twofers wrote:
> What could be going on here? Any ideas? Is it coincidence?
TwoFers, did these start after mid-afternoon (1600 Eastern time) of Oct 26? If so, this is PURE coincidence. :)

I checked four of my domains, including one which (by policy) has NEVER received any authentic Facebook/Twitter stuff, and ALL started receiving significant quantities (1.9% to 2.8% of total post-gateway-RBL spam) with the first appearing between 1601 and 1630. That's based on all emails (regardless of score) which survived gateway RBL checks. There are two campaigns: one with a viral attachment, one with a click-thru with Facebook as the subhost (most of those are being caught by URIBL and/or SURBL).

What's neither coincidence NOR acceptable is that ANY of these are getting through. They're trivially easy to kill, and SA has the tools to do so. Facebook does the Right Thing and publishes an SPF record, which is extremely easy (i.e. cheap) to test & SELECTIVELY block on. Another option (if you'd rather not mess with SPF) is to just add some simple manual rules which high-score anything with:

1. Facebook's domain in the From header and NOT in the SMTP Sender
2. Facebook's domain in the From header and NOT from its known IPs

Either of those rules would catch 100% of these spams.

I get the vague impression you're probably using a stock control panel installation of SpamAssassin, in which case you're probably seeing only a mid-80% kill rate. SA is an extremely powerful tool, but the "stock" installs (typical of most webhosts) are crippled. SpamAssassin is meant to be tuned to YOUR unique email ecology, not left at generic settings. If you invest sufficient time to build a Ham corpus, and analyze ALL your missed spam on a regular basis, you'll quickly be able to tune things so the "easy" spams are taken care of. Maintenance time will drop off quickly as your skill level increases. Only about 2% (or less) of all spam poses any kind of challenge. Um, most of the time. :)

Ugh. I just checked Twitter, and no SPF record. :( Their DNS MX records are funky, all having Google hostnames, which is weird since they definitely _DO_ use their own servers (based on one of my Ham corpora). If you decide to add a manual IP-range rule for Facebook, I recommend you also add one for Twitter. I've only seen a tiny trickle of viral stuff forged as coming from them, but they're a logical target. Pre-emptive first strike... with spam, there's no reason not to. :)

Good luck!

- "Chip"
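As an added example (not part of Chip's post or of SpamAssassin's stock rules), here is what the two manual rules and the SPF variant look like as local.cf rules. The facebook.com From-domain pattern and the 192.0.2.0/24 relay range are assumptions: replace them with the domain the forgeries actually claim and Facebook's real outbound ranges, and clone the set for twitter.com if you want the Twitter rule too.

```spamassassin
# --- shared sub-rule: From: header claims facebook.com (assumed domain) ---
header   __FB_FROM_DOM      From:addr =~ /\@(?:[\w-]+\.)*facebook\.com$/i

# --- rule 1: From: says facebook.com but the SMTP envelope sender does not ---
# EnvelopeFrom is SpamAssassin's pseudo-header for the MAIL FROM address.
header   __FB_ENVFROM_DOM   EnvelopeFrom =~ /\@(?:[\w-]+\.)*facebook\.com\s*$/i
meta     FB_FORGED_ENVFROM  __FB_FROM_DOM && !__FB_ENVFROM_DOM
describe FB_FORGED_ENVFROM  From: is facebook.com but SMTP sender domain is not
score    FB_FORGED_ENVFROM  5.0

# --- rule 2: From: says facebook.com but the last external relay is not a known IP ---
# X-Spam-Relays-External lists untrusted relays, most recent first, as "[ ip=... ".
# PLACEHOLDER range: 192.0.2.0/24 is documentation space, not a Facebook netblock.
header   __FB_KNOWN_RELAY   X-Spam-Relays-External =~ /^\[ ip=192\.0\.2\.\d+ /
meta     FB_FORGED_RELAY    __FB_FROM_DOM && !__FB_KNOWN_RELAY
describe FB_FORGED_RELAY    From: is facebook.com but not delivered from a Facebook relay
score    FB_FORGED_RELAY    5.0

# --- cheapest option: let Facebook's published SPF record do the work ---
# Requires the SPF plugin (Mail::SpamAssassin::Plugin::SPF) to be loaded.
meta     FB_SPF_FORGED      __FB_FROM_DOM && (SPF_FAIL || SPF_SOFTFAIL)
describe FB_SPF_FORGED      From: is facebook.com and the envelope sender failed SPF
score    FB_SPF_FORGED      5.0
```

Run `spamassassin --lint` after editing local.cf to catch syntax errors, and check the rule hits against your ham corpus before raising the scores, since forwarded or list-relayed mail can legitimately fail rules 1 and 2.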