Hi y'all
My mailserver has started getting a lot of spam in the last few days.
Basically, people are sending emails with loads of random email addresses - approx 90+ per email. They're not getting through - they get rejected then blocked. I wondered if anyone else has noticed anything similar?
I'm not entirely sure of what this gets them. The occasional spam getting through can't be worth it. Or are they trying a scattergun approach to try and find valid email addresses or accounts? Or are they trying to overwhelm mail servers to exploit bugs in them? Or something else?
Anything I should do?
I'm getting quite close to saying "ah to ${badplace} with it, let's use a commercial mail-server", but I'm quite attached to the features I have with mine.
For my email accounts, I can have unlimited email suffixes on them, e.g. example@mydomain.invalid, example-mailinglist@mydomain.invalid, example-somecompany@mydomain.invalid, example-ALUG@mydomain.invalid, etc. - anything after the "-" can be specified. I use this so that I can work out who spams an email address, or leaks my email address to spammers, and for easy blockage. Does anyone provide a service like this for less than megabucks?
Steve
On Tue, 23 May 2023 at 16:07, steve-ALUG@hst.me.uk wrote:
> Does anyone provide a service like this for less than megabucks?
A standard feature of GMail is that any suffix prefixed by + works this way. So example+blah@gmail.com goes to example@gmail.com. So not the "-" option you requested but pretty close, and I haven't found anyone better at blocking spam than Google (albeit it's only because their servers "read" so many people's emails to be able to detect it).
On 23/05/2023 16:07, steve-ALUG@hst.me.uk wrote:
> Hi y'all
> My mailserver has started getting a lot of spam in the last few days.
> Basically, people are sending emails with loads of random email addresses - approx 90+ per email. They're not getting through - they get rejected then blocked. I wondered if anyone else has noticed anything similar?
Hi. I'm seeing the same thing. Spam up about eightfold, and the server getting wedged with dozens of spamassassin processes. This server's on an AWS virtual, so a bad storm and I'll reboot to a more capable instance. Currently on t2.micro and haven't, yet, had to. Used to find greylistd helped, but not so much now, and the delays can get irritating, so no longer running it.
Bill
On 24/05/2023 11:21, Bill Hill wrote:
> On 23/05/2023 16:07, steve-ALUG@hst.me.uk wrote:
>> Hi y'all
>> My mailserver has started getting a lot of spam in the last few days.
>> Basically, people are sending emails with loads of random email addresses - approx 90+ per email. They're not getting through - they get rejected then blocked. I wondered if anyone else has noticed anything similar?
> Hi. I'm seeing the same thing. Spam up about eightfold, and the server getting wedged with dozens of spamassassin processes. This server's on an AWS virtual, so a bad storm and I'll reboot to a more capable instance. Currently on t2.micro and haven't, yet, had to. Used to find greylistd helped, but not so much now, and the delays can get irritating, so no longer running it.
Same here, but I'm running sqlgrey, which still seems to help. I'm running Vultr instances though - cheaper than AWS, and quicker than DO.
Cheers, Laurie.
On Wed, 24 May 2023 11:21:46 +0100 Bill Hill mail@wbh.org allegedly wrote:
> On 23/05/2023 16:07, steve-ALUG@hst.me.uk wrote:
>> Hi y'all
>> My mailserver has started getting a lot of spam in the last few days.
>> Basically, people are sending emails with loads of random email addresses - approx 90+ per email. They're not getting through - they get rejected then blocked. I wondered if anyone else has noticed anything similar?
> Hi. I'm seeing the same thing. Spam up about eightfold, and the server getting wedged with dozens of spamassassin processes. This server's on an AWS virtual, so a bad storm and I'll reboot to a more capable instance. Currently on t2.micro and haven't, yet, had to. Used to find greylistd helped, but not so much now, and the delays can get irritating, so no longer running it.
> Bill
Not here. My spam levels haven't changed at all. My postfix server runs on a VM in hetzner's network. Like others I used to do greylisting (with postgrey) but stopped that about 4 years ago because it became inefficient and seemed to cause problems with some mail. I now use a mixture of rbl (zen.spamhaus.org) and a local spamcrap database of idiots who seemed to be targeting just me ("check_sender_access hash:/etc/postfix/spamcrap" in smtpd_sender_restrictions).
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------
On 24/05/2023 15:04, mick wrote:
> Not here. My spam levels haven't changed at all. My postfix server runs on a VM in hetzner's network. Like others I used to do greylisting (with postgrey) but stopped that about 4 years ago because it became inefficient and seemed to cause problems with some mail. I now use a mixture of rbl (zen.spamhaus.org) and a local spamcrap database of idiots who seemed to be targeting just me ("check_sender_access hash:/etc/postfix/spamcrap" in smtpd_sender_restrictions).
> Mick
Hmm..... Zen eh?
I was using another Spamhaus rbl. Will give Zen a try.
You've all given me food for thought.
Cheers folks. Steve
On Wed, 24 May 2023 18:02:51 +0100 steve-ALUG@hst.me.uk allegedly wrote:
> Hmm..... Zen eh?
> I was using another Spamhaus rbl. Will give Zen a try.
> You've all given me food for thought.
> Steve
Possibly you were using sbl/xbl at spamhaus. I used to. See https://www.spamhaus.org/zen/ for the reasons to change.
Mick
On 24/05/2023 18:57, mick wrote:
> On Wed, 24 May 2023 18:02:51 +0100 steve-ALUG@hst.me.uk allegedly wrote:
>> Hmm..... Zen eh?
>> I was using another Spamhaus rbl. Will give Zen a try.
>> You've all given me food for thought.
>> Steve
> Possibly you were using sbl/xbl at spamhaus. I used to. See https://www.spamhaus.org/zen/ for the reasons to change.
Thanks, I'll take another look at that, but I'm pretty sure I've followed that already.
I use these, in this order:
permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1,
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client bl.spamcop.net
To see what the first two lines are all about see: http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
I also use Project Tar in my MX records: http://wiki.junkemailfilter.com/index.php/Project_Tar
Cheers, Laurie.
On Fri, 26 May 2023 13:38:06 +0100 Laurie Brown laurie@brownowl.com allegedly wrote:
> I use these, in this order:
> permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1,
> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client bl.spamcop.net
> Laurie
cbl.abuseat.org was incorporated into spamhaus from January 2021 - see https://www.abuseat.org/
sorbs.net is in my view problematic because it has been historically very difficult to get delisted once your IP address appears in their database. Indeed, SORBS has been accused of mafia like tactics. I prefer to avoid them.
spamcop I think are complete bozos. They actually list oneandone/GMX as spammers. Since I (and my wife) have email addresses with them I find that hard to cope with.
I had never heard of junkemailfilter before - thanks, I will have a look.
Cheers
Mick
On 24/05/2023 18:57, mick wrote:
> Steve
> Possibly you were using sbl/xbl at spamhaus. I used to. See https://www.spamhaus.org/zen/ for the reasons to change.
Hmmm. Deeply perplexing.
The spamhaus check doesn't seem to be checking.
I've tried various configurations but it's not showing up as rejecting anything in my log.
Anyone care to comment on the exim syntax? A or B I've seen examples of both.
A)
drop message = REJECTED - ${sender_host_address} is blocklisted
     dnslists = zen.spamhaus.org
B)
drop message = REJECTED - ${sender_host_address} is blocklisted
     dnslists = zen.spamhaus.org/<;$sender_host_address;$sender_address_domain
Drop or Deny I gather they're similar. Deny logs and doesn't accept; drop does that and forcibly drops the connection, I think.
I've just had a spam email from 239.1.70.111 111.70.1.239.
dig +short TXT 239.1.70.111.zen.spamhaus.org responds "https://www.spamhaus.org/query/ip/111.70.1.239"
showing it's listed and should be dropped.
Or is it simply that it's checking all of the recipients before it gets to the RBL check?
Any thoughts?
Steve
On 27/05/2023 20:23, steve-ALUG@hst.me.uk wrote:
> On 24/05/2023 18:57, mick wrote:
>> Steve
>> Possibly you were using sbl/xbl at spamhaus. I used to. See https://www.spamhaus.org/zen/ for the reasons to change.
> Hmmm. Deeply perplexing.
> The spamhaus check doesn't seem to be checking.
> I've tried various configurations but it's not showing up as rejecting anything in my log.
> Anyone care to comment on the exim syntax? A or B I've seen examples of both.
> A)
> drop message = REJECTED - ${sender_host_address} is blocklisted
>      dnslists = zen.spamhaus.org
> B)
> drop message = REJECTED - ${sender_host_address} is blocklisted
>      dnslists = zen.spamhaus.org/<;$sender_host_address;$sender_address_domain
> Drop or Deny I gather they're similar. Deny logs and doesn't accept; drop does that and forcibly drops the connection, I think.
> I've just had a spam email from 239.1.70.111 111.70.1.239.
> dig +short TXT 239.1.70.111.zen.spamhaus.org responds "https://www.spamhaus.org/query/ip/111.70.1.239"
> showing it's listed and should be dropped.
> Or is it simply that it's checking all of the recipients before it gets to the RBL check?
> Any thoughts?
> Steve
Possibly I have a reason why it's not working...
https://uribl.com/refused.shtml
Well, same problem, different product. It *MAY* be that my request to Spamhaus is going via a big name server, and spamhaus is saying, "nope, you're too big, this is for personal use".
I believe a solution is to use a caching name server. I do, but it's pointing at a big name server... So, I've overridden the Name Server for spamhaus to point to a smaller name server. We'll see....
Fingers crossed.
Steve
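Added here as a worked example (not code from the thread, from Exim or from Spamhaus): the reversed-octet lookup behind Steve's dig check, plus interpretation of the answer, including the 127.255.255.x codes Zen returns when it refuses a query (for example one arriving via a public resolver, the case Steve suspected), which a "listed only if 127.0.0.x" check silently ignores. The resolver is injectable so the sample runs offline against a constructed answer table; the Zen code mapping is reproduced from my reading of Spamhaus's documentation and should be confirmed against the current docs.

```python
import ipaddress
import socket

# Zen answer codes as I understand them from Spamhaus's documentation
# (reproduced for illustration; check the current docs before relying on them).
ZEN_LISTS = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL", 10: "PBL", 11: "PBL"}
# Codes Zen uses to refuse a query. They are not listings: a server that treats
# any 127.x answer as "listed" would block wrongly, and one that only looks for
# 127.0.0.x silently "checks nothing", which matches the symptom in the thread.
ZEN_REFUSALS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent via a public/open resolver; use your own caching resolver",
    "127.255.255.255": "query volume exceeded the free-use limit",
}

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone appended."""
    ipaddress.IPv4Address(ip)  # raises ValueError on anything but a dotted quad
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify_zen(answers: list) -> tuple:
    """Turn the A records returned for a Zen lookup into (verdict, detail)."""
    if not answers:  # NXDOMAIN: the address is not listed
        return ("not_listed", "")
    for a in answers:
        if a in ZEN_REFUSALS:
            return ("refused", ZEN_REFUSALS[a])
    lists = set()
    for a in answers:
        head, _, last = a.rpartition(".")
        if head != "127.0.0" or not last.isdigit() or int(last) not in ZEN_LISTS:
            return ("unknown", "unexpected answer " + a)
        lists.add(ZEN_LISTS[int(last)])
    return ("listed", ",".join(sorted(lists)))

def _system_resolve(name: str) -> list:
    """Default resolver: A records via the host's resolver, [] on NXDOMAIN."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def check_ip(ip: str, zone: str = "zen.spamhaus.org", resolve=_system_resolve) -> tuple:
    """Look an address up in a DNSBL; pass your own `resolve` to run offline."""
    return classify_zen(resolve(dnsbl_query_name(ip, zone)))

# Constructed answer table standing in for DNS so the example runs offline.
FAKE_DNS = {"239.1.70.111.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
            "7.2.0.192.zen.spamhaus.org": ["127.255.255.254"]}
```

Calling `check_ip("111.70.1.239", resolve=lambda n: FAKE_DNS.get(n, []))` returns `("listed", "PBL,XBL")`; a "refused" verdict is the signal to fix the resolver rather than to conclude the list is quiet.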
On 27/05/2023 22:32, steve-ALUG@hst.me.uk wrote:
> On 27/05/2023 20:23, steve-ALUG@hst.me.uk wrote:
>> On 24/05/2023 18:57, mick wrote:
>>> Steve
>>> Possibly you were using sbl/xbl at spamhaus. I used to. See https://www.spamhaus.org/zen/ for the reasons to change.
>> Hmmm. Deeply perplexing.
>> The spamhaus check doesn't seem to be checking.
>> I've tried various configurations but it's not showing up as rejecting anything in my log.
>> Anyone care to comment on the exim syntax? A or B I've seen examples of both.
>> A)
>> drop message = REJECTED - ${sender_host_address} is blocklisted
>>      dnslists = zen.spamhaus.org
>> B)
>> drop message = REJECTED - ${sender_host_address} is blocklisted
>>      dnslists = zen.spamhaus.org/<;$sender_host_address;$sender_address_domain
>> Drop or Deny I gather they're similar. Deny logs and doesn't accept; drop does that and forcibly drops the connection, I think.
>> I've just had a spam email from 239.1.70.111 111.70.1.239.
>> dig +short TXT 239.1.70.111.zen.spamhaus.org responds "https://www.spamhaus.org/query/ip/111.70.1.239"
>> showing it's listed and should be dropped.
>> Or is it simply that it's checking all of the recipients before it gets to the RBL check?
>> Any thoughts?
>> Steve
> Possibly I have a reason why it's not working...
> https://uribl.com/refused.shtml
> Well, same problem, different product. It *MAY* be that my request to Spamhaus is going via a big name server, and spamhaus is saying, "nope, you're too big, this is for personal use".
> I believe a solution is to use a caching name server. I do, but it's pointing at a big name server... So, I've overridden the Name Server for spamhaus to point to a smaller name server. We'll see....
> Fingers crossed.
OK - Progress. The DNS fix has resulted in the spamhaus test triggering.
That's good. It's still going through all the unknown "to" emails first and rejecting them, and then hitting the spamhaus test. Just need to work out how to get it to hit the spamhaus one first....
Steve