Drowning in spam


stephen mulcahy

Apr 22, 2008, 4:28:04 AM
to mem...@lists.sysadmin.ie
Howdy,

I've been looking for an excuse to test out the new list address -
thanks to a world full of spammers I've been given that opportunity.

I came in this morning to find my mailbox full of bounces for spam sent
using our addresses - the stuff is coming at the rate of a mail every
few seconds so I've disabled at least one of the addresses entirely.

Obviously this isn't a generally useful strategy (we'll be going through
email addresses at a ferocious rate) - what are others doing to deal
with this?

Other than that, I've also noticed a big increase in spam that's getting
through our filters (spamassassin, no black lists but bayesian learning
ok) since Friday - has some big new botnet kicked into action and what
else can you do other than tweak spamassassin to manage this new spam?

Any thoughts and comments welcome.

-stephen

--
Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center,
GMIT, Dublin Rd, Galway, Ireland. +353.91.751262 http://www.aplpi.com
Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)

Sam Johnston

Apr 22, 2008, 4:53:00 AM
to mem...@lists.sysadmin.ie, stephen mulcahy
Hi Stephen,

I haven't so much as thought about SPAM since moving to Google Apps and Postini (which is tossed in for free with the $50/user/year premier edition or costs three bucks per user per year separately). Granted I've been selling the stuff since 2006, but I was a user first!

In answer to your question about Joe Jobs (http://en.wikipedia.org/wiki/Joe_job) though, the best defense is probably sender authentication of some sort and globally blacklisting brain-dead mail servers (which won't help you today unfortunately). I've got an SPF record for example which only allows Google and Postini servers to send mail from samj.net:

$ host -t txt samj.net
samj.net descriptive text "v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 include:aspmx.googlemail.com ~all"

Well-configured mail servers should refuse to accept joe job mail rather than bouncing it later...

Sam

Brian Scanlan

Apr 22, 2008, 4:59:19 AM
to mem...@lists.sysadmin.ie, stephen mulcahy
On Tue, Apr 22, 2008 at 9:28 AM, stephen mulcahy <smul...@aplpi.com> wrote:
> Other than that, I've also noticed a big increase in spam that's getting
> through our filters (spamassassin, no black lists but bayesian learning ok)
> since Friday - has some big new botnet kicked into action and what else can
> you do other than tweak spamassassin to manage this new spam?

Are you running a modern version of SpamAssassin and/or using the
VBounce ruleset?

http://taint.org/2007/01/10/141434a.html
http://wiki.apache.org/spamassassin/VBounceRuleset

Brian.

James Coleman

Apr 22, 2008, 5:31:15 AM
to mem...@lists.sysadmin.ie
I have an old old email address that collects tons of spam.
Occasionally I saw a spam-bounce from spammer forging my address.

On the Easter weekend this year I got I think 200 spam-bounces on the Fri night.
I saw them on Sat. The good news is after maybe 600 more that weekend they stopped completely.

I filtered any bounces to a spam-bounce folder, now I have a mail-filter ready if it happens again.

I also sent a quick mail to whoever postmaster@wherever was.
I got one reply. A very nice Swiss person. :)

$ MYMAILSRV=whatever   # our own mail host, so we don't report ourselves
$ # pull the "From ", From: and Subject: lines out of the spam-bounce mbox, keep the
$ # From: that follows each "From " separator, reduce it to the bare address, map
$ # mailer-daemon to postmaster, drop our own server and dedupe
$ MOO=$(egrep "^(From |From: |Subject: )" "Application Data/Thunderbird/Profiles/9ons8p9k.default/Mail/Local Folders/spam-bounce" \
    | grep -A1 "^From " | egrep -v "(--|^From )" | grep "^From:" \
    | sed "s/From: //; s/.*<//; s/>.*//; s/ (Mail Delivery System)//; s/mailer-daemon/postmaster/i" \
    | egrep -v "$MYMAILSRV" | sort | uniq)

Subject: SPAM Report

Your mail server bounced spam messages and sent a bounce to the forged from address.

I've seen the odd spam-bounce since but not a big flurry again.
I report spam to this account using spamcop and it gets somewhere between 20 and 100 spam daily
these days.

James.

Alan Doherty

Apr 22, 2008, 6:23:50 AM
to mem...@lists.sysadmin.ie, stephen mulcahy
At 09:28 22/04/2008 Tuesday, stephen mulcahy wrote:

>Howdy,
>
>I've been looking for an excuse to test out the new list address - thanks to a world full of spammers I've been given that opportunity.
>
>I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
>
>Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?

I check mail from <> by looking up the sending IP against backscatter.org, then grepping the data portion for list subscribers' addresses to weed out false positives, then rejecting after DATA all non-matches}
{while delivering silently to an evidence box that I look through for bad {not preserving delivered-to address} autoresponders when bothered}

{only checking mail from <> against that list {no reject till after DATA} as they also list autoresponders and hosts that do callouts as well, and I don't block/disallow those}

also compiling my own clean backscatterers-only list from the aggregate and rejecting after DATA all not containing a subscriber address in the body
and considering offering a rcpt-time optional reject-backscatterers option for users wanting to run their mail filtering at a LART-idiotic-admins level {the sort of users that want to reject on rfc-ignorant lists; that's available, but few choose to use it for more than scoring}

{BTW Google features highly for backscatter from non-gmail domains they host}


>Other than that, I've also noticed a big increase in spam that's getting through our filters (spamassassin, no black lists but bayesian learning ok) since Friday - has some big new botnet kicked into action and what else can you do other than tweak spamassassin to manage this new spam?

I find zen invaluable, and SpamAssassin only good with RBL testing, as most spam is covered just by rejecting those on dynamic/dialup/homeuser {thus listed in sbl>zen}

stephen mulcahy

Apr 22, 2008, 6:45:24 AM
to mem...@lists.sysadmin.ie
stephen mulcahy wrote:
> I came in this morning to find my mailbox full of bounces for spam sent
> using our addresses - the stuff is coming at the rate of a mail every
> few seconds so I've disabled at least one of the addresses entirely.
>
> Obviously this isn't a generally useful strategy (we'll be going through
> email addresses at a ferocious rate) - what are others doing to deal
> with this?

Thanks to everyone that responded to my initial email.

I went and took a look at Justin's excellent blog on the topic (the
slightly updated one at http://taint.org/2007/05/30/164456a.html) and
pretty much implemented everything he described there.

The postfix modifications addressed most of it - the VBounce rules did
the rest. I think this will do the trick for now.

We're running Debian etch on our servers - I don't want to be running a
testing distro on production systems, but I've gone and added Etch
volatile to pick up the latest Spamassassin (3.2.x) since Etch is
carrying 3.1.x. More info on Debian Volatile here -
http://www.debian.org/volatile/.

Thanks again for the feedback and comments - it's proven invaluable this
morning in addressing a big headache, and thanks to Sam for his work
on the lists - all seems to be running smoothly.

Sam Johnston

Apr 22, 2008, 8:08:47 AM
to mem...@lists.sysadmin.ie
On Apr 22, 10:53 am, "Sam Johnston" <s...@samj.net> wrote:
> I haven't so much as thought about SPAM since moving to Google Apps and
> Postini (which is tossed in for free with the $50/user/year premier edition
> or costs three bucks per user per year separately). Granted I've been
> selling the stuff since 2006, but I was a user first!

Just to clarify (and to see if posting works from
http://groups.google.com/group/sysadmin-ie/ - if you see this, it
does) the Postini service (and others like it) is separate from Google
Apps in that once you've provisioned your account you just update your
MX records and they will take care of dealing with the unwashed masses
for you.

I believe 30 day trial accounts can be had if anyone wants to suck it
and see, and there's a bunch of others providing similar services
(which basically allow you to focus on something more useful/
interesting).

Sam

> On Tue, Apr 22, 2008 at 10:28 AM, stephen mulcahy <smulc...@aplpi.com>

Alan Doherty

Apr 22, 2008, 7:08:14 AM
to mem...@lists.sysadmin.ie, stephen mulcahy
At 11:45 22/04/2008 Tuesday, stephen mulcahy wrote:

>stephen mulcahy wrote:
>>I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
>>Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
>
>Thanks to everyone that responded to my initial email.
>
>I went and took a look at Justins excellent blog on the topic (the slightly updated one at http://taint.org/2007/05/30/164456a.html) and pretty much implemented everything he described there.
>
>The postfix modifications addressed most of it - the VBounce rules did the rest. I think this will do the trick for now.


though weren't you discussing bounces to list addresses like {member...@lists.sysadmin.ie}?
if so, isn't using the above alone going to mean you never detect dead recipient addresses in your list?
or does VBounce only reject bounces that have spam attached? if so, do any that remove the content before bouncing get through?

I'd still consider a data filter that looks for known subscriber addresses in the body before rejecting after DATA, but maybe I just need to read up on VBounce
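The end-of-DATA check Alan describes in his two messages above (look up the sending IP of null-sender mail against a backscatterer list, grep the data portion for the addresses you actually deliver to, reject everything that names none of them), written out as an added example. This is not code from anyone in the thread. The list address, the subscriber set, the "listed" host and the three sample bounces are all constructed for the example, and the DNSBL query is replaced by a set lookup; a real deployment would query the list over DNS and read subscribers from the list manager.

```python
"""Null-sender mail at end of DATA: accept real bounces, reject backscatter.

Added example of the procedure described in the thread. Only mail with an empty
envelope sender is examined; if the sending host is on a backscatterer list, the
DATA portion is searched for addresses we actually deliver to and the bounce is
rejected when it names none of them. Every address, sample message and 'listed'
host below is constructed; a real MTA would query the DNSBL and the list manager.
"""
import email
import re

LIST_ADDRESS = "members@lists.example.ie"             # constructed: what spammers forge
SUBSCRIBERS = {"alice@example.ie", "bob@example.ie"}  # constructed: who we deliver to
LISTED_BACKSCATTERERS = {"203.0.113.9"}               # constructed stand-in for a DNSBL hit

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DSN_RECIPIENT_HEADERS = ("Final-Recipient", "Original-Recipient", "X-Failed-Recipients")


def bounced_recipients(raw_message, exclude):
    """Lowercase set of addresses the bounce says it tried to deliver to.

    Taken from DSN recipient fields, the To/Cc of an attached original message and
    any text part. `exclude` is the address we expect to see forged as sender:
    every backscatter bounce quotes it, so it says nothing about whether the
    bounced mail was really ours.
    """
    msg = email.message_from_string(raw_message)
    found = set()
    for part in msg.walk():
        headers = list(DSN_RECIPIENT_HEADERS)
        if part is not msg:  # an embedded original (message/rfc822) or a DSN block
            headers += ["To", "Cc", "Delivered-To"]
        for hdr in headers:
            for value in part.get_all(hdr, []):
                found.update(ADDR_RE.findall(str(value)))
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            found.update(ADDR_RE.findall(
                payload.decode(part.get_content_charset() or "us-ascii", "replace")))
    return {a.lower() for a in found} - {exclude.lower()}


def classify(envelope_sender, client_ip, raw_message,
             subscribers=SUBSCRIBERS, listed=LISTED_BACKSCATTERERS):
    """SMTP decision for one message at end of DATA: 'accept' or 'reject'."""
    if envelope_sender != "":
        return "accept"  # only null-sender mail (bounces, autoresponders) is examined
    if client_ip not in listed:
        return "accept"  # not a known backscatterer; normal filtering takes over
    if bounced_recipients(raw_message, LIST_ADDRESS) & {s.lower() for s in subscribers}:
        return "accept"  # a listed host, but it is bouncing mail we really sent
    # A bounce whose sender stripped the original names no recipient and lands here
    # too; that is why the thread keeps a silent copy in an evidence box.
    return "reject"


# Constructed sample: a genuine bounce for list mail we sent to a subscriber.
REAL_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: members-bounces@lists.example.ie
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

The following address failed:
  <bob@example.ie>: mailbox full
"""

# Constructed sample: backscatter, a bounce of spam that forged our list address.
BACKSCATTER = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: members@lists.example.ie
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

The following address failed:
  <victim@example.com>: unknown user

------ This is a copy of the message, including all the headers. ------
From: members@lists.example.ie
To: victim@example.com
Subject: cheap watches
"""

# Constructed sample: a multipart/report DSN whose recipient appears only in the
# message/delivery-status part, never in text.
DSN_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: members-bounces@lists.example.ie
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed permanently.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; alice@example.ie
Action: failed
Status: 5.1.1
--b1--
"""
```

The forged sender is deliberately excluded from the match: a bounce of forged spam always contains our own address in the quoted headers, so only the recipient side tells a real bounce from backscatter. The rejection of content-stripped bounces is the false positive Alan raises in his second message; the decision here is the SMTP reply only, the evidence-box copy is outside the function.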

Cian Davis

Apr 22, 2008, 8:39:50 AM
to mem...@lists.sysadmin.ie, Sam Johnston, stephen mulcahy

Hi All,
Technically, that's not a Joe Job, it's backscatter
http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29 It's difficult to
deal with, as I understand it, and is usually a matter of waiting for it
to die down.

We (Skynet) process about 15,000 - 20,000 mails a day. Depending on the
day, we reject between 55% and 75% of mail at SMTP time, almost all of
it using zen.spamhaus.org. On top of that, we use postgrey. When it was
implemented, my spam per day dropped from ~100 a day to about 5.
Greylisting is still very effective, but due to the delay, it's often
not acceptable for businesses. I'm back up to about 15 - 20 a day which
go through SpamAssassin. It almost all gets caught but due to some of my
old rules, I do get some false positives. Most spam I get is to the
postmaster and abuse aliases. Razor/Pyzor used to be very, very
effective but not as much so now. Other DNSBLs used by SA often get hit,
but the ones that catch most of the spam are the URI ones.

Would people here advocate rejecting mail entirely for a failed SPF
record check? At the moment, any SPF checks we do are with SA so they
just get points.

How does this compare with other mail setups? In particular, what hit of
SMTP time rejection are you seeing?

Regards,
Cian

Sam Johnston wrote, On 22/04/08 09:53:


> Hi Stephen,
>
> I haven't so much as thought about SPAM since moving to Google Apps
> and Postini (which is tossed in for free with the $50/user/year
> premier edition or costs three bucks per user per year separately).
> Granted I've been selling the stuff since 2006, but I was a user first!
>
> In answer to your question about Joe Jobs
> (http://en.wikipedia.org/wiki/Joe_job) though, the best defense is
> probably sender authentication of some sort and globally blacklisting
> brain-dead mail servers (which won't help you today unfortunately).
> I've got an SPF record for example which only allows Google and
> Postini servers to send mail from samj.net:
>
> $ host -t txt samj.net
> samj.net descriptive text "v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 include:aspmx.googlemail.com ~all"

Sam Johnston

Apr 22, 2008, 2:25:43 PM
to Brian Sullivan, mem...@lists.sysadmin.ie
On Tue, Apr 22, 2008 at 8:12 PM, Brian Sullivan <xei-i...@hushmail.com> wrote:
You might like to know that Hushmail's spam filter didn't like this message.

Appears to be SPF related - apt considering the context of the discussion!

Sam
 

Alan Doherty

Apr 22, 2008, 3:28:26 PM
to mem...@lists.sysadmin.ie, Sam Johnston, Brian Sullivan
At 19:25 22/04/2008 Tuesday, Sam Johnston wrote:

>On Tue, Apr 22, 2008 at 8:12 PM, Brian Sullivan <xei-i...@hushmail.com> wrote:
>You might like to know that Hushmail's spam filter didn't like this message.
>
>
>Appears to be SPF related - apt considering the context of the discussion!
>
>Sam

yup, seems the host and domain
{both lists.sysadmin.ie}
have no SPF or other TXT records at all

I still wish CSV had taken off {would kill many botnets if ISPs had added it to the root reverse FcDNS zone for their dialups, but then so would ISPs volunteering their addresses to the PBL}
http://en.wikipedia.org/wiki/Certified_Server_Validation

as I hate SPF breaking forwarding done by others of my users' mail

{I only use it with -all to indicate domains/hostnames with no mail originating from those addresses}

Sam Johnston

Apr 23, 2008, 10:44:55 AM
to Alan Doherty, mem...@lists.sysadmin.ie, Brian Sullivan
On Tue, Apr 22, 2008 at 9:28 PM, Alan Doherty <al...@alandoherty.net> wrote:

> At 19:25 22/04/2008 Tuesday, Sam Johnston wrote:
>
> >On Tue, Apr 22, 2008 at 8:12 PM, Brian Sullivan <xei-i...@hushmail.com> wrote:
> >You might like to know that Hushmail's spam filter didn't like this message.
> >
> >Appears to be SPF related - apt considering the context of the discussion!
> >
> >Sam
>
> yup, seems the host and domain
> {both lists.sysadmin.ie}
> have no SPF or other TXT records at all
>
> as I hate SPF breaking forwarding done by others of my users' mail
>
> {I only use it with -all to indicate domains/hostnames with no mail originating from those addresses}

Interesting idea... while lists.sysadmin.ie doesn't have SPF, my
domain does and it looks like that's where the wheels fell off
courtesy the forwarding:

Received-SPF: softfail (google.com: domain of transitioning
sam.johnston+caf_=samj=samj...@sysadmin.ie does not designate
207.126.144.49 as permitted sender) client-ip=207.126.144.49;
Authentication-Results: mx.google.com; spf=softfail (google.com:
domain of transitioning sam.johnston+caf_=samj=samj...@sysadmin.ie
does not designate 207.126.144.49 as permitted sender)
smtp.mail=sam.johnston+caf_=samj=samj...@sysadmin.ie

Sam

Sam Johnston

Apr 23, 2008, 12:09:25 PM
to Francis Daly, mem...@lists.sysadmin.ie, Alan Doherty, Brian Sullivan
On Wed, Apr 23, 2008 at 5:54 PM, Francis Daly <fra...@daoine.org> wrote:

> On Wed, Apr 23, 2008 at 04:44:55PM +0200, Sam Johnston wrote:
> > On Tue, Apr 22, 2008 at 9:28 PM, Alan Doherty <al...@alandoherty.net> wrote:
> > > At 19:25 22/04/2008 Tuesday, Sam Johnston wrote:
> > > >On Tue, Apr 22, 2008 at 8:12 PM, Brian Sullivan <xei-i...@hushmail.com> wrote:
>
> Hi there,
>
> > > >You might like to know that Hushmail's spam filter didn't like this message.
> > > >
> > > >Appears to be SPF related - apt considering the context of the discussion!
>
> > Interesting idea... while lists.sysadmin.ie doesn't have SPF, my
> > domain does and it looks like that's where the wheels fell off
> > courtesy the forwarding:
>
> I'm not sure that's right.
>
> > Received-SPF: softfail (google.com: domain of transitioning
> > sam.johnston+caf_=samj=samj...@sysadmin.ie does not designate
> > 207.126.144.49 as permitted sender) client-ip=207.126.144.49;
> > Authentication-Results: mx.google.com; spf=softfail (google.com:
> > domain of transitioning sam.johnston+caf_=samj=samj...@sysadmin.ie
> > does not designate 207.126.144.49 as permitted sender)
> > smtp.mail=sam.johnston+caf_=samj=samj...@sysadmin.ie
>
> samj.net does have an SPF record, but that doesn't matter here. This
> particular mail (hop) is from an envelope address @sysadmin.ie, so it's
> the SPF records for that domain that count. And they are
>
> $ host -t txt sysadmin.ie
> sysadmin.ie descriptive text "v=spf1 include:aspmx.googlemail.com ~all"
>
> and what is included is
>
> $ host -t txt aspmx.googlemail.com
> aspmx.googlemail.com descriptive text "v=spf1 redirect=_spf.google.com"
>
> and what is redirected is
>
> $ host -t txt _spf.google.com
> _spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ?all"
>
> and the ?all in the included-redirected bit is effectively ignored,
> so the original falls back to the ~all, which is the reported softfail.
>
> Whether hushmail should use an SPF softfail to mean "spam" is a separate
> matter -- possibly it was used in conjunction with other spamlike
> characteristics before the warning flag was raised.
>
> But to avoid the softfail, the server that is doing the rewriting would
> need to use a domain that has correct-or-no SPF records. So either change
> it to be @lists.sysadmin.ie, or change the sysadmin.ie records to include
> 207.126.144.49.
>
> Unless I've misunderstood how this hangs together...

Well spotted Francis... I didn't look here because I'd already made
the change on ns2.sysadmin.ie, only it hasn't filtered through yet:

$ host -t txt sysadmin.ie ns1.sysadmin.ie
Using domain server:
Name: ns1.sysadmin.ie
Address: 81.17.246.3#53
Aliases:

sysadmin.ie descriptive text "v=spf1 include:aspmx.googlemail.com ~all"
$ host -t txt sysadmin.ie ns2.sysadmin.ie
Using domain server:
Name: ns2.sysadmin.ie
Address: 81.17.246.4#53
Aliases:

sysadmin.ie descriptive text "v=spf1 ip4:81.17.246.0/24

In any case I'm changing this to return 'neutral' instead of
'softfail' to keep those of you using @sysadmin.ie aliases with your
own systems happy:

$ host -t txt sysadmin.ie ns2.sysadmin.ie
Using domain server:
Name: ns2.sysadmin.ie
Address: 81.17.246.4#53
Aliases:

sysadmin.ie descriptive text "v=spf1 ip4:81.17.246.0/24 ?all"

Kind regards,

Sam
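The include/redirect chain Francis walks through above, and the ns1-versus-ns2 difference Sam shows, as an added example that is not part of the original thread: a minimal SPF check_host() run against an offline copy of the TXT records quoted in the thread. The records, the relay address 207.126.144.49 from Sam's Received-SPF header and the ns2 record with ?all are taken from the thread; the zone dictionaries being complete and the 209.85.128.10 test address inside Google's 209.85.128.0/17 are assumptions made for the example. Only ip4, ip6, include, redirect= and all are modelled; mechanisms that need live DNS (a, mx, ptr, exists) return permerror.

```python
"""Minimal SPF (RFC 4408) check_host() for ip4/ip6/include/redirect/all records.

Added example built from the TXT records quoted in the thread; the zone data is a
constructed offline copy, so no DNS lookups happen. It demonstrates Francis's
point: an include: term only matches when the included record returns Pass, so
the ?all at the end of _spf.google.com never reaches the outer record, which
falls through to its own ~all (softfail) or, after Sam's change, ?all (neutral).
"""
import ipaddress

# Constructed copy of the records quoted in the thread, as served by ns1.sysadmin.ie.
RECORDS_NS1 = {
    "sysadmin.ie": "v=spf1 include:aspmx.googlemail.com ~all",
    "samj.net": ("v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 "
                 "include:aspmx.googlemail.com ~all"),
    "aspmx.googlemail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": ("v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 "
                        "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 "
                        "ip4:66.102.0.0/20 ip4:74.125.0.0/16 ?all"),
}

# The same zone after the change Sam describes on ns2 (neutral instead of softfail).
RECORDS_NS2 = dict(RECORDS_NS1, **{"sysadmin.ie": "v=spf1 ip4:81.17.246.0/24 ?all"})

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 4408 caps DNS-causing terms at 10; this also stops include loops


def check_host(ip, domain, records, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for <ip> sending as <domain>."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only used if no mechanism matches
            continue
        if "=" in term:
            continue  # other modifiers (exp=, unknown) do not affect the result
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # an address of the other family is simply not contained in the network
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the included record is "no match": keep
            # going. This is why _spf.google.com's ?all is "effectively ignored".
        else:
            return "permerror"  # a, mx, ptr, exists need DNS and are not modelled here
    if redirect is not None:
        # redirect= hands over the whole evaluation, including the target's 'all'
        return check_host(ip, redirect, records, depth + 1)
    return "neutral"  # ran off the end with no 'all': the RFC default


def thread_cases():
    """The situations discussed in the thread, evaluated against the constructed zones."""
    relay = "207.126.144.49"  # the Postini relay named in Sam's Received-SPF header
    return {
        "relay, sysadmin.ie on ns1": check_host(relay, "sysadmin.ie", RECORDS_NS1),
        "relay, sysadmin.ie on ns2": check_host(relay, "sysadmin.ie", RECORDS_NS2),
        "relay, samj.net": check_host(relay, "samj.net", RECORDS_NS1),
        "google host, sysadmin.ie": check_host("209.85.128.10", "sysadmin.ie", RECORDS_NS1),
    }


if __name__ == "__main__":
    for case, result in thread_cases().items():
        print(f"{case}: {result}")
```

Run stand-alone it prints softfail for the relay against the ns1 record, neutral against the ns2 record, pass for the same relay against samj.net (whose record lists 207.126.144.0/20 directly, which is why samj.net's record was never the problem), and pass for a Google-range host through the include chain. An include of a domain with no record is a permerror rather than a silent non-match, which is the usual way a stale include: breaks a whole record.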
