Addition due to trespass spam
This is the most common way networks find their way on the MAPS DUL, but hardly the most pleasant. A spammer sets up a "mail server" or "spam engine" on a dial-up line, and sends spam to one or more MAPS members. We prefer that ISPs participate in the MAPS DUL before trespass spam happens.

Because our mail servers are modern enough to record the source IP addresses where trespass spam comes from, we can very quickly determine where to send the complaint. We also determine how large the surrounding dial-up network is and list that network in its entirety.

We determine the size and location of a dial-up network using these methods:

• Asking the maintaining ISP for this information
• Zone transfer of the IN-ADDR.ARPA subdomain from the name server providing reverse DNS for the dial-up network
• Scanning the IN-ADDR.ARPA subdomain
• In extreme cases, scanning for SMTP ports

While the last three methods may seem intrusive, the information extracted from them is otherwise public knowledge. Many Internet protocols require valid DNS names of hosts to work properly, and this information is almost always provided via the IN-ADDR.ARPA domain. In addition, fixed mail servers will have Mail Exchange (MX) records associated with the domains they handle mail for.

Where a network contains mostly dial-ups or otherwise maintains no valid reverse DNS information, a port scanner is used to look for hosts running services on Port 25. This scanner is non-destructive; it does not try to send mail through any mail servers found, and it immediately sends the SMTP command "QUIT" to terminate connections with any mail servers found. Information gathered from this is checked against any reverse DNS information found, so as not to skip dial-up IPs with actual SMTP servers found. In short, running an SMTP proxy on a dial-up line doesn't count; it gets listed.

These methods are only used as needed where information is not quickly available, and are only used once on each network unless requested by that network's owner to re-check. We take extreme care to ensure dedicated mail servers do not appear on this list (That is a matter for the MAPS RBL.)

To avoid incorrect listings, please ensure you maintain accurate IN-ADDR.ARPA records for the networks you are in charge of. This data is checked and re-checked by the MAPS DUL maintainers before adding them to the list. No automated tools actually perform additions. If you suspect an incorrect listing bring it immediately to our attention.

Addition due to requests from spam victims
Very likely we've already received the same trespass spam you did, and are about to consider listing the network where it came from.

While we'll take a sample trespass spam and do the research ourselves, a suspect dial-up network will appear in the MAPS DUL faster if you can do some of the work for us. This work includes:

• Determining if it is actually trespass spam in the first place
• Asking the ISP for their dial-up information
• Attempting to copy their IN-ADDR.ARPA records to your own name servers (nslookup's "ls -d" command can copy the zone for you; see nslookup's documentation)
• Asking them again if their IN-ADDR.ARPA records are accurate

We do not encourage you to perform port scans or reverse DNS scans as they may be seen as a violation of your ISP's terms and conditions.

Determining if email spam is trespass spam is a matter of checking a spam's headers for the Received: lines. Typically, a trespass spam will have only one Received: header (besides any extra headers the server adds for its own internal routing):

Received: from mail.delivery45125.com (unverified [209.30.76.125]) by srv1.reelwest.bc.ca
 (EMWAC SMTPRS 0.83) with SMTP id ;
 Fri, 06 Nov 1998 17:33:15 -0800
Message-ID: 
To: 
From: 
Subject: A No Nonsense Site
Date: Fri, 6 Nov 1998 13:53:46

Most users of Microsoft Windows® computers can determine the reverse DNS name of a source IP using a "ping -a" command:

ping -a 209.30.76.125

This example returns: "p125.amax13.dialup.lax1.FLASH.net" provided the ISP maintains good reverse DNS records. Users of other platforms should have a reasonable version of nslookup or dig that can obtain this information.

If you've determined that this is trespass spam, send a request to their ISP to make the spammer stop and to participate in the MAPS DUL by volunteering their list of dial-up networks to MAPS (dul@mail-abuse.com). If you receive several different trespass spam letters from the same network, send a single copy of each back to them asking them to stop and to volunteer their dial-up information to us. They may not realize what is happening, as trespass spam is an attempt at "stealth" (But we don't have any logs showing they were spamming, is there a problem?), so explain it to them, every time.

Addition due to ISP Participation
This is the preferred method of adding networks to the MAPS DUL. Only the ISP who maintains the dial-up or dynamic network has the most accurate information about it.

If you offer dial-up Internet access, please consider using the MAPS DUL and submitting your own networks for inclusion. Please see these examples of how to use the MAPS DUL include methods of excluding your own network from checks, and to allow mail access from any MAPS DUL-listed network through SMTP authentication, such as POP before SMTP (Checking mail before sending mail) while still stopping trespass spam.

To simplify our job somewhat, please submit your network ranges in CIDR (Classless Inter-Domain Routing) format, as this is the format we use to maintain the master list. Include your ARIN, RIPE, or APNIC network name in the submission. For example:

207.194.197.0/26 NETBLK-INTOUCH1-CA(ARIN)
207.194.197.128/25 NETBLK-INTOUCH1-CA(ARIN)

CIDR is a notation of describing networks where the /x number describes the number of 'ones' bits in the subnet mask. Most router languages use CIDR. For example, in 192.168.2.0 with subnet mask 255.255.255.0, the binary version of the subnet mask: 11111111.11111111.11111111.00000000 contains twenty-four 'ones' bits, so you list this as 192.168.2.0/24. You may list single IP addresses with /32, pairs of IP addresses with /31, groups of four IP addresses with /30, and so on.

If you move or re-shuffle your networks around, please re-submit your dial-up networks as soon as you can to avoid inconvenience.

About ADSL and cable modem listings: Often, the cable or xDSL network IP addresses are dynamically assigned, just as dial-up IP addresses are, and are suitable for listing. An ISP may participate in the DUL and request that they be listed. We will do so if asked.