Lots of SPAM getting thru recently


58 replies to this topic

#41 Kurt

Kurt
  • Members
  • 8 posts

Posted 08 March 2019 - 11:02 AM

Yup, same here Dan.  Also 62.60.205.0.  Barracuda is taking care of the 185.191.207.0 (Reverse DNS) and I had the 62.60.205.0 on our blocklist.



#42 Ryan Prosser

Ryan Prosser
  • Members
  • 1 posts

Posted 08 March 2019 - 01:37 PM

The IPs seem to resolve to either UNKNOWN or example.com.  I found this thread: https://community.ba...cking-unknowns/

Is there a means to block these via querying the source and matching "X-Barracuda-Connect: UNKNOWN" and "X-Barracuda-Connect: example.com"?


#43 Forrest Mook

Forrest Mook
  • Members
  • 57 posts

Posted 08 March 2019 - 03:15 PM

The IPs seem to resolve to either UNKNOWN or example.com.  I found this thread: https://community.ba...cking-unknowns/

Is there a means to block these via querying the source and matching "X-Barracuda-Connect: UNKNOWN" and "X-Barracuda-Connect: example.com"?

You can block both using the "blocking by reverse DNS" options.  Look under Block/Accept->Reverse DNS and choose to "Block Missing PTR Records" and add "example.com" to the list of Custom Reverse DNS rules.



#44 Alan Shoop

Alan Shoop
  • Members
  • 3 posts

Posted 08 March 2019 - 03:16 PM

Ryan - Under "Block/Accept" > "Content Filtering" you can create a filter where pattern = "example.com", Inbound set to Block/Tag/Quarantine as you wish, and checkmark "Header". I have many such filters.

You can also go to "Block/Accept" > "Reverse DNS" and set "Block Missing PTR Records" to "Yes".

That will catch quite a bit of junk for you.



#45 Alan Shoop

Alan Shoop
  • Members
  • 3 posts

Posted 08 March 2019 - 04:00 PM

Sorry Forrest - I think we were both typing at the same time.



#46 Tex

Tex
  • Members
  • 5 posts

Posted 11 March 2019 - 08:15 AM

This was a problem for us as well. Except the boss is holding me responsible for the spam.


I've lowered our spam reputation level, I've gone nuts on content filters trying to think of every possible way a person can type video doorbell, 3d puzzles, dog beds, ear endoscopes, etc... blocked entire subnets, 



#47 Chris Meisinger

Chris Meisinger
  • Members
  • 5 posts

Posted 11 March 2019 - 10:18 AM

So glad to see (well, not glad, it shouldn't be happening) a lot are having the same issue!  It is a daily thing still; my users are upset and some higher-ups are convinced we were hacked.  My renewal is coming up in a couple days.  I have a call with someone this afternoon, but I already started talking with Mimecast about switching.  The last sales rep I talked to at Barracuda informed me that on top of the triple cost increase I need to replace my 300 hardware or move to the cloud. I told him I have been having an issue with increased SPAM daily and he said he could not find a support case for me on this, but he understands if I switch to another product.  If I am going to be spending more money on an inferior product I might as well consider switching to a better solution.

Well, another one just came in for an inflatable cervical neck device, better go block...



#48 Forrest Mook

Forrest Mook
  • Members
  • 57 posts

Posted 12 March 2019 - 09:09 AM

The best defense I've found is to lower the Rate-Control limit to around 10 messages or less per IP address per 30 minutes.  It doesn't eliminate all of it, but it ends up "deferring" a very large quantity of the junk.   After doing that, however, I have to periodically look at the "deferred messages" and add IP address exemptions for legitimate servers that send us a lot of email so that email delivery doesn't get too slow for legitimate things.

Other than that, still playing whack-a-mole of manually blocking IP address ranges to get rid of the rest.



#49 Kurt

Kurt
  • Members
  • 8 posts

Posted 12 March 2019 - 09:58 AM

It's really getting old... the daily monitoring of the inbound log.  Today we are getting hammered by 109.236.80.0.  I set up a spam email account for my domain and users are forwarding spam messages that get through to it.  Unfortunately, this is very reactive.  Every day around 10:00 AM one of these "engraving" or "puzzle" emails gets through.  I block and typically we are good the rest of the day.  I discussed again with our Barracuda Sales Rep and think the Cloud Protection Layer is the way to go.  It will be interesting once I configure it to see if these daily nonsense spam emails get caught.  The problem with setting a Rate Control that low is time of delivery. I know my staff members will complain that emails from our LMS (Schoology) aren't coming through quick enough.



#50 Forrest Mook

Forrest Mook
  • Members
  • 57 posts

Posted 12 March 2019 - 10:02 AM

The problem with setting a Rate Control that low is time of delivery. I know my staff members will complain that emails from our LMS (Schoology) aren't coming through quick enough.

Identify the IP addresses that the LMS emails are coming from and add them to the Rate Control Exemption List.



#51 Kurt

Kurt
  • Members
  • 8 posts

Posted 12 March 2019 - 10:11 AM

That was just one example... we have quite a lot of legit email traffic from outside coming in bulk.  I guess I could start making a Rate Exemption IP List and see if that helps things.  Thanks Forrest.



#52 Forrest Mook

Forrest Mook
  • Members
  • 57 posts

Posted 12 March 2019 - 10:23 AM

That was just one example... we have quite a lot of legit email traffic from outside coming in bulk.  I guess I could start making a Rate Exemption IP List and see if that helps things.  Thanks Forrest.

Yeah, I'm in the same boat.  I've ended up with a Rate Control Exemption List about 20 entries long.   Basically, after lowering the Rate Control limit to 10 or less, I periodically did a search of the message log for "deferred messages" that aren't from the IP address ranges that the spammers are using to see what legitimate stuff is being delayed by the Rate Control.   Then exempt those IP addresses of the stuff we care about.

So I end up with a message log search that looks like:

Deferred Messages is True and

Source IP doesn't contain 109.236 and

Source IP doesn't contain 63.143

etc.....   It pretty quickly identifies legitimate mail that is being delayed and the originating servers.  Then I just add those servers to the exemption list.

It's been worth the work: the low Rate Control limit setting eliminates the vast majority of the junk on its own, and the small amount that might get through often ends up going to non-existent destination addresses, so very little of the spam reaches my users anymore even without playing whack-a-mole by blocking IP address ranges outright.
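Forrest's deferred-message search and the rate-control behaviour behind it, as an added Python example (not part of the thread and not Barracuda's own code). The rate limiter is an assumed, simplified per-IP sliding window, and the log records, IPs and timestamps are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed message-log sample: (source_ip, arrival time). Not real Barracuda output.
T0 = datetime(2019, 3, 12, 9, 0)
SAMPLE_LOG = (
    # spam burst: three hosts in a range the thread already blocks, 20 messages each
    [(f"109.236.80.{h}", T0 + timedelta(seconds=s)) for h in (1, 2, 3) for s in range(20)]
    # legitimate bulk sender (think the LMS): 14 messages, one per minute
    + [("198.51.100.10", T0 + timedelta(minutes=m)) for m in range(14)]
    # low-volume legitimate sender: three messages spread over 80 minutes
    + [("203.0.113.5", T0 + timedelta(minutes=m)) for m in (0, 40, 80)]
)
SPAMMER_PREFIXES = ["109.236.", "63.143."]  # the ranges excluded in the thread's search


def rate_control(log, limit=10, window=timedelta(minutes=30)):
    """Assumed model of a per-IP rate limit (simplified, not Barracuda's algorithm):
    a message is deferred once `limit` messages from the same source have already
    arrived within `window`. Returns (source_ip, timestamp, deferred) tuples."""
    recent = defaultdict(list)
    records = []
    for src, ts in sorted(log, key=lambda r: r[1]):
        recent[src] = [t for t in recent[src] if ts - t < window]
        deferred = len(recent[src]) >= limit
        recent[src].append(ts)
        records.append((src, ts, deferred))
    return records


def deferred_candidates(records, spammer_prefixes):
    """Mirror the thread's log search ("Deferred Messages is True and Source IP
    doesn't contain 109.236 ..."): count deferred messages per source IP, skipping
    known spammer ranges. A dotted-prefix match is used instead of the search's
    substring match so that "63.143." cannot also hit 163.143.x.x. Result is
    busiest-first; these are the senders worth adding to the exemption list."""
    counts = Counter(
        src for src, _, deferred in records
        if deferred and not any(src.startswith(p) for p in spammer_prefixes)
    )
    return dict(counts.most_common())


if __name__ == "__main__":
    recs = rate_control(SAMPLE_LOG)
    print(f"{sum(1 for _, _, d in recs if d)} of {len(recs)} messages deferred")
    for ip, n in deferred_candidates(recs, SPAMMER_PREFIXES).items():
        print(f"exemption candidate: {ip} ({n} deferred)")
```

Against the constructed log, the three spam hosts absorb 30 deferrals and only the bulk sender 198.51.100.10 surfaces as an exemption candidate; the low-volume sender is never deferred.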



#53 Kurt

Kurt
  • Members
  • 8 posts

Posted 12 March 2019 - 10:29 AM

Out of curiosity... Forrest what industry are you in?  K-12?



#54 Forrest Mook

Forrest Mook
  • Members
  • 57 posts

Posted 12 March 2019 - 10:34 AM

Out of curiosity... Forrest what industry are you in?  K-12?

Not K-12, local government.  I'm lucky in that we pretty much never receive legitimate email from IP addresses outside of North America, so I've been able to outright block a lot of entire /8's assigned to RIPE, LACNIC, APNIC, AFRINIC, etc....   That alone has eliminated a gigantic quantity of spam that the Barracuda never even needs to analyze.



#55 Dan Noble

Dan Noble
  • Members
  • 2 posts

Posted 14 March 2019 - 10:15 AM

Maybe Barracuda figured it out. It seems the last 2 days most of these are being blocked as SPAM before getting on RBLs. 



#56 Alan Brewer

Alan Brewer
  • Members
  • 11 posts

Posted 14 March 2019 - 11:28 AM

Don't jinx it!!!!



#57 Alan Brewer

Alan Brewer
  • Members
  • 11 posts

Posted 14 March 2019 - 11:29 AM

But yeah, I'm seeing the same.  Either they fixed it or the spammers are slipping today.



#58 Chris Meisinger

Chris Meisinger
  • Members
  • 5 posts

Posted 14 March 2019 - 11:50 AM

I am wondering if something has finally been done.  Only saw a small few get thru yesterday and today 0!  Hmmmmmmmmm.........



#59 Kurt

Kurt
  • Members
  • 8 posts

Posted 14 March 2019 - 07:03 PM

Same here... like I said in an earlier post, I made a spam@mydomain email and staff members were forwarding spam to it.  Last two days the inbox is empty :)