Huge amount of spam - self hosted email

Forums › IT Pro and developers › Huge amount of spam - self hosted email

NPCtom

430 posts

Ultimate Geek
+1 received by user: 56

#257461 4-Oct-2019 12:31

Hey everyone. I am receiving a large amount (920 in 24 hours) of spam emails (self hosted running cPanel on a VPS) originating from a variety of domains but all containing a message asking me to "Confirm my subscription" to a marketing list of some sort. The emails weren't getting flagged by Apache SpamAssassin as spam so I had to create a custom rule to redirect the spam messages to my spam inbox.

Would this be a targeted attack or something else? Is there anything else I should do??

SirHumphreyAppleby

2939 posts

Uber Geek
+1 received by user: 1860

#2329568 4-Oct-2019 12:36

I doubt it's targeted. At most I would do exactly what you did and remove the rule after a few days.

I use sieve, very very carefully and don't use any spam filtering - worked in the industry for years, don't trust it.

xpd

Geek of Coastguard
14116 posts

Uber Geek
+1 received by user: 4579

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2329581 4-Oct-2019 12:51

Is it all coming from the same server ? If so, just deny/block the server.

XPD / Gavin

LinkTree

mattwnz

20515 posts

Uber Geek
+1 received by user: 4795

#2329627 4-Oct-2019 14:10

You should contact your web hosting provider or upstream support about it. I have found that good web hosts should be pretty responsive with resolving this sort of thing.

jarledb

Webhead
3319 posts

Uber Geek
+1 received by user: 1983

Moderator

ID Verified

Trusted

Lifetime subscriber

#2329644 4-Oct-2019 14:33

I have not used it, but this service have been recommended and advertised on several tech podcasts I follow.

Mailroute (the link gives you 10% off, I don´t get a cent), and you can test it for free for 30 days.

Captera have a lot of other services you might want to check out as well.

Jarle Dahl Bergersen | Referral Links: Want $50 off when you join Octopus Energy? Use this referral code
Are you happy with what you get from Geekzone? Please consider supporting us by making a donation or subscribing.

Pornolio

20 posts

Geek
+1 received by user: 18

#2329655 4-Oct-2019 14:53

Spam is a daily battle for any sysadmin, and once you understand the fundamentals about how spammers operate, it's fairly easy to block them.

First understand the fundamental ways of blocking spam.

1 - Reputation filtering eg. RBL lists, Senderbase reputation, Greylisting etc.

2 - Content filtering eg. Spamassassin / Cloudmark engines / pattern files for engines

So questions that come to my mind, you say you are using the normal open source tools bundled with cPanel / plesk. Spamassassin uses a bayesian engine that auto-trains or learns as it picks up patterns. It works with a scoring threshold system... depending on how low the value is set, the more strict it will be. Start by checking if you are merely flagging messages as potential spam (aka learning mode), or if you are actually dropping messages that exceed the scoring value. Most of the time, these spam messages are sent by bots who would just find an open MX SMTP port and bomb it. There is no proper retries involved as per what a normal MTA would do. For these kinds of problems, look @ Greylisting. This stops bots dead in their tracks.

Greylisting will merely tell the remote sender, please retry in X amount of minutes... as bots don't retry, you drop a ton of spam messages even being accepted, preventing overloading your content scanning engines. Same goes for using RBL authorities... there are some of them which are just plain morons, but stick to the bigger more popular ones like Spamcop / Spamhaus. UCEprotect I categorise under the moron category.

If your MTA is setup to use RBL lists, you wont be accepting mails from dodgy IP ranges. The free tools will also only help you up to a point, once you get to more crafty devious methods of spam like "snowshoe spam", then you have to start looking at commercial solutions for that level of protection.

Everything you have described, is why you pay hosting providers to do stuff like email for you. Its manpower intensive, and requires technical knowledge in how to analyze mail headers, and how to combat entry points. Don't even get me started on webforms, or broken Captcha checkers. Most of the time you pick those things up in mail headers @ the injection point.

xpd

Geek of Coastguard
14116 posts

Uber Geek
+1 received by user: 4579

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2329660 4-Oct-2019 14:59

Aren't you running a hosting company ? A sysadmin should be able to implement a solution.

XPD / Gavin

LinkTree

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

SirHumphreyAppleby

2939 posts

Uber Geek
+1 received by user: 1860

#2329663 4-Oct-2019 15:09

Pornolio:

Spam is a daily battle for any sysadmin, and once you understand the fundamentals about how spammers operate, it's fairly easy to block them.

First understand the fundamental ways of blocking spam.

1 - Reputation filtering eg. RBL lists, Senderbase reputation, Greylisting etc.

2 - Content filtering eg. Spamassassin / Cloudmark engines / pattern files for engines

...

Greylisting will merely tell the remote sender, please retry in X amount of minutes... as bots don't retry, you drop a ton of spam messages even being accepted, preventing overloading your content scanning engines. Same goes for using RBL authorities... there are some of them which are just plain morons, but stick to the bigger more popular ones like Spamcop / Spamhaus. UCEprotect I categorise under the moron category.

Also DKIM, SPF and DMARC. These give the sending domain some control over how messages claiming to be from their domain should be handled. Because this is domain policy, it should be considered law, unlike RBLs and filters.

Greylisting doesn't instruct the remote sender to retry in x minutes. SMTP has no mechanism for this, it simply returns a temporary failure. When, or even if the sending server tries again, is entirely up to the sending server. RFC5321 specifies a retry interval of 30 minutes... that's too long to wait for important things to come though. Some verification e-mails aren't even valid for that long. Use with caution.

hio77

'That VDSL Cat'
13036 posts

Uber Geek
+1 received by user: 3896

ID Verified

Trusted

Lizard Networks

Subscriber

#2329666 4-Oct-2019 15:29

It's almost like being sent spam is a factor for all mailhosts, not just the big ones.....

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

NPCtom

430 posts

Ultimate Geek
+1 received by user: 56

#2329673 4-Oct-2019 16:07

xpd:
Aren't you running a hosting company ? A sysadmin should be able to implement a solution.

I have implemented a permanent solution. Just wondering why this would occur because its something I've never seen before.

NPCtom

430 posts

Ultimate Geek
+1 received by user: 56

#2329674 4-Oct-2019 16:07

mattwnz:
You should contact your web hosting provider or upstream support about it. I have found that good web hosts should be pretty responsive with resolving this sort of thing.

Contacted OVH.