Email & Spam
Bruce Dawson
jbd at codemeta.com
Fri Mar 10 17:02:15 EST 2023
Essentially, no - all email headers are spoofable except the ones put on
by your server. Your server should insert a Received-by header that
indicates who sent that message to you.
You can "generally" trust headers put on by the likes of Google (because
your server can get the IP address of the server that connected to you)
and Google IP addresses are moderately static. However, this is not
always the case.
--Bruce
On 3/10/23 12:43, Bruce Labitt wrote:
> In email headers, are there any fields which are not spoof-able? Or
> is email simply a morass that is totally unsolvable and broken?
> Simply impossible to filter spam? Now I am getting spam that is
> passing all the dmarc, spf, and dkim checks. Volume is relatively low
> at the moment, 6 in 12 hours, but I am sure the bad guys are working
> on increasing the volume.
>
> In particular, is
>
> X-Origin-Country reliable? Or is this data field unsuitable for
> filtering as well?
>
> Are there any mail client pre-filtering packages that can be added?
> Or is this a game best left to?
>
>
>
>
> On 3/9/23 2:44 PM, Bruce Labitt wrote:
>> Spoke too soon. I am far from understanding this all, but why would
>> my ISP send me mail that failed the following tests?
>> dmarc, spf or dkim? The latest spam I received failed _all_ three
>> tests.
>>
>> It appears not everyone is consistent with using this stuff, I found
>> an email from Southwest Airlines that apparently doesn't use dmarc,
>> but at least it passed spf and dkim. What a mess.
>>
>> I tried to send this email and it was blocked when I included the
>> dmarc text.
>>
>> On 3/9/23 11:49 AM, Bruce Labitt wrote:
>>> Crossing fingers, my spam storm has paused. No spam since 3:27 EST
>>> yesterday.
>>>
>>> Cleaned out tons of old spam off my phone, which was tedious. Found
>>> some misclassified spam that were legitimate emails, like from
>>> attorneys and banks, that I never received. Loads of stock tips, scams,
>>> assorted pharmaceuticals, and of course, invitations to honeypots of the
>>> female persuasion. Some were quite amusing.
>>>
>>> Need to get back to the email spam storm on my wife's account now.
>>> Not sure if one of her groups she belongs to was compromised and her email
>>> account sold to spammers or not. Seems like it.
>>>
>>> My kids, both on different ISPs, had no increase in spam in the past
>>> week. I asked them last night, trying to figure out if this was a local
>>> thing, or more widespread. Guess it was local, or their ISPs were
>>> more on the ball.
>>>
>>>
>>>
>>> On 3/8/23 5:59 PM, Bruce Labitt wrote:
>>>> I think that something has been going on for a bit now.
>>>>
>>>> However, I did go through some ancient spam emails (don't ask me why
>>>> they were still around, I plumb forgot they were accumulating) and found
>>>> quite a few of them posing as family members and people I knew, but were
>>>> not legitimate. Examining the headers showed they were trying to fool
>>>> me. All of them wanted me to click on some link - hoping to do some
>>>> nefarious thing or another to me. Many were from RU.
>>>>
>>>> Oh, I have been using the filters! I have filtered every domain ending
>>>> in xyz, .store and a few others. It's not as easy to filter against
>>>> yourself...
>>>>
>>>> Is it better to have these messages go to junk, or direct to trash?
>>>> Using Thunderbird if that matters.
>>>>
>>>>
>>>> On 3/8/23 5:22 PM, Ronald Smith wrote:
>>>>> Hi all,
>>>>>
>>>>> There is a coordinated attack happening right now on many forms of communication; email, social media, everything -- someone doesn't want people communicating right now. The increase in spam is just part of it.
>>>>>
>>>>> Emails that I've sent to gmail have been bounced, maybe because gmail has tightened their filters, maybe it's a false flag. I'm not sure and I'm not going to waste my time tracking it down right now. If someone wants to reach me, they can just call me on the phone.
>>>>>
>>>>> To the guy who said you should block all the IPs in the header -- that's ABSOLUTELY WRONG! Whoever has launched this attack wants folks to do that -- they want folks to block stuff to further limit communication. Don't do that!
>>>>>
>>>>> You can only trust the top "Received" notice in your email header. SMTP servers are supposed to tack on their info to the top of the message and send it along to the next server, but spammers or provocateurs will often falsify the tracking info below the most recent "Received" line, so you should just ignore that.
>>>>>
>>>>> Just put up with the spam for now; don't over-react. Your email providers will know how to handle this if they have enough experience. Use the filters in your client if you need to.
>>>>>
>>>>> Have fun...
>>>>>
>>>>> Ronald Smith
>>>>> r270 at mrt4.com
>>>>> 603-360-1000
>>>>>
>>>>> - - - -
>>>>>
>>>>> On Wed, 8 Mar 2023 13:31:56 -0500
>>>>> Bruce Labitt<bruce.labitt at myfairpoint.net> wrote:
>>>>>
>>>>>> Seems to be an uptick in spam received lately. Doesn't seem that my ISP
>>>>>> is on top of it. In the past 48 hours have received at least three
>>>>>> dozen spams from similar parties. Many seem to be coming from *.store
>>>>>> domains. I haven't knowingly ever visited one of these domains.
>>>>>>
>>>>>> I don't think I want to run my own email server - mostly because 1) I
>>>>>> really don't know how to set one up, and 2) it sounds like a bit of work
>>>>>> to maintain. Of course, I could be wrong, which is why I am asking.
>>>>>>
>>>>>> I did a whois, and due to privacy cr*p, there's no longer a way to get
>>>>>> to the registrants. I can see why this might be, but it does make it
>>>>>> harder to report people. I did report a couple of domains as spammers
>>>>>> to godaddy, since I *think* they were the registrar. This really
>>>>>> doesn't seem kosher to me, since godaddy gets revenue from the
>>>>>> spammers. I also reported a domain or two to my ISP. Things have
>>>>>> slightly slowed down, but I am not holding my breath.
>>>>>>
>>>>>> In my wife's case, one or more of her acquaintances (with Windows
>>>>>> computers?) have had their accounts compromised or information stolen,
>>>>>> and she has been super subscribed to what seems like dozens and dozens
>>>>>> of spamming lists. Her spam folder on her phone receives many hundreds
>>>>>> of emails a day - it's really out of control. How can we get out of
>>>>>> this mess?
>>>>>>
>>>>>> Anyways, are there any practical ways to get a better handle on this?
>>>>>> Looking for some ideas. Thanks for any and all suggestions. I hope
>>>>>> this would be a topic of interest to others on this list. If for no
>>>>>> other reason to share what worked and what didn't.
>>>>>>
>>>>>> _______________________________________________
>>>>>> gnhlug-discuss mailing list
>>>>>> gnhlug-discuss at mail.gnhlug.org
>>>>>> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
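
An added example, not part of the original thread: it illustrates the point in the reply at the top of this message (only headers written by your own server can be relied on) and the quoted point that only the top "Received" line is trustworthy. It assumes your receiving server identifies itself as `mx.example.net` and writes Postfix-style Received lines; the message and all hostnames and addresses in it are constructed.

```python
import re
from email import message_from_string
from ipaddress import ip_address

MY_MX = "mx.example.net"  # assumption: the name your own server writes after "by"

# Constructed sample. Only the first Received line was written by MY_MX; every
# header below it was already in the message when it arrived.
RAW = """\
Received: from mail.sender.example (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id 4PXyZ1
\tfor <user@example.net>; Fri, 10 Mar 2023 12:40:01 -0500 (EST)
Received: from out.bigprovider.example (out.bigprovider.example [198.51.100.7])
\tby mail.sender.example with ESMTPS; Fri, 10 Mar 2023 09:39:58 -0800
Received: from [192.0.2.10] by smtp.bigprovider.example; Fri, 10 Mar 2023 09:39:50 -0800
X-Origin-Country: US
From: "Family Member" <someone@bigprovider.example>
Subject: please click

body
"""

# Postfix-style "from HELO (rDNS [IP]) by HOST"; other MTAs format this differently.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                 r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)\s+by\s+(?P<by>\S+)", re.I)

def trusted_hop(raw, my_mx=MY_MX):
    """Return what our own server recorded, or None if the top hop is not ours."""
    msg = message_from_string(raw)
    names = msg.keys()
    received = msg.get_all("Received", [])
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    m = HOP.search(top)
    if not m or m["by"].lower() != my_mx.lower():
        return None
    first = next(i for i, n in enumerate(names) if n.lower() == "received")
    return {
        "ip": str(ip_address(m["ip"])),   # address that actually connected to us
        "helo": m["helo"],                # self-reported by the client, not verified
        "rdns": m["rdns"],                # reverse lookup done by our server
        "untrusted": names[first + 1:],   # sender-controlled, lower Received included
    }

if __name__ == "__main__":
    print(trusted_hop(RAW))
```

A filter built on this would act on `ip` and `rdns` only; in the constructed sample the country header and both lower Received lines land in `untrusted` because they arrived with the message.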