On 08/23/2014 11:15 AM, Eric Shubert wrote:
On 08/23/2014 08:57 AM, Eric Shubert wrote:
On 08/18/2014 02:15 PM, Angus McIntyre wrote:
I’m seeing an uptick in a particular type of spam that I would very
much like to filter. Fortunately, the spam has a quite distinctive
fingerprint: the envelope sender of each message matches the regex:


^[A-Za-z0-9_-]+-realuser=realdomain\.realtld\@[a-z0-9-]+\.[a-z]{2,4}$

(where ‘realuser’, ‘realdomain’ and ‘realtld’ jointly match an email
address hosted on my server).

For example, if I had a user ‘f...@example.com’, the envelope sender
on the spams might look like:

    garcinia-fred=example....@spammydomain.com

The ‘fred=example.com@’ is pretty distinctive for this spammer. There
are a few legitimate domains that use an approximately similar
convention, but the regex above will not match them.

spammydomain.com, obviously, changes from run to run. They seem to be
snowshoe’ing their way all over Cloudflare, with a few instances on
HiVelocity.

My impression is that Spamdyke’s sender blacklists only allow
simplified wildcards, i.e. specifying @example.com to block all email
from the ‘example.com’, so that’s probably not an option. Spamdyke’s
header blacklist feature is slightly more complex/capable, but doesn’t
match on the envelope sender (or allow me the full expressiveness I
need).

I could add a SpamAssassin rule to take care of these cases, but the
way my system is configured, SpamAssassin will only flag spam, not
delete it. Some of the addresses targeted by this particular spammer
are set to forward to external systems, so — in order to preserve the
reputation of my mail server — I’d like to kill this spam dead.

I could use procmail, but this is something of a hassle. So before I
go down that route, I wanted to ask whether there’s anything in the
qmailtoaster toolbox that would allow me to block email based on
applying the regex above to the envelope sender.

I could also just use iptables to block CloudFlare entirely, but that
seems a little extreme.

Any suggestions would be gratefully received.

Angus
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



Sorry to delay my reply to this. I wanted to see if anyone would chime
in on this. I guess not (yet). (C'mon folks!)

I too have seen an uptick in spam recently. There are 3 or so that are
persistent daily, and sa-learn doesn't seem to be learning them well
enough (or maybe fast enough) to tag them.

I haven't had a chance to dig into them yet before now. I've had a look
at a few of them; they appear to fit your observation.

The good news is that the badmailto file can handle regexes. The problem
would be having to define a separate entry for each address, which
wouldn't be practical.

The bad news is that this form of address is perfectly legit for mailing
lists. If you implemented this filter, I expect you'd no longer get
messages from this list. (Oops!)

Of course, we'd all love to nail these suckers. They seem to be pretty
diligent though, to the point of even having valid SPF and DKIM
configurations.

The only tool we have at this point that I can see is SA. I think with a
little tuning we should be able to get SA to recognize these, even if we
have to write a new rule or two.

On second thought, one in particular that I'm seeing appears to be a
phishing attempt. I haven't installed sane security (clamav additional
signatures) on my new server yet. I'll do that, and see if these new
spams keep coming or not.

If they persist, then I suggest we delve deeper into SA. All the spams
appear to have one or more links in the content which matches the domain
of the sender. I wonder if that couldn't be used somehow. Isn't there a
BL of sorts in SA that examines the domains of the urls in the message?
I wonder if that's not working, or the spammers are just changing
domains so fast that it's not effective. Or perhaps the SA scoring just
needs a little tweaking for those rules.

TIA for everyone's input on this.
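An added example (my own Python, not anything from the thread or from the qmailtoaster toolbox) that builds Angus's envelope-sender regex for one protected mailbox and runs it over a few constructed senders. It shows both the spam shape and the caveat raised above: an ezmlm-style VERP return path from a mailing list has the same user=domain form and would be rejected too. The sample addresses are hypothetical.

```python
import re

def spam_sender_pattern(protected_address):
    """Build Angus's envelope-sender regex for one mailbox hosted here:
    <tag>-<user>=<domain>@<label>.<tld>, with user and domain escaped so
    the dots in the domain stay literal."""
    user, domain = protected_address.split("@", 1)
    return re.compile(r"^[A-Za-z0-9_-]+-" + re.escape(user) + "="
                      + re.escape(domain) + r"@[a-z0-9-]+\.[a-z]{2,4}$")

def classify(protected_address, envelope_senders):
    """Map each envelope sender to True if the regex would reject it."""
    pat = spam_sender_pattern(protected_address)
    return {s: bool(pat.match(s)) for s in envelope_senders}

# Constructed envelope senders (hypothetical, not taken from any log).
SAMPLE_SENDERS = [
    "garcinia-fred=example.com@spammydomain.com",        # the spam shape
    "solar-panels-fred=example.com@another-run.net",     # next run, new domain
    # ezmlm-style VERP return path of a mailing list: same shape, but legit.
    "qmailtoaster-list-return-12345-fred=example.com@qmailtoaster.com",
    "fred@example.com",                                  # ordinary sender
    # Not matched: the regex allows only one label before the TLD.
    "bounce-fred=example.com@list.example.org",
]

if __name__ == "__main__":
    for sender, hit in classify("fred@example.com", SAMPLE_SENDERS).items():
        print(("REJECT " if hit else "accept ") + sender)
```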


After a little investigation, I've concluded that these spammers are
getting good. So we just need to get better. ;)

I happen to have a backup MX host that runs QMT (with spamdyke of
course). I've noticed that there's a lot of spam hitting the backup host
which spamdyke duly catches, usually rDNS related (doesn't exist or
doesn't resolve).

I happened to notice that one of the 3 spams I'm looking at came through
the backup MX host. I recall someone elsewhere mentioning that setting
up a dummy high priority MX server was a good anti-spam deterrent, as
there are quite a few spammers who go straight for the lowest priority
server, figuring that's where the weakest spam defenses are. I think
that's true, and true.

So what would it hurt to create a dummy MX record with low priority
(highest number) for these spammers to use? Probably nothing. I just
wonder if the spamming host is smart enough to go to a higher priority
host when the first doesn't work. Probably not, if the success of
graylisting is any indication.

So the question becomes, where to point the dummy low priority MX
record? It has to be the name of a valid type A record. Any type A
record. I'm inclined to use one at yahoo.com. Why the heck not? :)

So my first step is going to be creating a dummy MX record, and see if I
still get emails trying to sell me solar panels. I should also be able
to get a feel for the effectiveness of this by observing the number of
rejections my backup MX host is getting. I don't have hard numbers at
this point (can't wait for ELK!), but I think browsing the logs will
suffice.

That still leaves the other spams that are using my primary host though,
so there's still some work to do.


It appears that these spams are using random text that's hidden inside of html in order to beat the bayes filter. At least that's my guess.

I'm guessing that if we write a filter/editor that strips out all unviewable text from html content in a message before sending it to sa-learn, the bayes filter will be effective once again.

Thoughts on this? Anyone know of a filter we can pipe messages through on their way to sa-learn?

--
-Eric 'shubes'
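An added example (my own code, not a filter from the thread or from qmailtoaster) of the pre-sa-learn step described above: a Python stdlib parser that keeps only the text a mail client would display and drops HTML comments, style/script blocks and elements hidden by inline style or the hidden attribute. The sample message and the list of hiding techniques are constructed; colour-on-background tricks are not covered.

```python
import re
from html.parser import HTMLParser

# Inline styles that make an element invisible to the recipient (constructed
# list, not exhaustive). The lookahead stops "font-size:0.9em" from matching.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"font-size\s*:\s*0(?:px|pt|em)?(?![.\d])", re.I)
NEVER_SHOWN = {"style", "script", "head", "title"}   # never rendered as text
VOID = {"br", "img", "hr", "meta", "link", "input", "wbr"}  # no content

class VisibleTextExtractor(HTMLParser):
    """Keep only text a mail client would display, so hidden filler words
    never reach the Bayes database."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []          # (tag, hidden) for each open element
        self.hidden_depth = 0    # >0 while inside an invisible element
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return               # never closed, so never pushed
        a = dict(attrs)
        hidden = (tag in NEVER_SHOWN or "hidden" in a
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        self.stack.append((tag, hidden))
        self.hidden_depth += int(hidden)

    def handle_endtag(self, tag):
        if tag not in [t for t, _ in self.stack]:
            return               # stray close tag in sloppy spam HTML
        while True:              # pop back to the matching open tag
            t, hidden = self.stack.pop()
            self.hidden_depth -= int(hidden)
            if t == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth == 0 and data.strip():
            self.chunks.append(data.strip())
    # handle_comment is inherited as a no-op, so <!-- ... --> is dropped.

def visible_text(html):
    p = VisibleTextExtractor()
    p.feed(html)
    p.close()
    return " ".join(p.chunks)

# Constructed sample, not a real spam: filler words hidden four ways.
SAMPLE_HTML = """<html><head><title>Offer</title><style>.x{display:none}</style>
</head><body><!-- lorem quantum harbor tuesday -->
<p>Save 60% on <b>solar panels</b> this month!</p>
<div style="display:none">aardvark tungsten philately quorum</div>
<span style="font-size:0px;color:#fff">sonnet bracket</span>
<p style="font-size:0.9em">Call now.</p></body></html>"""

if __name__ == "__main__":
    print(visible_text(SAMPLE_HTML))
```

Run each text/html part of a message through visible_text() and feed the result (or a message with that part replaced) to sa-learn, so the training tokens are the ones the recipient actually sees.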

