Riddled by spam from .xyz domains

There will always be opinions, both good and bad on how MagicSpam protection, rules and policies are used, and what the defaults should be. Different environments may have different needs. We try to find the perfect balance, and that is not always easy. Just remember that we have to satisfy millions of users.. not just one person.

Moderators: wizard, magicspam

Post Reply
grbrandt
Posts: 1
Joined: Wed Jul 15, 2015 1:06 pm

Riddled by spam from .xyz domains

Post by grbrandt » Wed Jul 15, 2015 1:18 pm

Lately several of my users get tons of spam that is incorrectly accepted as ham. What's kinda weird is that they all share the pattern of having a HELO that ends with .xyz. Is there a way to block all incoming mail with this pattern? If not, what should I do?

Here's an excert of the log:

Code: Select all

Date / Time	Type	Mua	IP Address	Hostname	Helo	Sender	Recipient
15.07.2015 02:59	HAM	no	81.31.44.8	valve08.zhnws.xyz	valve08.zhnws.xyz	CNN-PowerSavings@valve08.zhnws.xyz	customer@mydomain.com
15.07.2015 02:44	HAM	no	81.31.44.5	valve05.zgnev.xyz	valve05.zgnev.xyz	AcuvueContacts@valve05.zgnev.xyz	customer@mydomain.com
15.07.2015 02:40	HAM	no	81.31.44.4	valve04.yxsyk.xyz	valve04.yxsyk.xyz	As-Seen-on-NBC@valve04.yxsyk.xyz	customer@mydomain.com
15.07.2015 02:35	HAM	no	81.31.44.3	valve03.yxsys.xyz	valve03.yxsys.xyz	Walk-in.Whirlpool.Tubs@valve03.yxsys.xyz	customer@mydomain.com
15.07.2015 02:29	HAM	no	81.31.44.2	valve02.perfectaffairsforknows.xyz	valve02.perfectaffairsforknows.xyz	BigBeautifulWomenAvailable@valve02.perfectaffairsforknows.xyz	customer@mydomain.com
15.07.2015 02:18	HAM	no	80.79.17.64	valve64.sightsecretaffairatnight.xyz	sightsecretaffairatnight.xyz	Your-Secret-Invitation@sightsecretaffairatnight.xyz	customer@mydomain.com
15.07.2015 02:10	HAM	no	80.79.17.62	valve62.meancureheartmade.xyz	valve62.meancureheartmade.xyz	ReliefFromHeartburn@valve62.meancureheartmade.xyz	customer@mydomain.com
15.07.2015 01:55	HAM	no	80.79.17.60	valve60.xmoho.xyz	valve60.xmoho.xyz	SouthwestRewardCard@valve60.xmoho.xyz	customer@mydomain.com
15.07.2015 01:51	HAM	no	80.79.17.59	valve59.newestbookgoal.xyz	valve59.newestbookgoal.xyz	Safe-GuardYourSavings@valve59.newestbookgoal.xyz	customer@mydomain.com
15.07.2015 01:45	HAM	no	80.79.17.58	valve58.backgroundcheckimps.xyz	valve58.backgroundcheckimps.xyz	Your-Criminal-Records@valve58.backgroundcheckimps.xyz	customer@mydomain.com
15.07.2015 01:28	HAM	no	80.79.17.55	valve55.xarer.xyz	valve55.xarer.xyz	Experian.Score.Check@valve55.xarer.xyz	customer@mydomain.com
15.07.2015 00:58	HAM	no	50.2.66.50	axiom50.vscri.xyz	axiom50.vscri.xyz	Apple-iPad-Gadget@axiom50.vscri.xyz	customer@mydomain.com
15.07.2015 00:50	HAM	no	50.2.66.48	axiom48.plowgenerator.xyz	axiom48.plowgenerator.xyz	CutYourElectricBill@axiom48.plowgenerator.xyz	customer@mydomain.com
15.07.2015 00:44	HAM	no	50.2.66.47	axiom47.dayhealthguidecool.xyz	axiom47.dayhealthguidecool.xyz	Govt-Tax-Loopholes@axiom47.dayhealthguidecool.xyz	customer@mydomain.com
15.07.2015 00:27	HAM	no	50.2.66.44	axiom44.viznx.xyz	axiom44.viznx.xyz	Stop-Driving-Glare@axiom44.viznx.xyz	customer@mydomain.com
15.07.2015 00:21	HAM	no	50.2.66.43	axiom43.inquirycoupongift.xyz	axiom43.inquirycoupongift.xyz	Costco500Coupon@axiom43.inquirycoupongift.xyz	customer@mydomain.com
15.07.2015 00:12	HAM	no	50.2.66.42	axiom42.livednewjobforthemonth.xyz	axiom42.livednewjobforthemonth.xyz	Alexa-Dunn@axiom42.livednewjobforthemonth.xyz	customer@mydomain.com
15.07.2015 00:01	HAM	no	50.2.66.40	axiom40.slowlyburnforheart.xyz	axiom40.slowlyburnforheart.xyz	2DayMayoHeartburnRelief@axiom40.slowlyburnforheart.xyz	customer@mydomain.com
14.07.2015 23:57	HAM	no	50.2.66.39	axiom39.veriy.xyz	axiom39.veriy.xyz	JiffyLube-Oil-Change@axiom39.veriy.xyz	customer@mydomain.com
14.07.2015 23:38	HAM	no	50.2.66.36	axiom36.herraveinstantview.xyz	axiom36.herraveinstantview.xyz	Public-Records-Revealed@axiom36.herraveinstantview.xyz	customer@mydomain.com
14.07.2015 23:10	HAM	no	50.2.66.31	axiom31.shzxt.xyz	axiom31.shzxt.xyz	MercedesSummerClearance@axiom31.shzxt.xyz	customer@mydomain.com
14.07.2015 17:31	HAM	no	198.52.150.59	alpha59.dessd.xyz	alpha59.dessd.xyz	AirOptixContactLenses@alpha59.dessd.xyz	customer@mydomain.com
14.07.2015 17:16	HAM	no	198.52.150.57	alpha57.byyyk.xyz	alpha57.byyyk.xyz	Therapeudic.Kohler.Bath@alpha57.byyyk.xyz	customer@mydomain.com
14.07.2015 17:05	HAM	no	198.52.150.55	alpha55.buhey.xyz	alpha55.buhey.xyz	Your-Reduced-Rates@alpha55.buhey.xyz	customer@mydomain.com
14.07.2015 16:44	HAM	no	198.52.150.51	alpha51.stophypothyroidismview.xyz	alpha51.stophypothyroidismview.xyz	Hypothyroidism-Treatment@alpha51.stophypothyroidismview.xyz	customer@mydomain.com
14.07.2015 16:38	HAM	no	198.52.150.48	alpha48.somehowcoupon.xyz	alpha48.somehowcoupon.xyz	Costco500Coupon@alpha48.somehowcoupon.xyz	customer@mydomain.com
14.07.2015 16:30	HAM	no	198.52.150.50	alpha50.yosweatingmed.xyz	alpha50.yosweatingmed.xyz	EndYourSweating@alpha50.yosweatingmed.xyz	customer@mydomain.com
14.07.2015 16:26	HAM	no	198.52.150.49	alpha49.bobki.xyz	alpha49.bobki.xyz	No-Driving-Glare@alpha49.bobki.xyz	customer@mydomain.com
14.07.2015 16:07	HAM	no	198.52.150.47	alpha47.richjobmonthly.xyz	alpha47.richjobmonthly.xyz	Jorden-Hines@alpha47.richjobmonthly.xyz	customer@mydomain.com
14.07.2015 16:04	HAM	no	198.52.150.46	alpha46.seeingsurfacegiantany.xyz	alpha46.seeingsurfacegiantany.xyz	Restore-Your-Patio@alpha46.seeingsurfacegiantany.xyz	customer@mydomain.com
14.07.2015 15:45	HAM	no	198.52.150.43	alpha43.bjxfg.xyz	alpha43.bjxfg.xyz	SouthwestOnlineGiftCard@alpha43.bjxfg.xyz	customer@mydomain.com
14.07.2015 15:33	HAM	no	198.52.150.41	alpha41.ablepersonalrecords.xyz	alpha41.ablepersonalrecords.xyz	Criminal-Records-Exposed@alpha41.ablepersonalrecords.xyz	customer@mydomain.com
14.07.2015 15:25	HAM	no	198.52.150.40	alpha40.bhdnc.xyz	alpha40.bhdnc.xyz	DrOzCarb-Blocker@alpha40.bhdnc.xyz	customer@mydomain.com
14.07.2015 15:19	HAM	no	198.52.150.39	alpha39.bbhyh.xyz	alpha39.bbhyh.xyz	CBSNewsPowerSavings@alpha39.bbhyh.xyz	customer@mydomain.com
13.07.2015 23:31	HAM	no	198.154.80.20	m20.therabox.net	kitcm.xyz	SouthwestAwardBonus@kitcm.xyz	customer@mydomain.com
13.07.2015 23:23	HAM	no	198.154.80.19	m19.therabox.net	purposesbooktowealth.xyz	Safe-Guard-Your-Wealth@purposesbooktowealth.xyz	customer@mydomain.com
I have all the recommended server policies activated, in addition to resolve_helo_domain. In IP-reputation I have all recommended plus MIPSpace-poor, and I've added Spamhous Zen to my RBL.

Since their HELO is resolving and they are always varying their senders IP address I'm really at loss at what I can do here. I could probably block every IP as soon as I see them, but it seems to me they would be likely to change it next time around.

Ideas?

magicspam
Posts: 982
Joined: Tue Oct 28, 2008 2:27 pm

Re: Riddled by spam from .xyz domains

Post by magicspam » Thu Jul 16, 2015 11:12 am

Hello grbrandt,

Thank you for your post and for include great information! You appear to be doing all the right things, and this appears to be a case where a new set of IPs was lit up by a spammer and your server was attacked before anybody could get their IPs onto a reputation list.

We think you really hit the mark here with your suggestion about the HELO and it could be a great feature if we were able to provide our customers the ability to white or blacklist based on the sender's EHLO/HELO. We have passed this onto our development team and hopefully we can include it in the near future!

We apologize that we cannot be of more direct assistance in this case grbrandt, but we do very much appreciate your feedback and communication.
-- MagicSpam Support Team --

j*z
Posts: 8
Joined: Tue Jul 07, 2015 8:02 am

Re: Riddled by spam from .xyz domains

Post by j*z » Fri Sep 16, 2016 8:08 am

I had that problem too. My server also runs Spamassasin and so I was able to block all .xyz and .top using Spamassasin settings. I'm running Plesk which allows me to block either serverwide or by individual domains.

rickfrombrooklyn
Posts: 1
Joined: Wed Aug 10, 2016 2:18 pm

Re: Riddled by spam from .xyz domains

Post by rickfrombrooklyn » Mon Oct 03, 2016 8:08 am

We have in the last week seen a uptick of Spam slipping past MagicSpam and the native anti-spam filters in our Zimbra Server with extensions like .download, .date, .stream and .top. I am consulting with our programmer to see if there's anything we can do to block those with the tools in the Zimbra Collaboration Suite. Is there a tool in our MagicSpam to address this in front of our server?

magicspam
Posts: 982
Joined: Tue Oct 28, 2008 2:27 pm

Re: Riddled by spam from .xyz domains

Post by magicspam » Mon Oct 03, 2016 4:53 pm

Hello rickfrombrooklyn,

Thank you for your post.

We understand that you have increased number of spam messages slipping past the native anti-spam filters on your system. Also, most of those spam messages are coming from .download, .date, .stream and .top domains.

We are also aware of this spam issue and we are getting all our focus in fighting this spam outbreak.

We noticed that messages from these domains are usually listed on MIPSpace reputation lists, and these emails are mostly rejected by MagicSpam; could you please confirm that you have MIPSpace lists enabled in your:

Settings / IP Reputation / BMS lists

tab in your MagicSpam admin-interface panel, particularly MIPSpace-poor?

Also it would be very helpful if you can send us logs for these uncaught spam messages for further analysis at our support email address:

support@magicspam.com

Please let us know if you have any questions or updates in the meantime.
-- MagicSpam Support Team --

floogy
Posts: 1
Joined: Wed Oct 12, 2016 6:03 am

Re: Riddled by spam from .xyz domains

Post by floogy » Wed Oct 12, 2016 6:22 am

j*z wrote:I had that problem too. My server also runs Spamassasin and so I was able to block all .xyz and .top using Spamassasin settings. I'm running Plesk which allows me to block either serverwide or by individual domains.
Do you mind sharing how you blocked all .xyz and .top top-level domains in SpamAssassin? Is yours a Plesk server? We were advised to buy MagicSpam for this reason, but it appears they don't support it after all.

Post Reply

Return to “Discussions on Spam Protection Policies and Default Rules”

Who is online

Users browsing this forum: No registered users and 1 guest