out of control spam

CCGTECH
Posts: 92
Joined: Thu Apr 25, 2013 4:59 am
How did you hear about Mailcleaner: open source community
Location: West Hollywood, CA

out of control spam

Postby CCGTECH » Tue Mar 24, 2015 2:12 am

Hi All,

This is the reason I did a new deployment of MC in the first place. Spam is out of control for many users in this environment, and I have not been able to determine the root cause. It seems the spam is arriving from outside through MC, but MC will not filter any of this spam. I've enabled all filters, yet most of this junk still gets through. Most of it seems to be coming from a .work TLD. Anyone else having this problem? Fix? Thanks.
Attachments: spam1.jpg, spam2.jpg, spam3.jpg
cglmicro
Posts: 291
Joined: Thu Mar 07, 2013 2:12 am
How did you hear about Mailcleaner: google

Re: out of control spam

Postby cglmicro » Tue Mar 24, 2015 3:07 am

Is there a bunch of unrelated sentences at the end of every mail? Like some piece of text from other forums, just to confuse Bayesian filters?

Re: out of control spam

Postby CCGTECH » Tue Mar 24, 2015 3:55 am

Yes, there usually is some paragraph with random garbage to fool the filter.

For example:

My grandmother lives around the corner from here and I have, quite literally, grown up on the biltong. I was born & raised in New York but visited LA 1-2x per year since childhood. Without fail, after I said hello to my Grandma, I would immediately walk over to the Sausage Kitchen for my biltong fix. I have bought biltong to take with me on travel all over the world and on cross country road trips. My 13 cousins, whom grew up everywhere from LA to New Mexico to Illinois to New York, all have the same story. This place is a big part of our lives!

This fine establishment has been family owned for 3 generations now (I think) and that is something you don't see in LA very often. I now actually live in LA and I still get my biltong and sausages from the Kitchen when I come over to my Grandma's house. The food is always great quality, fresh, clean, consistent and delicious. Love this place.80412fadc60b794e97e077859e8402bf

Re: out of control spam

Postby cglmicro » Tue Mar 24, 2015 1:19 pm

I had the exact same emails. The only way I was able to reduce a lot of it was by refusing delivery from the /24 segment, since they send from 107.182.137.18, then .64, then .200, and they stop for a few days from this IP only to come back later with IPs in the same range.

Here are the segments I added in CONFIGURATION / SMTP / CONNECTION CONTROL / REJECT CONNECTION FROM THESE HOSTS. This is my own RBL for "spammer friendly hosts"; I never got a false positive from this over my hundreds of domains / thousands of users:

Code:

107.182.137.0/24
142.0.195.0/21
157.55.0.0/24
157.55.234.0/24
174.47.100.0/24
178.216.242.0/20
181.119.207.0/24
185.44.107.0/24
193.188.255.0/24
198.20.78.0/24
198.59.98.0/24
198.59.123.0/20
198.159.180.0/24
199.91.52.0/23
199.122.125.0/24
206.82.200.0/24
207.66.3.0/24
207.188.132.0/23
207.200.40.0/24
207.66.25.0/24
207.66.3.0/24
207.66.58.0/24
207.66.66.0/24
208.123.118.0/24
208.123.122.0/24
208.88.154.0/24
209.172.40.211
37.143.114.0/24
46.30.151.0/24
5.149.128.0/21
5.175.175.0/17
5.175.99.0/24
5.231.28.0/24
5.231.248.0/24
66.231.88.239
66.55.116.44
66.22.159.238
69.22.177.0/24
69.64.28.0/24
74.121.52.28
89.167.206.0/24
91.222.207.0/24
91.244.120.0/24
91.247.76.0/24
94.103.174.0/24
23.95.24.201
217.174.152.111
146.0.78.120
207.66.112.0/24
96.46.177.0/24
173.233.131.0/24
173.237.63.0/24
173.233.158.0/24
104.144.164.0/24
204.74.244.0/24
204.74.246.0/24
204.74.247.0/24
138.128.6.0/24
94.73.19.0/24
94.73.39.0/24
138.128.4.0/24
207.188.187.0/24
94.73.37.0/24
173.0.157.0/24
207.66.103.0/24
207.66.88.0/24
94.73.38.0/24
206.206.183.0/24
207.66.93.0/24
66.172.86.0/24
66.172.89.0/24
207.66.34.0/24
173.233.139.0/24
199.204.46.0/24
94.73.40.0/24
199.168.138.0/24
104.144.162.0/24
173.237.6.0/24
94.73.46.0/24
170.130.76.0/24
198.59.185.0/24
198.41.96.0/24
207.188.180.0/24
173.233.140.0/24
104.144.169.0/24
207.66.97.0/24
104.144.172.0/24
94.73.41.0/24
103.255.220.0/24
207.188.181.0/24
104.243.24.0/24
104.144.161.0/24
206.206.168.0/24
104.144.163.0/24
104.243.27.0/24
104.144.168.0/24
104.245.25.0/24
104.243.25.0/24
206.206.175.0/24
207.188.174.0/24
23.250.106.0/24
104.144.170.0/24
207.66.80.0/24
195.230.22.0/24
23.229.35.0/24
104.144.165.0/24
23.229.73.0/24
104.243.26.0/24
104.144.166.0/24
104.243.19.0/24
104.144.171.0/24
69.4.81.0/24
104.243.29.0/24
104.144.174.0/24
104.243.22.0/24
69.4.80.0/24
104.243.30.0/24
69.4.91.0/24
69.58.0.0/24
69.58.7.0/24
69.4.92.0/24
69.4.94.0/24
202.69.241.0/24
216.246.109.0/24
162.248.7.0/24
172.246.241.0/24
192.228.107.0/24
198.52.235.0/24
63.223.69.0/24
178.156.217.0/24
198.52.128.0/24
165.254.153.0/24
162.144.117.0/24
190.103.240.0/24
63.223.72.0/24
5.255.95.0/24
200.147.34.0/24
113.190.168.0/24
198.210.56.0/24
208.75.123.0/24


After this, if you want to monitor the rejected connections in real time, you can open an SSH window on your master and each slave and run:

Code:

tail /var/mailcleaner/log/exim_stage1/mainlog -n 500 -f | egrep "ACL: blacklisted host:"

You should see IPs within the blocked ranges. You need to CTRL+C and rerun each morning because the tail will end every day at 0h00.

You should also add some other RBLs at different stages, like the ones mentioned in the other thread, SUPER RBL FUN PACK.
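Before pasting a list like the one above into the reject-connection box, and while watching the `ACL: blacklisted host:` lines the tail command shows, it helps to sanity-check the list and count which entries are actually firing. The script below is an added example, not MailCleaner's own code. It uses a small constructed subset of the posted list (including one repeated entry, 207.66.3.0/24, and one prefix with host bits set, 5.175.175.0/17) and constructed log lines; the only thing it relies on from the real Exim log is the `ACL: blacklisted host:` marker and the bracketed `[a.b.c.d]` remote address, the rest of the line layout is assumed.

```python
"""Lint a MailCleaner "reject connection from these hosts" list and tally the
refusals it produces in the stage-1 Exim log (added example, not MailCleaner code)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Marker the thread greps for in /var/mailcleaner/log/exim_stage1/mainlog.
REJECT_MARKER = "ACL: blacklisted host:"
# Exim writes the remote address in square brackets; the rest of the line
# layout is an assumption of this example.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed subset of the list posted above: one entry is repeated and one
# prefix (5.175.175.0/17) has host bits set.
SAMPLE_BLOCKLIST = """\
107.182.137.0/24
207.66.3.0/24
207.66.3.0/24
5.175.175.0/17
209.172.40.211
"""

# Constructed log lines; 107.182.137.18 and .64 are the senders the thread
# mentions, 198.51.100.9 is a documentation address that is on no list here.
SAMPLE_LOG = [
    "2015-03-24 10:01:02 H=(mx1) [107.182.137.18] F=<a@example.test> rejected RCPT <u@example.test>: ACL: blacklisted host: 107.182.137.18",
    "2015-03-24 10:01:05 H=(mx1) [107.182.137.64] F=<b@example.test> rejected RCPT <u@example.test>: ACL: blacklisted host: 107.182.137.64",
    "2015-03-24 10:01:09 H=(mx2) [5.175.130.7] F=<c@example.test> rejected RCPT <u@example.test>: ACL: blacklisted host: 5.175.130.7",
    "2015-03-24 10:02:00 1YdLwQ-0007uR-El Completed",
    "2015-03-24 10:02:30 H=(mx3) [198.51.100.9] F=<d@example.test> rejected RCPT <u@example.test>: ACL: blacklisted host: 198.51.100.9",
]


def parse_entry(entry):
    """A bare address becomes a /32; strict=False accepts prefixes with host
    bits set and silently widens them (5.175.175.0/17 -> 5.175.128.0/17)."""
    return ip_network(entry.strip(), strict=False)


def load_blocklist(text):
    """(raw entry, network) pairs in file order, skipping blanks, comments and repeats."""
    entries, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line in seen:
            continue
        seen.add(line)
        entries.append((line, parse_entry(line)))
    return entries


def lint_blocklist(text):
    """Flag what an admin should re-check before pasting the list into MailCleaner:
    duplicates, prefixes whose host bits are set (the range actually blocked
    differs from what was written), and entries already covered by a wider one."""
    report = {"duplicates": [], "non_aligned": {}, "shadowed": {}}
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            if line in seen:
                report["duplicates"].append(line)
            seen.add(line)
    entries = load_blocklist(text)
    for raw, net in entries:
        if "/" in raw and str(net) != raw:
            report["non_aligned"][raw] = str(net)
        for other_raw, other in entries:
            if other_raw != raw and net.subnet_of(other):
                report["shadowed"][raw] = other_raw
                break
    return report


def rejected_hosts(log_lines, entries):
    """Count refused connections per list entry; addresses refused but not covered
    by any entry are returned separately so other reject sources stay visible."""
    hits, unmatched = Counter(), []
    for line in log_lines:
        if REJECT_MARKER not in line:
            continue
        m = IP_RE.search(line)
        if not m:
            continue
        addr = ip_address(m.group(1))
        for raw, net in entries:
            if addr in net:
                hits[raw] += 1
                break
        else:
            unmatched.append(str(addr))
    return hits, unmatched


if __name__ == "__main__":
    print(lint_blocklist(SAMPLE_BLOCKLIST))
    print(rejected_hosts(SAMPLE_LOG, load_blocklist(SAMPLE_BLOCKLIST)))
```

On the sample, the lint reports the repeated 207.66.3.0/24 and tells you that 5.175.175.0/17 really means 5.175.128.0/17; the log tally then attributes the refusal of 5.175.130.7 to that entry even though the address is nowhere near 5.175.175.x, which is exactly the kind of wider-than-intended block worth knowing about. To run it against a real server, replace SAMPLE_LOG with the lines of the mainlog (or the output of the tail command above) and SAMPLE_BLOCKLIST with the full list.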

Re: out of control spam

Postby CCGTECH » Tue Mar 24, 2015 9:10 pm

I have added your list to the "reject connection from these hosts". I'll report back if this helped or not. Thanks for the help. I did not want to abandon MC completely.

Can you provide an implementation list you used on your deployments that summarizes the RBL FUNPACK thread? Perhaps a best-practices to-do list after initial install and a HOWTO. Would be AMAZING. Thanks.

Re: out of control spam

Postby cglmicro » Thu Mar 26, 2015 1:22 pm

In capture MAILCLEANER_1, for the SMTP section:
In "don't check these hosts", I've added all the major ISP/3G/4G/LTE networks of my customers, since they get on and off these RBLs and it can cause many false positives.

In capture MAILCLEANER_2, for the ANTISPAM / PRERBLS section:
I've also added the same for "don't check these hosts".

In capture MAILCLEANER_3, for the ANTISPAM / URIRBLS section:
Nothing to say.

...
Attachments: mailcleaner_1.png, mailcleaner_2.png, mailcleaner_3.png

Re: out of control spam

Postby cglmicro » Thu Mar 26, 2015 1:22 pm

...

In capture MAILCLEANER_4, for the ANTISPAM / SPAMC section:
Nothing to say.

I don't know if I have the perfect configuration, but it works pretty smoothly.
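Exempting whole ISP and mobile-carrier ranges under "don't check these hosts", as described above, and refusing connections from a hand-built reject list are two lists that can end up covering the same addresses. Whether MailCleaner lets the exemption win over a reject entry is not stated in the thread, so the added script below (not MailCleaner's code) only reports the collisions and tells you which lists a given connecting address sits on, so you can check the behaviour on your own appliance. The exemption ranges are constructed documentation prefixes; the reject entries are copied from the list posted earlier.

```python
"""Report where a "don't check these hosts" exemption and a reject entry cover
the same addresses, and say which lists a client address is on (added example)."""
from ipaddress import ip_address, ip_network

# Constructed exemption list standing in for the customers' ISP/mobile ranges
# (documentation prefixes, not real carriers), plus three entries copied from
# the reject list posted earlier in the thread.
SAMPLE_EXEMPT = ["198.51.100.0/24", "203.0.113.0/24", "5.175.0.0/16"]
SAMPLE_REJECT = ["107.182.137.0/24", "5.175.175.0/17", "209.172.40.211"]


def _nets(entries):
    """Pair each raw entry with its parsed network (bare IPs become /32)."""
    return [(e, ip_network(e, strict=False)) for e in entries]


def overlaps(exempt, reject):
    """(exempt entry, reject entry, shared range) for every pair that intersects.
    Two CIDR blocks that overlap nest, so the shared range is the narrower one."""
    found = []
    for e_raw, e_net in _nets(exempt):
        for r_raw, r_net in _nets(reject):
            if e_net.overlaps(r_net):
                inner = r_net if r_net.subnet_of(e_net) else e_net
                found.append((e_raw, r_raw, str(inner)))
    return found


def classify(address, exempt, reject):
    """'exempt', 'reject', 'both' or 'neither' for one connecting address."""
    addr = ip_address(address)
    on_exempt = any(addr in net for _, net in _nets(exempt))
    on_reject = any(addr in net for _, net in _nets(reject))
    return {(True, True): "both", (True, False): "exempt",
            (False, True): "reject", (False, False): "neither"}[(on_exempt, on_reject)]


if __name__ == "__main__":
    for row in overlaps(SAMPLE_EXEMPT, SAMPLE_REJECT):
        print("exempt %s overlaps reject %s on %s" % row)
    print(classify("5.175.130.7", SAMPLE_EXEMPT, SAMPLE_REJECT))
```

On the sample data the exemption 5.175.0.0/16 swallows the whole reject entry 5.175.175.0/17 (which parses to 5.175.128.0/17), so an address such as 5.175.130.7 is on both lists; that is the case to test against the appliance before trusting either list.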
Attachments: mailcleaner_4.png

Re: out of control spam

Postby CCGTECH » Wed Apr 01, 2015 6:05 pm

Is "removed by root" normal behavior to see in the inbound log? Spam is still out of control, and I'm trying to figure out why MC is permitting this junk through. It seems MC is acting as a relay for the spam.

2015-04-01 09:56:34 1YdLwQ-0007uR-El => 904-usr-691.0.2156.0.0.4388.7.1221334@e ... tomail.com <904-USR-691.0.2156.0.0.4388.7.1221334@em-sj-77.mktomail.com> R=dnslookup T=remote_smtp S=19332 H=em-sj-77.mktomail.com [199.15.215.77] C="250 2.0.0 OK C0/2C-29254-9432C155"
2015-04-01 09:56:34 1YdLwQ-0007uR-El Completed
2015-04-01 09:56:35 1YdK1Z-0003fE-5p removed by root
2015-04-01 09:56:35 1YdK1Z-0003fE-5p Completed
2015-04-01 09:56:39 1YdK1V-0003ep-72 removed by root
2015-04-01 09:56:39 1YdK1V-0003ep-72 Completed
2015-04-01 09:56:40 1YdK1R-0003eK-KL removed by root
2015-04-01 09:56:40 1YdK1R-0003eK-KL Completed
2015-04-01 09:56:42 1YdK1Q-0003eB-Mb removed by root
2015-04-01 09:56:42 1YdK1Q-0003eB-Mb Completed
2015-04-01 09:56:44 1YdK1Q-0003dj-9H removed by root
2015-04-01 09:56:44 1YdK1Q-0003dj-9H Completed
2015-04-01 09:56:45 1YdK1P-0003dd-RV removed by root
2015-04-01 09:56:45 1YdK1P-0003dd-RV Completed
2015-04-01 09:56:47 1YdK1D-0003d9-Kd removed by root
2015-04-01 09:56:47 1YdK1D-0003d9-Kd Completed
2015-04-01 09:56:48 1YdK1D-0003d1-Eo removed by root
2015-04-01 09:56:48 1YdK1D-0003d1-Eo Completed
2015-04-01 09:56:49 1YdK19-0003c9-Gj removed by root
2015-04-01 09:56:49 1YdK19-0003c9-Gj Completed
2015-04-01 09:56:50 1Ycxsb-0005ms-7h 1qj8ookp.trabant.science [173.232.206.53] Connection timed out
2015-04-01 09:56:50 1Ycxsb-0005ms-7h == preventmemoryloss@trabant.science <PreventMemoryLoss@trabant.science> R=dnslookup T=remote_smtp defer (110): Connection timed out
2015-04-01 09:56:50 1YdK16-0003bO-AG removed by root
2015-04-01 09:56:50 1YdK16-0003bO-AG Completed
2015-04-01 09:57:20 1Ycmll-0000ca-Jt fhua12.currentinfodoubt.work [46.166.178.18] Connection timed out
2015-04-01 09:57:20 1Ycmll-0000ca-Jt == deadly.food.conspiracy@fhua12.currentinfodoubt.work R=dnslookup T=remote_smtp defer (110): Connection timed out
2015-04-01 09:57:20 1Ycmll-0000ca-Jt ** deadly.food.conspiracy@fhua12.currentinfodoubt.work: retry timeout exceeded
2015-04-01 09:57:20 1Ycmll-0000ca-Jt deadly.food.conspiracy@fhua12.currentinfodoubt.work: error ignored
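When a log excerpt like the one above raises the "is MC relaying?" question, the quickest way to answer it is to tally what the outbound Exim log actually records: `=>` lines are completed deliveries to a remote host, `==` lines are deferred deliveries, `**` lines are final failures, and "removed by root" is Exim's note that a queued message was deleted by the root user. The script below is an added example, not part of MailCleaner; it runs over the lines quoted in the post (one of which is truncated in the post, so the remote host is read from the `H=` field where present, otherwise from the recipient domain).

```python
"""Summarize what the outbound Exim log says the server is doing with a batch
of messages: deliveries, defers, failures, queue removals (added example)."""
import re
from collections import Counter

# Lines quoted from the post above (the first one is truncated in the post).
SAMPLE_MAINLOG = [
    '2015-04-01 09:56:34 1YdLwQ-0007uR-El => 904-usr-691.0.2156.0.0.4388.7.1221334@e ... tomail.com <904-USR-691.0.2156.0.0.4388.7.1221334@em-sj-77.mktomail.com> R=dnslookup T=remote_smtp S=19332 H=em-sj-77.mktomail.com [199.15.215.77] C="250 2.0.0 OK C0/2C-29254-9432C155"',
    '2015-04-01 09:56:34 1YdLwQ-0007uR-El Completed',
    '2015-04-01 09:56:35 1YdK1Z-0003fE-5p removed by root',
    '2015-04-01 09:56:35 1YdK1Z-0003fE-5p Completed',
    '2015-04-01 09:56:50 1Ycxsb-0005ms-7h 1qj8ookp.trabant.science [173.232.206.53] Connection timed out',
    '2015-04-01 09:56:50 1Ycxsb-0005ms-7h == preventmemoryloss@trabant.science <PreventMemoryLoss@trabant.science> R=dnslookup T=remote_smtp defer (110): Connection timed out',
    '2015-04-01 09:57:20 1Ycmll-0000ca-Jt == deadly.food.conspiracy@fhua12.currentinfodoubt.work R=dnslookup T=remote_smtp defer (110): Connection timed out',
    '2015-04-01 09:57:20 1Ycmll-0000ca-Jt ** deadly.food.conspiracy@fhua12.currentinfodoubt.work: retry timeout exceeded',
    '2015-04-01 09:57:20 1Ycmll-0000ca-Jt deadly.food.conspiracy@fhua12.currentinfodoubt.work: error ignored',
]

# Exim message id followed by the delivery flag: => delivered, == deferred, ** failed.
ROUTE_RE = re.compile(r"\w{6}-\w{6}-\w{2} (?P<flag>=>|==|\*\*) (?P<addr>\S+)")
HOST_RE = re.compile(r" H=(?P<host>\S+) \[[\d.]+\]")
BUCKET = {"=>": "delivered", "==": "deferred", "**": "failed"}


def summarize(lines):
    """Tally delivery outcomes per remote host (or recipient domain when the
    line carries no H= field) and count queue removals and completions."""
    out = {"delivered": Counter(), "deferred": Counter(), "failed": Counter(),
           "removed": 0, "completed": 0}
    for line in lines:
        line = line.rstrip()
        if line.endswith("removed by root"):
            out["removed"] += 1          # message deleted from the queue by root
        elif line.endswith(" Completed"):
            out["completed"] += 1        # Exim is finished with the message
        else:
            m = ROUTE_RE.search(line)
            if not m:
                continue                 # connection or retry chatter, no outcome
            host = HOST_RE.search(line)
            target = (host.group("host") if host
                      else m.group("addr").rstrip(":").rsplit("@", 1)[-1])
            out[BUCKET[m.group("flag")]][target] += 1
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MAINLOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

For the quoted excerpt this yields one completed delivery (to em-sj-77.mktomail.com), deferred and failed attempts toward the .science and .work hosts, one queue removal and two completions. The deferred and failed entries are the ones to look into: the summary shows that the appliance is trying to deliver mail to those domains, but not why those messages were generated, which is what the log around each message id has to answer. Over a full day of mainlog, the `delivered` counter by destination host is the direct test of whether the box is relaying for outside senders.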

Re: out of control spam

Postby CCGTECH » Mon Apr 06, 2015 11:19 am

Code:
tail /var/mailcleaner/log/exim_stage1/mainlog -n 500 -f | egrep "ACL: blacklisted host:"

Thank you, CGLMICRO, for your help. I was able to monitor the blacklist using this. I've added a couple dozen additional subnets to the block list, which seems to have resolved all my spam issues.
