.US TLD SPAM has gone to orbit - how to stop!
Question asked by Ben Smith - May 16 at 7:38 PM
Unanswered
Hello SmarterMail Folks;
 
Just very recently, we have been getting absolutely bombed by .us TLD SPAM emails. They come in almost unimpeded regardless of so many filters, RBLs, and custom rules. Nothing works.
 
Of course, we can't just block the entire .US TLD.
 
Here is a sample (sorry, no logs just yet):
 
Return-Path: <elizabeth-mack@extreme.uprex.us>
Received: from extreme.uprex.us (cartable.placestanding.com [93.79.106.109]) by MY MAIL SERVER with SMTP;
   Tue, 16 May 2017 18:44:17 -0700
Date: Tue, 16 May 2017 18:20:52 -0700
Subject: SPAM-LOW:  Fwd: Oz's rapid belly-melt helps women get in shape for Summer
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative; boundary="11306487_17693211_11306487"
From: Elizabeth Mack <Elizabeth-Mack@extreme.uprex.us>
Message-ID: <c0cf4db29eda8acaa4a416d94d5e8b70_c0cf4db29eda8acaa4a416d94d5e8b70.Inspired11306487@extreme.uprex.us_v7g>
To: <ME>
Snack: 11306487_c0cf4db29eda8acaa4a416d94d5e8b70-17693211
X-SmarterMail-Spam: SPF_Pass, Bayesian Filtering, ISpamAssassin 1 [raw: 0], DK_None, DKIM_None, Custom Rules []
X-SmarterMail-SpamDetail: 0.7 DIET_1 Lose Weight Spam
X-SmarterMail-TotalSpamWeight: 10

I realize several may ask for more info (i.e. FULL SMTP logs, entire ANTI SPAM filters, etc.), but I would hope there can be some more fundamental reason for this recent explosion with no filters catching these. I have sooo many filters that seem to work great, including tons of custom rules blocking anything from 'localthost' variants to 'unknown' variants in the headers, to outright blocking of .TOP, .SCIENCE, and more recently .LT country domains, that my head is spinning on this one.
Any chance a recent RBL went bust and is now allowing all this .US SPAM through?
 
FOLKS, we are talking similar .US SPAM emails every 4-6 minutes in waves!
 
Thanks for ANY preliminary response(s) before I decide to use a SmarterMail email support ticket.
 
Oh, also, I have run Malwarebytes et al. on the mail server and on the local servers and personal computers that I log in from to admin SmarterMail. Also running ClamWin with updated definitions on the mail server. Checked for rootkits... all seems just fine.
 
Regards, Ben

6 Replies

Linda Pagillo Replied
May 17 at 7:04 AM
Hi Ben. My company has a few free tools that can help with this. I'm not sure if you have heard of Declude. It's an antispam program that integrates beautifully with SmarterMail. It comes with content filters that can be used to catch this type of pre-tested spam. Also, we have a program that can be used with Declude called The Gauntlet. This will help as well. You see, the problem with pre-tested spam is that a lot of it makes it through before the RBLs recognize that it's spam. With Declude and The Gauntlet, a lot of this can be stopped regardless. Both of these programs are free on our website: http://mailsbestfriend.com/downloads. Feel free to use them and if you have any questions, please send me an email at my address in my signature. Thanks.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606

Authorized reseller of SmarterTools Products
Authorized reseller of Message Sniffer
Scarab Replied
May 17 at 12:47 PM
I give a thumbs up to Declude (it can be resource heavy, using all the resources on your mail server that it can, but it is definitely effective).
 
We also set up a Custom Rule in SmarterMail ANTISPAM ADMINISTRATION as follows:
 
Rule Source: Header
Header: Return-Path
Rule Type: Regular Expression
Weight: 7
Rule Text: .+\.us>$
 
Notice that if you are using 10/20/30 for Low/Med/High probability, it isn't enough on its own to flag an email as Low Probability, as there are many legitimate domains with the .us extension (especially local and state government departments). However, it is generally enough to tip the scales if they fail at least one RBL, URIBL, SpamAssassin, or Bayesian Filtering check.
 
We do similar for other domains, such as .CLICK, .CRICKET, .DATE, .DOWNLOAD, .LINK, .MEN, .PARTY, .REVIEW, .ROCKS, .SCIENCE, .SPACE, .STREAM, .TOP, .WIN, .WORK, .XYZ, .ZIP, but with a 20 Weight, as I have yet to see a single legitimate piece of email come from any of these domains.
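The scoring the reply above relies on (a .us Return-Path rule that is not enough on its own at a 10/20/30 threshold scheme, but tips the total once another check fires) is easy to see in a few lines. The following is an added example written for this page, not SmarterMail code or anything from the original posts: it models the weight-summing described in the reply, assumes the 10/20/30 Low/Medium/High thresholds quoted there, assumes the rules are matched case-insensitively, and uses a constructed header sample trimmed from the one Ben posted, with the Bayesian hit taken to be the 10 points his X-SmarterMail-TotalSpamWeight header reported. The `parse_headers`, `score`, `classify` and `demo` names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Added example, not SmarterMail code. Assumption: the 10/20/30 Low/Medium/High
# thresholds quoted in Scarab's reply, checked highest first.
THRESHOLDS: List[Tuple[str, int]] = [("High", 30), ("Medium", 20), ("Low", 10)]

# Return-Path rules from the reply: weight 7 for .us, weight 20 for the TLDs the
# poster has never seen legitimate mail from. Assumption: case-insensitive match.
RETURN_PATH_RULES: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r".+\.us>$", re.I), 7, "RP_TLD_US"),
    (re.compile(
        r".+\.(click|cricket|date|download|link|men|party|review|rocks|"
        r"science|space|stream|top|win|work|xyz|zip)>$", re.I), 20, "RP_TLD_JUNK"),
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse an RFC 5322 header block into {lower-case name: unfolded value}.

    Continuation lines (leading whitespace) are folded into the previous header;
    parsing stops at the first blank line (start of the body). Only the first
    occurrence of a repeated header is kept, so a Return-Path injected further
    down by the sender cannot override the one the receiving MTA added on top.
    """
    headers: Dict[str, str] = {}
    current = None
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t":
            if current is not None:
                headers[current] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            current = None  # not a header line; ignore it
            continue
        current = name.strip().lower()
        if current in headers:
            current = None  # keep the first occurrence, drop repeats and their folds
            continue
        headers[current] = value.strip()
    return headers


def score(headers: Dict[str, str], engine_hits: Dict[str, int]) -> Tuple[int, Dict[str, int]]:
    """Sum the weights of engine results you pass in (RBL, URIBL, Bayesian, ...)
    with every Return-Path rule that matches. Returns (total, hits)."""
    hits = dict(engine_hits)
    return_path = headers.get("return-path", "")
    for pattern, weight, name in RETURN_PATH_RULES:
        if pattern.search(return_path):
            hits[name] = weight
    return sum(hits.values()), hits


def classify(total: int) -> str:
    for label, threshold in THRESHOLDS:
        if total >= threshold:
            return label
    return "Not spam"


# Constructed sample, trimmed from the headers Ben posted.
SAMPLE_SPAM = """\
Return-Path: <elizabeth-mack@extreme.uprex.us>
Received: from extreme.uprex.us (cartable.placestanding.com [93.79.106.109])
   by MY MAIL SERVER with SMTP; Tue, 16 May 2017 18:44:17 -0700
Subject: SPAM-LOW:  Fwd: Oz's rapid belly-melt helps women get in shape for Summer
From: Elizabeth Mack <Elizabeth-Mack@extreme.uprex.us>
X-SmarterMail-Spam: SPF_Pass, Bayesian Filtering, ISpamAssassin 1 [raw: 0], DK_None, DKIM_None, Custom Rules []
X-SmarterMail-TotalSpamWeight: 10
"""
# Constructed: a legitimate-looking .us sender (county office) and a .top sender.
SAMPLE_GOV_US = "Return-Path: <clerk@county.example.us>\nSubject: Permit renewal\n"
SAMPLE_TOP = "Return-Path: <deals@offers.example.top>\nSubject: You won\n"


def demo() -> Dict[str, Tuple[int, str]]:
    """Score the three samples. The 10-point Bayesian hit on the spam sample is
    taken from its X-SmarterMail-TotalSpamWeight header (assumption)."""
    cases = {
        "spam_us": (SAMPLE_SPAM, {"Bayesian Filtering": 10}),
        "gov_us": (SAMPLE_GOV_US, {}),
        "junk_top": (SAMPLE_TOP, {}),
    }
    results = {}
    for name, (raw, engine) in cases.items():
        total, _hits = score(parse_headers(raw), engine)
        results[name] = (total, classify(total))
    return results


if __name__ == "__main__":
    for name, (total, label) in demo().items():
        print(f"{name:9s} weight={total:2d} -> {label}")
```

With these weights the posted spam goes from 10 to 17 (still Low, but now clearly over the line rather than sitting on it), the county office at 7 stays below Low, and a .top sender is Medium on the rule alone, which is exactly the asymmetry the reply is after. Keep the rule on Return-Path rather than From: the From header is whatever the spammer typed, while Return-Path is the envelope sender the receiving MTA recorded.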
Ben Smith Replied
May 17 at 12:55 PM
Linda,
 
Your link is dead:
 
Not Found
The requested URL /downloads. was not found on this server.
Apache/2.2.22 (Ubuntu) Server at mailsbestfriend.com Port 80
Ben Smith Replied
May 17 at 1:00 PM
Scarab,
 
YES! This may work as well. Most of these emails are close to being dumped into the junkmail folder, so this should help. Thank you.
 
I will also implement Declude (as long as it addresses .US SPAM properly and with NO false positives).
 
 
Paul Blank Replied
May 19 at 8:40 AM
Can Declude be installed on a different machine, so it doesn't impact SM services so much?
 
Elazar Broad Replied
May 19 at 9:34 AM
I have found blocking via the Spamhaus CSS (www.spamhaus.org/css/) list to be very effective. Note that it does take some time for the spammers to get listed, and typically they are hitting you at the same time they are hitting Spamhaus's sensors. This is where greylisting comes in. While I have it enabled system-wide, you could enable it on a per-TLD basis using the rule suggested above, something like:
 
\.(us|xyz|click|cricket|date|download|top|win|zip|rocks)>?$
 
Assign the rule a desired weight, say 10, and then under the SMTP Blocking tab, configure your 'Greylist Weight Threshold' setting to match. If you haven't already configured greylisting, do so with a block period of at least 10 minutes.
 
My .02, YMMV
 
- elazar
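The mechanism behind the reply above is worth seeing end to end: the TLD rule alone pushes a sender up to the greylist threshold, the first delivery attempt gets a temporary failure, and only a sender that comes back after the block period is accepted, which pre-tested spam fired once from a throwaway host usually never does. The following is an added example for this page, not SmarterMail code or anything from the original posts. It assumes the rule weight and Greylist Weight Threshold of 10 from the reply, a 10-minute block period, and the classic greylist key of (client IP, envelope sender, recipient); the `Greylist` class, `rule_weight`, `simulate` and the two SMTP reply strings are this example's own, and the IPs and addresses other than the one from Ben's sample are constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example of per-TLD greylisting, not SmarterMail code. Assumptions: the
# weight (10) and Greylist Weight Threshold (10) from Elazar's reply, a 10-minute
# block period, and a (client IP, sender, recipient) greylist key.
TLD_RULE = re.compile(r"\.(us|xyz|click|cricket|date|download|top|win|zip|rocks)>?$", re.I)
RULE_WEIGHT = 10
GREYLIST_THRESHOLD = 10
BLOCK_PERIOD = 10 * 60  # seconds

ACCEPT = "250 OK"
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"


def rule_weight(mail_from: str) -> int:
    """Weight the TLD rule contributes. The `>?` in the pattern lets it match
    both a bare MAIL FROM address and a bracketed Return-Path value."""
    return RULE_WEIGHT if TLD_RULE.search(mail_from) else 0


class Greylist:
    def __init__(self, block_period: int = BLOCK_PERIOD, threshold: int = GREYLIST_THRESHOLD):
        self.block_period = block_period
        self.threshold = threshold
        # (client_ip, sender, recipient) -> time of the first attempt (seconds)
        self.first_seen: Dict[Tuple[str, str, str], float] = {}

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str,
               now: float, extra_weight: int = 0) -> str:
        """SMTP response for one delivery attempt at time `now`.

        `extra_weight` stands in for whatever other checks (RBL, Bayesian, ...)
        already scored; senders whose total stays below the threshold are never
        greylisted, so ordinary .com mail is not delayed at all.
        """
        if rule_weight(mail_from) + extra_weight < self.threshold:
            return ACCEPT
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.get(key)
        if first is None:
            self.first_seen[key] = now
            return TEMPFAIL
        if now - first < self.block_period:
            return TEMPFAIL  # retried too early; a real MTA will come back again
        return ACCEPT


def simulate() -> Dict[str, List[str]]:
    """Constructed scenario: a spam cannon fires once and never retries, a real
    .us MTA retries after 5 and then 15 minutes, and a .com sender is untouched."""
    gl = Greylist()
    log: Dict[str, List[str]] = {}
    # Spam cannon, using the sender and IP from Ben's sample: one shot, no retry.
    log["spam_us"] = [
        gl.decide("93.79.106.109", "elizabeth-mack@extreme.uprex.us", "me@example.com", now=0),
    ]
    # Legitimate .us MTA (constructed): tempfailed twice, accepted on the retry
    # that falls after the block period.
    log["gov_us"] = [
        gl.decide("192.0.2.10", "<clerk@county.example.us>", "me@example.com", now=0),
        gl.decide("192.0.2.10", "<clerk@county.example.us>", "me@example.com", now=5 * 60),
        gl.decide("192.0.2.10", "<clerk@county.example.us>", "me@example.com", now=15 * 60),
    ]
    # .com sender (constructed): the rule does not fire, so no greylisting.
    log["plain_com"] = [
        gl.decide("198.51.100.7", "friend@example.com", "me@example.com", now=0),
    ]
    return log


if __name__ == "__main__":
    for name, responses in simulate().items():
        print(name, responses)
```

Two caveats a practitioner should weigh before copying this. First, the cost of greylisting is latency on first contact: a .us sender whose MTA retries at 30-minute intervals sees its first message delayed by up to half an hour, and some bulk senders (transactional mail from large providers) retry from a different IP each time, which with an IP-keyed record restarts the clock; SmarterMail's own record key may differ, so test with a real correspondent before rolling it out. Second, greylisting only stops senders that do not retry; a campaign sent through proper queueing MTAs passes on the second attempt, which is why the reply pairs it with the Spamhaus CSS list rather than relying on it alone.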
