[ALUG] Huge increase in spam

Laurie Brown laurie at brownowl.com
Wed Oct 25 13:55:01 BST 2017


On 25/10/17 11:08, steve-ALUG at hst.me.uk wrote:
> On 24/10/17 10:01, Laurie Brown wrote:
>> Hi all,

[SNIP]

> Honeytrap?  My  "Honeytrap" is a service which records and traps spam
> as you describe, but basically sends a "Failure.  Try again later"
> message to the email sender.  This is listed as my last-placed email
> server in my MX records.  The theory being that a well behaved email
> sender will try email servers in the correct order but  spammers often
> go to the last-placed email server first, on the theory that it will
> have had less security hardening applied to it.
> I'm guessing that this is what you do.  If not, you may want to add this
> to your system.

That's exactly what I use, except the people I use collate the data to
update their RBLs.

[SNIP]

> Perhaps add more RBLs?
> Apart from that I can't really think of much else you could do.

I'm careful as to the RBLs I use as some are more reliable than others.
I have paying clients who don't need the hassle of rejected email thanks
to some bloke in his bedroom with a grudge!

> Occasionally, I report spam I have received to SpamCop.  If you're not
> familiar with it, Spamcop takes your spam and works out who really sent
> it.  It then sends a report to the ISP of whoever sent it.  The report
> tries to anonymise you.  The theory is that if you complain to the ISP,
> genuine spammers will get shut down, and people with
> compromised/infected machines will be LARTed.  It's a "long-game" sort
> of option - it won't have an immediate effect, but may result in less
> spam for everyone in the future.  Pros and cons - if spammers work out
> who reported them, they might then avoid you because you report them,
> but on the flip side, they might try to punish you or think this is a
> confirmed live email address - let's use it.

I've never heard of that: thanks for the heads-up. I'll look into it.

> Use multiple email addresses.

[BIG SNIP]

This isn't an option for me, but I get the point.

> I've drawn the conclusion recently that, if you use an email address, it
> will get harvested eventually, because, no matter how careful you are,
> you are relying on the security of everyone else who has it, so you're
> only as secure as the least secure person in your contact list. 
> Consequently, you're either going to have to change email addresses
> regularly, put up with spam, or use good anti-spam systems, or some
> combination of the above.

All of that is true. I use what are normally very good anti-spam
systems, but as I originally said, something isn't quite right out there
at the moment. It happens regularly, as spammers find a way around the
measures we take, and then we learn to deal with that. Until now,
grey-listing has been good, but this current batch is dealing with that.

> In your later post, you say you've got some new TLDs that seem to be
> sending the email, and have identified some IP addresses which you have
> blocked.  I just wondered; surely there must be some way of tweaking
> spamassassin to reduce the amount of spam from a TLD. There is a
> more_spam_to option, but there doesn't seem to be a less_spam_to option.

As I expected, the IP list option was unsustainable from a maintenance
perspective, although it was very effective. I've since, using postfix's
inbuilt options, totally blocked these TLDs (temporarily):

.bid
.loan
.stream
.top
.trade

The average blockage rate across the filters is so far a little under 20
an hour. Note that these are only the ones passing the RBLs, and all the
other postfix anti-spam tricks.

> Hope this helps somehow.
> 
> Steve

Indeed. Thanks.

Cheers, Laurie.

-- 
---------------------------------------------------------------------
                               Laurie Brown
                           laurie at brownowl.com
---------------------------------------------------------------------
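Laurie does not say which Postfix option he used for the TLD block. As an added example, not his configuration, one way to reject envelope senders in those five TLDs is a check_sender_access map in smtpd_sender_restrictions; the file paths, the restriction ordering and the example-partner.top exception line are assumptions.

```conf
# /etc/postfix/main.cf (excerpt; path and ordering are assumptions)
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access pcre:/etc/postfix/sender_tld_access,
    permit

# /etc/postfix/sender_tld_access  (pcre: table, read top to bottom, first match wins)
# Exceptions for known-good correspondents go first (hypothetical domain).
/^[^@]+@example-partner\.top$/   OK
# Reject any envelope sender whose domain ends in one of the TLDs from the thread.
/@[^@]*\.(bid|loan|stream|top|trade)$/   REJECT Sender domain TLD not accepted here
```

A pattern can be checked without a reload using `postmap -q user@example.top pcre:/etc/postfix/sender_tld_access`; after editing main.cf, run `postfix reload`.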