Graymail broken?

General discussions and other topics.
26 posts Page 2 of 3
by johnv » Sun Dec 29, 2024 8:38 am
I got 102 spams this morning from .ovh and my wife got 106. Mostly sent between 4 and 6AM. I hope Sonic figures this out soon. I guess we may have to wait until Monday when everyone is back to work...unless they took the entire week off.
by patty1 » Sun Dec 29, 2024 10:00 am
The Sonic staff should be back tomorrow morning, although it's odd that they didn't post a status update about that. The latest one was from last week about their Christmas hours.

I looked at the raw headers of one of the OVH spam emails and the sending information looks straightforward:

Message-Id: <DmuiAsr.36936.250.qcV@servizistudio2.ovh>
From: T-boosting breakfast<infoWbWl@servizistudio2.ovh>

So I don't understand why a Blocklist Sender entry of *@*.ovh isn't working. Sure hope the Sonic folks can figure it out ASAP tomorrow.
by js9erfan » Sun Dec 29, 2024 10:36 am
On some email clients you can create a rule to send anything with ovh in the sender field to your trash/spam folder or delete them entirely so they don't clog your inbox. Doesn't hurt either to submit the raw source of these emails to Spamhaus, etc. https://submit.spamhaus.org/submit You can also report to ovh here: https://www.ovhcloud.com/en/abuse/

But yes, hopefully Sonic will address this soon.
by roger1 » Sun Dec 29, 2024 1:04 pm
What a time to find out that Outlook removed "Client Rules" as of Oct. 2020. You can however revert to "Classic Outlook" to get it back. I'll give Sonic time to look at SpamAssassin first.
by patty1 » Sun Dec 29, 2024 1:53 pm
I went ahead and added a rule in Apple Mail that says to send anything with "From" contains ".ovh" to Junk. Hopefully that will nuke tomorrow morning's flood of spam before the Sonic folks have a chance to dig into the issue. I tested it by moving some of this morning's spams back into my inbox and then applying the rule, and they disappeared.
by legenda » Sun Dec 29, 2024 5:40 pm
This topic is related to topic 18139 below.

The servers that run SpamAssassin are being overloaded, so lots of mail is bypassing SpamAssassin. That means that new SpamAssassin rules won't have much effect and that lots of mail that normally goes to Graymail will end up in Inbox.

The spam that seems to be coming from .ovh has several constant traits, but .ovh is not one of them. It has used other TLDs in the past and will probably use others in the future.

The most obvious trait is that the From: address always matches infoxxxx@*, where xxxx is four random characters. If you have a mail client that allows filters with wild cards, you can easily filter all of this spam.

Other traits are:
  • It always has Return-Path: <MAILER-DAEMON> as the first header
  • The first character after Date: is not a space
  • There is no white space immediately preceding < in the From: header
  • It always has co=RU spf=skip dkim=none in the X-Orthrus: header
These traits can easily be filtered with procmail, which works even when SpamAssassin is being bypassed.
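
Added example, not part of the post above and not Sonic's or procmail's own configuration: the five header traits listed in that post, checked in Python over raw headers so the exact whitespace is preserved. The trait names, the `min_extra` threshold and every sample header except the Message-Id and From lines quoted earlier in the thread are assumptions constructed for this example.

```python
import re

# "info" + four characters + "@", as described in the post (character class is an assumption)
FROM_INFO4 = re.compile(r"(?:^|[\s<:])info[^@\s<>]{4}@")

def parse_headers(raw):
    """Return [(lowercased name, raw unfolded line)] in order, whitespace untouched."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            break                                   # blank line ends the header block
        m = re.match(r"([^\s:]+):", line)
        if line[0] in " \t" and headers:            # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + line)
        elif m:
            headers.append((m.group(1).lower(), line))
    return headers

def flood_traits(raw):
    headers = parse_headers(raw)
    first = headers[0][1] if headers else ""
    get = lambda n: next((l for name, l in headers if name == n), "")
    frm, date, orthrus = get("from"), get("date"), get("x-orthrus")
    return {
        "from_info4": FROM_INFO4.search(frm) is not None,
        "bounce_first": re.fullmatch(r"Return-Path:\s*<MAILER-DAEMON>\s*", first) is not None,
        "date_no_space": len(date) > 5 and date[5] != " ",
        "no_space_before_lt": re.search(r"\S<", frm) is not None,
        "orthrus": all(t in orthrus for t in ("co=RU", "spf=skip", "dkim=none")),
    }

def is_flood_spam(raw, min_extra=2):
    """From pattern plus at least min_extra other traits (threshold is this example's choice)."""
    t = flood_traits(raw)
    extra = sum(v for k, v in t.items() if k != "from_info4")
    return t["from_info4"] and extra >= min_extra

def sample(first, date, frm, orthrus=None):         # builds a constructed test message
    lines = [first] + (["X-Orthrus: " + orthrus] if orthrus else []) + [date, frm, "", "body"]
    return "\n".join(lines)

SPAM = sample("Return-Path: <MAILER-DAEMON>", "Date:Sun, 29 Dec 2024 04:12:07 +0000",
              "From: T-boosting breakfast<infoWbWl@servizistudio2.ovh>",
              "co=RU spf=skip dkim=none")
OTHER_TLD = sample("Return-Path: <MAILER-DAEMON>", "Date:Sun, 29 Dec 2024 05:01:44 +0000",
                   "From: Deals<infoq7Zk@mail.example>", "co=RU spf=skip dkim=none")
LEGIT = sample("Return-Path: <bounce@example.org>", "Date: Sun, 29 Dec 2024 09:30:00 -0800",
               "From: Info Desk <infodesk@example.org>")
```

`LEGIT` matches the `infoxxxx@` pattern on its own, which is why the verdict also requires some of the other traits; none of the checks depends on the `.ovh` TLD.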
by virtualmike » Sun Dec 29, 2024 7:43 pm
lbennet wrote: Sun Dec 29, 2024 6:46 am This is clearly a spoofed domain (ovh)...
It's a valid domain: OVHCloud Worldwide, a French company.

https://www.ovhcloud.com/en/domains/
by linelle » Mon Dec 30, 2024 5:25 am
Success on two fronts! I created a rule sending the ovh to Junk (thanks for the reminder I have that tool at my disposal) *and* the rest (80+) ended up in Graymail (presumably by SpamAssassin?).
by roger1 » Mon Dec 30, 2024 9:25 am
So I saw a few ovh spam mails in the inbox around 0430, but as of 0922, none. Graymail did catch 4 others, but hopefully the flood is over.
by patty1 » Mon Dec 30, 2024 10:05 am
Good news with my email today, too. Only four .ovh emails escaped Sonic's filters, and those were caught by the rule I added to Apple Mail yesterday. So not a single .ovh spam in my Inbox today, yay!