6
spam deluge?
Question asked by Eric Bourland - 11/18/2014 at 4:46 AM
Unanswered
SmarterMail 12.5
 
Is anyone else getting bombed with spam?
 
Email addresses at my server's IP address have been getting hit hard with spam for the past ... eight days or so.
 
I mentioned a similar situation in a post here on October 10. Sorry to bring this up again, but I am not sure what to do about it. I followed closely the antispam settings in Bruce's SmarterMail document, and I have read the "Recommended Spam Settings" knowledge base article.
 
I welcome advice. =) Thank you as always.

Eric
 
Return-Path: <1-ink@bgt5.co.at>
Received: from nkx3jsjct.bgt5.bgt5.bgt5.co.at (nkx3jsjct.bgt5.co.at [107.6.36.105]) by tarsier.viviotech.net with SMTP;
   Tue, 18 Nov 2014 06:32:48 -0500
Received: by 096f68c3.nkx3jsjct.bgt5.bgt5.bgt5.co.at
	(amavisd-new, port 12972) with ESMTP id 09OPHEGN6F68OUMLROC3;
	for <eric@ebwebwork.com>; Tue, 18 Nov 2014 06:33:32 -0500
To: <eric@ebwebwork.com>
Content-Transfer-Encoding: quoted-printable
Date: Tue, 18 Nov 2014 06:33:32 -0500
From: "1-ink" <1-ink@bgt5.co.at>
Subject: Your source for Printer Ink at A discount
Content-Language: en-us
MIME-Version: 1.0
Message-ID: <69721371582892876972515506258015754@nkx3jsjct.bgt5.bgt5.bgt5.co.at>
Content-Type: text/html; charset="UTF-8"
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0

34 Replies

0
Andrew Stein Replied
Yup. I've been fighting this for awhile. The blacklists catch the majority of them, but not all. The volume is enough that even the small percent that get through are annoying the hell out of everyone.
0
Eric Bourland Replied
Thanks, Andrew. My server is getting slammed. I wish there were something I could do.
0
Andrew Stein Replied
I've been checking the IPs and blacklisting the /24 block as spam comes in. They mostly come from the same block for that day. It seems to help until they switch to the next block.
0
Chris Daley Replied
Unfortunately SmarterMail is well behind the times in dealing with SPAM; it has been for many years. RBL lists only slightly help these days. Again, unfortunately, SmarterMail is next to impossible to use with an external anti-spam appliance/service if you have more than one domain. Don't bother with Cyren (Commtouch); we used it for over 12 months and it didn't help. They are very slow at picking up on new spam patterns; it can take up to 24hrs for them to catch up. If the Message Sniffer support finally arrives then the situation should improve; however, ST need to be constantly evolving their anti-spam solution.
0
Eric Bourland Replied
Chris, thanks for that input. Unfortunately, my experience bears out your testimony. Thank you for your remarks about Cyren. I need SmarterMail to get better at this. I feel like I have no options. -- Eric
0
Chris Daley Replied
:( We looked at SpamTitan. Not cheap, but it's well built and maintained. However, it's impossible to use it with SmarterMail; two small modifications would be required to make it work. We asked about custom dev, however ST were too busy with the v13 release to even consider some custom $$$ work. SM hasn't made sense for many years now, e.g. XMPP: never understood why this was chosen over improving security, anti-spam, or even looking at redeveloping how email is stored so SM could finally move to a clustered system. Made me laugh that in v12 they supported MS NLB. Complete joke; no sys admin who has earned their stripes would use MS NLB in the real world, it's a disaster waiting to happen. Unfortunately ST appears to be focused not on the enterprise/service provider customers but on SMB users, which is reflected in the features SM offers.
2
Scarab Replied
We get overrun by Spam especially during the first week of every month, and then it usually tapers off throughout the month.
 
Although it isn't recommended to keep track of the IPs of Denial of Service, Harvesters, and Spammers, doing so for 90 days will give you a pretty good outlook of who is hitting your servers the hardest.
 
In our case we found that almost all of our Spam traffic came from 10 sources which have never had legitimate traffic in the past 13 months. Doing ARIN lookups of those providers and blocking all the IP Ranges those providers used stopped the majority of traffic dead in its tracks.
 
  1. Psychz Networks
  2. Krypt Technologies
  3. B2 Net Solutions Inc.
  4. Eonix Corporation
  5. Email Ocean
  6. Host Sailor Ltd
  7. Worldstream
  8. Toqen LLC
  9. Interactive 3D B.V.
  10. Limestone Networks, Inc.
We also found that heavily weighting email from the IP Addresses of 10 specific countries decreased that amount even further.
 
  1. The Netherlands (NL)
  2. Germany (DE)
  3. Chile (CL)
  4. Bulgaria (BG)
  5. Romania (RO)
  6. Russia (RU)
  7. India (IN)
  8. Ukraine (UA)
  9. Malaysia (MY)
  10. Turkey (TR)
Of course, every Mail Server is different and the sources of Spam are greatly varied, but once you identify the biggest offenders unique to your server and block them, it takes a huge enough chunk out that Spam Filters will catch the majority of the rest with only "Snow-Shoe" Spam getting past.
 
 
0
Scarab Replied
Part of the problem is that Spamming is a big multi-billion dollar industry and the major players (most studies show there are only a dozen of them) game the system. They cycle through different IP Blocks with different providers so that by the time they are Blacklisted on an RBL they have already moved on to a different IP Block and won't reuse that range until it drops off the RBLs and has obtained a "Good" rating with Senderbase (the same goes for the URLs they use making URIBLs less effective). They quickly learn what Anti-Spam methods your Mail Server uses and what your IDS Thresholds are. They efficiently adapt and modify their behavior to keep from triggering your IDS Thresholds or getting caught by your Anti-Spam filters (such as using SPF, rDNS/FCrDNS, DKIM, DMARC, ADSP). Even once SM has integrated mail filtering support it will only be a matter of weeks before the spammers adapt and find a way to circumvent it.

Perma-blocks are the only way currently of dealing with them. If you monitor their activity over time you will see that they cycle through the same IP Blocks over and over and over, which is behavior that RBLs don't track. However, blocking can get messy if you aren't careful, as it is very easy to accidentally block legitimate mail (for example, one major Spammer uses an entire Class B IP Range that doesn't have a single legitimate Mail Server in it, with the solitary exception of the one owned by Avast! Anti-Virus; blocking that network would result in your customers never receiving their emails from Avast!). Some of them like hiding in networks that have a small handful of legitimate Mail Servers just to make it more difficult to block them based on IP Range alone.

Regrettably there is never going to be a way to block all Spam. Acknowledge, Accept, Move On (as they say). The best you can do is try to hit somewhere in the 90% effectiveness range and call it a day. The Spammers simply have more money, resources, and nimble development to circumvent your every effort...and to be honest, I'm perfectly fine with letting a Spammer trickle in less than a half-dozen Spam messages an hour undetected, as it sure beats being hammered by 10,000 Spam messages an hour and using up 99% of our CPU trying to score them. As long as you train the Spammers (using your SM Blacklist, Enable for Incoming SMTP Blocking, Incoming Weight Thresholds, and SMTP Blocked Senders) as to what thresholds are unacceptable and which are negotiably acceptable, they will adapt their behavior and behave relatively civilly, as it is better from their perspective to be able to deliver only a handful of emails than none at all.
0
Eric Bourland Replied
Scarab, this is extremely helpful. I really appreciate this insight, and that you took time to write it so thoughtfully.

So, it sounds like, for starters, I should do ARIN lookups on these guys:

Psychz Networks
Krypt Technologies
B2 Net Solutions Inc.
Eonix Corporation
Email Ocean
Host Sailor Ltd
Worldstream
Toqen LLC
Interactive 3D B.V.
Limestone Networks, Inc.

Discover the IP ranges they use, then block those IP ranges?

And then, I look up IP addresses used in these nations:

The Netherlands (NL)
Germany (DE)
Chile (CL)
Bulgaria (BG)
Romania (RO)
Russia (RU)
India (IN)
Ukraine (UA)
Malaysia (MY)
Turkey (TR)

And ... well, I am not sure what exactly to do next. In the SmarterMail interface, how can I apply a weight to these IP addresses?

Is there a handy list somewhere of suspect IP addresses to block, or weight down?

Thank you again. This is so useful.

best from Eric
1
Paul Blank Replied
One of my clients is "inspired" enough that we've gone with symantec.cloud (messagelabs) at least 3 years ago for email filtering, and don't use the ST/SM antispam filters at all.  Costs about $ 1000/yr for 30 users and is well worth it in cutting the maintenance overhead for email admin.
 
Not to mention (and this is a big deal, even if you have lots of Internet bandwidth)... it keeps ALL that filtered-spam away from you.  It never crosses the border into your network / mail server.  There is no on-site filtering that can make that claim.
 
I've had my issues here and there with symantec.cloud, but all in all, they do a very good job. 
 
 
5
Bruce Barnes Replied
I will have a new version of the antispam settings posted later today. These are a significant improvement to the last updates. Look for a posting late this afternoon.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Eric Bourland Replied
Bruce, sweeeeet! Looking forward. Eric
5
Bruce Barnes Replied
My SmarterMail antispam settings have been updated to reflect changes made to SmarterMail 13.X.  These settings are, for the most part, backward compatible with previous versions of SmarterMail.
 
The document can be accessed via either: 
 
 
 
There are significant changes to the document and RBL/URIBL settings.
 
Please note that this document takes into consideration that no outside antispam checking is being done and that the ability to override antispam settings by individuals and domains is disabled.
0
Eric Bourland Replied
Got it. I am going to test these over the weekend. Bruce, thanks as always. Eric
0
CCWH Replied
Thanks Bruce.

Don't know where to ask this so will put it here for now...

Just gone through your updated list (Thank you!!), however there's a few discrepancies that I am working through:

1) In the Spam Checks screenshot it does not show 'CBL - Abuse Seat', but that is mentioned and shows the individual screenshot further down
2) In the Spam Checks screenshot it shows 'RBL - BCGUSMX' & 'RBL - DSN', but neither have any individual screenshots or information

Just thought I would ask...am I missing something?

Thanks

**EDIT**

Also, in 'F. Options' the screenshot is incorrect.

Sorry not picking...just wanted to keep you updated.
1
Bruce Barnes Replied
Thanks for catching those - they have been, as appropriate, updated.

1) In the Spam Checks screenshot it does not show 'CBL - Abuse Seat', but that is mentioned and shows the individual screenshot further down
 
RESPONSE:  RBL CBL ABUSE SEAT is shown on page 18
 
2) In the Spam Checks screenshot it shows 'RBL - BCGUSMX'
 
RESPONSE: The RBL - BCGUSMX has been properly added.
 
 
3. 'RBL - DSN' but neither have any individual screenshots or information
 
RBL DNS should not have been included and has been removed from the summary shot

4. in 'F. Options' the screenshot is incorrect.
 
Response: Screenshot corrected
0
Eric Bourland Replied
Thanks, Bruce!
0
CCWH Replied
Thanks Bruce, very much appreciated.

I still can't find the 'RBL - BCGUSMX' screenshot though?
0
Bruce Barnes Replied
Re-download, it was added last night.
0
CCWH Replied
Thanks Bruce. Looks like the 'RBL - BCGUSMX' has been completely removed so was searching for something that is no longer there.

Version - Rev 5.0025: 23-Nov-2014

Cheers
0
Eric Bourland Replied
I've downloaded the latest revision and am implementing the configuration, step by step. I look forward to seeing the result. Bruce, and everyone -- thanks as always. Eric
0
Jeff Weiss Replied
11/19 - Spam count 135 spam emails. WTF Smarter Mail, can you at least TRY and fix the spam filter?

11/20- Todays count, 112.

11/22 & 11/23 - Weekend count 308.

11/24 - Todays count 307
0
Steve Reid Replied
There is nothing wrong with Smartermail's spam filter. The problem is with your configuration.
1
Eric Bourland Replied
FYI -- I have configured Bruce's new antispam settings, per his document at:
 
 
I followed the guide very carefully, and reviewed every RBL and URIBL that I use. The result is a considerably diminished spam influx on my server.
 
Thanks and kudos to Bruce. A bunch of us rely on the "Barnes Document" for SmarterMail antispam configuration updates.
 
Eric
0
Jeff Weiss Replied
Why should the end user be responsible for configuration? Isn't that what Smarter Mail is getting paid to do?
0
Steve Reid Replied
Smartermail is a server program that Administrators are responsible for configuring. If you are an "End User" then you should be complaining to your service provider.
2
John Marx Replied
Is there any way we can get a new "feature" on the spam settings to install the "Defaults" (defaults being Bruce's document)?
0
Steve Reid Replied
I have asked for this as well a few times in the past...
0
Eric Bourland Replied
Yep, I too. It seems like SmarterTools could collaborate with Bruce on this.
0
Employee Replied
Employee Post
We have added Bruce's spam settings as an option in the setup wizard to our feature request list.

See this related thread:
http://portal.smartertools.com/community/a506/implement-bruces-spam-settings-as-default_.aspx#2269
0
Andrew Stein Replied
Is rfc-ignorant.org shutdown?

Per rfc-clueless.org:
"RFC Ignorant

With RFC Ignorant closed down, we've expanded our initial RBL to include their lists. You can check to see if a hostname is contained in our lists by attempting to resolve one of the following patterns (generally you need only check whether the host resolves or not rather than worry about the exact IP)."
0
Andrew Stein Replied
I updated my spam settings per the document last night and so far so good. I hardly had anything slip through after that, but we still have problems with spam like the example I'm pasting below. It comes up clean on every check on mxtoolbox, so RBL will catch it. It has valid PTR, SPF etc. It responds properly to greylisting. Unless there are any other checks we can do, spam like this will keep slipping through until the RBLs catch up to them.

Below are the headers, then the body:

X-Antivirus: AVG for E-mail
Return-Path: <ryleighwalton@alm01p.leshearinggroup.com>
Received: from alm01p.leshearinggroup.com (alm01p.leshearinggroup.com [198.59.185.15]) by mail.advantagetel.com with SMTP;
Wed, 3 Dec 2014 09:50:27 -0500
Date: Wed, 03 Dec 2014 06:50:27 -0800
From: Hear Ringing In Ears? <Walton@leshearinggroup.com>
Reply-to: <Walton@leshearinggroup.com>
Message-ID: <555320141203063372748.416313186903.90BLPuivSzmDxgl@alm01p.leshearinggroup.com>
To: <redacted>
Subject: TinnitusCure: Eliminating Tinnitus
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0

* WebMD University Research
* How do I stop the ringing in my ears?
* .
* (Tinnitus) - After 5 years of ongoing research scientist are able to turn-off the ringing/buzzing in the ears with a perminant solution.
* http://www.leshearinggroup.com/poke/cumbersome/ghettoized/hairlines/reenlightening/sillers.html

This condition is something we no longer have to live with. The whole process takes as little as 14 days. Already we haev seen over 100k people who were able to end their Tinnitus.





Study and research conducted under the presence of YAL Research Group

We have 2 ways to end-communications:

1. This this url <http://www.leshearinggroup.com/torturous/futurist/missourians.php>
2. Write to: 2529 Forest Lodge Fayettville NC.28306
3. MID - 3454357











Gathering Holiday Baking

* prep time10 min
* total time45 min
* ingredients6
* servings6

Ingredients

* 1 can Pillsbury Grands Biscuits
* 1 bag frozen meatballs
* 1 cup to 2 cups spaghetti sauce
* 1 cups shredded mozzarella

Steps:

1. Cut the uncooked biscuits into 8ths.
2. Place into greased 913 dish.
3. Cover with sauce, start with 1 cups, add more if you think it needs a little extra.
4. Place the meatballs on top of the biscuits.
5. Sprinkle with the cheese.
6. Bake at 375 for about 30-40 minutes.
7. Serve to your hungry family!



________________________________

No virus found in this message.
Checked by AVG - www.avg.com
Version: 2015.0.5577 / Virus Database: 4213/8587 - Release Date: 11/17/14 Internal Virus Database is out of date.
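The following is an added example, not code from this thread, from SmarterMail, or from any poster. It illustrates two things discussed above: Scarab's approach of blocking the IP ranges of the worst provider networks (found via ARIN/RIPE lookups) and weighting mail by source country, and Andrew's point that a message with valid PTR, SPF and a clean RBL record still arrives with X-SmarterMail-TotalSpamWeight: 0. The script unfolds a raw header block, takes the connecting relay IP from the topmost Received: line (the one our own server wrote; deeper Received: lines are sender-supplied and untrustworthy), and scores it. Everything tunable is an assumption: the blocked CIDRs are placeholders chosen so the sample matches (not the providers' real allocations), the IP-to-country table is a stand-in for a GeoIP database, and the country weight and spam threshold are made-up numbers.

```python
import ipaddress
import re

# Constructed sample input: abbreviated versions of the two spam headers quoted in this
# thread, plus a fully made-up third message relayed from a documentation-range address.
SAMPLES = {
    "ink": (
        "Return-Path: <1-ink@bgt5.co.at>\n"
        "Received: from nkx3jsjct.bgt5.bgt5.bgt5.co.at (nkx3jsjct.bgt5.co.at [107.6.36.105])"
        " by tarsier.viviotech.net with SMTP;\n"
        "   Tue, 18 Nov 2014 06:32:48 -0500\n"
        "Received: by 096f68c3.nkx3jsjct.bgt5.bgt5.bgt5.co.at\n"
        "\t(amavisd-new, port 12972) with ESMTP id 09OPHEGN6F68OUMLROC3;\n"
        "From: \"1-ink\" <1-ink@bgt5.co.at>\n"
        "X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None\n"
        "X-SmarterMail-TotalSpamWeight: 0\n"
    ),
    "tinnitus": (
        "Return-Path: <ryleighwalton@alm01p.leshearinggroup.com>\n"
        "Received: from alm01p.leshearinggroup.com (alm01p.leshearinggroup.com [198.59.185.15])"
        " by mail.advantagetel.com with SMTP;\n"
        "   Wed, 3 Dec 2014 09:50:27 -0500\n"
        "From: Hear Ringing In Ears? <Walton@leshearinggroup.com>\n"
        "X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None\n"
        "X-SmarterMail-TotalSpamWeight: 0\n"
    ),
    "nl": (  # entirely made up; 203.0.113.0/24 is a reserved documentation range
        "Return-Path: <offers@example.net>\n"
        "Received: from mx.example.net (mx.example.net [203.0.113.77])"
        " by mail.example.org with SMTP;\n"
        "   Mon, 8 Dec 2014 10:00:00 -0500\n"
        "From: Offers <offers@example.net>\n"
        "X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None\n"
        "X-SmarterMail-TotalSpamWeight: 20\n"
    ),
}

# Placeholder CIDRs standing in for ranges you would collect from ARIN/RIPE whois
# lookups of the providers Scarab lists. These are NOT the providers' real allocations.
BLOCKED_RANGES = [
    (ipaddress.ip_network("107.6.36.0/24"), "placeholder-provider-A"),
]

# Stand-in for a GeoIP lookup (CIDR -> ISO country code); constructed, not real data.
GEO_STUB = [
    (ipaddress.ip_network("203.0.113.0/24"), "NL"),
    (ipaddress.ip_network("107.6.0.0/16"), "US"),
    (ipaddress.ip_network("198.59.0.0/16"), "US"),
]

# The ten countries Scarab weights heavily; the weight value itself is an assumption.
COUNTRY_WEIGHT = {cc: 15 for cc in ("NL", "DE", "CL", "BG", "RO", "RU", "IN", "UA", "MY", "TR")}
SPAM_THRESHOLD = 30  # assumed; SmarterMail's real thresholds live in its own settings

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Unfold RFC 5322 header lines; return ordered (lowercase name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:  # folded continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def relay_ip(headers):
    """IP from the topmost Received: header, i.e. the host that connected to our MTA."""
    for name, value in headers:
        if name == "received":
            m = IP_IN_BRACKETS.search(value)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def header_int(headers, wanted, default=0):
    """Integer value of the first header named `wanted`, or `default` if absent/garbled."""
    for name, value in headers:
        if name == wanted:
            try:
                return int(value)
            except ValueError:
                return default
    return default


def score_message(raw):
    """Reject if the relay is in a blocked range, else add a country weight to the
    weight SmarterMail already assigned and compare against the threshold."""
    headers = parse_headers(raw)
    ip = relay_ip(headers)
    result = {"relay_ip": str(ip) if ip else None, "blocked_by": None, "country": None,
              "weight": header_int(headers, "x-smartermail-totalspamweight")}
    if ip is not None:
        for net, label in BLOCKED_RANGES:
            if ip in net:
                result.update(blocked_by=label, verdict="reject")
                return result
        for net, cc in GEO_STUB:
            if ip in net:
                result["country"] = cc
                result["weight"] += COUNTRY_WEIGHT.get(cc, 0)
                break
    result["verdict"] = "spam" if result["weight"] >= SPAM_THRESHOLD else "deliver"
    return result


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, score_message(raw))
```

Run as-is, the printer-ink message is rejected by the placeholder range, the made-up Dutch-relayed message crosses the threshold only because of the country weight, and the tinnitus message is delivered with weight 0, which is exactly the gap Andrew describes: none of the IP-based checks fire, so only content-based or reputation data that lags behind the RBLs would catch it.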

0
Scarab Replied
Andrew, That is correct. RFC Ignorant is being run by RFC Clueless until the end of the year whereupon they will retire the rfc-ignorant.org alias and will only respond to RBL lookups on rfc-clueless.org as of 1/1/2015.

Bruce, you may want to update your docs to reflect this pending change.
2
David Finley Replied
Bruce's document is not available online any more.  This was the latest version we could get our hands on: https://www.dropbox.com/s/1ddkytzopfhy2ql/Antispam%20Settings%20-%20SmarterMail.pdf?dl=0
 
http://www.interactivewebs.com
