than simply using OPT IN address acquisition in the first place. Listwashers nearly always include per-recipient codes in the headers and payload URLs. Together with careful list segmentation, dirty lists can be washed to a clean enough state that some ESPs are willing to risk sending spam by importing those lists.


Waterfalling
A list owner is "waterfalling" when they run the same illicitly obtained address list through a series of ESPs, each time cleaning bounces, complainants and maybe non-respondents, and then hoping to move up to a cleaner ESP with better deliverability. The result still includes spammed addresses but fewer spam complaints to the ESP.


E-pending (Email-appending)
Email appending, e-pending, or "enriching" is the supplementation of existing email databases by cross-referencing them with information from other databases. The presumed goal is to add email addresses for customers or prospects for whom the sender has other information but not email. E-pending is not an opt-in process.

MAAWG has published a very clear statement about e-pending: The practice of email appending is in direct violation of core MAAWG values. The Spamhaus Project fully agrees with MAAWG's position; we never have and never will support e-pending. Both e-pending services and marketers using e-pending to enlarge their audience risk being listed on our SBL blocklist.


Hashbusters
A hashbuster is a section of random text included in spam, possibly hidden as invisible text using HTML.

The purpose of including hashbusters is to try and defeat Bayesian spam filtering, to make each individual spam look as different as possible.

Including hashbusters in email is a sure sign that the email is spam, that it's sent by a spammer, and that the spammer knows that they are sending spam. This practice is always prohibited by any legitimate ESPs or affiliate marketing programs.


ISP
Internet Service Provider (ISP) is the generic term for providers of all sorts of Internet services: connectivity, bandwidth, mail, DNS, web hosting, etc. Network Service Providers (NSP) and Email Service Providers (ESP) are specific kinds of ISPs. Your ISP is the company you contract with for your Internet services. You should contact them regarding any service problems, including SBL listing!


IP Address
An IP address (Internet Protocol address) is a unique address that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

An IP address can appear to be shared by multiple client devices either because they are part of a shared hosting web server environment or because a proxy server (e.g., an ISP or anonymizer service) acts as an intermediary agent on behalf of its customers.

IP addresses are managed and created by the Internet Assigned Numbers Authority. IANA generally assigns super-blocks to Regional Internet Registries, who in turn allocate smaller blocks to Internet service providers and enterprises.


DNSBL
Domain Name System Block List - a list of IP address ranges or other information compiled as a DNS zone. Information in DNS format is easy to query and transport, and its small answers are very "light" on bandwidth overhead (UDP vs. TCP). A DNSBL of domain names is often called a URIBL, Uniform Resource Indicator, although there are numerous such lists written under other names.

DNSBL Technical FAQ

Understanding DNSBL filtering



Block, Blocking
noun: A range of IP addresses is a "block" or subnet, often expressed in CIDR notation.

verb: An action taken by an ISP or network to prevent unwanted traffic from entering its private servers, including mail servers.



Tagging
Some spam-filtering systems add a "tag" to the headers of messages which have a high spam-score, such as "X-Filter: yes" or "[spam]" in the Subject. The user can then have their mail client filter those to a quarantine, or delete them sight-unseen. Many of those filtering systems include Spamhaus lists as part of their scoring.


Bouncing, Rejecting
"Bouncing" or "rejecting" refer to the two courses of action a server may take when it detects undeliverable or unwanted mail. In the case of spam, bouncing is very undesirable because most spam has forged headers, and the bounce is sent on to an innocent third party who is often the target of a malicious "bounce bomb" attack.

Bouncing refers to the receiving server accepting the message, then post-processing it, deciding it is bad or undeliverable, and creating a new message to the "envelope" MAIL FROM (or sometimes other choices of "return path" for poorly implemented mail servers). Bouncing for any reason is becoming less and less acceptable, and bouncing due to spam is simply spamming someone else.

Rejecting refers to a realtime message delivered by the receiving server during the SMTP connection. It consists of a number such as "550" and a message such as "message refused by policy", most often in response to the sender's RCPT TO or DATA command. The sender's server can then safely relay the "Delivery Status Notice" (DSN) back to the sender, resulting in no silently discarded messages. That is a very good feature of using DNSBL-reject mail transfer agents (MTA).


Return Codes

A return code is the answer a DNSBL provides when the object of a DNS query is listed in that DNSBL zone. All Spamhaus DNSBL return codes are in the 127.0.0.0/8 range assigned by IANA as "Loopback" addresses. Specific return codes may signify specific characteristics of the data within a Spamhaus DNSBL zone. Lists of Spamhaus DNSBL return codes are linked from the "What do the 127.*.*.* Return Codes mean?" FAQ.

A quick way to check the return code of a listed IP or domain is the "host" or "nslookup" command found on most OS installations. For IPs, check the inverse octets, so for 127.0.0.2 you'd do this:

$ host 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4

Here's an example for domains:

$ host dbltest.com.dbl.spamhaus.org
dbltest.com.dbl.spamhaus.org has address 127.0.1.2
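
As an added example (not Spamhaus code), the lookup described above in Python: it builds the query name for an IPv4 address or a domain and keeps only answers inside 127.0.0.0/8, so a resolver that answers with some other address is not mistaken for a listing. The function names are hypothetical, and the last sample line (192.0.2.1 answered with 198.51.100.7) is constructed; the other sample lines are the `host` output shown above.

```python
import ipaddress

# The glossary states that all Spamhaus return codes sit in 127.0.0.0/8.
RETURN_CODE_RANGE = ipaddress.ip_network("127.0.0.0/8")

# `host` output from the text above, plus one constructed line (last) that
# imitates a resolver answering with a non-DNSBL address.
SAMPLE_HOST_OUTPUT = """\
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
dbltest.com.dbl.spamhaus.org has address 127.0.1.2
1.2.0.192.zen.spamhaus.org has address 198.51.100.7
"""

def dnsbl_query_name(subject, zone):
    """Reversed octets + zone for an IPv4 address; domain + zone otherwise."""
    try:
        ip = ipaddress.ip_address(subject)
    except ValueError:
        return f"{subject.rstrip('.').lower()}.{zone}"  # domain (RHSBL-style)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def parse_host_output(text):
    """Map each queried name to the addresses `host` reported for it."""
    answers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["has", "address"]:
            answers.setdefault(parts[0], []).append(parts[3])
    return answers

def return_codes(subject, zone, host_output):
    """Return codes for subject in zone; answers outside 127.0.0.0/8 are dropped."""
    name = dnsbl_query_name(subject, zone)
    codes = []
    for addr in parse_host_output(host_output).get(name, []):
        ip = ipaddress.ip_address(addr)
        if ip in RETURN_CODE_RANGE:
            codes.append(ip)
    return [str(ip) for ip in sorted(codes)]

if __name__ == "__main__":
    for subject, zone in [("127.0.0.2", "zen.spamhaus.org"),
                          ("dbltest.com", "dbl.spamhaus.org"),
                          ("192.0.2.1", "zen.spamhaus.org")]:
        print(subject, zone, return_codes(subject, zone, SAMPLE_HOST_OUTPUT) or "not listed")
```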


RHSBL
Right-Hand-Side Block List. A type of DNSBL that uses domain names instead of IP addresses. See Spamhaus DBL - Domain Block List


Cartooney
Term for a legal threat sent solely in the hope of scaring the recipient. Derives from 'Cartoon Attorney'.

A Cartooney generally contains promises of legal action, often quoting irrelevant or non-existent laws, and is often written by one who has not consulted a real lawyer and has little intention of doing so. More often than not, the Cartooney sender is on the wrong side of the law to begin with.

Sometimes spelled "Cart00ney" to emphasize the comical nature of most Cartoonies, they are often sent anonymously, sent by fictitious lawyers or signed "Legal Department". Many promise to sue under invented laws such as the "Freedom Of Speech Law" or "International Email Law" and are usually written by spammers reacting to what they consider undeserved censure, being publicly identified or added to spam filter blocklists.



Joe Job

Spammers frequently forge the "From" address, and even send huge "bounce bombs" where a single "From" address receives a gazillion bounces. In a Joe Job attack, however, the spam is designed to look as though it is actually advertising the content of the message, when it is really sent in order to maliciously hurt the reputation of that targeted content, or even to have the targeted website suspended by its host. It is named after a January 1997 attack on Joes.com.



Ransomware
Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying.

You can find more information in this Wikipedia article.


Spamware
Software designed for sending spam in ways that hide the sender, attempt to circumvent spam filters, or which contains features only of use to spammers. The sale of spamware is illegal in eight U.S. states. See: Laws Banning the Sale of Spamware.


Zombie
Definition #1: A zombie is a computer connected to the Internet that has been compromised by a computer virus or trojan malware and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to send spam e-mail and launch distributed-denial-of-service (DDoS) attacks. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.

This definition is the newer one, analogous to the zombies in modern zombie movies. They become zombies when infected by some virus or pathogen.

Definition #2: A zombie is the name Spamhaus gave to ranges of IP addresses that are hijacked by spammers, routed to the spammer's servers and then used to send out spam. These IP addresses were either assigned to long-dead companies, or have been forgotten about by the original assignees over the years. Spamhaus saw these ranges of IP addresses "coming back from the dead."

This definition is the older one. Hijacking, which continues today, pre-dated the use of infected computers for spam. Its analogy is to the zombies in voodoo-lore. These zombies are corpses that are re-animated to do the bidding of some master.


© 1998-2014 The Spamhaus Project Ltd. All rights reserved.