Porous spam filtering

by ronks » Wed Apr 12, 2023 9:09 am
A large amount of spam with no discernible pattern ("Replace you old pillow", "New earwax cleaner", "Congratulations, you have won ___", etc.) from sites ending in .store, .shop, .site is pouring in daily. I have SpamAssassin turned on but one or two a day slip through to my in-box.
I'm wondering if all this (possibly from a single sender) can be identified and filtered; the filtering I use today doesn't seem to be adequate to their ingenuity.
by jordan.m » Thu Apr 13, 2023 11:08 am
ronks wrote:A large amount of spam with no discernible pattern ("Replace you old pillow", "New earwax cleaner", "Congratulations, you have won ___", etc.) from sites ending in .store, .shop, .site is pouring in daily. I have SpamAssassin turned on but one or two a day slip through to my in-box.
I'm wondering if all this (possibly from a single sender) can be identified and filtered; the filtering I use today doesn't seem to be adequate to their ingenuity.
Hello. Aside from block listing particular email addresses/domains, I would recommend tightening the required amount of hits that are required to flag a message as spam. Instead of 3 hits, try changing it to 2 or 1.5. This does increase the chance of important emails being falsely flagged, so I would suggest monitoring your spam folder after making this change and "welcome list" any legitimate senders. Also, if you notice spam emails containing a particular subject, you can block list that as well by going to:
Email > Spam Filtering > Welcomelists/Blocklists > Blocklist Subject.

I hope this helps!
Jordan M.
Community and Escalations Specialist
Sonic
by ronks » Mon Apr 17, 2023 8:59 pm
Thanks! I added .site to the domain blocklist along with .store and .shop, and that seems to have made a great difference.
I don't believe I have ever seen any valid email from those domains, so false positives are unlikely.
But the sender(s) constantly change to evade the rules; if they slip past the latest blockade I will follow your suggestions.
by kgc » Tue Apr 18, 2023 1:24 pm
ronks wrote: But the sender(s) constantly change to evade the rules; if they slip past the latest blockade.
That's the rub of the problem right there, this has always been an arms race of sorts. There's been a semi-recent uptick in spam runs that seem to largely be using the *.store tld, these actually got our attention since they're coming in at a high enough burst rate that they've raised system level monitoring alerts for high load, etc. I've done a bunch of work to mitigate them in our front line defenses on the MX servers (just outright rejecting them at the SMTP transaction before we accept them for delivery and SpamAssassin based filtering) but it didn't have as much of an impact as I'd hoped on these particular spammers despite improving our reject rate considerably.

This is a graph of messages marked as spam (green line) vs messages marked as not-spam (blue line) at delivery time - you can see the upward trend Jan -> Mar, where it drops back down after some of the initial big changes were made to our MX cluster.
[Attachment: Screenshot 2023-04-18 132128.png]
Kelsey Cummings
System Architect, Sonic.net, Inc.
by dragonsclaw » Mon Apr 24, 2023 10:23 am
Thanks for all the hard work. Playing Whack a mole seems to be a losing battle.

There was a batch (6-15) every day in previous weeks that snuck by. What they had in common was words with spaces and always an attachment.
Thanks again
by kgc » Mon Apr 24, 2023 12:02 pm
dragonsclaw wrote:Thanks for all the hard work. Playing Whack a mole seems to be a losing battle.
It's less a losing battle than an endless one.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by virtualmike » Mon Apr 24, 2023 4:17 pm
Likely AI will help spread the spew, but it also might help combat it.

https://www.msn.com/en-us/news/technolo ... r-AA1a6bl9
by ronks » Sat May 20, 2023 12:03 pm
Here is a specific query; I don't understand the math here.
I have modified my SpamAssassin scores, and I flag a message as spam at a score of 2.0; but this obvious spam got a clean 0.0 which doesn't seem to add up unless the unexplained SNF4SA gave it a pass:

X-Spam-Status: No, score=0.0 required=2.0 tests=
0.1 DKIM_SIGNED,
-0.1 DKIM_VALID,
-0.1 DKIM_VALID_AU,
1.048 HTML_IMAGE_ONLY_16,
0.001 HTML_MESSAGE,
0.635 HTML_MIME_NO_HTML_TAG,
0.001 LONG_IMG_URI,
0.1 MIME_HTML_ONLY,
-0.001 RCVD_IN_DNSWL_NONE,
-0.001 RCVD_IN_MSPIKE_H2,
0.001 SCC_BODY_URI_ONLY,
????? SNF4SA, (not documented)
0.5 SONIC_BX_A2, (default 0.001)
0.5 SPF_HELO_NONE, (default 0.001)
0.2 T_KAM_HTML_FONT_INVALID, (default 0.01)
0.01 T_REMOTE_IMAGE,
-0.01 T_SCC_BODY_TEXT_LINE
by kgc » Sat May 20, 2023 3:31 pm
SNF4SA is one of a couple commercial plugins that we use in our deployment that use dynamic scores that can be both positive and negative.
Kelsey Cummings
System Architect, Sonic.net, Inc.
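The arithmetic behind ronks's question can be checked directly. The following is an added example, not code from the thread or from Sonic: a small Python parser for the X-Spam-Status header quoted above, in the one-score-per-line form the poster pasted (the poster's margin notes such as "(default 0.001)" are left out, and the "?????" marker is kept only to show how a parser should handle a test whose score is not printed). It sums the documented tests and, because SpamAssassin prints the total rounded to one decimal, back-computes the range the undocumented SNF4SA test must have contributed. It assumes only that header layout and the scores as posted.

```python
import re
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed sample: the header quoted in the thread, one "score NAME," per
# line. "?????" is the poster's placeholder for a test whose score was not
# shown, not real SpamAssassin header syntax.
SAMPLE_HEADER = """X-Spam-Status: No, score=0.0 required=2.0 tests=
0.1 DKIM_SIGNED,
-0.1 DKIM_VALID,
-0.1 DKIM_VALID_AU,
1.048 HTML_IMAGE_ONLY_16,
0.001 HTML_MESSAGE,
0.635 HTML_MIME_NO_HTML_TAG,
0.001 LONG_IMG_URI,
0.1 MIME_HTML_ONLY,
-0.001 RCVD_IN_DNSWL_NONE,
-0.001 RCVD_IN_MSPIKE_H2,
0.001 SCC_BODY_URI_ONLY,
????? SNF4SA,
0.5 SONIC_BX_A2,
0.5 SPF_HELO_NONE,
0.2 T_KAM_HTML_FONT_INVALID,
0.01 T_REMOTE_IMAGE,
-0.01 T_SCC_BODY_TEXT_LINE"""

_STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)"
)
# A score (possibly negative) or a run of '?' for an unknown score, then the test name.
_TEST_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?|\?+)\s+([A-Za-z0-9_]+),?\s*$")


def parse_spam_status(header: str) -> Dict:
    """Return flag, reported score, threshold and a list of (test, score-or-None)."""
    lines = header.strip().splitlines()
    m = _STATUS_RE.search(lines[0])
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests: List[Tuple[str, Optional[Decimal]]] = []
    for line in lines[1:]:
        t = _TEST_RE.match(line)
        if not t:
            continue  # tolerate stray annotations between test lines
        raw, name = t.groups()
        tests.append((name, None if raw.startswith("?") else Decimal(raw)))
    return {
        "flag": m.group(1),
        "score": Decimal(m.group(2)),
        "required": Decimal(m.group(3)),
        "tests": tests,
    }


def known_total(parsed: Dict) -> Decimal:
    """Sum of every test whose score is printed in the header."""
    return sum((s for _, s in parsed["tests"] if s is not None), Decimal("0"))


def unknown_tests(parsed: Dict) -> List[str]:
    """Names of tests that hit but whose score was not printed."""
    return [n for n, s in parsed["tests"] if s is None]


def implied_unknown_range(parsed: Dict) -> Tuple[Decimal, Decimal]:
    """Range the unprinted tests must sum to, given the reported total.

    SpamAssassin prints the total rounded to one decimal, so the true total
    lies within +/-0.05 of the reported value; subtract the known tests.
    """
    half = Decimal("0.05")
    known = known_total(parsed)
    return (parsed["score"] - half - known, parsed["score"] + half - known)


def flagged_without_unknown(parsed: Dict) -> bool:
    """Would the documented tests alone have crossed the configured threshold?"""
    return known_total(parsed) >= parsed["required"]


if __name__ == "__main__":
    p = parse_spam_status(SAMPLE_HEADER)
    lo, hi = implied_unknown_range(p)
    print(f"documented tests sum to {known_total(p)} (required={p['required']})")
    print(f"unscored tests: {unknown_tests(p)} must have contributed {lo} .. {hi}")
    print(f"flagged without them: {flagged_without_unknown(p)}")
```

For the header as posted, the documented tests sum to 2.884, already above the 2.0 threshold, so the message reached the inbox only because the one unprinted test pulled the total down by roughly 2.8 to 2.9 points. That is consistent with kgc's answer that the commercial plugins return dynamic scores that can be negative, and it is the check worth running whenever a header's listed hits do not seem to add up: if the gap cannot be attributed to a known dynamic-score test, the header was not produced by the configuration you think it was.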
by ankh » Wed Jun 28, 2023 8:53 am
Would it be possible to set up a shared/Co-Op blocklist? I'd guess the flood I'm seeing is affecting others as well. I just captured a handful of recent frequent spam sources for my blocklist, but there are dozens more pending that I need to add. Anyone find this useful?

@3wishes.com
*@betterratesforyou.com
*@diversecoverageinsurance.com
*@exactratestoday.com
*@itsallaboutfinances.com
*@lockperfectquote.com
*@offersflash.com
*@qq.com
*@refirenew.com
*@scalternatives.com
*@skinrealty.com
*@wixemails.com
*@yourfinanceanswers.com