Honeypot test - block email address instead of IP RSS Back to forum
@tomasz.sokolowski:
The Honeypot feature does not support blacklisting sender addresses which send emails to spamtrap addresses.
What you experience is called snowshoe spamming: as a snowshoe spreads the weight of a traveler across a wide area of snow, snowshoe spammers spread their spam output across many IPs and domains, diluting reputation metrics and evading filters. I.e., by the time one source IP gets listed by an online blacklist service or by the DHA/Honeypot test, they had already moved to another IP.
Please send us the following to :
• A short description of your setup (OS version, Exchange roles, are there any other filtering software affecting emails, secondary MXs, perimeter servers in between the senders and your server, etc.)
• The configuration file called orfent.ini (located in Program Files (x86)\ORF Fusion by default)
• .log files from the past 2-3 days (orfee-2015-01-14.log, orfee-2015-01-13.log, orfee-2015-01-12.log, located in Program Files (x86)\ORF Fusion by default). Please send raw .log files, Log Viewer CSV exports are not suitable.
I will review your configuration and make some suggestions to improve the filtering efficiency.
@tomasz.sokolowski: We've succesfully mitigated Snowshoeing at our organization by implemnting GreyListing across the board even for domains that pass SPF checks. The greylisting creates a long enough delay (15-25minutes) for the spammer's IP to be blocked by subsequent testing against DNS blacklists. We also saw a marked improvement in our detection rates by subscribing to the paid SpamHaus feed as well as a paid subscription to the Invaluement DNSBL. Some simply tweaks within ORF has had our detection rate skyrocket to 95% from the low to mid 70s with no increase in false positives.
@tomasz.sokolowski: This could be done as an external agent if you analyze the ORF logs in real time. The snowshoe style can be managed by looking at patterns in IP address, sender address and email subject (allowing for some random characters). You'd need to be careful about false positives since a sender address is easily spoofed - the real sender could be mis-tagged next time they email you.
@felipe.garcia:
We have done and experienced the same as felipe.garcia.
The option to GreyList even for domains that pass SPF checks made a huge difference in catch rates.
@tomasz.sokolowski: I believe this should be the default setting because it is so easily missed and makes such a big difference with almost no false positives. I would almost bet our catch rates went down significantly when this option was first introduced and it didn't get configured.
@mike.galbicka: We are considering this to be the new default option in the upcoming ORF version. Thank you for feedback.
So is this the new default? We'd love to see ~90% catch rates. We follow best practice guides and see ~70-80%
@_: It is the new default (that is, Greylisting is applied on SPF pass). 70-80% spam catch rate is very low, please contact our Customer Service (http://vamsoft.com/customer-service) to review the situation. Make sure to include a few recent log files and your configuration file orfent.ini for analysis.
I can't find a feature for blocking email address of the sender instead of IP.
Nowadays we get hundreds of dodgy emails from hundreds of unique IPs but most of the time from the same sender address. Unique IP will only send 1 email.
Wouldn't it be better to offer an option to block sender's address instead of IP ?
This would help dramatically in the war against malware.