Re: [Discuss] Torrent of new spam

2017-02-19 Thread Rich Braun
Years ago, I built a very functional greylist spam-thwarter around exim, which 
provides finer control over each step of the SMTP handshake than the postfix 
setup I have now.

Had to give up on greylisting when ISPs all decided to block port 25 inbound, 
so I have to use a commercial relay provider that passes my inbound mail on 
another port. So I rely on them to do whatever level of greylisting they have 
(clearly, whatever they're doing isn't screening out this latest deluge).

-rich
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss


Re: [Discuss] Torrent of new spam

2017-02-18 Thread Derek Atkins
I've found that rbl checks, spamassassin, and sender-verify block a significant 
amount of spam.  I do find a bunch of false positive sender-verify blocks...  
so I have to add some to a whitelist.  Right now I think I have about 30-40 
entries in that list.  Greylisting works too, unless you have an MX that does 
not..

-derek

Sent from my mobile device. Please excuse any typos.

- Reply message -
From: "Richard Pieri" 
To: 
Subject: [Discuss] Torrent of new spam
Date: Sat, Feb 18, 2017 7:36 PM

On 2/18/2017 12:29 PM, Daniel Barrett wrote:
> Where spamassassin is based on heuristics, spastic is literal. You
> simply create blacklists and whitelists for blocking & permitting
> emails. The lists can include "To" and "From" addresses, subject lines
> (substrings), body text, etc.  Each list is a plain text file.

Static lists like these are a pain to manage. When I tried it I spent
more time tweaking lists than reading mail. When a previous employer of
mine tried static lists it turned into a full time job for one of our
sysadmins.

In my experience, grey listing at the SMTP server offers the best bang
for the buck. It drops on the order of 95% of incoming spam before it
can get into the mail server with no false positives -- it won't drop
legitimate mail. Grey listing requires no maintenance and it is very
light on system resources.

-- 
Rich P.


Re: [Discuss] Torrent of new spam

2017-02-18 Thread Richard Pieri
On 2/18/2017 12:29 PM, Daniel Barrett wrote:
> Where spamassassin is based on heuristics, spastic is literal. You
> simply create blacklists and whitelists for blocking & permitting
> emails. The lists can include "To" and "From" addresses, subject lines
> (substrings), body text, etc.  Each list is a plain text file.

Static lists like these are a pain to manage. When I tried it I spent
more time tweaking lists than reading mail. When a previous employer of
mine tried static lists it turned into a full time job for one of our
sysadmins.

In my experience, grey listing at the SMTP server offers the best bang
for the buck. It drops on the order of 95% of incoming spam before it
can get into the mail server with no false positives -- it won't drop
legitimate mail. Grey listing requires no maintenance and it is very
light on system resources.

-- 
Rich P.
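
The greylisting that Rich P. recommends above works by temporarily rejecting the first delivery attempt for an unknown (client network, envelope sender, recipient) triplet and accepting only a retry that arrives after a minimum delay, which fire-and-forget spam senders rarely make. The following is an added illustration, not code from the thread or from any MTA; the timers, addresses and IPs are constructed for the example.

```python
import time
from dataclasses import dataclass, field

# Timers are constructed for this example; real MTAs make them configurable.
MIN_RETRY_DELAY = 300          # seconds a new triplet must wait before a retry is accepted
PENDING_TTL = 4 * 3600         # triplets never retried are forgotten after this
KNOWN_TTL = 36 * 24 * 3600     # triplets that retried correctly stay known this long

@dataclass
class Greylist:
    """Greylisting table keyed on (client /24, envelope sender, envelope recipient)."""
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    known: dict = field(default_factory=dict)     # triplet -> last-accepted time

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # Key on the /24 because legitimate sites often retry from a sibling outbound host.
        net = ".".join(client_ip.split(".")[:3])
        return (net, mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return the SMTP reply an MTA would give at RCPT TO time."""
        now = time.time() if now is None else now
        key = self.triplet(client_ip, mail_from, rcpt_to)
        # Expire stale entries so the table does not grow without bound.
        self.pending = {k: t for k, t in self.pending.items() if now - t < PENDING_TTL}
        self.known = {k: t for k, t in self.known.items() if now - t < KNOWN_TTL}
        if key in self.known:
            self.known[key] = now
            return "250 OK"
        first = self.pending.get(key)
        if first is None or now - first < MIN_RETRY_DELAY:
            # First contact, or a retry faster than any real MTA queue would attempt.
            self.pending.setdefault(key, now)
            return "451 4.7.1 Greylisted, please retry later"
        del self.pending[key]
        self.known[key] = now
        return "250 OK"

def simulate():
    """Constructed scenario: a real MX retries after ten minutes, a spam cannon fires once."""
    gl, t0 = Greylist(), 1_000_000.0
    legit = ("alice@example.org", "rich@example.net")
    spam = ("promo@example.com", "rich@example.net")
    return {
        "legit_first": gl.check("203.0.113.10", *legit, now=t0),
        "spam_first": gl.check("198.51.100.7", *spam, now=t0),
        "spam_fast_retry": gl.check("198.51.100.7", *spam, now=t0 + 5),
        "legit_retry": gl.check("203.0.113.11", *legit, now=t0 + 600),
        "legit_later": gl.check("203.0.113.10", *legit, now=t0 + 7200),
    }
```

The scenario also shows the caveat Derek raises: a sending MX that never retries after the 451 is never delivered, which is why a whitelist for such hosts is usually kept alongside the table.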


Re: [Discuss] Torrent of new spam

2017-02-18 Thread Daniel Barrett
On February 17, 2017, Rich Braun wrote:
>> ... my approach to spam is to run spastic (spastic.sourceforge.net)
>> and spamassassin in sequence.
>
>I'm not familiar with spastic; its description at sourceforge doesn't provide
>much of a clue as to how it would complement spamassassin.

Where spamassassin is based on heuristics, spastic is literal. You
simply create blacklists and whitelists for blocking & permitting
emails. The lists can include "To" and "From" addresses, subject lines
(substrings), body text, etc.  Each list is a plain text file.

You can get exactly the same functionality by using procmail and
~/.spamassassin/user_prefs, but spastic is simpler. Received a spam
from id...@blort.com? Just add "id...@blort.com" or "@blort.com" to a
text file, and you're done.

Spastic by itself is too simple to catch spams that vary their
content, but it's a helpful complement to spamassassin.

--
Dan Barrett
dbarr...@blazemonger.com



Re: [Discuss] Torrent of new spam

2017-02-17 Thread Rich Braun
Daniel Barrett pondered:
> Hmm... how does that work when Craigslist anonymizes all addresses
> (e.g., abcde-5950223...@sale.craigslist.org)? Do they ... somehow
> discover your real address?

It's a possibility they've created bots that seem real enough to engage you in
conversation outside Craigslist (for example, I'm apartment-hunting now, and
20-30% of the postings are scam ads that I thought were targeted at suckers
who might foolishly put down deposits for applications on places they've never
been to, but might just be harvesting email addresses). But I doubt that this
is the origin of the spam I'm seeing.

> ... my approach to spam is to run spastic (spastic.sourceforge.net)
> and spamassassin in sequence.

I'm not familiar with spastic; its description at sourceforge doesn't provide
much of a clue as to how it would complement spamassassin.

The new torrent of messages is coming in bursts, about 50 a day, and they seem
to rotate IP source addresses: there are patterns of multiple messages on a
given IP but I haven't yet figured out a pattern for how they're doing it. One
thing that's pretty clear is that most of these have a message body that their
"client" has paid to distribute, followed by a screenful of blank lines,
followed by several paragraphs of Bayesian-buster text typed by hand
(Mechanical Turk or the like) or by a sufficiently-clever algorithm. Whatever
firm is behind this obviously has an outbound server farm that has all the
same spam-busting tools that we try to use for defense: their messages pass
existing tests with flying colors. Tools like sa-learn are no match for them.

-rich




Re: [Discuss] Torrent of new spam

2017-02-16 Thread Daniel Barrett
On February 15, 2017, Bill Horne wrote:
>The spammers have now put sucker-bait ads on Craigslist and other
>"free" venues, advertising sought-after goods for low prices, and
>then they harvest the addresses of anyone who responds.

Hmm... how does that work when Craigslist anonymizes all addresses
(e.g., abcde-5950223...@sale.craigslist.org)? Do they spam the
anonymized address -- I wonder how long they endure -- or somehow
discover your real address?

I read email locally on my PC (in emacs), and my approach to spam is
to run spastic (spastic.sourceforge.net) and spamassassin in
sequence. The price is an additional few seconds before delivery to my
inbox, but the results are good.

--
Dan Barrett
dbarr...@blazemonger.com



Re: [Discuss] Torrent of new spam

2017-02-16 Thread edwardp
Spammers have become so much more sophisticated in recent years, that if 
(as a test) you or someone created an account with a username that makes 
absolutely no sense: udkpboqaxt, that account would likely receive spam 
at some point. It's as if spammers are sending it addressed to every 
possible combination of letters for a username.


Comcast has apparently been having an issue with their mail filter 
recently. One address is using a whitelist, only messages from specific 
e-mail addresses are allowed to come through, all others are deleted at 
the server. Within the past two weeks, three spams (so far) have managed 
to pass through this filter, arriving in my inbox. None of them 
originated from an allowed sender.

Date: Tue, 14 Feb 2017 13:04:50 -0800
From: "Rich Braun"

About 3 weeks ago, one of my email addresses found its way into a new list
that led to bombardment of 30-50 spams per day. I got rid of forwarding on
that address and redirected it into a honeypot folder that (if need be) I
could eventually use to detect and divert future spam.

Suddenly, this morning my primary email address apparently found its way onto
that list. Almost all the spams have Subject Lines That Are Spelled In All
Caps, which might make for a useful filtering rule. Until I come up with a
solution, I'll have to manually delete several unwanted emails per hour--for
the foreseeable future.

Apparently this new spammer has figured out a way to get past the RBLs and
SpamAssassin filters that I've had a lot of success with in the past.

Is this a sudden new/widespread problem, or did I just get unlucky with the
combination of my email addresses and the (now fairly old) spam-control
software I've been using?

-rich

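
Rich Braun's posts describe two traits of this spam run: Subject lines With Every Word Capitalised or in all caps, and a paid message body followed by a screenful of blank lines and then hand-typed Bayes-buster text. The following is an added example of turning those observations into checks over a raw RFC 822 message; it is not code from the thread, and the thresholds and sample message are constructed.

```python
import email
from email import policy

# Thresholds are constructed for this example, not taken from any production filter.
TITLE_RATIO = 0.8     # share of subject words that start with a capital letter
CAPS_RATIO = 0.8      # share of alphabetic subject characters that are uppercase
BLANK_RUN = 20        # consecutive empty lines separating the ad from the filler
TAIL_MIN_WORDS = 50   # filler after the gap must be substantial to count

def subject_shouting(subject):
    """Flag subjects Written With Every Word Capitalised or ENTIRELY IN CAPS."""
    letters = [c for c in subject if c.isalpha()]
    words = [w for w in subject.split() if w[0].isalpha()]
    if not letters or len(words) < 4:
        return False
    caps = sum(c.isupper() for c in letters) / len(letters)
    title = sum(w[0].isupper() for w in words) / len(words)
    return caps >= CAPS_RATIO or title >= TITLE_RATIO

def padded_tail(body):
    """Detect a screenful of blank lines followed by a block of unrelated text."""
    lines = body.splitlines()
    run = longest = gap_end = 0
    for i, line in enumerate(lines):
        run = run + 1 if line.strip() == "" else 0
        if run > longest:
            longest, gap_end = run, i
    if longest < BLANK_RUN:
        return False
    return len(" ".join(lines[gap_end + 1:]).split()) >= TAIL_MIN_WORDS

def score(raw):
    """Return the heuristics a raw RFC 822 message trips (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    hits = []
    if subject_shouting(msg.get("Subject", "")):
        hits.append("subject_shouting")
    if padded_tail(text):
        hits.append("padded_tail")
    return hits

# Constructed sample: the paid ad, a screenful of blank lines, then word-salad filler.
SAMPLE = (
    "From: promo@example.com\nTo: rich@example.net\n"
    "Subject: Lowest Prices On Premium Watches This Week Only\n\n"
    "Buy now and save big!\n" + "\n" * 30
    + " ".join(f"filler{i}" for i in range(60)) + "\n"
)
```

Either check on its own will hit legitimate mail occasionally, so it belongs as a scored contribution alongside RBL and SpamAssassin results rather than as a hard reject.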


Re: [Discuss] Torrent of new spam

2017-02-15 Thread Bill Horne

On 2/14/2017 4:04 PM, Rich Braun wrote:

Suddenly, this morning my primary email address apparently found its way onto
that [spam] list. ...

Apparently this new spammer has figured out a way to get past the RBLs and
SpamAssassin filters that I've had a lot of success with in the past.

Is this a sudden new/widespread problem, or did I just get unlucky with the
combination of my email addresses and the (now fairly old) spam-control
software I've been using?


We're all finding out just how tough it is to overcome the "Defender's 
Dilemma": when protecting a castle or a home or an inbox, there are 
always weaknesses we can't afford to cover. The spammers have now put 
sucker-bait ads on Craigslist and other "free" venues, advertising 
sought-after goods for low prices, and then they harvest the addresses 
of anyone who responds. There are also frequent leaks from commercial 
companies that sell their old customer lists, and "affiliated" marketing 
done by well-known web site owners. As the spam industry gains 
experience, money, and programming expertise, we can expect less and 
less help from "one size fits all" applications or services.


I've stopped using my "primary" email address anywhere I don't have to^1. 
I forward everything through my own server, and if any one address 
picks up spam, I just delete it. Having the server helps in other ways, 
too: I can send inquiries to ads on Craigslist without worrying about 
where the return address will be copied to, and it's trivial to block 
any IP address that's outside the range of countries I usually 
correspond with. Of course, that's a bit much for anyone still working 
full-time, but it's a viable solution for me.


Until there's a FUSSP, we'll have to keep patching newly found 
back-doors that bypass the moats around our various castles.


Bill Horne

1. bill at horne etc is OK here on discuss because the Mailman server 
auto-obfuscates addresses in the archives. So far, it's an effective 
measure, but of course I'll have to abandon the address if it gets on 
too many spam lists.
