.US TLD SPAM has gone to orbit - how to stop it!
Question asked by Ben Smith - 5/16/2017 at 7:38 PM
Hello SmarterMail Folks;
Just very recently, we have been getting absolutely bombed by .us TLD spam emails. They come in almost unimpeded regardless of so many filters, RBLs, and custom rules. Nothing works.
Of course, we can't just block the entire .US TLD.
Here is a sample (sorry, no logs just yet):
Return-Path: <elizabeth-mack@extreme.uprex.us>
Received: from extreme.uprex.us (cartable.placestanding.com []) by MY MAIL SERVER with SMTP;
   Tue, 16 May 2017 18:44:17 -0700
Date: Tue, 16 May 2017 18:20:52 -0700
Subject: SPAM-LOW:  Fwd: Oz's rapid belly-melt helps women get in shape for Summer
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative; boundary="11306487_17693211_11306487"
From: Elizabeth Mack <Elizabeth-Mack@extreme.uprex.us>
Message-ID: <c0cf4db29eda8acaa4a416d94d5e8b70_c0cf4db29eda8acaa4a416d94d5e8b70.Inspired11306487@extreme.uprex.us_v7g>
To: <ME>
Snack: 11306487_c0cf4db29eda8acaa4a416d94d5e8b70-17693211
X-SmarterMail-Spam: SPF_Pass, Bayesian Filtering, ISpamAssassin 1 [raw: 0], DK_None, DKIM_None, Custom Rules []
X-SmarterMail-SpamDetail: 0.7 DIET_1 Lose Weight Spam
X-SmarterMail-TotalSpamWeight: 10
I realize several may ask for more info (i.e. full SMTP logs, entire anti-spam filters, etc.), but I would hope there can be some more fundamental reason for this recent explosion with no filters catching these. I have so many filters that seem to work great, including tons of custom rules blocking anything from 'localthost' variants to 'unknown' variants in the headers, to outright blocking of .TOP, .SCIENCE, and more recently .LT country domains, that my head is spinning on this one.
Any chance a recent RBL went bust and is now allowing all this .US SPAM through?
Folks, we are talking similar .US spam emails every 4-6 minutes, in waves!
Thanks for any preliminary response(s) before I decide to use a SmarterMail email support ticket.
Oh, also, I have run Malwarebytes et al. on the mail server, the local servers, and the personal computers I log in from to admin SmarterMail. Also running ClamWin with updated definitions on the mail server. Checked for rootkits... all seems just fine.
Regards, Ben

10 Replies

User Replied
Hi Ben. My company has a few free tools that can help with this. I'm not sure if you have heard of Declude. It's an antispam program that integrates beautifully with SmarterMail. It comes with content filters that can be used to catch this type of pre-tested spam. Also, we have a program that can be used with Declude called The Gauntlet. This will help as well. You see, the problem with pre-tested spam is that a lot of it makes it through before the RBLs recognize that it's spam. With Declude and The Gauntlet, a lot of this can be stopped regardless. Both of these programs are free on our website: http://mailsbestfriend.com/downloads. Feel free to use them and if you have any questions, please send me an email at my address in my signature. Thanks.
Scarab Replied
I give a thumbs up to Declude (it can be resource heavy, using all the resources on your Mail Server that it can, but it is definitely effective).
We also setup a Custom Rule in Smartermail ANTISPAM ADMINISTRATION as follows:
Rule Source: Header
Header: Return-Path
Rule Type: Regular Expression
Weight: 7
Rule Text: .+\.us>$
Notice that if you are using 10/20/30 for Low/Med/High probability, it isn't enough on its own to flag an email as Low Probability, as there are many legitimate domains with the .us extension (especially local and state government departments). However, it is generally enough to tip the scales if they fail at least one RBL, URIBL, SpamAssassin, or Bayesian Filtering check.
We do similar for other domains, such as .CLICK, .CRICKET, .DATE, .DOWNLOAD, .LINK, .MEN, .PARTY, .REVIEW, .ROCKS, .SCIENCE, .SPACE, .STREAM, .TOP, .WIN, .WORK, .XYZ, .ZIP but with a 20 Weight as I have yet to see a single legitimate piece of email come from any of these domains.
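The weighting described in this reply, as an added example that is not from the thread or from SmarterMail: a constructed rule table applies the `.+\.us>$` Return-Path regex at weight 7 and the "junk TLD" regex at weight 20, adds whatever other checks already fired, and maps the total onto the 10/20/30 Low/Medium/High bands. The message headers, the `other_hits` weights and the band names are constructed for the example.

```python
import re
from email import message_from_string

# Constructed rule table in the shape of the reply's custom rules:
# (rule name, header to inspect, regex, weight). The regex runs against the
# raw header value, so the Return-Path pattern keeps the trailing ">" from
# "<user@domain.us>".
CUSTOM_RULES = [
    ("US_TLD_RETURN_PATH", "Return-Path",
     re.compile(r".+\.us>$", re.IGNORECASE), 7),
    ("JUNK_TLD_RETURN_PATH", "Return-Path",
     re.compile(r".+\.(click|cricket|date|download|link|men|party|review|"
                r"rocks|science|space|stream|top|win|work|xyz|zip)>$",
                re.IGNORECASE), 20),
]

# Low/Med/High probability thresholds from the reply, ascending.
THRESHOLDS = [("Low", 10), ("Medium", 20), ("High", 30)]


def score(raw_message, other_hits=None):
    """Return (total_weight, hits) for a raw RFC 822 message.

    other_hits is a constructed {check_name: weight} dict for checks that
    already fired (an RBL, URIBL, SpamAssassin or Bayesian hit); the custom
    rule weights are added on top of those.
    """
    msg = message_from_string(raw_message)
    hits = []
    for name, header, pattern, weight in CUSTOM_RULES:
        if pattern.search(msg.get(header, "")):
            hits.append((name, weight))
    hits.extend((other_hits or {}).items())
    return sum(w for _, w in hits), hits


def probability(total_weight):
    """Map a total weight to the highest probability band it reaches."""
    band = "None"
    for name, threshold in THRESHOLDS:
        if total_weight >= threshold:
            band = name
    return band


# Constructed messages: the headers from the thread's sample, a legitimate
# local-government .us sender, and a .top sender.
SPAM_US = (
    "Return-Path: <elizabeth-mack@extreme.uprex.us>\r\n"
    "From: Elizabeth Mack <Elizabeth-Mack@extreme.uprex.us>\r\n"
    "Subject: Fwd: Oz's rapid belly-melt helps women get in shape for Summer\r\n"
    "To: <me@example.net>\r\n\r\nbody\r\n"
)
LEGIT_US = (
    "Return-Path: <clerk@ci.example.wa.us>\r\n"
    "From: City Clerk <clerk@ci.example.wa.us>\r\n"
    "Subject: Council agenda\r\n"
    "To: <me@example.net>\r\n\r\nbody\r\n"
)
JUNK_TOP = (
    "Return-Path: <promo@deals.example.top>\r\n"
    "From: Promo <promo@deals.example.top>\r\n"
    "Subject: Offer\r\n"
    "To: <me@example.net>\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, raw, other in [
        ("spam .us, no other hits", SPAM_US, {}),
        ("spam .us + Bayesian", SPAM_US, {"Bayesian Filtering": 10}),
        ("legit .us", LEGIT_US, {}),
        ("junk .top", JUNK_TOP, {}),
    ]:
        total, hits = score(raw, other)
        print(f"{label}: weight={total} band={probability(total)} hits={hits}")
```

Running it shows the point of the weight 7: the `.us` sample on its own scores 7 and lands in no band, the same as the city clerk's mail, but one extra hit (here a constructed Bayesian weight of 10) pushes the spam to 17 and into Low, while the `.top` sender reaches Medium from the TLD rule alone. Note that the regex is anchored only at the end of the header, so it keys on the final label of the sender domain, not on any `.us` that appears earlier in the address.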
Ben Smith Replied
Your link is dead;

Not Found

The requested URL /downloads. was not found on this server.

Apache/2.2.22 (Ubuntu) Server at mailsbestfriend.com Port 80
Ben Smith Replied
YES! This may work as well. Most of these emails are close to being dumped into the junkmail folder, so this should help. Thank you.
I will also implement Declude as well (as long as it addresses .US SPAM and NO false positives properly).
Scarab Replied
Post-script: I know there are a few here who may beg to (strongly) differ, but don't be afraid to use the Blacklist and SMTP Blocking in SmarterMail to stop these emails before spam checks. Although at first it may seem like you are swatting a swarm of flies, large spam networks are mappable, and they do rotate through the same IP addresses and domains with regular frequency (every 30, 60, 90, and 180 days, depending on the spammer). After 6 months of diligence you'll see a significant drop in spam overall, as these sources won't be able to deliver to you at all, and you'll have millions of blocked connections a day in your SMTP Error Report. (Seriously, someone just needs to develop a "Never forget, never forgive" RBL.)

In the example you gave I would add the following to your Smartermail Blacklist:

IP Range: -
Protocols: SMTP
Description: Galaxy Traiding Ltd (BG)

And add the following to your Smartermail SMTP Blocked Senders:

Block Type: EHLO Domain
Blocked Address: *.placestanding.com
Description: Galaxy Traiding Ltd (BG)

Eventually you'll see the same descriptions over and over in both of these lists, to the point where you can just look up all IP addresses assigned to that entity and safely block them all.
User Replied
I'm sorry about that Ben. Looks like I added a period to the end of the link. Here is the corrected link: http://mailsbestfriend.com/downloads/
Paul Blank Replied
Can Declude be installed on a different machine, so it doesn't impact SM services so much?
echoDreamz Replied
Nothing will give you no false positives, spam filtering is an art, not science :).

Declude works pretty well; we use it alongside Message Sniffer. A few of the filters had to be "disabled" as they were causing too many issues with false positives. We designed a few of our own external spam processes to run alongside Declude; the ability to create our own spam check processes as well as filters is mainly why we like Declude.
Elazar Broad Replied
I have found blocking via the SpamHaus CSS (www.spamhaus.org/css/) list to be very effective. Note that it does take some time for the spammers to get listed and typically they are hitting you at the same time they are hitting SpamHaus's sensors. This is where greylisting comes in. While I have it enabled system-wide, you could enable it on a per-TLD basis using the rule suggested above, something like:
Assign the rule a desired weight, say 10, and then under the SMTP Blocking tab, configure your 'Greylist Weight Threshold' setting to match. If you haven't already configured Greylisting, do so with a block period of at least 10 minutes.
My .02, YMMV
- elazar
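The per-TLD greylisting this reply describes, as an added example that is not from the thread or from SmarterMail: the `.us` Return-Path rule is given weight 10, the greylist threshold is set to the same value, and only mail that reaches the threshold is deferred with a 451 until the sending MTA retries after the 10-minute block period. Keying the greylist on the (client IP, sender, recipient) triplet is the common greylisting approach and an assumption here; the page says nothing about how SmarterMail keys its entries. The IP addresses, addresses and timings are constructed.

```python
import re
import time

# Constructed settings following the reply: the .us rule scores 10 and the
# Greylist Weight Threshold is set to match, so only mail at or above 10 is
# greylisted. Block period of 10 minutes, as the reply recommends.
US_TLD_RULE = re.compile(r".+\.us>$", re.IGNORECASE)
US_TLD_WEIGHT = 10
GREYLIST_WEIGHT_THRESHOLD = 10
BLOCK_PERIOD_SECONDS = 10 * 60

DEFER = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


class Greylist:
    """Weight-gated greylist keyed on the (client IP, sender, recipient)
    triplet (assumed; the page does not describe SmarterMail's internals)."""

    def __init__(self, block_period=BLOCK_PERIOD_SECONDS, clock=time.time):
        self.block_period = block_period
        self.clock = clock            # injectable so the example can replay time
        self.first_seen = {}          # triplet -> time of first attempt

    @staticmethod
    def weight(return_path):
        """Only the .us rule is modelled; other checks would add to this."""
        return US_TLD_WEIGHT if US_TLD_RULE.search(return_path) else 0

    def decide(self, client_ip, return_path, recipient):
        """Return the SMTP reply for one delivery attempt."""
        if self.weight(return_path) < GREYLIST_WEIGHT_THRESHOLD:
            return ACCEPT                      # below threshold: not greylisted
        key = (client_ip, return_path.lower(), recipient.lower())
        now = self.clock()
        first = self.first_seen.setdefault(key, now)
        if now - first < self.block_period:
            return DEFER                       # first try, or retried too soon
        return ACCEPT                          # a real MTA retried after the block


def simulate():
    """Replay constructed delivery attempts against a fake clock."""
    fake_now = [0]
    gl = Greylist(clock=lambda: fake_now[0])
    spam = ("198.51.100.7", "<elizabeth-mack@extreme.uprex.us>", "me@example.net")
    legit = ("203.0.113.5", "<clerk@ci.example.wa.us>", "me@example.net")
    com = ("203.0.113.9", "<alice@example.com>", "me@example.net")
    replies = []
    replies.append(gl.decide(*spam))    # t=0: deferred, triplet recorded
    replies.append(gl.decide(*legit))   # t=0: legitimate .us deferred once too
    fake_now[0] = 240
    replies.append(gl.decide(*spam))    # t=4min: still inside the block period
    fake_now[0] = 900
    replies.append(gl.decide(*legit))   # t=15min: MTA retried, accepted
    replies.append(gl.decide(*com))     # .com scores 0: never greylisted
    return replies


if __name__ == "__main__":
    for reply in simulate():
        print(reply)
```

The trade-off the reply hints at is visible in the replay: the city clerk's `.us` mail is delayed once per triplet, while a spam run that never retries (or retries inside the block period) never gets a 250, and the delay is what gives a list such as the Spamhaus CSS time to catch up before the retry is accepted.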
User Replied
Declude can be installed on any server, but the server it runs on must have SM running on it as well. For example, you can spin up a new server, install the free version of SM, install Declude and Sniffer then use it as an antispam gateway to keep the load off of the primary SM server. We have a lot of customers who do this without issue.
