Mailing List Archive

Anybody else getting bombarded with "I RECORDED YOU" spam?
In the last couple of days, the number of "I RECORDED YOU" spams that my
server has been receiving, has gone way up. Well over a thousand a day. 
And the spam is only being sent to about 20 of my users.  We had been
receiving these for the last month, but nothing at all like the rate it's
now happening.   It's not using up a ton of CPU, but it is very annoying
to see happening.

The spam is coming from many different IP ranges, with little
repetition.   Most of them are from countries like Afghanistan,
Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the
latest sources that spam software is using, because other countries have
tightened up their security?

I've been using spamassassin for almost several decades, and I've never
noticed anything like this.  I don't understand why the spam continues
to be sent over and over.  I do reject emails with a very high spam,
which these spams have.  So I tried changing my configuration to discard
the email instead, hoping the spammer software would decide that the
email had been received.   This didn't help.   I'm curious if anyone is
noticing this spam. Thanks.  - Mark
RE: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
>
> The spam is coming from many different IP ranges, with little
> repetition.   Most of them are from countries like Afghanistan,
> Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the
> latest sources that spam software is using, because other countries have
> tightened up their security?

Do you at least verify the reverse lookup? That already stops a lot of such networks.

> I've been using spamassassin for almost several decades, and I've never
> noticed anything like this.  I don't understand why the spam continues
> to be sent over and over.  I do reject emails with a very high spam,
> which these spams have.  So I tried changing my configuration to discard
> the email instead, hoping the spammer software would decide that the
> email had been received.   This didn't help.   I'm curious if anyone is
> noticing this spam. Thanks.  - Mark
>

This takes a while (afaik months at least).
Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
Unfortunately most of the ip addresses do have reverse lookups.

On the other hand, I do see that some have common domains.   So I could
use block by domain using sendmail.

Heck, maybe I should just block the whole country.  :)

On 11/9/2023 12:38 PM, Marc wrote:
>> The spam is coming from many different IP ranges, with little
>> repetition.   Most of them are from countries like Afghanistan,
>> Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the
>> latest sources that spam software is using, because other countries have
>> tightened up their security?
> Do you at least verify the reverse lookup? That already stops a lot of such networks.
>
>> I've been using spamassassin for almost several decades, and I've never
>> noticed anything like this.  I don't understand why the spam continues
>> to be sent over and over.  I do reject emails with a very high spam,
>> which these spams have.  So I tried changing my configuration to discard
>> the email instead, hoping the spammer software would decide that the
>> email had been received.   This didn't help.   I'm curious if anyone is
>> noticing this spam. Thanks.  - Mark
>>
> This takes a while (afaik months at least).
>
RE: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
>
> Heck, maybe I should just block the whole country.  :)

You have to be careful with this. I think there are 'organisations' that specifically abuse with the intent to provoke you to blanket block a specific region/range.
Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
Marc - You are correct.  All the IP sources of this spam don't have a valid
reverse lookup of the IP address to an IP name.   That will solve my
problem.  Thanks! - Mark

On 11/9/2023 12:38 PM, Marc wrote:
> Do you at least verify the reverse lookup? That already stops a lot of such networks.
RE: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
Yes that is fucked up that experience and wisdom comes with getting older ;)

https://faculty.cs.niu.edu/~rickert/cf/hack/require_rdns.m4


>
> Marc - You are correct.  All the IP sources of this spam, don't a valid
> reverse lookup of the IP address, to an IP name.   That will solve my
> problem.  Thanks! - Mark
>
> On 11/9/2023 12:38 PM, Marc wrote:
> > Do you at least verify the reverse lookup? That already stops a lot of
> such networks.
Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure
I've been using it longer than that.  And by default it's not enabled.

It doesn't totally block the "I RECOVERED YOU" spams.   Occasionally some
come through with ip addresses that have valid reverse lookups.  But the
number getting blocked is still huge.

On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
>
>
> Am 10.11.23 um 08:40 schrieb Mark London:
>> Marc - You are correct.  All the IP sources of this spam, don't a
>> valid reverse lookup of the IP address, to an IP name.   That will
>> solve my problem.  Thanks! - Mark
>
> in other words your MTA is misconfigured
>
> https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
>
>
>> On 11/9/2023 12:38 PM, Marc wrote:
>>> Do you at least verify the reverse lookup? That already stops a lot
>>> of such networks.
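What the reverse-lookup check behind Sendmail's require_rdns and Postfix's reject_unknown_reverse_client_hostname actually tests, as an added Python example (not Sendmail's, Postfix's or any poster's code): the resolver is injected so the constructed TEST-NET data below runs offline, and it also separates a PTR that merely exists from one that forward-confirms, which is why some of the spams with "valid reverse lookups" still get through a PTR-only check.

```python
import ipaddress
import socket

# Constructed DNS data so the example runs offline (TEST-NET addresses, not
# real hosts). PTR table is keyed by client IP; 203.0.113.12 has no PTR.
CONSTRUCTED_PTR = {
    "203.0.113.10": ["mail.example.net"],  # PTR and A agree
    "203.0.113.11": ["mx.example.org"],    # PTR exists, A points elsewhere
    "2001:db8::1": ["ipv6.example.net"],   # same check works for IPv6
}
CONSTRUCTED_ADDR = {
    "mail.example.net": ["203.0.113.10"],
    "mx.example.org": ["198.51.100.7"],
    "ipv6.example.net": ["2001:db8::1"],
}

def fake_ptr(ip):  # resolver stubs over the constructed data
    return CONSTRUCTED_PTR.get(ip, [])
def fake_addr(host):
    return CONSTRUCTED_ADDR.get(host, [])

def live_ptr(ip):  # real lookups using only the standard library
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except socket.herror:
        return []

def live_addr(host):
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def classify_client(ip, ptr_lookup, addr_lookup):
    """'no_rdns': no PTR at all (what require_rdns rejects);
    'unconfirmed': PTR exists but does not resolve back to the client;
    'confirmed': forward-confirmed rDNS (FCrDNS)."""
    addr = ipaddress.ip_address(ip)
    names = list(ptr_lookup(str(addr)))
    if not names:
        return "no_rdns"
    for name in names:
        if any(ipaddress.ip_address(a) == addr for a in addr_lookup(name)):
            return "confirmed"
    return "unconfirmed"

def connect_verdict(ip, ptr_lookup, addr_lookup):
    """Thread's policy: refuse at connect time only when there is no rDNS;
    everything else still goes to SpamAssassin for content scoring."""
    status = classify_client(ip, ptr_lookup, addr_lookup)
    return ("reject" if status == "no_rdns" else "score"), status
```

Swap in live_ptr/live_addr to test a real client address; the "unconfirmed" tier is the stricter check that a PTR-only feature does not make.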
Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
To block this type of spam I've increased the score of GB_HASHBL_BTC (Bitcoin rbl) rule.
Giovanni

On 11/10/23 11:01, Mark London wrote:
> Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure I've been using it longer than that.  And by default it's not enabled.
>
> It doesn't totally block the "I RECOVERED YOU" spams.   Occasional some come through with ip addresses that have valid reverse lookups.  But the number getting blocked, is still huge.
>
> On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
>>
>>
>> Am 10.11.23 um 08:40 schrieb Mark London:
>>> Marc - You are correct.  All the IP sources of this spam, don't a valid reverse lookup of the IP address, to an IP name.   That will solve my problem.  Thanks! - Mark
>>
>> in other words your MTA is misconfigured
>>
>> https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
>>
>>> On 11/9/2023 12:38 PM, Marc wrote:
>>>> Do you at least verify the reverse lookup? That already stops a lot of such networks.
>
Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
I don't have the specifics at hand but I created a rule that places a
heavy score (like 2.0) on anything that matches existing sex and bitcoin
rules. These messages usually match a bunch of other signals and that
rule pushes the score over my delete-on-sight threshold (8.0).

On 2023-11-10 05:51, giovanni@paclan.it wrote:
> To block this type of spam I've increased the score of GB_HASHBL_BTC
> (Bitcoin rbl) rule.
>  Giovanni
>
> On 11/10/23 11:01, Mark London wrote:
>> Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure
>> I've been using it longer than that.  And by default it's not enabled.
>>
>> It doesn't totally block the "I RECOVERED YOU" spams. Occasional some
>> come through with ip addresses that have valid reverse lookups.  But
>> the number getting blocked, is still huge.
>>
>> On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
>>>
>>>
>>> Am 10.11.23 um 08:40 schrieb Mark London:
>>>> Marc - You are correct.  All the IP sources of this spam, don't a
>>>> valid reverse lookup of the IP address, to an IP name.   That will
>>>> solve my problem. Thanks! - Mark
>>>
>>> in other words your MTA is misconfigured
>>>
>>> https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
>>>
>>>
>>>> On 11/9/2023 12:38 PM, Marc wrote:
>>>>> Do you at least verify the reverse lookup? That already stops a
>>>>> lot of such networks.
>>
>
--
For SpamAssassin Users List
Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
In your message regarding Re: Anybody else getting bombarded with "I
RECORDED YOU" spam? dated 10/11/2023, Mark London said ...

> Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure
> I've been using it longer than that.  And by default it's not enabled.

> It doesn't totally block the "I RECOVERED YOU" spams.   Occasional some
> come through with ip addresses that have valid reverse lookups.  But the
> number getting blocked, is still huge.



Mark, thank you for this. I have just added this feature to my Sendmail
and installed pyspf-milter as well and I would say it has reduced my spam
by 95%.

There is a way to whitelist domains with no RDNS but so far I haven't
found a way to do this in the .mc file.

Thanks again

--
Mike
Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
On 11/11/2023 22:37, Mike Bostock via users wrote:

> There is a way to whitelist domains with no RDNS but so far I haven't
> found a way to do this in the .mc file.
>
> Thanks again

/etc/mail/access

Connect:foo OK

--
Regards,
Noel Butler

Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
In your message regarding Re: Anybody else getting bombarded with "I
RECORDED YOU" spam? dated 11/11/2023, Noel Butler said ...

> On 11/11/2023 22:37, Mike Bostock via users wrote:

> > There is a way to whitelist domains with no RDNS but so far I haven't
> > found a way to do this in the .mc file.
> >
> > Thanks again

> /etc/mail/access

> Connect:foo OK

Of course, duhhhh! ;-)


--
Mike
Re: Anybody else getting bombarded with "I RECORDED YOU" spam? [ In reply to ]
Using Sendmail.

I added milter-regex which allows very simple rules eg.

reject "Unsolicited Spam" - make this as rude as you like.
body /I RECORDED YOU/i

Done and dusted.

It's available as an RPM from epel for RedHat and variants.



*********** REPLY SEPARATOR ***********

On 11/11/2023 at 1:09 PM Mike Bostock via users wrote:

>In your message regarding Re: Anybody else getting bombarded with "I
>RECORDED YOU" spam? dated 11/11/2023, Noel Butler said ...
>
>> On 11/11/2023 22:37, Mike Bostock via users wrote:
>
>> > There is a way to whitelist domains with no RDNS but so far I haven't
>> > found a way to do this in the .mc file.
>> >
>> > Thanks again
>
>> /etc/mail/access
>
>> Connect:foo OK
>
>Of course, duhhhh! ;-)
>
>
>--
>Mike