Flood of "Legitimate" Spam

1

In the last two weeks or so, we have been getting flooded with "legitimate" spam. What I mean is that while the body of the message is clearly junk/spam, none of the domains are blacklisted. All seem to be registered. All seem to have an A/MX record. And they seem to have an endless supply of IP addresses. Domains like:

moluptakeblocks.com
elabs13.com
fitbankoat.com

My experience has been that if I block an IP address, it comes back on another address in the same /24. If I block the entire /24, it may come back with the third octet changed or in an entirely different range the next day.

I'm at a complete loss on what to do to fight this. . . and my users are really starting to become impatient. Any help would be appreciated.

Bill

by bill.schleifer 4 years ago
2

@bill.schleifer: The first and the last domains are now listed on Spamhaus DBL and SURBL: Combined: I assume you received these before they got listed (i.e., hit the spam trap addresses of these SURBL services).

Please send us your configuration file called orfent.ini (located in Program Files (x86)\ORF Fusion by default) and some recent .log files from the past few days (orfee-2014-10-31.log, orfee-2014-10-30.log) (also located in Program Files (x86)\ORF Fusion by default). Please send raw .log files, Log Viewer CSV exports are not suitable. Send the above files to .

I will review your current configuration and see if I can make some suggestions to improve the filtering efficiency. If that won't help, I recommend giving Spamhaus' commercial datafeed service a try:

http://www.spamhaus.org/datafeed/

It is updated more frequently than the free one. They offer a free 30-day trial and non-profit discounts.

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)

3

@Krisztián Fekete (Vamsoft): This problem is being suffered by a lot of us who have followed all of the best practices for our config. Would be great if a solution could be found within the product itself. Its efficiency has been drastically reduced over the years as the spammers have gotten smarter. Time for some changes IMHO.

by galbicka 4 years ago
(in reply to this post)

4

I'm getting the same sort of thing. Lots of spam getting through all of a sudden. All the sending domains are properly setup with reverse names etc. They went through a lot of work to legitimize these spamming hosts. I unfortunately am reliant on the dns blacklists and urlbls as a last resort and they aren't making it onto the list fast enough I suppose.

I guess I'll have to pay for spamhaus, but their free one was constantly giving me troubles with ORF with timeouts, and I'm certain I'm not high enough volume to warrant getting blacklisted. Hopefully not an issue with paid service. I see an example spam I just checked on is in their blacklist, but not any the free ones.

by CBGraham 4 years ago
5

@CBGraham: I am going to test their datafeed myself and see if it makes much of a difference. $250/year for a non profit is quite reasonable if it improves the catch rate.

by galbicka 4 years ago
(in reply to this post)

6

@galbicka: Are there any instructions posted on how to make the changes necessary to move from the free Spamhaus DNSBL and SURBL lists to their paid datafeed services?

by galbicka 4 years ago
(in reply to this post)

7

@galbicka: As far as I know, after applying for the free trial of the data feed service (or after paying for the subscription) you will get a customized query URL from Spamhaus, which you will need to set in ORF (either by updating the already existing definitions of Spamhaus ZEN and DBL, or adding new ones). So, for the DNSBL:

1. Start the Administration Tool and connect to the local or remote ORF instance
2. Navigate to the Blacklists / DNS Blacklists page
3. Double-click Spamhaus ZEN and select the Lookup tab
4. Replace zen.spamhaus.org with the customized lookup URL you received from Spamhaus
5. Click OK and save the configuration

For the DBL:

1. Start the Administration Tool and connect to the local or remote ORF instance
2. Navigate to the Blacklists / SURBL Test page
3. Double-click Spamhaus DBL and select the Lookup tab
4. Replace dbl.spamhaus.org with the customized lookup URL you received from Spamhaus
5. Click OK and save the configuration

I am not sure if the reply codes are the same for the free and commercial feeds, if they differ, you will need to update the Lookup results settings as well.

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)

8

@Krisztián Fekete (Vamsoft): Thanks. That is exactly what I did and appreciate the confirmation. Will monitor the results now and see what happens.

by galbicka 4 years ago
(in reply to this post)

9

@Krisztián Fekete (Vamsoft): "I am not sure if the reply codes are the same for the free and commercial feeds, if they differ, you will need to update the Lookup results settings as well. "

According to this blog post it looks like the Spamhaus DBL lookup codes should be changed.
http://www.spamhaus.org/news/article/713/changes-in-spamhaus-dbl-dnsbl-return-codes

The current Spamhaus DBL list for lookup results in Fusion only shows 127.0.1.2

I guess next I will have to check on the Zen settings.

by galbicka 4 years ago
(in reply to this post)

10

@galbicka: Forgot to note that I was told by Spamhaus that the return codes are the same for free and commercial feeds.

by galbicka 4 years ago
(in reply to this post)

11

@galbicka: There is an updated definition available with those response codes:

http://vamsoft.com/support/docs/knowledge-base/update-dnsbl-surbl

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)

12

@Krisztián Fekete (Vamsoft): Good to know. Zen responses look fine when compared to my current list.
http://www.spamhaus.org/faq/section/DNSBL%20Usage#200

by galbicka 4 years ago
(in reply to this post)

13

Thanks to everyone for your comments. Here's a quick update. I decided to use the commercial version of Spamhaus and ordered the free trial on Friday. The weekend was quiet and yesterday, we had almost no spam. I was pretty much rejoicing. . . until today. We're getting clobbered again. Legitimate domains like:
adlerhostforms.com
bessinhostpro.com
helpushellpyou.com (yes, two Ls in help)
onegreatprotein.com

And on and on. I've gotten at least 20 and they generally come in twos - same message, different sender and domain, same IP address. And all of it "legit." I will be touching base with the company Security Zones who is the retailer that sells the commercial version and, apparently also provides some degree of support. Yesterday, I was ready to "write the check." Today, not so much. . .

by bill.schleifer 4 years ago
14

@bill.schleifer: Snowshoe attacks usually utilize freshly created domains, and there is at least one service that I know of which lists such domains: Farsight NOD (Newly Observed Domains), it might be worth a try:

https://www.farsightsecurity.com/Services/NOD/

"NOD DNSBL consumers can use Farsight's cloud-based DNS servers if they do not wish to have the data exported to their local servers. Farsight's DNS servers for NOD DNSBL are publicly accessible but have a very low rate limit by default. NOD DNSBL customers must coordinate with Farsight to relax the NOD DNSBL rate limit for each of the customer's internal name server addresses."

So, if I understand correctly, their servers can be queried via DNS (they support rsync, too), but I found no information about the reply codes, and it seems they have a limit on free queries (again, zero information).

When I queried one of the domain names you mentioned (onegreatprotein.com) using nslookup (onegreatprotein.com.v1.bl.dns-nod.net) I received 127.0.0.8 back, not sure if that means a hit...

Their website is not very informative.

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)

15

So. . . I'm still pestered by this. I've been using the free trial of the pay side of Spamhaus and it has had little effect. When it began, I started playing "whack-a-mole" with IP Addresses. That quickly progressed to entire /24s. I had a moment yesterday and I started looking at the IP blacklist. I had over 100 addresses and about half were /24s. It was clear that many of these addresses were in /17 or /18 bunches. Clearly chasing /24s was getting to be as bad as chasing individual IP addresses. So. . .

I started doing whois on the addresses in bunches. I found that most of the addresses by far were from a company named B2 Net Solutions. The company that was a distant second was NephoScale Inc. In looking at those companies on the web, they both have a rep for hosting spam. So, I made the conscious and probably risky decision to range block all of the addresses listed in whois records for the various /18s I was checking. I know. . . it's a lot of addresses. But at this point, it may just be easier to have my community use the autosender white list or call us if there's an issue.

by bill.schleifer 4 years ago
16

@Krisztián Fekete (Vamsoft): I updated my definitions per your link but the lookup codes for Spamhaus DBL still don't look current.
http://www.spamhaus.org/news/article/713/changes-in-spamhaus-dbl-dnsbl-return-codes

by mike.galbicka 4 years ago
(in reply to this post)

17

@mike.galbicka: I double-checked this, it looks fine to me (I downloaded the definition file linked in our KB article and imported it):

http://imageshack.com/a/img537/5409/8bUMTC.jpg

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)

18

@Krisztián Fekete (Vamsoft): So why does mine only contain 127.0.1.2? I followed the import instructions in the linked article. You might want to verify this is getting overwritten as it should because my results seem to indicate it isn't. I will update these codes manually for now. Also, why don't the 102-106 results get selected as well?

by mike.galbicka 4 years ago
(in reply to this post)

19

@mike.galbicka: Most likely you have not checked the "Full import overwrite" checkbox when importing the updated definition file:

http://imageshack.com/a/img537/8559/eayEKh.jpg

102-106 responses are not checked by default as they may cause false positives (as these list abused legit sites), so we decided to leave it to our users to enable them if they are willing to risk blocking some legitimate emails. Spamhaus says these are quite safe to enable, but your mileage may vary.

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)
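To make the lookup mechanics discussed in posts 7, 14 and 19 concrete, here is an added example (not ORF code, and not from Vamsoft or Spamhaus) that builds the reversed-IP and domain query names, decodes the Spamhaus ZEN/DBL answers, and applies the "which codes count as a hit" setting. The return-code table is taken from Spamhaus' public documentation and is assumed current; the thread itself only names 127.0.1.2 and the 102-106 range. The DNS answers are constructed so the script runs offline; `example.test` and the IPs are placeholders.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Spamhaus ZEN/DBL return codes as published in Spamhaus' own documentation (assumed current;
# the thread itself only names 127.0.1.2 and the 102-106 "abused legitimate site" range).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS (snowshoe)", "127.0.0.4": "XBL",
             "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
DBL_CODES = {"127.0.1.2": "spam domain", "127.0.1.4": "phish domain",
             "127.0.1.5": "malware domain", "127.0.1.6": "botnet C&C domain",
             "127.0.1.102": "abused legit spam", "127.0.1.103": "abused spammed redirector",
             "127.0.1.104": "abused legit phish", "127.0.1.105": "abused legit malware",
             "127.0.1.106": "abused legit botnet C&C"}
DBL_IP_QUERY_ERROR = "127.0.1.255"  # DBL answers this when an IP, not a domain, is looked up
# Codes treated as hits by default: everything except the 102-106 abused-legit codes, which the
# thread says the updated ORF definition leaves unchecked for the admin to opt into.
DEFAULT_DBL_HITS = {c for c in DBL_CODES if int(c.rsplit(".", 1)[1]) < 100}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """1.2.3.4 queried against zone Z becomes 4.3.2.1.Z (octets reversed; IPv4 only here)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def surbl_query_name(domain: str, zone: str) -> str:
    """Domain lists take the bare domain prefixed to the zone, the form used with nslookup above."""
    return domain.strip(".").lower() + "." + zone

def evaluate(answers: Iterable[str], codes: Dict[str, str], enabled: set) -> Tuple[List[str], bool]:
    """Translate A records into list names; reject only if a code the admin enabled is present."""
    answers = list(answers)
    if DBL_IP_QUERY_ERROR in answers:
        raise ValueError("DBL refused the query: an IP address was looked up instead of a domain")
    return [codes.get(a, "unknown code " + a) for a in answers], any(a in enabled for a in answers)

def check_message(sender_ip: str, sender_domain: str, resolve: Callable[[str], List[str]],
                  dbl_hits: set = DEFAULT_DBL_HITS) -> Dict[str, object]:
    """Run the connecting IP through ZEN and the sender domain through DBL; return names and verdict."""
    zen_names, zen_hit = evaluate(resolve(dnsbl_query_name(sender_ip, "zen.spamhaus.org")),
                                  ZEN_CODES, set(ZEN_CODES))
    dbl_names, dbl_hit = evaluate(resolve(surbl_query_name(sender_domain, "dbl.spamhaus.org")),
                                  DBL_CODES, dbl_hits)
    return {"zen": zen_names, "dbl": dbl_names, "reject": zen_hit or dbl_hit}

# Constructed DNS answers standing in for live lookups so the example runs offline.
FAKE_DNS = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.3"],      # IP listed by CSS (snowshoe range)
            "example.test.dbl.spamhaus.org": ["127.0.1.102"]}  # domain listed as abused-legit only

def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])  # an empty answer means "not listed" (NXDOMAIN)
```

With the default hit set the abused-legit domain alone does not reject the message, which is the behaviour post 19 describes; passing `dbl_hits=set(DBL_CODES)` is the equivalent of ticking the 102-106 boxes.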

20

@Krisztián Fekete (Vamsoft): As I said, I followed the instructions, which included checking the "Full import overwrite" checkbox.

by mike.galbicka 4 years ago
(in reply to this post)

21

As soon as I started my free trial of the Spamhaus datafeed service it seemed my catch rates actually went down 10% instead of the expected other direction. I consulted with them to make sure everything was configured correctly and there were no problems. I switched back to the free and the catch rates stayed at the same lower level. The only possibility I see was at the same time as my initial switch some spam botnet was taken down to reduce the overall catch rates by about 10%. Yesterday I received this from their support and noticed today I have recovered that 10% loss and my catch rates are back to where they were a few weeks ago before I started using the datafeed. Anyone else see 10% swings lately? Their reply to me below shows they are aware of this problem and are taking actions to try and mitigate it.

"Hello, from what you write, it looks like the service is working as intended.

You are probably hit by a spammer that rotates IP and domains very rapidly and manages to go through by using new resources for a time of just a few minutes, abandoning them in the moment they get listed.

Yesterday we made some architectural changes to SBL (part of ZEN) to vastly decrease the amplitude of the time window that these guys can use before being listed, so the situation should have now improved."

by mike.galbicka 4 years ago
22

@mike.galbicka: As noted on a few other threads I am going to uncheck the Skip Greylisting if SPF true option also to see if that helps and bump up the timeout. Snowshoe spam is usually added to the SpamHaus block lists within a minute or two.

by mike.galbicka 4 years ago
(in reply to this post)

23

@mike.galbicka: "uncheck the Skip Greylisting if SPF true option"

This has helped a lot and increased catch rates 10% with no adverse effect. The majority of the snowshoe spam is now blocked.

by mike.galbicka 4 years ago
(in reply to this post)

24

@mike.galbicka: Thank you for that update, we are running out of possible tweaks to our blacklist tests but changing greylisting to not skip is something we've kept on reserve. If you saw your catch rates increase without a large increase in false positives that is promising. As an organization, snowshoe spam is probably the last bit of stuff that trickles in. I may follow your lead Mike and try that out as well. Thanks again.

by felipe.garcia 4 years ago
(in reply to this post)

25

@felipe.garcia: Just tweak the greylisting delay to be long enough for Spamhaus to have time to list the domain/IP. I think I am currently at 2 minutes.

by mike.galbicka 4 years ago
(in reply to this post)
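Posts 22 to 25 explain why greylisting catches snowshoe senders that pass SPF: the retry lands after the IP has been listed. The added simulation below (my own illustration, not ORF's greylisting implementation) models that timeline with a constructed "listed after 90 seconds" blocklist and the roughly 2 minute delay mentioned above; the IPs and addresses are placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Triplet = Tuple[str, str, str]  # (connecting IP, envelope sender, envelope recipient)

@dataclass
class Greylist:
    """Minimal greylisting state: a triplet is accepted only on a retry after the delay."""
    delay_seconds: int = 120         # the roughly 2 minute delay the thread settled on
    skip_if_spf_pass: bool = False   # the ORF option the thread recommends unchecking
    first_seen: Dict[Triplet, float] = field(default_factory=dict)

    def decide(self, triplet: Triplet, now: float, spf_pass: bool,
               is_listed: Callable[[str, float], bool]) -> str:
        """Return 'reject', 'tempfail' or 'accept' for one delivery attempt made at time `now`."""
        if is_listed(triplet[0], now):          # blocklist is consulted on every attempt, retries too
            return "reject"
        if self.skip_if_spf_pass and spf_pass:  # snowshoe senders publish valid SPF, so this lets them in
            return "accept"
        seen = self.first_seen.setdefault(triplet, now)
        return "accept" if now - seen >= self.delay_seconds else "tempfail"

# Constructed timeline: the snowshoe IP is listed 90 seconds after its first attempt; any other IP never is.
def listed_after_90s(ip: str, now: float) -> bool:
    return ip == "192.0.2.10" and now >= 90

def run_scenario(sender_ip: str, skip_if_spf_pass: bool) -> List[str]:
    """First attempt at t=0 with SPF passing; if greylisted, the sender retries at t=150."""
    gl = Greylist(skip_if_spf_pass=skip_if_spf_pass)
    triplet = (sender_ip, "news@example.test", "user@example.org")
    outcomes = [gl.decide(triplet, 0, True, listed_after_90s)]
    if outcomes[-1] == "tempfail":
        outcomes.append(gl.decide(triplet, 150, True, listed_after_90s))
    return outcomes
```

A legitimate sender pays only the one delay and is accepted on retry, while the snowshoe IP that would have been accepted on SPF alone is rejected once the retry is re-checked against the list.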
