This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Question about spam Reject

My question is, when spam is "rejected", is the spam sender getting an error message on the smtp transaction?

Or, is UTM accepting the transaction then deleting it?

 

The reason I'm asking is that we are continuing to receive .us domain spam, about 4 a second, 24 hours a day, 7 days a week for as long as I can remember.

Every single one, 100% of them is marked rejected.

Yet they still come.  Month after month.  Millions of them.

 

Does the spammer think they are getting through?  Or are they getting a "you are rejected" smtp transaction?



This thread was automatically locked due to age.
Parents
  • I don't think this is spam, but a denial-of-service attempt.  Are these emails coming from a single IP?  If so, I would make a blackhole DNAT of all traffic coming from it.  They'll never even establish a connection then.  Did that work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I've been watching this for about 6 months now.  The pattern is exactly the same.

    They register a fake domain such as talk.regalcy.us (that one came in just this minute).

    Then they send a million spams until spamhaus flags them, then they register a new random domain and continue.  All the domains are the same pattern, and they are ALL registered to CLOUDFLARE.COM, every single one of them.

    This has been going on 24x7 for at least 6 months now.  It's always exactly the same, one.two.us.  The same kind of spam, and the each time they get a new domain they get a new IP.

     

    It's not an attack against me.  spamhaus is flagging them.  But only after they have left thousands of spams in my smtp queue.

    We 100% reject every single one of them, about 3-4 a second, 24 hours a day.  I've been adding their subnets to a blackhole, but like I said, every few hours they register a new domain and new IP subnet.

    They apparently don't have much of a life, whoever it is.  Every domain is registered in a new country too, so country blocking doesn't work.  If I could just block any domain registered by Cloudflare.com.

     

    The only common pattern is they are all .us.  We block ALL .us.

  • Looks like they just started adding .top domain.  OK, blocked.

  • the domain registrar in every case is namecheap.com.  (cloudflare.com is their name server).

    I just did a check on namecheap.com and it looks like a criminal hosting service.  There is no way to even contact them without a namecheap account.

    Big surprise.

  • I believe that NameCheap is a reseller for eNom, so you can make a complaint to abuse@enom.com and copy support@namecheap.com.  I reported spammers for several years and don't remember eNom/NameCheap as being unresponsive.

    It sounds like CloudFlare also needs to be put on notice that they have a criminal customer that they need to prevent frpm acquiring new accounts based on things other than their domain name.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I believe that NameCheap is a reseller for eNom, so you can make a complaint to abuse@enom.com and copy support@namecheap.com.  I reported spammers for several years and don't remember eNom/NameCheap as being unresponsive.

    It sounds like CloudFlare also needs to be put on notice that they have a criminal customer that they need to prevent frpm acquiring new accounts based on things other than their domain name.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data