Spam Increase

[markbuckles]

I use SpamCop e-mail filtering service, and I usually get a spam or three a month that manage to sneak through into my Inbox. Lately (since about a week ago or so) I have been getting sometimes three a day. I have not changed any of my settings for months - I have all the Blacklists selected, and SpamAssin is selected and set at 1.

Sorry - I don't know how to retrieve report info or tracking data, but I uploaded two example spams that I received today (with complete headers) to my website: http://www.markbuckles.com/misc/spam.txt

Can anyone see any reason for the recent uptick in spam slipping through?

Thanks!

[Farelf]

...Can anyone see any reason for the recent uptick in spam slipping through?...

Hi Mark,

Hopefully a mail user might be able to pick something up or perhaps point to a misbehaving server. In the meantime, you might like to review the Wiki on Tracking URL which is simpler than uploading spamsource to your own pages and provides the parse detail which can be pertinent (for instance it makes it a little easier to discern if a DNSbl is not working in relation to the identified spam injection point).

There are many discussions of how and why spam leaks through from time to time, these pages are searchable (2nd line of any forum page) so another activity while you wait might be to look around - here are a couple that might help

http://forum.spamcop.net/forums/index.php?...amp;#entry26137

http://forum.spamcop.net/forums/index.php?showtopic=8749

[DavidT]

Sorry - I don't know how to retrieve report info or tracking data, but I uploaded two example spams that I received today (with complete headers) to my website: http://www.markbuckles.com/misc/spam.txt

The source IP of the first sample [88.252.73.24] is now on the SCBL, and is due to come off in about 5 hours, which usually would indicate that it's been listed for at least 19 hours. The spam you posted hit the SC email server 13 hours ago (as of this post), so if my math/timezones are all correct, it should have been put into your Held mail due to an SCBL hit...but I could be wrong.

The source of the second, [91.77.113.181], isn't listed on the SCBL, but is listed on SORBS and some other BLs that aren't in our array of options:

http://www.robtex.com/rbl/91.77.113.181.html

We used to have the SORBS DNSBL among our options, but it was dropped at some point and I've not been able to get anyone to tell us why.

http://forum.spamcop.net/forums/index.php?...sorbs&st=20

spam seems to ebb and flow randomly, so it's not that unusual to see what appears to be a sudden increase from time to time. Your SA setting is *very* aggressive, but in that the SA in use isn't properly "trained" using Bayes techniques or other custom tests, it's not always all that effective, thereby making the RBLs even more important...but there are documented problems with the implementation of the RBLs also. That's why I've had to resort to additional filtering on my domain hosting accounts in order to catch the stuff that SpamCop's email system *should* be catching.

DT

[markbuckles]

Okay - I think I figured out the tracking URL for a spam I got today:

http://www.spamcop.net/sc?id=z1630446201z2...dc801ba30f0853z

While I do expect some ebb-and-flow in the filtering process, the marked increase seemed beyond mere natural variance. In this one I got today, the subject was "All Natural Enlargement." I'd have thought that such would have been an easy catch for SpamCop.

[agsteele]

I can't tell for the item you sent a tracking URL for, but the earlier messages all achieved a SpamAssassin score of less than 1 which is why they slipped through the net.

I see you also have spam checking with SpamPal so I wonder if you are forwarding your Email to your SpamCop account. If you are receiving Email direct to your SpamCop address then implementing grey listing may be worthwhile.

Sadly the words used in subject lines are often easily identifiable to human examination but a computer has to treat each word and collection of words according to the rules it has. Updating the SpamAssassin tests is something only done from time-to-time.

Perhaps you should raise the question with JT and his colleague and suggest some additional SA tests that could be implemented.

Andrew

[DavidT]

Okay - I think I figured out the tracking URL for a spam I got today:

http://www.spamcop.net/sc?id=z1630446201z2...dc801ba30f0853z

As I start this reply, it's 13:45 GMT, and the source IP of that message has been on the SCBL for approx. 15 hours. The spam arrived at SpamCop last night at approx 20:51 GMT, almost 17 hours ago, so there's a "lag time" issue, in that the IP wasn't yet listed at the moment of arrival in your mailbox.

That IP is also listed in the following:

cbl.abuseat.org

dnsbl-2.uceprotect.net

dnsbl-3.uceprotect.net

dnsbl.sorbs.net

dul.dnsbl.sorbs.net

sbl-xbl.spamhaus.org

sorbs.dnsbl.net.au

t1.dnsbl.net.au

xbl.spamhaus.org

some of which we're offered in the SpamCop email account settings. Hard to say exactly when it was listed by the other BLs (it's been on the CBL for 15 hours). Any chance that you can get "CarrierZone" to implement RBL filtering? (that's where your mail is currently first received)

DT

[michaelanglo]

Hopefully a mail user might be able to pick something up or perhaps point to a misbehaving server.

I post my statistics from using SpamCop mail from time to time. For the last three months they are

Nov '07 (representative of the months since August, ie implementation of greylisting)

3011 spams (100/d), 77 leakers (=2.6 %), 2 false positive(s)

Dec '07

2799 spams (90/d), 130 leakers (=4.6 %), 3 false positive(s)

Jan '08

2526 spams (81/d), 121 leakers (=4.8 %), 1 false positive(s)

I have SpamAssassin set to 3.0, graylisting on, all blocklists set and some use of personal Blacklist, eg Ebay.com, irs.gov, bankofamerica.com, cn, sg, it.

So spams are going down but the leaker fraction is going up.

The ones that leak typically have SA=0.0 (some 1.8 or so) Subject in Cyrillic or obvious like p*n*s

So my enhancement suggestions are (a) optional test for charset=koi8-r (as SA "faraway" I understand)

( use the code implemented for pbl.spamhaus.org to allow adding a "dynamic IP" blocklist or use the RDNS to gradually identify names containing "dynamic" or "modem" or "ADSL"

© add a optional block on "IP has no RDNS"

By 'block' I mean ==> Held as at present.

HTH

[petzl]

It would help if SpamCop email used its blacklists we select

Brazil keeps being ignored?

http://mailsc.spamcop.net/sc?id=z163383104...df3dcfd643a0faz

IP 200.234.220.8

COMITE GESTOR DA INTERNET NO BRASIL

IP range

200.128.0.0

to

201.95.255.255

[edit] http://www.spamcop.net/sc?id=z1633831048za...df3dcfd643a0faz is the tracking URL

[DavidT]

The Brazil filter currently offered in our SC email settings is "brazil.blackholes.us," but near as I can tell, the person responsible for the "blackholes.us" service pretty much dropped off the face of the earth several years ago and my speculation is that it is no longer a reliable/useful tool, due to the likely staleness of the data it returns. Same thing for the Nigeria and Argentina filters from Blackholes.us that we're offered.

We've been over all of this before here in the forums, and JT has been notified and done almost NOTHING! We managed to get him to swap out the China BL with one from countries.nerd.dk, but he never responded to the issue of the other presumably outdated options from Blackholes.us.

Historical links abound through searching, but here are two:

http://forum.spamcop.net/forums/index.php?...l=blackholes.us

http://forum.spamcop.net/forums/index.php?...l=blackholes.us

Wazoo, perhaps you could try to send something to JT on this. He's not responding to my most recent request regarding the "double errors" that his server is giving when delivery to a bad address is attempted.

DT

[Farelf]

...Wazoo, perhaps you could try to send something to JT on this. He's not responding to my most recent request regarding the "double errors" that his server is giving when delivery to a bad address is attempted.

David, Wazoo hasn't been around for almost a week - I've emailed JT about the Brazil blocking, also mentioning your post on 55x error messages.

[DavidT]

David, Wazoo hasn't been around for almost a week

Wow...five days, no Wazoo....surely a sign of the apocalypse.

Any word on why? I think I saw some sideways mention of medication in one or two of his most recent posts, so is he OK?

DT

[Farelf]

... Any word on why? I think I saw some sideways mention of medication in one or two of his most recent posts, so is he OK?

OT We hope he's OK. He was toughing it out (despite some spirited nagging) which is never a good policy (applies equally to nagging and toughing it out). But, pots and kettles, who among us ...?

[jefft]

The Brazil filter currently offered in our SC email settings is "brazil.blackholes.us," but near as I can tell, the person responsible for the "blackholes.us" service pretty much dropped off the face of the earth several years ago and my speculation is that it is no longer a reliable/useful tool, due to the likely staleness of the data it returns. Same thing for the Nigeria and Argentina filters from Blackholes.us that we're offered.

OK, I switched those zones around to use the countries.nerd.dk list.

JT

[DavidT]

OK, I switched those zones around to use the countries.nerd.dk list.

Thank you very kindly. This might help with Petzl's long-reported "Brazil issues" as seen in his "Block Brazil" topic:

http://forum.spamcop.net/forums/index.php?showtopic=9116

I opted for the new Nigeria filter right away for obvious reasons. :-)

DT