Answer for: What topics would you like to see covered on the Modwest Blog?
#4 Latest SPAM trends and how Modwest is coping
Starting in mid-July 2009, the incoming SPAM rate for our four domains is about one a minute, 7x24, up from a steady 100 per day for the last year or two. Whazzup with that? Are the filters clogged or is there just too much to handle? Are there new strategies? Are megaspammers on the rise? Netbots that infect everyone's 'Doze machines? Are we being specifically targeted, i.e., more than other domains? Harried sysadmins want to know.

We have heard this from a few customers this week, and I am seeing it in my inbox as well.
My sense is that the spammers have gotten trickier -- I am seeing pretty obvious spam receiving just 1 or 2 points now.
I have a new post in the works about spam scores of our most recent 2 million deliveries (this week).
We last covered this almost two years ago, so it's time for an update.
http://blog.modwest.co...g-spam.html
I'd be curious to see a sample of these messages. The rate you're getting them seems wildly outside of what I've seen. Therefore, it seems something is amiss. Send them in with full headers to support-at-modwest-dot-com.
Because we manage several domains, and I am too lazy to set up mailboxes for all the "required" addresses, such as webmaster, postmaster, abuse, etc., plus the "usual and customary": sales, info, etc., I just let everything into my mailbox and sort it out later.
What we are seeing are mostly dictionary attacks on the domain users, where we get 20 of the same message to variations on usernames. If the SPAM filters let the first one through, they will let *all* of them through. Even an adaptive filter, that says, "Hey, if someone emails everyone in our company the same content, it's probably SPAM and we should cut it off after five highly similar messages," will let five through before clamping them. For every 100 messages that get through the filters, about 300-400 get trapped. There is just a huge volume. I also hold the trapped mail and empty it myself, in case I want to do my own analysis and to check for the occasional *real* message that gets flagged.
There are so many "free" email services that pad legitimate mail with paid ads that setting the SPAM filter lower than "let'r rip" catches too many mailing list submissions, so our filters are set fairly high to begin with.
We also have the problem of being too visible: several of our domains are more than 10 years old, from back in the day when *all* domain information was public. You can't put the genie back in the bottle.
Another problem is that about two or three times a year, each of our domains gets tagged by the SPAMmers to be the fake return address for their messages, and we get all of the bounced mail from dictionary attacks. When this happens, we get a huge spike in "MAILER-DAEMON" mail in the postmaster's box as well as the spam trap.
Yes, I could redirect everything to the bit bucket and drop the SPAM detection threshold, but, then, I don't walk or bike with earphones on, either. I like to know what's going on in my environment, so I can take more positive action.
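The "same content to twenty username variations" pattern described in this post can be spotted by clustering on normalised content per recipient domain instead of per sender. The script below is an added illustration, not Modwest's filter or anything from the thread; the message list, the `threshold` of five and the fingerprint rules are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample (not real mail): one blast of near-identical content at
# username variations on a single domain, plus one ordinary message.
SAMPLE = [
    ("sales@example.org",      "cheap meds http://x.example/1a9",  "Re: your order"),
    ("sale@example.org",       "cheap meds http://x.example/7fq",  "Re: your order"),
    ("sales1@example.org",     "Cheap MEDS  http://x.example/k2z", "RE: Your Order"),
    ("info@example.org",       "cheap meds http://x.example/q0m",  "re: your order"),
    ("larye@example.org",      "Lunch tomorrow?",                  "hi"),
    ("postmaster@example.org", "cheap meds http://x.example/z1",   "Re: your order"),
]

def fingerprint(subject: str, body: str) -> str:
    """Normalise so per-copy variations (case, spacing, randomised URL tails)
    collapse to one fingerprint."""
    text = f"{subject}\n{body}".lower()
    text = re.sub(r"https?://\S+", "<url>", text)   # drop unique URL tails
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def dictionary_attack_groups(messages, threshold=5):
    """Group by (recipient domain, content fingerprint). A group is a
    dictionary attack once the same content reached >= threshold distinct
    local parts at one domain. Returns {(domain, fp): sorted local parts}."""
    groups = defaultdict(set)
    for to, body, subject in messages:
        _, addr = parseaddr(to)
        local, _, domain = addr.rpartition("@")
        groups[(domain.lower(), fingerprint(subject, body))].add(local.lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}

def flagged_recipients(messages, threshold=5):
    """Flat list of addresses that received a flagged blast."""
    out = []
    for (domain, _), locals_ in dictionary_attack_groups(messages, threshold).items():
        out.extend(f"{name}@{domain}" for name in locals_)
    return sorted(out)

if __name__ == "__main__":
    for key, locals_ in dictionary_attack_groups(SAMPLE).items():
        print(key, locals_)
```

Note the limitation the post already points out: the first `threshold - 1` copies are delivered before the group trips, so this complements a content filter rather than replacing it.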
My spam has gone thru the roof lately, too. I had to lower my protection, though, because some of my email was ending up in the Trash Folder. Not Spam Folder, mind you, Trash. And it was being caught on my Webmail site when I use Outlook. So I either had to lower my protection or remember to visit my Modwest Webmail several times a day. Methinks my delete key is frying.
Mine too, glorybeegood -- though I'm not sure why some spam would go to your Spam folder and others to your Trash. Let the support team know if there's something perplexing going on.
A few hours ago, we implemented some relatively aggressive spam filter updates; so far, they're catching a lot of spam, but we need to hear from customers whether there's a noticeable improvement.
By the way, we announced this change on twitter, to which we're still getting accustomed. http://twitter.com/modwest
Great. Will follow you on Twitter and hope both our delete keys stop smmmokin'!
Seriously, I'm not receiving any from Modwest; if by chance I am, then I'm oblivious to it, and if some of it isn't spam, I'm oblivious to that too :)
Seeing the odd bit here and there from elsewhere.
We made some more changes yesterday, increasing the sensitivity of some spam-check rules, and in aggregate anyway, things seem to be better so far today.
I'll get that blog post about this most recent battle with the spammers up late this afternoon.
http://blog.modwest.com
Done!
http://blog.modwest.co...n-spam.html
Great informative article. And graphics always help. I understand you do have to walk a fine line - if you set too tight of controls we complain that we aren't getting email. Too low and our delete keys fry. Thanks for the great explanation and will keep you posted on the delete key smoke status.
Larye and others -- I hope the spam situation is somewhat better now? We've made a lot of changes to various filter rules to catch more spam. Let us know.
Still getting a lot through the filters, even since midnight. About half of the messages that leak through are Cyrillic unicode, with the Russian spellings for all of the bogus health remedies that leak through in English.
We had dropped the SPAM leakage considerably by cranking up the threshold, but the higher setting grabbed *all* of my Yahoo Groups mail, of which I get 20-40 per day, so I lowered it again a couple days ago and I get about 100 a day actual SPAM leakage. This is for the postmaster account (catchall). My wife, who owns two of the domains we manage and has her primary email address in a third, gets about 20-30 a day in her mailbox; no doubt our own addresses are on mailing lists harvested from web crawlers and whois searches, and we just aren't willing to give up our legal names as email addresses or obfuscate them with numbers. We're just not ready for the world of THX1138.
Rather than try to outsmart the SPAMmers, perhaps we should try to smarten up the mailing list operators, like Yahoo, so the ads they tack onto list mail don't look blatantly like SPAM, so we can crank up the BS filter and get the real ones.
I haven't done a programmatic analysis of the SPAMs that get through versus the ones that don't, but a lot of them that get through are pretty obvious to the filter between the screen and the chair, and not that much different from the ones that get trapped. I had been planning on doing a Bayesian analysis of the "real" mail I want to see versus the ones I don't, but haven't done that: the SPAM content and style seems to adapt faster than I can collect samples.
The SPAM filter settings of "High, medium, and low" aren't selective enough--there is an "always allow" list, but that is for sender, which doesn't work with mailing lists, where the key is the "To:" line, or a bracketed tag in the Subject line. I'm not advocating blacklists, but there should be a way of raising the suspicion level for messages from certain top-level domains or that contain Unicode (I don't read Russian, so I'm not interested in the 20-30 all-Cyrillic messages I get each day). Maybe some advanced settings with Subject/Content/To/From lists with keywords and/or regular expression patterns. I used to use procmail to implement my own filters, but we don't have that option anymore. I'd use fetchmail and filter on my own servers, but we need to read our mail on the web too often and we don't have enough volume to warrant the cost of a VPS or colo to run our own mail servers.
Thanks for the detailed feedback.
We added a specific rule to make groups.yahoo.com URLs suspect, since a lot of the Chinese malware spammers are using it as their go-between site. Try adding an entry to 'always allow' for the real Yahoo sender.
As for character sets -- good news: we can set per-mailbox preferences on language/character set. Send us (to support) the list of mailboxes you want changed and I'll make sure those mailboxes get the English-only preference set up. (We can't do it globally because we have customers all over the world.)
It's true we don't support procmail, but we do support Sieve; Thunderbird now has a decent Sieve-editing add-on.
The OnSite spam filter also allows 'custom', and you can enter a number (with decimal). On my various mailboxes I'm using anywhere from 0.5 to 3.5 as an aggressive preference.
Finally, as you know, the catch-all will certainly ensure you receive a lot more spam, for the reasons you've mentioned.
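To make the two settings discussed in this reply concrete (a per-mailbox "English only" preference and a numeric custom threshold) and the list-mail problem raised above (keying on To:/Subject tag rather than sender), here is an added Python sketch of that scoring; it is not Modwest's filter and the sample headers, point values and 2.5 threshold are constructed assumptions.

```python
import unicodedata
from email import message_from_string
from email.header import Header, decode_header, make_header
from email.utils import parseaddr

# Constructed sample headers (not real mail): a Cyrillic pitch, a Yahoo Groups
# post, and a plain note. Header() builds a correct RFC 2047 encoded-word so
# the koi8-r subject does not have to be hand-encoded.
CYR_SUBJECT = Header("Дешевые лекарства без рецепта", "koi8-r").encode()
SAMPLES = {
    "pitch": f"From: shop@example.net\nTo: postmaster@example.org\nSubject: {CYR_SUBJECT}\n\n",
    "list":  "From: member@example.com\nTo: hikers@yahoogroups.com\n"
             "List-Id: hikers.yahoogroups.com\nSubject: [hikers] Saturday hike\n\n",
    "note":  "From: friend@example.com\nTo: larye@example.org\nSubject: Lunch?\n\n",
}

def decoded_subject(raw: str) -> str:
    """Decode encoded-words so script detection sees real characters."""
    msg = message_from_string(raw)
    return str(make_header(decode_header(msg.get("Subject", ""))))

def cyrillic_ratio(text: str) -> float:
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    cyr = sum(unicodedata.name(c, "").startswith("CYRILLIC") for c in letters)
    return cyr / len(letters)

def is_list_mail(msg) -> bool:
    """Key on List-Id, the To: domain or a [tag] in Subject, not on From:."""
    if msg.get("List-Id"):
        return True
    _, to = parseaddr(msg.get("To", ""))
    subject = msg.get("Subject", "").lstrip()
    return to.lower().endswith("@yahoogroups.com") or subject.startswith("[")

def score(raw: str, english_only: bool = True) -> float:
    """Points to add to a base spam score; compared against a mailbox threshold."""
    msg = message_from_string(raw)
    pts = 0.0
    if is_list_mail(msg):
        pts -= 2.0   # wanted list traffic, even if the appended ad looks spammy
    if english_only and cyrillic_ratio(decoded_subject(raw)) > 0.5:
        pts += 3.0   # per-mailbox "English only" preference
    return pts

def verdict(raw: str, threshold: float = 2.5, english_only: bool = True) -> str:
    return "spam" if score(raw, english_only) >= threshold else "deliver"
```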
Larye,
I recommend you build contact form and replace your email address with a link to that form.
One of the easiest to configure is NMS FormMail http://nms-cgi.sourceforge.net/scripts.shtml. Drop it into your cgi-bin, edit it accordingly and don't forget to use recipient aliases (see link for examples):
%recipient_alias = (
'contact1' => 'alias@your.com',
'contact2' => 'alternate@dot.com',
);
On your form page call the script as part of the form action. Test before removing your email address from your page.
This will stop new harvesting.
Next. You probably have accounts all round the net where you will have provided your email address. For each one of those add an alias via on-site and then update your details with a change of email address. When sites send a confirmation email you'll know it works.
If you start getting spam on an alias you'll now know the source and can either change supplier or change the alias for that source to put an end to it.
When reading your email on the web, use https://beta-webmail.modwest.com/ as it will allow you to set up a separate identity for each alias, giving the impression of a dedicated mailbox.
This isn't a complete solution to your problem, but it will allow you to move legitimate email to a new box, which you do not give out to anyone (a variation of your name for example).
Thanks, Squiggle--
I've been meaning to clean up the "contact" links in our webs for some time. They're all PHP, so pretty simple, but our own webs suffer from the shoemaker's children problem.
I did create another mailbox for catch-all, which is doing nicely to keep my personal box fairly clean, and I still get the service account mail that I identified in the profile, some of which is, of course, SPAM (e.g., to webmaster, sales, info, etc).