Handling Spammy IP Addresses / Address Blocks

General eFa discussion
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29


Post by skoppes »

Hello all,

Part of the reason we moved away from our old (failing) solution was that it was failing to filter effectively. We were getting hit by spam-blasts very frequently throughout the day, and the filtering solution was unable to effectively handle the problem. Each blast comes from a handful of closely-knit IP addresses, then goes away, and rarely comes back. As these blasts cycled over a few weeks, I noted that, while the blasts would come from a different set of IP addresses each time, there would often be a 'new' set of hosts within the same Class C network as others from the past. In fact, any spam from a 'new' Class C almost always guaranteed additional spam from that network for about a week or two.

Once I put EFA in place, these almost completely vanished. Only today did I realize what was saving us: sqlgrey! Users often complain about any kind of delay to incoming email, so when I ran across ways to help automate whitelisting within sqlgrey, I figured it didn't hurt to give it a shot: viewtopic.php?f=14&t=1240#p4484

Good idea in theory, but it didn't work out well. We doubled our typical spam-load for the day within 4 hours, and I had so much spam bleeding through I thought we were back to our old failing appliance. Turns out the assumption that spammers don't always have SPF records isn't wrong, but the hardcore spammers do have SPF, and using that as a white-list may get you buried under a deluge of spam!

Some messages were picked off as spam, but far too many were flagged as legitimate. They hit hard and fast with these dump-and-run campaigns. Once they've used an IP block for a few minutes, they rarely come back from those exact addresses.

Here are some of the domains that slammed us over just the last 2 hours:


184.173.202.31 -- healthinfo.newhealthyupdates.net
184.173.202.28 -- roofinstall.onlinegreatnewinstalls.net
89.46.133.251 -- ninetythreefivemodernopportunities.com
184.173.218.237 -- readupdates.enrolldeadlineextension.net
184.173.206.23 -- yourreward.getthelatestshoppingrewards.net
184.173.218.239 -- newscans.onlineaccuratescaninfo.net

I checked, and they all have a valid SPF record; the 'a' is the gotcha, because that's where the mail is coming from. Most of them are only:


v=spf1 a mx -all

The last one literally hit us about 50 times total in under 2 minutes, with 19 times in one second before I clicked 'apply' on a manual IP block at the gateway. The instant I dropped the sqlgrey shortcut, then restarted sqlgrey and postfix, these mass spam-blasts vanished instantly.


Is there some method to craft a rule that could see X or more 'spam' and/or Y or more 'high-scoring spam' from a given IP over Z seconds, then blacklist and/or greylist that IP... for Q amount of time?
Such as 10+ spam, or 3+ high-spam within 30 seconds gets you booted from my EFA for 12 hours.


The other problem is that I've almost never seen these IP addresses on any RBL. Makes it hard to determine what to do! :(

Thanks in advance!
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Handling Spammy IP Addresses / Address Blocks

Post by shawniverson »

The feature you are most likely looking for is POSTSCREEN, but it requires postfix 2.8+.

EFA is on postfix 2.6. So, to get there you would need to do some work.

I have postscreen on the radar for EFA. I am seriously considering bumping up its priority and rolling it into the next update.
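For reference, this is what a minimal postscreen setup looks like once postfix is at 2.8 or later. It is an added example written for this thread, not eFa's shipped configuration; the DNSBL sites, weights and the cidr file path are illustrative choices, and it assumes the appliance's own relays are listed in mynetworks.

```ini
# main.cf (added example; needs postfix 2.8+)
# Trusted networks skip postscreen; a cidr file holds manual permit/reject entries
# such as "184.173.202.0/24 reject".
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
# Clients that talk before the banner is finished are bots, not MTAs: reject them.
postscreen_greet_action = enforce
# Weighted DNSBL scoring; one listing on a *2 site alone does not reach the threshold.
postscreen_dnsbl_sites = zen.spamhaus.org*3, bl.spamcop.net*2, b.barracudacentral.org*2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
# Cache verdicts so a legitimate MTA pays the pregreet delay only once.
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_cleanup_interval = 12h

# master.cf: postscreen owns port 25 and hands clients that pass on to smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
```

Two caveats for the problem described in this thread: postscreen makes its decision before the message is accepted, so it has no notion of "X spam verdicts from this IP in Z seconds" (that count only exists after MailScanner has scored the mail), and its DNSBL test buys nothing against sources that, as noted above, never appear on any RBL. Against dump-and-run bots the pregreet test and the cidr access list are the parts that do the work.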
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Handling Spammy IP Addresses / Address Blocks

Post by pdwalker »

In the meantime, another possible way might be to use fail2ban to monitor the mail log to watch for those frequent abusers and then have it configure iptables to block/allow/rate limit those IPs on the fly.
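The counting rule skoppes asks for above (X spam or Y high-scoring spam from one source within Z seconds earns a block for Q seconds) is the same shape a fail2ban jail expresses with maxretry, findtime and bantime. Written out as an added example, not eFa or fail2ban code, it also generalizes in one way the thread only hints at: the counter can be keyed on the source's /24 instead of the single host, since skoppes observed that a new Class C tends to keep spamming for a week or two. The log format below is constructed for the example (eFa's real MailScanner and postfix lines look different and would need their own regex), as is the access-map output format.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed log format (assumption, not eFa's real log format):
#   "<epoch seconds> <client ip> <verdict>"   verdict: clean | spam | highspam
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<ip>[0-9a-fA-F.:]+)\s+(?P<verdict>clean|spam|highspam)$"
)


class SpamBurstBlocker:
    """Block a source once it exceeds X spam or Y high-scoring spam in Z seconds, for Q seconds."""

    def __init__(self, window=30, spam_threshold=10, highspam_threshold=3,
                 block_seconds=12 * 3600, aggregate_prefix=None):
        self.window = window                        # Z seconds
        self.spam_threshold = spam_threshold        # X
        self.highspam_threshold = highspam_threshold  # Y
        self.block_seconds = block_seconds          # Q seconds
        self.aggregate_prefix = aggregate_prefix    # e.g. 24 to key on the /24 instead of the host
        self.events = defaultdict(deque)            # key -> deque of (ts, verdict), oldest first
        self.blocked = {}                           # key -> expiry timestamp

    def key_for(self, ip):
        """Counter/block key: the host itself, or its enclosing network when aggregating."""
        if self.aggregate_prefix is None:
            return ip
        return str(ipaddress.ip_network(f"{ip}/{self.aggregate_prefix}", strict=False))

    def is_blocked(self, ip, now):
        key = self.key_for(ip)
        expiry = self.blocked.get(key)
        if expiry is None:
            return False
        if now >= expiry:           # the block has aged out; forget it
            del self.blocked[key]
            return False
        return True

    def observe(self, ts, ip, verdict):
        """Record one verdict; return 'block' the moment the source crosses a threshold."""
        key = self.key_for(ip)
        if self.is_blocked(ip, ts):
            return "blocked"
        if verdict == "clean":
            return "pass"
        window = self.events[key]
        window.append((ts, verdict))
        while window and ts - window[0][0] > self.window:   # drop events older than Z seconds
            window.popleft()
        spam = len(window)                                   # high-scoring spam is spam too
        high = sum(1 for _, v in window if v == "highspam")
        if spam >= self.spam_threshold or high >= self.highspam_threshold:
            self.blocked[key] = ts + self.block_seconds
            window.clear()
            return "block"
        return "pass"

    def access_map(self, now):
        """Render live blocks as postfix access(5)-style lines (the output format is an assumption)."""
        return [f"{key} REJECT spam burst, blocked until {int(exp)}"
                for key, exp in sorted(self.blocked.items()) if exp > now]


def process_log(lines, blocker):
    """Feed log lines through the blocker; return [(ts, key, action)] for every non-'pass' result."""
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue    # lines without a per-client verdict are ignored
        ts = float(m["ts"])
        action = blocker.observe(ts, m["ip"], m["verdict"])
        if action != "pass":
            results.append((ts, blocker.key_for(m["ip"]), action))
    return results


# Constructed sample: one dump-and-run burst, one low-volume spammer, one clean host.
SAMPLE_LOG = """
1000 184.173.218.239 highspam
1000 184.173.218.239 highspam
1001 184.173.218.239 highspam
1001 184.173.218.239 highspam
1002 184.173.218.237 spam
1005 89.46.133.251 spam
1010 89.46.133.251 spam
1020 10.0.0.5 clean
""".strip().splitlines()

if __name__ == "__main__":
    blocker = SpamBurstBlocker(aggregate_prefix=24)   # block the whole /24 on the third high-spam hit
    for ts, key, action in process_log(SAMPLE_LOG, blocker):
        print(f"{ts:.0f} {key} {action}")
    print("\n".join(blocker.access_map(now=1020)))
```

Whatever enforces the result (a postfix access map, a fail2ban action writing iptables rules, or a manual rule at the gateway), only count connections from untrusted clients: feed it verdicts for upstream relays or a forwarding mailbox and the first spam run through them blocks the relay rather than the spammer.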
heronimus
Posts: 24
Joined: 11 Sep 2015 10:19
Location: Netherlands

Re: Handling Spammy IP Addresses / Address Blocks

Post by heronimus »

Reading this thread, I checked the domains you mentioned. Most of them don't have an SPF record.
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Re: Handling Spammy IP Addresses / Address Blocks

Post by skoppes »

The domain names are all disposable to spammers these days. 5 of the 6 domain names don't even resolve as of today, and the 6th doesn't have SPF any more.

Ugh.
zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: Handling Spammy IP Addresses / Address Blocks

Post by zohman »

Hi skoppes,

In general, SPF exists to prevent sender spoofing, not spam. Because of DNS refresh intervals, among other things, spammers rarely use SPF, since they always need to "adjust" their SPF syntax.

Anyway, you gave me an idea: maybe we can create a list of sender domains that we always want to greylist, regardless of whether they are SPF authenticated, like the Optout domain / Optout e-mail / Optin domain / Optin e-mail lists we have for the recipient.

The idea is: sender domains whose messages are always greylisted unless they are in the auto-whitelist.

This would need extending the SQLGrey database schema. I will dig into it.

Zohman.