2 Fords Network

All About ABUSES & ATTACKS!


Our goal at The 2 Fords Network is to provide a high quality Internet service to our customers and the Internet community at large. In order to achieve this goal, we need to limit certain activities that may interfere with or disrupt the service. Our Acceptable Use Policy describes activities which we consider violations and which are therefore prohibited. The examples listed are only those known currently and may change from time to time. These examples are provided solely for guidance and to help 2 Fords Network customers understand the problems that can occur with these abuses.


What are the Definitions of some Common Internet Abuse Terms?

1. Usenet Spam- Cross-posting of identical material to more than seven newsgroups. Content is irrelevant. The most reliable document describing current spam thresholds and guidelines is a FAQ posted weekly to news.admin.net-abuse.misc by Chris Lewis. It also describes the Breidbart Index in greater detail. That FAQ is now available on the web at: http://spam.abuse.net/spam/whatisspam.html

2. Off-Topic Posting (OTP) or Off-Topic Cross-Posting- A newsgroup post whose subject is unrelated to the subject matter of the newsgroup in which it was posted.

3. Mass Unsolicited Email (aka UBE)- Sending many identical messages in order to force them on people who would not otherwise choose to receive them.

4. Unsolicited Email (aka UCE)- Attempting to force a message on people who would not otherwise choose to receive it.

5. Hacking- Unauthorized access to another computer, which can be:

a. Successful- Access gained; damage potential exists (file corruption, theft, deletion, etc.); or
b. Unsuccessful- Access denied by the target system.

6. Mailbomb- Sending of multiple email messages to an address with the sole intent of overloading the recipient's mailbox.

7. TCP SYN Flooding Attack- Sending multiple TCP SYN packets to another computer with the intention of exhausting the target's resources.

8. Sniffing- Capturing information that was intended for other machines.

9. Spoofing Attack- Creating half-open connection structures on the victim's system, making it impossible for the victim to accept any new incoming connections until the files expire.

10. False Email Address- Used with the intention of masking identity.


How did the "Spammers" Find Me?

Spammers are very cunning in the ways they obtain user information. There are several possibilities as to how your email address was obtained:

Unfortunately, just posting a message to a newsgroup can result in unsolicited email. Some spammers "harvest" email addresses by stripping the return addresses out of messages people post.

Your email address can be added to lists just by visiting web pages. Some web servers collect information about visitors and then use this information to create customer lists for sale and/or distribution to other sources.

Please be assured that The 2 Fords Network does not distribute, sell or share any of our customers' information for any reason.

I have been Spammed, What Should I do?

1. If you suspect the individual responsible is a 2 Fords Network customer, please email the information to fordpub@2fords.net for assistance with the actual connection logs. These connection logs will include the complete IP address, date, time and time zone associated with the abusive action. The Internet is not private. If you contact us right away, our technicians will most likely be able to track down the person that has caused your problem.

2. Do not reply or complain to the "Spammer" directly. This will confirm a "real" live email address, which may lead to even more junk email. We suggest complaining to the owner of the site only.

3. Make sure you use terms correctly (refer to the "Definitions" section of this document). A recent trend is to call any off-topic post "spam", and it is not. Various ISPs handle abuse types in different ways.

4. Try to keep the content of the complaint clear and to a minimum.

5. Send the complaint, with FULL HEADERS, by email to fordpub@2fords.net. There are other places to report your problems to as well.

6. If you would like to do the looking yourself, you can look up admin information using Whois from Network Solutions. A web interface to whois is located at http://www.networksolutions.com/cgi-bin/whois/whois
Note: The Network Solutions Registration Services Host contains ONLY Internet information (Networks, ASNs, Domains, and POCs).

7. No matter how much we hate Spam and how much we dislike spammers, Spam is not illegal (yet). If you try anything against the spammers, please *do not* put yourself at risk of breaking the law.


How do I Track the Source of Abuse?

Spammers often forge the headers of their messages in an attempt to avoid losing their accounts and to evade filters. This section may help you track the source of the abuse. You need a message reader that can display the full headers. See below to learn more.


How to Track Email Abuse

Be advised of the following important header lines:

a. "From:"- Displays the message sender and is the easiest to forge.

b. "From"- Distinct from the "From:" line. This line is not actually part of the email header, but mail transfer software often inserts it when the mail is received. Many Unix mailers use this line to separate messages in a mail folder. This line will always be the first line in the headers. This line can be forged, but not always.

c. "Reply-To:" or "Return-Path:"- The address to which replies should be sent. Often absent from the message, and very easily forged. However, it often provides a clue. Forged abuse often has a legitimate "Reply-To:" field so the spammer can receive mail orders.

d. "Sender:"- The account that sent the message. Mail software is supposed to insert this line if the user modifies the "From:" line. Most mail software is broken in this respect, so this line is rarely present. Some mailers provide an "X-Sender:" line.

e. "Message-ID:"- A unique string assigned by the mail system when the message is created. It can be forged, but this requires more specialized knowledge than modifying the "From:" line. The Message-ID often identifies the system on which the sender is logged in, rather than the actual system where the message originated. The format of a Message-ID field is (unique string)@(sitename). Each kind of mail software has its own style of unique string. Sloppy forgeries often get it wrong, so a forgery can be confirmed by comparing the Message-ID with legitimate messages from the same site.

f. "Received:"- These are the most reliable lines in the header. They form a list of sites through which the message traveled to reach you. They cannot be forged after the point where the message was injected. Up to that point, there may be forgeries. Received lines are read from bottom to top. That is, the first Received line is your own system or mail server. The last (non-forged) Received line is where the mail originated. Each mail system has its own style of Received line. A Received line typically identifies the machine that received the mail and the machine that the mail was received from. For example:

Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02

The "foo.com" part is the name the sending machine used to identify itself and may be forged. The id is for logging purposes and may help system admins track the unwanted email message if you can get them to cooperate. Many mailers add extra information. For example:

Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02

In this case, the mailer inserted the IP address of the sending system. If the machine name does not match the IP address, you have likely identified the point where the mail was injected. In other words, the machine whose address is 129.2.3.4 lied when it identified itself as foo.com. Any Received lines that follow are likely to be forgeries.

If the IP address does not make sense (for instance, no component may be greater than 255), then the entire Received line is a fake. Contact a system admin for more advice on determining whether an IP address has been forged. If the entire Received line is fake, then the injection point is somewhere above in the headers. Sometimes you will see the following:

Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02

In this case, the mailer has inserted both the IP address and the real name of the sending system. This will help identify forgeries and eliminate the need to look up the IP address.

g. "Comment:"- Some mailers may add additional information into the headers, such as "Authenticated sender is doe@foo.com". Forged Comment lines can be easily added to outgoing mail, so this line is likely to be forged, but not always. Other mailers may insert their own authentication information in the headers. For more information on this topic, please visit http://www.rahul.net/falk/mailtrack.html

If you suspect the message received was sent by a 2 Fords Network customer, please forward the original message including all header information to fordpub@2fords.net for proper handling.


How to Track Usenet Spam.

When tracking Usenet Spam, be advised that the easiest thing to forge is the email return address. Most posting software allows anything to be typed as an email address. Most machines accept email from any other machine, so don't send email to postmasters of "upstream" sites that merely pass the message along. A sample Usenet header is as follows:

Message-ID: <351876F8.4037@HOME.COM>
Date: Tue, 24 Mar 1998 22:16:08 -0500
From: xxxxx
Reply-To:
Organization: NONE
X-Mailer: Mozilla 3.02 (Win95; I)
MIME-Version: 1.0
Newsgroups:
misc.forsale.computers.pc-specific.misc,misc.forsale.computers.pc-specific.motherboards,misc.forsale.computers.pc-specific.portables
Subject: Re: Make A Fortune with Bulk Emails
References: <3515cad7.284451576@news.total.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: 129.37.221.142
X-Trace: 25 Mar 98 03:16:07 GMT, 129.37.221.142

Look at the "Message-ID:" line first and see what site it appeared to come from (the part after the "@" sign). If it is an IP address, you should do an "nslookup" to see what the site name is (in Windows 95/NT, open an MS-DOS prompt while connected, type: ping -a IP_Address and press Enter to "look up" the domain name). Furthermore, all Message-ID lines should have a unique number. If not, then you have someone who is *very* familiar with the SMTP protocol and is forging the email to another site. Sometimes this header will even tell you who the message actually came from.

The Received line below shows four pieces of useful information (read from back to front in order of decreasing reliability):

1) The host that added the Received line (host3)
2) The IP address of the incoming SMTP connection (ww.xx.yy.zz)
3) The reverse DNS lookup of that IP address (host2)
4) The name the sender used in the SMTP HELO command (host1)

Received: from host1 (host2 [ww.xx.yy.zz]) by host3 (8.7.5/8.7.3) with SMTP id MAA04298; Thu, 18 Jul 1996 12:18:06 -0600

The "X-Trace:" line is used by the news servers. It provides the date and time of posting and the NNTP-Posting-Host's IP address. This information is supplied by the server itself; it therefore cannot be forged by the user and will provide accurate information for tracking the individual responsible for the post.


How to Track Hacking and Cracking.

Unauthorized access to a server should be documented in the server's logs. We will take all necessary actions once fordpub@2fords.net is provided with the actual connection logs. These connection logs will include the complete IP address, date, time and time zone associated with the abusive action. Please include a contact person, title and phone number in the submitted complaint.


How to Track IRC Abuse

Our goal at the 2 Fords Network is to provide a high quality Internet service to our customers and the Internet community at large. We do not host IRC servers, nor do we maintain them. If you have been a victim of abuse on an IRC server, please contact the IRC administrator of the IRC server you are experiencing the problem on. The system administrator is ultimately responsible for activities on that server. If the administrator requires our intervention, fordpub@2fords.net can be notified. We require connection logs associated with the abuse reported. These connection logs should include a complete IP address, date, time and time zone associated with the abusive action. Only with this information can we identify the responsible individual.


How do I Find Message Headers in My Internet Software?

Most Internet applications "mask" many of the message header lines by default. This makes the message easier to read. The mail headers contain detailed "system" information for the message you are viewing. It is important to view the complete message header when trying to track the true source of a message. Your Internet application should give the option of "Showing All or Complete Message Headers." Instructions for finding the message headers are listed below. Follow these instructions while viewing the message. If your messaging application is not listed here you should consult its Help section or contact the vendor for help.

1. Netscape v2.x and v3.x Mail- Click Options, Show Headers, then All.
2. MS Outlook Express- Click File, Properties, then the Details tab.
3. MS Internet Mail- Click File, Properties, then the Details tab.
4. Netscape v4.x Mail- Click View, Headers, then All.
5. Forte Free Agent v1.11- Click Message, then Show All Header Fields.
6. Pegasus v2.54 Mail- Click Reader, then Show all headers.
7. Eudora Light v3.0.1- Click the Blah Blah button over the message.

Will The 2 Fords Network release account information to third parties?

Generally, we do not release information about subscribers to any third parties unless required by law. If the matter is the subject of a criminal or civil investigation, please direct the appropriate law enforcement official or attorney to contact fordpub@2fords.net.


Will the 2 Fords Network take action on every complaint received?

The 2 Fords Network will only take action or proceed with a complaint received based on verifiable data such as original header information, connection logs and log extracts. We cannot and will not proceed on "word of mouth" information. No action can be taken if the data provided is inaccurate and/or inconclusive, making it impossible to match the information to our Gateway connection logs. We will be glad to assist you further if you can provide additional information that can help us identify the individual involved.


Can I Reject or "Filter" News or Mail Contents?

Filtering is a process by which you can reject (or delete) messages based on their From field, Subject, content, etc. The 2 Fords Network does routine mail and news filtering for large-scale spamming. We do not, however, offer filtering at the POP or SMTP server levels. You can perform your own email filtering using filter software. There are many clients on the market that may suit your needs and requirements. You can also reject email from domains that continue to spam.

One site to download software from is located at http://www.tucows.com

You can also filter your newsgroup downloads. Many news readers have a "kill" feature that will filter out postings. Each news reader is unique; consult its help file. More information on filters can be found at: http://www.best.com/~ariel/nospam, http://www.samiam.org/spam/index.html and http://www.io.com/~johnbob/jm/index.html