Notice
This forum contains the posts from the old EV1Servers general support forum. We're slowly migrating these posts into their respective categories in the new forum structure. If you need to post a new support thread please do so in the system administration forum corresponding to your question. Thanks, and please accept our apologies for any inconvenience.

Post #1 (Nov 22 2006, 10:08 AM)
Fellow; Group: Members; Posts: 105; Joined: 21-August 01; Member No.: 131
Is it only me, or is there a wave of spam in the last days? I mean, for months SpamAssassin performed well, filtering spam mail well. But in the last days I've been receiving in my box thousands of mails with subjects like this:

From: Marlene Bonilla
Subject: Marlene wrote

Or....

From: Alison Conway
Subject: it me Alison

--------------------
Ricardo Ribeiro

Post #2 (Nov 22 2006, 10:59 AM)
Fellow; Group: Members; Posts: 181; Joined: 8-April 05; Member No.: 16,440
QUOTE (Torgut)
Is it only me, or is there a wave of spam in the last days? I mean, for months SpamAssassin performed well, filtering spam mail well. But in the last days I've been receiving in my box thousands of mails with subjects like this:
From: Marlene Bonilla
Subject: Marlene wrote
Or....
From: Alison Conway
Subject: it me Alison

....We called it! NSLT is RISE on huge volume. We hope you took a position early and are smiling right now. If you didn't, don't worry. The big spike is expected also on Wednesday, November 22nd. Get in now!....

Yep, I have the same. Find a spammer and send them to the dentist with some broken teeth... a soft dream

Post #3 (Nov 22 2006, 11:02 AM)
Techie; Group: Members; Posts: 276; Joined: 28-October 04; Member No.: 14,824
I found that the ImageInfo plugin knocked it down a bit... some are still slipping through due to the close proximity to the cutoff (I have my settings set to 5, and it's flagging them in the 4.5-5.5 range).

This ruleset in the ImageInfo.cf file really knocked out the "Me again" rules:

CODE
body     DC_GIF_585_356  eval:image_size_exact('gif',585,356)
describe DC_GIF_585_356  Found 585x356 pixel gif, possible spam
score    DC_GIF_585_356  4.50

And this rule list seems to be nailing most of the debora (blahblah wrote: subjects):

CODE
BAYES_50,DATE_IN_PAST_03_06,HELO_DYNAMIC_DHCP,RCVD_IN_NJABL_DUL

and

CODE
AWL,BAYES_60,HELO_DYNAMIC_IPADDR2,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,SARE_MILLIONSOF

With cPanel/Exim, I know there is a piece of code that Chirpy posted on the cPanel board that will set a deny rule on an IP after X sends to non-existent email addresses (brute forcing the mailserver), but I don't have a link handy. Shouldn't be too hard to find, but between that and the above clips, I'm seeing a lot more *****SPAM***** and a lot less untagged trash showing up.

Now if only I could get my customers to actually enable mail filters to remove the spam, instead of letting their boxes fill up and start bouncing back. *sigh*

Post #4 (Nov 26 2006, 12:35 PM)
Celery; Group: Members; Posts: 47; Joined: 13-September 04; Member No.: 14,456
The above mentioned wave of spam once again started up this morning, 11/26/06 at 11:55 AM EST, and I am receiving about 4 per minute.

Note! The image filtering no longer applies because there aren't any images associated with this new attack. The e-mail addresses are also becoming more randomized, as only some begin with "debora____@___.com", while others now have no rhyme or reason, yippee. The IPs are still coming from hundreds of locales all over the world, so blacklisting is pretty useless at this point. With that said, I have managed to snag 100% of them to this point, as I applied MCP rules when the old wave started on Nov 22. My MCP rules flag anything with subject "(space) wrote:", so no matter what bogus name they use in front of that, it gets canned. I suggest many of you do the same if you can.

Below is the full text of every message I've received this morning. Under this message there is always a random snippet from a news story, such as Michael Richards, the Russian Poisoning, etc.

QUOTE
We have giving you winner after winner this year and things are only become better! The 21st century home is one in which broadband is available in every room. Video streams to wherever you choose to watch it. Home appliances are seamlessly integrated into a comprehensive network. This is already a reality for the wealthy, and is just now becoming a booming business as it spreads to the middle class home. Our next feature makes this all possible, and is bringing it to the world! Advanced Powerline Technologies Sym: APWL Price: 0.083 Short Term Target: 0.27 Long Term Target: 1.10 An incredible information is expected out of the company very soon. This will be backed up by a PR blitz and I'm sure you can guess what will happen to the price of this issue! Tech companies blast off on news like this. Get in before this one takes off and ride it all the way to the bank!

Post #5 (Nov 26 2006, 01:35 PM)
Master; Group: Members; Posts: 351; Joined: 27-June 03; From: N.W. Iowa; Member No.: 8,396
QUOTE (imcomguy)
The above mentioned wave of spam once again started up this morning, 11/26/06 at 11:55 AM EST, and I am receiving about 4 per minute.
Note! The image filtering no longer applies because there aren't any images associated with this new attack. The e-mail addresses are also becoming more randomized, as only some begin with "debora____@___.com", while others now have no rhyme or reason, yippee. The IPs are still coming from hundreds of locales all over the world, so blacklisting is pretty useless at this point. With that said, I have managed to snag 100% of them to this point, as I applied MCP rules when the old wave started on Nov 22. My MCP rules flag anything with subject "(space) wrote:", so no matter what bogus name they use in front of that, it gets canned. I suggest many of you do the same if you can. Below is the full text of every message I've received this morning. Under this message there is always a random snippet from a news story, such as Michael Richards, the Russian Poisoning, etc.

Yes, we've noticed this too, over the last couple of days. We've been working the past week to cut down on the spam coming through and have reduced it greatly. But now, a new wave of junk is coming through like this. If you or anyone else knows how to filter this, or a good spam rule to catch this spam, it would be much appreciated.

TIA,
Mickalo

--------------------
Mike
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Thunder Rain Internet Publishing
Providing Internet Solutions that work!
Custom Perl and Database Programming
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Post #6 (Nov 26 2006, 02:11 PM)
Techie; Group: Members; Posts: 276; Joined: 28-October 04; Member No.: 14,824
Mine are all being flagged and stopped still... even being given a pretty substantial spam score, so there are several rules that are catching it.

Here's the clip from my maillog... hopefully the rulesets it lists will help give you a place to start, or at least an idea of how they are being tagged:

QUOTE (maillog)
Nov 26 14:15:16 server spamd[16340]: spamd: connection from localhost.localdomain [127.0.0.1] at port 57001
Nov 26 14:15:17 server spamd[16340]: spamd: setuid to qscand succeeded
Nov 26 14:15:17 server spamd[16340]: spamd: checking message <01c71197$7c823370$6c822ecf@deborahvidal> for qscand:10109
Nov 26 14:15:17 server spamd[8253]: spamd: identified spam (20.3/5.0) for qscand:10109 in 21.8 seconds, 2592 bytes.
Nov 26 14:15:17 server spamd[8253]: spamd: result: Y 20 - BAYES_99,DATE_IN_PAST_03_06,NANO_04,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,SARE_LWSHORTT,SARE_MLB_Stock1,SARE_MLB_Stock2,SARE_MLB_Stock5,SARE_PROLOSTOCK_SYM1 scantime=21.8,size=2592,user=qscand,uid=10109,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=56998,mid=<01c71197$778c5d50$6c822ecf@deboramep>,bayes=0.999999999961517,autolearn=spam
Nov 26 14:15:17 server spamd[32096]: prefork: child states: IB
Nov 26 14:15:17 server qmail: 1164572117.426781 new msg 2244727
Nov 26 14:15:17 server qmail: 1164572117.427050 info msg 2244727: bytes 3278 from
Nov 26 14:15:18 server qmail-scanner[9588]: Clear:RC:0(66.168.145.71):SA:1(20.3/5.0): 21.89802 2546 deboramep@bromleycaldari.com me@mydomain.com Porfirio_wrote: <01c71197$778c5d50$6c822ecf@deboramep> 1164572094.9591-0.my.server.name:1481
Nov 26 14:15:17 server qmail: 1164572117.466047 starting delivery 4786: msg 2244727 to local 33-me@mydomain.com
Nov 26 14:15:17 server qmail: 1164572117.466196 status: local 1/10 remote 1/20
Nov 26 14:15:18 server spamd[16340]: spamd: identified spam (20.6/5.0) for qscand:10109 in 13.1 seconds, 2585 bytes.
Nov 26 14:15:18 server spamd[16340]: spamd: result: Y 20 - BAYES_99,DATE_IN_PAST_03_06,NANO_04,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,SARE_LWSHORTT,SARE_MLB_Stock2,SARE_MLB_Stock5,SARE_PROLOSTOCK_SYM1 scantime=13.1,size=2585,user=qscand,uid=10109,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57001,mid=<01c71197$7c823370$6c822ecf@deborahvidal>,bayes=0.999999999999192,autolearn=spam
Nov 26 14:15:17 server qmail: 1164572117.555811 delivery 4786: success: did_1+0+1/
Nov 26 14:15:17 server qmail: 1164572117.556192 status: local 0/10 remote 1/20
Nov 26 14:15:17 server qmail: 1164572117.556349 end msg 2244727
Nov 26 14:15:18 server spamd[32096]: prefork: child states: II
Nov 26 14:15:17 server qmail: 1164572117.998127 new msg 2244727
Nov 26 14:15:17 server qmail: 1164572117.998220 info msg 2244727: bytes 3294 from
Nov 26 14:15:18 server qmail-scanner[9648]: Clear:RC:0(66.168.145.71):SA:1(20.6/5.0): 13.21937 2536 deborahvidal@bruno.ebay.sun.com me@anotherdomain.com Ronda_wrote: <01c71197$7c823370$6c822ecf@deborahvidal> 1164572104.9659-0.my.server.name:1540
Nov 26 14:15:18 server qmail: 1164572118.018120 starting delivery 4787: msg 2244727 to local 13-me@anotherdomain.com
Nov 26 14:15:18 server qmail: 1164572118.018208 status: local 1/10 remote 1/20
Nov 26 14:15:18 server qmail-scanner[9648]: Clear:RC:0(66.168.145.71):SA:1(20.6/5.0): 13.21937 2536 deborahvidal@bruno.ebay.sun.com me_again@mydomain.com Ronda_wrote: <01c71197$7c823370$6c822ecf@deborahvidal> 1164572104.9659-0.my.server.name:1540
Nov 26 14:15:18 server qmail: 1164572118.043615 starting delivery 4788: msg 2244727 to local 13-alias@anotherdomain.com
Nov 26 14:15:18 server qmail: 1164572118.068289 status: local 2/10 remote 1/20
Nov 26 14:15:18 server qmail: 1164572118.069536 delivery 4787: success: did_1+0+1/
Nov 26 14:15:18 server qmail: 1164572118.070760 status: local 1/10 remote 1/20
Nov 26 14:15:18 server qmail: 1164572118.071990 delivery 4788: success: did_1+0+1/
Nov 26 14:15:18 server qmail: 1164572118.073209 status: local 0/10 remote 1/20
Nov 26 14:15:18 server qmail: 1164572118.074198 end msg 2244727
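The spamd "result:" lines in the post above list every rule that fired plus the rounded score, and the "identified spam (20.3/5.0)" lines carry the exact score and cutoff. As an added example (not code from the thread), here is a small Python parser that tallies rule hits across such lines and picks out verdicts that landed near the cutoff; the sample log lines are constructed from the ones quoted above and abbreviated.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the maillog quoted in the post above:
# two spam verdicts plus one borderline ham verdict so both branches are seen.
SAMPLE_LOG = """\
Nov 26 14:15:17 server spamd[8253]: spamd: identified spam (20.3/5.0) for qscand:10109 in 21.8 seconds, 2592 bytes.
Nov 26 14:15:17 server spamd[8253]: spamd: result: Y 20 - BAYES_99,DATE_IN_PAST_03_06,RAZOR2_CHECK,SARE_MLB_Stock1,SARE_PROLOSTOCK_SYM1 scantime=21.8,size=2592,user=qscand,uid=10109,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=56998,mid=<01c71197$778c5d50$6c822ecf@deboramep>,bayes=0.999999999961517,autolearn=spam
Nov 26 14:15:18 server spamd[16340]: spamd: identified spam (20.6/5.0) for qscand:10109 in 13.1 seconds, 2585 bytes.
Nov 26 14:15:18 server spamd[16340]: spamd: result: Y 20 - BAYES_99,DATE_IN_PAST_03_06,RAZOR2_CHECK,RCVD_IN_SORBS_DUL,SARE_PROLOSTOCK_SYM1 scantime=13.1,size=2585,user=qscand,uid=10109,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57001,mid=<01c71197$7c823370$6c822ecf@deborahvidal>,bayes=0.999999999999192,autolearn=spam
Nov 26 14:20:02 server spamd[8253]: spamd: clean message (4.7/5.0) for qscand:10109 in 3.0 seconds, 1800 bytes.
Nov 26 14:20:02 server spamd[8253]: spamd: result: . 4 - BAYES_50,HELO_DYNAMIC_DHCP scantime=3.0,size=1800,user=qscand,uid=10109,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57010,mid=<constructed@example.invalid>,bayes=0.5,autolearn=no
"""

# "identified spam (20.3/5.0)" / "clean message (4.7/5.0)": exact score and cutoff.
VERDICT_RE = re.compile(
    r"spamd: (?:identified spam|clean message) \((?P<score>-?[\d.]+)/(?P<req>[\d.]+)\)")
# "result: Y 20 - RULE,RULE,... key=val,key=val,...": verdict flag (Y = spam,
# . = ham), rounded score, the rules that fired and the trailing key=value list.
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) -?\d+ - (?P<rules>\S+) (?P<kv>\S+)")


def parse_results(log):
    """Yield (is_spam, rules, kv) for every spamd 'result:' line in `log`."""
    for line in log.splitlines():
        m = RESULT_RE.search(line)
        if m:
            kv = dict(item.split("=", 1) for item in m.group("kv").split(",") if "=" in item)
            yield m.group("flag") == "Y", m.group("rules").split(","), kv


def rule_hits(log):
    """Count how often each rule fired on messages spamd marked as spam,
    which is the 'place to start' the post suggests when writing local rules."""
    hits = Counter()
    for is_spam, rules, _ in parse_results(log):
        if is_spam:
            hits.update(rules)
    return hits


def borderline(log, margin=0.5):
    """Return (score, required_score) for verdicts within `margin` of the cutoff:
    the 4.5-5.5 band an earlier post describes as the messages slipping through."""
    out = []
    for line in log.splitlines():
        m = VERDICT_RE.search(line)
        if m and abs(float(m.group("score")) - float(m.group("req"))) <= margin:
            out.append((float(m.group("score")), float(m.group("req"))))
    return out
```

Run `rule_hits(open("/var/log/maillog").read()).most_common(20)` against a real log to see which rules carry the load, and `borderline(...)` to find the messages that a local rule of a point or two would push over the line.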

Post #7 (Nov 26 2006, 05:53 PM)
SuperGeek; Group: Members; Posts: 3,025; Joined: 8-July 06; From: Los Angeles, CA; Member No.: 22,425
QUOTE (Torgut)
... I've been receiving in my box thousands of mails with subjects like this:
From: Marlene Bonilla
Subject: Marlene wrote
Or....
From: Alison Conway
Subject: it me Alison

Same here, to all of my boxes and all domains too! It's getting crazy. Customers are complaining, etc.

Post #8 (Nov 28 2006, 09:35 AM)
Fellow; Group: Members; Posts: 153; Joined: 18-May 02; Member No.: 2,267
Greylist them ..... and you'll see the difference

Post #9 (Nov 28 2006, 01:22 PM)
SuperGeek; Group: Members; Posts: 3,025; Joined: 8-July 06; From: Los Angeles, CA; Member No.: 22,425
How can I greylist them?

Post #10 (Nov 28 2006, 02:40 PM)
Fellow; Group: Members; Posts: 153; Joined: 18-May 02; Member No.: 2,267
Here: http://forums.ev1servers.net/showthread.ph...hlight=graylist

I used the gray-milter in the past, but recently I've tested the next one and found it to be more effective due to the SPF checks and other nice features. http://hcpnet.free.fr/milter-greylist/http...ilter-greylist/

With milter-greylist active and two non-aggressive RBL rules in sendmail, I have stopped the spamd daemon completely and I receive no spam.

Post #11 (Nov 28 2006, 02:58 PM)
Techie; Group: Members; Posts: 276; Joined: 28-October 04; Member No.: 14,824
I warn: before proceeding with greylisting, be sure to read ALL the documentation on it... this includes warnings about which major email services will not try again (Yahoo Groups, Gmail, and some AOL servers are at the top of the list). Also, some find that PHP mail() messages will not reach you if you have greylisting installed.

I can confirm that a well-trained Bayes database and a good set of rules from the rules emporium (as well as rules_du_jour) is very effective at knocking the spam down to a nonexistent level, and at the same time assures that no messages are forever lost due to older mailservers or mailservers that retry beyond the timeout period set by greylisting. Out of 868 spam messages I have received to my personal email in the past 48 hours, 2 have managed to slip past the filters... and they didn't even fit the above profile of "so-and-so wrote" or the debora messages. Those ones have been knocked down 100%.
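To make the greylisting trade-off discussed above concrete, here is an added Python illustration (not milter-greylist, postgrey or any other tool named in the thread) of the triplet logic: first contact gets a temporary failure, a retry after the delay is accepted and remembered, and a sender that never retries, spam cannon or not, never gets through. The IPs, addresses and timings are constructed for the example; keying on the client's /24 is an assumption stated in the code.

```python
import ipaddress
from dataclasses import dataclass, field

# Timings chosen for this example (assumptions, not any specific milter's defaults).
DELAY = 300                     # seconds a first-seen sender must wait before retrying
RETRY_WINDOW = 4 * 3600         # a retry later than this starts over as a new triplet
WHITELIST_TTL = 36 * 24 * 3600  # an accepted triplet skips greylisting this long


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    passed: dict = field(default_factory=dict)   # triplet -> time last accepted

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Key on the client's /24 (assumed IPv4) so a legitimate MTA pool that
        # retries from a sibling host still matches; postgrey does this by default.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def decide(self, client_ip, sender, recipient, now):
        """Return 'ACCEPT' or 'TEMPFAIL' for one delivery attempt at time `now`."""
        key = self.triplet(client_ip, sender, recipient)
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok < WHITELIST_TTL:
            self.passed[key] = now           # known-good triplet: refresh and accept
            return "ACCEPT"
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now          # never seen (or forgotten): ask for a retry
            return "TEMPFAIL"
        if now - first < DELAY:
            return "TEMPFAIL"                # retried too early: keep waiting
        del self.pending[key]                # retried after the delay: a real MTA
        self.passed[key] = now
        return "ACCEPT"


def demo():
    """Replay a legitimate MTA and a fire-and-forget spam run; returns the verdicts."""
    g = Greylist()
    legit = ("203.0.113.5", "news@example.org", "me@example.net")
    spam = ("198.51.100.77", "debora123@example.com", "me@example.net")
    return [
        g.decide(*legit, now=0),        # TEMPFAIL: first contact
        g.decide(*legit, now=60),       # TEMPFAIL: retried before DELAY elapsed
        g.decide("203.0.113.9", *legit[1:], now=600),  # ACCEPT: sibling host, same /24
        g.decide(*legit, now=700),      # ACCEPT: triplet now whitelisted
        g.decide(*spam, now=0),         # TEMPFAIL: the spam cannon never retries...
        g.decide(*spam, now=5 * 3600),  # TEMPFAIL: ...and a late retry starts over
    ]
```

The same logic is what drops mail from the services the post warns about: a sender that answers the 4xx by giving up, or that retries only after RETRY_WINDOW, is treated exactly like the spam run.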

Post #12 (Nov 29 2006, 01:27 PM)
Newbie; Group: Members; Posts: 4; Joined: 5-May 06; Member No.: 21,319
Hi,

I too have a lot of problems with these waves of spam, so much that I had to disable SpamAssassin on my 2 Dual Xeon 3.2 boxes because the load was like 10+ and the queue started growing like crazy. And the worst is that most of those messages got a hit of 0.1 to 1.0, some even marked as HAM...

Greylisting here gave me a lot of headaches with small enterprises running their own mail system, as some of them have problems sending the mail again after the first temporary failure. And explaining that the problem was their server was no good for my customers, as they don't understand that, and it's easier for them to go to a server that does not greylist, where their mail reaches its destination.

One solution I found was to recompile qmail with the Plesk patches and the qmail-dnsbl patch, aggressively blocking IPs listed in 5 or 6 RBLs and giving authenticated users permission to send mail even if their IPs are listed in the RBL. That, combined with SpamAssassin, helped me reduce the amount of spam that I receive per day from about 100 to about 10 or 15, using 5.0 hits required in my spamd config.

Post #13 (Dec 24 2006, 05:09 PM)
Newbie; Group: Members; Posts: 14; Joined: 11-August 04; Member No.: 14,165
Ragefast,

Do you have more details about what you did here? Your solution sounds like it may be appealing.

-Jay

Post #14 (Dec 24 2006, 07:55 PM)
SuperGeek; Group: Members; Posts: 3,025; Joined: 8-July 06; From: Los Angeles, CA; Member No.: 22,425
I would send him a PM or "email" via the board to get his attention, that is, if your case is urgent.

Good luck.

Post #15 (Dec 25 2006, 06:37 PM)
Techie; Group: Members; Posts: 296; Joined: 17-July 05; Member No.: 17,630
QUOTE (markcausa)
I would send him a PM or "email" via the board to get his attention, that is, if your case is urgent.
Good luck.

Hi Mark,

I installed graymilter because spam is making me crazy. It is working fine, but I can't find where the whitelist is in case I need to add someone manually. Please, do you know where it is?

Thank you in advance,
JFrech

Post #16 (Dec 27 2006, 11:00 AM)
SuperGeek; Group: Members; Posts: 3,025; Joined: 8-July 06; From: Los Angeles, CA; Member No.: 22,425
QUOTE (JFrechA)
Please, do you know where it is?

I'm sure another forum member does. I'm just not familiar with graymilter and am not sure where its resources are kept. If I'm right, I think you're looking for some type of whitelist, which, if it is standard with graymilter, should be downloadable somewhere from their site.

QUOTE (JFrechA)
Thank you in advance,
JFrech

I'm sorry I can't help. It's always a pleasure, JF.

Post #17 (Dec 27 2006, 03:12 PM)
Techie; Group: Members; Posts: 296; Joined: 17-July 05; Member No.: 17,630
QUOTE (markcausa)
I'm sure another forum member does. I'm just not familiar with graymilter and am not sure where its resources are kept.
If I'm right, I think you're looking for some type of whitelist, which, if it is standard with graymilter, should be downloadable somewhere from their site. I'm sorry I can't help. It's always a pleasure, JF.

Thank you Mark. It's my pleasure too.

I found another Grey Milter that is better organized, and you can customize all the options in it. http://linux.softpedia.com/progDownload/Gr...nload-7609.html This one doesn't have problems with Yahoo, Google, AOL, etc.

JFrech

Post #18 (Dec 28 2006, 05:44 AM)
Newbie; Group: Members; Posts: 10; Joined: 9-January 06; Member No.: 19,356
I can definitely give greylisting the thumbs up. We use Postfix + postgrey. Our already reduced spam rates have now been reduced by a further 95%.

Simply amazing. Well worth the mail delivery performance implications.

Post #19 (Dec 28 2006, 10:19 AM)
Techie; Group: Members; Posts: 296; Joined: 17-July 05; Member No.: 17,630
QUOTE (sen)
I can definitely give greylisting the thumbs up. We use Postfix + postgrey. Our already reduced spam rates have now been reduced by a further 95%.
Simply amazing. Well worth the mail delivery performance implications.

It is too early to give a complete opinion about this greylist, but yesterday, after I installed it, it stopped more than 95% of the spam, and I have still not installed the SPF list of this same project. Also, my load average went down completely: load average: 0.32, 0.23, 0.22

JFrech