Spam on the Rise

[Sarah]

Our MailScanner install uses the cPanel-provided version of SpamAssassin, so you should contact cPanel to find out if they plan to update to a newer version.

Regards,
Sarah

[Gene Steinberg]

They take their time. So that means you'll update anything that needs to be updated when/if they update?

Peace,
Gene

[Gene Steinberg]

One more thing: It appears that cPanel won't update SpamAssassin till some time this fall, even though the current version reportedly isn't getting rules updates:

http://features.cpanel.net/responses/up ... ssin-340_2

Peace,
Gene

[Sergio]

Also our servers has been attacked with the same kind of spam, but what we have done is to trace the IPs where the spam is coming from and added the /24 range of the IPs in MailScanner and in my secondary MX we have blocked the IPs permanently.

To do this, use MailWatch and search for any of the domains that is hammering your server, check the details and get the IP. Next, search looking in Headers for the IP but taking out the last octect and that will search in all your emails for the /24 range of that IP, it will show you a list of all the messages that those IPs have delivered to your server, if it is only spam you can safely add the /24 to your blocked IPs.

For us it has fixed the issue and the spam has lowered a lot.

If you want to share the list of IPs blocked you can send me a PM and in return I will send you mine.

[Gene Steinberg]

So, to use one example of spam that I'm happy to post publicly, if the IP number is 103.252.96.99, you remove the "99" from it and add /24?

I'm a little light on this stuff, so explain carefully.

Also, I would presume IP numbers are sometimes spoofed, and spammers would use a wide range in any case.

Peace,
Gene

[Sergio]

If you have the IP and you want to check it, go to
http://www.senderbase.org/lookup/?searc ... .252.96.99
You will see that this IP is considered "Poor Reputation" and all the /24 are marked as well.

So, in your MailScanner enter into the "Front End" option and on the "Server Black Spam" list add the following:
103.252.96.0/24
save the change and from that moment any email coming from that IP range will be blocked by MailScanner and not delivered to your customers.

[Gene Steinberg]

OK, I have gone through all the IP numbers sending uncaught spam in the last day or so. Only this IP was listed as having a bad rating. So it's blocked. Thanks.

At least it's progress — but I still suspect the IP numbers will continue to vary.

Peace,
Gene

[Sergio]

Yes, they will vary because there are a lot of spammers out there, but every time you block a range you are stopping spam to enter into your server.

Word of caution, if you don't know what your are doing you can block leggit IPs, so, before you block an IP or a range, use the "report" option in MailWatch to double check that all the email coming from that IP is spam.

[Gene Steinberg]

Yes, spam, but only five messages are listed in the report. So this is going to be a moving target.

At least, since all these problems have first been reported, the amount of uncaught spam is lower — still not quite there, but improved.

Peace,
Gene

[Gene Steinberg]

Just an update with the spam received on September 8. While one of the IP numbers has a poor reputation, only one message came from that number. So this is a moving target, and trying to block ranges is mostly a waste of time.

Peace,
Gene