Possible To Stop Some Email Spam?

I’ve been getting a lot of spam email recently, and I take the time to not only report the stuff as Spam to my ISP (which seems to do no good), but I also add the domain to my ISP Block List. Unfortunately, my block list allows only a maximum of 250 entries. I’ve cleaned out old blocks so that I can add new ones, but I’ll run out of room again pretty soon.

Here’s a sample of some of the domains from which I’ve gotten spam - I’ve changed .com to .cam:

deviousnessimmotile.cam
deviousnessphotoengraver.cam
deviousnesspleadings.cam
discerningdefoliate.cam
sabatinielectrocuted.cam
sabatinilither.cam
sabatinimattery.cam
sabatinireasonsured.cam
sixtmilestrendingpartners.info
unchaffedhoustonia.cam
unchaffedtoltec.cam
unemulousdunnaging.cam

Here’s a sample of the header info from one of the spam messages (windstream.net is my ISP, and my email is shown here as <MYADDRESS@windstream.net>). Again, I’ve changed .com to .cam:

Return-Path: <hlohnmauaqbvppblpvr@lcbfjlwvm.gcjbr.reallycoolstuffstore.info>
Received: from pacmmta07.windstream.net ([10.135.134.12])
by pamxfep04-srv.windstream.net with ESMTP
id <20151203190318.MWGS26703.pamxfep04-srv.windstream.net@pacmmta07.windstream.net>
for <MYADDRESS@windstream.net>;
Thu, 3 Dec 2015 14:03:18 -0500
Received: from fmubjdsmg.cam ([94.155.163.63])
by pacmmta07.windstream.net with pacmmta07
id p6Ul1r06f1NNzfA016Unqc; Thu, 03 Dec 2015 14:00:25 -0500
X-WS-COS: WS802
X-Cloudmark-Category: undefined
X-Cloudmark-Analysis: v=2.1 cv=E75e+8tl c=1 sm=1 tr=0
a=0LV6Hhqs/uYvj1Sm0R2bNw==:117 a=0LV6Hhqs/uYvj1Sm0R2bNw==:17 a=2ho8UP85AAAA:8
a=o2QoyYduAAAA:8 a=9cW_t1CCXrUA:10 a=cJ0TcWhTAAAA:8 a=MKtGQD3n3ToA:10
a=ZZnuYtJkoWoA:10 a=SFk0LFJCrjoy2mmFq3wA:9 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10
X-Cloudmark-Score: 0.00
From: "Medicare Plans" <hlohnmauaqbvppblpvr@lcbfjlwvm.gcjbr.reallycoolstuffstore.info>
Subject: Browse TOP Medicare Plans - AARP, Humana, Kaiser, BlueCross & More!
X-ID: afymrjf-humiargfqmo
MIME-version: 1.0
Content-type: text/html
Return-Path: "Medicare Plans" <hlohnmauaqbvppblpvr@lcbfjlwvm.gcjbr.reallycoolstuffstore.info>
Date: Thu, 3 Dec 2015 14:03:18 -0500
Message-Id: <20151203190318.MWGS26703.pamxfep04-srv.windstream.net@pacmmta07.windstream.net>

The message itself contains a few links, then a really long list of random words (which I won’t show here).

I assume that all of these are coming from just a few locations around the world. Maybe that’s a false assumption, but my question is this - is there anything that you can spot in the header that would be more effective at blocking this sort of thing other than the seemingly random domains that are obvious in the message?

I’m hoping that there might be a “silver bullet” within the header that can more effectively kill these things.

Thanks for your help!

What e-mail client do you use? Many of them have features or add-ons that don’t depend on manual blacklisting at the ISP level like you are trying to do. There are other strategies that work very well and are simple to implement as long as you give it examples of what you consider SPAM. I have Thunderbird and it has enhancements that learn over time what is likely SPAM so it just puts it in a special folder. The results are so good that I just dump the folder every few weeks without even looking at it closely. It is possible to get stray SPAM every once in a while but it learns quite well not to present similar messages in your main inbox once you flag the first couple of occurrences as SPAM. Other clients have similar features or add-ons. It sounds like you are trying to do it the hard way and reinvent the wheel, which I wouldn’t recommend unless you have very good reasons for trying to do it that way.

Here is one example of a tool for Thunderbird that is highly customizable:

I use Outlook which is pretty good at flagging and segregating spam, but I’ve been trying to stop it at the ISP. Since Outlook can be told to delete the messages from the ISP when deleted, maybe I am trying to reinvent the wheel.

That’s a very good point.

Yes, there are add-ons for Outlook as well but even the base client has a very robust Rules engine that you can use to segregate messages any way you want. I don’t believe there is a limit on the number of rules you can have even if you want to do it the brute force way like you described. You can tell it to segregate messages into a separate folder or even delete them immediately upon receipt so that you never see them at all.

The type of “smart” filter that I described is called a Bayesian SPAM filter. They are typically easy to use and learn what you think a SPAM message looks like over time as you train them. There are very good, free ones available for Outlook as well that improve on its base SPAM-spotting algorithms.

https://www.google.com/search?q=bayesian+spam+filter+for+outlook&oq=bayesian+spam+filter+for+outlook&aqs=chrome..69i57j0l4.9435j0j4&sourceid=chrome&es_sm=93&ie=UTF-8#q=free+bayesian+spam+filter+for+outlook
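To show what the "training" described in the reply above actually does, here is an added example (not code from any poster in this thread, and not any particular Outlook or Thunderbird add-on): a minimal naive Bayes classifier over word presence. It is trained on the Subject line from the posted header plus a handful of constructed spam and non-spam lines (made up for this example), then asked to score two new subjects. Real filters use far larger corpora, hash tokens, and look at headers and HTML too; the arithmetic is the same.

```python
import math
import re
from collections import Counter

# Training corpus: the Subject line from the posted spam header plus constructed
# examples (not real mail) so the filter has something to learn from.
SPAM_EXAMPLES = [
    "Browse TOP Medicare Plans - AARP, Humana, Kaiser, BlueCross & More!",
    "Cheap medicare plans compare top plans now free quote",
    "Free quote for top insurance plans click now",
    "Compare cheap plans and save click here now",
]
HAM_EXAMPLES = [
    "Meeting moved to Thursday, please bring the quarterly report",
    "Can you send me the photos from the family reunion",
    "Reminder: dentist appointment Friday at 3pm",
    "The report draft is attached, comments welcome",
]

WORD = re.compile(r"[a-z]{2,}")


def tokens(text):
    """Lower-case alphabetic words of two or more letters, one entry per word."""
    return set(WORD.findall(text.lower()))


class BayesFilter:
    """Naive Bayes over word presence: the core of a trainable spam filter."""

    def __init__(self):
        self.word_docs = {"spam": Counter(), "ham": Counter()}  # docs containing word
        self.doc_count = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """Flagging a message as spam/ham is exactly this call."""
        self.doc_count[label] += 1
        for word in tokens(text):
            self.word_docs[label][word] += 1

    def _log_likelihood(self, words, label):
        n = self.doc_count[label]
        logp = math.log(n / sum(self.doc_count.values()))  # class prior
        for word in words:
            # Laplace smoothing: a never-seen word scores 1/(n+2), never zero,
            # so one unknown word cannot veto the whole classification.
            logp += math.log((self.word_docs[label][word] + 1) / (n + 2))
        return logp

    def spam_probability(self, text):
        words = tokens(text)
        ls = self._log_likelihood(words, "spam")
        lh = self._log_likelihood(words, "ham")
        # P(spam | words) = e^ls / (e^ls + e^lh), evaluated in log space
        return 1.0 / (1.0 + math.exp(lh - ls))

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold


def build_filter():
    """Train on the embedded corpus and return the ready-to-use filter."""
    f = BayesFilter()
    for line in SPAM_EXAMPLES:
        f.train(line, "spam")
    for line in HAM_EXAMPLES:
        f.train(line, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for subject in ("Compare top medicare plans and save now",
                    "Please send the quarterly report to me"):
        print(f"{f.spam_probability(subject):.4f}  spam={f.is_spam(subject)}  {subject}")
```

Note that the filter never looks at the sending domain, which is why the randomised domains in the question do not hurt it: the words the spammer has to use to sell Medicare plans are the signal, and each message you flag adds to the counts.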

Yes… and No.

You see those lines tagged “Cloudmark”? “Cloudmark Sender Intelligence uses real-time data from the Cloudmark Global Threat Network to create accurate, comprehensive sender profiles enabling communications service providers to set informed policies against good, bad and suspect senders.”

That’s telling you that the sender address information has been analysed by a professional, and they weren’t able to identify it as spam based on the header information.

I paid and subscribed my Mother to a co-operative anti-spam service, installed as an Outlook add-in, where I could tag individual messages as spam, and it worked perfectly: I never had to tag anything as spam, because it was all recognised immediately anyway. I don’t remember the name of the company, but I have no hesitation recommending it as an approach.

I think the problem started when I needed to make sure that messages were left on my ISP’s server so that I could retrieve them from outside my home computer. My ISP’s “Spam” reporting is worthless, my allotted space is limited, and I was having to identify and delete (and trying to block) spam manually.

I now have no need to leave messages on my ISP’s server and I can let Outlook handle this, but I must know:
Is there no “silver bullet” within the header info? No way to tell and block the REAL domain other than the obvious “bandghellogorgeous.info” and “thorndyketutoyer.cam”?

In other words, is it possible to determine where this crap is REALLY coming from?

On preview, Melbourne’s info is interesting. If you could remember the company that offered the add-in, I would appreciate that.

Also, thanks to both Shagnasty and Melbourne for your advice. This is helping.

This spam problem is a minor irritation at most, but I am still curious. The domains these messages are coming from seem to be completely random and fictional. “deviousnessexpressional.cam” and “dodecaphonystoreroom.cam” and “haemophiliabdominous.cam”?

How are these domains generated? Any way to tell?
It seems that there is a random domain generator for this.

No way to tell who is generating it?

I can deal with this spam according to the excellent advice already offered, but now I would like to be educated on how this works.

The spambot that sends the mail probably includes a domain name generator based on concatenating words picked from a list at random. For the most part, the ‘from’ address in emails is not validated - a program that can send mail can put anything it likes in there. I guess they’re randomising it to make it harder to filter.

How it works:
Email is a really old, mostly insecure system. All but the best-configured email systems are too trustworthy, meaning when mail server A tells mail server B “Hey, I’m actually mail server C… just believe me! And this message is totally legit!”, it’s up to mail server B to verify all that and many servers/ISPs don’t do a good job at that. Look up “SPF” and “DKIM” and the such if this really interests you, but it’s boring to read and haphazardly implemented anyway.

Basically you can trust the headers from your ISP near the top, after the final relay, but the ones before that could’ve been faked by the 94.155.163.63 mail server, which is actually associated with the “services.penciltechgarment.com” domain name – could be a fake, or just a poorly-configured “open relay” mail server that’s being exploited by spammers. Or any PC could become a mail server if the right malware gets on it.

Long story short, most mail is super unreliable, especially those from small email providers.


For the best spam and phishing protection that I’d ever seen, I would very, very strongly recommend using Gmail (free) or Google Apps for Work email ($5/mo, custom domain name). You don’t have to use a new address, even: You can set up Gmail to both receive and send from your current email address. And if you don’t like the Gmail interface, you can then set Outlook up to check your Gmail inbox, AFTER it’s received and filtered your actual email inbox.

Your recipients would know no better, you can still use whatever mail client you want, and you’d get a lot less spam and phishing.

It’s the same logic as the rest of this thread has mentioned, except on a MUCH bigger scale – Gmail processes about half of the world’s cloud-based email and they use that to create very, very effective spam filters that you as an individual can never match, and that still far exceeds any other cooperative effort I’ve come across so far. YMMV, of course, but I’m willing to bet money you’ll not find a better spam solution.
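The two replies above make the same point from different angles: the From address, the Return-Path and the HELO name are all chosen by the spammer, and the only thing they cannot forge is the IP address that actually connected to your own provider's server. Here is an added example (not code from any poster in this thread) that pulls that IP out of the header block posted in the question. The sample is the posted header with the poster's ".com" to ".cam" substitution kept and the unrelated X- lines dropped, re-folded with indented continuation lines so Python's email parser reads it. The trusted domain suffix (windstream.net) is an assumption taken from the post; the DNSBL zone name is only used to build the standard reversed-octet lookup name, the code does no network query.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Header block from the original post (".cam" kept as the poster wrote it),
# re-folded with leading whitespace on continuation lines; X- headers omitted.
SAMPLE_HEADERS = """\
Return-Path: <hlohnmauaqbvppblpvr@lcbfjlwvm.gcjbr.reallycoolstuffstore.info>
Received: from pacmmta07.windstream.net ([10.135.134.12])
    by pamxfep04-srv.windstream.net with ESMTP
    id <20151203190318.MWGS26703.pamxfep04-srv.windstream.net@pacmmta07.windstream.net>
    for <MYADDRESS@windstream.net>;
    Thu, 3 Dec 2015 14:03:18 -0500
Received: from fmubjdsmg.cam ([94.155.163.63])
    by pacmmta07.windstream.net with pacmmta07
    id p6Ul1r06f1NNzfA016Unqc; Thu, 03 Dec 2015 14:00:25 -0500
X-Cloudmark-Score: 0.00
From: "Medicare Plans" <hlohnmauaqbvppblpvr@lcbfjlwvm.gcjbr.reallycoolstuffstore.info>
Subject: Browse TOP Medicare Plans - AARP, Humana, Kaiser, BlueCross & More!
Date: Thu, 3 Dec 2015 14:03:18 -0500

"""

# "from <HELO name> ([<ip>]) by <receiving host>"; \s+ tolerates header folding.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)"
)


def find_origin(raw_headers, trusted_suffix):
    """Walk Received lines newest-first (top of the header is the last hop) and
    return the first hop where one of *our* provider's servers accepted the mail
    from a public, non-provider IP. Every Received line below that hop was
    written by the sender's side and may be forged; it is not evidence of anything."""
    msg = email.message_from_string(raw_headers)
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(received)
        if not m:
            continue
        helo, ip, by = m.group("helo"), m.group("ip"), m.group("by")
        if not by.endswith(trusted_suffix):
            break  # left our provider's servers without finding the handoff
        if ipaddress.ip_address(ip).is_private or helo.endswith(trusted_suffix):
            continue  # internal handoff between the provider's own machines
        return {"helo": helo, "ip": ip, "by": by}
    return None


def sender_domains(raw_headers):
    """Domains the sender *claims*: the From header and the Return-Path envelope sender."""
    msg = email.message_from_string(raw_headers)
    return {
        name: parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()
        for name in ("From", "Return-Path")
    }


def dnsbl_query_name(ip, zone):
    """Standard DNS blocklist lookup name: IPv4 octets reversed, then the list zone.
    Only builds the name; resolving it would be a live DNS query, not done here."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    origin = find_origin(SAMPLE_HEADERS, "windstream.net")
    print("connecting IP   :", origin["ip"])           # the one fact the spammer cannot forge
    print("HELO name       :", origin["helo"])         # chosen by the sender, unverified
    print("claimed domains :", sender_domains(SAMPLE_HEADERS))
    print("DNSBL query     :", dnsbl_query_name(origin["ip"], "zen.spamhaus.org"))
```

Run against the posted sample this prints 94.155.163.63 as the connecting IP, a HELO name (fmubjdsmg.cam) that matches neither the From domain nor the Return-Path, and the lookup name 63.163.155.94.zen.spamhaus.org. The connecting IP is the item worth reporting or feeding into a reputation list; the randomised domains are throwaway and blocking them one at a time, as the question describes, will never catch up. When there is no hop from a trusted server, as when mail was fetched through a forwarder that rewrote the headers, the function returns None rather than guessing.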

All good advice. Thanks, folks!

If you go the Gmail route, check your spam folder every week or so until you are satisfied the filtering is working correctly; Gmail is great at making sure spam doesn’t reach your inbox, but it can be over-aggressive in filtering out group emails (family reunion planning, company-wide messages), newsletters, newsgroups (if you still use those), and some types of messages from companies (especially the “check out this bargain” or “look at our new gizmo” type messages - which could certainly be considered spam…). You may need to manually whitelist some senders or keywords to make sure you get those messages.

If you are getting a lot of spam, you could consider changing your email address, and making sure it’s never posted anywhere potentially visible to the web (such as comments sections, “sign up for updates” from smaller companies or bands/artists/writers, etc). That will cut it down to spammers who use random attempts to guess email addresses, at least until they scrape your new address off of some inadequately secured server somewhere. Or you could have an address for “important stuff” that you only use in secured contexts and one for “casual stuff” that you set to autodelete unread mail after a month or something.