Influx of spam?!

I as well only had 2 messages get through the filters to my Inbox.

...but I'd consider that two too many! If spammers are actually sending directly to your SC address, turn on your "greylisting" and most of your spam will probably disappear.

DT

I'm also seeing a large increase in the quantity of spam reaching my inbox. Up to around a month ago 90+% of spam was held, now it's down to less than 40%. The overall volume of spam I'm receiving seems to be about the same at 10-20/day.

Here are a couple of examples (all the others are similar):

http://www.spamcop.net/sc?id=z2812121131zd...4d9f587c0d8fe3z

http://www.spamcop.net/sc?id=z2811840289z4...ede35e886dbf06z

They don't appear to be triggering much (if any) in the way of SpamAssassin rules, perhaps some tweaking's in order? I have pretty aggressive filter settings - all blocklists selected and SpamAssassin threshold set to 3 which had worked well up until recently.

I don't have spamcop email service, but I have noticed that a lot of times people mention 'greylisting' as an answer to spam that sneaks in.

I'm already using greylisting, both on my spamcop email account and my personal domain e-mail - prior to this I was seeing several hundred per day. Spamcop was correctly holding 90+% of them but reporting that volume was a bit of a chore, even using quick reporting, so I started to greylist a couple of years ago. It's only pretty recently that the filters seem to be leaking a significant percentage of spam, possibly due to a new set of source IPs that aren't yet on any of the blocklists combined with techniques that aren't being picked up by SpamAssassin.

This line in your TrackingURL indicates "Easily" is a host of yours.

SpamCop received mail from Easily ( 212.53.64.116 )

If you have messages forwarded from other hosts of yours, greylisting will not help in that situation because that is a valid email server which will retry until the message is delivered. Greylisting will only help in messages sent directly to the spamcop server.

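To make the point above concrete, here is a small greylisting model (an added example, not SpamCop's code): it tracks the usual (client IP, sender, recipient) triplet, temp-fails the first attempt, and accepts a retry only after a minimum delay. The IPs and sender are taken from the headers quoted later in the thread; the recipient address and the timings are constructed.

```python
"""Greylisting triplet model: added example, not SpamCop's implementation.

An unseen (client IP, sender, recipient) triplet gets a temporary SMTP
failure (451). A real MTA queues the message and retries, so the retry
after the minimum delay is accepted and the triplet is remembered. A
botnet host that fires once and never retries is never delivered, but a
legitimate forwarding server relaying the same spam does retry and passes.
"""
import ipaddress

MIN_DELAY = 300          # seconds the sender must wait before a retry counts
PENDING_TTL = 36 * 3600  # forget a never-retried triplet after this long


class Greylist:
    def __init__(self):
        self.pending = {}    # triplet -> time of first attempt
        self.passed = set()  # triplets that completed a retry

    def check(self, client_ip, sender, rcpt, now):
        """Decide one delivery attempt; returns (smtp_code, reason)."""
        key = (ipaddress.ip_address(client_ip), sender.lower(), rcpt.lower())
        if key in self.passed:
            return 250, "known triplet"
        first = self.pending.get(key)
        if first is None or now - first > PENDING_TTL:
            self.pending[key] = now
            return 451, "greylisted, try again later"
        if now - first < MIN_DELAY:
            return 451, "retry too early"
        self.passed.add(key)
        del self.pending[key]
        return 250, "retry accepted"


def simulate(attempts):
    """Replay (time, client_ip, sender, rcpt) attempts; return the SMTP codes."""
    gl = Greylist()
    return [gl.check(ip, sender, rcpt, t)[0] for t, ip, sender, rcpt in attempts]


# Constructed scenario. IPs and sender come from the headers quoted in the
# thread; the recipient address and timings are made up for the example.
SENDER, RCPT = "comedic@mobogogo.com", "x@spamcop.example"
DIRECT_BOT = [(0, "79.2.166.4", SENDER, RCPT)]         # connects once, never retries
VIA_FORWARDER = [(0, "80.80.228.43", SENDER, RCPT),    # forwarder's first try
                 (60, "80.80.228.43", SENDER, RCPT),   # too soon, still deferred
                 (900, "80.80.228.43", SENDER, RCPT)]  # queued retry, accepted

if __name__ == "__main__":
    print("direct from bot:     ", simulate(DIRECT_BOT))     # [451]
    print("relayed by forwarder:", simulate(VIA_FORWARDER))  # [451, 451, 250]
```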
If you have messages forwarded from other hosts of yours, greylisting will not help in that situation because that is a valid email server which will retry until the message is delivered. Greylisting will only help in messages sent directly to the spamcop server.

Correct, note that I also mentioned that greylisting is enabled for my personal domain (hosted by easily, where the greylisting is enabled). Close to 100% of my e-mail comes via that route - the only reason I enabled greylisting on the spamcop account was that the only mail received directly to that address was spam - I've never given the address out or used it on-line.

Correct, note that I also mentioned that greylisting is enabled for my personal domain (hosted by easily, where the greylisting is enabled). Close to 100% of my e-mail comes via that route - the only reason I enabled greylisting on the spamcop account was that the only mail received directly to that address was spam - I've never given the address out or used it on-line.

I have not seen a large percentage of spam being seen on the spamcop list since spammers started using botnets for more than a year now. Because each host only sends a small amount of spam, not enough messages are seen to list them. Other lists are still very useful. I use every blocklist available as well as the greylisting option and the only spam I get in my inbox is forwarded through my ISP.

  • 2 weeks later...

Hi,

I have also been facing a big increase in unheld spam for a couple of months. I have checked the answers here and tried changing some parameters in my filtering options, but it doesn't seem to work. I checked all blacklists available, reduced the SpamAssassin level to 4, yet the following mail just went through:

===
Return-Path: <comedic[at]mobogogo.com>
Delivered-To: <x>
Received: (qmail 2197 invoked from network); 2 May 2009 09:37:46 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-spam-Level:
X-spam-Status: hits=0.0 tests=none version=3.2.4
Received: from unknown (192.168.1.88)
  by filter8.cesmail.net with QMQP; 2 May 2009 09:37:46 -0000
Received: from smtp2.net4all-dns.com (HELO smtp2.clm.net4all.ch) (80.80.228.43)
  by mxin1.cesmail.net with SMTP; 2 May 2009 09:37:21 -0000
Received: from mail5.clm.net4all.ch (unknown [10.3.0.5])
  by smtp2.clm.net4all.ch (Postfix) with ESMTP id 878B413EF8
  for <x>; Sat, 2 May 2009 11:37:45 +0200 (CEST)
Received: by mail5.clm.net4all.ch (Postfix, from userid 8539)
  id 5133A6065573; Sat, 2 May 2009 09:37:45 +0000 (UTC)
Delivered-To: <x>
Received: from avas2.clm.net4all.ch (avas2.clm.net4all.ch [10.4.0.2])
  by mail5.clm.net4all.ch (Postfix) with ESMTP id 44798606556C
  for <x>; Sat, 2 May 2009 09:37:45 +0000 (UTC)
X-Greylist: Passed host: 79.2.166.4
Received: from bwiqfta.telecomitalia.it (host4-166-dynamic.2-79-r.retail.telecomitalia.it [79.2.166.4])
  by avas2.clm.net4all.ch (Postfix) with SMTP id 8E317B0002
  for <x>; Sat, 2 May 2009 11:37:44 +0200 (CEST)
Message-ID: <89l1________________________________________.com>
Date: Sat, 02 May 2009 09:37:43 -0100
From: Barness <comedic[at]mobogogo.com>
MIME-Version: 1.0
To: <x>
Subject: Top 5 Hot Sexy Tips to Spice Up Your Love Life Beefore It's Too Late
Content-Type: multipart/mixed;
  boundary="------------069F5ECA0E5F"
X-Net4all-MailScanner-Information: Please contact the ISP for more information
X-Net4all-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-Net4all-MailScanner-SpamCheck:
X-Net4all-MailScanner-From: comedic[at]mobogogo.com
X-SpamCop-Checked: 80.80.228.43 79.2.166.4
X-Antivirus: AVG for E-mail 8.5.323 [270.12.13/2091]
===

I am forwarding all my mails from my official address swarsystems.com, hosted on net4all.ch servers, then POPing mails from these spamcop accounts.

When I first joined SpamCop, it was working pretty well, without any specific configuration, which is what I wanted, because I'm neither qualified in that domain, nor have time to try it. So your help on this matter would be very much appreciated.

I am also no longer reporting any emails as spam, because I was told that it was blacklisting the net4all.ch server from which the mail was transferred. Is there any solution to avoid that?

Thanks again.

Mariano

[edit] spam munged <x> for public display

...

I am forwarding all my mails from my official address swarsystems.com, hosted on net4all.ch servers, then POPing mails from these spamcop accounts.

When I first joined SpamCop, it was working pretty well, without any specific configuration, which is what I wanted, because I'm neither qualified in that domain, nor have time to try it. So your help on this matter would be very much appreciated. ...

You will certainly benefit from changes to your filtering rules. I am sorry I cannot help with that - hopefully others with some experience with similar mail processing to yours will advise you.

...I am also no longer reporting any emails as spam, because I was told that it was blacklisting the net4all.ch server from which the mail was transferred. Is there any solution to avoid that?

Yes indeed. That is exactly the problem the mailhosting system was designed to eliminate. You get to it from your member's page (when logged in) from the "Mailhosts" tab - http://members.spamcop.net

As it happens, the example you gave would be parsed perfectly without mailhosting: http://www.spamcop.net/sc?id=z2850198697zb...9a2a688a7228fcz - but you cannot rely on that always being the case. Setting up mailhosts is definitely recommended.

Thanks for the info, but this is still very complex. Can anyone post a simple step by step procedure to do that? I have gone through the different documentation and it's very confusing.

Say I have 2 addresses (a and b) forwarded to one spamcop account (c). What should I enter in the configuration?

Also I understand this as a way to avoid reporting my forwarding server as spammer, but how would this solve the problem listed above of spam going through?

Thanks for any additional help. As I said before, I ordered 4 spamcop accounts because it seemed easy to set up for basic spam filtering. I understand that it's a complex subject and that you may have lots of possibilities for improvement, but there should be a default config that does a good job, without having to lose time in understanding the whole subject.

Any further help much appreciated!

Mariano

...Say I have 2 addresses (a and b) forwarded to one spamcop account c. What should I enter in the configuration?

You will surely find it easier than you think. Yours sounds like configuration 2 described in http://www.spamcop.net/fom-serve/cache/397.html - but it might be even easier because you register hosts, not addresses - so if a and b are (say) you[at]swar and u2[at]swar then you only register swar (and then spamcop, maybe, I'm not sure there because I don't use that system). There is a 'step-by-step' example at http://forum.spamcop.net/forums/index.php?...amp;#entry21169 Give it a try and if you get into difficulty post here or contact SC admin (service[at]admin.spamcop.net) for further assistance.

...Also I understand this as a way to avoid reporting my forwarding server as spammer, but how would this solve the problem listed above of spam going through?...

Reporting has nothing to do (directly) with spam reaching your inbox. Someone needs to talk with you about filtering. I think you might need to add some RBLs to your SC account settings (and the SpamAssassin options). It needs someone who uses that system to walk through that with you. Filtering is mentioned in many places, including http://forum.spamcop.net/scwik/SCEmailFiltersandBLs Miss Betsy also mentions 'greylisting'. That would be effective against spam sent direct to the SC account.
Thanks for your help and time. I have managed to add my forwarding emails in the mailhosts tab, though it was only taking one from the same server. I assume all email addresses from that server will be included in that, right?

Regarding the filtering, what I don't understand is that I had set SpamAssassin to be active (it was already before) and set the threshold to 4 instead of 5, so it should be more sensitive to spam. But the email mentioned below just went through. I also have all possible BLs checked.

In a hurry, but I'll see if I can help a little:

1. In the headers you provided, I see "X-Net4all-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details." Since you seem to be using the services of "Net4all," I think you might want to look into the scanning service mentioned in the headers...you don't seem to be using it. I allow my original server to do some scanning before it forwards to my SC address, and that helps cut down on "false negatives."

2. Why is the SA score so low? Hard to say...the SA system at SC doesn't really "learn" -- it only picks up on any new rules as the local admins have time to configure them (I think...although there might be some automation to the acquisition of new rules). So, stuff gets through with very low scores sometimes.

3. Why didn't your blacklist settings catch this? Hmmm...the source IP *does* seem to be on the SpamHaus PBL, and if you have that one selected, then it's due to the forwarding from the original host. The SC blacklists system isn't connected with the MailHosts system, so it's not smart enough to deal with this situation. I've complained about that here before and gotten nowhere.

4. Also in the headers is "X-Greylist: Passed host: 79.2.166.4" which is curious, in that that's the IP used by the spammer. I don't use SC greylisting, so I'm not sure if that header line came from SpamCop or not, but others will be able to shed more light on that.

DT

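Point 3 above is easier to see with the Received chain in hand. The following is an added example (not SpamCop's code) that walks the quoted headers newest hop first, skips private addresses and any IP you register as one of your own forwarding hosts, and reports the first remaining IP; the blocklist it consults is a constructed stand-in, not a real PBL lookup. It shows why a check that knows nothing about the net4all forwarder stops at 80.80.228.43, while a mailhost-aware one reaches 79.2.166.4.

```python
"""Find the IP a blocklist check should look at: added example, not SpamCop's code.
Hops from your own forwarding hosts ("mailhosts") and private ranges are skipped."""
import ipaddress
import re

# Received chain copied from the headers quoted in the thread (recipient munged).
HEADERS = """\
Received: (qmail 2197 invoked from network); 2 May 2009 09:37:46 -0000
Received: from unknown (192.168.1.88)
 by filter8.cesmail.net with QMQP; 2 May 2009 09:37:46 -0000
Received: from smtp2.net4all-dns.com (HELO smtp2.clm.net4all.ch) (80.80.228.43)
 by mxin1.cesmail.net with SMTP; 2 May 2009 09:37:21 -0000
Received: from mail5.clm.net4all.ch (unknown [10.3.0.5])
 by smtp2.clm.net4all.ch (Postfix) with ESMTP id 878B413EF8
 for <x>; Sat, 2 May 2009 11:37:45 +0200 (CEST)
Received: by mail5.clm.net4all.ch (Postfix, from userid 8539)
 id 5133A6065573; Sat, 2 May 2009 09:37:45 +0000 (UTC)
Received: from avas2.clm.net4all.ch (avas2.clm.net4all.ch [10.4.0.2])
 by mail5.clm.net4all.ch (Postfix) with ESMTP id 44798606556C
 for <x>; Sat, 2 May 2009 09:37:45 +0000 (UTC)
X-Greylist: Passed host: 79.2.166.4
Received: from bwiqfta.telecomitalia.it (host4-166-dynamic.2-79-r.retail.telecomitalia.it [79.2.166.4])
 by avas2.clm.net4all.ch (Postfix) with SMTP id 8E317B0002
 for <x>; Sat, 2 May 2009 11:37:44 +0200 (CEST)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"^Received:\s+from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.I)


def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return [(client_ip, receiving_host), ...] with the newest hop first."""
    hops = []
    for line in unfold(raw):
        m = FROM_BY.match(line)
        if not m:
            continue  # local handoffs without 'from <host>' carry no client IP
        ip = IPV4.search(m.group("frm"))
        if ip:
            hops.append((ip.group(1), m.group("by").lower()))
    return hops


def source_ip(raw, trusted_ips=()):
    """First client IP that is neither private nor one of your registered hosts."""
    trusted = {ipaddress.ip_address(t) for t in trusted_ips}
    for ip, _receiver in received_hops(raw):
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr in trusted:
            continue
        return ip
    return None


# Constructed stand-in for a dynamic-address listing (the thread suggests the
# spammer's host is on the SpamHaus PBL); this is not a real DNSBL lookup.
BLOCKLIST = {"79.2.166.4"}


def would_hold(raw, trusted_ips=()):
    """True if the IP the walk stops at is on the (constructed) blocklist."""
    return source_ip(raw, trusted_ips) in BLOCKLIST


if __name__ == "__main__":
    print("no mailhosts:      ", source_ip(HEADERS), would_hold(HEADERS))
    print("forwarder trusted: ", source_ip(HEADERS, ["80.80.228.43"]),
          would_hold(HEADERS, ["80.80.228.43"]))
```

Note the X-SpamCop-Checked header in the quoted message lists both 80.80.228.43 and 79.2.166.4, which matches the two stopping points the walk above produces.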
Thanks, David. It's refreshing to see how people in this forum are willing to share their time to help others.

1) I have asked my Internet E-Mail service provider to remove any spam filtering on purpose, because I don't want to have to check held email in 2 separate locations.

2) I'm wondering why, indeed, because a mail that starts with "Top 5 Hot Sexy Tips" should not be too difficult to catalog;-) Is SpamAssassin working fine for you lately? Couldn't that be the reason for a surge in such unheld spam?

3) good question

4) I have not used grey lists as yet, because I'm not ready to wait for an hour for some emails. If I can do without that, then I prefer.

Cheers!

Mariano

1) I have asked my Internet E-Mail service provider to remove any spam filtering on purpose. Because I don't want to have to check held email on 2 separate locations.

That's logical, but I'm willing to put up with it in order to reduce the amount of spam leaking to my inbox (which is now only a few per week). On my first server (using Exim on a WHM/cPanel setup), I've got an ACL configuration that makes a lot of incoming spam simply disappear, so although I have some of it show up in a "junkbox" (to which I maintain an IMAP connection), it gets rid of some things that the SC blacklist config won't do, since people are not sending directly to my SC address. If you're getting more than a few false positives a day, you might consider seeing if you can opt for only specific types of scanning/tests at your host.

Is SpamAssassin working fine for you lately?

Yes -- it seems to be scoring things fairly appropriately. I occasionally have to add new senders to my whitelist if their message scores above my threshold.

DT

I have also been experiencing a significant increase in spam email, to my Spamcop account. On the plus side, Spamcop is, and has been in the several years I've had a paid account, catching 99% of spam and sending it to Held Mail. On the down side, I am now receiving approximately 180 spam emails a day. It is a pain and time consuming to go through Held Mail, just to ensure a legitimate email didn't get tagged as spam. Does anyone have any idea why the amount of spam has increased lately? I can't believe I'm longing for the days of receiving, "only", 40-50 spam emails a day!

Thanks,

Chuck

Do you find many false positives? If you do, then possibly your filters are set too high? Lowering them might allow more spam to your inbox, but it would be easier to pick out a few spam from your inbox than finding one or two legitimate email in your Held mail, I would think.

Also, do you get many 'new' emails? Whitelisting your regular correspondents would keep them out of the Held mail. When you give out your email address, get theirs so that you can whitelist it. Of course, if you have many people who would get your email address without your knowledge (if you are selling something, for instance), then you won't be able to do that.

If you are forwarding from other accounts, see about using their filtering. I don't know a lot about spam filters, but it looks to me as though most of them use the blocklist that lists the botnets, because it doesn't matter if those emails are dropped: none of them come from real mail servers and they are never real email.

It all depends on why you are looking in Held mail for false positives. If you want to be sure that they are really spam that you are reporting, do as many as you feel comfortable with and delete the rest. Better to do a little than not do any.

Maybe someone who uses the email system will come up with better solutions.

Miss Betsy

Do you find many false positives?

Actually, Spamcop is doing what it's supposed to do, and very effectively. The problem is outside of Spamcop's control. My Spamcop account has been given out to many different entities--friends, family, businesses, lists, job sites, etc. Unfortunately, some of these entities, probably the majority being business related, are less than honest folks, and sell email addresses. Then you end up getting crap emails touting Viagra pills, porn, fake high end watches, get rich quick schemes, etc. I use an application called Nyms, which are specific, disposable email addresses tied to my Spamcop account (which the person being given my email doesn't know). The concept is, if I create this new account, and start getting spam, I can easily check the source and see that it came from a specific email address, which is directly tied to a specific entity/web site. If I want to stop receiving from them, I simply delete the email account. Unfortunately, with me receiving approximately 180 emails a day going into Held Mail, it would be a very time intensive effort to check every received email in there to look for the offending spammer. The only solution I see is to cancel my specific Spamcop account name and start using another. The problem is, so many people have that email address that legitimate folks wouldn't be able to reach me unless I remembered who they were and provided them another email address.

Thanks,

Chuck

If you are not getting false positives in Held mail, then your problem is with wanting to check on the Nyms address to find out who 'sold' or otherwise let your email address out to spammers (sometimes they just get a virus or trojan that harvests the email addresses it finds). Also, once an address is on a spammer list, it starts to get on more spammer lists.

I would think that it would be easier to just check as many as you are comfortable with and cancel those (or whatever you do - perhaps contact them and say that your email address was compromised by them?). It doesn't really matter whether you do that or not - once the email address is out there, you will get spam to it.

As long as your real email is not getting caught in Held mail, then you only have to do whatever is easiest to do. Maybe some days you will have more time and you can check more addresses and report more spam. Other days, you may just delete the whole lot.

As long as you are getting your real mail in your inbox without a lot of spam cluttering it up, then you are fine. There are enough reporters for you to take a day off now and then. And, while knowing which address is known to the spammers is good if you can delete it, it doesn't really make a big difference if you skip a couple of days and simply report or delete it all.

At least to me, it seems a better solution than creating a new address. Though someone once said that it doesn't take long to get people to know your new address if you keep the old one to catch those you have forgotten about. If you kept the old one, you could use it for merchants and businesses - particularly the ones that are doubtful. If you change your address to one that is not easily guessed by the dictionary spammers (like c1s5p), then your new address would not get spam.

If I had to organize my emails again, I would have one for family and friends who do not send me FW FW's; one for family and friends who send FW FW's, but occasionally send a real email; one for my bank and insurance; one for merchants that I regularly do business with; one for any other online merchant I buy from maybe once a year or if I make an online inquiry; and one for organizations with newsletters. Of course, I think you can sort them into folders, which does the same thing - I just haven't had the time to do it.

Miss Betsy

Thanks for the information and suggestions. I just went through my daily dose of held mail (ONLY 120 because it's Sunday), and I could not find any attributable to any of my NYMS disposable email addresses. These are all going to Spamcop. Some are going to my Spamcop email address specifically, but a good many others seem to be using a wildcard of sorts to send to a mass number of undisclosed Spamcop email addressees. The good part is that Spamcop filters are catching them. The bad part is that the Spamcop filters are catching them and I still end up with an unacceptably high number of daily emails going into Held Mail.

Thanks,

Chuck

There are no 'unacceptably' high numbers of spam in Held mail! Spam should be reported or deleted!

For reporting, more is better except if it is a problem in reporting. If you have Mailhosts configured, then you only have to do a random check to make sure that your ISP hasn't changed a server on you so that you have to redo Mailhosts.

Some people have many more emails in Held mail. The purpose of filtering is to get it out of your inbox. Those who use email services with good filtering don't see the increase because it is deleted before it gets to them, except those who 'tag' spam as the spamcop email service does, and they only see it in their Held or Junk mail.

Some other method of spam control will have to be devised to stop the spam from coming. I personally think that all email should be blocked at the server level. If people can't use email because they, or their email service, do not control spam leaving their networks, then customers will eventually learn how to run a mail server or move to services that are responsible. I don't think it should be based on volume. Occasionally, a responsible server admin will have a breakdown, but it shouldn't last long.

Filtering works well, but the only effect it seems to have had is to drive the spammers to send more spam in the hopes some of it will reach a target. The only place to stop spam from coming is at the sending end. The reason spamcop reports are useful is that they still alert responsible server admins to a problem.

It is increasing all the time for everyone so if you want to not receive spam, you will have to change your email address and be extremely careful who you give it to and that still does not guarantee a spam free inbox forever as spammers get more desperate to evade filters and acquire new addresses.

Miss Betsy

PS I am editing out the quote in your post since it takes up disk space and is not necessary to understand your reply.

  • 4 weeks later...

Add me as one that is also receiving a lot of spam in my Spamcop inbox in the last month. I've changed my filter level to 2 now to try and stop it but it hasn't helped even a little, and now I get a lot of good email going into the Held Mail folder. BTW, all my mail comes through my Yahoo account.

It's not looking too good that I'll be extending my spamcop account as this is what I have it for.

Don't you have spam filtering turned on in your yahoo account? Do you not have it turned on because you are afraid that yahoo will drop your real email?

I don't get much spam (or real email) at my yahoo account, but both yahoo and hotmail seem to have extremely rigorous filtering systems. On one hotmail account that used to receive dozens every day, I get less than two or three per week now. There may be a spurt, as a spammer figures out how to get around hotmail filters, but then it slacks off again.

There are ways to tweak filtering - whitelisting those real emails that go to held mail would help. There have been several discussions in the Email section of the forum about how to tweak spamcop filters. (I am not a spamcop email account user).

Miss Betsy

Archived

This topic is now archived and is closed to further replies.