On 24/10/17 10:01, Laurie Brown wrote:
> Hi all,
> Well, after many years of my Linux mail filters working very well, I've noticed a significant increase in spam over the last week, and last night I got 33 alone, an unheard of number.
> Has anyone else noticed this?
Not really. Yesterday I got 12 that made it into my spam folder. Really spammy ones get rejected so don't make it to my spam folder. It's more than I'd like. It increased a while ago but seems fairly constant. Hardly any make it into my inbox. Sometimes I get a few false positives; frequently the pub-announce from this list!
> I use postfix, blacklists, postgrey, spamassassin (and a Bayesian DB), with all the usual postfix settings to discourage spammers. I also use a honeytrap third party MX server which traps and records some spam.
Honeytrap? My "Honeytrap" is a service which records and traps spam as you describe, but basically sends a "Failure. Try again later" message to the email sender. This is listed as my last-placed email server in my MX records. The theory being that a well behaved email sender will try email servers in the correct order but spammers often go to the last-placed email server first, on the theory that it will have had less security hardening applied to it. I'm guessing that this is what you do. If not, you may want to add this to your system.
> Normally, once in a while I'll see a small increase in spam, and then the RBLs kick in and it stops after a few hours. However, I can't even find much of a pattern in the emails; there are a couple of regular IPs - now firewalled out - but in the main they are random. There must be a massive Windows-based botnet out there with some new spamming software on it. It's certainly dealing with grey-listing now.
> Ideas anyone?
Perhaps add more RBLs? Apart from that I can't really think of much else you could do.
Occasionally, I report spam I have received to SpamCop. If you're not familiar with it, Spamcop takes your spam and works out who really sent it. It then sends a report to the ISP of whoever sent it. The report tries to anonymise you. The theory is that if you complain to the ISP, genuine spammers will get shut down, and people with compromised/infected machines will be LARTed. It's a "long-game" sort of option - it won't have an immediate effect, but may result in less spam for everyone in the future. Pros and cons - if spammers work out who reported them, they might then avoid you because you report them, but on the flip side, they might try to punish you or think this is a confirmed live email address - let's use it.
Use multiple email addresses. If you run your own email server, you may be able to use multiple email addresses. My email system allows me to configure it so that, for example, user numpty has email address numpty@example.invalid, but also any email in the format numpty-{PrettyMuchAnything}@example.invalid.
With this set up, you can take two approaches, date code, or company code your emails. I don't like date-coding emails, but you could use email addresses for a year, or a month or something and have numpty-2017@example.invalid for this year, and then use a new one for next year. Then you use spamassassin to reduce the amount of spam to old email addresses, or just reject email to them. As I said, I don't like this approach, as you have to keep updating people with your new email address.
Company coding emails I like more. If you email BigCorp, always use email address numpty-BigCorp@example.invalid. Only use this address with this company. Then, if you start getting spam to numpty-BigCorp@example.invalid, you know where it has been harvested from (and this may affect decisions about if you wish to continue your relationship with them). Also, you can reject email from numpty-BigCorp@example.invalid and tell them you've changed your email address to numpty-BigCorp2@example.invalid. This does mean you end up using a lot of email addresses and need to have an email system that allows you to enter multiple "from" email addresses (Thunderbird does, ish.).
Alternatively, "just" change your email address every now and again!
This email address "munging" won't solve your current problem - it may just reduce it in future.
I've drawn the conclusion recently that, if you use an email address, it will get harvested eventually, because, no matter how careful you are, you are relying on the security of everyone else who has it, so you're only as secure as the least secure person in your contact list. Consequently, you're either going to have to change email addresses regularly, put up with spam, or use good anti-spam systems, or some combination of the above.
In your later post, you say you've got some new TLDs that seem to be sending the email, and have identified some IP addresses which you have blocked. I just wondered; surely there must be some way of tweaking spamassassin to reduce the amount of spam from a TLD. There is a more_spam_to option, but there doesn't seem to be a less_spam_to option.
Hope this helps somehow.
Steve
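An added example (not Steve's or the list's own code) of the sub-address rules described above, in Python: it assumes a single-character sub-address delimiter and a constructed table of company tags, and covers both the date-coded and company-coded variants.

```python
"""Sub-address policy for the numpty-{Tag}@example.invalid scheme.
Added example, not Steve's own configuration: it models both the
date-coding (numpty-2017) and company-coding (numpty-BigCorp) variants
from the post.  The tag table and the score values are constructed."""
import re
from datetime import date

DELIMITER = "-"                                 # sub-address separator
DATE_TAG = re.compile(r"^\d{4}(-\d{2})?$")      # "2017" or "2017-10"

# Constructed per-company tag state.  A tag is retired once it starts
# attracting spam; its replacement is what the sender is told to use.
TAGS = {
    "bigcorp": {"company": "BigCorp", "retired": False},
    "oldshop": {"company": "OldShop", "retired": True, "replacement": "OldShop2"},
}


def split_address(addr):
    """Return (user, tag, domain); tag is None when there is no sub-address."""
    local, _, domain = addr.rpartition("@")
    user, _, tag = local.partition(DELIMITER)
    return user, (tag or None), domain.lower()


def address_policy(addr, year=None):
    """Decide what to do with mail addressed to addr.

    Returns (action, detail): 'accept' with a note, 'reject' with an SMTP
    style reply naming the replacement address, or 'score' with an extra
    SpamAssassin-style score (float) to add for stale date-coded tags."""
    year = year or date.today().year
    user, tag, domain = split_address(addr)
    if tag is None:
        return "accept", "base address"
    if DATE_TAG.match(tag):                     # date-coded: penalise old years
        age = year - int(tag[:4])
        if age <= 0:
            return "accept", "current date tag"
        return "score", 2.0 * age               # two points per year of staleness
    info = TAGS.get(tag.lower())
    if info is None:                            # any other tag is still delivered
        return "accept", "unregistered tag"
    if info["retired"]:
        new = f"{user}{DELIMITER}{info['replacement']}@{domain}"
        return "reject", f"550 5.1.1 address retired; use {new}"
    return "accept", f"tag issued to {info['company']}"
```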