On 25/10/17 11:08, steve-ALUG@hst.me.uk wrote:
On 24/10/17 10:01, Laurie Brown wrote:
Hi all,
[SNIP]
Honeytrap? My "Honeytrap" is a service which records and traps spam as you describe, but basically sends a "Failure. Try again later" message to the email sender. This is listed as my last-placed email server in my MX records. The theory being that a well behaved email sender will try email servers in the correct order but spammers often go to the last-placed email server first, on the theory that it will have had less security hardening applied to it. I'm guessing that this is what you do. If not, you may want to add this to your system.
That's exactly what I use, except the people I use collate the data to update their RBLs.
[SNIP]
Perhaps add more RBLs? Apart from that I can't really think of much else you could do.
I'm careful as to the RBLs I use as some are more reliable than others. I have paying clients who don't need the hassle of rejected email thanks to some bloke in his bedroom with a grudge!
Occasionally, I report spam I have received to SpamCop. If you're not familiar with it, SpamCop takes your spam and works out who really sent it. It then sends a report to the ISP of whoever sent it. The report tries to anonymise you. The theory is that if you complain to the ISP, genuine spammers will get shut down, and people with compromised/infected machines will be LARTed. It's a "long-game" sort of option - it won't have an immediate effect, but may result in less spam for everyone in the future. Pros and cons - if spammers work out who reported them, they might then avoid you because you report them, but on the flip side, they might try to punish you or think this is a confirmed live email address - let's use it.
I've never heard of that: thanks for the heads-up. I'll look into it.
Use multiple email addresses.
[BIG SNIP]
This isn't an option for me, but I get the point.
I've drawn the conclusion recently that, if you use an email address, it will get harvested eventually, because, no matter how careful you are, you are relying on the security of everyone else who has it, so you're only as secure as the least secure person in your contact list. Consequently, you're either going to have to change email addresses regularly, put up with spam, or use good anti-spam systems, or some combination of the above.
All of that is true. I use what are normally very good anti-spam systems, but as I originally said, something isn't quite right out there at the moment. It happens regularly, as spammers find a way around the measures we take, and then we learn to deal with that. Until now, grey-listing has been good, but this current batch is dealing with that.
In your later post, you say you've got some new TLDs that seem to be sending the email, and have identified some IP addresses which you have blocked. I just wondered; surely there must be some way of tweaking spamassassin to reduce the amount of spam from a TLD. There is a more_spam_to option, but there doesn't seem to be a less_spam_to option.
As I expected, the IP list option was unsustainable from a maintenance perspective, although it was very effective. I've since, using postfix's inbuilt options, totally blocked these TLDs (temporarily):
.bid .loan .stream .top .trade
The average blockage rate across the filters is so far a little under 20 an hour. Note that these are only the ones passing the RBLs, and all the other postfix anti-spam tricks.
Hope this helps somehow.
Steve
Indeed. Thanks.
Cheers, Laurie.
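
Added example (not part of the original message, and not either poster's setup): one way to measure the per-TLD and per-hour reject counts mentioned above from a Postfix mail log. The log lines are constructed, the reject wording assumes a sender access check, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# TLDs listed in the message above.
BLOCKED_TLDS = {"bid", "loan", "stream", "top", "trade"}

# Constructed sample lines in Postfix's smtpd log format (not real traffic).
SAMPLE_LOG = """\
Oct 25 09:02:11 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <a@offers.example.bid>: Sender address rejected: Access denied; from=<a@offers.example.bid> to=<user@example.org> proto=ESMTP helo=<offers.example.bid>
Oct 25 09:15:40 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 <b@EXAMPLE.TRADE>: Sender address rejected: Access denied; from=<b@EXAMPLE.TRADE> to=<user@example.org> proto=ESMTP helo=<example.trade>
Oct 25 09:48:03 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 5.7.1 Service unavailable; Client host [192.0.2.12] blocked using rbl.example.net; from=<> to=<user@example.org> proto=ESMTP helo=<host.example.net>
Oct 25 10:05:27 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 554 5.7.1 <c@top.example.com>: Sender address rejected: Access denied; from=<c@top.example.com> to=<user@example.org> proto=ESMTP helo=<top.example.com>
Oct 25 10:31:09 mx1 postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 554 5.7.1 <d@mail.example.top>: Sender address rejected: Access denied; from=<d@mail.example.top> to=<user@example.org> proto=ESMTP helo=<mail.example.top>
Oct 25 10:31:10 mx1 postfix/smtpd[2107]: connect from unknown[192.0.2.14]
Oct 25 10:59:59 mx1 postfix/smtpd[2108]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 5.7.1 <e@example.bid>: Sender address rejected: Access denied; from=<e@example.bid> to=<user@example.org> proto=ESMTP helo=<example.bid>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: .*? from=<(?P<sender>[^>]*)>"
)

def sender_tld(sender):
    """Return the lower-cased last DNS label of the sender domain, or None."""
    _, at, domain = sender.rpartition("@")
    if not at or not domain:
        return None  # null sender (bounce) or malformed address
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()

def tally(log_text, year=2017):
    """Count rejects whose envelope sender is in a blocked TLD, per TLD and per hour."""
    per_tld, per_hour = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # not an smtpd reject line
        tld = sender_tld(m.group("sender"))
        if tld not in BLOCKED_TLDS:
            continue  # rejected for another reason (RBL, other domain)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        per_tld[tld] += 1
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    return per_tld, per_hour

def mean_per_hour(per_hour):
    """Average over hours that saw at least one matching reject."""
    return sum(per_hour.values()) / len(per_hour) if per_hour else 0.0

if __name__ == "__main__":
    print(tally(SAMPLE_LOG), mean_per_hour(tally(SAMPLE_LOG)[1]))
```

Matching on the last label only keeps a host such as top.example.com from being counted against the .top block.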