Posted to users@spamassassin.apache.org by Chris <cp...@earthlink.net> on 2006/11/02 02:05:24 UTC

BIG increase in spam today

I usually come home from work to find about 60-80 spams in my spam folder. 
Today upon bringing up the mailer there were over 400!  Looks like a large 
botnet attack or something. Has anyone else noticed this? I've not finished 
looking at the ASNs to see where they're from, but I do notice that there 
are about 25-30 with the same subject in each group.

-- 
Chris

Re: R: BIG increase in spam today

Posted by jdow <jd...@earthlink.net>.
From: "Giampaolo Tomassoni" <g....@libero.it>

> From: Marc Perkel [mailto:marc@perkel.com]
> What I do is sort of partial greylisting. If a connection is suspicious
> I give them a temp error on my lowest MX but accept them on higher MX
> records. So that way most MTA will try a higher MX right away and it
> doesn't add much of a delay.

Well, it's nice. But expect bots to circumvent this within a few months: it's easy.

Greylisting works on the assumption that no spammer would waste its precious time by 
attempting a second time to an SMTP server, but they could attempt to a site's higher MXes 
soon after they get a 4xx from the lowest one...

You know: they have to do their dirty work within minutes, or their efforts will be voided 
by reporting agents and the like (razor, pyzor, dcc, etc...) or sometimes by the 
connection provider itself.

<< If I were running a greylist instead of using fetchmail here I'd
definitely want to gen up a tool that notices source IPs and at the
third message from a source IP in 10 seconds engage the grey list
response. Ditto for same message subject CRC32 hash or the like. (And
if the first few are spam report it to one of the "instant response"
BLs to reward the spammer with some instant recognition to boost his
ego. {^_-})

{^_^} 
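A sliding-window tracker implementing the trigger jdow describes above (third message from one source IP within 10 seconds, or third message whose Subject CRC32 matches). This is an added example, not code from the post; the window, threshold, sample addresses and subjects are constructed.

```python
import time
import zlib
from collections import defaultdict, deque

# Thresholds from the post: engage the greylist response at the third message
# from one source IP within 10 seconds, and likewise for the third message
# whose Subject hashes (CRC32) to the same value.
WINDOW_SECONDS = 10
THRESHOLD = 3


class BurstGreylister:
    """Sliding-window counters deciding whether a message should be greylisted."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        # key -> deque of arrival timestamps still inside the window
        self.by_ip = defaultdict(deque)
        self.by_subject = defaultdict(deque)

    @staticmethod
    def subject_key(subject):
        """CRC32 of the Subject after folding case and whitespace, so trivial
        variations of one spam template still collide."""
        normalised = " ".join(subject.lower().split())
        return zlib.crc32(normalised.encode("utf-8")) & 0xFFFFFFFF

    def _hits(self, table, key, now):
        """Record an arrival for key and return how many fall inside the window."""
        q = table[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def decide(self, source_ip, subject, now=None):
        """Return (action, reason); action is 'accept' or 'greylist'."""
        now = time.time() if now is None else now
        ip_hits = self._hits(self.by_ip, source_ip, now)
        subj_hits = self._hits(self.by_subject, self.subject_key(subject), now)
        if ip_hits >= self.threshold:
            return "greylist", f"{ip_hits} messages from {source_ip} in {self.window}s"
        if subj_hits >= self.threshold:
            return "greylist", f"{subj_hits} messages with the same subject in {self.window}s"
        return "accept", "under threshold"


def run_sample():
    """Feed a constructed burst through the tracker and return the decisions."""
    g = BurstGreylister()
    # Constructed sample: (seconds offset, source IP, Subject). Addresses are
    # from documentation ranges, not real senders.
    events = [
        (0.0, "192.0.2.10", "Re: your invoice"),
        (1.0, "192.0.2.10", "Hello"),
        (2.0, "192.0.2.10", "Meeting"),          # 3rd from the same IP in 10s
        (3.0, "198.51.100.5", "Great Offer!!"),
        (4.0, "203.0.113.7", "great  offer!!"),  # same subject after folding
        (5.0, "203.0.113.8", "GREAT OFFER!!"),   # 3rd identical subject
        (30.0, "192.0.2.10", "Later mail"),      # earlier hits have expired
    ]
    base = 1_000_000.0
    return [g.decide(ip, subj, now=base + off)[0] for off, ip, subj in events]


if __name__ == "__main__":
    print(run_sample())
```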


R: R: BIG increase in spam today

Posted by Giampaolo Tomassoni <g....@libero.it>.
> From: Marc Perkel [mailto:marc@perkel.com]
> What I do is sort of partial greylisting. If a connection is suspicious 
> I give them a temp error on my lowest MX but accept them on higher MX 
> records. So that way most MTA will try a higher MX right away and it 
> doesn't add much of a delay.

Well, it's nice. But expect bots to circumvent this within a few months: it's easy.

Greylisting works on the assumption that no spammer would waste its precious time by attempting a second time to an SMTP server, but they could attempt to a site's higher MXes soon after they get a 4xx from the lowest one...

You know: they have to do their dirty work within minutes, or their efforts will be voided by reporting agents and the like (razor, pyzor, dcc, etc...) or sometimes by the connection provider itself.

-----------------------------------
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100

MAI inviare una e-mail a:
NEVER send an e-mail to:
 rainbowl@tomassoni.eu


Re: R: BIG increase in spam today

Posted by Marc Perkel <ma...@perkel.com>.
What I do is sort of partial greylisting. If a connection is suspicious 
I give them a temp error on my lowest MX but accept them on higher MX 
records. So that way most MTA will try a higher MX right away and it 
doesn't add much of a delay.

François Rousseau wrote:
> Greylisting is not always good...
>
> The greylisting inserts delay in delivery and sometimes the email has 
> to be delivered fast. 
>
> For example: on some public wireless network, you have to register to 
> have access to the internet.  You can access internet without 
> authentication for 15 minutes.  In this 15 minutes, you have to 
> register in the captive portal and then go confirm your inscription by 
> clicking in a link received by email.  If the greylisting inserts more 
> than 15 minutes of delay...
>
> I think technologies like SPF have a better future.
>
> François Rousseau
>
>

Re: R: BIG increase in spam today

Posted by Benny Pedersen <me...@junc.org>.
On Thu, November 2, 2006 17:03, Randy Smith wrote:

> I use policyd and give my users the ability to optout (or optin depending on
> the domain settings) of greylisting if they choose. They can do it through a
> plugin in SquirrelMail so, if they choose, they can turn it off for a few
> minutes to get "instant" delivery and turn it back on when they are done or
> just leave it off. It seems to work well enough here.

where is that squirrelmail plugin ?

> I have to agree with others in this thread that, in general, the more you can
> safely stop before it hits your filtering system, the happier you'll be.

yes, could be a sendmail milter where amavisd-new runs and rejects the spam/virus
back to the sender; can't take them more seriously :-)

and since postfix 2.3.x has sendmail milter support one may do it one day

>> I think technologies like SPF have a better futur.
> I don't know. I've seen too many problems with SPF and mail forwarding from
> hosting providers.

users may ask themselves why forwarding email addys is needed to break spf :(

-- 
"This message was sent using 100% recycled spam mails."


Re: R: BIG increase in spam today

Posted by Randy Smith <pe...@falconsroost.alamosa.co.us>.
On Thursday 02 November 2006 08:42, François Rousseau wrote:
> Greylisting is not always good...
>
> The greylisting inserts delay in delivery and sometimes the email has to be
> delivered fast.
>
> For example: on some public wireless network, you have to register to have
> access to the internet.  You can access internet without authentication
> for 15 minutes.  In this 15 minutes, you have to register in the captive
> portal and then go confirm your inscription by clicking in a link received
> by email.  If the greylisting inserts more than 15 minutes of delay...

I use policyd and give my users the ability to optout (or optin depending on 
the domain settings) of greylisting if they choose. They can do it through a 
plugin in SquirrelMail so, if they choose, they can turn it off for a few 
minutes to get "instant" delivery and turn it back on when they are done or 
just leave it off. It seems to work well enough here.

I have to agree with others in this thread that, in general, the more you can 
safely stop before it hits your filtering system, the happier you'll be.

>
> I think technologies like SPF have a better future.

I don't know. I've seen too many problems with SPF and mail forwarding from 
hosting providers.

[snip]
-- 
Randy Smith
http://perlstalker.amigo.net/
"Work is the miracle by which talent is brought to the surface and
dreams become reality." - Gordon B. Hinckley

Re: R: BIG increase in spam today

Posted by Jonas Eckerman <jo...@frukt.org>.
Federico Giannici wrote:

> What about combining BlackListing and GreyListing?

I'm experimenting a bit with that right now. I've got my greylisting code to use a configurable number of checks before it decides if the greylist should be in use for an incoming connection. The idea is to avoid delaying most ham, and it seems to work pretty well.

Currently the following tests (in this order) are used (at the first matching check, the rest of the tests are skipped):
---8<---
If p0f thinks it's a Novell server: Do not greylist.

If the host rdns look dynamic: Do greylist.

If the host is not swedish and the domain does not end in ".se" or ".org": Do greylist.

If the host listed in our own dynamic blacklist: Do greylist.

If the host has sent spam to us: Do greylist.

If the host is listed in njabl, sorbs or uceprotect: Do greylist.

If no tests matched: Don't greylist.
---8<---

The greylist code does some massacring of mail addresses, has host whitelisting, and reports to a very short lived blocklist thingy. Some of the stuff above uses data from other parts of our filter.

> Has anybody already implemented it?

Yes. I have. :-)

> Is there already something able to implement it?

MIMEDefang (a sendmail milter) together with code from my filter at <http://whatever.frukt.org/mimedefangfilter.text.shtml> could be used as a starting point.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
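The ordered, first-match test list from Jonas's post above, as an added example (not the MIMEDefang filter linked there). The host attributes, the regex used for "rDNS looks dynamic" and the sample hosts are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class HostInfo:
    """What the filter knows about a connecting host. Constructed fields that
    mirror the inputs named in the post (p0f guess, rDNS, country, local
    blacklist, local spam history, public DNSBL hits)."""
    ip: str
    rdns: Optional[str] = None
    p0f_os: Optional[str] = None        # e.g. "Novell" from passive fingerprinting
    country: Optional[str] = None       # ISO country code, e.g. "SE"
    in_local_blacklist: bool = False
    sent_spam_to_us: bool = False
    dnsbl_hits: Set[str] = field(default_factory=set)   # e.g. {"sorbs"}


PUBLIC_DNSBLS = {"njabl", "sorbs", "uceprotect"}
LOCAL_SUFFIXES = (".se", ".org")

# Heuristic for "rDNS looks dynamic": typical pool keywords or an embedded
# dotted/dashed IPv4 address in the hostname. An assumption, not the post's rule.
DYNAMIC_RDNS = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|dsl|cable|dialup)([.-]|$)"
    r"|\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}",
    re.IGNORECASE,
)


def looks_dynamic(rdns: Optional[str]) -> bool:
    return bool(rdns) and DYNAMIC_RDNS.search(rdns) is not None


def foreign_host(h: HostInfo) -> bool:
    """Not Swedish and the rDNS name does not end in .se or .org."""
    name = (h.rdns or "").lower()
    return h.country != "SE" and not name.endswith(LOCAL_SUFFIXES)


# (label, predicate, greylist?) in the order the post lists them; the first
# matching predicate decides and the remaining tests are skipped.
CHECKS = [
    ("p0f thinks it is a Novell server", lambda h: h.p0f_os == "Novell", False),
    ("rDNS looks dynamic", lambda h: looks_dynamic(h.rdns), True),
    ("not Swedish and not .se/.org", foreign_host, True),
    ("listed in our own dynamic blacklist", lambda h: h.in_local_blacklist, True),
    ("has sent spam to us", lambda h: h.sent_spam_to_us, True),
    ("listed in njabl/sorbs/uceprotect", lambda h: bool(h.dnsbl_hits & PUBLIC_DNSBLS), True),
]


def decide(host: HostInfo) -> Tuple[bool, str]:
    """Return (greylist?, reason) using first-match semantics."""
    for label, predicate, greylist in CHECKS:
        if predicate(host):
            return greylist, label
    return False, "no test matched"


def run_sample():
    """Constructed hosts covering each branch; returns {ip: (greylist?, reason)}."""
    hosts = [
        HostInfo("192.0.2.1", rdns="gw.example.se", country="SE", p0f_os="Novell",
                 dnsbl_hits={"sorbs"}),                       # first rule wins
        HostInfo("192.0.2.2", rdns="dsl-192-0-2-2.isp.example.se", country="SE"),
        HostInfo("192.0.2.3", rdns="mail.example.com", country="US"),
        HostInfo("192.0.2.4", rdns="mx.example.org", country="US", in_local_blacklist=True),
        HostInfo("192.0.2.5", rdns="smtp.example.se", country="SE", sent_spam_to_us=True),
        HostInfo("192.0.2.6", rdns="relay.example.se", country="SE", dnsbl_hits={"uceprotect"}),
        HostInfo("192.0.2.7", rdns="mail.example.se", country="SE"),
    ]
    return {h.ip: decide(h) for h in hosts}


if __name__ == "__main__":
    for ip, (grey, why) in run_sample().items():
        print(ip, "greylist" if grey else "pass", "-", why)
```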


Re: R: BIG increase in spam today

Posted by Ken A <ka...@pacific.net>.

Federico Giannici wrote:
> François Rousseau wrote:
>> Greylisting is not always good...
>>
>> The greylisting inserts delay in delivery and sometimes the email has 
>> to be delivered fast. 
> 
> I don't trust enough DNSBLs to completely block an email only based on 
> them.
> 
> What about combining BlackListing and GreyListing?
> I'd like to use GreyLists (with long delay) for BlackListed emails only.
> 
> Has anybody already implemented it?
> Is there already something able to implement it?
> 

from milter-greylist readme:

-- snip --
  9 Using DNSRBL
  ==============

milter-greylist can use a DNSRBL to decide whether a host should be
greylisted or whitelisted. For instance, let us say that you want to
greylist any host appearing in the SORBS dynamic pool list (this includes
DSL and cable pools). You would do this:

# if IP a.b.c.d is positive, then nslookup of d.c.b.a.dnsbl.sorbs.net
# returns 127.0.0.10
dnsrbl "SORBS DUN" dnsbl.sorbs.net 127.0.0.10
acl greylist dnsrbl "SORBS DUN"

You can combine it with variable greylisting delays so that dynamic hosts
get a greylisting delay of 12 hours while other hosts only get 15 minutes:

dnsrbl "SORBS DUN" dnsbl.sorbs.net 127.0.0.10
acl greylist dnsrbl "SORBS DUN" delay 12h
acl greylist default delay 15m

This feature was introduced in milter-greylist 2.1.7 and may not be
fully stable. You need the --enable-dnsrbl flag to configure to use
it. You must link milter-greylist with a thread-safe resolver, else
the milter will be unstable (see the explanation in the SPF section).
-- snip --

Ken A
Pacific.Net

> Thanks.
> 
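The lookup and delay selection the readme excerpt above describes, as an added example (not milter-greylist's own code): reverse the octets, query d.c.b.a.dnsbl.sorbs.net, match only the configured return code, and apply the 12h/15m delays of the two acl lines. The resolver is a constructed stand-in table; the sample addresses and the second return code are made up.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for the resolver: query name -> A records a real
# lookup would return. 127.0.0.10 is the SORBS dynamic-pool (DUN) code quoted
# in the readme; the 127.0.0.6 entry is a made-up "listed for another reason".
FAKE_DNS: Dict[str, List[str]] = {
    "77.2.0.192.dnsbl.sorbs.net": ["127.0.0.10"],
    "9.113.0.203.dnsbl.sorbs.net": ["127.0.0.6"],
}

# dnsrbl "SORBS DUN" dnsbl.sorbs.net 127.0.0.10
DNSRBL = {"SORBS DUN": ("dnsbl.sorbs.net", "127.0.0.10")}

# acl greylist dnsrbl "SORBS DUN" delay 12h
# acl greylist default delay 15m
ACL = [
    ("dnsrbl", "SORBS DUN", 12 * 3600),
    ("default", None, 15 * 60),
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """a.b.c.d -> d.c.b.a.<zone>; raises ValueError for anything not IPv4."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, list_name: str, resolver=FAKE_DNS) -> bool:
    """True only when the zone answers with the configured return code;
    a listing under a different code does not match this dnsrbl entry."""
    zone, code = DNSRBL[list_name]
    return code in resolver.get(dnsbl_query_name(ip, zone), [])


def greylist_delay(ip: str, resolver=FAKE_DNS) -> int:
    """Seconds a new (ip, sender, recipient) tuple is deferred; first-match ACL."""
    for kind, arg, delay in ACL:
        if kind == "default" or (kind == "dnsrbl" and is_listed(ip, arg, resolver)):
            return delay
    raise RuntimeError("ACL has no default entry")


def retry_accepted(ip: str, first_seen: float, now: float, resolver=FAKE_DNS) -> bool:
    """A retry passes the greylist once the tuple has aged past its delay."""
    return now - first_seen >= greylist_delay(ip, resolver)


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.9", "198.51.100.1"):
        print(ip, dnsbl_query_name(ip, "dnsbl.sorbs.net"), greylist_delay(ip), "s")
```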

R: R: BIG increase in spam today

Posted by Giampaolo Tomassoni <g....@libero.it>.
> Federico Giannici wrote:
> > François Rousseau wrote:
> >> Greylisting is not always good...
> >>
> >> The greylisting inserts delay in delivery and sometimes the email has 
> >> to be delivered fast. 
> > 
> > I don't trust enough DNSBLs to completely block an email only based on 
> > them.
> > 
> > What about combining BlackListing and GreyListing?
> > I'd like to use GreyLists (with long delay) for BlackListed emails only.
> > 
> > Has anybody already implemented it?
> > Is there already something able to implement it?
> 
> This was asked on the Postfix list recently:
> 
> http://groups.google.com/group/list.postfix.users/browse_thread/thread/5146269c41c5ca9d
>
> The best answer was:
> 
> http://www.orangegroove.net/code/marbl/

Great hint! Thanks.

-----------------------------------
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100

MAI inviare una e-mail a:
NEVER send an e-mail to:
 rainbowl@tomassoni.eu


Re: R: BIG increase in spam today

Posted by Stuart Johnston <st...@ebby.com>.
Federico Giannici wrote:
> François Rousseau wrote:
>> Greylisting is not always good...
>>
>> The greylisting inserts delay in delivery and sometimes the email has 
>> to be delivered fast. 
> 
> I don't trust enough DNSBLs to completely block an email only based on 
> them.
> 
> What about combining BlackListing and GreyListing?
> I'd like to use GreyLists (with long delay) for BlackListed emails only.
> 
> Has anybody already implemented it?
> Is there already something able to implement it?

This was asked on the Postfix list recently:

http://groups.google.com/group/list.postfix.users/browse_thread/thread/5146269c41c5ca9d

The best answer was:

http://www.orangegroove.net/code/marbl/

Re: R: R: BIG increase in spam today

Posted by Benny Pedersen <me...@junc.org>.
On Fri, November 3, 2006 11:53, Giampaolo Tomassoni wrote:

> Due to the dynamic nature of this test, I guess that at least in the postfix
> case it should need to be somehow embedded into the greylisting server: it
> seems postfix doesn't allow to specify more than one policy server in the
> check_policy_service directive.

can be made with a combo of restriction classes and policy restrictions on
postfix, how you do this is your problem :-)

-- 
"This message was sent using 100% recycled spam mails."


R: R: BIG increase in spam today

Posted by Giampaolo Tomassoni <g....@libero.it>.
> François Rousseau wrote:
> > Greylisting is not always good...
> > 
> > The greylisting inserts delay in delivery and sometimes the 
> > email has to 
> > be delivered fast. 
> 
> I don't trust enough DNSBLs to completely block an email only 
> based on them.
> 
> What about combining BlackListing and GreyListing?
> I'd like to use GreyLists (with long delay) for BlackListed emails only.

This is a very interesting idea.

Ah, these Italian brains! :)


> Has anybody already implemented it?

I use postfix, and something like that is suggested in the postfix's "SMTP Access Policy Delegation" manual (http://www.postfix.org/SMTPD_POLICY_README.html). See "Greylisting mail from frequently forged domains" in there.

That, however, uses a static list of "frequently forged" domains and check_sender_access to enforce greylisting on listed domains. What you suggest is obviously more powerful.

Due to the dynamic nature of this test, I guess that at least in the postfix case it should need to be somehow embedded into the greylisting server: it seems postfix doesn't allow to specify more than one policy server in the check_policy_service directive.

So, a postgrey or postgreysql server's code would surely need to be tuned for this.


> Is there already something able to implement it?

FWIK, no.

-----------------------------------
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100

MAI inviare una e-mail a:
NEVER send an e-mail to:
 rainbowl@tomassoni.eu


> Thanks.
> 
> -- 
> ___________________________________________________
>      __
>     |-                      giannici@neomedia.it
>     |ederico Giannici      http://www.neomedia.it
> ___________________________________________________


Re: R: BIG increase in spam today

Posted by Federico Giannici <gi...@neomedia.it>.
François Rousseau wrote:
> Greylisting is not always good...
> 
> The greylisting inserts delay in delivery and sometimes the email has to 
> be delivered fast. 

I don't trust enough DNSBLs to completely block an email only based on them.

What about combining BlackListing and GreyListing?
I'd like to use GreyLists (with long delay) for BlackListed emails only.

Has anybody already implemented it?
Is there already something able to implement it?


Thanks.

-- 
___________________________________________________
     __
    |-                      giannici@neomedia.it
    |ederico Giannici      http://www.neomedia.it
___________________________________________________

Re: R: BIG increase in spam today

Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 2 Nov 2006, François Rousseau wrote:

> Greylisting is not always good...
> 
> The greylisting inserts delay in delivery and sometimes the email has to be
> delivered fast.
> 
> For example: on some public wireless network, you have to register to have
> access to the internet.  You can access internet without authentication
> for 15 minutes.  In this 15 minutes, you have to register in the captive
> portal and then go confirm your inscription by clicking in a link received
> by email.  If the greylisting inserts more than 15 minutes of delay...

Tell the greylist software to whitelist the wifi provider's mail
server. You *can* tune things like this - they are intended to be
suspicious of strangers, not people or firms you know you will be
communicating with - but, as with children, you need to tell them how
to distinguish.
 
--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
                                        -- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
 5 days until the campaign ads stop


R: R: BIG increase in spam today

Posted by Giampaolo Tomassoni <g....@libero.it>.
> Greylisting is not always good...
>
> The greylisting inserts delay in delivery and sometimes the email has to
> be delivered fast.
>
> For example: on some public wireless network, you have to register to have
> access to the internet.  You can access internet without authentication
> for 15 minutes.  In this 15 minutes, you have to register in the captive
> portal and then go confirm your inscription by clicking in a link received
> by email.  If the greylisting inserts more than 15 minutes of delay...

Yes, this is a well-known argument. The fact is that smtp is designed for
reliability, not for low latency. Smtp isn't probably well-suited for a
subscription system with such a tight time window.

> I think technologies like SPF have a better future.

Greylisting is present, not future. SPF is actually not that common...

Probably, SPF WILL have a better future.

Come on: use the Force! :)

> François Rousseau



  2006/11/2, Giampaolo Tomassoni <g.tomassoni@libero.it >:
    > On 11/2/06, Debbie D <webmaster@beautytech.com > wrote:
    > >
    > > Yes Chris I did notice.. my server was attacked with spam yesterday
    > > morning.. it was coming from several different ip, so fast I
    > could not keep
    > > it quiet
    > >
    >
    > There's been a lot of chatter about this:
    >
    > http://it.slashdot.org/article.pl?sid=06/11/01/1321226
    >
    > Actually, it's getting to the extent that some at work are raising
    > questions as to whether our SA setup will be able to maintain adequate
    > protection from this growing onslaught. However, I have a feeling that
    > even the appliance vendors are going to be equally hard pressed to
    > deal with it.

    Use greylisting: if they're bots, they will not even reach your SA.

    Greylisting is a force.

    Use the Force!

    -----------------------------------
    Giampaolo Tomassoni - IT Consultant
    Piazza VIII Aprile 1948, 4
    I-53044 Chiusi (SI) - Italy
    Ph: +39-0578-21100

    MAI inviare una e-mail a:
    NEVER send an e-mail to:
    rainbowl@tomassoni.eu


    >
    > Amos




Re: R: BIG increase in spam today

Posted by François Rousseau <fr...@gmail.com>.
Greylisting is not always good...

The greylisting inserts delay in delivery and sometimes the email has to be
delivered fast.

For example: on some public wireless network, you have to register to have
access to the internet.  You can access internet without authentication
for 15 minutes.  In this 15 minutes, you have to register in the captive
portal and then go confirm your inscription by clicking in a link received
by email.  If the greylisting inserts more than 15 minutes of delay...

I think technologies like SPF have a better future.

François Rousseau


2006/11/2, Giampaolo Tomassoni <g....@libero.it>:
>
> > On 11/2/06, Debbie D <we...@beautytech.com> wrote:
> > >
> > > Yes Chris I did notice.. my server was attacked with spam yesterday
> > > morning.. it was coming from several different ip, so fast I
> > could not keep
> > > it quiet
> > >
> >
> > There's been a lot of chatter about this:
> >
> > http://it.slashdot.org/article.pl?sid=06/11/01/1321226
> >
> > Actually, it's getting to the extent that some at work are raising
> > questions as to whether our SA setup will be able to maintain adequate
> > protection from this growing onslaught. However, I have a feeling that
> > even the appliance vendors are going to be equally hard pressed to
> > deal with it.
>
> Use greylisting: if they're bots, they will not even reach your SA.
>
> Greylisting is a force.
>
> Use the Force!
>
> -----------------------------------
> Giampaolo Tomassoni - IT Consultant
> Piazza VIII Aprile 1948, 4
> I-53044 Chiusi (SI) - Italy
> Ph: +39-0578-21100
>
> MAI inviare una e-mail a:
> NEVER send an e-mail to:
> rainbowl@tomassoni.eu
>
>
> >
> > Amos
>
>

Re: BIG increase in spam today

Posted by jdow <jd...@earthlink.net>.
From: "Mark" <ad...@asarian-host.net>
>> From: Marc Perkel [mailto:marc@perkel.com] 
>> 
>> I'm not an appliance vendor but I run a front end spam 
>> filtering service and it's been a struggle. Most of my spam
>> defense isn't SA though. I'm using Exim rules to do most of the
>> work and SA gets what's left.
> 
> Same here. A custom brewed milter-type setup of mine (a combined set of
> socketmap invocations, to be precise) handles the vast majority of spam at
> the gate.
> 
> 92% (!) of all incoming spam uses an invalid HELO.
> 
> 9% pretends to be me in their HELO.

I presume those that pretend to be you are invalid HELO, also. Otherwise
the addition produces an overflow. {^_-}

> 83% of all spam here comes from dynamic IP space.
> 
> 8% of the incoming spam uses a country-level TLD which does not match the
> HELO country TLD ("EHLO foo.de" vs. "bar.uk" PTR, for instance).

But the remainder is -92%.

{^_-}

RE: BIG increase in spam today

Posted by Benny Pedersen <me...@junc.org>.
On Thu, November 2, 2006 20:22, Mark wrote:

> The rest of the invalid HELOs are just non-FQDNs (like "HELO friend"), or
> IP addresses (not inside braces, like an address literal).

could be a spammer that calls his computer "friend" since Microsoft has a
habit of denying . in the computer name

most spams also just have a computer name as message-id again without a dot

> Seriously, HELO tests rock!

don't tell spammers how foolish they are :-)

--
"This message was sent using 100% recycled spam mails."


Re: BIG increase in spam today

Posted by jdow <jd...@earthlink.net>.
From: "Mark" <ad...@asarian-host.net>
>> From: Jim Maul [mailto:jmaul@elih.org] 
>> 
>> > 92% (!) of all incoming spam uses an invalid HELO.
>> > 
>> > 9% pretends to be me in their HELO.
>> > 
>> 
>> Is this 9% included in the above 'invalid HELO' number?
> 
> Yes. I should have been more clear about that. 92% fails the HELO tests,
> for one reason or another. Of those 92%, 9% are HELOs pretending to be me
> (either my primary domain, or the domains I host, or address literals
> pretending to be me). The 8% that fails the PTR != HELO country TLD is
> also included in the 92%.
> 
> The rest of the invalid HELOs are just non-FQDNs (like "HELO friend"), or
> IP addresses (not inside braces, like an address literal).
> 
> Then there's a complex HELO category I mark, to counter spam bursts, based
> on sequence heuristics within a very short time-frame, like:
> 
> Nov  2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: <-- EHLO
> MATTHIAS.uuuiguu.net
> Nov  2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: <-- EHLO
> MATTHIAS.me1n93.net
> Nov  2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: <-- EHLO
> MATTHIAS
> 
> (where the third-level TLD, in caps, is the basis for the group as a
> total). I'm still experimenting with it (not actually blocking on it yet);
> but the number of FPs is zero so far (running for several weeks).
> 
> Seriously, HELO tests rock!

That still leaves that 83% dangling out in the breeze giving you a
-75% ham amount.

{^_-}

RE: BIG increase in spam today

Posted by Mark <ad...@asarian-host.net>.
> -----Original Message-----
> From: Jim Maul [mailto:jmaul@elih.org] 
> Sent: Thursday 2 November 2006 19:58
> To: users@spamassassin.apache.org
> Subject: Re: BIG increase in spam today
> 
> 
> 
> > 92% (!) of all incoming spam uses an invalid HELO.
> > 
> > 9% pretends to be me in their HELO.
> > 
> 
> Is this 9% included in the above 'invalid HELO' number?

Yes. I should have been more clear about that. 92% fails the HELO tests,
for one reason or another. Of those 92%, 9% are HELOs pretending to be me
(either my primary domain, or the domains I host, or address literals
pretending to be me). The 8% that fails the PTR != HELO country TLD is
also included in the 92%.

The rest of the invalid HELOs are just non-FQDNs (like "HELO friend"), or
IP addresses (not inside braces, like an address literal).

Then there's a complex HELO category I mark, to counter spam bursts, based
on sequence heuristics within a very short time-frame, like:

Nov  2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: <-- EHLO
MATTHIAS.uuuiguu.net
Nov  2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: <-- EHLO
MATTHIAS.me1n93.net
Nov  2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: <-- EHLO
MATTHIAS

(where the third-level TLD, in caps, is the basis for the group as a
total). I'm still experimenting with it (not actually blocking on it yet);
but the number of FPs is zero so far (running for several weeks).

Seriously, HELO tests rock!

- Mark


Re: BIG increase in spam today

Posted by Jim Maul <jm...@elih.org>.
Mark wrote:
>> -----Original Message-----
>> From: Marc Perkel [mailto:marc@perkel.com] 
>> Sent: Thursday 2 November 2006 19:00
>> To: users@spamassassin.apache.org
>> Subject: Re: BIG increase in spam today
>>
>>
>> I'm not an appliance vendor but I run a front end spam 
>> filtering service and it's been a struggle. Most of my spam
>> defense isn't SA though. I'm using Exim rules to do most of the
>> work and SA gets what's left.
> 
> Same here. A custom brewed milter-type setup of mine (a combined set of
> socketmap invocations, to be precise) handles the vast majority of spam at
> the gate.
> 
> 92% (!) of all incoming spam uses an invalid HELO.
> 
> 9% pretends to be me in their HELO.
> 

Is this 9% included in the above 'invalid HELO' number?

-Jim

RE: BIG increase in spam today

Posted by Mark <ad...@asarian-host.net>.
> -----Original Message-----
> From: Marc Perkel [mailto:marc@perkel.com] 
> Sent: Thursday 2 November 2006 19:00
> To: users@spamassassin.apache.org
> Subject: Re: BIG increase in spam today
> 
> 
> I'm not an appliance vendor but I run a front end spam 
> filtering service and it's been a struggle. Most of my spam
> defense isn't SA though. I'm using Exim rules to do most of the
> work and SA gets what's left.

Same here. A custom brewed milter-type setup of mine (a combined set of
socketmap invocations, to be precise) handles the vast majority of spam at
the gate.

92% (!) of all incoming spam uses an invalid HELO.

9% pretends to be me in their HELO.

83% of all spam here comes from dynamic IP space.

8% of the incoming spam uses a country-level TLD which does not match the
HELO country TLD ("EHLO foo.de" vs. "bar.uk" PTR, for instance).

SA gets the rest. :)

- Mark
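An added example (not Mark's socketmap setup) that applies the HELO categories from Mark's two posts above: non-FQDN, bare IP, a HELO or address literal claiming to be us, a HELO ccTLD disagreeing with the PTR's ccTLD, plus the burst grouping by the first label of the EHLO name over sendmail log lines. The hosted domains, MX address and the fourth log line are constructed; the first three log lines are the ones quoted in the thread, rejoined onto single lines, and a year is assumed because syslog lines carry none.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

OUR_DOMAINS = {"example.net", "example.org"}   # assumption: domains we host
OUR_IPS = {"192.0.2.25"}                        # assumption: our MX addresses

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# sendmail's "<-- EHLO name" log form quoted in the thread, on a single line
LOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: <-- E?HLO (\S+)$")


def is_fqdn(name: str) -> bool:
    labels = name.split(".")
    return (len(labels) >= 2 and all(LABEL.match(l) for l in labels)
            and labels[-1].isalpha())


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_helo(helo: str, ptr: Optional[str] = None) -> str:
    """Return 'ok' or the first failing category for a HELO/EHLO argument."""
    h = helo.lower().rstrip(".")
    if h.startswith("[") and h.endswith("]") and is_ip(h[1:-1]):
        # A bracketed address literal is syntactically valid; only flag it
        # when it claims to be one of our own addresses.
        return "pretends-to-be-us" if h[1:-1] in OUR_IPS else "ok"
    if is_ip(h):
        return "bare-ip"            # IP address without brackets
    if not is_fqdn(h):
        return "non-fqdn"           # e.g. "HELO friend"
    if any(h == d or h.endswith("." + d) for d in OUR_DOMAINS):
        return "pretends-to-be-us"
    if ptr:
        htld = h.rsplit(".", 1)[-1]
        ptld = ptr.lower().rstrip(".").rsplit(".", 1)[-1]
        # Compare only when both are two-letter country-code TLDs.
        if len(htld) == 2 and len(ptld) == 2 and htld != ptld:
            return "cctld-mismatch"  # "EHLO foo.de" vs "bar.uk" PTR
    return "ok"


def burst_groups(lines, window_seconds=10, threshold=3, year=2006):
    """Group EHLO names by their first label (upper-cased, as in the log) and
    return {label: distinct names} for groups with >= threshold hits inside
    window_seconds. This only flags; it does not block."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        helo = m.group(2)
        seen[helo.split(".")[0].upper()].append((ts, helo))
    flagged = {}
    for label, entries in seen.items():
        entries.sort()
        span = (entries[-1][0] - entries[0][0]).total_seconds()
        if len(entries) >= threshold and span <= window_seconds:
            flagged[label] = len({h for _, h in entries})
    return flagged


SAMPLE_LOG = [
    # the three lines quoted in the thread, rejoined onto single lines
    "Nov  2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: <-- EHLO MATTHIAS.uuuiguu.net",
    "Nov  2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: <-- EHLO MATTHIAS.me1n93.net",
    "Nov  2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: <-- EHLO MATTHIAS",
    # constructed line outside the burst
    "Nov  2 18:25:01 asarian-host sendmail[6170]: kA2HP1Ab006170: <-- EHLO mx1.example.com",
]

if __name__ == "__main__":
    for helo, ptr in [("friend", None), ("192.0.2.5", None), ("[192.0.2.25]", None),
                      ("mail.example.net", None), ("foo.de", "bar.uk")]:
        print(helo, "->", classify_helo(helo, ptr))
    print(burst_groups(SAMPLE_LOG))
```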


Re: BIG increase in spam today

Posted by Marc Perkel <ma...@perkel.com>.

Amos wrote:
> On 11/2/06, Debbie D <we...@beautytech.com> wrote:
>>
>> Yes Chris I did notice.. my server was attacked with spam yesterday
>> morning.. it was coming from several different ip, so fast I could 
>> not keep
>> it quiet
>>
>
> There's been a lot of chatter about this:
>
> http://it.slashdot.org/article.pl?sid=06/11/01/1321226
>
> Actually, it's getting to the extent that some at work are raising
> questions as to whether our SA setup will be able to maintain adequate
> protection from this growing onslaught. However, I have a feeling that
> even the appliance vendors are going to be equally hard pressed to
> deal with it.
>
> Amos
>

I'm not an appliance vendor but I run a front end spam filtering service 
and it's been a struggle. Most of my spam defense isn't SA though. I'm 
using Exim rules to do most of the work and SA gets what's left. Right 
now I'm trying to reject the bayes poisoning spam before it gets to SA 
so that I can get my bayes back and raise my bayes scores again.


RE: BIG increase in spam today

Posted by Bret Miller <br...@wcg.org>.
> On Thursday, 2 November 2006 16:04, Amos wrote:
> (...)
> > Actually, it's getting to the extent that some at work are raising
> > questions as to whether our SA setup will be able to 
> maintain adequate
> > protection from this growing onslaught. 
> >
> > Amos
> 
> Only AFTER adequate initial RBL filtering. Spamhaus does a 
> great job here.


It's not doing as great as it used to here. The amount of spam that SA
is processing is about 4X what it was in January. If this keeps up, we'll
have to look at other possible options, maybe more RBLs?

Bret




Re: BIG increase in spam today

Posted by Michael Schwartzkopff <mi...@multinet.de>.
On Thursday, 2 November 2006 16:04, Amos wrote:
(...)
> Actually, it's getting to the extent that some at work are raising
> questions as to whether our SA setup will be able to maintain adequate
> protection from this growing onslaught. 
>
> Amos

Only AFTER adequate initial RBL filtering. Spamhaus does a great job here.

Michael.

R: BIG increase in spam today

Posted by Giampaolo Tomassoni <g....@libero.it>.
> On 11/2/06, Debbie D <we...@beautytech.com> wrote:
> >
> > Yes Chris I did notice.. my server was attacked with spam yesterday
> > morning.. it was coming from several different ip, so fast I 
> could not keep
> > it quiet
> >
> 
> There's been a lot of chatter about this:
> 
> http://it.slashdot.org/article.pl?sid=06/11/01/1321226
> 
> Actually, it's getting to the extent that some at work are raising
> questions as to whether our SA setup will be able to maintain adequate
> protection from this growing onslaught. However, I have a feeling that
> even the appliance vendors are going to be equally hard pressed to
> deal with it.

Use greylisting: if they're bots, they will not even reach your SA.

Greylisting is a force.

Use the Force!

-----------------------------------
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100

MAI inviare una e-mail a:
NEVER send an e-mail to:
 rainbowl@tomassoni.eu


> 
> Amos


Re: BIG increase in spam today

Posted by Amos <a....@gmail.com>.
On 11/2/06, Debbie D <we...@beautytech.com> wrote:
>
> Yes Chris I did notice.. my server was attacked with spam yesterday
> morning.. it was coming from several different ip, so fast I could not keep
> it quiet
>

There's been a lot of chatter about this:

http://it.slashdot.org/article.pl?sid=06/11/01/1321226

Actually, it's getting to the extent that some at work are raising
questions as to whether our SA setup will be able to maintain adequate
protection from this growing onslaught. However, I have a feeling that
even the appliance vendors are going to be equally hard pressed to
deal with it.

Amos

R: BIG increase in spam today

Posted by Giampaolo Tomassoni <g....@libero.it>.
> "Chris" <cp...@earthlink.net> wrote in message
> 
> >>I usually come home from work to find about 60-80 spams in my spam 
> >>folder.
> >>Today upon bringing up the mailer there were over 400!  Looks like a large
> >>botnet attack or something. Has anyone else noticed this? I've 
> >>not finished
> >>looking at the ASNs to see where they're from, but I do notice that there
> >>are about 25-30 with the same subject in each group.
> 
> Yes Chris I did notice.. my server was attacked with spam yesterday 
> morning.. it was coming from several different ip, so fast I 
> could not keep 
> it quiet 

Confirmed. A friend of mine had this problem too (It isn't me, I swear! :) )

The worst is that he uses the simple antispam engine embedded into MDaemon...

His server seemed simply unable to handle the big quantity of inbound messages.

This happened yesterday and today morning (CET). Now it seems that the mail flux stopped.

I wonder what effect the senders are trying to obtain... DoS?

-----------------------------------
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100

MAI inviare una e-mail a:
NEVER send an e-mail to:
 rainbowl@tomassoni.eu


Re: BIG increase in spam today

Posted by Debbie D <we...@beautytech.com>.
"Chris" <cp...@earthlink.net> wrote in message

>>I usually come home from work to find about 60-80 spams in my spam 
>>folder.
>>Today upon bringing up the mailer there were over 400!  Looks like a large
>>botnet attack or something. Has anyone else noticed this? I've not finished
>>looking at the ASNs to see where they're from, but I do notice that there
>>are about 25-30 with the same subject in each group.

Yes Chris I did notice.. my server was attacked with spam yesterday 
morning.. it was coming from several different ip, so fast I could not keep 
it quiet 




Re: BIG increase in spam today

Posted by Jon Trulson <jo...@radscan.com>.
On Wed, 1 Nov 2006, Chris wrote:

> I usually come home from work to find about 60-80 spams in my spam folder.
> Today upon bringing up the mailer there were over 400!  Looks like a large
> botnet attack or something. Has anyone else noticed this? I've not finished
> looking at the ASNs to see where they're from, but I do notice that there
> are about 25-30 with the same subject in each group.
>
>

         I've noticed a significant uptick over the last month
         actually - both at home and work.

         At work, spam is now about 95% of all inbound mail (where it
         was hovering in the 75-80% range for some months).

         Scanning is still going ok (no overloads), and still *very
         few* FN's.  I love bayes.

         Secondary MX has over 12000 hosts in the greylist, whereas it
         was hovering around 6-7k for the last few months.  So it's
         definitely on the rise from where I sit.

         At home, I've also seen an increase - approx 150 a
         day from around 80-90 previously.

-- 
Jon Trulson
mailto:jon@radscan.com 
#include <std/disclaimer.h>
"No Kill I" -Horta