Spam Spam Spam Spam

[filkertom]

Apparently someone's using tomsmithonline.com for sending spam. I send no spam at all, and I send nothing from any address at tomsmithonline.com. So, if you're getting anything from there, I apologize, but it ain't me. I'm going to try to set up an SPF file to stop it.

How have your spam filters been working lately? About a month ago, I noticed a big increase in the number of messages with Cyrillic characters, as well as a general slowdown of my DSL. You may remember I mentioned that Yahoo was giving me trouble; it seems to be all of AT&T.

Comments

[jmthane.livejournal.com]

Every once in a while, it looks like spam is going out from minstrosity.com. What's fun is that my stats *on* minstrosity.com don't show any e-mails getting sent. Turns out even the "from" was being spoofed. Check your account stats - you might have the same problem, someone spoofing tomsmithonline.com as the sender. That's harder to stop, unfortunately.

And I occasionally get Cyrillic spam, too, on my ripco.com address.

[kengr]

I get stuff that purports to be from my domain all the time. But since it don't *have* access to the SMTP server, it's not. A quick check of the headers shows very elementary spoofing.

The address on the From: line has *nothing* to do with where the mail actually came from.

Here's an example from today's mail.

Return-Path: <dmlist@shadowgard.com>
Received: from asy155.asy31.tellcom.com.tr (asy155.asy31.tellcom.com.tr [92.44.31.155] (may be forged))
by draq.pmaco.net (8.10.2/8.10.2) with ESMTP id n7RAWLi05405
for <dmlist@shadowgard.com>; Thu, 27 Aug 2009 03:32:21 -0700
Date: Thu, 27 Aug 2009 03:32:21 -0700
From: "Britt Ydorjucj" <dmlist@shadowgard.com>
To: dmlist@shadowgard.com
Subject: Mail timeout
Message-ID: <3703GLL.880559FEB2.8670538902EYJNEQDQJGCDINL22@asy155.asy31.tellcom.com.tr>
Content-type: text/html; charset="UTF-8"
MIME-Version: 1.0

The Return-Path: claims it came from a (non-existent) user in my domain (there's a mailing list that is dm_list, spammers often remove "extra" characters to see if they get a valid address)

From: claims the same email address with a totally bogus name.

But it's the Received: line that tells the tale. Unlike From: and Return-Path:, which are generated by the *sending* machine, Received is generated by the *receiving* system.

Received: from asy155.asy31.tellcom.com.tr (asy155.asy31.tellcom.com.tr [92.44.31.155] (may be forged))
by draq.pmaco.net (8.10.2/8.10.2) with ESMTP id n7RAWLi05405
for <dmlist@shadowgard.com>; Thu, 27 Aug 2009 03:32:21 -0700

And there we have it. it was sent from IP address 92.44.31.155. That can't be forged. That system *claimed* to be asy155.asy31.tellcom.com.tr, which may or may not be true. But the IP address on the lowest Received line (if there's more than one) *is* the address that connected to the mail server to deliver the message.

Alas trying to get folks who are complaining to you to look at the headers is difficult. Especially since how you get to them depends on the mail program or the webmail site they are using.

[eruvanna.livejournal.com]

I know for the past couple months I've seen an large increase in missed spam on my hotmail filter

[bedlamhouse]

It probably is not coming from tomsmithonline.com at all. Many spammers use a verified domain for their FROM header in hopes of getting through someone's filters.

It happens to bedlamhouse.com on a regular basis - I can always tell when there are a ton of "I'm not here" replies in my inbox.

Nothing you can really do about it since it isn't touching anything you have control over. The good news is that the spam marker sites recognize that the "From:" header is not good data for the actual spam source and won't blacklist you because of it.

[mdlbear]

Happens to me, too.

[filkertom.livejournal.com]

Thanks, Bill. That's good to know.

[emiofbrie.livejournal.com]

This.

It's happened to me in the past as well. Basically, someone is simply putting a fake address in their "From" header and using an outgoing mail server that allows it.

[ttamsen.livejournal.com]

Well, except as Tom said, if you control your own DNS, adding SPF records indicating which mailservers *are* allowed to relay mail claiming to be from tomsmithonline.com is a Really Good Idea. It can be (and often is) completely ignored, but it at least gives folks the option of filtering out forged crap. I saw our level of inbound spam drop by two orders of magnitude when I started implementing SPF checks at the MXes.

An online form to help you generate the appropriate additions to your DNS is available at http://old.openspf.org/wizard.html for those interested in going that route.

[bedlamhouse]

Yes, but SPF records only really handle it if the relay headers are being spoofed. They don't particularly help if only the "from:" is false, because no DNS activity is being done on that info.

[kengr]

Alas, some ISPs aren't that bright. I've gotten complaints for spam that couldn't have been sent from my domain

[capplor.livejournal.com]

Our spam filter is working well enough that we scarcely ever have to look at it. Right now there's something about enhancing body parts from what looks like a gmail account, but that's it.

[shockwave77598.livejournal.com]

Anyone can put anything into the Sent From block. There is no way to stop that. But that spammers are using that is puzzling. Why would they? It's not like a post from there garners the attention is something from BankofAmerica.com or microsoft.com .

This behavior seems less likely a spammer and more likely that of a troll - someone hoping to harrass you by sending out tons of garbage with your email address in the hopes that so many people will be pissed and email YOU that your inbox gets jammed up (and potentially crash your site.) It's an old dodge, pissing off lots of folks with the target's email address.

[bedlamhouse]

Lots of reasons, involving use of the "From:" field for individual email clients doing filtering, among others.

To be honest I don't particularly grok the whole commercial spammer mentality anyway - or maybe it's just that I don't grok the mentality of anyone who would fall for a sales pitch in an email with fake headers, fake return address, and bad links.

[kengr]

Remember, the spams are essentially free.

*one* person dumb enough to follow up on the spam nets enough money to pay for tens or even *hundreds* of thousands of spams.

The only way to end spam will be to find a way to increase the cost of sending it, but that won't increase the cost of ordinary email and of legit mailing lists.

Given that most spam is coming from infected systems outside the US, anything that has a chance of working is going to be a major effort.

[kengr]

Thing is, they harvest addresses from websites using robots (ie automated programs that troll thru websites, yahoo forums and a lot of other places)

They not only use those to send mail *to*, they use them as From addresses because the odds are much better that they'll get thru spam filters.

[sdelmonte]

The good news is that my spam filters at work and at home (AOL and GMail) are doing their jobs. Very little that is spam gets through.

The less good news is that a decent amount of e-mail - mainly from lists I am on - gets caught in the spam traps, though it's easy to find among all the Acai berry sales and the like.

The bad news is that someone hacked my AOL account last weekend and sent an e-mail to EVERYONE I have ever sent an AOL e-mail to. Twice.

[johnridley.livejournal.com]

I use gmail. I simply do not see spam. OK, one will get through about every 3 months, if it's really close to looking like regular mail.

[alverant.livejournal.com]

My spam filter hasn't been working as well lately. I've been getting messages about a "Mr.X".

[bryanp.livejournal.com]

My spam filters have been working pretty well, but I'm seeing a lot more of it come in of late. Apparently someone out there really thinks I need a fake rolex and to make some body parts larger and other parts smaller.

[wingus.livejournal.com]

Mine's workin' fairly well, but it's rare that I get Spam anyways. Love Thunderbird.

[caligogreywings.livejournal.com]

I use gmail, so rarely get any spam, but lately, I'll have one or two sitting in my inbox, instead of the spambox where they belong. If it's getting through gmail's filters, then somethings heavy.

Also, hi, I've met you many times at millennicon, thanks to Celeste always dragging me up from The South. Nice to see you here too.

[louisadkins.livejournal.com]

I use gmail, as well, and I also only get the occasional spam, where I can see it, heh.

[wildcard9.livejournal.com]

My ISP's spam filters are a little too strict, it does not let through confirmation messages for when I try to sign up for web forums. And they removed the ability for me to whitelist anyone so I can say "I don't care what your spam filter thinks, I want to receive email from this sender". Some ads inserted to the end of emails automatically by some sites make the email tagged as spam as well even if the rest of the message is non-spam. I prefer if the ISP would just throw everything suspect into a spam folder and let me decide, and add whitelists and blacklists.

[gorgeousgary]

My ISP's spam filter works well. I have it turned up to the maximum setting, which means I have to keep an eye on the spam directory to make sure I don't miss anything. That's fairly rare, since I have most folks whitelisted who e-mail me with any regularity.

Interestingly, since the recession began, I have noticed the amount of spam in the filter has plummeted. At one point in 2006 I was getting almost 200 spams a day and was seriously considering setting up a new e-mail address. These days it's less than 40 a day. Guess some of the spammers can't afford 'net connections anymore...

[kengr]

Thing is, most spam is sent for free by bot-nets. Infected machines that get addresses to send to and messages to send from other systems (some of which are compromised themselves).

A big drop happened when one of the biggest bot nets got taken down when programmers where able to determine the algorithm it used to find where to look for updates. They got control (legally) of the address it was going to switch to if the main site went down and them got the authorities to take down the main site. So when the infected machines went to call home for new lists, they got to a site controlled by the good guys and got told to twiddle their thu,mbs. And the good guys got a list of infected systems to try to contact.

Alas, the effects were only temporary as there are a lot of infected systems and many get infected by something else frequently because the users don't havre decent security.

[birder2.livejournal.com]

My spam filter seems to work fairly well; I get a notice that it has filtered out 30 or so messages daily. I still get a lot of ads that I think of as spam because I don't want to buy amything right now, but since a lot of it comes from companies that I have gotten something from at some time, technically that does not count as spam.