Re: one domain gets 99% of spam

2009-05-21 Thread Adam Katz
Marc Perkel wrote:
 What I've noticed is that domains with catchall accounts are
 usually the ones that get abused this way. MTAs that reject bad
 email addresses at SMTP time are not what spammers like when it
 comes to choices of domains to spam or spoof.

To clarify, from the senders' perspective, accepting and then
/dev/nulling mail (rather than rejecting it at SMTP time with no such
user or rejected for spam style messages) is the exact same thing
as a catch-all.

When I moved my company's setup to a reject-based system, our spam
traffic all-but zeroed pretty quickly.  90% of the rest of it is
caught quite nicely by greylisting (implemented a while after that
move), and the remaining volume gets eaten by SpamAssassin.


Re: one domain gets 99% of spam

2009-05-20 Thread option8

 it is common for one domain to get an order of magnitude more spam
 than another that seems just like it.  like mark said, it probably
 won't stop.  low overhead techniques like greylisting or no listing
 can reduce the stress on your server quite a bit.  configuring your
 mta to close connections after X errors will help with the dictionary
 attacks, and you can combine that with fail2ban to go even further.

 
 What I've noticed is that domains with catchall accounts are usually the
 ones that get abused this way. MTAs that reject bad email addresses at
 SMTP time are not what spammers like when it comes to choices of domains
 to spam or spoof.

i get the feeling that this client's previous ISP had a catch-all set up for
them, which i don't.

as for banning, i use a combination of tactics, including fail2ban. even
so, in the last 24 hours, i've gotten close to 10,000 attempts on this one
domain, which is more than all the other domains on my system combined.

one thing i've recently added is MX records pointing to
tarbaby.junkemailfilter.com at the DNS for that domain. i haven't seen any
drastic drop, but at least someone's harvesting the IPs other than me.

--option8.
-- 
View this message in context: 
http://www.nabble.com/one-domain-gets-99--of-spam-tp23628756p23635714.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: one domain gets 99% of spam

2009-05-20 Thread Marc Perkel



option8 wrote:

it is common for one domain to get an order of magnitude more spam
than another that seems just like it.  like mark said, it probably
won't stop.  low overhead techniques like greylisting or no listing
can reduce the stress on your server quite a bit.  configuring your
mta to close connections after X errors will help with the dictionary
attacks, and you can combine that with fail2ban to go even further.

What I've noticed is that domains with catchall accounts are usually the
ones that get abused this way. MTAs that reject bad email addresses at
SMTP time are not what spammers like when it comes to choices of domains
to spam or spoof.

i get the feeling that this client's previous ISP had a catch-all set up for
them, which i don't.

as for banning, i use a combination of tactics, including fail2ban. even
so, in the last 24 hours, i've gotten close to 10,000 attempts on this one
domain, which is more than all the other domains on my system combined.

one thing i've recently added is MX records pointing to
tarbaby.junkemailfilter.com at the DNS for that domain. i haven't seen any
drastic drop, but at least someone's harvesting the IPs other than me.

--option8.


Thanks for the tarbaby feed. If you use the 
hostkarma.junkemailfilter.com black list it will work better for you 
because it's harvesting your data from the high spam domain. If you use 
that list to block you can reduce your system load.




Re: one domain gets 99% of spam

2009-05-20 Thread option8

 Thanks for the tarbaby feed. If you use the 
 hostkarma.junkemailfilter.com black list it will work better for you 
 because it's harvesting your data from the high spam domain. If you use 
 that list to block you can reduce your system load.
 

yep. i added that at the same time. so far, not a lot of hits on it, but it's
caught a few that b.barracudacentral.org missed.


-- 
View this message in context: 
http://www.nabble.com/one-domain-gets-99--of-spam-tp23628756p23636040.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: one domain gets 99% of spam

2009-05-20 Thread LuKreme

On 19-May-2009, at 22:23, option8 wrote:
is there any particular reason this might be happening to just this one
domain?


Many possible reasons.  The most obvious is they used to accept all
emails (catchall) or they had a lot of users with a lot of
virus/malware on their windows machines.



beyond that, is there any hope of this ever stopping?


If this has been going on for years?  No, I wouldn't think so. That
is, assuming you've been REJECTING connections all these years, if it
hasn't let up, it's never going to.


--
The way I see it, the longer I put it off, the better it'll end up
being. Heck, school doesn't start for another 43 minutes.



one domain gets 99% of spam

2009-05-19 Thread option8

on my small server setup, i host around 30 domains. between SA and a fairly
aggressive exim setup, very little spam gets through to the end users. most
of it doesn't even get far enough to hit my logs.

however, one domain that i host gets constantly bombarded, and has since i
took it over from another ISP a few years ago. most of these connections
look like dictionary attacks (joe@, bill@, admin@, webmaster@, etc) or
backscatter/bounces.

at first, i thought it might be an attempt at a DOS on them (or me), since
my traffic spiked right after i took over the domain, but it hasn't let up.
is there any particular reason this might be happening to just this one
domain?

beyond that, is there any hope of this ever stopping? short of offloading
their MX to gmail or something, i feel like i may be stuck with fending off
a ton of spam for this one domain, while the rest only ever see a trickle.

--option8.
-- 
View this message in context: 
http://www.nabble.com/one-domain-gets-99--of-spam-tp23628756p23628756.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: one domain gets 99% of spam

2009-05-19 Thread Marc Perkel

option8 wrote:

on my small server setup, i host around 30 domains. between SA and a fairly
aggressive exim setup, very little spam gets through to the end users. most
of it doesn't even get far enough to hit my logs.

however, one domain that i host gets constantly bombarded, and has since i
took it over from another ISP a few years ago. most of these connections
look like dictionary attacks (joe@, bill@, admin@, webmaster@, etc) or
backscatter/bounces.

at first, i thought it might be an attempt at a DOS on them (or me), since
my traffic spiked right after i took over the domain, but it hasn't let up.
is there any particular reason this might be happening to just this one
domain?

beyond that, is there any hope of this ever stopping? short of offloading
their MX to gmail or something, i feel like i may be stuck with fending off
a ton of spam for this one domain, while the rest only ever see a trickle.

--option8.


I have a few of those myself. And since I took over filtering it's down 
some but they still get a few hundred thousand spams a day. So - it's 
probably not going away.





Re: one domain gets 99% of spam

2009-05-19 Thread Aaron Wolfe
On Wed, May 20, 2009 at 1:09 AM, Marc Perkel m...@perkel.com wrote:


 option8 wrote:

 on my small server setup, i host around 30 domains. between SA and a
 fairly aggressive exim setup, very little spam gets through to the end
 users. most of it doesn't even get far enough to hit my logs.

 however, one domain that i host gets constantly bombarded, and has since i
 took it over from another ISP a few years ago. most of these connections
 look like dictionary attacks (joe@, bill@, admin@, webmaster@, etc) or
 backscatter/bounces.

 at first, i thought it might be an attempt at a DOS on them (or me), since
 my traffic spiked right after i took over the domain, but it hasn't let up.
 is there any particular reason this might be happening to just this one
 domain?

 beyond that, is there any hope of this ever stopping? short of offloading
 their MX to gmail or something, i feel like i may be stuck with fending
 off a ton of spam for this one domain, while the rest only ever see a
 trickle.

 --option8.


it is common for one domain to get an order of magnitude more spam
than another that seems just like it.  like mark said, it probably
won't stop.  low overhead techniques like greylisting or no listing
can reduce the stress on your server quite a bit.  configuring your
mta to close connections after X errors will help with the dictionary
attacks, and you can combine that with fail2ban to go even further.



 I have a few of those myself. And since I took over filtering it's down some
 but they still get a few hundred thousand spams a day. So - it's probably
 not going away.
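The kind of log triage that backs up Aaron's "close after X errors / fail2ban" suggestion and option8's per-domain attempt counts: tally rejected recipients per hosted domain and per client IP, and separate the null-sender backscatter from the dictionary-attack traffic. This is an added example, not code from the thread, Exim or fail2ban; the log lines are constructed in a simplified Exim-style layout, and the busy.example/quiet.example domains, the error threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Exim main-log "rejected RCPT" entries.
# The field layout is an assumption for this example, not log data from the thread.
SAMPLE_LOG = """\
2009-05-20 08:00:01 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <joe@busy.example>: Unrouteable address
2009-05-20 08:00:02 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <bill@busy.example>: Unrouteable address
2009-05-20 08:00:03 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <admin@busy.example>: Unrouteable address
2009-05-20 08:00:04 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <webmaster@busy.example>: Unrouteable address
2009-05-20 08:01:00 H=(relay.example.org) [198.51.100.7] F=<> rejected RCPT <nobody@busy.example>: Unrouteable address
2009-05-20 08:02:00 H=(host.example.com) [203.0.113.5] F=<a@c.example> rejected RCPT <sales@quiet.example>: Unrouteable address
2009-05-20 08:03:00 1M6xyz-0001AB-CD <= ok@c.example H=(host.example.com) [203.0.113.5] P=esmtp S=1234
"""
# Timestamp, H=<host>, [<ip>], F=<envelope sender>, then the rejected recipient.
REJECT_RE = re.compile(
    r"^\S+ \S+ H=\S+ \[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]+)>:"
)


def parse_rejects(text):
    """Yield (client_ip, envelope_sender, recipient_domain) per rejected RCPT."""
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:  # accepted-message and other log lines simply do not match
            domain = m.group("rcpt").rsplit("@", 1)[-1].lower()
            yield m.group("ip"), m.group("sender"), domain


def rejects_per_domain(text):
    """How many unknown-recipient rejects each hosted domain attracted."""
    return Counter(d for _, _, d in parse_rejects(text))


def top_domain_share(text):
    """(domain, fraction of all rejects) for the most-targeted domain."""
    counts = rejects_per_domain(text)
    domain, n = counts.most_common(1)[0]
    return domain, n / sum(counts.values())


def noisy_clients(text, max_errors=3):
    """Client IPs with more than max_errors rejected recipients: the same
    error budget an MTA drop-after-X-errors rule or a fail2ban jail keys on."""
    per_ip = Counter(ip for ip, _, _ in parse_rejects(text))
    return {ip: n for ip, n in per_ip.items() if n > max_errors}


def backscatter_rejects(text):
    """Rejects with a null sender (F=<>): bounces aimed at addresses that
    never sent anything, i.e. the backscatter the original post mentions."""
    return sum(1 for _, s, _ in parse_rejects(text) if s == "")
```

Against real logs, the per-IP counts are what you would feed a fail2ban filter, while the per-domain split tells you whether one domain really does account for the bulk of the rejects.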





Re: one domain gets 99% of spam

2009-05-19 Thread Marc Perkel

Aaron Wolfe wrote:

On Wed, May 20, 2009 at 1:09 AM, Marc Perkel m...@perkel.com wrote:

option8 wrote:

on my small server setup, i host around 30 domains. between SA and a
fairly aggressive exim setup, very little spam gets through to the end
users. most of it doesn't even get far enough to hit my logs.

however, one domain that i host gets constantly bombarded, and has since i
took it over from another ISP a few years ago. most of these connections
look like dictionary attacks (joe@, bill@, admin@, webmaster@, etc) or
backscatter/bounces.

at first, i thought it might be an attempt at a DOS on them (or me), since
my traffic spiked right after i took over the domain, but it hasn't let up.
is there any particular reason this might be happening to just this one
domain?

beyond that, is there any hope of this ever stopping? short of offloading
their MX to gmail or something, i feel like i may be stuck with fending
off a ton of spam for this one domain, while the rest only ever see a
trickle.

--option8.

it is common for one domain to get an order of magnitude more spam
than another that seems just like it.  like mark said, it probably
won't stop.  low overhead techniques like greylisting or no listing
can reduce the stress on your server quite a bit.  configuring your
mta to close connections after X errors will help with the dictionary
attacks, and you can combine that with fail2ban to go even further.


What I've noticed is that domains with catchall accounts are usually the
ones that get abused this way. MTAs that reject bad email addresses at
SMTP time are not what spammers like when it comes to choices of domains
to spam or spoof.