2018-03-07 5:52 GMT-03:00 Sebastian Arcus <s.ar...@open-t.co.uk>:

>
> 6. The links they include in the body of the email are almost never
> flagged up either by Clam or Spamassassin - and they point to a different
> domain in every single message.
>

Although they use multiple domains in the URLs in the body, many of these URLs
are addressed to the same IPv4/IPv6 address or IP ranges, that is, just one
shared web server or a group of shared web servers of the spammer.

The key to solving this problem is that you all start to cross-reference the
data and start scoring the URL host IP, which is the exact physical place they
want you to visit, even when the mail is fired by many hacked mail servers
around the world and many distinct domains. The mail services and domains are
very dispersed but the web servers are very concentrated.

We are using this technique here and the problem has been mitigated for our
customers.


>
> The bizarre thing is that I only see them coming to this one particular
> email account, at a single domain of all the ones I administer. Based on
> the above whoever sends them really knows what they are doing, and must have
> significant resources at their disposal - but I still have no idea why they
> only hit this particular email address. I can only assume that greylisting
> wouldn't help much, as they seem to arrive from properly configured SMTP
> servers, which would retry like any other regular SMTP server and bypass
> greylisting. Has anybody else seen these, and is there anything else that I
> could try to block them?
>
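
The approach described in the reply above (scoring the IP address or range that a URL host resolves to, instead of the ever-changing domain), as an added sketch that is not part of the original message and not the poster's own implementation. The /24 and /48 grouping, the point values, all function and class names, and the sample DNS data are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Constructed sample DNS data (documentation address ranges) for offline runs.
SAMPLE_DNS = {"cheap-pills.example": {"192.0.2.10"}, "win-prize.example": {"192.0.2.77"},
              "new-offer.example": {"192.0.2.200"}, "newsletter.example": {"198.51.100.5"}}

def url_hosts(body):
    """Lower-cased hostnames of all http(s) URLs in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            hosts.add((urlsplit(url).hostname or "").rstrip(".,;:)"))
        except ValueError:      # malformed URL, e.g. a broken IPv6 literal
            continue
    return hosts - {""}

def dns_resolve(host):
    """Live resolver: every A/AAAA address of host, empty set on failure."""
    try:
        return {ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)}
    except (socket.gaierror, UnicodeError):
        return set()

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its range; the prefix lengths are assumptions."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

class HostIpScorer:
    def __init__(self, resolve=dns_resolve, points=1.0, cap=5.0):
        self.resolve, self.points, self.cap = resolve, points, cap
        self.spam_hosts = defaultdict(set)  # network -> spam URL hosts seen there

    def _pairs(self, body):
        return {(h, network_of(ip)) for h in url_hosts(body) for ip in self.resolve(h)}

    def learn_spam(self, body):
        for host, net in self._pairs(body):
            self.spam_hosts[net].add(host)

    def score(self, body):
        """Points for each other spam host sharing a network with this body's URLs."""
        shared = [len(self.spam_hosts.get(n, set()) - {h}) for h, n in self._pairs(body)]
        return min(self.cap, self.points * max(shared, default=0))
```

Pass `resolve=lambda h: SAMPLE_DNS.get(h, set())` to run it without network access; a never-before-seen domain still scores when it lands in a range that already hosted other spam domains.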
