
Re: Graymail broken?

Posted: Mon Dec 30, 2024 4:26 pm
by js9erfan

Re: Graymail broken?

Posted: Thu Jan 09, 2025 11:10 am
by legenda
I saw 73 spam messages from infoxxxx@* (xxxx=any 4 characters) today sent from 5:02am to 5:52am. None of them was from *.ovh. They all had random fake three letter TLDs.

In addition to the traits I listed above, they also all tripped the SpamAssassin rule INVALID_DATE which I forgot to mention above, so adjusting the score for INVALID_DATE would allow SpamAssassin to catch all of them.

Re: Graymail broken?

Posted: Wed Jan 15, 2025 3:39 pm
by dodge4
Once again, for the last 3 days the .ovh suffix spam garbage truck has dumped almost 90 scam emails, this time caught by graymail, but some legit email is sometimes caught, so I have to waste time sorting through the mess. Nobody benefits, all are annoyed, and a few are victimized - clicking on an impersonated email and a computer is infected. All .ovh is spam and could be blocked before even reaching graymail. You successfully block hard core pornography and hate group email; obvious scammers could be too.
dodge4

Re: Graymail broken?

Posted: Tue Jan 28, 2025 6:42 am
by linelle
The spam is flooding into my inbox fast and furious right now, 1/28/25, 6:41 a.m. Faster than I can delete it. Can someone please plug that hole?

Re: Graymail broken?

Posted: Wed Mar 05, 2025 10:35 pm
by legenda
The most consistent feature of the spam that seems to come from .ovh (and occasionally other TLDs) is that the first part of the From: address is always infoxxxx@ where xxxx is four random characters.

SpamAssassin has two wildcards: * which matches any number of any characters and ? which matches exactly one character.

The obvious way to block all of this spam is to Blocklist From info????@*. However, if you try that the result is

"info????@*" contains invalid characters. Please try again.

due to a bug in Member Tools which blocks ?.

Fortunately there is a workaround. Just Blocklist From infoxxxx@* and then edit the resulting entry to replace xxxx with ????. Member Tools does not block ? when editing an entry.

This will block all of this type of spam no matter what TLD they use. It will not, however, block it when the mail servers get overloaded and allow mail to skip SpamAssassin as they did a couple of months ago. If you want to be immune to SpamAssassin overload, you need to use procmail.
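
An added illustration, not part of the original posts and not SpamAssassin's own code: a small Python model of the glob matching described in the post above (* for any run of characters, ? for exactly one), run against constructed From: headers. The function names and sample addresses are assumptions, as is case-insensitive matching on the address part only; the last sample shows that a legitimate address such as infodesk@ also fits info????@*.

```python
import re
from email.utils import parseaddr


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a blocklist glob into a case-insensitive regex.

    Only * and ? act as wildcards; every other character is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # any number of any characters
        elif ch == "?":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def is_blocked(from_header: str, pattern: str) -> bool:
    """Match the address part of a From: header against one glob."""
    _, addr = parseaddr(from_header)
    return bool(addr) and glob_to_regex(pattern).fullmatch(addr) is not None


PATTERN = "info????@*"

# Constructed sample headers (hypothetical, not taken from real mail).
SAMPLES = [
    "info7kq2@mail.example.ovh",              # four characters, .ovh
    '"Billing" <infoA1b2@host.example.xyz>',  # display name, other TLD
    "info@example.com",                       # nothing after "info"
    "info123@example.com",                    # only three characters
    "information@example.org",                # seven characters
    "infodesk@example.net",                   # legitimate-looking, four characters
]


def classify(headers, pattern=PATTERN):
    """Return {header: True if the pattern would block it}."""
    return {h: is_blocked(h, pattern) for h in headers}


if __name__ == "__main__":
    for header, blocked in classify(SAMPLES).items():
        print(f"{'BLOCK' if blocked else 'pass '}  {header}")
```
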

Re: Graymail broken?

Posted: Tue Mar 11, 2025 11:03 am
by joemuller
legenda wrote: The most consistent feature of the spam that seems to come from .ovh (and occasionally other TLDs) is that the first part of the From: address is always infoxxxx@ where xxxx is four random characters.

SpamAssassin has two wildcards: * which matches any number of any characters and ? which matches exactly one character.

The obvious way to block all of this spam is to Blocklist From info????@*. However, if you try that the result is

"info????@*" contains invalid characters. Please try again.

due to a bug in Member Tools which blocks ?.

Fortunately there is a workaround. Just Blocklist From infoxxxx@* and then edit the resulting entry to replace xxxx with ????. Member Tools does not block ? when editing an entry.

Thank you for reporting the bug with the 'Blocklist From' entries - I've passed this along to our Programming team for review. That pattern ('info????@*') should be allowed and will indeed block the pattern you were seeing.

Concerning spam from .ovh, we're continuing to revise our incoming mail systems to slow down and reject anything that is coming from a known spam domain or abuse-heavy virtual server providers.

-- Joe M