Hi all,
Well, after many years of my Linux mail filters working very well, I've noticed a significant increase in spam over the last week, and last night I got 33 alone, an unheard of number.
Has anyone else noticed this?
I use postfix, blacklists, postgrey, spamassassin (and a Bayesian DB), with all the usual postfix settings to discourage spammers. I also use a honeytrap third party MX server which traps and records some spam.
Normally, once in a while I'll see a small increase in spam, and then the RBLs kick in and it stops after a few hours. However, I can't even find much of a pattern in the emails; there are a couple of regular IPs - now firewalled out - but in the main they are random. There must be a massive Windows-based botnet out there with some new spamming software on it. It's certainly dealing with grey-listing now.
Ideas anyone?
Cheers, Laurie.
On Tue, 2017-10-24 at 10:01 +0100, Laurie Brown wrote:
Hi all,
Well, after many years of my Linux mail filters working very well, I've noticed a significant increase in spam over the last week, and last night I got 33 alone, an unheard of number.
Has anyone else noticed this?
Yep. Not only am I getting a massive increase in spam (from near enough zero to 40 or 50 a day), but they're much bigger than previously - near enough a megabyte each. IMO this is closer to a DoS attack than it is advertising.
I use postfix, blacklists, postgrey, spamassassin (and a Bayesian DB), with all the usual postfix settings to discourage spammers. I also use a honeytrap third party MX server which traps and records some spam.
Normally, once in a while I'll see a small increase in spam, and then the RBLs kick in and it stops after a few hours. However, I can't even find much of a pattern in the emails; there are a couple of regular IPs - now firewalled out - but in the main they are random. There must be a massive Windows-based botnet out there with some new spamming software on it. It's certainly dealing with grey-listing now.
Ideas anyone?
Sadly not, at the moment. I'm just gritting my teeth and training my filters up. Due to the enormous size of the emails, I am looking at filtering solutions that run over IMAP, rather than having to download the garbage first (that and Sieve scripts that run at my ISP), but apart from that, I run much the same stuff as you.
Sorry.
On 24/10/17 10:17, Huge wrote:
On Tue, 2017-10-24 at 10:01 +0100, Laurie Brown wrote:
Hi all,
Well, after many years of my Linux mail filters working very well, I've noticed a significant increase in spam over the last week, and last night I got 33 alone, an unheard of number.
Has anyone else noticed this?
Yep. Not only am I getting a massive increase in spam (from near enough zero to 40 or 50 a day), but they're much bigger than previously - near enough a megabyte each. IMO this is closer to a DoS attack than it is advertising.
At least it's not just me!
I save all missed spam in special folders and about once a fortnight I use them to train the Bayesian DBs. I've got hundreds now and I'm currently grepping out and counting IP addresses. I should have a decent list for iptables. I don't like doing it this way, but this calls for desperate measures! Even my clients are complaining, not something they have ever done before (about spam anyway!)
[SNIP]
Ideas anyone?
Sadly not, at the moment. I'm just gritting my teeth and training my filters up. Due to the enormous size of the emails, I am looking at filtering solutions that run over IMAP, rather than having to download the garbage first (that and Sieve scripts that run at my ISP), but apart from that, I run much the same stuff as you.
Sorry.
Well, thanks anyway. I must say, I'm not seeing a particular increase in the size of the spam emails.
I run a couple of postfix filters on small cloud VMs which deal with most spam before it even gets to my main servers. This stuff is getting through those filters (my main servers won't accept SMTP traffic from anywhere except the filters).
Cheers, Laurie.
Hi all,
I've gone through several hundred emails and found a pattern.
The vast majority of these emails are coming from random domain names in the following TLDs:
.bid .stream .trade
I've found 328 such emails, 298 of which come from unique IP addresses. I'm going to add those to my firewall rules on a temporary basis, ready for the overnight influx of spam.
Note that if one has clients dependent on filtering, this IS NOT the right way to deal with spam - it's too easy to block the wrong IPs - but it's ok in an emergency on a temporary basis.
Temporarily, interested parties can grab the sorted and unique list of these IP addresses as follows, to do with as they wish (with full disclaimer and no guarantees):
wget vm3.convergent-ict.com/misc/temp-spam-IPs.lis
Cheers, Laurie.
--
Laurie Brown laurie@brownowl.com
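Added example, not from Laurie's post or any of the tools named in the thread: a POSIX shell script that does the grep-and-count pass described above (tally sender TLDs, then produce a sorted and unique list of connecting IPs) over a folder of saved spam. It only reads the topmost Received: header, the one your own MTA stamped, because every Received: line below it was written by the sending machine and can say anything; that is also why the resulting IP list is something to review by hand before it goes anywhere near a firewall. The sample messages, host names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): tally connecting IPs and sender TLDs
# over a folder of saved spam and emit a sorted, unique IP list.
# Trust only the first Received: header (written by our own filter host);
# lower ones come from the sender and are forgeable. All sample data is
# constructed; 203.0.113.0/24 and 192.0.2.0/24 are RFC 5737 documentation ranges.

make_samples() {
  dir=$1
  mkdir -p "$dir"
  cat >"$dir/msg1" <<'EOF'
Received: from mail.random-name.bid (unknown [203.0.113.10])
  by filter1.example.invalid (Postfix) with ESMTP id 0001
  for <user@example.invalid>; Tue, 24 Oct 2017 01:02:03 +0100
Received: from [10.0.0.1] (looks-legit.example.com [198.51.100.99])
  by mail.random-name.bid with SMTP id 0002
From: Offers <offers@random-name.bid>

body
EOF
  cat >"$dir/msg2" <<'EOF'
Received: from x.other-name.stream (unknown [203.0.113.11])
  by filter1.example.invalid (Postfix) with ESMTP id 0003
From: news@other-name.stream

body
EOF
  cat >"$dir/msg3" <<'EOF'
Received: from mail.random-name.bid (unknown [203.0.113.10])
  by filter1.example.invalid (Postfix) with ESMTP id 0004
From: deals@another-name.bid

body
EOF
  cat >"$dir/msg4" <<'EOF'
Received: from relay.example.org (relay.example.org [192.0.2.5])
  by filter1.example.invalid (Postfix) with ESMTP id 0005
From: someone@example.org

body
EOF
}

# Connecting IPv4 address from the first Received: header only (folded
# continuation lines included). Postfix writes it as "(rdns [addr])", so we
# take the bracketed address that is directly followed by ")".
top_received_ip() {
  awk '
    /^$/ { exit }
    /^Received:/ && !seen { seen = 1; buf = $0; next }
    seen && /^[ \t]/ { buf = buf " " $0; next }
    seen { exit }
    END {
      if (match(buf, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\)/))
        print substr(buf, RSTART + 1, RLENGTH - 3)
    }' "$1"
}

# Last label of the From: domain, lower-cased ("bid", "stream", ...).
sender_tld() {
  awk '
    /^$/ { exit }
    tolower($0) ~ /^from:/ {
      addr = $0; sub(/.*@/, "", addr); sub(/[>; \t].*/, "", addr)
      n = split(addr, part, "."); print tolower(part[n]); exit
    }' "$1"
}

# One "ip tld" line per message; "unknown" keeps the columns aligned.
tally() {
  for f in "$1"/*; do
    ip=$(top_received_ip "$f"); tld=$(sender_tld "$f")
    printf '%s %s\n' "${ip:-unknown}" "${tld:-unknown}"
  done
}

# TLD frequency table, most common first, and the sorted unique IP list.
tld_counts() { tally "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn; }
unique_ips() { tally "$1" | awk '$1 != "unknown" { print $1 }' | sort -u; }

SPAMDIR=$(mktemp -d)
make_samples "$SPAMDIR"
echo "Sender TLDs:"; tld_counts "$SPAMDIR"
echo "Unique IPs:";  unique_ips "$SPAMDIR"
```

Point the script at a real folder by replacing `make_samples` with the path to your saved-spam directory; the TLD table is what surfaces a pattern like the .bid/.stream/.trade one above, and the IP list is the candidate input for a temporary firewall rule.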
On 24/10/17 10:01, Laurie Brown wrote:
Hi all,
Well, after many years of my Linux mail filters working very well, I've noticed a significant increase in spam over the last week, and last night I got 33 alone, an unheard of number.
Has anyone else noticed this?
Not really. Yesterday I got 12 that made it into my spam folder. Really spammy ones get rejected so don't make it to my spam folder. It's more than I'd like. It increased a while ago but seems fairly constant. Hardly any make it into my inbox. Sometimes I get a few false positives; frequently the pub-announce from this list!
I use postfix, blacklists, postgrey, spamassassin (and a Bayesian DB), with all the usual postfix settings to discourage spammers. I also use a honeytrap third party MX server which traps and records some spam.
Honeytrap? My "Honeytrap" is a service which records and traps spam as you describe, but basically sends a "Failure. Try again later" message to the email sender. This is listed as my last-placed email server in my MX records. The theory being that a well behaved email sender will try email servers in the correct order but spammers often go to the last-placed email server first, on the theory that it will have had less security hardening applied to it. I'm guessing that this is what you do. If not, you may want to add this to your system.
Normally, once in a while I'll see a small increase in spam, and then the RBLs kick in and it stops after a few hours. However, I can't even find much of a pattern in the emails; there are a couple of regular IPs - now firewalled out - but in the main they are random. There must be a massive Windows-based botnet out there with some new spamming software on it. It's certainly dealing with grey-listing now.
Ideas anyone?
Perhaps add more RBLs? Apart from that I can't really think of much else you could do.
Occasionally, I report spam I have received to SpamCop. If you're not familiar with it, Spamcop takes your spam and works out who really sent it. It then sends a report to the ISP of whoever sent it. The report tries to anonymise you. The theory is that if you complain to the ISP, genuine spammers will get shut down, and people with compromised/infected machines will be LARTed. It's a "long-game" sort of option - it won't have an immediate effect, but may result in less spam for everyone in the future. Pros and cons - if spammers work out who reported them, they might then avoid you because you report them, but on the flip side, they might try to punish you or think this is a confirmed live email address - let's use it.
Use multiple email addresses. If you run your own email server, you may be able to use multiple email addresses. My email system allows me to configure it so that, for example, user numpty has email address numpty@example.invalid, but also any email in the format numpty-{PrettyMuchAnything}@example.invalid.
With this set up, you can take two approaches, date code, or company code your emails. I don't like date-coding emails, but you could use email addresses for a year, or a month or something and have numpty-2017@example.invalid for this year, and then use a new one for next year. Then you use spamassassin to reduce the amount of spam to old email addresses, or just reject email to them. As I said, I don't like this approach, as you have to keep updating people with your new email address.
Company coding emails I like more. If you email BigCorp, always use email address numpty-BigCorp@example.invalid. Only use this address with this company. Then, if you start getting spam to numpty-BigCorp@example.invalid, you know where it has been harvested from (and this may affect decisions about if you wish to continue your relationship with them). Also, you can reject email from numpty-BigCorp@example.invalid and tell them you've changed your email address to numpty-BigCorp2@example.invalid. This does mean you end up using a lot of email addresses and need to have an email system that allows you to enter multiple "from" email addresses (Thunderbird does, ish.).
Alternatively, "just" change your email address every now and again!
This email address "munging" won't solve your current problem - it may just reduce it in future.
I've drawn the conclusion recently that, if you use an email address, it will get harvested eventually, because, no matter how careful you are, you are relying on the security of everyone else who has it, so you're only as secure as the least secure person in your contact list. Consequently, you're either going to have to change email addresses regularly, put up with spam, or use good anti-spam systems, or some combination of the above.
In your later post, you say you've got some new TLDs that seem to be sending the email, and have identified some IP addresses which you have blocked. I just wondered; surely there must be some way of tweaking spamassassin to reduce the amount of spam from a TLD. There is a more_spam_to option, but there doesn't seem to be a less_spam_to option.
Hope this helps somehow.
Steve
On 25/10/17 11:08, steve-ALUG@hst.me.uk wrote:
On 24/10/17 10:01, Laurie Brown wrote:
Hi all,
[SNIP]
Honeytrap? My "Honeytrap" is a service which records and traps spam as you describe, but basically sends a "Failure. Try again later" message to the email sender. This is listed as my last-placed email server in my MX records. The theory being that a well behaved email sender will try email servers in the correct order but spammers often go to the last-placed email server first, on the theory that it will have had less security hardening applied to it. I'm guessing that this is what you do. If not, you may want to add this to your system.
That's exactly what I use, except the people I use collate the data to update their RBLs.
[SNIP]
Perhaps add more RBLs? Apart from that I can't really think of much else you could do.
I'm careful as to the RBLs I use as some are more reliable than others. I have paying clients who don't need the hassle of rejected email thanks to some bloke in his bedroom with a grudge!
Occasionally, I report spam I have received to SpamCop. If you're not familiar with it, Spamcop takes your spam and works out who really sent it. It then sends a report to the ISP of whoever sent it. The report tries to anonymise you. The theory is that if you complain to the ISP, genuine spammers will get shut down, and people with compromised/infected machines will be LARTed. It's a "long-game" sort of option - it won't have an immediate effect, but may result in less spam for everyone in the future. Pros and cons - if spammers work out who reported them, they might then avoid you because you report them, but on the flip side, they might try to punish you or think this is a confirmed live email address - let's use it.
I've never heard of that: thanks for the heads-up. I'll look into it.
Use multiple email addresses.
[BIG SNIP]
This isn't an option for me, but I get the point.
I've drawn the conclusion recently that, if you use an email address, it will get harvested eventually, because, no matter how careful you are, you are relying on the security of everyone else who has it, so you're only as secure as the least secure person in your contact list. Consequently, you're either going to have to change email addresses regularly, put up with spam, or use good anti-spam systems, or some combination of the above.
All of that is true. I use what are normally very good anti-spam systems, but as I originally said, something isn't quite right out there at the moment. It happens regularly, as spammers find a way around the measures we take, and then we learn to deal with that. Until now, grey-listing has been good, but this current batch is dealing with that.
In your later post, you say you've got some new TLDs that seem to be sending the email, and have identified some IP addresses which you have blocked. I just wondered; surely there must be some way of tweaking spamassassin to reduce the amount of spam from a TLD. There is a more_spam_to option, but there doesn't seem to be a less_spam_to option.
As I expected, the IP list option was unsustainable from a maintenance perspective, although it was very effective. I've since, using postfix's inbuilt options, totally blocked these TLDs (temporarily):
.bid .loan .stream .top .trade
The average blockage rate across the filters is so far a little under 20 an hour. Note that these are only the ones passing the RBLS, and all the other postfix anti-spam tricks.
Hope this helps somehow.
Steve
Indeed. Thanks.
Cheers, Laurie.
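Added example, not from Laurie's or Steve's messages: a shell script that writes the two Postfix access maps the last two posts describe (a sender-side block on the .bid .loan .stream .top .trade TLDs, and Steve's numpty-{tag}@ scheme with a map that rejects a tag once it has been harvested), prints the main.cf lines that reference them, and rehearses the verdicts offline with the same regular expression that goes into the map. Paths, addresses and the reject texts are assumptions for the example; the postfix restriction names and map types are real. The caveat Laurie gives above stands: a TLD block also rejects any legitimate correspondent on one of those TLDs, which is why the rehearsal step is there.

```shell
#!/bin/sh
# Added example (not from the thread). Generates two Postfix access maps into a
# scratch directory and checks their verdicts before anything is deployed.
#   1. sender_tld_access: regexp: map rejecting envelope senders in blocked TLDs
#   2. burned_tags: hash: map rejecting a harvested numpty-<tag>@ address
# Addresses, paths and reject texts are assumptions for this example.

BLOCKED_TLDS="bid loan stream top trade"
BURNED_TAGS="numpty-BigCorp@example.invalid"

# Postfix regexp tables are read directly (no postmap needed). Matching is
# case-insensitive by default, so no /i flag: in regexp tables the i flag
# toggles case sensitivity ON.
gen_sender_tld_map() {
  alts=$(printf '%s' "$BLOCKED_TLDS" | tr ' ' '|')
  printf '/\\.(%s)$/  REJECT Mail from this top-level domain is not accepted\n' "$alts"
}

# hash: tables do need "postmap /etc/postfix/burned_tags" after editing.
gen_burned_tag_map() {
  for a in $BURNED_TAGS; do
    printf '%s  REJECT This address has been retired; use the replacement you were sent\n' "$a"
  done
}

# main.cf lines that reference the maps. recipient_delimiter = - makes
# numpty-anything@ deliver to numpty (Postfix tries the full local part first,
# so an existing dashed mailbox name still works). check_recipient_access looks
# up user-tag@domain before user@domain, so the burned tag is matched in full.
main_cf_lines() {
  cat <<'EOF'
recipient_delimiter = -
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access regexp:/etc/postfix/sender_tld_access
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/burned_tags
EOF
}

# Rehearsal of the sender lookup: extract the pattern actually written into the
# map and apply it with grep -E, case-insensitively as Postfix would.
sender_verdict() {
  pat=$(gen_sender_tld_map | sed 's#^/\(.*\)/.*#\1#')
  if printf '%s\n' "$1" | grep -Eiq "$pat"; then echo REJECT; else echo OK; fi
}

# Rehearsal of the recipient lookup: exact, case-folded match on a burned tag.
recipient_verdict() {
  addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for a in $BURNED_TAGS; do
    if [ "$addr" = "$(printf '%s' "$a" | tr 'A-Z' 'a-z')" ]; then
      echo REJECT; return 0
    fi
  done
  echo OK
}

OUT=$(mktemp -d)                      # scratch dir; copy to /etc/postfix when happy
gen_sender_tld_map >"$OUT/sender_tld_access"
gen_burned_tag_map >"$OUT/burned_tags"
echo "maps written to $OUT"; main_cf_lines
for s in offers@random-name.bid alug@lists.example.org; do
  echo "sender $s: $(sender_verdict "$s")"
done
```

Run it, inspect the two files in the scratch directory, then copy them into /etc/postfix, run postmap on burned_tags, add the main.cf lines and reload postfix. The rehearsal only covers the access-map verdicts themselves; it does not model the RBL and other restrictions that run ahead of them.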
On 25/10/17 13:55, Laurie Brown wrote:
On 25/10/17 11:08, steve-ALUG@hst.me.uk wrote:
Occasionally, I report spam I have received to SpamCop. If you're not familiar with it, Spamcop takes your spam and works out who really sent it. It then sends a report to the ISP of whoever sent it. The report tries to anonymise you. The theory is that if you complain to the ISP, genuine spammers will get shut down, and people with compromised/infected machines will be LARTed. It's a "long-game" sort of option - it won't have an immediate effect, but may result in less spam for everyone in the future. Pros and cons - if spammers work out who reported them, they might then avoid you because you report them, but on the flip side, they might try to punish you or think this is a confirmed live email address - let's use it.
I've never heard of that: thanks for the heads-up. I'll look into it.
https://www.spamcop.net/ Create an account (free). Login. You're taken to a report spam page, but at the top it says
Forward your spam to: submit.SOMEUNIQUENUMBER@spam.spamcop.net. That's your unique reporting address.
I then select all the spams I want to report, forward as an attachment to that address. A short while later, spamcop then sends you one email for each spam. In each email is a report link. Click on the link and it displays who it thinks the sender was, who their ISP is, and relevant ISP if they're advertising a product and other detected IP addresses or ISPs. It preselects who it thinks you should report to, but you can override it if you want. You can add extra info (a description) if you want. If some of your email comes through a trusted relay, make sure you don't report that relay!
As you have to do a page for each spam it can take a while so I tend to use it for the most annoying or offensive spam.
If you're happy, "report" it. Occasionally you may get a message back from an ISP acknowledging the spam report. Spamcop also run a RBL generated as a result of these spam reports. I believe they're trustworthy, but I don't use their RBL.
HTH Steve
PS, Spamcop, it works better with fresh spam. It won't let you report something more than 3 days old. I'd only bother with today's spam, and possibly yesterday's.
Steve
<Sucking eggs> I think spamassassin is supposed to update itself by some sort of scheduled task, but every now and again I like to run
sudo sa-update
(I think it needs the sudo) to update all its settings including up-to-date blocklists.
</Sucking eggs> Steve
On 25/10/17 23:18, steve-ALUG@hst.me.uk wrote:
<Sucking eggs> I think spamassassin is supposed to update itself by some sort of scheduled task, but every now and again I like to run
sudo sa-update
(I think it needs the sudo) to update all its settings including up-to-date blocklists.
</Sucking eggs> Steve
That gets done when I update the Bayesian databases, but it's worth mentioning as some may not realise it exists.
Cheers, Laurie.
On 25/10/17 22:51, steve-ALUG@hst.me.uk wrote:
On 25/10/17 13:55, Laurie Brown wrote:
On 25/10/17 11:08, steve-ALUG@hst.me.uk wrote:
Occasionally, I report spam I have received to SpamCop. If you're not familiar with it, Spamcop takes your spam and works out who really sent it. It then sends a report to the ISP of whoever sent it. The report tries to anonymise you. The theory is that if you complain to the ISP, genuine spammers will get shut down, and people with compromised/infected machines will be LARTed. It's a "long-game" sort of option - it won't have an immediate effect, but may result in less spam for everyone in the future. Pros and cons - if spammers work out who reported them, they might then avoid you because you report them, but on the flip side, they might try to punish you or think this is a confirmed live email address - let's use it.
I've never heard of that: thanks for the heads-up. I'll look into it.
https://www.spamcop.net/ Create an account (free). Login. You're taken to a report spam page, but at the top it says
Forward your spam to: submit.SOMEUNIQUENUMBER@spam.spamcop.net. That's your unique reporting address.
I then select all the spams I want to report, forward as an attachment to that address. A short while later, spamcop then sends you one email for each spam. In each email is a report link. Click on the link and it displays who it thinks the sender was, who their ISP is, and relevant ISP if they're advertising a product and other detected IP addresses or ISPs. It preselects who it thinks you should report to, but you can override it if you want. You can add extra info (a description) if you want. If some of your email comes through a trusted relay, make sure you don't report that relay!
As you have to do a page for each spam it can take a while so I tend to use it for the most annoying or offensive spam.
If you're happy, "report" it. Occasionally you may get a message back from an ISP acknowledging the spam report. Spamcop also run a RBL generated as a result of these spam reports. I believe they're trustworthy, but I don't use their RBL.
HTH Steve
Many thanks for that; I think I'll have a go when I next have a clear out.
As it happens, I *do* use their RBL!
Cheers, Laurie.
<snip>
https://www.spamcop.net/ Create an account (free). Login. You're taken to a report spam page, but at the top it says
Forward your spam to: submit.SOMEUNIQUENUMBER@spam.spamcop.net. That's your unique reporting address.
I then select all the spams I want to report, forward as an attachment to that address. A short while later, spamcop then sends you one email for each spam. In each email is a report link. Click on the link and it displays who it thinks the sender was, who their ISP is, and relevant ISP if they're advertising a product and other detected IP addresses or ISPs. It preselects who it thinks you should report to, but you can override it if you want. You can add extra info (a description) if you want. If some of your email comes through a trusted relay, make sure you don't report that relay!
As you have to do a page for each spam it can take a while so I tend to use it for the most annoying or offensive spam.
If you're happy, "report" it. Occasionally you may get a message back from an ISP acknowledging the spam report. Spamcop also run a RBL generated as a result of these spam reports. I believe they're trustworthy, but I don't use their RBL.
HTH Steve
Would that work for personal accounts too? Likewise Spamassassin? (Not asking for myself by the way as Thunderbird and gmx are a bit over enthusiastic about barring spam sometimes... Yes I have checked the settings.)
Bev.
On 26/10/17 11:40, Bev Nicolson wrote:
<snip>
> https://www.spamcop.net/
> Create an account (free).
> Login.
> <snip>
> Would that work for personal accounts too? Likewise Spamassassin? (Not asking for myself by the way as Thunderbird and gmx are a bit over enthusiastic about barring spam sometimes... Yes I have checked the settings.)
Bev.
Ignore my bit about Spamassassin, btw. 'Googled' it.
Bev.
On 26/10/17 11:40, Bev Nicolson wrote:
<snip>
> https://www.spamcop.net/
> <snip>
> Would that work for personal accounts too? Likewise Spamassassin? (Not asking for myself by the way as Thunderbird and gmx are a bit over enthusiastic about barring spam sometimes... Yes I have checked the settings.)
Yes. I have multiple email addresses but basically this is just a personal email account. I see no reason why it wouldn't work, as long as you can forward the spam as an attachment.
Steve
On 24/10/17 10:01, Laurie Brown wrote:
Hi all,
Well, after many years of my Linux mail filters working very well, I've noticed a significant increase in spam over the last week, and last night I got 33 alone, an unheard of number.
Has anyone else noticed this?
Guess I've just been lucky. Not noticed any increase. Still get about 5 a week.
Nev