[ALUG] Huge increase in spam

steve-ALUG at hst.me.uk steve-ALUG at hst.me.uk
Wed Oct 25 11:08:37 BST 2017


On 24/10/17 10:01, Laurie Brown wrote:
> Hi all,
>
> Well, after many years of my Linux mail filters working very well, I've
> noticed a significant increase in spam over the last week, and last
> night I got 33 alone, an unheard of number.
>
> Has anyone else noticed this?

Not really.  Yesterday I got 12 that made it into my spam folder. Really 
spammy ones get rejected so don't make it to my spam folder.    It's 
more than I'd like.  It increased a while ago but seems fairly 
constant.  Hardly any make it into my inbox.  Sometimes I get a few 
false positives; frequently the pub-announce from this list!


>
> I use postfix, blacklists, postgrey, spamassassin (and a Bayesian DB),
> with all the usual postfix settings to discourage spammers. I also use a
> honeytrap third party MX server which traps and records some spam.

Honeytrap?  My  "Honeytrap" is an service which records and traps spam 
as you describe, but basically sends a "Failure.  Try again later" 
message to the email sender.  This is listed as my last-placed email 
server in my MX records, .  The theory being that a well behaved email 
sender will try email servers in the correct order but  spammers often 
go to the last-placed email server first, on the theory that it will 
have had less security hardening applied to it.
I'm guessing that this is what you do.  If not, you may want to add this 
to your system.
>
> Normally, once in a while I'll see a small increase in soam, and then
> the RBLs kick in and it stops after a few hours. However, I can't even
> find much of a pattern in the emails; there are a couple of regular IPs
> - now firewalled out - but in the main they are random. There must be a
> massive Windows-based botnet out there with some new spamming software
> on it. It's certainly dealing with grey-listing now.
>
> Ideas anyone?

Perhaps add more RBLs?
Apart from that I can't really think of much else you could do.

Occasionally, I report spam I have received to SpamCop.  If you're not 
familiar with it, Spamcop takes your spam and works out who really sent 
it.  It then sends a report to the ISP of whoever sent it.  The report 
tries to anonymise you.  The theory is that if you complain to the ISP, 
genuine spammers will get shut down, and people with 
compromised/infected machines will be LARTed.  It's a "long-game" sort 
of option - it won't have an immediate effect, but may result in less 
spam for everyone in the future.  Pros and cons - if spammers work out 
who reported them, they might then avoid you because you report them, 
but on the flip side, they might try to punish you or think this is a 
confirmed live email address - let's use it.

Use multiple email addresses.
If you run your own email server, you may be able to use multiple email 
addresses.  My email system allows me to configure it so that, for 
example, user numpty has email address numpty at example.invalid, but also 
any email in the format numpty-{PrettyMuchAnything}@example.invalid.

With this set up, you can take two approaches, date code, or company 
code your emails.
I don't like date-coding emails, but you could use email addresses for a 
year, or a month or something and have numpty-2017 at example.invalid for 
this year, and then use a new one for next year.  Then you use 
spamassassin to reduce the amount of spam to old email addresses, or 
just reject email to them.  As I said, I don't like this approach, as 
you have to keep updating people with your new email address.

Company coding emails I like more.  If you email BigCorp, always use 
email address numpty-BigCorp at example.invalid.  Only use this address 
with this company.  Then, if you start getting spam to 
numpty-BigCorp at example.invalid, you know where it has been harvested 
from (an this may affect decisions about if you wish to continue your 
relationship with them).  Also, you can reject email from 
numpty-BigCorp at example.invalid and tell them you've changed your email 
address to numpty-BigCorp2 at example.invalid.  This does mean you end up 
using a lot of email addresses and need to have an email system that 
allows you to enter multiple "from" email addresses (Thunderbird does, 
ish.).

Alternatively, "just" change your email address every now an again!

This email address "munging" won't solve your current problem - it may 
just reduce it in future.

I've drawn the conclusion recently that, if you use an email address, it 
will get harvested eventually, because, no matter how careful you are, 
you are relying on the security of everyone else who has it, so you're 
only as secure as the least secure person in your contact list.  
Consequently, you're either going to have to change email addresses 
regularly, put up with spam, or use good anti-spam systems, or some 
combination of the above.



In your later post, you say you've got some new TLDs that seem to be 
sending the email, and have identified some IP addresses which you have 
blocked.  I just wondered; surely there must be some way of tweaking 
spamassassin to reduce the amount of spam from a TLD. There is a 
more_spam_to option, but there doesn't seem to be a less_spam_to option.

Hope this helps somehow.

Steve





More information about the main mailing list