Spam filtering hiccup?

General discussions and other topics.
21 posts Page 2 of 3
by advmkt » Fri Mar 29, 2024 5:07 pm
I feel kind of dumb because I should have looked at the spam emails more closely, but I just checked and almost EVERY SINGLE spam landing in my Graymail for the last few days has a from address in this pattern:
support.+<sonic-user-name>=yahoo.com@<random-first-name><random-single-digit-number><random-last-name><random-single-digit-number><random-job-title>.com.ch

I received 42 of these emails today and almost 70 yesterday.

For example, here are some of the from email addresses:
support.+advmkt=yahoo.com@barry1moore5hygienist.com.ch
support.+advmkt=yahoo.com@harold2morris3carpenter.com.ch
support.+advmkt=yahoo.com@jacob9ramos9businessperson.com.ch

Now that I see the pattern, I added this to my Sonic blocklist:
support.+advmkt*yahoo.com@*
Note that "=" is not a valid character (according to the blocklist entry form) so I put a "*" there instead.

I'm sure the spammer will switch up their pattern in the next few days, but at least I'll stop the onslaught for now!
by patty1 » Sat Mar 30, 2024 1:53 pm
Wow, you're right, advmkt. I have many more messages in graymail than usual, and all the ones I checked were in the format you mentioned. Kudos to Sonic for keeping all of those out of my inbox!
by dodge4 » Sun Mar 31, 2024 2:50 pm
Yes, this has recently gone beyond ridiculous; spam has gone from 10 or less a day to over 50, almost all from URLs of garbled random characters ending in .ch, which could be filtered before it even gets into Sonic's system and our graymail. An optical character reader or AI guided system would do the job. To almost all it is annoying but poses a risk of a computer virus infection if inadvertently clicked. A small number of the most vulnerable customers will be victimized, as noted in a recent Press Democrat article. I have Gmail and Yahoo accounts used for online orders and almost never receive spam. Sonic is great with prompt communication and other types of problem resolution but needs to focus on spam filtering before it gets to our graymail.
by kgc » Mon Apr 01, 2024 5:28 pm
dodge4 wrote: Sun Mar 31, 2024 2:50 pm Sonic is great with prompt communication and other types of problem resolution but needs to focus on spam filtering before it gets to our graymail.
Our focus is to do our best to make sure that spam does not reach your INBOX. Things are functioning correctly if it's being routed to your Graymail folder. We do, of course, enforce what rules we can upon receiving messages, but as users have no control or visibility there we will always err on the side of caution and only discard messages or senders that we have exceedingly high confidence are spam.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by advmkt » Tue Apr 02, 2024 9:59 am
Kelsey has a good point. If spam is filling up your Graymail and not hitting your inbox, then the system is working. The issue that was bothering me was that I like to peek at the Graymail daily to make sure that no legit email landed there, and suddenly there was so much Graymail (I say "was" because I stemmed the tide (details below)) that it took more time to look. To be honest though, getting 100 Graymail a day versus the usual 5 only takes a couple minutes to look through. It's just weird that 99% of the Graymail was following this pattern (more detail in my prior post):
support.+<sonic-user-name>=yahoo.com@<random-first-name><random-single-digit-number><random-last-name><random-single-digit-number><random-job-title>.com.ch

Here is how I stemmed the tide:
Initially, I added the pattern "support.+advmkt*yahoo.com@*" to my blocklist (accessible here: https://members.sonic.net/email/spam/we ... t_address/ )
but the Graymail emails were still flooding in. I looked at the SpamAssassin headers of the new Graymail and saw:

Code:
 pts rule name              description
---- ---------------------- --------------------------------------------------
 100 USER_IN_BLOCKLIST      From: user is listed in the block-list
Ahh... so my blocklist rule was working and what I did when I added the pattern to my blocklist was guarantee that these emails would land in Graymail, so from outside appearances, nothing changed. So I poked around the settings here:
https://members.sonic.net/email/spam/filtering/
and under "Blocklisted Message Handling" I selected "Discard messages matching Blocklists". This causes email addresses that match any entry in your blocklist to be immediately disposed of, never to be seen. Since the aforementioned pattern was the only entry in my blocklist, I wasn't worried about missing anything legit, and voila, it worked!

Either my blocklist rules are working or something else has changed, because I have zero Graymail today.

Thanks for reading,
Pilvi Lease
by virtualmike » Tue Apr 02, 2024 4:18 pm
Seeing the address pattern, I wonder if multiple Sonic members' addresses were in a recent breach, leading to the huge influx of spam for those members. Some spammers aren't very judicious and just start hammering their victims, which allows identifying patterns quickly.

A few years ago, one of the aliases for my work email address (an alias that I'd never used publicly!) suddenly started getting over a dozen spams a day. All of the senders' addresses sounded very businesslike, but the sudden spike made me wary. Examining the Received: headers allowed me to quickly determine the spew was coming from just four IP addresses. I shared them with the CIO and the flood stopped.
by kgc » Tue Apr 02, 2024 4:26 pm
One of our engineers has been debugging SpamAssassin's behavior around this particular spam run and associated DNS timeouts and failures. We noticed this because of increased load and queue depth in the mail cluster caused by poor (in this case, anyway) SA's DNS retry and timeout behavior leading to greatly increased concurrent delivery processes running. At the very least, we'll end up with better tuning of our installation to reduce any further issues with similarly broken spam domains.

I see no reason to think there's anything unusual here like a particular breach or that the messages were specifically crafted to cause problems for SA. But I would suggest that you enroll in https://haveibeenpwned.com/ as well as any of the other 'darkweb' monitoring services out there.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by apl » Wed Apr 03, 2024 1:53 pm
For a few days I was getting 70+ messages per day in graymail, plus a few more leaking into my inbox.
Since adding the following recipe, designed to catch the from address pattern someone noted above, to my .procmailrc-first a little more than 48 hours ago, I have had a total of 4 messages in graymail, with the rest being deleted:

Code:

# Discard any message whose From line carries the spam-run sender pattern
# (support.+<user>=yahoo.com@...ch); \+ and \. match the literal characters.
:0
* ^From.*support\.\+apl=yahoo\.com.*ch
/dev/null
(if anyone else wants to use this, replace my user name with your own)

I am, of course, aware that
1) Sending mail directly to /dev/null (i.e. deleting it) is inherently risky. As Kelsey notes that's why we generally use graymail instead. But that pattern is weird enough that the risk of false positives is essentially 0.
2) Spam filtering is an ongoing game of whac-a-mole, where once you block one attack avenue, the spammers find another one, so it's generally not even worth the time to try to block a specific source. In this case, though, getting rid of 98% of the spams I was getting seemed worth it, even if it only applies for a few days. And if the SpamAssassin server is still struggling with the load, Sonic could easily do this on a system-wide level.
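As an added example (not code from any poster in this thread), here is a Python check that applies the From-address pattern advmkt described, next to a translation of apl's procmail condition, to a few constructed messages. The username "advmkt", the sample messages, and the function names are assumptions; the two sender addresses taken from the thread are used as positive cases.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Strict regex for the sender pattern described in the thread:
#   support.+<user>=yahoo.com@<first><digit><last><digit><title>.com.ch
# Anchored at both ends and parameterised by the local username.
def spam_run_pattern(username: str) -> re.Pattern:
    return re.compile(
        r"^support\.\+" + re.escape(username)
        + r"=yahoo\.com@[a-z]+\d[a-z]+\d[a-z]+\.com\.ch$",
        re.IGNORECASE,
    )

# Looser regex equivalent to apl's procmail condition: any "ch" after the
# yahoo.com part is enough, applied to the raw header line as procmail does.
def procmail_pattern(username: str) -> re.Pattern:
    return re.compile(
        r"^From.*support\.\+" + re.escape(username) + r"=yahoo\.com.*ch",
        re.IGNORECASE,
    )

def matches_spam_run(raw_message: str, username: str) -> bool:
    """Parse the headers and test the From: address against the strict pattern."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return bool(spam_run_pattern(username).match(addr))

def matches_procmail(raw_message: str, username: str) -> bool:
    """Apply the procmail-style condition to each raw header line."""
    headers = raw_message.split("\n\n", 1)[0].splitlines()
    pat = procmail_pattern(username)
    return any(pat.match(line) for line in headers)

# Constructed sample messages (hypothetical, built for this example).
SAMPLES = [
    "From: support.+advmkt=yahoo.com@barry1moore5hygienist.com.ch\nSubject: a\n\nbody\n",
    "From: \"H\" <support.+advmkt=yahoo.com@harold2morris3carpenter.com.ch>\nSubject: b\n\nbody\n",
    "From: friend@example.org\nSubject: lunch\n\nbody\n",
    # Same local part but a plain .ch domain: strict regex rejects, procmail accepts.
    "From: support.+advmkt=yahoo.com@legit-vendor.ch\nSubject: c\n\nbody\n",
]

def count_matches(messages, username, checker=matches_spam_run) -> int:
    return sum(checker(m, username) for m in messages)

if __name__ == "__main__":
    for m in SAMPLES:
        print(matches_spam_run(m, "advmkt"), matches_procmail(m, "advmkt"))
```

The last sample shows why the anchored regex is preferable when the action is to discard rather than route to Graymail: the looser condition also fires on it.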
by advmkt » Fri Apr 05, 2024 8:38 am
Here is a follow up to my attempt to filter the relentless spam. I've had great success! Since I have enabled the filtering (similar to apl's filter) that I detailed here on March 29, I have received only about one or two spam in my inbox and one or two Graymail per day, versus the 50 to 80 Graymail I was receiving before I utilized the blocklist filter.
by patty1 » Fri Apr 05, 2024 2:17 pm
Thanks to advmkt for handing me the right syntax to use in my blocklist. I already had the setting enabled to delete blocklisted items rather than delivering them to graymail, so implementing the new block has prevented any new spam from getting to my graymail mailbox since this morning.

I, too, am always cautious about tweaking settings that might result in legitimate mail getting deleted, but the specificity of that new blocklist entry won't catch anything I wanted to receive.