Spam Filtering Change

     The majority of spam filters here put spam in a folder named “spam” rather than rejecting it outright.

     However, there are two types of spam that I block manually when discovered: viruses and phishing scams.  By viruses I mean computer viruses of various kinds, especially ransomware.  When I find that a server is infected, I block mail from that server until there is some indication that the problem has been fixed.  The same is true of phishing scams, where people use social engineering to try to get your authentication information for this site or elsewhere.

     There are a few really bad players in this area; an outfit called Sendgrid is the absolute worst.  I have had more than 30 of their servers blocked for ongoing malicious content, I’ve never gotten a response from them beyond a form letter, and I’ve never seen the abuse actually stop.  Unfortunately, they are also used by major corporations to contact their customers.  Therefore, I try to be very selective about which servers I block and limit blocks to clearly infected servers, but occasionally I get overly broad.  These actions are also manual, which makes them less effective than they could be, because often the scammer or spammer has already dumped his entire list by the time I notice and take action.

     Yesterday I made a significant change in the way this is handled.  I am no longer blocking servers and address space manually.  Instead, I have created a fail2ban jail that recognizes many of these things, as well as patterns such as a large number of mails sent to non-existent addresses, mail forged as being from here but actually arriving from external sources, etc., and I’m now using it to block these servers.

     After the first night with this in place, my spambox had about one third as much spam as it did previously.  I believe this is because it acts much faster than I could manually.  An additional plus is that less legitimate mail will be blocked: this is ALWAYS done on a per-server basis, never on entire address blocks as I often did for some bad players, and the blocks are automatically removed after two days, although if the abuse is repeated from the same server, it will be blocked for a longer period.
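     As an added illustration, and not the author's actual jail (the post does not publish it), the following Python model shows what such a jail does: two failregex patterns in fail2ban's own syntax for Postfix smtpd rejects (mail to unknown local recipients, and a sender forged as local on a connection arriving from outside), run over constructed log lines, with a ban policy of three hits within ten minutes, a two-day ban, and a doubling ban length on each repeat, which is how fail2ban's bantime.increment behaves.  The IP addresses, the log lines, the regex text and the "forged local sender" reject message are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two failregex patterns in fail2ban's syntax.  <HOST> is the single IP that
# gets banned; nothing wider than one address is ever matched.  The "forged
# local sender" text is assumed to be the reject message of a
# check_sender_access rule on the receiving Postfix (adapt it to your own).
FAILREGEX = [
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 <[^>]*>: "
    r"Recipient address rejected: User unknown",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 <[^>]*>: "
    r"Sender address rejected: forged local sender",
]

def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does, simplified to a plain IP token."""
    return re.compile(pattern.replace("<HOST>", r"(?P<host>[0-9a-fA-F.:]+)"))

COMPILED = [compile_failregex(p) for p in FAILREGEX]

def parse_line(line):
    """Return (timestamp, host) if the line matches any failregex, else None.
    Syslog timestamps carry no year; a fixed year is fine for relative math."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group("host")
    return None

class Jail:
    """Mimics maxretry/findtime/bantime with bantime.increment: the first ban
    lasts `bantime`, and each repeat ban of the same host doubles it."""

    def __init__(self, maxretry=3, findtime=600, bantime=2 * 86400):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)   # host -> recent failure timestamps
        self.ban_count = defaultdict(int)   # host -> bans issued so far
        self.banned_until = {}              # host -> ban expiry

    def observe(self, ts, host):
        """Record one failure; return the ban length in seconds if it triggers a ban."""
        # A banned host is dropped at the firewall and produces no new log
        # lines, so anything that would fall inside its ban window is ignored.
        if host in self.banned_until and ts < self.banned_until[host]:
            return None
        recent = [t for t in self.failures[host]
                  if ts - t <= timedelta(seconds=self.findtime)]
        recent.append(ts)
        if len(recent) < self.maxretry:
            self.failures[host] = recent
            return None
        duration = self.bantime * (2 ** self.ban_count[host])
        self.ban_count[host] += 1
        self.banned_until[host] = ts + timedelta(seconds=duration)
        self.failures[host] = []
        return duration

def run_jail(log_text):
    """Feed a log through the jail; return {host: [ban lengths issued, in order]}."""
    jail, bans = Jail(), defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        duration = jail.observe(*hit)
        if duration is not None:
            bans[hit[1]].append(duration)
    return dict(bans)

# Constructed Postfix log lines (not from the original post).  203.0.113.5
# sprays non-existent recipients, goes quiet for two days, then returns;
# 198.51.100.9 forges a local sender on mail arriving from outside;
# 192.0.2.20 is one stale alias on a partner's list and must not be banned.
SAMPLE_LOG = """\
Oct  3 02:14:17 mx postfix/smtpd[1204]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@spam.invalid> to=<alice@example.org> proto=ESMTP helo=<mail.spam.invalid>
Oct  3 02:14:18 mx postfix/smtpd[1204]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@spam.invalid> to=<bob@example.org> proto=ESMTP helo=<mail.spam.invalid>
Oct  3 02:14:19 mx postfix/smtpd[1204]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@spam.invalid> to=<carol@example.org> proto=ESMTP helo=<mail.spam.invalid>
Oct  3 02:20:02 mx postfix/smtpd[1210]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <admin@example.org>: Sender address rejected: forged local sender; from=<admin@example.org> to=<dave@example.org> proto=ESMTP helo=<win-desktop>
Oct  3 02:20:03 mx postfix/smtpd[1210]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <admin@example.org>: Sender address rejected: forged local sender; from=<admin@example.org> to=<erin@example.org> proto=ESMTP helo=<win-desktop>
Oct  3 02:20:04 mx postfix/smtpd[1210]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <admin@example.org>: Sender address rejected: forged local sender; from=<admin@example.org> to=<frank@example.org> proto=ESMTP helo=<win-desktop>
Oct  3 02:31:40 mx postfix/smtpd[1222]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.20]: 550 5.1.1 <old-alias@example.org>: Recipient address rejected: User unknown in local recipient table; from=<news@partner.example> to=<old-alias@example.org> proto=ESMTP helo=<mail.partner.example>
Oct  5 03:00:01 mx postfix/smtpd[1301]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <gina@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@spam.invalid> to=<gina@example.org> proto=ESMTP helo=<mail.spam.invalid>
Oct  5 03:00:02 mx postfix/smtpd[1301]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <hank@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@spam.invalid> to=<hank@example.org> proto=ESMTP helo=<mail.spam.invalid>
Oct  5 03:00:03 mx postfix/smtpd[1301]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <ivy@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@spam.invalid> to=<ivy@example.org> proto=ESMTP helo=<mail.spam.invalid>
"""

if __name__ == "__main__":
    for host, durations in run_jail(SAMPLE_LOG).items():
        print(host, [d // 86400 for d in durations], "day(s)")
```

     Run against the constructed log, the repeat offender 203.0.113.5 is banned for two days and then, on its return, for four; 198.51.100.9 is banned once for two days; the partner server with a single stale alias is never touched.  In a real deployment the two patterns go in a filter.d file and the policy in jail.local (fail2ban 0.10 or later) as maxretry = 3, findtime = 10m, bantime = 2d and bantime.increment = true; banning only the <HOST> that smtpd logged, rather than a CIDR block, is what limits the collateral damage to a single server.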