Because I block some breathtakingly wide swaths of the net from sending mail to FP, I temp-fail almost everything (the exception is anything in the zen.spamhaus.org RBL; they’ve proven consistent enough that I permanent-fail anything on their list). This has served me really well, as the stripped-down spam-sending software on the exploited machines treats a temporary failure the same as a permanent failure, and I can unblock legitimate senders before they give up. Unfortunately, the 419-scammers have started finding mail hosts that retry on temp-failures, so I have had to hard-block three bad actors (that apparently are not such bad actors that they made it into zen) so far.
On the other hand, the recent flood of phishing has died down.
The traffic for johnsmithsvt has dropped off considerably in the last few years, mostly replaced by “elliott”, weirdly enough. This week, though, a new bizarre spam target entered the ring: idlok4.dlqvr. This has the added curiosity of being addressed to a domain that gets just about no mail. Spammers’ ways remain a mystery to me.
I won’t approve the comment, since if you wanted some trendy headphones with the brand of a highly influential hip-hop artist, you would find them in your own way, but this is some of the best comment spam poetry I have seen in a long time:
Substantially, the material is because of fact the freshest on that laudable topic. Certainly with all your conclusions and may eagerly rely on your forthcoming updates. Declaring many thanks are unable to just be all you would like, for the amazing clarity inside your creating. Permit me absolutely directly get your feed regardless of the kind of updates. Genuine work and far achievement while in the enterprise endeavors!
A couple weeks ago, one of my Twitter accounts was followed by a spammer. This is not unusual; a huge percentage of Twitter accounts are spammers. The thing that caught my eye—though perhaps not quite as the spam machinery intended—was in the bio: “dip me over and fuck me doggystyle. Whatever you want I will try it (NO ANAL).”
Let’s say I am so naïve that I believe an actual person has set up this Twitter account, and has invited 267 other people to do her doggystyle; do I find her more enticing because her “Whatever you want” is qualified? Especially given that the qualification excludes a pretty mundane practice—am I to infer that she’s up for (in lieu of listing several other possibilities that would likely get the blog undesirable search engine attention, I’ll just say) bloodplay? I just don’t know.
I occasionally mean to make reporting on the email spam we are rejecting a more regular feature, but then I occasionally mean to do a lot of things that never happen. So, here is another installment of a category I have just dubbed “Spiced Ham.” (note: according to Hormel, it is mere speculation that SPAM is a portmanteau of/for “spiced ham”)
Very little spam actually gets through the defenses of forcedperspective.org. We are able to achieve this relative impregnability primary through the use of the zen.spamhaus.org DNS Black list (I note in reviewing earlier spam observations that this is a reversal from the strategy of four years ago, which relied primarily on IP block banning. While we still ban many, many blocks of IPs, we have gone away from that as a primary defense because of the increasing usefulness of Zen and the very high levels of false-positives we were seeing). For instance, since Sunday, 49 of the 59 spam attempts we have blocked were by virtue of Zen. Of the rest, 3 were refused because the domain of the envelope From address did not exist, 1 because the domain of the envelope From address did not resolve (an interesting distinction), 1 because it originated from res.rr.com (this also would have been caught by Zen, but I preemptively block res.rr.com), and the rest were from countries I’ve banned (2 from India, and one each from Germany, India, Singapore, and Spain). We are able to get away with banning so many countries (65!) by virtue of two facts: first, we don’t get a lot of international traffic; second, (aside from Korea, China, and Bangladesh) banned countries get a soft (4XX) failure, instead of a hard one. This applies to all the other non-Zen blacklisting we do, too. Spammers almost never try again; legitimate senders almost always do. It really amounts to selective manual graylisting, because I choose to monitor what is being blocked in order to see if there are any false positives. I believe automated graylisting would probably work nearly as well, but I dislike the idea of delaying such a large proportion of the legitimate mail we get.
While a bunch of the search-engine traffic that hits the blog is because of my long-ago article Who is johnsmitsvt?, I have not seen spam attempts to that address in quite some time. This week, the only address that I am nearly certain has never existed on the system is elliott, which seems to have taken over as the new johnsmithsvt.
Updated to add: another thing I can recommend is creating an SPF record for your domain. It may be only a coincidence, but we have not experienced a back-scatter spam attack since we created one (with a default-discard (“~all”, not “?all”)).
In the grand tradition of johnsmithsvt, we’ve started seeing spam for mmskuramoto. None of it has been allowed into the system, since it’s coming from a blacklisted IP, so I don’t know what flavor the spam is, but the attempts were surprisingly well-behaved: most spammers treat the 451 we return to blacklisted IPs the same as a 5xx error (they retry maybe once, maybe fifty times, right away, then give up); the mmskuramoto sender backed off the retries very nicely. So nicely, in fact, that I got the originating IP whitelisted and the alias added, just so I could see what the spam was. Unfortunately (or not, probably), they gave up after 14 tries, just a couple hours before they would have gotten through.
For those who care, the blacklisting setup has been modified somewhat since the johnsmithsvt post referred to above: all country-based blocking is done with zz.countries.nerd.dk, but most of the blocking ends up happening because of a bunch of Class A and B size blocks (virtually anything in apnic or south america). We still use zen.spamhaus.org, combined.njabl.org, bl.spamcop.net, dnsbl.sorbs.net, and dnsbl.jammconsulting.com, and they contribute (especially zen), but it’s mostly the huge swaths of net that are blacklisted.
Here’s how many spam attempts we blocked here at fp last week. I don’t expect to publish these regularly, but I find the numbers interesting.
Continue reading →
I recently started tracking the addresses to which spammers are trying to send, and the number of addresses that have never existed in the domain, to which spam is being directed, surprises me. Most notable in this illustrious group (because I get why folks would try info, sales, admin, and the like) is johnsmithsvt. A quick Google indicates that it’s showing up in other folks’ rejection logs, too. Why? Is there some rootkit/worm/whatever that receives its orders at that address? The next message for that address that makes it through my RBLs (sbl-xbl.spamhaus.org, korea.services.net, combined.njabl.org, bl.spamcop.net, china.blackholes.us, dnsbl.sorbs.net, and dnsbl.jammconsulting.net (I have the last two set to return 4xx errors, since they’re awfully aggressive, and that gives me time to whitelist the senders, where appropriate)) will end up in my inbox, so I can see whether it’s just garden-variety spam or something more inimical.
Update: Garden-variety spam. For a variety of pharmaceuticals. I can’t imagine why they’re using that address.