Lots of SPAM getting thru recently


58 replies to this topic

#1 Chris Meisinger

  • Members
  • 5 posts

Posted 04 January 2019 - 11:26 AM

For the past couple weeks I am noticing a huge amount of SPAM getting thru the filters.  They usually start up around 10:00 a.m. and go thru early afternoon.  It's so much that I can't possibly block it all.  My users are starting to get very annoyed with the amounts coming in to their inbox.  Did something change recently?  I am on the latest firmware & updates.

 

Thanks

 

Chris



#2 Johnny Lee Conroy

  • Members
  • 28 posts

Posted 04 January 2019 - 11:36 AM

We have noticed exactly the same thing.  Many of our staff are reporting a significant increase in spam messages getting through to their inboxes in the past several weeks.  We are wondering if it's related to the latest firmware update.  (We updated from 8.0.4.002 to 8.1.0.003 on December 20th.)  One of the enhancements listed in the release notes for 8.1.0.002 is "Spam accuracy improvements [BNSF-28017]".  It seems possible that these changes are actually allowing a lot more spam messages through.

 

We have tightened the spam scoring setting in response, changing it from 3.0 to 2.0.  This will help some, but a lot of what's getting through is scored quite a bit lower than that.

 

Johnny Lee



#3 Chris Meisinger

  • Members
  • 5 posts

Posted 04 January 2019 - 12:05 PM

Yes, that could be.  A lot are showing a score of under 1.0.  I have mine set at 4 since lowering it to 3 did block some valid email, but I don't think 3 would block a lot that is coming in.

 

Barracuda please fix this!!!! 



#4 Erin Farnam

  • Members
  • 1 posts

Posted 04 January 2019 - 02:14 PM

Same for us. It started 2 days ago. We are unable to catch most of it because the scores are so low.

I upgraded from 8.0.3 to 8.1.0.003 yesterday because of the 'SPAM accuracy improvements' as well - hoping it would help. (It didn't.)

So I don't think it's the new version that is the culprit.



#5 Forrest Mook

  • Members
  • 56 posts

Posted 04 January 2019 - 03:44 PM

I'm seeing the same thing, not firmware related.  Basically every day there end up being 2-3 IP subnets that hammer our spam filter with thousands of junk email messages.  Tomorrow it will be 2-3 different IP subnets.  My defense is a combination of outright blocking of various colo-hosting provider IP allocations that seem to be repeat offenders, setting the "rate control" feature in the Barracuda to a fairly low number, blocking servers missing reverse DNS entries, and when all that fails logging into the Barracuda every morning and just manually blocking the offending IP address subnets of the day. 



#6 Michael Manning

  • Members
  • 204 posts
  • Location: Ohio, USA

Posted 08 January 2019 - 09:35 AM

I've noticed it too, but had written it off to the fact we had a replacement unit and I needed to train the Bayesian (yeah I still use global bayesian). We see a bunch of spam about space heaters and warm winter jackets and pants. At least it's seasonally appropriate I guess?



#7 Chris Meisinger

  • Members
  • 5 posts

Posted 06 February 2019 - 12:59 PM

I've noticed it too, but had written it off to the fact we had a replacement unit and I needed to train the Bayesian (yeah I still use global bayesian). We see a bunch of spam about space heaters and warm winter jackets and pants. At least it's seasonally appropriate I guess?

 

Yes it's cold weather jackets and vests then engraving tools now kids puzzles.  It's really annoying and I am starting to look into other products because they don't seem to be up on the SPAM anymore.



#8 Michael Manning

  • Members
  • 204 posts
  • Location: Ohio, USA

Posted 18 February 2019 - 10:15 AM

Yes it's cold weather jackets and vests then engraving tools now kids puzzles.  It's really annoying and I am starting to look into other products because they don't seem to be up on the SPAM anymore.

Yeah, their support of this product really seems to be falling off. Buzz I heard recently is they plan to try to move all their customers to cloud based solutions. May explain the slipping focus on the performance of their hardware based systems?

 

I will say I did wind up cranking down the scoring for tagged and quarantine a week or so ago and it has helped with minimal false positives. I think I bumped the score for quarantine down to 4.



#9 Jaybone

  • Members
  • 114 posts

Posted 20 February 2019 - 12:17 PM

We've been hearing this from our users lately, as well.  Same type of content, too, from the sound of it.  Puzzles, cold weather gear, laser engraving tools, etc.



#10 Rob VanFleet

  • Members
  • 4 posts

Posted 26 February 2019 - 03:00 PM

To add my two cents, I've been seeing the exact same messages as well, except add dog beds, automatic ball launchers, "moon lamps", and ear cleaning endoscopes to the topic list.  All of these messages look very similar - usually all image based and occasionally some text, followed by a link to view the item.  I've also noticed that the domains that they come from are typically misspelled words that look like something else at first glance: "sisterappaeral.com" and "craigslistsouthjerset.com".  They cycle through mail hosts, changing whenever a host ends up on an RBL (at least as soon as they end up on SpamHaus).  This appears to have been going on since mid December, but has really ramped up in frequency over the past month.

 

All of the messages are scoring quite low (usually below 2) and have caused a very noticeable uptick in spam complaints from our users.  Trying to generate custom filters for all of them is nigh impossible, and frankly, not having to chase down custom filters for obvious spam is what we are paying Barracuda for.

 

I'm curious if any posters in this thread are using the CPL instead of on-premise units?  We actually have both (CPL for one domain and on-prem for another) and it appears that these spammers are not targeting our CPL users, so I'm unable to see if these types of messages would be stopped by the CPL as opposed to our local units.




#11 Forrest Mook

  • Members
  • 56 posts

Posted 05 March 2019 - 11:06 AM

Yep, I still get hammered with this junk from 2 or 3 different IP address ranges every day.  Still playing the whack-a-mole game and blocking entire IP address ranges as they occur. 



#12 Alan Brewer

  • Members
  • 11 posts

Posted 05 March 2019 - 12:12 PM

I'll chime in here too.  I'm getting the same spam as you guys.  3D puzzles, T-Rex, Moon Lamp, Air pump, and on and on.  I block the IPs or networks at my firewall after the fact, so not very effective.  Also see some of the same IPs trying to brute force.  I submit as spam to Barracuda, but to no avail.  Hey Barracuda, do you watch these forums?  What more can we do?



#13 Jaybone

  • Members
  • 114 posts

Posted 05 March 2019 - 12:38 PM

I opened a case about this stuff last week.  They basically told me there was nothing to be done for it, at least with our 300 unit.  They suggested that maybe we should use their advanced cloud scanning option.  Of course, there's a cost involved with that.

Having a hard time trying to figure out why we should pay more for this service, given that we're already paying for a "solution" that's rapidly declining in effectiveness.

 

After using Barracuda products for 15 years, it kinda makes me sad to see this kind of lack of caring on Barracuda's part.  I'm starting to look into alternatives at this point, since Barracuda apparently can no longer be bothered to get their product to actually work.



#14 Alan Brewer

  • Members
  • 11 posts

Posted 05 March 2019 - 02:33 PM

Just curious if everyone is getting spammed by the same IPs at the same time.  Anybody been getting hammered by 213.227.132.0 today?



#15 Forrest Mook

  • Members
  • 56 posts

Posted 05 March 2019 - 02:41 PM

Just curious if everyone is getting spammed by the same IPs at the same time.  Anybody been getting hammered by 213.227.132.0 today?

 

Yep, getting hammered today by that one as well as 92.223.72.0 and 216.144.247.150

 

Here's my list since the beginning of the year.  I leave them all on the Blocked IP list because a lot of them seem to come up again a few weeks later, and I don't receive legitimate mail from any of them.

 

 



#16 Johnny Lee Conroy

  • Members
  • 28 posts

Posted 05 March 2019 - 02:44 PM

We've added IP filters for the following ranges over the past 2 days:

 

92.233.72.0

107.174.20.0

213.227.132.0

216.144.247.0



#17 Forrest Mook

  • Members
  • 56 posts

Posted 05 March 2019 - 02:50 PM

Here are additional IP blocks I added prior to 2019.  Also found that blocking reverse DNS entries ending in .colocrossing.com and .hostwindsdns.com has helped as well.   I still get hit by new ranges most days, but often at least 1 or 2 of them I've already added in the past.

 



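The range-plus-netmask block list and the reverse-DNS suffix blocking that Forrest describes in posts #5 and #17, as an added Python example that is not from the thread or from Barracuda: it parses entries in the ip,netmask,action,comment line format the posted lists use (including the variant where the comma after Block is missing) and reports whether a sender IP or its reverse-DNS name would be blocked. The embedded entries (apart from the 212.32.224.0 mask 255.255.224.0 aggregate named in post #18), the suffix tuple and the function names are assumptions.

```python
import ipaddress

# Constructed sample entries in the "ip,netmask,action,comment" line format the
# thread's block lists use. The 212.32.224.0/255.255.224.0 aggregate is the one
# named in post #18; the other two entries are made up for illustration.
BLOCK_LIST = """\
212.32.224.0,255.255.224.0,Block,spam 3-5-2019
213.227.132.0,255.255.255.0,Block,spam 3-5-2019
203.0.113.0,255.255.255.0,Block spam 3-5-2019
"""

# Reverse-DNS suffixes post #17 says are blocked (assumed representation).
BLOCKED_RDNS_SUFFIXES = (".colocrossing.com", ".hostwindsdns.com")


def parse_block_list(text):
    """Return [(network, comment), ...] for every Block entry in the list."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3:
            raise ValueError(f"malformed entry: {line!r}")
        ip, mask, action = parts[0], parts[1], parts[2]
        # Tolerate the sloppy "Block spam ..." form (comma after the action
        # missing): the first word is the action, the rest is the comment.
        action, _, inline_comment = action.partition(" ")
        comment = ",".join(parts[3:]) or inline_comment
        if action.lower() != "block":
            continue
        # strict=False so a network address with host bits set still parses.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        nets.append((net, comment))
    return nets


def match_sender(addr, nets, rdns=None):
    """Return (network or 'rdns', reason) if the sender would be blocked, else None."""
    ip = ipaddress.ip_address(addr)
    for net, comment in nets:
        if ip in net:
            return (str(net), comment)
    if rdns:
        host = rdns.rstrip(".").lower()
        for suffix in BLOCKED_RDNS_SUFFIXES:
            if host.endswith(suffix):
                return ("rdns", suffix)
    return None
```

Run it against a mail log's sender IPs and PTR names to see which of the day's hits an existing entry already covers before adding a new range.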

#18 Forrest Mook

  • Members
  • 56 posts

Posted 05 March 2019 - 03:12 PM

Just started receiving it from 212.32.255.0 a few minutes ago (looks like 212.32.224.0 mask 255.255.224.0 is the larger aggregate)



#19 Alan Brewer

  • Members
  • 11 posts

Posted 05 March 2019 - 03:14 PM

Anybody blocking by GEO IP in your firewall?  213.227.132.0 is Netherlands and I was not blocking that country.  May cause problems but there's only one way to find out.....



#20 Alan Brewer

  • Members
  • 11 posts

Posted 05 March 2019 - 03:17 PM

Mook, I also see 212.32.255.0 coming in but being blocked by reverse DNS.