Posted to users@spamassassin.apache.org by polloxx <po...@gmail.com> on 2013/06/12 14:59:06 UTC
Massive spamruns
Dear list,
We have seen massive spam runs since the beginning of June. Are other people also seeing similar
runs? They fill our maillog. Fortunately most of it is blocked.
Re: Massive spamruns
Posted by John Hardin <jh...@impsec.org>.
On Wed, 12 Jun 2013, Alex wrote:
> I know I should have mentioned that. Yes, I'm using the above RBLs,
> and they're all correctly tagged here now.
>
> I was hoping for something more preemptive to trigger on these more
> generally because the IPs are only used for a short while, but long
> enough to get 25 spams in from the address.
As was suggested earlier: greylisting?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Of the twenty-two civilizations that have appeared in history,
nineteen of them collapsed when they reached the moral state the
United States is in now. -- Arnold Toynbee
-----------------------------------------------------------------------
377 days since the first successful private support mission to ISS (SpaceX)
Re: Massive spamruns
Posted by Dave Warren <da...@hireahit.com>.
On 2013-06-13 18:49, John Hardin wrote:
> On Thu, 13 Jun 2013, Alex wrote:
>
>>> There are anecdotal reports that spammers focus on backup MX hosts in the
>>> hopes they are less well protected. You might also try changing the MX
>>> weighting and see if that causes the spam to concentrate on a specific MX
>>> host. That might give you a little more positive control over it.
>>
>> Yes, I've also heard that before, but thought it was typically based
>> on MX weight, not just based on the name of the host.
>
> "MX weight" is what I was referring to. The spammers may be using rDNS
> or IP sorting or some other method not under your control to pick from
> a pool of equally-weighted MX hosts to focus on.
Keep in mind that spammers' software may not follow the RFCs correctly
at all. It's entirely possible that they do something silly like apply a
reverse sort on the whole MX record (including the MX weight and the
hostname) rather than randomizing among servers of equal weight.
Since we have a couple MXes that aren't quite as strict about spam
filtering as our primary server, we also have a final lowest-priority MX
that just returns a 4xx error to everything to try and head off this
approach. It seems to work well on a small scale, but we don't apply
this configuration to customer domains at this time.
Currently we're using mx.fakemx.net for this, although I may have to
change this since it makes the (sometimes mistaken) assumption that
entire commands come through in one packet, so when you telnet in, it
incorrectly returns errors after every letter rather than waiting for a
CRLF.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
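The "final lowest-priority MX that just returns a 4xx to everything" described above, as an added example that is not part of the thread or of mx.fakemx.net: the responder buffers until a full CRLF-terminated command arrives, which is exactly the assumption the post says fakemx gets wrong. Hostname, reply texts and port are constructed for illustration.

```python
import socket

class TempfailMX:
    """Answers every SMTP command with a 4xx temporary failure.

    A compliant sender has already tried the better-preference MX hosts
    before it reaches this one; anything that lands here first is either
    retrying later (fine) or walking the MX list in a non-RFC order.
    Client bytes may arrive in arbitrary chunks, so replies are only
    produced once a complete CRLF-terminated line has been buffered.
    """

    GREETING = "220 mx-last.example.invalid ESMTP last-resort MX, no mail accepted\r\n"
    TEMPFAIL = "450 4.7.1 Please retry via the primary MX hosts for this domain\r\n"
    BYE = "221 2.0.0 Bye\r\n"

    def __init__(self):
        self.buf = b""
        self.closed = False

    def feed(self, data: bytes) -> list:
        """Consume one chunk from the client; return the replies to send."""
        replies = []
        self.buf += data
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"QUIT":
                replies.append(self.BYE)
                self.closed = True
                break
            replies.append(self.TEMPFAIL)
        return replies


def serve(host="127.0.0.1", port=2525):
    """Blocking single-connection loop around TempfailMX (hypothetical port)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, _ = srv.accept()
            with conn:
                mx = TempfailMX()
                conn.sendall(mx.GREETING.encode())
                while not mx.closed:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    for reply in mx.feed(chunk):
                        conn.sendall(reply.encode())


if __name__ == "__main__":
    serve()
```

Typing the command one character at a time over telnet now yields a single 450 per command rather than one per keystroke.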
Re: Massive spamruns
Posted by John Hardin <jh...@impsec.org>.
On Thu, 13 Jun 2013, Alex wrote:
>> There are anecdotal reports that spammers focus on backup MX hosts in the
>> hopes they are less well protected. You might also try changing the MX
>> weighting and see if that causes the spam to concentrate on a specific MX
>> host. That might give you a little more positive control over it.
>
> Yes, I've also heard that before, but thought it was typically based
> on MX weight, not just based on the name of the host.
"MX weight" is what I was referring to. The spammers may be using rDNS or
IP sorting or some other method not under your control to pick from a pool
of equally-weighted MX hosts to focus on.
> I don't have control over the DNS for this zone, and not sure any one
> server could take the bulk of the mail instead of the round-robin load
> balancing trying to be achieved with equal weighting.
Assuming the anecdotes are correct, setting one server to a slightly
higher weighting would tend to shift legitimate mail to the other hosts
and spam to that host. "tend to" meaning you'll still get legitimate mail
at the "backup" MX host and spam at the pool of primary MX hosts, the
balance might just shift some. I wouldn't say this would focus the *bulk*
of your mail on one host, unless you're getting a *lot* more spam than ham
and that spam isn't trivially blockable using Zen or greylisting, both of
which are fairly lightweight.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Yet another example of a Mexican doing a job Americans are
unwilling to do. -- Reno Sepulveda, on UniVision reporters asking
President Obama some pointed questions about
the BATFE Fast and Furious scandal.
-----------------------------------------------------------------------
5 days until SWMBO's Birthday
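To make the MX-weight discussion concrete, here is an added example (not from the thread) contrasting RFC 5321 MX selection, which randomizes among equal-preference hosts, with two non-compliant strategies a spam engine might use. The record set and hostnames are constructed; the last entry plays the role of a low-priority tempfail host.

```python
import random

# Constructed MX record set for a hypothetical zone: three equal-weight
# primaries, one backup, and a last-resort host at the lowest priority
# (the highest preference value).
MX_RECORDS = [
    (10, "mail01.example.invalid"),
    (10, "mail02.example.invalid"),
    (10, "mail03.example.invalid"),
    (20, "backup.example.invalid"),
    (99, "mx-last.example.invalid"),
]


def rfc5321_order(records, rng=random):
    """RFC 5321 section 5.1: lowest preference value first; hosts that
    share a preference value are tried in random order."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def naive_reverse_sort(records):
    """The broken behaviour hypothesised in the thread: reverse-sort the
    whole record (preference, hostname) and take the first entry."""
    return [host for _, host in sorted(records, reverse=True)]


def naive_hostname_sort(records):
    """Another non-RFC choice: order by hostname only, ignoring preference.
    With equal preferences this always hits the same host."""
    return [host for _, host in sorted(records, key=lambda r: r[1])]


def first_choice(order_fn, records, trials=1000):
    """How often each host would be contacted first under a strategy."""
    counts = {}
    for _ in range(trials):
        first = order_fn(records)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    for fn in (rfc5321_order, naive_reverse_sort, naive_hostname_sort):
        print(fn.__name__, first_choice(fn, MX_RECORDS))
```

A compliant sender never lands on the backup or last-resort host while a primary answers, so traffic that concentrates there is a useful signal in its own right.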
Re: Massive spamruns
Posted by Alex <my...@gmail.com>.
Hi,
On Thu, Jun 13, 2013 at 6:53 PM, John Hardin <jh...@impsec.org> wrote:
> On Thu, 13 Jun 2013, Alex wrote:
>> I'm thinking this is sounding like a better option. The IPs change way
>> too quickly for me to be able to keep up with updating a DNSBL. It's
>> funny -- despite all MXs having the same weight, mail03 is really the
>> one that's pounded with these pump-and-dump spams. Maybe I'll start
>> with implementing greylisting there.
>
> If the spammers are preferring a particular MX host, greylisting only on
> that host to start with sounds like a good approach.
Okay, great to hear.
> There are anecdotal reports that spammers focus on backup MX hosts in the
> hopes they are less well protected. You might also try changing the MX
> weighting and see if that causes the spam to concentrate on a specific MX
> host. That might give you a little more positive control over it.
Yes, I've also heard that before, but thought it was typically based
on MX weight, not just based on the name of the host. I don't have
control over the DNS for this zone, and not sure any one server could
take the bulk of the mail instead of the round-robin load balancing
trying to be achieved with equal weighting.
Thanks,
Alex
Re: Massive spamruns
Posted by John Hardin <jh...@impsec.org>.
On Thu, 13 Jun 2013, Alex wrote:
>>> John Hardin wrote:
>>>> As was suggested earlier: greylisting?
>
> I'm thinking this is sounding like a better option. The IPs change way
> too quickly for me to be able to keep up with updating a DNSBL. It's
> funny -- despite all MXs having the same weight, mail03 is really the
> one that's pounded with these pump-and-dump spams. Maybe I'll start
> with implementing greylisting there.
If the spammers are preferring a particular MX host, greylisting only on
that host to start with sounds like a good approach.
There are anecdotal reports that spammers focus on backup MX hosts in the
hopes they are less well protected. You might also try changing the MX
weighting and see if that causes the spam to concentrate on a specific MX
host. That might give you a little more positive control over it.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You do not examine legislation in the light of the benefits it
will convey if properly administered, but in the light of the
wrongs it would do and the harms it would cause if improperly
administered. -- Lyndon B. Johnson
-----------------------------------------------------------------------
5 days until SWMBO's Birthday
Re: Massive spamruns
Posted by Benny Pedersen <me...@junc.eu>.
Alex wrote on 2013-06-14 00:42:
> I'm thinking this is sounding like a better option. The IPs change way
> too quickly for me to be able to keep up with updating a DNSBL. It's
> funny -- despite all MXs having the same weight, mail03 is really the
> one that's pounded with these pump-and-dump spams. Maybe I'll start
> with implementing greylisting there.
Try with one MX hostname that has multiple IPs first,
so you test with just one MX priority.
--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it
Re: Massive spamruns
Posted by Alex <my...@gmail.com>.
Hi,
On Wed, Jun 12, 2013 at 2:54 PM, Daniel McDonald <da...@austinenergy.com> wrote:
> On 6/12/13 1:25 PM, "Alex" <my...@gmail.com> wrote:
>
>> John Hardin wrote:
>>> As was suggested earlier: greylisting?
>>
>> I really don't think my users would tolerate the delay, so I've never
>> implemented it. They would have vendors calling them on the phone
>> complaining, not to mention users. From what I understand the delay
>> can be multiple minutes, correct?
>
> Yes, but only for the first message. Once you've proved that they are a
> real mail-server greylisting is pretty pointless.
I'm thinking this is sounding like a better option. The IPs change way
too quickly for me to be able to keep up with updating a DNSBL. It's
funny -- despite all MXs having the same weight, mail03 is really the
one that's pounded with these pump-and-dump spams. Maybe I'll start
with implementing greylisting there.
Thanks again,
Alex
Re: Massive spamruns
Posted by polloxx <po...@gmail.com>.
Neil,
I'm sorry, but I can't disclose the logs. Fortunately 95% of them were
blocked by blacklisting or greylisting. I just wanted to know if other
people see a massive increase of spam the last weeks.
On Wed, Jun 12, 2013 at 9:31 PM, Benny Pedersen <me...@junc.eu> wrote:
> Alex wrote on 2013-06-12 20:25:
>
>
> John Hardin wrote:
>>
>>> As was suggested earlier: greylisting?
>>>
>>
>> I really don't think my users would tolerate the delay, so I've never
>> implemented it. They would have vendors calling them on the phone
>> complaining, not to mention users. From what I understand the delay
>> can be multiple minutes, correct? I'd imagine there's support for
>> whitelisting an IP after receiving multiple messages over some
>> extended period? Is it something suitable for an environment with a
>> few hundred thousand messages per day?
>>
>
> https://github.com/mmatuska/sqlgrey/blob/master/sqlgrey
> http://www.hardwarefreak.com/fqrdns.pcre < used as a discriminator list, so greylist only these hosts
>
> and if possible patch sqlgreywebui to be per user, or make it possible for
> each recipient to opt in
>
> with this the most important mails are not delayed at all, else there is
> only sagrey left
>
>
> --
> senders that put my email into body content will deliver it to my own
> trashcan, so if you like to get reply, dont do it
>
Re: Massive spamruns
Posted by Benny Pedersen <me...@junc.eu>.
Alex wrote on 2013-06-12 20:25:
> John Hardin wrote:
>> As was suggested earlier: greylisting?
>
> I really don't think my users would tolerate the delay, so I've never
> implemented it. They would have vendors calling them on the phone
> complaining, not to mention users. From what I understand the delay
> can be multiple minutes, correct? I'd imagine there's support for
> whitelisting an IP after receiving multiple messages over some
> extended period? Is it something suitable for an environment with a
> few hundred thousand messages per day?
https://github.com/mmatuska/sqlgrey/blob/master/sqlgrey
http://www.hardwarefreak.com/fqrdns.pcre < used as a discriminator
list, so greylist only these hosts
and if possible patch sqlgreywebui to be per user, or make it possible
for each recipient to opt in
with this the most important mails are not delayed at all, else there
is only sagrey left
--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it
Re: Massive spamruns
Posted by Daniel McDonald <da...@austinenergy.com>.
On 6/12/13 1:25 PM, "Alex" <my...@gmail.com> wrote:
>
> John Hardin wrote:
>> As was suggested earlier: greylisting?
>
> I really don't think my users would tolerate the delay, so I've never
> implemented it. They would have vendors calling them on the phone
> complaining, not to mention users. From what I understand the delay
> can be multiple minutes, correct?
Yes, but only for the first message. Once you've proved that they are a
real mail-server greylisting is pretty pointless.
> I'd imagine there's support for
> whitelisting an IP after receiving multiple messages over some
> extended period?
Yes, once a machine has gone through greylisting successfully, it is added
to the white list.
> Is it something suitable for an environment with a
> few hundred thousand messages per day?
In my opinion, yes, but you have to watch out for systems that need to be
exempted from grey-listing. Mostly large pools of outbound servers like
Microsoft Live and gmail.
>
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
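The behaviour Daniel describes (delay only the first message, whitelist a host once it has proven it retries, exempt large outbound pools) in an added example that is not from the thread and not sqlgrey's or SAGrey's code. The retry window, TTLs and the exempt network are constructed values; a real deployment would use the provider's published ranges.

```python
import ipaddress
import time

MIN_RETRY = 300                  # seconds a new triplet must wait before acceptance
TRIPLET_TTL = 4 * 3600           # unretried triplets are forgotten after this
WHITELIST_TTL = 35 * 24 * 3600   # a proven sender IP stays whitelisted this long

# Outbound pools whose retries arrive from different IPs and so never pass
# a per-IP triplet check; these must be exempted up front. Constructed range.
EXEMPT_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


class Greylist:
    """Minimal greylisting decision logic keyed on (client IP, sender, recipient)."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}     # (ip, sender, rcpt) -> first-seen timestamp
        self.whitelist = {}   # ip -> timestamp of last successful retry

    def check(self, ip, sender, rcpt):
        """Return 'ACCEPT' or 'DEFER'; the MTA answers DEFER with a 450."""
        t = self.now()
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in EXEMPT_NETWORKS):
            return "ACCEPT"
        # A host that already retried once is trusted for every later message,
        # which is why the delay is only ever paid on the first contact.
        if ip in self.whitelist and t - self.whitelist[ip] < WHITELIST_TTL:
            self.whitelist[ip] = t
            return "ACCEPT"
        key = (ip, sender.lower(), rcpt.lower())
        first = self.pending.get(key)
        if first is None or t - first > TRIPLET_TTL:
            self.pending[key] = t
            return "DEFER"
        if t - first < MIN_RETRY:
            return "DEFER"        # retried too soon, still inside the delay
        del self.pending[key]
        self.whitelist[ip] = t    # proven to queue and retry: a real MTA
        return "ACCEPT"
```

A throwaway source that fires its batch and never retries never completes the triplet, which is the property the thread is after; the cost is one queue cycle for each genuinely new sending host.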
Re: Massive spamruns
Posted by Alex <my...@gmail.com>.
Hi,
>>>> # 2013 cars local dealership
>>>> http://pastebin.com/3bEMiV3B
>>>
>>> URI in that sample
>>>
>>> pohformed.com listed on black.uribl.com
>>> pohformed.com listed on jp.surbl.org
>>> pohformed.com listed on sc.surbl.org
>>> pohformed.com listed on dbl.spamhaus.org
>>
>> I know I should have mentioned that. Yes, I'm using the above RBLs,
>> and they're all correctly tagged here now.
>>
>> I was hoping for something more preemptive to trigger on these more
>> generally because the IPs are only used for a short while, but long
>> enough to get 25 spams in from the address. I was hoping to find
>> commonalities between the messages that could be used to generate some
>> other rules.
>>
>
> Isn't this the function that Bayes is intended to serve, rather precisely?
For the most part, my FNs typically do hit bayes99. This example hit
bayes80, although many times they do only hit bayes50, despite
training them regularly.
I really don't think there's a problem with my bayes database, due to
the frequency with which I see bayes99 in my FNs.
This is especially true for the yahoo compromised account single-link
spam. The headers are always nearly identical and the body is either a
single URL or a bunch of html junk with a link embedded in it.
Of course after learning these messages, then running through SA
again, they hit bayes99. The next one that comes in is apparently just
different enough to not quite hit bayes99.
I even periodically go through the quarantine, and train those which
have only hit bayes50.
John Hardin wrote:
> As was suggested earlier: greylisting?
I really don't think my users would tolerate the delay, so I've never
implemented it. They would have vendors calling them on the phone
complaining, not to mention users. From what I understand the delay
can be multiple minutes, correct? I'd imagine there's support for
whitelisting an IP after receiving multiple messages over some
extended period? Is it something suitable for an environment with a
few hundred thousand messages per day?
Axb wrote:
> pohformed.com's A record 66.197.138.39 listed on sbl.spamhaus.org
Can this be implemented in v3.2 or as a postfix rhsbl?
Isn't it already included in zen, which I'm already implementing at SMTP time?
Thanks,
Alex
Re: Massive spamruns
Posted by Alex <my...@gmail.com>.
Hi,
On Wed, Jun 12, 2013 at 3:07 PM, Benny Pedersen <me...@junc.eu> wrote:
> Ben Johnson wrote on 2013-06-12 18:26:
>
>> Isn't this the function that Bayes is intended to serve, rather precisely?
>
> The sa-grey plugin might help: spammers change sender addresses and IPs, so let's
> track that. It works well here. An RBL is not content, but a URL is; in other words,
> if one checks RBLs at the MTA stage then disable dnseval in SpamAssassin, and the URL
> check still works, which is more about content than where the mail comes from. Spammers
> have more than one IP, but only one payload URL, so block the URL.
sagrey requires the use of AWL. What is people's general opinion of
implementing the AWL in v3.3?
I'm also confused about the description of sagrey. It appears that
there must first be at least one message marked as spam before it's
used. I'm finding that if there is one message marked as spam, then
all those which follow are also spam, and don't require any additional
scoring.
"...if the score indicates that the message is spam and the sender is
unknown to the AWL subsystem, then the SAGrey module assumes that the
message is one-time spam from a throwaway or zombie account, triggers
the SAGREY rule, adds a user-defined score to the current spam score,
and optionally creates a new header in the message. "
Can someone clarify this for me?
Thanks,
Alex
Re: Massive spamruns
Posted by Benny Pedersen <me...@junc.eu>.
Ben Johnson wrote on 2013-06-12 18:26:
> Isn't this the function that Bayes is intended to serve, rather
> precisely?
The sa-grey plugin might help: spammers change sender addresses and IPs, so
let's track that. It works well here. An RBL is not content, but a URL is; in
other words, if one checks RBLs at the MTA stage then disable dnseval in
SpamAssassin, and the URL check still works, which is more about content than where
the mail comes from. Spammers have more than one IP, but only one payload URL,
so block the URL.
--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it
Re: Massive spamruns
Posted by Ben Johnson <be...@indietorrent.org>.
On 6/12/2013 12:22 PM, Alex wrote:
> Hi,
>
>>> # 2013 cars local dealership
>>> http://pastebin.com/3bEMiV3B
>>
>> URI in that sample
>>
>> pohformed.com listed on black.uribl.com
>> pohformed.com listed on jp.surbl.org
>> pohformed.com listed on sc.surbl.org
>> pohformed.com listed on dbl.spamhaus.org
>
> I know I should have mentioned that. Yes, I'm using the above RBLs,
> and they're all correctly tagged here now.
>
> I was hoping for something more preemptive to trigger on these more
> generally because the IPs are only used for a short while, but long
> enough to get 25 spams in from the address. I was hoping to find
> commonalities between the messages that could be used to generate some
> other rules.
>
> Thanks,
> Alex
>
Isn't this the function that Bayes is intended to serve, rather precisely?
-Ben
Re: Massive spamruns
Posted by Alex <my...@gmail.com>.
Hi,
>> # 2013 cars local dealership
>> http://pastebin.com/3bEMiV3B
>
> URI in that sample
>
> pohformed.com listed on black.uribl.com
> pohformed.com listed on jp.surbl.org
> pohformed.com listed on sc.surbl.org
> pohformed.com listed on dbl.spamhaus.org
I know I should have mentioned that. Yes, I'm using the above RBLs,
and they're all correctly tagged here now.
I was hoping for something more preemptive to trigger on these more
generally because the IPs are only used for a short while, but long
enough to get 25 spams in from the address. I was hoping to find
commonalities between the messages that could be used to generate some
other rules.
Thanks,
Alex
Re: Massive spamruns
Posted by Axb <ax...@gmail.com>.
On 06/12/2013 05:09 PM, Alex wrote:
>
> # 2013 cars local dealership
> http://pastebin.com/3bEMiV3B
URI in that sample
pohformed.com listed on black.uribl.com
pohformed.com listed on jp.surbl.org
pohformed.com listed on sc.surbl.org
pohformed.com listed on dbl.spamhaus.org
using SA 3.4 it adds:
pohformed.com's A record 66.197.138.39 listed on sbl.spamhaus.org
You must have got that spam real early or you're not doing URIBL queries.
Re: Massive spamruns
Posted by Alex <my...@gmail.com>.
Hi,
On Wed, Jun 12, 2013 at 9:03 AM, Neil Schwartzman <ne...@cauce.org> wrote:
> Uhm, perhaps some snippets from the maillogs, or examples?
I thought I would take the opportunity to post a few I'm seeing and
can't figure out. I've created a bunch of local subject rules, and
continually train them with bayes, but I haven't had much success.
# single-link spam from yahoo
http://pastebin.com/uR5ses1d
# 2013 cars local dealership
http://pastebin.com/3bEMiV3B
I've also added some helpful body checks, but everyone knows their
utility is very short-lived. I think it would be really helpful if
someone had a script to scan the body from an mbox of FNs, a la
SOUGHT, that they could maintain locally. I'm not sure if that's
currently automated, but these rules meta'd together with other small
rules are very helpful.
Thanks for any ideas.
Alex
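For the "script to scan the body from an mbox of FNs" Alex wishes for, here is an added example (not from the thread, and not the SOUGHT tooling): it counts in how many distinct false negatives each word n-gram occurs, so phrases shared across the run surface as candidates for a local body rule. The sample messages are constructed.

```python
import re
from collections import Counter
from email import message_from_string


def body_text(msg):
    """Join the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def ngrams(text, n):
    """Set of lower-cased word n-grams; a set so each counts once per message."""
    words = re.findall(r"[a-z0-9$%]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def candidate_phrases(raw_messages, n=3, min_docs=2):
    """Return (phrase, message_count) pairs seen in at least min_docs messages,
    most common first. Document frequency, not raw frequency, so one long
    message repeating itself cannot dominate the list."""
    doc_freq = Counter()
    for raw in raw_messages:
        doc_freq.update(ngrams(body_text(message_from_string(raw)), n))
    return [(p, c) for p, c in doc_freq.most_common() if c >= min_docs]


def scan_mbox(path, n=3, min_docs=2):
    """Same scan over an on-disk mbox of quarantined false negatives."""
    import mailbox
    return candidate_phrases([m.as_string() for m in mailbox.mbox(path)], n, min_docs)


# Constructed false negatives standing in for a quarantine mbox.
SAMPLE_FNS = [
    "From: a@example.invalid\nSubject: 2013 cars\n\n"
    "Visit your local dealership today for 2013 cars at huge discount prices\n",
    "From: b@example.invalid\nSubject: deals\n\n"
    "All 2013 cars at your local dealership today, call now\n",
    "From: c@example.invalid\nSubject: hi\n\nCheck this out http://example.invalid/x\n",
]

if __name__ == "__main__":
    for phrase, count in candidate_phrases(SAMPLE_FNS, n=2):
        print(f"{count:3d}  {phrase}")
```

Phrases that also appear in your ham corpus should be dropped before any of them become a rule; as the post notes, such rules are short-lived and belong in a meta with other signals rather than scoring on their own.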
Re: Massive spamruns
Posted by Neil Schwartzman <ne...@cauce.org>.
Uhm, perhaps some snippets from the maillogs, or examples?
On Jun 12, 2013, at 5:59 AM, polloxx <po...@gmail.com> wrote:
> Dear list,
>
> We have seen massive spam runs since the beginning of June. Are other people also seeing similar runs? They fill our maillog. Fortunately most of it is blocked.