advice about stopping recent wave of spam; sample header included
Question asked by Eric Bourland - 9/30/2014 at 12:14 PM
Answered
SmarterMail 12.4
Windows 2008 R2 standard
 
Hi friends. I've been getting hit with a bunch of spam recently. I have read, and believe I have followed closely, Bruce's antispam settings document. (Thanks, Bruce!) But some spam has been getting through. An example header is below. What can I do to block these guys? Thank you for your help.
 
Eric
 
Return-Path: <psychologydegrees@76i7.eu>
Received: from 082a3eaf.76i7.eu (UnknownHost [188.240.210.26]) by tarsier.viviotech.net with SMTP;
   Tue, 30 Sep 2014 14:46:14 -0400
Received: by 082a3eaf.haqq6of.76i7.eu
	(amavisd-new, port 10326) with ESMTP id 08F2A3EFAF;
	for <eb@hwaet.com>; Tue, 30 Sep 2014 14:46:33 -0400
Content-Type: text/html; charset="UTF-8"
List-Unsubscribe: <mailto:unsub-9326-2520-44097-11-136976961@76i7.eu?subject=unsubscribe>, <http://www.76i7.eu/unsubscribe/9326/2520/44097/11/136976961/~~eb@hwaet.com>
Date: Tue, 30 Sep 2014 14:46:33 -0400
From: "Psychology Degrees" <PsychologyDegrees@76i7.eu>
Subject: Get Started On A Psychology Degree
Content-Transfer-Encoding: 8bit
Content-Language: en-us
MIME-Version: 1.0
To: <eb@hwaet.com>
Message-ID: <9326721369769619326268267252044097@haqq6of.76i7.eu>
X-SmarterMail-Spam: SPF_Pass, Truncate, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0

34 Replies

0
Robbie Wright Replied
We've been getting some of these as well. We do use the Bayesian filter though, and content filtering, and it still gets through. We have been experimenting more last week and this week with hostkarma "familiar" dns lists. Basically, how old is a domain that hostkarma has seen.

Do a whois lookup on that .eu domain and you'll see it was registered today. HK has 24 to 48 hours old, less than 10 days, and over 10 days. Basically, if it is over ten days they have seen mail from that system for a few weeks or more. Just be careful marking everything not listed in the familiar list because there are plenty of legitimate domains that HK doesn't know about yet.
0
Eric Bourland Replied
Robbie, thanks for that input. Do you do anything specific in your antispam measures -- besides Bayesian -- to counter these newly registered domains?

I am feeling particularly defensive these days after receiving a number of these spam blasts. =) And I want to do right by my clients, who depend on me for protection.

I'd be delighted to read anything you have to report about your experiences with hostkarma.

Thanks very much.

Eric
0
Robbie Wright Replied
We just started playing around with their familiarity scores and are just logging low 1 point swings with them now just to get a feel for them. We do have bayesian turned on but with a much lower threshold for learning. Like 50 items instead of 1000 or whatever it was.

We penalize for a lack of DKIM, albeit small. We'll probably be turning up the consequences of a new domain here pretty quick. We're getting some of these, but not many so I'm not too worried about it. Yet.
0
Steve Reid Replied
What are the details of that familiarity rbl?
0
Robbie Wright Replied
http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#Familiar_Domains
0
Bruce Barnes Replied
Per the information published at the URL provided by Robbie Wright, in the message above, at:
 
 
Which states:
 

"Junk Email Filter dot com provides several public lists -- one is a black list to block spam and the other is a white list to either pass nonspam/ham or to keep sites from being blocked. Blocking is done by IP address which is something spammers can't spoof. We look at email hosts as being one of these kinds:

  • hosts that generate only spam that we blacklist
  • hosts that generate a mix which we yellow list.
  • hosts that generate only nonspam which we whitelist

Our list server is hostkarma.junkemailfilter.com - this server returns several different results depending on what kind of listing it is. If the server returns 127.0.0.1 then it is whitelisted. You can accept the email without any further checking.

If the result is 127.0.0.3 then the host is yellow listed. Yellow listing means that host generates some spam and some nonspam (examples: yahoo.com, hotmail.com). What that means is that this host should never be blacklisted and that other IP based blacklists should be bypassed to prevent false positives.

If the result is 127.0.0.2 it is blacklisted - if the IP is listed here you can bounce it without further checking.

And if the result is 127.0.0.4 it is brownlisted which means it is on its way to being blacklisted but hasn't quite got there yet. But it might be worth a few points using SpamAssassin.

  • 127.0.0.1 - whitelist - trusted nonspam
  • 127.0.0.2 - blacklist - block spam
  • 127.0.0.3 - yellowlist - mix of spam and nonspam
  • 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist
  • 127.0.0.5 - NOBL - This IP is not a spam only source and no blacklists need to be tested"
These tests were included in the antispam document published by me more than a year ago.
 
Here are the configurations for them:
 
HostKarma - Blacklist (configuration screenshot)
 
HostKarma - Brownlist (configuration screenshot)
 
The BROWNLIST is included because, "127.0.0.4 - brownlist - all spam - but not yet enough to blacklist."
 
We show this as a separate test and the results are so listed in the SMTP logs when trapped.  This test rarely triggers.
 
Anyone who has completely implemented the antispam settings document, SmarterMail Antispam Settings Document, should already be using these two tests.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Robbie Wright Replied
And for added clarity, what Steve and I are talking about is some additional tools HostKarma has available that return additional records aside from 127.0.0.x. They also have the familiar domains as listed previously that return 127.0.2.x and one that tracks the appropriate use of the QUIT command with 127.0.1.x. We added rules for the familiarity option and are tweaking our rates a bit as we're seeing how it is behaving.
0
Steve Reid Replied
I'm still not familiar with how to add these new options... Bruce you think you can explain?
2
Robbie Wright Replied
Steve, take one of Bruce's existing rules and make a few changes, namely the required lookup value. In the wiki link I provided, you'll see this value listed:
  • 127.0.2.3 - domains that are older than 10 days
 
Change the lookup value to 127.0.2.3 and give it a meaningful name and description, like HostKarma > 10 or something so you know what it is. 127.0.2.1 will give you domains that are 24 to 48 hours old and 2.2 will give you domains 2 to 10 days old.
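As an added example (not from this thread, and not HostKarma's or SmarterTools' own code), the Python below builds the two query names the replies above talk about, interprets the 127.0.0.x and 127.0.2.x answers, and sums per-code weights the way SmarterMail's additive spam weighting does. The form of the domain query name, the SAMPLE_WEIGHTS values, the example.com / 192.0.2.10 sender and every answer in FAKE_DNS are assumptions; the only real pair is 188.240.210.26 / 76i7.eu from Eric's header, and it is deliberately left unlisted.

```python
"""HostKarma lookup walkthrough (added example; assumptions are marked inline)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com"

# Answer codes: 127.0.0.x as quoted from the junkemailfilter.com wiki earlier in
# the thread, 127.0.2.x as Robbie describes the familiar-domain list above.
HOSTKARMA_CODES: Dict[str, str] = {
    "127.0.0.1": "whitelist - trusted nonspam",
    "127.0.0.2": "blacklist - block spam",
    "127.0.0.3": "yellowlist - mix of spam and nonspam",
    "127.0.0.4": "brownlist - all spam, not yet enough to blacklist",
    "127.0.0.5": "NOBL - not a spam-only source",
    "127.0.2.1": "familiar - domain seen for 24 to 48 hours",
    "127.0.2.2": "familiar - domain seen for 2 to 10 days",
    "127.0.2.3": "familiar - domain seen for more than 10 days",
}

# ASSUMED illustrative weights. The thread only gives Robbie's -1 for 127.0.2.3;
# Bruce's document values are not quoted on this page.
SAMPLE_WEIGHTS: Dict[str, int] = {"127.0.0.2": 30, "127.0.0.4": 10, "127.0.2.3": -1}

Resolver = Callable[[str], List[str]]


def ip_query_name(ip: str) -> str:
    """Standard DNSBL form: reverse the IPv4 octets, then append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + HOSTKARMA_ZONE


def domain_query_name(domain: str) -> str:
    """ASSUMPTION: the familiar-domain list is queried by prefixing the bare
    domain to the same zone. Confirm against the wiki page Robbie linked."""
    return domain.strip(".").lower() + "." + HOSTKARMA_ZONE


def sending_domain(return_path: str) -> str:
    """Domain part of a Return-Path such as <psychologydegrees@76i7.eu>."""
    addr = return_path.strip().strip("<>")
    return addr.rsplit("@", 1)[-1].lower()


def live_resolver(name: str) -> List[str]:
    """Real A lookup. An unlisted name is NXDOMAIN: 'no answer', not an error."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_sender(ip: str, return_path: str, resolver: Resolver,
                 weights: Dict[str, int] = SAMPLE_WEIGHTS) -> Dict[str, object]:
    """Query the IP list and the familiar-domain list for one sender and sum the
    weights of whatever codes come back. An unlisted sender contributes nothing,
    which is exactly why a domain registered today slips past this test."""
    answers = (resolver(ip_query_name(ip))
               + resolver(domain_query_name(sending_domain(return_path))))
    hits: List[Tuple[str, str]] = [(a, HOSTKARMA_CODES.get(a, "unknown code")) for a in answers]
    return {
        "hits": hits,
        "weight": sum(weights.get(a, 0) for a in answers),
        "listed": bool(answers),
    }


# CONSTRUCTED DNS answers for the walkthrough. Eric's sender gets no listing at
# all (the case the thread complains about); the second sender uses RFC 5737
# documentation addresses and a made-up blacklist entry.
FAKE_DNS: Dict[str, List[str]] = {
    ip_query_name("188.240.210.26"): [],
    domain_query_name("76i7.eu"): [],
    ip_query_name("192.0.2.10"): ["127.0.0.2"],
    domain_query_name("example.com"): ["127.0.2.3"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for live_resolver, answering only from FAKE_DNS."""
    return list(FAKE_DNS.get(name, []))


if __name__ == "__main__":
    for ip, rp in [("188.240.210.26", "<psychologydegrees@76i7.eu>"),
                   ("192.0.2.10", "<news@example.com>")]:
        print(ip, rp, check_sender(ip, rp, fake_resolver))
```

Swap `fake_resolver` for `live_resolver` to query the real list. The limitation of a lookup-value rule shows up directly: a domain HostKarma has never seen returns no answer at all, so the rule can reward known-old domains with a negative weight but cannot penalise novelty without also hitting every legitimate domain the list has not yet met.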
0
Robbie Wright Replied
And on a side note, you can't upload an image to a forum post?
0
Bruce Barnes Replied
It will be interesting to see how this can work.

Giving the weight a negative number will ensure it is not blacklisted, but will also throw off the total on actual spam. Have to look at this over the next week or so.
Bruce Barnes
0
Bruce Barnes Replied
You cannot add an image to a "comment"

You can directly paste an image into a "reply," which is why I generally prefer to use replies most of the time.
Bruce Barnes
0
Robbie Wright Replied
Yup, that's pretty much what we're doing too. Set it to -1 for when the domain is more than 10 days old. But still just playing around to see how well it works. Or doesn't work. Lots of these new domains are not in their new list yet because HostKarma hasn't seen the domain yet so it is unlisted. Not super useful so far. Hasn't caught most of these types of spam messages.
1
Andrew Stein Replied
Has anyone had any success yet?   I'm drowning in these messages and am starting to get complaints.
0
Eric Bourland Replied
I've set up the RBLs per notes from Robbie, above. My server is getting hit pretty hard by these messages. The spam filters aren't stopping this wave of spam. The headers look like:
 
Return-Path: <agelessalpha@beecoad.eu>
Received: from 096ec1cc.beecoad.eu (UnknownHost [87.116.65.134]) by tarsier.viviotech.net with SMTP;
   Fri, 10 Oct 2014 21:44:29 -0400
Received: by 096ec1cc.2wd4uk8g0.beecoad.eu
    (amavisd-new, port 8595) with ESMTP id 09AP6EC1JKCC;
    for <eb@hwaet.com>; Fri, 10 Oct 2014 18:44:13 -0700
To: <eb@hwaet.com>
Content-Transfer-Encoding: 8bit
Subject: Do You Know with certainty that Your Mind-- body... and heart Are In the best shape possible.
From: "Ageless Alpha" <AgelessAlpha@beecoad.eu>
Message-ID: <65951371582469216595461450227512390@2wd4uk8g0.beecoad.eu>
Content-Language: en-us
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Date: Fri, 10 Oct 2014 18:44:13 -0700
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0
 
Does anyone have any other ideas about deterring this stuff? I'm getting about ten spam messages per hour on several addresses on my server.
 
Thanks as always.
Eric
0
Andrew Stein Replied
I don't know of any RBLs or built in tests that will stop them. They all have legitimate PTR records and SPF records. They are all new domains and IP addresses that haven't had time to get caught by blocklists. We need an easy way to just block emails from domains that were created within the last 10 days, but I know of no good way to do that.
0
Eric Bourland Replied
Yeah. These guys are hammering my server. All of these spurious messages come from recent .eu domains.

We do need some way to stop these guys. =(

Eric
0
Robbie Wright Replied
Eric, my notes above, specifically the scores assigned, are just for testing to ensure nothing gets too severely punished. In real life, once the RBL has proved itself, I'll up those scores. From what I've seen so far though, the HostKarma familiar list is not catching most of these new domains. They don't actively scan for new domains, rather just age out domains that they have recognized for a while. Thus, if they've known a domain for more than 10 days (and it doesn't have other spam flags) chances are it's good. I'm a bit disappointed in this list's ability to catch brand new domains, simply because HostKarma hasn't seen the domain yet either and thus can't judge it.
0
Eric Bourland Replied
Robbie, I really appreciate that input.

This wave of spam comes from domains at:

.eu
.webs

I have found that setting up a Content Filter stops them -- but I have to block all mail from these domains -- which obviously is not a viable solution.

I am looking forward to figuring out a solution for this.

Hope you are well; have a great day.

best from Eric
1
Irene Liew Replied
Hi, there are many spam emails in my SmarterMail inbox too, mainly from .eu domains. I receive about 50-100 junk mails per day and it uses up my inbox space.
 
Please help...
2
Joe Wolf Replied
Marked As Answer
You have no content filtering.  At least enable SpamAssassin Based Pattern Matching, or better yet install SpamAssassin In a Box.  
 
It's ridiculous to not be scanning for common message structure and content issues.  Using only RBLs, URIBLs, and other rudimentary tests results in exactly what you get.... SPAM.   
Thanks,
-Joe
0
Andrew Stein Replied
For whatever it's worth, I tried SAIB and it made things worse. It kept giving negative scores to these messages, meaning more were getting through despite being caught by RBLs. I had to disable it after a while.
0
Steve Reid Replied
I have had to modify my installation of SA to ensure no negative scores are given. You can set your own weights for the different checks. Over time I have fine tuned it to work fairly well. Although there are still a few odd obvious spams that make it through.
0
Emmet McGovern Replied
Why did you get a Truncate hit but no spam score?
1
Nicolas Lambert Replied
I don't know about the age of the domains that are spamming us but we encountered a similar situation a couple of times. It seems to happen randomly for a day or two and then stops. We've got this account that we are keeping as a reference since he receives like 3-4 SPAM messages an hour, 24/7. Usually we can see the line "X-SmarterMail-Spam:" which details all the SPAM filters and the SPAM weight they add to the TotalSpamWeight. Here's a typical example of a SPAM message:
 
Return-Path: <help-support@clegsnow.com>
Received: from knock.clegsnow.com (UnknownHost [192.82.109.146]) by mailserver1.yuccahosting.com with SMTP;
   Fri, 27 Mar 2015 15:23:21 -0400
Date: Fri, 27 Mar 2015 14:47:00 -0400
Subject: Here are the 5 winning weekend mega lotto numbers
From: "Kathryn" <help-support@clegsnow.com>
To: <cheetah@dreamcite.com>
Mime-Version: 1.0
Message-ID: <45089119029082939953548a46555b99994c687d009c25874f1@knock.clegsnow.com>
Content-type: multipart/alternative; boundary="_NextPart_MzU0OGE0NjU1NWI5OTk5NGM2ODdkMDA5YzI1ODc0ZjE_"
X-SmarterMail-Spam: Bayesian Filtering, Commtouch 25 [value: Confirmed], ISpamAssassin 0 [raw: 0], SPF_Pass, DK_None, DKIM_None, Spamhaus - PBL, Spamhaus - PBL2, Spamhaus - SBL, Spamhaus - XBL, Spamhaus - XBL2
X-SmarterMail-SpamDetail: 0.5 FRT_TODAY2 ReplaceTags: Today (2)
X-CTCH-RefId: str=0001.0A010205.5515AE3F.00C0,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
X-SmarterMail-TotalSpamWeight: 82
 
You can see that the lines "X-SmarterMail-Spam" and "X-SmarterMail-SpamDetail" are there like they should be. Now when this problem occurs it's like we don't have any filters at all. Here's the header of one of the messages (clearly SPAM, by the way; just look at the title) that we received last month:
 
Return-Path: <night@rooshumid.com>
Received: from hair.rooshumid.com (UnknownHost [104.152.189.116]) by mailserver1.yuccahosting.com with SMTP;
   Wed, 4 Mar 2015 15:05:51 -0500
Date: Wed, 4 Mar 2015 14:46:00 -0500
From: "Randy Pike" <night@rooshumid.com>
To: <cheetah@dreamcite.com>
Mime-Version: 1.0
Subject: Cum twice tonight Cheetah (within 10 minutes)
Message-ID: <7457076044935276416.687bd79888ec9edfffb0d8da970c8a61.1864976660@hair.rooshumid.com>
Content-type: multipart/alternative; boundary="_NextPart_Njg3YmQ3OTg4OGVjOWVkZmZmYjBkOGRhOTcwYzhhNjE_"
X-SmarterMail-TotalSpamWeight: 0
 
So for 2 days straight all of the messages we were receiving had 0 TotalSpamWeight and we couldn't see "X-SmarterMail-SpamDetail" or "X-SmarterMail-Spam:" anywhere in the headers. We had to restart the mail server to solve this issue. This thing has happened a couple of times now and we still don't have any fix for this.
 
Of course we checked if there was a problem with the AntiSPAM filters in the "AntiSPAM Administration" tab but everything seemed ok there...
 
Did anyone ever encounter a similar issue with SPAM weights?
 
Thanks
0
Eric Bourland Replied
Dear Steve -- can you elaborate? I just installed Spam Assassin in a Box, and saw a very modest -- almost negligible -- decrease in the tidal wave of spam that my server is usually beneath. =) How did you modify your SAIB installation? Thank you for your help. Eric
0
Eric Bourland Replied
Dear Joe -- yep, I really want to do some content filtering. I have installed Spam Assassin in a Box -- but SAIB has not really deterred spam very much, it seems. Is there something I can do to make SAIB more effective? I have read the SAIB documentation and I think I have configured SAIB correctly. Thank you as always for your time and help. Eric
0
Steve Reid Replied
What I did was monitor the headers of emails that pass through; you can see in the headers what SpamAssassin is doing. Then you can edit the rules and tweak it to make it detect more things.
0
Eric Bourland Replied
Hi, Steve, thanks for that. Can you tell me -- what exactly do I look for in the headers? And -- do I modify SpamAssassin service.config, or something else? I really appreciate your time. Eric
0
Steve Reid Replied
Make sure you have SpamAssassin set to add score names and details; you find this setting in Antispam Administration. The file you need to edit is C:\ProgramData\JAM Software\spamdService\sa-config\local.cf; you need to modify the section below "# Rescore some rules". http://portal.smartertools.com/community/a2008/spamassassin-in-a-box-local_cf-customization.aspx
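Added example, not from this thread and not SmarterTools' or JAM Software's code: a small Python audit over three header blocks posted in this thread (pasted in as constructed input and trimmed to the lines the audit needs). It unfolds the headers, lists the tests recorded in X-SmarterMail-Spam, pulls the per-rule scores that X-SmarterMail-SpamDetail carries once "add score names and details" is on, and flags the situations discussed above: a message that has no X-SmarterMail-Spam header at all, a Truncate entry, and SpamAssassin rules with negative scores. The header-line formats are taken from the samples on this page; the SA_DETAIL regex and the flag wording are my assumptions.

```python
"""Audit SmarterMail spam headers (added example; input constructed from this thread)."""
import re
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED test input: three header blocks from this thread, trimmed.
# Folded continuation lines keep their leading whitespace, as in the originals.
SCORED = """\
Return-Path: <help-support@clegsnow.com>
Received: from knock.clegsnow.com (UnknownHost [192.82.109.146]) by mailserver1.yuccahosting.com with SMTP;
   Fri, 27 Mar 2015 15:23:21 -0400
Subject: Here are the 5 winning weekend mega lotto numbers
X-SmarterMail-Spam: Bayesian Filtering, Commtouch 25 [value: Confirmed], ISpamAssassin 0 [raw: 0], SPF_Pass, DK_None, DKIM_None, Spamhaus - PBL, Spamhaus - PBL2, Spamhaus - SBL, Spamhaus - XBL, Spamhaus - XBL2
X-SmarterMail-SpamDetail: 0.5 FRT_TODAY2 ReplaceTags: Today (2)
X-SmarterMail-TotalSpamWeight: 82
"""

UNSCORED = """\
Return-Path: <night@rooshumid.com>
Received: from hair.rooshumid.com (UnknownHost [104.152.189.116]) by mailserver1.yuccahosting.com with SMTP;
   Wed, 4 Mar 2015 15:05:51 -0500
Subject: Cum twice tonight Cheetah (within 10 minutes)
X-SmarterMail-TotalSpamWeight: 0
"""

TRUNCATED = """\
Return-Path: <psychologydegrees@76i7.eu>
Received: from 082a3eaf.76i7.eu (UnknownHost [188.240.210.26]) by tarsier.viviotech.net with SMTP;
   Tue, 30 Sep 2014 14:46:14 -0400
Subject: Get Started On A Psychology Degree
X-SmarterMail-Spam: SPF_Pass, Truncate, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0
"""

# ASSUMED shape of a SpamDetail line: "<score> <RULE_NAME> <description>".
SA_DETAIL = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Za-z0-9_]+)")


def unfold(raw: str) -> Dict[str, List[str]]:
    """Parse RFC 5322 style headers: a line starting with whitespace continues
    the previous header. Names are lower-cased; repeated headers keep all values."""
    headers: Dict[str, List[str]] = {}
    name: Optional[str] = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name][-1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers.setdefault(name, []).append(value.strip())
    return headers


def audit(raw: str) -> Dict[str, object]:
    """Summarise what SmarterMail's spam checks recorded for one message."""
    h = unfold(raw)
    spam_lines = h.get("x-smartermail-spam", [])
    tests = [t.strip() for line in spam_lines for t in line.split(",") if t.strip()]
    sa_rules: List[Tuple[str, float]] = []
    for line in h.get("x-smartermail-spamdetail", []):
        m = SA_DETAIL.match(line)
        if m:
            sa_rules.append((m.group(2), float(m.group(1))))
    total_raw = h.get("x-smartermail-totalspamweight", [None])[0]
    return {
        "subject": h.get("subject", [""])[0],
        "filters_ran": bool(spam_lines),
        "tests": tests,
        "sa_rules": sa_rules,
        "negative_sa_rules": [r for r in sa_rules if r[1] < 0],
        "total": int(total_raw) if total_raw is not None else None,
    }


def needs_attention(result: Dict[str, object]) -> List[str]:
    """Things worth alerting on: no test list at all (the state Nicolas describes),
    a Truncate entry, or SpamAssassin rules pulling the weight down."""
    flags: List[str] = []
    if not result["filters_ran"]:
        flags.append("no X-SmarterMail-Spam header: antispam checks did not run")
    if "Truncate" in result["tests"]:
        flags.append("Truncate recorded in X-SmarterMail-Spam")
    if result["negative_sa_rules"]:
        names = ", ".join(n for n, _ in result["negative_sa_rules"])
        flags.append("negative SpamAssassin rules: " + names)
    return flags


if __name__ == "__main__":
    for raw in (SCORED, UNSCORED, TRUNCATED):
        r = audit(raw)
        print(r["subject"], "->", r["total"], needs_attention(r))
```

Feed it the raw headers of messages that landed in the inbox; any rule that shows up under "negative SpamAssassin rules" is a candidate for a `score` override in local.cf, and a run of messages with the first flag is the symptom that needed a service restart in the report above.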
0
CharlesWorks Replied
As regards content filtering, I noticed right away the unknown host in the header sample. One of my content filters is set up to filter unknown hosts, since my observations over many years showed they are nearly always spammers with the exception of a few where the server was set up incorrectly (I notified those and they took care of the issue). Here is what I use in a content filter rule for unknown hosts:
 
Rule Name: UnkHost, Rule Source: Header, Rule Type: Wildcard, Rule Text:
*unknown.*
*unknownhost*
*unkhost*
*unassigned.*
received: from unknown (*
(unknown [*
(unknownhost [*
(. [
Rule Weight: 20
 
I have five others set up as well so I know exactly which completed an action:
- an "Allow" filter (Weight -20)
- a "BadAcct" filter acting upon long dead accounts at my company that are still spammed (Weight 20)
- a "BadIP" filtering IP subnets consistently spamming our users (Weight 20)
- a "SpamSrvr" filter looking for server names consistently sending spam (Weight 20)
- a "SpamTxt" filter looking for very specific phrases and words (Weight 20)
 
One thing I noticed early on was that I had to set the size of the spam to be checked to 1 MB which seems pretty effective so far. This is done in:
Security> Antispam Administration> Options >Max message size to content scan
 
We are moving towards not disallowing any email but sending it to the junk e-mail folder where the user can decide upon it within 7 days (which they can change).
 
This system has reduced my own spam (and my email address has been out there for some time now) to one to three a day with most of those addressed to an alias email on our websites from the free email providers. This alias has been a great source of spam to fine tune our filters with.
Take care,
Charles - Please LIKE US at http://facebook.com/CharlesWorksLLC
and connect with me at http://linkedin.com/in/charlesworks

"Bridging the gap between geeks and everyone else since 1998."

CharlesWorks for YOU!
CharlesWorks, LLC, Peterborough, NH 03458-1645 http://CharlesWorks.net
- Domains - Hosting - Web Design - WordPress - Social Media Updating - Search Engine Optimization -

603-924-9867 office
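Added example (not Charles's code and not SmarterMail's): Python that emulates his UnkHost wildcard rule so the pattern list can be tried against saved Received headers before it is applied server-wide. How SmarterMail evaluates a wildcard rule is assumed here (only `*` is a wildcard, matching is case-insensitive and may start anywhere in the header text, and the 20-point weight is added once per message however many lines hit). The three real Received lines come from headers posted in this thread; the example.com / 192.0.2.x lines are constructed, including one whose reverse DNS is simply missing, the false-positive case Charles mentions.

```python
"""Emulate a SmarterMail wildcard content-filter rule (added example)."""
import re
from typing import Dict, List

# Charles's UnkHost rule text as posted above (rule source: Header, type: Wildcard).
UNKHOST_PATTERNS = [
    "*unknown.*",
    "*unknownhost*",
    "*unkhost*",
    "*unassigned.*",
    "received: from unknown (*",
    "(unknown [*",
    "(unknownhost [*",
    "(. [",
]
UNKHOST_WEIGHT = 20


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """ASSUMPTION about SmarterMail's wildcard semantics: '*' matches any run of
    characters, everything else is literal, matching is case-insensitive and the
    pattern may match anywhere in the header text."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED = [(p, wildcard_to_regex(p)) for p in UNKHOST_PATTERNS]


def matching_patterns(header_text: str) -> List[str]:
    """Return the rule-text lines that hit against one message's raw headers."""
    return [p for p, rx in COMPILED if rx.search(header_text)]


def rule_weight(header_text: str) -> int:
    """ASSUMPTION: the rule's weight is added once if any line of the rule text
    matches, not once per matching line."""
    return UNKHOST_WEIGHT if matching_patterns(header_text) else 0


# CONSTRUCTED test input: Received lines from three headers posted in this
# thread, a made-up well-configured sender, and a made-up sender with no rDNS.
SAMPLES: Dict[str, str] = {
    "eric_sep": "Received: from 082a3eaf.76i7.eu (UnknownHost [188.240.210.26]) by tarsier.viviotech.net with SMTP;",
    "eric_oct": "Received: from 096ec1cc.beecoad.eu (UnknownHost [87.116.65.134]) by tarsier.viviotech.net with SMTP;",
    "nicolas": "Received: from hair.rooshumid.com (UnknownHost [104.152.189.116]) by mailserver1.yuccahosting.com with SMTP;",
    "good_rdns": "Received: from mail.example.com (mail.example.com [192.0.2.5]) by mx.example.net with ESMTP;",
    "no_rdns": "Received: from mx (unknown [192.0.2.9]) by mx.example.net with ESMTP;",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:10} weight={rule_weight(hdr):3} hits={matching_patterns(hdr)}")
```

All three spam samples from the thread hit on `*unknownhost*` and `(unknownhost [*`, the well-configured sender hits nothing, and the no-rDNS sender hits `(unknown [*` alone, which is the kind of legitimate but misconfigured server that a 20-point weight will send to Junk rather than reject outright.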
0
Eric Bourland Replied
Charles, thanks for this! Do you set up this Content Filtering rule for every domain in SmarterMail? Eric
0
Eric Bourland Replied
Also, I did not see a place within the Content Filtering interface to apply a weight?
0
CharlesWorks Replied
I set these up server-wide. They still continue to be very effective. The weight is put in at the point you create the Content Filtering rule:
Security > Antispam Administration > Double Click on Custom Rules and add or edit one there. We continue to send filtered items to the junk folder as opposed to deleting them.
Take care,
Charles
