Sender checklist

If your IP address is listed as a sending host in a proxypot report, one of these things happened (listed in order of decreasing probability):

  1. You're a spammer
  2. Your computer has been hijacked by a spammer
  3. A spammer had your IP address before or after you
  4. You've misunderstood the /24 report
  5. Someone faked the proxypot report
  6. A spammer spoofed your IP address

Spamvertized contact point checklist

If your domain name, mailing address, web directory, or phone number is listed in a proxypot report, one of these things happened: (listed in order of decreasing probability):

  1. You're a spammer
  2. A spammer deliberately framed you
  3. The proxypot message analyzer messed up
  4. Someone faked the proxypot report

Compromised system

Trojan horses, buffer overflows, password thieves, backdoors... it's a rough world. If you aren't confident that you have control of your computer and know what it's doing, then maybe someone else does.

If you're a network administrator, maybe someone snuck in an unapproved, insecure machine while you weren't looking.

Joe job

Sometimes a spammer includes a reference to someone else's web site, in order to deliberately create the false impression that the owner of the web site sent the spam. If this has happened to you, don't be offended when you find your web site listed in a proxypot report. The proxypot report doesn't say that you sent the spam, just that your web site was referenced by the spam, which is a fact, not an accusation. Look on it as an opportunity to find the spammer who did it. See the spam victim page for information on how you can use the proxypot report to find out who's responsible.

Mistaken message analysis

Contact points (web site addresses, mail address, and phone numbers) in spam are often written in strange non-standard ways, so that the intended victim can use them but other people and programs can't make sense of them. These obfuscation techniques are usually unsuccessful, because the proxypot report generator is smart enough to read them the way the intended victim would. But occasionally it's wrong and detects a reference that isn't actually there. If one of these shows up in a proxypot report, notify the proxypot operator so he can configure the report generator to remove the false references.

Reassigned IP address

If your IP address is listed as a spam sender and you're certain that you haven't sent spam, check the time frame (which is near the top of every page of the report). Maybe the spam was sent before you obtained your current IP address. Proxypot reports are not necessarily composed entirely of recent data, and they are not to be interpreted as an accusation against the current user of the IP address.

Living in a /24 with a spammer

The proxypot reports contain summaries organized by /24 (also known as "class C" network, a group of 256 IP addresses). Even if only one host in the /24 has sent spam, it will appear in the /24 list. That doesn't mean the entire /24 is controlled by the spammer. The /24 list only exists to provide an easier to read, condensed form of the host list, with aggregate statistics when a spammer controls many consecutive IP addresses. When in doubt, check the host list for your individual IP address. If it's not there, relax.

Faked reports

Sadly, there is the possibility that someone will make a phony proxypot report. If you think this has happened, and the report is published on this site, contact me.

IP spoofing

If your IP address is listed as a spam sender, and you're certain that you haven't sent spam, and you've already checked the time frame, the last possibility is IP spoofing, which means someone else has been using your IP address. Ask the proxypot operator if his TCP sequence numbers are sufficiently random. Ask your ISP if they use ingress filtering to prevent their users from spoofing each other's addresses.

You're a spammer

Go directly to Hell. Do not pass Go.