Apparently, Spammers Keep Lists of Spam Reporters

RJM62 (display name: Geek on the Hill)
Touchdown! Greaser!
Joined Jun 15, 2007, 13,157 messages, Upstate New York
Or so says a friend of mine who is involved in cybersecurity work, but who can't get more specific about exactly what it is that he does. He works indirectly for our Uncle. That's all I know.

I was having a casual conversation with him during which I mentioned that I rarely receive spam at any of my email addresses anymore, including the honeypot addresses I have floating here and there throughout the interwebs. It's not uncommon for me to go several days between spam messages. I used to get hundreds every day.

I do have server-side filtering enabled (except on the honeypots), but it's not set very aggressively. It also doesn't work very hard. There are very few spam messages directed at any of my regular addresses pre-filtering.

My friend told me, "Oh, you must be a reporter," which I am. I've been a Spamcop reporter for many years and have reported almost 200,000 spam emails, generally within 10 minutes of their being sent. According to my friend, this doesn't go unnoticed in the spammer community. He claims there are databases of addressees who report spam, and professional spammers avoid spamming those addresses. He said that entire domains are sometimes added to the lists when multiple email addresses in the same domain are tagged as reporters.

I've always suspected that this was the case just because of the steady decline of spam I've received over the years, even pre-filtering. It also explains why the honeypots stop getting spammed after a while. I'll have to create new ones.

Rich
 
Spam doesn't really bother me much. I too used to get a ton, now it's down to a few a day. I don't do anything other than tell Outlook to add to blocked senders list. (Which doesn't always work.) But like I said, it doesn't bother me. In the grand scheme of things, it's no worse than the crap-ton of physical junk mail that I throw away every day.

Now, robo-calls are a different story. A special place in hell do their owners deserve.
 
I have an untangle box with tarpitting. It's interesting to watch the gamesmanship of spammers vs the blacklist. I will go days with no spam at all, then suddenly a bunch, then it wanes to nothing. Then a bunch of spam, and it diminishes, and the cycle repeats.
 
> Spam doesn't really bother me much. I too used to get a ton, now it's down to a few a day. I don't do anything other than tell Outlook to add to blocked senders list. (Which doesn't always work.) But like I said, it doesn't bother me. In the grand scheme of things, it's no worse than the crap-ton of physical junk mail that I throw away every day.
>
> Now, robo-calls are a different story. A special place in hell do their owners deserve.

Robocalls:
Landline: Take a look at nomorobo. It has a fee for cell phone, but is free for landlines. It isn't available for all carriers. I use Verizon Fios.
Cell: I have AT&T, and am using CallProtect on my iPhone.

These two have cut out almost all my robocalls.
 
> Now, robo-calls are a different story. A special place in hell do their owners deserve.
>
> Robocalls:
> Landline: Take a look at nomorobo. It has a fee for cell phone, but is free for landlines. It isn't available for all carriers. I use Verizon Fios.
> Cell: I have AT&T, and am using CallProtect on my iPhone.
>
> These two have cut out almost all my robocalls.

I'll second nomorobo. If you have a VoIP line, it works like gangbusters. We use Comcast's VoIP service and it (nomorobo) is great.

Nothing on my Verizon mobile phone. I don't get very many spam calls on it.
 
+1 for CallProtect. It’s a game changer.

@RJM62 , thanks for the tip on the email stuff.
 
> I too used to get a ton, now it's down to a few a day.

Thank the sysadmin of your mail provider. You're likely getting thousands a day, but they're dumping the vast majority of them.

Anybody running any significantly sized multi-user mail system knows. E-mail is a cesspool of crap. And no, small servers with a few users don't count. The spammers know they're not worth it.

Authenticating servers in a mandatory way would clean up most of the problems of spam and spoofing, and yet the world still makes it "optional"... we really shouldn't anymore. Don't have a valid public IP and proper TLS key along with an SPF record that's accurate and DKIM signing...? Bit-bucket. Trash.

But then again, I talk to "IT experts" at small companies who can't figure out how to use an FTP or SFTP client on a regular basis (our junior guy talked to one this morning...

"Okay, so you're hitting my server on port 22 with your command line SFTP client AND logging in, AND uploading files successfully... and you think the problem with your user's SFTP client is us? Bye...")

So the chances of most small businesses getting TLS settings, SPF, and DKIM all right at the same time, when they don't understand what a DNS MX record is... is about zero.

"You need to be THIS tall, to ride the ride."
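The post above argues that a receiving server should be able to reject mail whose sending host is not covered by an accurate SPF record. As an added illustration (this is not code from the thread or from any mail server the posters run), the following Python evaluates a sender IP against SPF records in the way a receiver does, and audits a record for the terminal mechanism that decides whether it actually prevents spoofing. The domains and records are constructed for the example; a real evaluator resolves them over DNS and also handles the a, mx, ptr and exists mechanisms, which this one deliberately reports as permerror rather than guessing.

```python
import ipaddress

# Constructed sample SPF records for this example (not real domains' records).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "sloppy.example": "v=spf1 +all",   # "everyone may send as us"
}

# SPF qualifiers map to the result returned when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for sender_ip claiming to send mail for domain.

    Only ip4, ip6, include and all are handled here; records are looked
    up in the supplied dict instead of DNS so the example runs offline."""
    if depth > 10:                      # RFC 7208 caps recursive lookups
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = evaluate_spf(arg, sender_ip, records, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"      # include of a missing/broken record
            # fail/softfail/neutral from the include: keep evaluating
        else:
            return "permerror"          # a/mx/ptr/exists not implemented here
    return "neutral"                    # no mechanism matched, no explicit all


def audit_record(record):
    """Flag records whose final 'all' term lets spoofed mail through."""
    findings = []
    terms = record.split()
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append("ends with +all: any host on the internet passes")
    elif last == "~all":
        findings.append("ends with ~all: spoofed mail only softfails")
    elif last == "?all":
        findings.append("ends with ?all: neutral, record decides nothing")
    elif last != "-all":
        findings.append("no explicit all: unlisted hosts get neutral")
    return findings


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.77"), ("example.com", "198.51.100.10"),
                    ("example.com", "203.0.113.9"), ("sloppy.example", "203.0.113.9")]:
        print(dom, ip, evaluate_spf(dom, ip, SAMPLE_RECORDS))
    for dom, rec in SAMPLE_RECORDS.items():
        print(dom, audit_record(rec) or "ok")
```

The receiver-side policy the post describes corresponds to treating only a "pass" from an accurate record as acceptable; the audit shows why an SPF record that exists is not the same as one that helps, since "+all" passes every host on the internet.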
 
> Or so says a friend of mine who is involved in cybersecurity work, but who can't get more specific about exactly what it is that he does. He works indirectly for our Uncle. That's all I know.
>
> I was having a casual conversation with him during which I mentioned that I rarely receive spam at any of my email addresses anymore, including the honeypot addresses I have floating here and there throughout the interwebs. It's not uncommon for me to go several days between spam messages. I used to get hundreds every day.
>
> I do have server-side filtering enabled (except on the honeypots), but it's not set very aggressively. It also doesn't work very hard. There are very few spam messages directed at any of my regular addresses pre-filtering.
>
> My friend told me, "Oh, you must be a reporter," which I am. I've been a Spamcop reporter for many years and have reported almost 200,000 spam emails, generally within 10 minutes of their being sent. According to my friend, this doesn't go unnoticed in the spammer community. He claims there are databases of addressees who report spam, and professional spammers avoid spamming those addresses. He said that entire domains are sometimes added to the lists when multiple email addresses in the same domain are tagged as reporters.
>
> I've always suspected that this was the case just because of the steady decline of spam I've received over the years, even pre-filtering. It also explains why the honeypots stop getting spammed after a while. I'll have to create new ones.
>
> Rich

I didn't know this but at the same time I'm not surprised at all. At a company I used to work for, we would get in big trouble if people reported our emails as spam. All it really took was one or a couple of reports and the ISP/email provider (e.g. Yahoo, AT&T, etc.) would block all our messages to all their customers.
 
> Thank the sysadmin of your mail provider. You're likely getting thousands a day, but they're dumping the vast majority of them.
>
> Anybody running any significantly sized multi-user mail system knows. E-mail is a cesspool of crap. And no, small servers with a few users don't count. The spammers know they're not worth it.
>
> Authenticating servers in a mandatory way would clean up most of the problems of spam and spoofing, and yet the world still makes it "optional"... we really shouldn't anymore. Don't have a valid public IP and proper TLS key along with an SPF record that's accurate and DKIM signing...? Bit-bucket. Trash.
>
> But then again, I talk to "IT experts" at small companies who can't figure out how to use an FTP or SFTP client on a regular basis (our junior guy talked to one this morning...
>
> "Okay, so you're hitting my server on port 22 with your command line SFTP client AND logging in, AND uploading files successfully... and you think the problem with your user's SFTP client is us? Bye...")
>
> So the chances of most small businesses getting TLS settings, SPF, and DKIM all right at the same time, when they don't understand what a DNS MX record is... is about zero.
>
> "You need to be THIS tall, to ride the ride."

Having SPF, DKIM, rDNS, etc. properly configured doesn't prevent mail from hitting the server. It just takes a machete to a large percentage of it.

More than 90 percent of the mail hitting my servers used to be spam. Over the years, however, it's tapered down to very little on the addresses for which I report spam, including the honeypot addresses. They average about 10 percent spam according to the Exim logs. Most users are at about the 70-80 percent rate pre-filtering; but that number does wax and wane.

The addresses on which I report spam getting far less spam directed at them than addresses that presumably do not report spam suggests to me that my friend may be right about there being lists of "reporter" addresses that spammers intentionally avoid. I also notice very little spam directed at non-existent addresses on the domains for which I report spam, suggesting that the lists may in fact include entire domains to be avoided.

> I didn't know this but at the same time I'm not surprised at all. At a company I used to work for, we would get in big trouble if people reported our emails as spam. All it really took was one or a couple of reports and the ISP/email provider (e.g. Yahoo, AT&T, etc.) would block all our messages to all their customers.

It's a pain in the ass, especially when Verizon and BellSouth blacklist you. They're totally unhelpful. Cablevision isn't much better. Usually you have to talk to at least half a dozen people before you find one who has any idea what you're talking about. But at least eventually you will. Verizon and BellSouth, not so much.

I recently was told that AT&T has access to the same blacklists as Verizon and BellSouth, however; so if you can get someone at AT&T who has some common sense, they can solve problems with Verizon and BellSouth. The one time I tried it, it seemed to work.

Being on the FBLs helps some, too. If the recipient ISP or mail admin has an address to report "spam" to, and if it's only an occasional thing, they'll usually send you an email rather than blacklisting the whole IP.

Most of the reports filed against my servers are errors. Some of my clients use automatic invoicing programs that trigger less-than-brilliant spam filters. Usually all I have to do is point out that it was a legitimate invoice, and not spam, when the recipient ISPs notify me through the FBLs. Except with Verizon and BellSouth, that always works.

Once in a while, however, a user's password gets compromised or their computer gets infected, and they start spewing spam with wild abandon. SpamAssassin, the firewall, or Exim usually catch this right away and notify me in every way they know how. They all look for different things, but between the three of them, I usually know within a minute if a client's outgoing mail seems fishy.

If it turns out to be spam, I suspend that user's outgoing mail until they fix the problem. If an ISP sends me an FBL report on spam that's already been sent, I simply explain what happened and that the user is suspended. Except for Verizon and BellSouth, that always works to remove any blocks.

The problem is that there are well over a hundred RBLs, and each one has their own procedure to remove the blocks. So it can be several hours of work to get off all of the ones that block you, and some of the unblocks may not take effect for 24 hours. And again, Verizon and BellSouth will do nothing at all to help you.

Running mail servers is no fun. I often consider farming it out.

Rich
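Rich's post above describes knowing within a minute when a compromised client account starts spewing outbound spam, because Exim, SpamAssassin and the firewall each watch for something different. As an added example that is not code from the thread or from any of those tools, here is the kind of check a sysadmin can run over Exim main-log arrival lines: it parses the authenticated user (the A= field) and envelope sender from each "<=" line, then alerts on two signals that a hijacked account tends to show, a burst of submissions in a short window and an envelope sender outside the authenticated user's own domain. The log lines, user names and thresholds are constructed for this example; the exact fields present on a real Exim line depend on the server's log_selector.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Exim-style main log lines (not from any real server).
# "<=" marks a message arrival; A=<method>:<user> is the SMTP AUTH identity.
_BASE_LOG = """\
2024-03-01 09:00:01 1rXa01-000001-AA <= alice@client.example H=(laptop) [198.51.100.20] P=esmtpsa A=login:alice@client.example S=2210
2024-03-01 09:00:05 1rXa02-000002-AB <= bob@client.example H=(desktop) [198.51.100.21] P=esmtpsa A=login:bob@client.example S=1802
"""


def _burst(n):
    """Build n constructed arrivals in the same minute, all submitted with
    bob's credentials but carrying a foreign envelope sender."""
    return "\n".join(
        f"2024-03-01 09:01:{i:02d} 1rXb{i:02d}-0000{i:02d}-ZZ <= promo@lottery.example "
        f"H=(unknown) [203.0.113.77] P=esmtpsa A=login:bob@client.example S=5120"
        for i in range(n)
    )


SAMPLE_LOG = _BASE_LOG + _burst(30)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) .*?A=(?P<auth>\S+)"
)


def parse_arrivals(log_text):
    """Extract timestamp, message id, envelope sender and authenticated user
    from authenticated '<=' lines; lines without A= (inbound mail) are skipped."""
    arrivals = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        auth_user = m.group("auth").split(":", 1)[-1]   # drop the "login:" method prefix
        arrivals.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "id": m.group("id"),
            "sender": m.group("sender"),
            "user": auth_user,
        })
    return arrivals


def detect_outbound_abuse(arrivals, max_per_window=20, window=timedelta(seconds=60)):
    """Return {auth_user: [alert, ...]} for users whose submissions look hijacked.

    Signals: more than max_per_window messages inside a sliding window, or an
    envelope sender whose domain differs from the authenticated user's domain."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)          # per-user timestamps inside the window
    for msg in sorted(arrivals, key=lambda m: m["ts"]):
        user = msg["user"]
        sender_domain = msg["sender"].rsplit("@", 1)[-1].lower()
        user_domain = user.rsplit("@", 1)[-1].lower()
        if sender_domain != user_domain:
            alerts[user].add("envelope sender domain differs from authenticated user's domain")
        q = recent[user]
        q.append(msg["ts"])
        while q and msg["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:
            alerts[user].add(f"burst: more than {max_per_window} messages in {int(window.total_seconds())}s")
    return {user: sorted(found) for user, found in alerts.items()}


if __name__ == "__main__":
    for user, found in detect_outbound_abuse(parse_arrivals(SAMPLE_LOG)).items():
        print(user)
        for item in found:
            print("  -", item)
```

Either alert on its own is a reason to suspend that user's outgoing mail and look at the session, which is the response Rich describes; the thresholds are deliberately conservative so a legitimate bulk sender such as an invoicing job is tuned in, not silenced.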
 
> Having SPF, DKIM, rDNS, etc. properly configured doesn't prevent mail from hitting the server. It just takes a machete to a large percentage of it.

Ahh you missed the big one in my list. When I ran my non-business server, TLS was required.

If you couldn’t be bothered to put a proper encryption key configured correctly with all that other stuff on your server, I dropped the connection.

It was surprising which large businesses are too lazy to do it. I only ran into one I had to whitelist. The rest I just didn’t do business with anymore.

Can’t be a proper online citizen and offer TLS transport properly identified back to your server(s), I didn’t need to talk to you.

More businesses should block non-TLS transport inbound mail, or immediately send back a note to the sender saying their mail server is misconfigured and their message to XYZ will be delayed by three hours.
 
> Ahh you missed the big one in my list. When I ran my non-business server, TLS was required.
>
> If you couldn’t be bothered to put a proper encryption key configured correctly with all that other stuff on your server, I dropped the connection.
>
> It was surprising which large businesses are too lazy to do it. I only ran into one I had to whitelist. The rest I just didn’t do business with anymore.
>
> Can’t be a proper online citizen and offer TLS transport properly identified back to your server(s), I didn’t need to talk to you.
>
> More businesses should block non-TLS transport inbound mail, or immediately send back a note to the sender saying their mail server is misconfigured and their message to XYZ will be delayed by three hours.

I tried that for a while, but got complaints from too many clients about not being able to receive mail from their providers or customers. Maybe it's time to try it again. It's pretty much standard these days.

I also got complaints when I started rejecting mail without valid SPF / DKIM. In fact, there are still a few of my clients' correspondents that I have to whitelist (so they bypass all checks) because of SPF / rDNS / DKIM problems on their servers. It's kind of bizarre. I literally have a ticket in to the datacenter to set up rDNS before I'm even done updating the OS when I set up a new server. As soon as it has an IP and a reachable hostname, I put the ticket in.

Having to make compromises is part of the problem when dealing with clients rather than only your own domains. You really can't do everything the way you'd like. That's one of the reasons I moved all my own personally-owned sites onto their own server.

It's also one of the reasons I use cPanel on servers with client accounts. For all its quirks, it has some helpful features, such as the ability to set different PHP versions for different domains. I used to get floods of complaints every time I upgraded PHP because people's ****ty old deprecated code would stop working. Multi-PHP handily remedies that problem until they can fix their code.

Another nice thing about cPanel is that it includes several webmail clients, one of which (Roundcube) isn't bad at all. I try to nudge clients toward using webmail so I don't have to unblock them every time they hose the settings on their email clients. It also has auto-configuration scripts for most clients that save me a lot of time reading off ports and such to them. It's well worth the price.

The other thing I'm test-driving is KernelCare. I'm getting sick of the reboots every time there's a high-priority kernel patch. So far, it seems to be doing what it claims to do (patch the kernel without a reboot).

Rich
 
I think spammers, voice and email, do try to focus on actual prospects; it makes their list sales more valuable. We try not to answer calls from unknown numbers. If we do by mistake, the number quickly goes on the reject list. Most calls will ring out and then a quick redial.
 
We had a customer complain today that they couldn’t do Sender Verification on e-mails from “donotreply@[domain].com” that come out of our automated system that sends 15,000 emails a day to them.

Of course the emails come from one of our SPF authorized servers and are all signed with our DKIM key...

Another “IT Professional”... had a fancier job title than I do, too. Not that I really need anything more than “Internet Janitor” and a large paycheck to be just fine teaching these people how e-mail works.

“Does your spam filtering system have some sort of whitelist function? Yeah, you may want to use that.”

He didn’t take us up on the offer to have them come from his address. :)

Plus that would break SPF and DKIM.
 
I don’t know what I am doing right, but I don’t get any spam emails or calls.
 
> So the chances of most small businesses getting TLS settings, SPF, and DKIM all right at the same time, when they don't understand what a DNS MX record is... is about zero.
>
> "You need to be THIS tall, to ride the ride."

Sigh. Things were so much better when you had to actually have some understanding of How This **** Works(tm) to get connected to the rest of the world. Now an awful lot of people seem to think that clicking buttons in the web UI of some vendor's appliance qualifies them as some sort of "expert", when they have no more idea of what's actually going on than the woman playing Candy Crush on her iPhone next to me on the flight home last night.
 
> What's a honeypot address?

It's a dedicated address that you place here and there throughout the Interwebs specifically for the purpose of attracting spam, which you then report to the RBL(s) of your choice as it starts flowing in. It's like running a sting operation for spammers.

Rich
 