SPAM is just awful TODAY - 6/18/2015
Question asked by Howell Dell - 6/18/2015 at 3:05 PM
According to the SPAM that I'm getting -- all of these emails are walking right through the SPAM filter. Normally, we get 25,000 emails on average and today it's 600,000! Yikes! Cyren/Commtouch score = 0, SPF = Good
In doing research on some of these domains, they are coming from twistcommonmedcare.us, methodsworkathome.us, bssaha.us, bostk.us, lorehackprofiles.us, prepwindowcostlow.link, bzhuf.link, modernloanssufficient.us and bxhcp.us, for example. All of these domains are registered under cassyzambrano(at)yahoo.com and many are coming from one /24. I've already contacted the ISP about these IPs. Thus far I've seen .110, .109 and .108. The IP addresses and the domains continue to rotate...
I just added the Spamhaus CSS component (snowshoe) of the SBL (return response to the RBL list) to help, but it's not enough!
I would like to implement greylisting; however, I found too many "real" servers don't handle greylisting correctly.
Any thoughts on how to combat this?

4 Replies
Scarab Replied
Greylisting is very useful to block a lot of spammers. If you don't have it enabled it is highly recommended that you do (we consistently see a 90% decrease in Spam from Greylisting alone). Although it is true that there are some Mail Providers that do not recognize a "451 - Greylisted. Please try again in XXX seconds" message, they aren't as common as you might think. I've had to add relatively few to the Greylisting Filter over the years, some out of convenience rather than necessity (such as eBay, PayPal, and Netflix). The only big names that don't pass Greylisting are generally Bulk Email Providers (like SendGrid, ExactTarget, Constant Contact, Responsys, Silverpop, AppRiver) and Amazon SES (which commonly has problems other than not passing Greylisting, like not passing FCrDNS), and these failures generally only occur because we have 3 different Incoming Gateways listed in our MX Records and when they get a 451 soft-fail they just try the next MX Record and the one after that. If you have only one Mail Server with a 2 minute Block Period they will pass Greylisting without intervention. The rest that don't pass Greylisting but are legitimate Mail Servers are very rare occurrences that I have only had to add to the Greylisting Filter on a case-by-case basis, and number maybe a dozen over the years.
You could also add a Custom Rule as follows:
Rule Source: Header
Header: Return-Path
Rule Type: Regular-Expression
Weight: (variable based upon your Low/Med/High weights)
Rule Text: .*\.us$
(et cetera for each top-level domain you want to catch)
To be honest, I rarely find anything legitimate coming from .*\.us$ or .*\.info$ domains, as they are primarily used by spammers, and the rest are entirely rubbish used exclusively by spammers (in my experience).
One of the most useful things I've used to combat spam is EHLO blocking under SMTP Blocking. Many Spam bot-nets use either the same EHLO (such as ylmf-pc) or a similar EHLO (such as ryf123.twistcommonedcare.us and ryf456.methodsworkathome.us, allowing you to block ryf*.*.us to stop the entire bot-net).
Also, be sure to check out Bruce's Anti-Spam document. It is very useful for configuring the base install of SmarterMail to be far more efficient at blocking Spam.
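The three controls in the reply above (greylisting with a block period, a weighted Return-Path regex rule, and EHLO pattern blocking), worked through as an added example. This is not SmarterMail's code or Scarab's configuration; it is a small in-memory model whose triplet keying, 120 second block period, rule weights, exemption list and sample SMTP sessions are all assumptions constructed to mirror the thread. It also replays the multi-MX failure mode described above: a bulk sender that answers 451 by hopping to the next gateway, where each gateway keeps its own greylist, never passes.

```python
"""Greylisting gate plus Return-Path regex and EHLO glob rules.

Added example, not SmarterMail's code. Block period, weights, exempt
domains and the sample sessions below are assumptions/constructed data.
"""
import fnmatch
import re
from dataclasses import dataclass, field

BLOCK_PERIOD = 120  # seconds; the "2 minute Block Period" from the post


@dataclass
class Greylister:
    """In-memory greylist keyed on (client IP, MAIL FROM, RCPT TO)."""
    block_period: int = BLOCK_PERIOD
    first_seen: dict = field(default_factory=dict)    # triplet -> first attempt
    exempt_domains: set = field(default_factory=set)  # the "Greylisting Filter"

    def check(self, ip, mail_from, rcpt_to, now):
        """Return (smtp_code, text): 451 until the same triplet is retried
        block_period seconds after first contact, then 250. Exempt sender
        domains (e.g. bulk providers that never retry) get 250 at once."""
        if mail_from.rsplit("@", 1)[-1].lower() in self.exempt_domains:
            return 250, "OK (exempt from greylisting)"
        key = (ip, mail_from.lower(), rcpt_to.lower())
        t0 = self.first_seen.setdefault(key, now)
        wait = self.block_period - (now - t0)
        if wait > 0:
            return 451, f"Greylisted. Please try again in {wait} seconds"
        return 250, "OK"


def run_attempts(gateways, attempts, ip, mail_from, rcpt_to):
    """Replay delivery attempts; each attempt is (gateway index, time).
    With one independent greylist per MX, hopping gateways on 451 instead
    of retrying the same one is the failure mode the post describes."""
    return [gateways[i].check(ip, mail_from, rcpt_to, t)[0] for i, t in attempts]


# Custom Rules on the Return-Path header (weights are assumptions)
RETURN_PATH_RULES = [
    ("Return-Path .us", re.compile(r".*\.us$"), 10),
    ("Return-Path .info", re.compile(r".*\.info$"), 10),
]
# EHLO Blocking patterns from the post; '*' is a glob wildcard
EHLO_BLOCKS = ["ylmf-pc", "ryf*.*.us"]


def ehlo_blocked(ehlo):
    """True if the EHLO name matches any blocked glob (case-insensitive)."""
    return any(fnmatch.fnmatchcase(ehlo.lower(), p) for p in EHLO_BLOCKS)


def score_return_path(headers):
    """Sum the weights of matching Return-Path rules. Angle brackets are
    stripped first: matching '<x@y.us>' raw would never satisfy the '$'."""
    addr = headers.get("Return-Path", "").strip().strip("<>").lower()
    hits = [name for name, rx, _ in RETURN_PATH_RULES if rx.match(addr)]
    weight = sum(w for name, _, w in RETURN_PATH_RULES if name in hits)
    return weight, hits


# Constructed sample sessions (not real traffic; TEST-NET addresses)
SESSIONS = [
    {"ip": "203.0.113.110", "ehlo": "ryf123.twistcommonmedcare.us",
     "mail_from": "offer@bssaha.us", "rcpt_to": "user@example.com",
     "headers": {"Return-Path": "<offer@bssaha.us>"}},
    {"ip": "203.0.113.109", "ehlo": "ylmf-pc",
     "mail_from": "win@bzhuf.link", "rcpt_to": "user@example.com",
     "headers": {"Return-Path": "<win@bzhuf.link>"}},
    {"ip": "198.51.100.7", "ehlo": "mail.example.net",
     "mail_from": "alice@example.net", "rcpt_to": "user@example.com",
     "headers": {"Return-Path": "<alice@example.net>"}},
    {"ip": "203.0.113.108", "ehlo": "srv1.modernloanssufficient.us",
     "mail_from": "loan@modernloanssufficient.us", "rcpt_to": "user@example.com",
     "headers": {"Return-Path": "<loan@modernloanssufficient.us>"}},
]


def classify(session, greylister, now, threshold=10):
    """Order mirrors the post: EHLO block at SMTP time, then greylisting,
    then header rules on the message that was finally accepted."""
    if ehlo_blocked(session["ehlo"]):
        return "rejected:ehlo"
    code, _ = greylister.check(session["ip"], session["mail_from"],
                               session["rcpt_to"], now)
    if code == 451:
        return "greylisted"
    weight, _ = score_return_path(session["headers"])
    return "spam" if weight >= threshold else "delivered"


if __name__ == "__main__":
    g = Greylister()
    for t in (0, 200):  # first contact, then a proper retry past the block period
        for s in SESSIONS:
            print(t, s["ehlo"], classify(s, g, t))
```

Two practitioner caveats the model makes visible: a TLD-only Return-Path rule scores every legitimate .us sender as well, so keep its weight below the reject threshold or pair it with other signals; and if you run several incoming gateways, point them at one shared greylist store (or exempt the bulk providers) so a sender that retries via a different MX is not greylisted afresh on each one.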
Joe Burkhead Replied
You do not say which version of SmarterMail you are running. I am on V14 and have enabled the 30 day trial of Message Sniffer. I also use the settings in Bruce's document. Before Message Sniffer most accounts on our domain were getting 10-20 spam messages through. Message Sniffer has killed virtually all of that. Now it is maybe one per day per account.
Also implement the ClamSup settings provided by Joe Wolf. That tool alone is catching 60-100 emails per day that are infected with harmful attachments. The combination of these 3 tools has made my mailbox so quiet that I occasionally have to send myself an email from my personal gmail account just to make sure that my SM is still working!
Howell Dell Replied
I'm using Version 13.x and we have been using Cyren Premium Antispam and Cyren Zero-hour Antivirus for a long time; however, it's no longer working well enough. The hackers are using techniques that get past the SPAM filter.
Joe Burkhead Replied
We used Cyren Premium Antispam for a year, did not renew when it came time. I could really tell very little difference whether it was enabled or not.