Koozali.org: home of the SME Server

Spam

duncan

Spam
« on: October 06, 2006, 10:40:05 AM »
Gotta love it. At the moment I am noticing an ever increasing amount of spam coming through and it's pretty simple stuff.

I have read that there is an advantage to running the mailserver in server-gateway mode when it comes to rejecting spam. We are presently running Gateway only behind a VPN concentrator.

Can someone confirm this is correct and perhaps post a link to why this is the case. I have had a look but can't really find much in the way of info.

Anyone else seeing a rise? We are getting a large number of "re:hi" and stock related emails.

Cheers.

chris burnat (http://www.burnat.com)
Spam
« Reply #1 on: October 06, 2006, 01:44:15 PM »
Quote
"Anyone else seeing a rise - We are getting a large number of "re:hi" and stock related emails. "

Yes, over the past few weeks, it comes and it goes.... The past three days for me have been rather bad, stock market stuff etc. Out of 500 emails received, 10-15 manage to get through with spamassassin set at threshold = 3. Some target the admin account. Most are coming via my MX backups.... Perhaps time to fly solo and take my chances...
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

JonB
Spam
« Reply #2 on: October 06, 2006, 02:12:47 PM »
Here are my mail stats for the past 24 hours. It has been worse, but I have had a couple of major hits of spam over the past 24 hours.

I am acting as a backup MX for comptroub.com which is why most of it is spam. The rest is mail from Exchange servers that seem to insist on sending to the secondary MX.

Code:

SMEServer daily Anti-Virus and Spamfilter statistics
----------------------------------------------------

Period Beginning : Fri 06 Oct 2006 01:03:18 AM NZDT
Period Ending    : Sat 07 Oct 2006 01:03:18 AM NZDT

Clam Version : ClamAV 0.88.2/1999/Fri Oct  6 06:35:38 2006
SpamAssassin Version : SpamAssassin version 3.1.3
  running on Perl version 5.8.5
Tag level:   5; Reject level:   7  

Reporting Period : 24.00 hrs
----------------------------

All SMTP connections accepted    :    19208          
Connections from Fetchmail       :       20          
SMTP from local workstations     :        3          

RBL rejected                     :    16526 ( 69.39%)
Pattern filter rejected          :        1 (  0.00%)
Misc.rejected                    :     5395 ( 22.65%)
Infected by Virus                :        3 (  0.16%)
Spam rejected (over reject level):     1030 ( 98.66%)
Spam detected (over tag level)   :     1044 ( 55.15%)
Ham detected (under tag level)   :      569 ( 30.06%)
Total emails accepted            :      859 ( 45.38%)
                                 --------------------
Total emails processed           :     1893 (   78.88/hr)

Average spam score (accepted):        5.99
Average spam score (rejected):       26.84
Average ham score            :        0.12

Statistics by Hour
-----------------------------------------------------------------------------
Hour           Fetchml  Local    Virus      Spam     Ham    RBL/DNS   Execut.
-------------- -------- -------- -------- -------- -------- -------- --------
2006-10-06, 01        1        0        0       36       78      529        0
2006-10-06, 02        2        0        0       41       38      681        0
2006-10-06, 03        1        0        0       33       16      638        0
2006-10-06, 04        0        0        0       45       89      524        0
2006-10-06, 05        0        0        0       54       19      631        0
2006-10-06, 06        0        0        0       59       12      588        0
2006-10-06, 07        0        0        0       72       15      959        0
2006-10-06, 08        0        0        0       51       15      582        0
2006-10-06, 09        0        0        0       28       30      594        0
2006-10-06, 10        0        0        0       21       12      391        0
2006-10-06, 11        0        0        3       24       12      555        1
2006-10-06, 12        0        0        0       31       14      431        0
2006-10-06, 13        1        0        0       28       63      451        0
2006-10-06, 14        0        0        0       39       29     1015        0
2006-10-06, 15        4        0        0       29       10      493        0
2006-10-06, 16        3        2        0       36       13      657        0
2006-10-06, 17        1        0        0       69        7      602        0
2006-10-06, 18        1        1        0       19       17      424        0
2006-10-06, 19        0        0        0      193        7     1542        0
2006-10-06, 20        2        0        0       26       16      647        0
2006-10-06, 21        3        0        0       23        6      892        0
2006-10-06, 22        0        0        0       40        9     1896        0
2006-10-06, 23        1        0        0       28        2      392        0
2006-10-07, 00        0        0        0       19       34      392        0
2006-10-07, 01        0        0        0        0        6       20        0
--------------------------------------------------------------------
*Fetchml* means connections from Fetchmail delivering email
*Local* means connections from workstations on local LAN


Incoming mails by recipient domains usage
------------------------------------------
Domains              Type       Total  Denied XferErr Accept %accept
-------------------- ---------- ------ ------ ------- ------ -------
Others               other         101    100       0      1   0.99%
comptroub.com        mxbackup-1  20031  19457     223    351   1.75%
www.comptroub.com    other           1      1       0      0   0.00%
khunjarnet.com       local         507    394       6    107  21.10%
comptroub.co.nz      local         966    875       9     82   8.49%
halls.co.nz          local           5      5       0      0   0.00%
second-life.co.nz    local          24      2       0     22  91.67%
technologysolved.co.nz local           2      0       1      1  50.00%
-------------------- ---------- ------ ------- ------ ------ -------
Total                            21637  20834     239    564   2.61%

21637 mails were processed for 22354 Recipients
The average recipients by mail is 1.03

Virus Statistics by name:
---------------------------------------------
Rejected 3 Worm.Mydoom.I
---------------------------------------------
...

CharlieBrady
Spam
« Reply #3 on: October 06, 2006, 08:47:33 PM »
Quote from: "JonB"

I am acting as a backup MX for comptroub.com which is why most of it is spam.


Backup MXs are not required and are almost always more trouble than they are worth.

JonB
Spam
« Reply #4 on: October 06, 2006, 11:14:04 PM »
I agree, Charlie, but it is an extra revenue stream for me so I'm not complaining.

Jon
...

rexgaylord (http://www.backuplasvegas.com)
Spam
« Reply #5 on: October 16, 2006, 04:07:02 PM »
I'm seeing these stock market spams go sky high also on several domains. This information from Panda Labs infers there might be some serious corporate money behind these. I'm going to see if the SEC is looking into this yet. See info below. Rex Gaylord
-------------
                 - Spam used to boost stock prices -
   Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, October 12, 2006 - Spam is no longer simply a tool for mass-mailing unsolicited advertising, it is now being used in some cases to drive up certain prices on the stock market. According to PandaLabs, there has been a series of mass-mailings containing stock market information, advising users to buy stocks in certain companies.

PandaLabs has analyzed one of these cases and found that stock prices in one of the companies mentioned increased significantly over a period of a few days -even rising 12 percent in one day-, thanks to this type of spam.

"This new use of spam would seem to be quite effective from what we have seen so far. There are two possible sources: either the companies themselves are trying to boost their stock value, or -and this would seem more likely-, individuals that have bought cheap stocks and are looking for a quick profit on selling them", explains Luis Corrons, director of PandaLabs.

The typical model of this financial spam includes an image in which the user can read the information. Another characteristic is that the subject of the messages has nothing to do with the content. The aim of all this is to try to avoid anti-spam filtering systems.

"These attacks are interesting in the sense that they demonstrate how the Internet can manipulate real-world financial situations. Until now we have just seen a few cases, albeit with relatively successful results. It is not too far-fetched then, to imagine attacks of this nature in the future used not just for direct profit but also as a weapon against companies, similar to the way in which companies are blackmailed with threats to crash their IT systems, " explains Corrons.

rexgaylord (http://www.backuplasvegas.com)
Spam
« Reply #6 on: October 16, 2006, 04:24:09 PM »
Maybe somebody can recommend an RBL that will hold the stock market spam down?

piran
Spam
« Reply #7 on: October 16, 2006, 04:40:47 PM »
Quote from: "rexgaylord"
Maybe somebody can recommend an RBL that will hold the stock market spam down?

We don't know what you're receiving;~) You do.
Plug the incoming IP into http://www.dnsstuff.com/.
Use the 'Spam database lookup   Enter IP (or host name)' box.
Read off all the RBLs that *DID* already block it and use them.

Check what you're already configured for:
Code:
config getprop qpsmtpd RBLList
sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,relays.ordb.org


Add your chosen RBLs:
Code:
config setprop qpsmtpd RBLList sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,\
dnsbl.njabl.org,relays.ordb.org,bl.spamcop.net,korea.services.net

Restart:
Code:
signal-event email-update

Job done... and thank the bright sparks who made SME7.
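
Added example, not from piran's post or the SME Server project: a small POSIX shell script that folds extra zones into the existing RBLList without duplicating anything already there, then applies the change with the same config/signal-event commands shown above. The merge_rbls and apply_rbls names are my own; the script assumes SME 7's config and signal-event commands exist on the box and only touches the server when run with a list of zones.

```shell
#!/bin/sh
# Added example (not from the thread): merge extra RBLs into the SME Server
# qpsmtpd RBLList without duplicating entries, then apply the change.
# Assumes SME 7's 'config' and 'signal-event' commands as shown in the post;
# the merge logic itself needs only a POSIX shell.

# merge_rbls CURRENT EXTRA -> prints CURRENT plus any EXTRA zones not already
# present, comma-separated, preserving order.
merge_rbls() {
    result="$1"
    old_ifs="$IFS"; IFS=','
    for zone in $2; do
        case ",$result," in
            *",$zone,"*) ;;                        # already listed, skip it
            *) result="${result:+$result,}$zone" ;;
        esac
    done
    IFS="$old_ifs"
    printf '%s\n' "$result"
}

# apply_rbls EXTRA: read the live list, merge, write it back, reload qpsmtpd.
apply_rbls() {
    current=$(config getprop qpsmtpd RBLList)
    merged=$(merge_rbls "$current" "$1")
    if [ "$merged" = "$current" ]; then
        echo "RBLList unchanged: $current"
        return 0
    fi
    config setprop qpsmtpd RBLList "$merged"
    signal-event email-update
    echo "RBLList now: $merged"
}

# Only touch the server when run directly with a list of zones, e.g.
#   sh add-rbls.sh bl.spamcop.net,korea.services.net
if [ -n "$1" ] && command -v config >/dev/null 2>&1; then
    apply_rbls "$1"
fi
```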

gippsweb (Wots I.T.?)
Spam
« Reply #8 on: October 25, 2006, 01:52:19 AM »
Quote from: piran
Quote from: "rexgaylord"
Maybe somebody can recommend an RBL that will hold the stock market spam down?

We don't know what you're receiving;~) You do.
Plug the incoming IP into http://www.dnsstuff.com/.
Use the 'Spam database lookup   Enter IP (or host name)' box.
Read off all the RBLs that *DID* already block it and use them.

Not meaning to hijack the thread, but looking to stop the same sort of spam here, I've just checked those IPs on dnsstuff and the ones we are seeing are already blocked by the standard RBLList.

I've checked to see it's active as per your previous post Piran, and it's exactly per your first section of code, but the stats email shows no RBL rejections:

RBL rejected                     :        0 (  0.00%)
Pattern filter rejected          :        0 (  0.00%)
Misc.rejected                    :        0 (  0.00%)
Infected by Virus                :        1 (  0.99%)
Spam rejected (over reject level):        0 (  0.00%)
Spam detected (over tag level)   :       40 ( 39.60%)
Ham detected (under tag level)   :       59 ( 58.42%)
Total emails accepted            :      100 ( 99.01%)
                                 --------------------
Total emails processed           :      101 (    4.21/hr)

Average spam score (accepted):        1.47
Average spam score (rejected):      803.20
Average ham score            :        0.58

piran
Spam
« Reply #9 on: October 25, 2006, 02:08:00 AM »
Mine was only a suggestion;~) To get value from your own checking of the troublesome IPs arriving you have to be 'quick'... A delay in your own manual check means that the previous RBL lookup your SME7 did (finding them to be OK and so passed the stuff on to your workstation) becomes largely invalid. They or one of their feeds might now have appropriately updated their RBLs to the point whereby they NOW control the new spam outburst. Hope this fact of life is apparent to you now;~) Choose your RBLs with care, there is no single right choice.

FWIW I don't even have SA activated. I rely entirely on my chosen RBLs
and a personally prepared and maintained 'hotlist' of troublesome areas
of IPs that simply never even see my server let alone send it anything;~)

It's late here... g'night.

mark_s_tt
Spam
« Reply #10 on: October 29, 2006, 10:07:45 AM »
I've been using the FuzzyOCR plugin for SpamAssassin mentioned here: http://forums.contribs.org/index.php?topic=34166.0 and it's been working great with images embedded in emails. I get lots of image based email that is scanned, with the message header confirming this:

X-Spam-Status: Yes, hits=15.4 required=3.0
   tests=EXTRA_MPART_TYPE,FROM_DOMAIN_NOVOWEL,FROM_LOCAL_NOVOWEL,FUZZY_OCR,HTML_IMAGE_ONLY_20,HTML_MESSAGE
X-Spam-Flag: YES

But the stock exchange stuff I think you guys are talking about, on occasions it doesn't seem to trigger the filter, or if it does, very few tests:

X-Spam-Status: No, hits= required=
   tests=


X-Spam-Status: No, hits=0.6 required=3.0
   tests=HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY


X-Spam-Status: No, hits=0.6 required=3.0
   tests=HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLYSPAMD/1.0 79 Timeout: (300 second timeout while trying to SYMBOLS)


Also a lot are timing out as shown above.

Overall though the spam filter is brill (set to High). I don't have RBL enabled, I'll try and post back with the results regarding these particular emails.
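
Added example, not from mark_s_tt's post: a shell function wrapping awk that triages X-Spam-Status headers like the ones quoted above, counting tagged and untagged messages, untagged ones whose hits included only image rules (image spam that slipped under the threshold), and spamd timeouts. The summarize_spam_status name and the sample header file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): triage X-Spam-Status headers like the
# ones quoted above. Counts tagged vs untagged mail, untagged mail whose
# tests= line carried an HTML_IMAGE_ONLY rule (image spam that got through),
# and spamd timeouts. The sample file is constructed to mirror the post.

# summarize_spam_status FILE -> prints "yes=N no=N image_no=N timeout=N"
summarize_spam_status() {
    awk '
        /^X-Spam-Status: Yes/ { yes++ }
        /^X-Spam-Status: No/  { no++; pending = 1; next }
        pending && /tests=.*HTML_IMAGE_ONLY/ { image_no++; pending = 0 }
        /SPAMD\/1\.0 79 Timeout/ { timeout++ }
        /^[^ ]/ { pending = 0 }   # a new header line ends the tests= continuation
        END { printf "yes=%d no=%d image_no=%d timeout=%d\n",
                     yes+0, no+0, image_no+0, timeout+0 }
    ' "$1"
}

# Constructed sample headers (same shape as the post, not captured mail).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
X-Spam-Status: Yes, hits=15.4 required=3.0
   tests=EXTRA_MPART_TYPE,FUZZY_OCR,HTML_IMAGE_ONLY_20,HTML_MESSAGE
X-Spam-Flag: YES
X-Spam-Status: No, hits= required=
   tests=
X-Spam-Status: No, hits=0.6 required=3.0
   tests=HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY
X-Spam-Status: No, hits=0.6 required=3.0
   tests=HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLYSPAMD/1.0 79 Timeout: (300 second timeout while trying to SYMBOLS)
EOF

summarize_spam_status "$SAMPLE"
```

Run it against a file of headers pulled from the messages that slipped through; a high image_no count with a low timeout count points at the scoring, a high timeout count at spamd itself.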

CKConsulting

Spam
« Reply #11 on: October 30, 2006, 05:47:21 PM »
What is the command for showing mail stats like JonB did?

Thanks
Rick

piran
Spam
« Reply #12 on: October 30, 2006, 06:00:46 PM »