
Spam from very new .US domains?

DISCLAIMER: I am *NOT* our email admin, but there are patterns in our spam that make me think they should be easily detectable/score-worthy.

The recent flood of spam that's passed our filtering is largely from the .us domain AND from domains that are less than an hour old.  When you're using blacklist methods to filter, these are probably not going to be stopped as they haven't been around long enough to be in anyone's lists.

Is there a method in PM for checking domain age and adding that to the scoring?  Maybe a DOMAIN_IN_DIAPERS score or something along those lines?

Just curious.  Thanks!

andrew.


  • Hi, Andrew, and welcome to the User BB!

    I agree that this is a new type of attack.  Whenever I see one of those, I send an abuse report to the registrar of the domain.  I think I've been responsible for 14 domain name suspensions in the last week. ;-)

    But the best would be a Feature Suggestion.  If you add one, I'll move a vote to it.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That will be a difficult attack to eliminate -- however, give greylisting a try -- I've found that to wipe out most offending spam traffic that somehow gets past every other test.

    As far as really detecting spam from these new domains, it's something CommTouch (now Cyren) will have to figure out, as they are the key supplier of the cloud anti-spam detection system that the UTM uses.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
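The greylisting Bruce recommends above, as an added worked example (this is a stand-alone model of the policy, not the UTM's or any MTA's implementation). An SMTP server that greylists answers the first delivery attempt from an unseen (client network, envelope sender, recipient) triplet with a 4xx temporary failure; a real MTA queues and retries after a few minutes, while single-shot spam cannons usually never return. The delay, expiry and whitelist windows, and the choice to key on the client's /24 (or /64) rather than the exact address, are assumptions typical of greylisting daemons, and the addresses used to exercise it are constructed.

```python
"""Greylisting model: defer the first attempt from an unseen triplet, accept
a proper retry, and remember triplets that passed so known senders are not
delayed again.  Added example, not Sophos UTM code."""
import ipaddress
import time
from dataclasses import dataclass, field

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300              # seconds a sender must wait before we accept
    max_wait: int = 4 * 3600          # forget a triplet that was never retried
    whitelist_ttl: int = 36 * 86400   # triplets that passed are accepted this long
    pending: dict = field(default_factory=dict)  # triplet -> first attempt time
    passed: dict = field(default_factory=dict)   # triplet -> last accepted time

    @staticmethod
    def _key(ip, sender, rcpt):
        # Key on the client's network, not its exact address, so a sending
        # pool that retries from a neighbouring IP is still recognised.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now=None):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        now = time.time() if now is None else now
        key = self._key(ip, sender, rcpt)

        last = self.passed.get(key)
        if last is not None and now - last < self.whitelist_ttl:
            self.passed[key] = now          # refresh the whitelist entry
            return ACCEPT

        first = self.pending.get(key)
        if first is None or now - first > self.max_wait:
            self.pending[key] = now         # first sighting (or a stale one)
            return DEFER
        if now - first < self.min_delay:
            return DEFER                    # retried too quickly: keep deferring

        del self.pending[key]               # genuine retry after the delay
        self.passed[key] = now
        return ACCEPT
```

The first attempt from a new sender is deferred; a retry after `min_delay` is accepted and whitelisted, so subsequent mail from that sender is not delayed. A triplet that is never retried within `max_wait` is forgotten, which is exactly what happens to the fire-and-forget senders this thread is about. The cost is a delay of a few minutes on first contact with any new legitimate correspondent, and large providers that retry from a different network block may need a broader key or a manual whitelist.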

  • I've submitted the feature suggestion, not sure when it will show up for votes/likes.  :-)
  • Bruce, since I've been fighting my own personal war on this group, I can tell you that they have all of their ducks in a row.  Here's an extract of a header from yesterday:
    Received: from value.trusteasejointpains.us ([213.163.64.67]:58352 helo=trusteasejointpains.us)
    by mail.ourdomain.com with esmtp (Exim 4.76)
    (envelope-from )
    id 1XHyvi-0002vI-0H
    for info@ourdomain.com; Thu, 14 Aug 2014 12:35:14 -0500
    Date: Thu, 14 Aug 2014 10:37:44 -0700
    Subject: Fwd: News:  The Truth about Joint Pain Relief
    Content-Type: text/plain; charset="utf-8"
    Message-ID: 
    Mime-Version: 1.0
    To: 
    From: Relieve.JointPain.14267751 
    Content-Transfer-Encoding: quoted-printable
    Return-Path: clinically.proven.tfx-751@trusteasejointpains.us
    X-OriginalArrivalTime: 14 Aug 2014 17:35:20.0916 (UTC) FILETIME=[1F198140:01CFB7E6]

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
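Andrew's domain-age score and Bob's header extract together, as an added worked example (illustrative code, not a Sophos UTM feature). It unfolds the posted Received: and Return-Path: headers, pulls out the reverse-DNS name, the HELO name and the envelope sender's domain, reduces them to a registrable domain, and scores that domain on how long ago it was registered, using Andrew's "DOMAIN_IN_DIAPERS" name for the under-a-day bucket. Bob's point that the sender has "all their ducks in a row" is visible in the output: rDNS, HELO and Return-Path all land on the same domain, so consistency checks pass and age is the remaining signal. The registration dates are constructed sample data standing in for a real lookup; in production the lookup would be an RDAP query (the rdap.org endpoint named in the comment is an assumption), cached and rate-limited, and the two-label "registrable domain" rule is a simplification of the Public Suffix List.

```python
"""Score a header block on the age of the sender's domain(s).
Added example; registration dates are constructed, not real WHOIS data."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Header extract as posted in the thread (the forum stripped the <...> parts).
SAMPLE_HEADERS = """\
Received: from value.trusteasejointpains.us ([213.163.64.67]:58352 helo=trusteasejointpains.us)
\tby mail.ourdomain.com with esmtp (Exim 4.76)
\t(envelope-from )
\tid 1XHyvi-0002vI-0H
\tfor info@ourdomain.com; Thu, 14 Aug 2014 12:35:14 -0500
Date: Thu, 14 Aug 2014 10:37:44 -0700
Subject: Fwd: News:  The Truth about Joint Pain Relief
Return-Path: clinically.proven.tfx-751@trusteasejointpains.us
"""

# Constructed sample of RDAP "registration" events.  In production, fetch
# https://rdap.org/domain/<domain> (assumed endpoint), take the event whose
# eventAction is "registration", cache the answer and rate-limit lookups.
SAMPLE_REGISTRATIONS = {
    "trusteasejointpains.us": datetime(2014, 8, 14, 16, 50, tzinfo=timezone.utc),
    "ourdomain.com": datetime(2001, 3, 9, tzinfo=timezone.utc),
}

# Exim-style "from <rdns> ([ip]:port helo=<name>) ... ; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(\[(?:IPv6:)?(?P<ip>[0-9a-fA-F:.]+)\](?::\d+)?"
    r"\s+helo=(?P<helo>[^)\s]+)\).*;\s*(?P<date>.+)$"
)


def parse_headers(raw):
    """Unfold continuation lines and return {lower-name: [values]}."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    headers = {}
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def registrable_domain(host):
    """Simplification: the last two labels.  Real code should consult the
    Public Suffix List so that co.uk, us.com and friends are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_created(domain):
    """Stand-in for the RDAP/WHOIS query; None means 'unknown'."""
    return SAMPLE_REGISTRATIONS.get(domain)


def age_score(domain, at, created=None):
    """Map the domain's age at time `at` to (score, rule name)."""
    created = domain_created(domain) if created is None else created
    if created is None:
        return 0.0, "DOMAIN_AGE_UNKNOWN"   # lookup failed: never penalise
    age = at - created
    if age < timedelta(days=1):
        return 5.0, "DOMAIN_IN_DIAPERS"
    if age < timedelta(days=7):
        return 3.0, "DOMAIN_UNDER_1WEEK"
    if age < timedelta(days=30):
        return 1.0, "DOMAIN_UNDER_1MONTH"
    return 0.0, ""


def score_message(raw, now=None):
    """Return the client IP, the sender's registrable domains, and the score."""
    headers = parse_headers(raw)
    received = headers.get("received", [""])[0]   # outermost = our own MTA
    match = RECEIVED_RE.search(received)
    if not match:
        raise ValueError("unrecognised Received: header")
    at = parsedate_to_datetime(match["date"].strip()) if now is None else now

    candidates = {match["name"], match["helo"]}   # rDNS name and HELO name
    for rp in headers.get("return-path", []):
        addr = rp.strip("<> ")
        if "@" in addr:
            candidates.add(addr.rpartition("@")[2])
    domains = {registrable_domain(c) for c in candidates}

    score, rules = 0.0, []
    for domain in sorted(domains):
        points, rule = age_score(domain, at)
        score = max(score, points)
        if points:
            rules.append(rule)
    return {"ip": match["ip"], "domains": domains, "score": score, "rules": rules}
```

Two caveats a production version needs. A failed or throttled lookup must score zero rather than "new", or an outage turns into a mail outage; and the rule should add to the spam score, not reject on its own, since a sender can park a domain for a month before using it, which makes age one signal among several rather than a blocklist replacement.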