Re: [Discuss] Torrent of new spam
Years ago, I built a very functional greylist spam-thwarter around exim, which provides finer control over each step of the SMTP handshake than the postfix setup I have now. Had to give up on greylisting when ISPs all decided to block port 25 inbound, so I have to use a commercial relay provider that passes my inbound mail on another port. So I rely on them to do whatever level of greylisting they have (clearly, whatever they're doing isn't screening out this latest deluge).

-rich

___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Torrent of new spam
I've found that RBL checks, spamassassin, and sender-verify block a significant amount of spam. I do find a bunch of false positive sender-verify blocks... so I have to add some to a whitelist. Right now I think I have about 30-40 entries in that list.

Greylisting works too, unless you have an MX that does not...

-derek

Sent from my mobile device. Please excuse any typos.

- Reply message -
From: "Richard Pieri"
To:
Subject: [Discuss] Torrent of new spam
Date: Sat, Feb 18, 2017 7:36 PM

On 2/18/2017 12:29 PM, Daniel Barrett wrote:
> Where spamassassin is based on heuristics, spastic is literal. You
> simply create blacklists and whitelists for blocking & permitting
> emails. The lists can include "To" and "From" addresses, subject lines
> (substrings), body text, etc. Each list is a plain text file.

Static lists like these are a pain to manage. When I tried it I spent more time tweaking lists than reading mail. When a previous employer of mine tried static lists it turned into a full time job for one of our sysadmins.

In my experience, grey listing at the SMTP server offers the best bang for the buck. It drops on the order of 95% of incoming spam before it can get into the mail server with no false positives -- it won't drop legitimate mail. Grey listing requires no maintenance and it is very light on system resources.

-- Rich P.
Re: [Discuss] Torrent of new spam
On 2/18/2017 12:29 PM, Daniel Barrett wrote:
> Where spamassassin is based on heuristics, spastic is literal. You
> simply create blacklists and whitelists for blocking & permitting
> emails. The lists can include "To" and "From" addresses, subject lines
> (substrings), body text, etc. Each list is a plain text file.

Static lists like these are a pain to manage. When I tried it I spent more time tweaking lists than reading mail. When a previous employer of mine tried static lists it turned into a full time job for one of our sysadmins.

In my experience, grey listing at the SMTP server offers the best bang for the buck. It drops on the order of 95% of incoming spam before it can get into the mail server with no false positives -- it won't drop legitimate mail. Grey listing requires no maintenance and it is very light on system resources.

-- Rich P.
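The greylisting Rich P. and Derek describe, as an added example that is not from the thread or from any of the posters' setups: a first delivery attempt from an unseen (client IP, sender, recipient) triplet gets a 451 temporary failure, a real MTA that retries after the minimum delay is accepted, and a fire-and-forget spam cannon that never retries is never delivered. The response strings, timing constants and traffic in `simulate()` are constructed for illustration.

```python
import time


class Greylist:
    """Minimal SMTP greylist: temp-fail the first attempt for a new
    (client IP, envelope sender, recipient) triplet, accept a retry that
    arrives after min_delay, forget triplets nobody retries."""

    def __init__(self, min_delay=300, max_age=4 * 3600, accept_ttl=36 * 24 * 3600):
        self.min_delay = min_delay      # seconds a sender must wait before retrying
        self.max_age = max_age          # forget a pending triplet after this long
        self.accept_ttl = accept_ttl    # how long an accepted triplet stays accepted
        self._pending = {}              # triplet -> time first seen
        self._accepted = {}             # triplet -> expiry time

    def check(self, client_ip, sender, rcpt, now=None):
        """Return the SMTP response to give at RCPT TO for this attempt."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), rcpt.lower())
        expiry = self._accepted.get(key)
        if expiry is not None and now < expiry:
            self._accepted[key] = now + self.accept_ttl   # refresh on use
            return "250 2.1.5 OK"
        first_seen = self._pending.get(key)
        if first_seen is None or now - first_seen > self.max_age:
            self._pending[key] = now                      # new or stale triplet
            return "451 4.7.1 Greylisted, please try again later"
        if now - first_seen < self.min_delay:
            return "451 4.7.1 Greylisted, please try again later"  # retried too soon
        del self._pending[key]                            # proper retry: accept
        self._accepted[key] = now + self.accept_ttl
        return "250 2.1.5 OK"


def simulate():
    """Constructed traffic: a legitimate MTA retries after 10 minutes, a spam
    cannon delivers once and never retries. Returns the responses in order."""
    g = Greylist()
    t0 = 1_700_000_000
    legit = ("203.0.113.5", "alice@example.org", "rich@example.net")
    spam = ("198.51.100.9", "offer@spam.example", "rich@example.net")
    return [
        g.check(*legit, now=t0),            # first contact: deferred
        g.check(*spam, now=t0),             # spam cannon: deferred, never retries
        g.check(*legit, now=t0 + 60),       # retried too early: still deferred
        g.check(*legit, now=t0 + 600),      # retried after min_delay: accepted
        g.check(*legit, now=t0 + 7200),     # later mail, same triplet: accepted
        g.check(*spam, now=t0 + 5 * 3600),  # back after max_age: starts over
    ]
```

The caveat Derek raises applies here too: a sender whose MX never retries after a 4xx is lost, so production greylisters pair this with a whitelist of such senders and usually key on the client's /24 rather than the exact IP, since large senders retry from a different host in the same pool.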
Re: [Discuss] Torrent of new spam
On February 17, 2017, Rich Braun wrote:
>> ... my approach to spam is to run spastic (spastic.sourceforge.net)
>> and spamassassin in sequence.
>
>I'm not familiar with spastic; its description at sourceforge doesn't provide
>much of a clue as to how it would complement spamassassin.

Where spamassassin is based on heuristics, spastic is literal. You simply create blacklists and whitelists for blocking & permitting emails. The lists can include "To" and "From" addresses, subject lines (substrings), body text, etc. Each list is a plain text file.

You can get exactly the same functionality by using procmail and ~/.spamassassin/user_prefs, but spastic is simpler. Received a spam from id...@blort.com? Just add "id...@blort.com" or "@blort.com" to a text file, and you're done.

Spastic by itself is too simple to catch spams that vary their content, but it's a helpful complement to spamassassin.

-- Dan Barrett
dbarr...@blazemonger.com
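A literal list filter of the kind Dan describes, as an added example that is neither spastic's own code nor anything from the thread: plain-text blacklists and a whitelist, one entry per line, with an exact address or a whole "@domain" for From and a substring for Subject. The list contents, the sample messages and the rule that a whitelisted sender wins over every blacklist are this example's own assumptions.

```python
import email
import email.utils
from email import policy

# Constructed lists in the spastic style: one literal pattern per line,
# blank lines and '#' comments ignored. A leading '@' matches a whole domain.
BLACKLIST_FROM = """
# the address that spammed us, plus its whole domain
idiot@blort.example
@blort.example
"""
BLACKLIST_SUBJECT = """
free money
"""
WHITELIST_FROM = """
friend@example.org
"""


def load_list(text):
    """Parse a plain-text list into lowercase patterns."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def addr_matches(addr, patterns):
    """Literal match: exact address, or '@domain' for any address at that domain."""
    addr = addr.lower()
    return any(addr.endswith(p) if p.startswith("@") else addr == p
               for p in patterns)


def classify(raw_message):
    """Return 'pass', 'block:from' or 'block:subject' for one RFC 5322 message.
    Assumption: a whitelisted sender wins over every blacklist."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    subject = str(msg.get("Subject", "")).lower()
    if addr_matches(sender, load_list(WHITELIST_FROM)):
        return "pass"
    if addr_matches(sender, load_list(BLACKLIST_FROM)):
        return "block:from"
    if any(p in subject for p in load_list(BLACKLIST_SUBJECT)):
        return "block:subject"
    return "pass"


# Constructed sample messages
SPAM_BY_DOMAIN = "From: Deals <other@blort.example>\nSubject: hi\n\nbuy now\n"
SPAM_BY_SUBJECT = "From: x@elsewhere.example\nSubject: FREE MONEY today\n\n...\n"
FROM_FRIEND = "From: friend@example.org\nSubject: free money joke\n\nha\n"
```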
Re: [Discuss] Torrent of new spam
Daniel Barrett pondered:
> Hmm... how does that work when Craigslist anonymizes all addresses
> (e.g., abcde-5950223...@sale.craigslist.org)? Do they ... somehow
> discover your real address?

It's a possibility they've created bots that seem real enough to engage you in conversation outside Craigslist (for example, I'm apartment-hunting now, and 20-30% of the postings are scam ads that I thought were targeted at suckers who might foolishly put down deposits for applications on places they've never been to, but might just be harvesting email addresses). But I doubt that this is the origin of the spam I'm seeing.

> ... my approach to spam is to run spastic (spastic.sourceforge.net)
> and spamassassin in sequence.

I'm not familiar with spastic; its description at sourceforge doesn't provide much of a clue as to how it would complement spamassassin.

The new torrent of messages is coming in bursts, about 50 a day, and they seem to rotate IP source addresses: there are patterns of multiple messages on a given IP but I haven't yet figured out a pattern for how they're doing it. One thing that's pretty clear is that most of these have a message body that their "client" has paid to distribute, followed by a screenful of blank lines, followed by several paragraphs of Bayesian-buster text typed by hand (Mechanical Turk or the like) or by a sufficiently-clever algorithm.

Whatever firm is behind this obviously has an outbound server farm that has all the same spam-busting tools that we try to use for defense: their messages pass existing tests with flying colors. Tools like sa-learn are no match for them.

-rich
Re: [Discuss] Torrent of new spam
On February 15, 2017, Bill Horne wrote:
>The spammers have now put sucker-bait ads on Craigslist and other
>"free" venues, advertising sought-after goods for low prices, and
>then they harvest the addresses of anyone who responds.

Hmm... how does that work when Craigslist anonymizes all addresses (e.g., abcde-5950223...@sale.craigslist.org)? Do they spam the anonymized address -- I wonder how long they endure -- or somehow discover your real address?

I read email locally on my PC (in emacs), and my approach to spam is to run spastic (spastic.sourceforge.net) and spamassassin in sequence. The price is an additional few seconds before delivery to my inbox, but the results are good.

-- Dan Barrett
dbarr...@blazemonger.com
Re: [Discuss] Torrent of new spam
Spammers have become so much more sophisticated in recent years, that if (as a test) you or someone created an account with a username that makes absolutely no sense: udkpboqaxt, that account would likely receive spam at some point. It's as if spammers are sending it addressed to every possible combination of letters for a username.

Comcast has apparently been having an issue with their mail filter recently. One address is using a whitelist, only messages from specific e-mail addresses are allowed to come through, all others are deleted at the server. Within the past two weeks, three spams (so far) have managed to pass through this filter, arriving in my inbox. None of them originated from an allowed sender.

Date: Tue, 14 Feb 2017 13:04:50 -0800
From: "Rich Braun"

About 3 weeks ago, one of my email addresses found its way into a new list that led to bombardment of 30-50 spams per day. I got rid of forwarding on that address and redirected it into a honeypot folder that (if need be) I could eventually use to detect and divert future spam.

Suddenly, this morning my primary email address apparently found its way onto that list. Almost all the spams have Subject Lines That Are Spelled In All Caps, which might make for a useful filtering rule. Until I come up with a solution, I'll have to manually delete several unwanted emails per hour--for the foreseeable future.

Apparently this new spammer has figured out a way to get past the RBLs and SpamAssassin filters that I've had a lot of success with in the past. Is this a sudden new/widespread problem, or did I just get unlucky with the combination of my email addresses and the (now fairly old) spam-control software I've been using?

-rich
Re: [Discuss] Torrent of new spam
On 2/14/2017 4:04 PM, Rich Braun wrote:
> Suddenly, this morning my primary email address apparently found its way onto that [spam] list. ... Apparently this new spammer has figured out a way to get past the RBLs and SpamAssassin filters that I've had a lot of success with in the past. Is this a sudden new/widespread problem, or did I just get unlucky with the combination of my email addresses and the (now fairly old) spam-control software I've been using?

We're all finding out just how tough it is to overcome the "Defender's Dilemma": when protecting a castle or a home or an inbox, there are always weaknesses we can't afford to cover.

The spammers have now put sucker-bait ads on Craigslist and other "free" venues, advertising sought-after goods for low prices, and then they harvest the addresses of anyone who responds. There are also frequent leaks from commercial companies that sell their old customer lists, and "affiliated" marketing done by well-known web site owners. As the spam industry gains experience, money, and programming expertise, we can expect less and less help from "one size fits all" applications or services.

I've stopped using my "primary" email address anywhere I don't have to^1. I forward everything through my own server, and if any one address picks up spam, I just delete it. Having the server helps in other ways, too: I can send inquiries to ads on Craigslist without worrying about where the return address will be copied to, and it's trivial to block any IP address that's outside the range of countries I usually correspond with. Of course, that's a bit much for anyone still working full-time, but it's a viable solution for me.

Until there's a FUSSP, we'll have to keep patching newly found back-doors that bypass the moats around our various castles.

Bill Horne

1. bill at horne etc is OK here on discuss because the Mailman server auto-obfuscates addresses in the archives. So far, it's an effective measure, but of course I'll have to abandon the address if it gets on too many spam lists.