Forgot to state v15.7.6754.

I have been using Symantec email security.cloud (messagelabs) for years. These days they stop most (but not all) of these emails. 

The creators of this stuff are pretty crafty; it's a moving target - this is not a surprise to any of us.

I was going to add in my post that I've been considering outsourcing MX services to messagelabs or one of many competitors but am hoping against hope for an in-house solution whether an additional SM spam test or a virtual appliance incoming gateway solution. Thanks for the note, Paul.

Matt

If they all contain DOC attachments the easy solution would just be to add that to the Incoming Extension Blocklist in SmarterMail. In this day and age most clients should be used to sharing links to attachments stored in Google Drive, Dropbox, OneDrive, iCloud, SpiderOak, OwnCloud/NextCloud, or SmarterMail's File Storage, instead of receiving or sending attachments direct.

We still use Declude, primarily because we can easily add global filters to catch content based on strings, which you cannot do effectively in SmarterMail (the base filters that come with Declude are "okay" but the ability to create our own in-house makes it invaluable). We had the same lag issue with Declude (due to it using as much CPU as is  available) and eventually opted for using separate Incoming Mail Servers that run antispam and antivirus checks, along with Declude, before passing it to our SmarterMail server. Doing such took the delay down to a mere 2 seconds in most cases and 10 seconds max under heavy usage above and beyond peak.

The only other option would be to start capturing IPs (and HELO/EHLO) of the Spear Phishers and track them over time. You'll start to see them coming from the same providers, moving to the next provider every 7-14 days and cycling back through every 60-90 days, which is how they circumvent traditional RBLs (and the sloppy ones use the same naming scheme for their HELO/EHLO regardless of what provider they are using to send from that week). Once you've tracked them you can start being heavy-fisted with blocking entire IP Ranges (or HELO/EHLO patterns using wildcards) in your Smartermail Security Blacklist & SMTP Blocking. It's tedious, but it is definitely effective. Once you start seeing the same provider names over and over again you can just lookup all the IP Ranges assigned to that network owner and block them wholesale.

Our shortlist of blocked network owners (most of whom are in business only for Spammers) are:

China Telecom

Turk Telekom

myLoc managed IT AG
Choopa, LLC

Aruba S.p.A.

Rostelecom

Psychz Networks

Limestone Networks

Worldstream B.V.

Interactive 3D B.V.

Global Layer B.V.

DataShack

Joe's Datacenter

QuadraNet

Hostwinds LLC

Sharktech

Toqen LLC

Global Frag Networks

It is amazing how much Spam originates from only 18 network owners on roughly 100 IP Ranges (adding Talos Intelligence, formerly Senderbase, to your RBLs with a heavy score will catch most of these top harbors for spammers without potentially blocking legitimate email traffic and tediously adding IP Ranges to your SmarterMail Blacklist every week.)

For SMTP Blocking if you add the HELO/EHLO of ylmf-pc you'll probably block far more than you ever imagined you might (they are also one of the biggest Brute-Force botnets).

Unfortunately there is no single silver bullet option for stopping all Spam. Spammers and Phishers have far more money to throw at it than the AntiSpam industry has at their disposal. It's a losing game where you have to use every tool in your arsenal, constantly change tactics, and at the end of the day just accept that you're only going to catch 90-94% and that some are always going to slip through.

Thanks for the detailed reply; that certainly took you some time to type out. I'd love to block .doc (etc.) and/or move most file attachments to Owncloud/DropBox but I think I'd get a lot of push-back on that. As I'm sure you know all too well, customers want it all. Years ago I blocked many of those foreign IP blocks but then started to run into legitimate mail getting blocked for my clients in manufacturing who have to deal with China and a few other countries that I had blocked. Maybe I'll revisit that. I blocked the ylmf-pc a few years ago. Forgot all about that! If I recall, that was the option we begged for and eventually got in SM15? I remember years ago that we asked ST for EHLO keyword blocking and it took ages to get it.

Anyway, thanks for the input. I think I'll revisit the IP net block blocks. Also, I'm going to test out a few VM appliances as MX gateways in front of SM. I'll report back on how it goes.

Matt

Maybe someone can make an IP block list and we can have an import method to block those IPs (at least reduces some spam if not more) or make sure SPF is valid or else send them to junk or reject them? Blacklisting extensions is a bad idea. Stops valid documents too. Until SmarterMail allows creating docs and sharing docs (not the link method) but like Google Drive or through a better method, I would not think we should even consider blocking extensions.