Huge amount of spam - self hosted email

Forums › IT Pro and developers › Huge amount of spam - self hosted email

NPCtom

430 posts

Ultimate Geek

#257461 4-Oct-2019 12:31

Hey everyone. I am receiving a large amount (920 in 24 hours) of spam emails (self hosted running cPanel on a VPS) originating from a variety of domains but all containing a message asking me to "Confirm my subscription" to a marketing list of some sort. The emails weren't getting flagged by Apache SpamAssassin as spam so I had to create a custom rule to redirect the spam messages to my spam inbox.

Would this be a targeted attack or something else? Is there anything else I should do??

SirHumphreyAppleby

2844 posts

Uber Geek

#2329568 4-Oct-2019 12:36

I doubt it's targeted. At most I would do exactly what you did and remove the rule after a few days.

I use sieve, very very carefully and don't use any spam filtering - worked in the industry for years, don't trust it.

xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2329581 4-Oct-2019 12:51

Is it all coming from the same server ? If so, just deny/block the server.

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree

mattwnz

20141 posts

Uber Geek

#2329627 4-Oct-2019 14:10

You should contact your web hosting provider or upstream support about it. I have found that good web hosts should be pretty responsive with resolving this sort of thing.

jarledb

Webhead
3253 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2329644 4-Oct-2019 14:33

I have not used it, but this service have been recommended and advertised on several tech podcasts I follow.

Mailroute (the link gives you 10% off, I don´t get a cent), and you can test it for free for 30 days.

Captera have a lot of other services you might want to check out as well.

Jarle Dahl Bergersen | Referral Links: Want $50 off when you join Octopus Energy? Use this referral code
Are you happy with what you get from Geekzone? Please consider supporting us by making a donation or subscribing.

Pornolio

20 posts

Geek

#2329655 4-Oct-2019 14:53

Spam is a daily battle for any sysadmin, and once you understand the fundamentals about how spammers operate, it's fairly easy to block them.

First understand the fundamental ways of blocking spam.

1 - Reputation filtering eg. RBL lists, Senderbase reputation, Greylisting etc.

2 - Content filtering eg. Spamassassin / Cloudmark engines / pattern files for engines

So questions that come to my mind, you say you are using the normal open source tools bundled with cPanel / plesk. Spamassassin uses a bayesian engine that auto-trains or learns as it picks up patterns. It works with a scoring threshold system... depending on how low the value is set, the more strict it will be. Start by checking if you are merely flagging messages as potential spam (aka learning mode), or if you are actually dropping messages that exceed the scoring value. Most of the time, these spam messages are sent by bots who would just find an open MX SMTP port and bomb it. There is no proper retries involved as per what a normal MTA would do. For these kinds of problems, look @ Greylisting. This stops bots dead in their tracks.

Greylisting will merely tell the remote sender, please retry in X amount of minutes... as bots don't retry, you drop a ton of spam messages even being accepted, preventing overloading your content scanning engines. Same goes for using RBL authorities... there are some of them which are just plain morons, but stick to the bigger more popular ones like Spamcop / Spamhaus. UCEprotect I categorise under the moron category.

If your MTA is setup to use RBL lists, you wont be accepting mails from dodgy IP ranges. The free tools will also only help you up to a point, once you get to more crafty devious methods of spam like "snowshoe spam", then you have to start looking at commercial solutions for that level of protection.

Everything you have described, is why you pay hosting providers to do stuff like email for you. Its manpower intensive, and requires technical knowledge in how to analyze mail headers, and how to combat entry points. Don't even get me started on webforms, or broken Captcha checkers. Most of the time you pick those things up in mail headers @ the injection point.

xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2329660 4-Oct-2019 14:59

Aren't you running a hosting company ? A sysadmin should be able to implement a solution.

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree

SirHumphreyAppleby

2844 posts

Uber Geek

#2329663 4-Oct-2019 15:09

Pornolio:

Spam is a daily battle for any sysadmin, and once you understand the fundamentals about how spammers operate, it's fairly easy to block them.

First understand the fundamental ways of blocking spam.

1 - Reputation filtering eg. RBL lists, Senderbase reputation, Greylisting etc.

2 - Content filtering eg. Spamassassin / Cloudmark engines / pattern files for engines

...

Greylisting will merely tell the remote sender, please retry in X amount of minutes... as bots don't retry, you drop a ton of spam messages even being accepted, preventing overloading your content scanning engines. Same goes for using RBL authorities... there are some of them which are just plain morons, but stick to the bigger more popular ones like Spamcop / Spamhaus. UCEprotect I categorise under the moron category.

Also DKIM, SPF and DMARC. These give the sending domain some control over how messages claiming to be from their domain should be handled. Because this is domain policy, it should be considered law, unlike RBLs and filters.

Greylisting doesn't instruct the remote sender to retry in x minutes. SMTP has no mechanism for this, it simply returns a temporary failure. When, or even if the sending server tries again, is entirely up to the sending server. RFC5321 specifies a retry interval of 30 minutes... that's too long to wait for important things to come though. Some verification e-mails aren't even valid for that long. Use with caution.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#2329666 4-Oct-2019 15:29

It's almost like being sent spam is a factor for all mailhosts, not just the big ones.....

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

NPCtom

430 posts

Ultimate Geek

#2329673 4-Oct-2019 16:07

xpd:
Aren't you running a hosting company ? A sysadmin should be able to implement a solution.

I have implemented a permanent solution. Just wondering why this would occur because its something I've never seen before.

NPCtom

430 posts

Ultimate Geek

#2329674 4-Oct-2019 16:07

mattwnz:
You should contact your web hosting provider or upstream support about it. I have found that good web hosts should be pretty responsive with resolving this sort of thing.

Contacted OVH.

timmmay

20575 posts

Uber Geek

Trusted

Lifetime subscriber

#2329677 4-Oct-2019 16:22

I gave up hosting my own email, it's someone else's problem now. FastMail does a good job of spam filtering, as does Gmail.

NPCtom

430 posts

Ultimate Geek

#2329678 4-Oct-2019 16:25

timmmay:
I gave up hosting my own email, it's someone else's problem now. FastMail does a good job of spam filtering, as does Gmail.

I use G-Suite for my main email account but I use self hosted for others because its much cheaper.

xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2331015 5-Oct-2019 14:32

I still host my own (Hmail) , get extremely little spam coming in. Using a combo of Spam Assassin and DNS/SURBL lists.

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree