Riddled by spam from .xyz domains
Posted: Wed Jul 15, 2015 1:18 pm
Lately several of my users get tons of spam that is incorrectly accepted as ham. What's kinda weird is that they all share the pattern of having a HELO that ends with .xyz. Is there a way to block all incoming mail with this pattern? If not, what should I do?
I have all the recommended server policies activated, in addition to resolve_helo_domain. In IP-reputation I have all recommended plus MIPSpace-poor, and I've added Spamhaus Zen to my RBL.
Here's an excerpt of the log:
Date / Time Type Mua IP Address Hostname Helo Sender Recipient
15.07.2015 02:59 HAM no 81.31.44.8 valve08.zhnws.xyz valve08.zhnws.xyz CNN-PowerSavings@valve08.zhnws.xyz customer@mydomain.com
15.07.2015 02:44 HAM no 81.31.44.5 valve05.zgnev.xyz valve05.zgnev.xyz AcuvueContacts@valve05.zgnev.xyz customer@mydomain.com
15.07.2015 02:40 HAM no 81.31.44.4 valve04.yxsyk.xyz valve04.yxsyk.xyz As-Seen-on-NBC@valve04.yxsyk.xyz customer@mydomain.com
15.07.2015 02:35 HAM no 81.31.44.3 valve03.yxsys.xyz valve03.yxsys.xyz Walk-in.Whirlpool.Tubs@valve03.yxsys.xyz customer@mydomain.com
15.07.2015 02:29 HAM no 81.31.44.2 valve02.perfectaffairsforknows.xyz valve02.perfectaffairsforknows.xyz BigBeautifulWomenAvailable@valve02.perfectaffairsforknows.xyz customer@mydomain.com
15.07.2015 02:18 HAM no 80.79.17.64 valve64.sightsecretaffairatnight.xyz sightsecretaffairatnight.xyz Your-Secret-Invitation@sightsecretaffairatnight.xyz customer@mydomain.com
15.07.2015 02:10 HAM no 80.79.17.62 valve62.meancureheartmade.xyz valve62.meancureheartmade.xyz ReliefFromHeartburn@valve62.meancureheartmade.xyz customer@mydomain.com
15.07.2015 01:55 HAM no 80.79.17.60 valve60.xmoho.xyz valve60.xmoho.xyz SouthwestRewardCard@valve60.xmoho.xyz customer@mydomain.com
15.07.2015 01:51 HAM no 80.79.17.59 valve59.newestbookgoal.xyz valve59.newestbookgoal.xyz Safe-GuardYourSavings@valve59.newestbookgoal.xyz customer@mydomain.com
15.07.2015 01:45 HAM no 80.79.17.58 valve58.backgroundcheckimps.xyz valve58.backgroundcheckimps.xyz Your-Criminal-Records@valve58.backgroundcheckimps.xyz customer@mydomain.com
15.07.2015 01:28 HAM no 80.79.17.55 valve55.xarer.xyz valve55.xarer.xyz Experian.Score.Check@valve55.xarer.xyz customer@mydomain.com
15.07.2015 00:58 HAM no 50.2.66.50 axiom50.vscri.xyz axiom50.vscri.xyz Apple-iPad-Gadget@axiom50.vscri.xyz customer@mydomain.com
15.07.2015 00:50 HAM no 50.2.66.48 axiom48.plowgenerator.xyz axiom48.plowgenerator.xyz CutYourElectricBill@axiom48.plowgenerator.xyz customer@mydomain.com
15.07.2015 00:44 HAM no 50.2.66.47 axiom47.dayhealthguidecool.xyz axiom47.dayhealthguidecool.xyz Govt-Tax-Loopholes@axiom47.dayhealthguidecool.xyz customer@mydomain.com
15.07.2015 00:27 HAM no 50.2.66.44 axiom44.viznx.xyz axiom44.viznx.xyz Stop-Driving-Glare@axiom44.viznx.xyz customer@mydomain.com
15.07.2015 00:21 HAM no 50.2.66.43 axiom43.inquirycoupongift.xyz axiom43.inquirycoupongift.xyz Costco500Coupon@axiom43.inquirycoupongift.xyz customer@mydomain.com
15.07.2015 00:12 HAM no 50.2.66.42 axiom42.livednewjobforthemonth.xyz axiom42.livednewjobforthemonth.xyz Alexa-Dunn@axiom42.livednewjobforthemonth.xyz customer@mydomain.com
15.07.2015 00:01 HAM no 50.2.66.40 axiom40.slowlyburnforheart.xyz axiom40.slowlyburnforheart.xyz 2DayMayoHeartburnRelief@axiom40.slowlyburnforheart.xyz customer@mydomain.com
14.07.2015 23:57 HAM no 50.2.66.39 axiom39.veriy.xyz axiom39.veriy.xyz JiffyLube-Oil-Change@axiom39.veriy.xyz customer@mydomain.com
14.07.2015 23:38 HAM no 50.2.66.36 axiom36.herraveinstantview.xyz axiom36.herraveinstantview.xyz Public-Records-Revealed@axiom36.herraveinstantview.xyz customer@mydomain.com
14.07.2015 23:10 HAM no 50.2.66.31 axiom31.shzxt.xyz axiom31.shzxt.xyz MercedesSummerClearance@axiom31.shzxt.xyz customer@mydomain.com
14.07.2015 17:31 HAM no 198.52.150.59 alpha59.dessd.xyz alpha59.dessd.xyz AirOptixContactLenses@alpha59.dessd.xyz customer@mydomain.com
14.07.2015 17:16 HAM no 198.52.150.57 alpha57.byyyk.xyz alpha57.byyyk.xyz Therapeudic.Kohler.Bath@alpha57.byyyk.xyz customer@mydomain.com
14.07.2015 17:05 HAM no 198.52.150.55 alpha55.buhey.xyz alpha55.buhey.xyz Your-Reduced-Rates@alpha55.buhey.xyz customer@mydomain.com
14.07.2015 16:44 HAM no 198.52.150.51 alpha51.stophypothyroidismview.xyz alpha51.stophypothyroidismview.xyz Hypothyroidism-Treatment@alpha51.stophypothyroidismview.xyz customer@mydomain.com
14.07.2015 16:38 HAM no 198.52.150.48 alpha48.somehowcoupon.xyz alpha48.somehowcoupon.xyz Costco500Coupon@alpha48.somehowcoupon.xyz customer@mydomain.com
14.07.2015 16:30 HAM no 198.52.150.50 alpha50.yosweatingmed.xyz alpha50.yosweatingmed.xyz EndYourSweating@alpha50.yosweatingmed.xyz customer@mydomain.com
14.07.2015 16:26 HAM no 198.52.150.49 alpha49.bobki.xyz alpha49.bobki.xyz No-Driving-Glare@alpha49.bobki.xyz customer@mydomain.com
14.07.2015 16:07 HAM no 198.52.150.47 alpha47.richjobmonthly.xyz alpha47.richjobmonthly.xyz Jorden-Hines@alpha47.richjobmonthly.xyz customer@mydomain.com
14.07.2015 16:04 HAM no 198.52.150.46 alpha46.seeingsurfacegiantany.xyz alpha46.seeingsurfacegiantany.xyz Restore-Your-Patio@alpha46.seeingsurfacegiantany.xyz customer@mydomain.com
14.07.2015 15:45 HAM no 198.52.150.43 alpha43.bjxfg.xyz alpha43.bjxfg.xyz SouthwestOnlineGiftCard@alpha43.bjxfg.xyz customer@mydomain.com
14.07.2015 15:33 HAM no 198.52.150.41 alpha41.ablepersonalrecords.xyz alpha41.ablepersonalrecords.xyz Criminal-Records-Exposed@alpha41.ablepersonalrecords.xyz customer@mydomain.com
14.07.2015 15:25 HAM no 198.52.150.40 alpha40.bhdnc.xyz alpha40.bhdnc.xyz DrOzCarb-Blocker@alpha40.bhdnc.xyz customer@mydomain.com
14.07.2015 15:19 HAM no 198.52.150.39 alpha39.bbhyh.xyz alpha39.bbhyh.xyz CBSNewsPowerSavings@alpha39.bbhyh.xyz customer@mydomain.com
13.07.2015 23:31 HAM no 198.154.80.20 m20.therabox.net kitcm.xyz SouthwestAwardBonus@kitcm.xyz customer@mydomain.com
13.07.2015 23:23 HAM no 198.154.80.19 m19.therabox.net purposesbooktowealth.xyz Safe-Guard-Your-Wealth@purposesbooktowealth.xyz customer@mydomain.com
Since their HELO is resolving and they are always varying their sender IP address I'm really at a loss at what I can do here. I could probably block every IP as soon as I see them, but it seems to me they would be likely to change it next time around.
Ideas?
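An added example (not the poster's code and not the spam filter's own) that parses lines in the post's log format and applies the two checks a filter could make on this traffic: reject HELO names under a blocked TLD, and flag HELO names that differ from the reverse DNS of the connecting IP. It also groups the "varying" source IPs by /24, since the excerpt shows them clustering in a few ranges. The rule names, `BLOCKED_HELO_TLDS`, and the one legitimate sample line are assumptions.

```python
"""Triage of log lines in the post's column format.  Added example, not the
spam filter's own code; the detection rules are assumptions."""
import ipaddress
from collections import Counter

# Constructed sample in the post's column order (four lines copied from
# the excerpt plus one made-up legitimate sender for contrast):
# Date Time Type Mua IP Hostname Helo Sender Recipient
SAMPLE_LOG = """\
15.07.2015 02:59 HAM no 81.31.44.8 valve08.zhnws.xyz valve08.zhnws.xyz CNN-PowerSavings@valve08.zhnws.xyz customer@mydomain.com
15.07.2015 02:44 HAM no 81.31.44.5 valve05.zgnev.xyz valve05.zgnev.xyz AcuvueContacts@valve05.zgnev.xyz customer@mydomain.com
15.07.2015 02:18 HAM no 80.79.17.64 valve64.sightsecretaffairatnight.xyz sightsecretaffairatnight.xyz Your-Secret-Invitation@sightsecretaffairatnight.xyz customer@mydomain.com
13.07.2015 23:31 HAM no 198.154.80.20 m20.therabox.net kitcm.xyz SouthwestAwardBonus@kitcm.xyz customer@mydomain.com
14.07.2015 09:00 HAM no 203.0.113.7 mail.example.net mail.example.net alice@example.net customer@mydomain.com
"""

FIELDS = ("date", "time", "type", "mua", "ip", "host", "helo", "sender", "rcpt")
BLOCKED_HELO_TLDS = {"xyz"}   # assumption: TLDs the admin decides to reject outright

def parse_log(text):
    """Split whitespace-separated log lines into dicts; skip header/malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[2] in ("HAM", "SPAM"):
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def helo_reasons(row):
    """Return the list of rule names a row trips (empty list = nothing suspicious)."""
    helo, host = row["helo"].lower(), row["host"].lower()
    reasons = []
    if helo.rsplit(".", 1)[-1] in BLOCKED_HELO_TLDS:
        reasons.append("helo_tld")            # HELO ends in a blocked TLD
    if helo != host:
        reasons.append("helo_rdns_mismatch")  # HELO differs from reverse DNS of the IP
    return reasons

def source_networks(rows):
    """Count senders per /24 to see whether 'varying IPs' really are varied."""
    return Counter(str(ipaddress.ip_network(r["ip"] + "/24", strict=False)) for r in rows)

def triage(text):
    rows = parse_log(text)
    flagged = [(r["ip"], r["helo"], helo_reasons(r)) for r in rows if helo_reasons(r)]
    return flagged, source_networks(rows)

if __name__ == "__main__":
    flagged, nets = triage(SAMPLE_LOG)
    print(*flagged, nets, sep="\n")
```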