Flood of "Legitimate" Spam - ORF Forums

In the last two weeks or so, we have been getting flooded with "legitimate" spam. What I mean is that while the body of the message is clearly junk/spam, none of the domains are blacklisted. All seem to be registered. All seem to have an A/MX record. And they seem to have an endless supply of IP addresses. Domains like:

moluptakeblocks.com
elabs13.com
fitbankoat.com

My experience has been that if I block an IP address, it comes back on another address in the same /24. If I block the entire /24, it may come back with the third octet changed or in an entirely different range the next day.

I'm at a complete loss on what to do to fight this. . . and my users are really starting to become impatient. Any help would be appreciated.

Bill

@Krisztián Fekete (Vamsoft): This problem is being suffered by a lot of us who have followed all of the best practices for our config. Would be great if a solution could be found within the product itself.It's efficiency has been drastically reduced over the years as the spammers have gotten smarter. Time for some changes IMHO.

I'm getting the same sort of thing. Lots of spam getting through all of a sudden. All the sending domains are properly setup with reverse names etc. They went through a lot of work to legitimize these spamming hosts. I unfortunately am reliant on the dns blacklists and urlbls as a last resort and they aren't making it onto the list fast enough I suppose.

I guess I'll have to pay for spamhaus, but their free one was constantly giving me troubles with ORF with timeouts, and I'm certain I'm not high enough volume to warrant getting blacklisted. Hopefully not an issue with paid service. I see an example spam I just checked on is in their blacklist, but not any the free ones.

@CBGraham: I am going to test their datafeed myself and see if it makes much of a difference. $250/year for a non profit is quite reasonable if it improves the catch rate.

@galbicka: Are there any instructions posted on how to make the changes necessary to move from the free Spamhaus DNSBL and SURBL lists to their paid datafeed services?

@Krisztián Fekete (Vamsoft): Thanks. That is exactly what I did and appreciate the confirmation. Will monitor the results now and see what happens.

@Krisztián Fekete (Vamsoft): "I am not sure if the reply codes are the same for the free and commercial feeds, if they differ, you will need to update the Lookup results settings as well. "

According to this blog post it looks like the Spamhaus DBL lookup codes should be changed.
http://www.spamhaus.org/news/article/713/changes-in-spamhaus-dbl-dnsbl-return-codes

The current Spamhaus DBL list for lookup results in Fusion only shows 127.0.1.2

I guess next I will have to check on the Zen settings.

@galbicka: Forgot to note that I was told by Spamhaus that the return codes are the same for free and commercial feeds.

@Krisztián Fekete (Vamsoft): Good to know. Zen responses look fine when compared to my current list.
http://www.spamhaus.org/faq/section/DNSBL%20Usage#200

Thanks to everyone for your comments. Here's a quick update. I decided to use the commercial version of Spamhaus and ordered the free trial on Friday. The weekend was quiet and yesterday, we had almost no spam. I was pretty much rejoicing. . . until today. We're getting clobbered again. Legitimate domains like:
adlerhostforms.com
bessinhostpro.com
helpushellpyou.com (yes, two Ls in help)
onegreatprotein.com

And on and on. I've gotten at least 20 and they generally come in twos - same message, different sender and domain, same IP address. And all of it "legit." I will be touching base with the comapny Security Zones who is the retailer that sells the commercial version and, apparrently also provides some degree of support. Yesterday, I was ready to "write the check." Today, not so much. . .

So. . . I'm still pestered by this. I've been using the free trial of the pay side of Spamhaus and it has had little effect. When it began, I started playing "whack-a-mole" with IP Addresses. That quicly progressed to entire /24s. I had a moment yeseterday and I started looking at the IP blacklist. I had over 100 addresses and about half were /24s. It was clear that many of these addresses were in /17 or /18 bunches. Clearly chasing /24s was getting to be as bad as chasing individual IP addresses. So. . .

I started doing whois on the addresses in bunches. I found that most of the address by far were from a company named B2 Net solutions. The company that was a distant second was NephoScale Inc. In looking a those companies on the web, they both have a rep for hosting spam. So, I made the conscious and probably risky decision to range block all of the addresses listed in whois records for the various /18s I was checking. I know. .. it's a lot of addresses. But at this point, it may just be easier to have my community use the autosender white list or call us if there's an issue.

@Krisztián Fekete (Vamsoft): I updated my definitions per your link but the lookup codes for Spamhaus DBL still don't look current.
http://www.spamhaus.org/news/article/713/changes-in-spamhaus-dbl-dnsbl-return-codes

@Krisztián Fekete (Vamsoft): So why does mine only contain 127.0.1.2? I followed the import instructions in the linked article. You might want to verify this is getting overwritten as it should because my results seem to indicate is isn't. I will update these codes manually for now. Also, why don't the 102-106 results get selected as well?

@Krisztián Fekete (Vamsoft): As I said I followed the instructions which included check the "Full import overwrite" checkbox

As soon as I started my free trial of the Spamhaus datafeed service it seemed my catch rates actually went down 10% instead of the expected other direction. I consulted with them to make sure everything was configured correctly and there were no problems. I switched back to the free and the catch rates stayed at the same lower level. The only possibility I see was at the same time as my initial switch some spam botnet was taken down to reduce the overall catch rates by about 10%. Yesterday I received this from their support and notice today I have recovered that 10% loss and my catch rates are back to where they were a few weeks ago before I started using the datafeed. Anyone else see 10% swings lately? Their reply to me below shows they are aware of this problem and are taking actions to try and mitigate it.

"Hello, from what you write, it looks like the service is working as intended.

You are probably hit by a spammer that rotates IP and domains very rapidly and manages to go through by using new resources for a time of just a few minutes, abandoning them in the moment they get listed.

Yesterday we made some architectural changes to SBL (part of ZEN) to vastly decrease the amplitude of the time window that these guys can use before being listed, so the situation should have now improved."

@mike.galbicka: As noted on a few other threads I am going to uncheck the Skip Greylisting if SPF true option also to see if that helps and bump up the timeout. Snoeshoe spam is usually added to the SpamHaus block lists within a minute or two.

@mike.galbicka: "uncheck the Skip Greylisting if SPF true option"

This has helped a lot and increased catch rates 10% with no adverse effect. The majority of the snowshoe spam is now blocked.

@mike.galbicka: Thank you for that update, we are running out of possible tweaks to our blacklist tests but changing greylisting to not skip is something we've kept on reserve. If you saw your catch rates increase without a large increase in false positives that is promising. As an organization, snowshoe spam is probably the last bit of stuff that trickles in. I may follow your lead Mike and try that out as well. Thanks agian.

@felipe.garcia: Just tweak the greylisting delay to be long enough for Spamhaus to have time to list the domain/IP. I think I am currently at 2 minutes.