Porous spam filtering

25 posts Page 2 of 3
by ronks » Wed Jun 28, 2023 9:11 am
Since the flood I reported in April, I am now down to no spam getting through and no trapped messages in Graymail.
My guess is that someone found the sender(s) of the torrent and blocked it.
Also, I tightened up my rules and scoring.
Curiously, when I inspected some, I found outside of the HTML content the word "Vistula", a river in Russia. Hmm.
My personal non-expert feeling is that a blocklist of senders would be of minimal use, given the constant changes that spammers make to them.
by ankh » Wed Jun 28, 2023 9:25 am
I figured the spammers will be changing their sender address, but near as I can tell the blocklist is the only tool Sonic offers and right now individuals have to keep up with those changes.

So wondering if enough of us are noticing new spam sources _and_ we had a shared/coop place to list them, it might be helpful.

Of course we can post our blocklists as I did above as text, but I guess it would require a simple matter of programming (yeah I know) to create a way individuals could import that kind of long list from a shared blocklist to a personal one.

Or, hm, could that be automated too?
by virtualmike » Wed Jun 28, 2023 2:30 pm
ankh wrote:[...]I just captured a handful of recent frequent spam sources for my blocklist, but there are dozens more pending that I need to add.[...]
The spammers make up domains frequently, and some of them may not even be registered.

What would be more effective is to determine the IP addresses from which the spams are being sent. In my experience, a flood of spam from a set of domains like that usually ends up being sent from a small set of IP addresses, which can be more effectively filtered or blocked than continually playing whack-a-mole with domain names.
by ankh » Wed Jun 28, 2023 5:06 pm
Can I get the IP from the mail Sonic shows me in Mail?

And can I enter the IP into the blocklist list system?
by virtualmike » Wed Jun 28, 2023 5:22 pm
ankh wrote:Can I get the IP from the mail Sonic shows me in Mail?
According to this article, View > Message > All Headers. You'll see one or more screens full of information about the message. Look for something that looks like this:

Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2116.outbound.protection.outlook.com [40.107.94.116])
	by b.mx.sonic.net (8.14.7/8.14.7) with ESMTP id 35T08etn045012
	(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
	for <my_address@my_domain>; Wed, 28 Jun 2023 17:08:42 -0700
There will be multiple "Received:" headers in the message, so you need to find the one that has "by *.mx.sonic.net," as that's the server that handed the message to Sonic's mail system. The IP address is in brackets; in this example, it's 40.107.94.116.
ankh wrote:And can I enter the IP into the blocklist list system?
I don't know that... sorry. I'm sure some other experts here can help. You may need to set up a procmail recipe to block them for you. Or, perhaps if you build a list showing the number of spams coming from a few IP addresses, you can share that with Sonic Support and request that those IP addresses get blocked by Sonic (it has been done before).
by ankh » Mon Jul 03, 2023 2:24 pm
> find the one that has "by *.mx.sonic.net," as that's the server that handed the message to Sonic's mail system.
> The IP address is in brackets; in this example, it's 40.107.94.116.

OK, would that be the IP address used by the original spam sender? If so, blocking that would be helpful?
Or could it just be the last of a chain of IPs through which the spam got forwarded?
by virtualmike » Mon Jul 03, 2023 8:35 pm
ankh wrote:OK, would that be the IP address used by the original spam sender? If so, blocking that would be helpful?
Or could it just be the last of a chain of IPs through which the spam got forwarded?
More likely, it's the former, but it possibly could be the latter. However, even if it is the latter, then the owner of that server should be ashamed for allowing spam to go through its system.

One point I neglected to make is that you should build a history of the IP addresses from which the spam is coming. A single spam from a particular server doesn't mean that server is being used for wholesale spamming.

When I make a request for having certain IP addresses blocked, I list each IP address, the dates/times that each spam was received, and the domain that is claimed within the spam. When I build that history (over a week or two), I often find that each of the domains has used more than one of the IP addresses, pretty much proving that it's a single operation generating the spew.

Requesting a block for the IP address of each individual spam doesn't really help Sonic's admins see the pattern. It's like the people who want to block every single phone number that calls their line, not understanding that many (if not most) of them are spoofed, which means that the phone spammer really isn't affected at all, while innocent people would get their numbers blocked for no valid reason.
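
An added example, not part of the original posts: a Python sketch of the two steps described above, pulling the bracketed IP from the "Received:" header written by *.mx.sonic.net and building a per-IP history of dates and claimed domains. The function names and the sample messages are constructed for illustration (documentation IP ranges and example domains), and the claimed domain is assumed to be the one in the From: header.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Hop where an outside server handed the message to Sonic's MX.
BOUNDARY = re.compile(r"\bby\s+\S+\.mx\.sonic\.net\b", re.I)
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def handoff_ip(msg):
    """Return (ip, datetime) from the topmost Received header added by *.mx.sonic.net."""
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())            # unfold continuation lines
        if not BOUNDARY.search(flat) or ";" not in flat:
            continue                            # some other hop; keep looking
        from_part = flat.split(" by ", 1)[0]    # bracketed IP sits in the "from" clause
        m = BRACKET_IP.search(from_part)
        if m:
            stamp = flat.rsplit(";", 1)[1].strip()
            return m.group(1), parsedate_to_datetime(stamp)
    return None, None

def build_history(raw_messages):
    """Map handoff IP -> list of (received time, domain claimed in From:)."""
    history = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        ip, when = handoff_ip(msg)
        if ip:
            domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
            history[ip].append((when, domain))
    return history

def repeat_sources(history, min_count=2):
    """Keep only IPs seen at least min_count times, entries sorted by time."""
    return {ip: sorted(h) for ip, h in history.items() if len(h) >= min_count}

def make_sample(ip, helo, domain, date):        # constructed test message
    return (f"Received: from {helo} ({helo} [{ip}])\n"
            f"\tby b.mx.sonic.net (8.14.7/8.14.7) with ESMTP id CONSTRUCTED\n"
            f"\tfor <my_address@my_domain>; {date}\n"
            f"Received: from internal.invalid ([10.0.0.5]) by relay.invalid; {date}\n"
            f"From: Deals <promo@{domain}>\nSubject: constructed sample\n\nbody\n")

SAMPLES = [
    make_sample("203.0.113.7", "mta1.example.net", "shop-a.example", "Wed, 28 Jun 2023 17:08:42 -0700"),
    make_sample("203.0.113.7", "mta1.example.net", "shop-b.example", "Thu, 29 Jun 2023 06:15:00 -0700"),
    make_sample("198.51.100.9", "mta2.example.net", "shop-a.example", "Fri, 30 Jun 2023 11:30:10 -0700"),
]
```

Only the topmost matching header is used because each server prepends its own "Received:" line; anything below the Sonic hop was supplied by the sending side and cannot be trusted.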
by ankh » Wed Jul 05, 2023 9:24 am
Well, I report each spam to Spamcop and their reports include the list of all the IP addresses used by the spammer. Supposedly, I think, Sonic uses Spamcop's blocklist -- but if so there's a long lag time before any individual spammer gets blocked by that system.
by virtualmike » Wed Jul 05, 2023 1:52 pm
I believe that SpamCop doesn't immediately add an IP address to its blocklists, as it waits until a sufficient number of reports that suggest the IP address is significantly used for spamming.
by ankh » Thu Jul 20, 2023 10:19 am
Well, I've added more than 60 "*@whatever" email addresses to my blocklist and I'm down to one or two fresh spams per day that get through (previously it was ten or twenty per day). I should have done this long ago.

I do wish we could do a collaborative collection sharing blocklist fodder, but I appreciate it would be a burden for staff to enable such a collective effort.


It would look like the existing tool for propagating spammers if you have more than one Sonic email address, thus:

Copy [cooperatively collected] Entries to your Mailbox Accounts
Overwrite (or add to) existing mailbox settings