
Lots of SPAM getting thru recently


58 replies to this topic

#21 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 05 March 2019 - 03:18 PM

Anybody blocking by GEO IP in your firewall?  213.227.132.0 is Netherlands and I was not blocking that country.  May cause problems but there's only one way to find out.....

 

I've tried it in the past, and I am selectively blocking some entire /8's assigned to other continents, but I've also run into sporadic problems because some places we were legitimately getting mail from were using 3rd party mail relay services located in other countries (probably cheapest cost).   Usually before blocking huge ranges I'll check the last month or so of the spam filter and see if we've gotten any legitimate email at all from there.



#22 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 05 March 2019 - 03:20 PM

Mook I also see 212.32.255.0 coming in but being blocked by reverse dns.

 

Yep, I'm blocking that by reverse DNS, but I don't count on that working for long.  It seems like eventually the spammers manage to get the reverse DNS delegated later, so even stuff like 212.32.255.0 I end up just blocking by IP as well.



#23 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 05 March 2019 - 03:25 PM

The other thing I've done which has helped a lot is to set the "Block/Accept -> Rate Control -> Maximum Connections per IP address/30 minutes" setting down to a fairly low number (like 10).   This ends up just "deferring" a lot of this junk if I'm not already blocking it outright by IP address.  It doesn't eliminate all of it obviously, but it cuts way down on the amount that actually reaches the end user.

 

Consequently, I've also had to go through and add specific servers to the Rate Control Exemption List for servers that send us a lot of legitimate email.



#24 Alan Brewer

Alan Brewer
  • Members
  • 11 posts

Posted 05 March 2019 - 03:27 PM

My Rate Control is currently set to 20.  Maybe I'll drop that even lower.



#25 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 05 March 2019 - 04:49 PM

My Rate Control is currently set to 20.  Maybe I'll drop that even lower.

 

Basically what I did was set my Rate Control down to 10, and then I search through the logs for any Deferred messages (excluding the current spammer IP addresses that we've been talking about).     That way I can find legitimate servers that might be getting hit by the low Rate Control setting and add them to the exemption list.   Even if they don't get added to the exemption list, the legitimate emails get delivered eventually, but not as quickly as they could be since they might get deferred once or twice.
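The rate-control workflow Forrest describes in the two posts above (a per-IP connection cap over a sliding 30-minute window, an exemption list, and then a search of the deferred log for legitimate senders to exempt), as an added Python example. This is not the appliance's code and was not posted in the thread; the 30-minute window and the cap of 10 follow the posts, while the traffic, the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) and the exemption range are constructed.

```python
from __future__ import annotations

import ipaddress
from collections import deque
from datetime import datetime, timedelta

# Hypothetical re-implementation (not the appliance's code) of a
# "maximum connections per IP address per 30 minutes" rule with an
# exemption list, plus the follow-up review of deferred connections.
WINDOW = timedelta(minutes=30)


class RateControl:
    def __init__(self, max_per_window: int, exempt: list[str]):
        self.max_per_window = max_per_window
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.history: dict[str, deque] = {}
        self.deferred: list[tuple[datetime, str]] = []

    def is_exempt(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def connect(self, ip: str, when: datetime) -> str:
        """Return 'accept' or 'defer' for one inbound SMTP connection."""
        if self.is_exempt(ip):
            return "accept"
        seen = self.history.setdefault(ip, deque())
        # Drop timestamps that have aged out of the sliding window.
        while seen and when - seen[0] >= WINDOW:
            seen.popleft()
        if len(seen) >= self.max_per_window:
            self.deferred.append((when, ip))
            return "defer"
        seen.append(when)
        return "accept"


def constructed_connections() -> list[tuple[datetime, str]]:
    """Constructed sample traffic (documentation addresses, not real senders)."""
    base = datetime(2019, 3, 6, 10, 0)
    events = []
    for i in range(15):   # spam burst: 15 connections in 5 minutes
        events.append((base + timedelta(seconds=20 * i), "192.0.2.10"))
    for i in range(12):   # busy legitimate relay: 12 connections in 20 minutes
        events.append((base + timedelta(seconds=100 * i), "203.0.113.5"))
    for i in range(14):   # partner server already on the exemption list
        events.append((base + timedelta(seconds=60 * i), "198.51.100.7"))
    events.sort()
    return events


def replay(events, max_per_window=10, exempt=("198.51.100.0/24",)):
    """Apply the rule to a connection log; returns (controller, per-IP tallies)."""
    rc = RateControl(max_per_window, list(exempt))
    tally: dict[str, dict[str, int]] = {}
    for when, ip in events:
        verdict = rc.connect(ip, when)
        tally.setdefault(ip, {"accept": 0, "defer": 0})[verdict] += 1
    return rc, tally


def exemption_candidates(rc: RateControl, known_spam: list[str]) -> dict[str, int]:
    """Deferred senders NOT inside known spammer ranges: review these for the
    exemption list, since their mail is only being slowed down, not stopped."""
    spam_nets = [ipaddress.ip_network(n) for n in known_spam]
    counts: dict[str, int] = {}
    for _, ip in rc.deferred:
        if any(ipaddress.ip_address(ip) in n for n in spam_nets):
            continue
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def attempt_at(rc: RateControl, ip: str, minutes_after_start: int) -> str:
    """One more connection from `ip`, N minutes after the constructed log start."""
    return rc.connect(ip, datetime(2019, 3, 6, 10, 0) + timedelta(minutes=minutes_after_start))


if __name__ == "__main__":
    rc, tally = replay(constructed_connections())
    for ip, t in tally.items():
        print(f"{ip:15} accepted={t['accept']:2} deferred={t['defer']:2}")
    print("review for exemption:", exemption_candidates(rc, ["192.0.2.0/24"]))
```

The spam burst and the busy legitimate relay both trip the cap, which is exactly why the post pairs the low setting with a review of the deferred log: the tally alone cannot tell them apart, but subtracting the ranges you already know are spam leaves the senders worth exempting.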



#26 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 06 March 2019 - 10:34 AM

So far today the spam is coming from 74.63.255.0, which I blocked on my spam filter back in early January.  As I mentioned, it's not futile to block these addresses even if a bunch of stuff has already gotten through.  Chances are you'll see the same address ranges again at a later date.



#27 Alan Brewer

Alan Brewer
  • Members
  • 11 posts

Posted 06 March 2019 - 12:15 PM

Yep.  74.63.255.0 here too. and lucky me, I was in need of some ear wax remover! ;)



#28 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 06 March 2019 - 01:40 PM

:D   Just started receiving junk from 216.245.192.0/18 (specifically 216.245.213.0), as well as 38.91.101.0 (can't tell what larger aggregate it's out of).

 

One thing that I find interesting about all of this junk email, a large quantity of the recipient addresses are really really old and haven't existed for 10+ years, but an even larger quantity are destination addresses that have NEVER existed at all.  I wonder where all of these recipients came from that have never existed?  Did some spammer accidentally sort an Excel file by a single column or what? :P



#29 Alan Brewer

Alan Brewer
  • Members
  • 11 posts

Posted 06 March 2019 - 02:37 PM

I found exactly the same thing, really old recipient addresses, about half don't exist anymore and about half are old timers who are still here.  And there are a small number of what appear to be randomly generated 8 character names.  There is no telling

I just had to block those 2 subnets as well.  I have a hard time believing that Barracuda can't stop this @#!hole.  Playing whack-a-mole is getting old.



#30 Admin

Admin
  • Members
  • 1 posts

Posted 06 March 2019 - 03:21 PM

We started experiencing the exact same types of junk that you all have.  It began hitting us a week ago.  I have placed two calls to tech support and they have supposedly escalated this to the definition team.  However, just like clockwork, 10am the inundation begins.  Puzzles, wax, lamps, laser, and now weight loss and cannabis oil.  I appreciate the others who have chimed in.  Maybe if more of us can get involved here, we can get Support's attention that they are really falling flat on stopping this barrage.



#31 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 06 March 2019 - 03:23 PM

I'm just thankful for all of the non-existent recipients that the majority of the spam messages are intended for.  A decent percentage of the messages that get through before triggering the Rate Control Limit end up going nowhere because the recipient doesn't exist.  But yeah, whack-a-mole has gotten old.  I'm really surprised about the general lack of continuing improvement/changes in the spam appliance, has Barracuda basically abandoned this product or what?



#32 Kurt

Kurt
  • Members
  • 8 posts

Posted 07 March 2019 - 09:56 AM

We are also seeing the same issues.  Our Model 600 has been strong for years.  Opened two different tickets with support and pretty much their response was implement Cloud Layer Protection or buy the more advanced "Sentinel" appliance.  Thank you for this thread!  I added blocked ranges:

 

74.63.255.0
107.174.20.0
213.227.132.0
216.144.247.0
216.245.213.0
38.91.101.0

 

Like others are seeing, every day around 10:00 AM to 4:00 PM we are seeing the influx of spam coming through.

 

UPDATE - blocks seem to be working!  This morning we were getting hammered with 62.60.206.223 and 104.168.123.227 which I added to the list. Also, many of those moon lamp and earwax emails are being blocked by spamhaus now.  I have spamhaus as an RBL.  So far big improvements.  I'm just concerned moving forward.  I'm not monitoring the inbound queue on a daily basis as I've been the last few days. 



#33 Alan Brewer

Alan Brewer
  • Members
  • 11 posts

Posted 07 March 2019 - 10:32 AM

Today it's 104.168.123.0

 

I wonder if there is an external blacklist that is on top of this.  I have spamcop but it doesn't stop these.



#34 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 07 March 2019 - 11:06 AM

I'm using Spamcop and zen.spamhaus.org and neither stop this spam typically (at least not initially).  Add 62.60.206.0 as another today.
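Two checks that come up in the thread, blocking on reverse DNS (post #22) and querying an RBL such as zen.spamhaus.org (this post), as an added Python example that is not the appliance's logic and was not posted by anyone here. It implements forward-confirmed reverse DNS (a PTR record alone is not enough; the name must resolve back to the connecting IP, which is what defeats a spammer who later gets a PTR delegated) and builds the DNSBL query name. The resolver is pluggable: the constructed dictionary lets it run offline, and the `live_resolver` function uses the system resolver; all hostnames, addresses and the "listed" answer in the dictionary are constructed.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Optional

# Hypothetical example code (not the appliance's logic): forward-confirmed
# reverse DNS plus a DNSBL query, with a pluggable resolver so it runs offline.
Resolver = Callable[[str, str], list]   # (name, record type) -> list of answers


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets and append the zone: 192.0.2.77 -> 77.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fcrdns(ip: str, resolve: Resolver) -> tuple[bool, str]:
    """Forward-confirmed reverse DNS: a PTR must exist AND one of the names
    it returns must resolve (A record) back to the connecting address."""
    ptrs = resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not ptrs:
        return False, "no-rdns"
    for host in ptrs:
        if ip in resolve(host, "A"):
            return True, host
    return False, "rdns-mismatch"


def dnsbl_listed(ip: str, resolve: Resolver, zone: str = "zen.spamhaus.org") -> Optional[str]:
    """Any A answer means listed; the 127.0.0.x value identifies the sub-list
    (see the list operator's documentation for the meaning of each code)."""
    answers = resolve(dnsbl_query_name(ip, zone), "A")
    return answers[0] if answers else None


def evaluate(ip: str, resolve: Resolver) -> str:
    """Policy order used here: reverse DNS first, then the DNSBL."""
    ok, detail = fcrdns(ip, resolve)
    if not ok:
        return "reject:" + detail
    if dnsbl_listed(ip, resolve):
        return "reject:dnsbl"
    return "accept"


# Constructed DNS data (documentation ranges and example.* names); [] = NXDOMAIN.
CONSTRUCTED_DNS = {
    ("5.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.5"],
    ("77.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],   # PTR names someone else's host
    ("88.2.0.192.in-addr.arpa", "PTR"): ["relay.example.org"],
    ("relay.example.org", "A"): ["192.0.2.88"],
    ("88.2.0.192.zen.spamhaus.org", "A"): ["127.0.0.2"],        # constructed "listed" answer
}


def constructed_resolver(name: str, rtype: str) -> list:
    return CONSTRUCTED_DNS.get((name, rtype), [])


def live_resolver(name: str, rtype: str) -> list:
    """Real lookups through the system resolver (not used by the offline run)."""
    try:
        if rtype == "PTR":
            ip = ".".join(reversed(name.removesuffix(".in-addr.arpa").split(".")))
            return [socket.gethostbyaddr(ip)[0]]
        return [a[4][0] for a in socket.getaddrinfo(name, None, socket.AF_INET)]
    except OSError:
        return []


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9", "192.0.2.77", "192.0.2.88"):
        print(ip, "->", evaluate(ip, constructed_resolver))
```

The 192.0.2.77 case is the one the thread worries about: it has a PTR record, but the name does not resolve back to it, so a forward-confirmed check still rejects it where a bare "has reverse DNS" check would pass it.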



#35 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 07 March 2019 - 11:19 AM

And the other one today so far, 104.168.123.0 I blocked on my spam filter back in December (I'm actually blocking the whole allocation to Colocrossing 104.168.0.0 mask 255.255.128.0).

 

Here's a link to a blog post about Colocrossing spam from a couple years ago.  It's helpful in pointing to the various allocations that Colocrossing is using. 

 

https://irulan.net/blocking-colocrossing-spam/



#36 Forrest Mook

Forrest Mook
  • Members
  • 56 posts

Posted 07 March 2019 - 11:59 AM

Unrelated to this specific spam, but would anyone else find it helpful if Barracuda implemented a feature to add or subtract to the SPAM score, rather than having to outright block an IP address or completely whitelist an IP address?   More details at the following links.

 

https://community.ba...p-address-list/

https://community.ba...-on-ip-address/

 

https://community.ba...-to-spam-score/

 

 

If this would be helpful to other people, can you post a reply to the following thread saying so?  That thread is actually being read and responded to by someone who works for Barracuda.

 

https://community.ba...-the-community/

 

Thanks!



#37 Kurt

Kurt
  • Members
  • 8 posts

Posted 07 March 2019 - 01:34 PM

Thanks for the info.  This forum has been more helpful than Barracuda support.  It's funny how we are dealing with the exact same spam related issues.  I'm a Network Engineer for a K-12 district outside of Philadelphia.  After this whole spam incident happened this week I thought about moving to Google or O365 this summer.  I manage an on prem Exchange 2013 DAG.  I'm just curious if the spam filters for Google/Microsoft would prevent this kind of spam? 



#38 Kurt

Kurt
  • Members
  • 8 posts

Posted 07 March 2019 - 02:02 PM

I'm also seeing that these "puzzle" emails that have been coming through this week are now being blocked by Barracuda.  The reason is Fingerprint (*Spam.Unknown).  Also, I just talked to Barracuda Sales.  Apparently anyone who was licensed for ATP automatically has Cloud Layer Protection available.  I might look into implementing this sooner than later. 



#39 Alan Shoop

Alan Shoop
  • Members
  • 3 posts

Posted 07 March 2019 - 02:38 PM

I just found this forum today. At least I know I am not alone. On-prem SPAM appliance, same earwax, walking T-rex, puzzle, video doorbell, etc SPAM that has been mentioned. I had learned to do the same tricks as everyone else here in blocking hosting providers that are either naive or spammer friendly. My best weapon has been obtaining the IP of the SPAM source (Example: 62.60.206.228), then visiting Hurricane Electric at https://bgp.he.net. There I can look at the "Prefixes v4" for that ASN and locate ALL of the IP Ranges for that particular host (Psychz Networks in this case). I can then enter them all into the Barracuda to block them. As long as Barracuda relies on "IP Reputation" as the primary filter, the spammers will keep walking through Barracuda. The host IP is new, and therefore "clean" until it is blacklisted. I have done the same as others and search the logs for anything valid where Source IP starts with the first two (62.60.) numbers. Generally I find that I had previously received junk from another IP range that I was not even aware of. Let's hope there is a fix forthcoming. This is time consuming. Has there been a definitive answer that the Cloud product is detecting it? Or is it getting through that as well?
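The range-blocking workflow that posts #21, #35 and this one describe (turning an "address + netmask" entry like 104.168.0.0 / 255.255.128.0 into a CIDR, pasting a provider's whole prefix list into the blocklist, and checking the last month of logs for legitimate mail before committing), as an added Python example; it is not the appliance's code, nor anything from bgp.he.net, and nobody in the thread posted it. The prefix list and the log lines are constructed from documentation ranges in an invented log format, so only the 104.168.0.0 / 255.255.128.0 conversion reflects a value from the thread. It also shows, going a little beyond the post, why a text search on the first two octets ("62.60.") is not the same as a CIDR match.

```python
from __future__ import annotations

import ipaddress
import re

# Hypothetical example code (not the appliance's or bgp.he.net's): turn
# "address + netmask" entries and ASN prefix lists into one CIDR blocklist,
# then audit a delivery log before committing to the block.

# Constructed prefix list, as if copied from an ASN's "Prefixes v4" page
# (documentation ranges, not a real network's announcements). Overlapping
# and adjacent entries are common in such lists.
CONSTRUCTED_ASN_PREFIXES = [
    "198.51.100.0/24",
    "198.51.100.0/25",     # already inside the /24 above
    "203.0.113.0/25",
    "203.0.113.128/25",    # adjacent to the previous /25: together a /24
]

# Constructed log lines in an invented format (src=, rcpt=, verdict=).
CONSTRUCTED_LOG = """\
2019-03-07 10:02:11 src=198.51.100.40 rcpt=alice@example.org verdict=blocked
2019-03-07 10:02:15 src=198.51.100.41 rcpt=nobody-here@example.org verdict=blocked
2019-03-07 10:15:02 src=203.0.113.200 rcpt=bob@example.org verdict=allowed
2019-03-07 10:31:44 src=198.51.7.3 rcpt=carol@example.org verdict=allowed
2019-03-07 11:40:09 src=192.0.2.17 rcpt=bob@example.org verdict=allowed
"""
LOG_RE = re.compile(r"src=(\S+) rcpt=(\S+) verdict=(\S+)")


def from_address_and_mask(address: str, mask: str) -> ipaddress.IPv4Network:
    """Appliance-style entry (e.g. 104.168.0.0 + 255.255.128.0) -> CIDR network."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def build_blocklist(cidrs: list[str]) -> list[ipaddress.IPv4Network]:
    """Parse prefixes and merge overlapping/adjacent ones into the minimal set."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip: str, blocklist) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def parse_log(log: str):
    """Yield (source IP, recipient, verdict) for each parseable line."""
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def review_before_blocking(log: str, candidate) -> list[tuple[str, str]]:
    """Mail that was ALLOWED from inside the candidate block: this is what the
    new block would cost you, so check it before committing the range."""
    return [(src, rcpt) for src, rcpt, verdict in parse_log(log)
            if verdict == "allowed" and is_blocked(src, candidate)]


def string_prefix_overmatch(log: str, prefix: str, blocklist) -> list[str]:
    """Sources a naive 'starts with 198.51.' search would sweep in that are NOT
    in the CIDR blocklist: octet boundaries and prefix lengths do not line up."""
    return [src for src, _, _ in parse_log(log)
            if src.startswith(prefix) and not is_blocked(src, blocklist)]


if __name__ == "__main__":
    print(from_address_and_mask("104.168.0.0", "255.255.128.0"))   # 104.168.0.0/17
    bl = build_blocklist(CONSTRUCTED_ASN_PREFIXES)
    print("collapsed blocklist:", [str(n) for n in bl])
    print("allowed mail the block would have stopped:",
          review_before_blocking(CONSTRUCTED_LOG, bl))
    print("matched by '198.51.' but outside the block:",
          string_prefix_overmatch(CONSTRUCTED_LOG, "198.51.", bl))
```

Collapsing the list before entering it keeps the blocklist short, and the audit step is the cheap insurance the earlier posts recommend: one allowed delivery from inside the candidate range is a sender to exempt or a reason to block a narrower prefix.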



#40 Dan Noble

Dan Noble
  • Members
  • 2 posts

Posted 08 March 2019 - 10:23 AM

Looks like today started 185.191.207.0