I've been looking for an excuse to test out the new list address - thanks to a world full of spammers I've been given that opportunity.
I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
Other than that, I've also noticed a big increase in spam that's getting through our filters (spamassassin, no black lists but bayesian learning ok) since Friday - has some big new botnet kicked into action and what else can you do other than tweak spamassassin to manage this new spam?
Any thoughts and comments welcome.
-stephen
--
Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center, GMIT, Dublin Rd, Galway, Ireland. +353.91.751262 http://www.aplpi.com
Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)
I haven't so much as thought about SPAM since moving to Google Apps and Postini (which is tossed in for free with the $50/user/year premier edition or costs three bucks per user per year separately). Granted I've been selling the stuff since 2006, but I was a user first!
In answer to your question about Joe Jobs ( http://en.wikipedia.org/wiki/Joe_job) though, the best defense is probably sender authentication of some sort and globally blacklisting brain-dead mail servers (which won't help you today unfortunately). I've got an SPF record for example which only allows Google and Postini servers to send mail from samj.net:
> I've been looking for an excuse to test out the new list address - thanks to a world full of spammers I've been given that opportunity.
> I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
> Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
> Other than that, I've also noticed a big increase in spam that's getting through our filters (spamassassin, no black lists but bayesian learning ok) since Friday - has some big new botnet kicked into action and what else can you do other than tweak spamassassin to manage this new spam?
> Any thoughts and comments welcome.
> -stephen
> --
> Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center, GMIT, Dublin Rd, Galway, Ireland. +353.91.751262 http://www.aplpi.com
> Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)
On Tue, Apr 22, 2008 at 9:28 AM, stephen mulcahy <smulc...@aplpi.com> wrote:
> Other than that, I've also noticed a big increase in spam that's getting through our filters (spamassassin, no black lists but bayesian learning ok) since Friday - has some big new botnet kicked into action and what else can you do other than tweak spamassassin to manage this new spam?
Are you running a modern version of SpamAssassin and/or using the VBounce ruleset?
I have an old, old email address that collects tons of spam. Occasionally I saw a spam-bounce from a spammer forging my address.
On the Easter weekend this year I got I think 200 spam-bounces on the Fri night. I saw them on Sat. The good news is after maybe 600 more that weekend they stopped completely.
I filtered any bounces to a spam-bounce folder, now I have a mail-filter ready if it happens again.
I also sent a quick mail to whoever postmaster@wherever was. I got one reply. A very nice Swiss person. :)
Your mail server bounced the spam messages and sent the bounce to the forged From address.
I've seen the odd spam-bounce since but not a big flurry again. I report spam to this account using spamcop and it gets somewhere between 20 and 100 spam daily these days.
> I've been looking for an excuse to test out the new list address - thanks to a world full of spammers I've been given that opportunity.
> I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
> Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
> Other than that, I've also noticed a big increase in spam that's getting through our filters (spamassassin, no black lists but bayesian learning ok) since Friday - has some big new botnet kicked into action and what else can you do other than tweak spamassassin to manage this new spam?
At 09:28 22/04/2008 Tuesday, stephen mulcahy wrote:
> Howdy,
> I've been looking for an excuse to test out the new list address - thanks to a world full of spammers I've been given that opportunity.
> I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
> Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
I'm checking mail from <> by looking up the sending IP against backscatter.org, then grepping the data portion for list subscribers' addresses to weed out false positives, then rejecting after DATA all non-matches {while delivering silently to an evidence box that I look for bad {not preserving the delivered-to address} autoresponders in when bothered}
{only checking mail from <> against that list {no reject till after DATA} as they also list autoresponders and hosts that do callouts as well, and I don't block/disallow those}
Also compiling my own clean backscatterers-only list from the aggregate and rejecting after DATA all not containing a subscriber address in the body, and considering offering an optional RCPT-time reject of backscatterers for users wanting to run their mail filtering at a LART-idiotic-admins level {the sort of users that want to reject on rfc-ignorant lists - available, but few choose to use it for more than scoring}
{BTW Google features highly for backscatter from the non-gmail domains they host}
> Other than that, I've also noticed a big increase in spam that's getting through our filters (spamassassin, no black lists but bayesian learning ok) since Friday - has some big new botnet kicked into action and what else can you do other than tweak spamassassin to manage this new spam?
I find zen invaluable, and spamassassin only good with RBL testing, as most spam is covered just by rejecting those on dynamic/dialup/homeuser lists {thus listed in sbl>zen}
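The null-sender policy described in the post above, as an added example (not the poster's code or any mail server's): only mail from <> is examined, a bounce quoting one of our own addresses is let through so dead-subscriber detection keeps working, a listed host sending a bounce that quotes none of our addresses is rejected after DATA, and the rest goes to the evidence box. Assumptions: the backscatterer list is simulated with an in-memory set standing in for a DNSBL query, and the subscriber list, IPs and messages are constructed.

```python
# Added example, not code from the thread: the null-sender bounce policy
# described in the post above, reduced to a function. Assumptions: the
# backscatterer list is simulated with an in-memory set standing in for a
# DNSBL query, and the subscriber list, IPs and messages are constructed.
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ACCEPT = "accept"                  # normal delivery
    REJECT = "reject"                  # 5xx after end-of-DATA
    ACCEPT_TO_EVIDENCE = "evidence"    # deliver silently to the evidence box


# Constructed sample data (documentation ranges, not real hosts).
BACKSCATTERERS = {"198.51.100.23", "203.0.113.9"}
SUBSCRIBERS = {"alice@example.org", "bob@example.org", "list-owner@example.org"}

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Message:
    client_ip: str   # connecting SMTP client
    mail_from: str   # envelope sender; "" is the null sender <>
    data: str        # everything received after DATA (headers + body)


def addresses_in(data: str) -> set[str]:
    """All e-mail addresses quoted anywhere in the DATA portion, lower-cased."""
    return {m.lower() for m in ADDR_RE.findall(data)}


def listed_backscatterer(ip: str) -> bool:
    """Stand-in for a DNSBL lookup against a backscatterer list."""
    return ip in BACKSCATTERERS


def policy(msg: Message) -> Action:
    """Decide what to do with a message at end-of-DATA.

    Only null-sender mail (bounces, DSNs, autoresponses) is examined. A
    bounce that quotes one of our own addresses is plausibly a real bounce
    for mail we actually sent, so it is accepted even from a listed host;
    this keeps dead-subscriber detection working. A bounce from a listed
    host that quotes none of our addresses is backscatter and is rejected.
    Bounces from unlisted hosts that quote none of our addresses are kept
    in the evidence box so badly behaved autoresponders can be found later.
    """
    if msg.mail_from != "":
        return Action.ACCEPT
    if addresses_in(msg.data) & SUBSCRIBERS:
        return Action.ACCEPT
    if listed_backscatterer(msg.client_ip):
        return Action.REJECT
    return Action.ACCEPT_TO_EVIDENCE


if __name__ == "__main__":
    # Constructed bounces: one real, one backscatter from a listed host.
    real = Message("198.51.100.23", "",
                   "Subject: Undelivered Mail\n\nFrom: alice@example.org\nTo: dead@example.net\n")
    junk = Message("198.51.100.23", "",
                   "Subject: Undelivered Mail\n\nFrom: spoofed@example.com\n")
    print(policy(real).value, policy(junk).value)
```

The subscriber-address scan is what keeps this from also rejecting the real bounces a list owner needs to see; without it, the listed-host check alone would hide dead recipient addresses.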
stephen mulcahy wrote:
> I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
> Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
Thanks to everyone that responded to my initial email.
I went and took a look at Justin's excellent blog on the topic (the slightly updated one at http://taint.org/2007/05/30/164456a.html) and pretty much implemented everything he described there.
The postfix modifications addressed most of it - the VBounce rules did the rest. I think this will do the trick for now.
We're running Debian etch on our servers - I don't want to be running a testing distro on production systems, but I've gone and added Etch volatile to pick up the latest Spamassassin (3.2.x) since Etch is carrying 3.1.x. More info on Debian Volatile here - http://www.debian.org/volatile/.
Thanks again for the feedback and comments - it's proven invaluable this morning in addressing a big headache, and thanks to Sam for his work on the lists - all seems to be running smoothly.
-stephen
--
Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center, GMIT, Dublin Rd, Galway, Ireland. +353.91.751262 http://www.aplpi.com
Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)
On Apr 22, 10:53 am, "Sam Johnston" <s...@samj.net> wrote:
> I haven't so much as thought about SPAM since moving to Google Apps and Postini (which is tossed in for free with the $50/user/year premier edition or costs three bucks per user per year separately). Granted I've been selling the stuff since 2006, but I was a user first!
Just to clarify (and to see if posting works from http://groups.google.com/group/sysadmin-ie/ - if you see this, it does) the Postini service (and others like it) is separate from Google Apps in that once you've provisioned your account you just update your MX records and they will take care of dealing with the unwashed masses for you.
I believe 30 day trial accounts can be had if anyone wants to suck it and see, and there are a bunch of others providing similar services (which basically allow you to focus on something more useful/interesting).
> On Tue, Apr 22, 2008 at 10:28 AM, stephen mulcahy <smulc...@aplpi.com> wrote:
>> Howdy,
>> I've been looking for an excuse to test out the new list address - thanks to a world full of spammers I've been given that opportunity.
>> I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
>> Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
>> Other than that, I've also noticed a big increase in spam that's getting through our filters (spamassassin, no black lists but bayesian learning ok) since Friday - has some big new botnet kicked into action and what else can you do other than tweak spamassassin to manage this new spam?
>> Any thoughts and comments welcome.
>> -stephen
>> --
>> Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center, GMIT, Dublin Rd, Galway, Ireland. +353.91.751262 http://www.aplpi.com
>> Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)
At 11:45 22/04/2008 Tuesday, stephen mulcahy wrote:
> stephen mulcahy wrote:
>> I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
>> Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
> Thanks to everyone that responded to my initial email.
> I went and took a look at Justin's excellent blog on the topic (the slightly updated one at http://taint.org/2007/05/30/164456a.html) and pretty much implemented everything he described there.
> The postfix modifications addressed most of it - the VBounce rules did the rest. I think this will do the trick for now.
Though weren't you discussing bounces to list addresses like {members-ow...@lists.sysadmin.ie}? If so, isn't using the above alone going to mean you never detect dead recipient addresses in your list? Or does the vbounce only reject bounces that have the spam attached? If so, does anything that removes the content before bouncing get through?
I'd still consider a DATA filter that looks for known subscriber addresses in the body before rejecting after DATA, but maybe I just need to read up on vbounce.
Hi All,
Technically, that's not a Joe Job, it's backscatter: http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29. It's difficult to deal with, as I understand it, and is usually a matter of waiting for it to die down.
We (Skynet) process about 15,000 - 20,000 mails a day. Depending on the day, we reject between 55% and 75% of mail at SMTP time, almost all of it using zen.spamhaus.org. On top of that, we use postgrey. When it was implemented, my spam per day dropped from ~100 a day to about 5. Greylisting is still very effective, but due to the delay, it's often not acceptable for businesses. I'm back up to about 15 - 20 a day which go through SpamAssassin. It almost all gets caught but due to some of my old rules, I do get some false positives. Most spam I get is to the postmaster and abuse aliases. Razor/Pyzor used to be very, very effective but not as much so now. Other DNSBLs used by SA often get hit, but the ones that catch most of the spam are the URI ones.
Would people here advocate rejecting mail entirely for a failed SPF record check? At the moment, any SPF checks we do are with SA so they just get points.
How does this compare with other mail setups? In particular, what hit rate of SMTP-time rejection are you seeing?
> I haven't so much as thought about SPAM since moving to Google Apps and Postini (which is tossed in for free with the $50/user/year premier edition or costs three bucks per user per year separately). Granted I've been selling the stuff since 2006, but I was a user first!
> In answer to your question about Joe Jobs (http://en.wikipedia.org/wiki/Joe_job) though, the best defense is probably sender authentication of some sort and globally blacklisting brain-dead mail servers (which won't help you today unfortunately). I've got an SPF record for example which only allows Google and Postini servers to send mail from samj.net:
> Well configured mail servers should refuse to accept joe job mail rather than bouncing it later...
> Sam
> On Tue, Apr 22, 2008 at 10:28 AM, stephen mulcahy <smulc...@aplpi.com> wrote:
>> Howdy,
>> I've been looking for an excuse to test out the new list address - thanks to a world full of spammers I've been given that opportunity.
>> I came in this morning to find my mailbox full of bounces for spam sent using our addresses - the stuff is coming at the rate of a mail every few seconds so I've disabled at least one of the addresses entirely.
>> Obviously this isn't a generally useful strategy (we'll be going through email addresses at a ferocious rate) - what are others doing to deal with this?
>> Other than that, I've also noticed a big increase in spam that's getting through our filters (spamassassin, no black lists but bayesian learning ok) since Friday - has some big new botnet kicked into action and what else can you do other than tweak spamassassin to manage this new spam?
>> Any thoughts and comments welcome.
>> -stephen
>> --
>> Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center, GMIT, Dublin Rd, Galway, Ireland. +353.91.751262 http://www.aplpi.com
>> Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)
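The greylisting the Skynet post above relies on (postgrey in front of SpamAssassin), as an added example that is neither postgrey's nor Skynet's code. It implements the triplet algorithm in outline, keyed on the client's /24 so a retry from a neighbouring outbound host still matches, and wraps it in the Postfix access-policy exchange a policy daemon answers. Assumptions: the delay and expiry values are constructed for the example rather than postgrey's defaults, the clock is passed in so it runs offline, and client addresses are IPv4; DEFER_IF_PERMIT and DUNNO are real Postfix policy actions.

```python
# Added example, not postgrey's or Skynet's code: the greylisting algorithm
# the post relies on, plus the Postfix access-policy exchange it would sit
# behind. Assumptions: the delay and expiry values are constructed for the
# example (not postgrey's defaults), the clock is passed in so the test can
# run offline, and client addresses are IPv4.
from __future__ import annotations

from dataclasses import dataclass, field

DEFER = "DEFER_IF_PERMIT"   # Postfix: temporary 4xx unless another restriction rejects first
DUNNO = "DUNNO"             # Postfix: no opinion, continue with the remaining restrictions


@dataclass
class Greylist:
    min_delay: int = 300            # seconds a first-time triplet must wait before a retry counts
    retry_window: int = 4 * 3600    # a pending triplet not retried within this is forgotten
    pending: dict[tuple, int] = field(default_factory=dict)    # triplet -> first-seen time
    whitelist: dict[tuple, int] = field(default_factory=dict)  # triplet -> last-seen time

    @staticmethod
    def triplet(client_ip: str, sender: str, recipient: str) -> tuple:
        # Key on the /24 so a retry from a neighbouring outbound host still matches.
        net = ".".join(client_ip.split(".")[:3])
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        key = self.triplet(client_ip, sender, recipient)
        if key in self.whitelist:
            self.whitelist[key] = now
            return DUNNO
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            # Never seen, or an old attempt that was never retried: start over.
            # Spam bots that fire once and never retry stay here forever.
            self.pending[key] = now
            return DEFER
        if now - first < self.min_delay:
            return DEFER            # retried too soon; keep waiting
        # A proper retry: the sender runs a real queue. Whitelist the triplet.
        del self.pending[key]
        self.whitelist[key] = now
        return DUNNO


def handle_request(raw: str, greylist: Greylist, now: int) -> str:
    """Answer one Postfix policy request (name=value lines, blank-line terminated)."""
    attrs = dict(line.split("=", 1) for line in raw.splitlines() if "=" in line)
    action = greylist.check(attrs["client_address"], attrs["sender"], attrs["recipient"], now)
    return f"action={action}\n\n"


if __name__ == "__main__":
    g = Greylist()
    req = ("request=smtpd_access_policy\nclient_address=192.0.2.10\n"
           "sender=alice@example.com\nrecipient=bob@example.org\n\n")   # constructed request
    print(handle_request(req, g, now=1000), end="")   # first attempt: deferred
    print(handle_request(req, g, now=1400), end="")   # retry after the delay: DUNNO
```

The delay on the first attempt is exactly the cost the post mentions: legitimate mail from a well-run queue arrives a few minutes late, while a bot that never retries is never accepted at all.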
> On Tue, Apr 22, 2008 at 8:12 PM, Brian Sullivan <xei-irel...@hushmail.com> wrote:
>> You might like to know that Hushmail's spam filter didn't like this message.
> Appears to be SPF related - apt considering the context of the discussion!
> Sam
Yup, seems the host and domain {both lists.sysadmin.ie} have no SPF or other TXT records at all.
I still wish CSV had taken off {would kill many botnets if ISPs had added it to the root reverse FCrDNS zone for their dialups, but then so would ISPs volunteering their addresses to the PBL} http://en.wikipedia.org/wiki/Certified_Server_Validation
as I hate SPF breaking forwarding done by others of my users' mail
{I only use it with -all to indicate domains/hostnames with no mail originating from those addresses}
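An added example (not Sam's actual samj.net record, and not any library's code) serving three points in this thread: Sam's record that only lets specific servers send for a domain, the question of whether a failed SPF check should reject at SMTP time or just add points in SpamAssassin, and the complaint above that -all breaks forwarding. Assumptions: only the ip4, ip6, include and all terms are implemented (a, mx, ptr, exists and modifiers need DNS and return permerror here), include targets are looked up in a dict instead of DNS, and every record and IP is constructed.

```python
# Added example, not Sam's record or any library's code: a small SPF
# evaluator covering the mechanisms needed to show a netblock-only record
# and why -all breaks forwarding. Assumptions: only ip4, ip6, include and
# all are implemented (a, mx, ptr, exists and modifiers need DNS and return
# permerror here); include records come from a dict passed in instead of
# DNS; all records and IPs are constructed.
from __future__ import annotations

import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str | None, client_ip: str,
              lookup: dict | None = None, depth: int = 0) -> str:
    """Evaluate client_ip against an SPF TXT record; returns the SPF result name."""
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:
        return "permerror"          # RFC 7208's 10-lookup limit, approximated as nesting depth
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if lookup is None:
                return "permerror"
            if check_spf(lookup.get(arg), client_ip, lookup, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"      # a/mx/ptr/exists/redirect=: DNS needed, not implemented here
    return "neutral"                # nothing matched and no "all" term


def smtp_decision(result: str, reject_on_fail: bool) -> str:
    """Map an SPF result to what the thread debates: reject at SMTP time, or just score it."""
    if result == "fail" and reject_on_fail:
        return "REJECT"
    return "SCORE"   # hand the result to SpamAssassin as points instead


if __name__ == "__main__":
    # Constructed record: only our outbound /24 may send for the domain.
    record = "v=spf1 ip4:198.51.100.0/24 -all"
    print("direct:   ", check_spf(record, "198.51.100.7"))                      # pass
    # A forwarder re-sends the same message from its own host with the envelope
    # sender unchanged, so a strict -all record fails it; ~all only softfails.
    print("forwarded:", check_spf(record, "203.0.113.5"))                        # fail
    print("with ~all:", check_spf(record.replace("-all", "~all"), "203.0.113.5"))  # softfail
    print("decision: ", smtp_decision(check_spf(record, "203.0.113.5"), reject_on_fail=True))
```

The forwarded case is the one the post above is worried about: the forwarder's IP is not in the domain's record, so a site that rejects outright on fail drops legitimate forwarded mail, which is why scoring in SpamAssassin is the more forgiving default.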