EmailDiscussions.com  

Old 14 May 2012, 11:50 PM   #1
danaspiegel
Junior Member
 
Join Date: Nov 2006
Posts: 6
Seeing larger volume of spam email in my FM.com inbox

Over the past few weeks, I've seen a significant uptick in the # of spam emails that are delivered to my inbox. I'm not sure what changed (if anything), but I'm curious if other FM.com users have seen the same.

For FM.com admins, here's one set of email headers (my email has been removed). Perhaps there's something that can be done? If you want more headers from the spam emails I'm getting in my inbox, please let me know…

Code:
Return-Path: <aundria@be-advance.com>
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43])
	 by sloti16d2p1 (Cyrus git2.5+0-git-fastmail-8108) with LMTPA;
	 Mon, 14 May 2012 10:38:29 -0400
X-Sieve: CMU Sieve 2.4
X-Spam-score: 3.0
X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.5, RDNS_NONE 0.793, BAYES_USED user,
  SA_VERSION 3.3.1
X-Spam-source: IP='66.197.166.228', Host='noreverse', Country='US', FromHeader='com',
  MailFrom='com'
X-Spam-charsets: plain='us-ascii'
X-Resolved-to: XXXX@XXXXXXXXXXXX.XXX
X-Delivered-to: XXXX@XXXXXXXXXXXX.XXX
X-Mail-from: aundria@be-advance.com
Received: from mx1.nyi.mail.srv.osa ([10.202.2.200])
  by compute3.internal (LMTPProxy); Mon, 14 May 2012 10:38:29 -0400
Received: from smtp.be-advance.com (unknown [66.197.166.228])
	by mx1.messagingengine.com (Postfix) with ESMTP id 5F2904C01C1
	for <XXXX@XXXXXXXXXXXX.XXX>; Mon, 14 May 2012 10:38:28 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=be-advance.com;
 h=Mime-Version:To:From:Message-ID:Date:Subject:Content-Type:Content-Transfer-Encoding; i=aundria@be-advance.com;
 bh=4EMA329ctE3Bfam15Gzfd2exa/g=;
 b=USKL55S9lYs96wAI1TGtqUxudGnYJdiBHubhwIJxeHtX+3sZ0jBS/L1koyApBEIcg5Q/5d2KIvUF
   zVcPNgCbqvzF6fZ1YfDQqkkG6prZJprykQJqJ+gwdw7QVGmpkFMULPS1qSCZDC+Sg/+kLfX3v2FT
   CqC/238QrGoCOvgb9LA=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=be-advance.com;
 b=Zm4u+UjgLpN9n2Vc0jUq9ftMzICxDUCWTPevn6x1545vDRHyOjTh/6n2x/UCdnHmbTg96AsF76FY
   nnTYfDycUdLtl4E2Hht7GG4SchXpPOWIOCcga0OLJEM90VbMR2ODtajPEhT3tnKd20lWts4gHnpA
   FEiHXo/2m7hGnpBDxGM=;
Mime-Version: 1.0
To: <XXXX@XXXXXXXXXXXX.XXX>
From: "May Checkup" <aundria@be-advance.com>
Message-ID: <5864777029007083027.465bd5945494cda7659969899aaa8e7f.1365438059@smtp.be-advance.com>
Date: Mon, 14 May 2012 10:07:58 -0400
Subject: These are your changes for May 14th
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-Truedomain-Domain: be-advance.com
X-Truedomain-SPF: Pass
X-Truedomain-DKIM: Pass
X-Truedomain-ID: F1548207E12853C0F94312E2BB88AB3A
X-Truedomain: Neutral
danaspiegel is offline   Reply With Quote

Old 15 May 2012, 10:51 AM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
To reduce confusion, I want to point out that the domain "fm.com" is not associated with Fastmail. I think you meant "Fastmail", which uses many different domains (such as fastmail.fm).
  • The message you posted has several characteristics which indicate that it might be spam.
  • On the message you listed, the X-Spam-score is 3.0. This is the spam score created by the SpamAssassin classification system.
    • If you use the Normal spam protection level (on the Options>Spam/Virus Protection screen), messages must have an X-Spam-score of 5.0 or greater to be moved to the Junk Mail folder.
    • You can change the spam protection level to Custom and set the spam threshold as you wish. If you set the spam filing threshold to 2.0 for example, the email you posted would be classified as spam. But you need to use Address book whitelisting (described below) to be sure that good messages are not classified as spam.
  • The spam score is made up of several components listed in the X-Spam-hits header.
    • BAYES... -- These headers show that you are using the per-user Bayes filtering. If you classify messages you don't like as spam repeatedly (or if they are filed into the Junk Mail folder by the spam filter), then the BAYES score will increase.
    • DCC_Check -- This means that the message has spam-like characteristics as defined in the Distributed Checksum Clearinghouse listings.
    • RDNS_NONE -- This means that the message was sent from a server with no reverse DNS. This is one possible indicator of spam.
  • Address book whitelisting: If you want to force messages from other (non-spam) senders to be classified as non-spam, simply add the sender to your online Fastmail address book (when logged into the web interface).
    • When you read an email in the web interface, you will see the [Add] link adjacent to the From address.
    • Click [Add]
    • In the Add to address book screen, be sure that the checkbox at the left of the email address is checked. Edit the name and company if you wish, and change the address book group in the upper right corner if you wish.
    • Then click the +Update Address Book button. This will add the From address from that email to your online address book, and keep such messages from being classified as spam.
  • The domain of the From address in the email was created on April 30, 2012. So it's a new spammer domain, and the message was created with SPF and DKIM which pass. So it's a reasonably sophisticated spam message. The sender IP is only on 3 of 53 common spam databases, so it has not been seen very often by spam classification systems.
  • All of this means that some more sophisticated spammers are sending messages to your email address. The reason you see more spam isn't anything going on at Fastmail, it's just some ingenious spammers sending a few messages (not enough to get them classified as spam by all services).
  • So I suggest that you do what I do:
    • Lower your spam filing threshold.
    • Use Address Book whitelisting so that good messages are not classified as spam.
    • Be sure that you report as many spam as possible as spam, and also report good messages as non-spam. This will keep your user Bayes filter trained on common spam, but won't help for random smart spammers.
    • Remember that it is impossible to remove all spam. If you keep getting spam with common characteristics (such as certain subject or body words or sender domain or IP), you can reject them or file them into your Junk Mail folder using the rules system.
    • But in some cases, you have to use the same procedure as you probably use for your snail mail: Manually throw away the spam mail after looking through your mail. You can reduce spam which is obvious or repeats many times, but you can't do much about the random spam message which passes most tests.
Bill
n5bb is offline   Reply With Quote
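
As an added example (not part of the original posts and not Fastmail's own code), this Python sketch parses the X-Spam-score and X-Spam-hits headers in the format shown in this thread, sums the per-rule points, and reports where a message would be filed at the Normal threshold of 5.0 versus the custom threshold of 2.0 described above. The function names are hypothetical, and truncating the sum to one decimal is an assumption inferred from the two embedded samples.

```python
import email
import math

# Constructed input: the X-Spam-* lines are copied from two of the messages
# posted in this thread; every other header is omitted.
SAMPLES = {
    "msg1": (
        "X-Spam-score: 3.0\n"
        "X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.5, RDNS_NONE 0.793, BAYES_USED user,\n"
        "  SA_VERSION 3.3.1\n\n"
    ),
    "msg4": (
        "X-Spam-score: 7.2\n"
        "X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.5, HTML_IMAGE_RATIO_06 0.001, HTML_MESSAGE 0.001,\n"
        "  LOTS_OF_MONEY 0.001, MIME_HTML_ONLY 0.723, RCVD_IN_BRBL_LASTEXT 1.449,\n"
        "  RCVD_IN_INVALUEMENT24 2, RDNS_NONE 0.793, T_REMOTE_IMAGE 0.01,\n"
        "  BAYES_USED user, SA_VERSION 3.3.1\n\n"
    ),
}
NORMAL_THRESHOLD = 5.0  # "Normal" protection level named in the post
CUSTOM_THRESHOLD = 2.0  # the post's example of a custom threshold


def parse_spam_headers(raw):
    """Return (header_score, {rule: points}, {tag: text}) for one message."""
    msg = email.message_from_string(raw)
    score = float(msg["X-Spam-score"])
    rules, info = {}, {}
    # Folded continuation lines keep their newline; strip() removes it per item.
    for item in msg["X-Spam-hits"].split(","):
        name, _, value = item.strip().partition(" ")
        if not name:
            continue
        try:
            rules[name] = float(value)
        except ValueError:
            info[name] = value  # non-scoring tags: BAYES_USED, SA_VERSION
    return score, rules, info


def summed_score(rules):
    """Sum rule points, truncated to one decimal (assumption, see lead-in)."""
    return math.floor(sum(rules.values()) * 10) / 10


def folder_for(raw, threshold):
    """Folder the message lands in when filed at the given threshold."""
    score, _, _ = parse_spam_headers(raw)
    return "Junk Mail" if score >= threshold else "Inbox"


def top_rules(raw, n=3):
    """The n rules that contributed the most points."""
    _, rules, _ = parse_spam_headers(raw)
    return sorted(rules.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        score, rules, _ = parse_spam_headers(raw)
        print(label, score, summed_score(rules), folder_for(raw, NORMAL_THRESHOLD),
              folder_for(raw, CUSTOM_THRESHOLD), top_rules(raw, 2))
```

Sorting by contribution shows that the first message scored only on the Bayes, DCC and reverse-DNS rules, while the blocklist rules are what pushed the later one past 5.0.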
Old 16 May 2012, 12:49 AM   #3
danaspiegel
Junior Member
 
Join Date: Nov 2006
Posts: 6
@n5bb,

I thought I was being obvious, but on second read, I see where I wasn't when I wrote "FM.com". My spam issue is happening on my Fastmail.fm account specifically.

One thing of particular note is that over the past few weeks, in addition to seeing the spam message above make it into my Inbox, I've seen a significant increase in spam delivered to my Junk Mail box. You can say that it's correct for this email to be delivered there, and I agree, but a month or so ago I used to get almost 0 messages in my Junk Mail folder on Fastmail.fm. Now I get 40 a day. That's a big jump.

It's not that it's a problem to clean out the Junk Mail box or even to delete the occasional spam message delivered to my Inbox. Doing those things is fine (up to a point). The question is *WHY* was there a significant change very abruptly a few weeks ago? I don't believe I changed any Fastmail.fm settings, and I don't believe my email is any more available on the internet (though of course Fastmail.fm should be able to block most spam mail in that case anyway).

The question is what happened (if anything), and can I do anything about it?
danaspiegel is offline   Reply With Quote
Old 16 May 2012, 12:53 AM   #4
danaspiegel
Junior Member
 
Join Date: Nov 2006
Posts: 6
Here are some more headers from the Spam messages:

Code:
Return-Path: <Julia@mx1c40.zendengine.com>
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43])
	 by sloti16d2p1 (Cyrus git2.5+0-git-fastmail-8118) with LMTPA;
	 Tue, 15 May 2012 11:07:37 -0400
X-Sieve: CMU Sieve 2.4
Subject: {SPAM 09.0} We need you to confirm your changes for May 15
X-Spam: high
X-Spam-score: 9.0
X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.5, RCVD_IN_INVALUEMENT 2,
  RCVD_IN_INVALUEMENT24 2, RDNS_NONE 0.793, URIBL_INVALUEMENT 2,
  BAYES_USED user, SA_VERSION 3.3.1
X-Spam-source: IP='66.197.166.234', Host='noreverse', Country='US', FromHeader='com',
  MailFrom='com'
X-Spam-charsets: plain='us-ascii'
X-Resolved-to: XXXXXXXXX@fastmail.fm
X-Delivered-to: xxxxxxx@xxxxxxxx.xxx
X-Mail-from: Julia@mx1c40.zendengine.com
Received: from mx2.nyi.mail.srv.osa ([10.202.2.201])
  by compute3.internal (LMTPProxy); Tue, 15 May 2012 11:07:37 -0400
Received: from mx1c40.zendengine.com (unknown [66.197.166.234])
	by mx2.messagingengine.com (Postfix) with ESMTP id 230C97601D9
	for <xxxxxxx@xxxxxxxx.xxx>; Tue, 15 May 2012 11:07:35 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=zendengine.com;
 h=Date:To:Subject:Message-ID:From:Mime-Version:Content-Type:Content-Transfer-Encoding; i=Julia@mx1c40.zendengine.com;
 bh=ITWJAlthopUd63tZquYsROyvFo4=;
 b=r+kKrank40wJbc2vLBFpm9Ffi+U7AZQ1BXBAO9SlbjMH3TUnd+l8hMAHZo5yUe2pj6O5Dmh7qjGt
   bvqt4bDhWWI0EpzEy4pjvh9uF5VXco93N4TlvFpF8gaBfANus+OkW1nXTVrCAD4bFx3cTo+IQsQ5
   z4ctyoY3TN2se3aCXfg=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=zendengine.com;
 b=mC6ea4tUmYyH1yuADvCOc5KLH5eNPaKPJSQLpwcV/FthWcUlMAToBhx3zgSnub6jyQ5qREc7cG9O
   yaeEfce52ekHF/iTXHAKteoAQRygMWMc5KiKLOtuwJtVBZrAVKzjF1s9XtVudA8oLuY2ILt/5KUs
   LVR3zR9YVZT666/IVII=;
Date: Tue, 15 May 2012 11:03:29 -0400
To: <xxxxxxx@xxxxxxxx.xxx>
X-Spam-orig-subject: We need you to confirm your changes for May 15
Message-ID: <2091611962@mx1c40.zendengine.com>
From: "Verify Updates" <Julia@mx1c40.zendengine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-Truedomain-Domain: zendengine.com
X-Truedomain-SPF: No Record
X-Truedomain-DKIM: Pass
X-Truedomain-ID: EFF4987E5AB7EC1BE281E9FE46ED8CDF
X-Truedomain: Neutral

Code:
Return-Path: <huntinfo@caribtf.org>
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43])
	 by sloti16d2p1 (Cyrus git2.5+0-git-fastmail-8118) with LMTPA;
	 Tue, 15 May 2012 09:21:03 -0400
X-Sieve: CMU Sieve 2.4
Subject: {SPAM 06.0} loan status: 05/15/2012
X-Spam: spam
X-Spam-score: 6.0
X-Spam-hits: BAYES_50 0.8, DECEASED_NO_ML 0.001, RCVD_IN_BRBL_LASTEXT 1.449,
  RDNS_NONE 0.793, URIBL_DBL_SPAM 3, BAYES_USED user, SA_VERSION 3.3.1
X-Spam-source: IP='208.98.1.43', Host='noreverse', Country='US', FromHeader='org',
  MailFrom='org'
X-Spam-charsets: plain='us-ascii'
X-Resolved-to: XXXXXXXXX@fastmail.fm
X-Delivered-to: xxxxxxx@xxxxxxxx.xxx
X-Mail-from: huntinfo@caribtf.org
Received: from mx4.nyi.mail.srv.osa ([10.202.2.203])
  by compute3.internal (LMTPProxy); Tue, 15 May 2012 09:21:03 -0400
Received: from remote.caribtf.org (unknown [208.98.1.43])
	by mx4.messagingengine.com (Postfix) with ESMTP id 0B46E180DFB
	for <xxxxxxx@xxxxxxxx.xxx>; Tue, 15 May 2012 09:21:02 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=caribtf.org;
 h=Date:From:Mime-Version:Message-ID:To:Subject:Content-Type:Content-Transfer-Encoding; i=huntinfo@caribtf.org;
 bh=TqhkrL/a3BncrwLJsqp5wCxq3bU=;
 b=m5LqW06Uq7oTWN5ejcToJP4Iq18ILtK2z0U6bSHb5BPp+uPybS3J2I0wCndAMis/UkZ0HwRterjy
   8ipFiw/Sbfpowk3Y5k6vbEf4s2gIg2+Xg6gb8Y6GKk4unJIUw1/MsqaLzU8lwOy+kMNcmkiNoTcU
   izP1r9wlS9AsC3g0gMc=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=caribtf.org;
 b=r/q3kAI32FJXKhHq8nHgbVP6MloIO6oyOPncVjx5G5brqlEeH8tc2SnzL5NlFDsRS2zQplB2SKTU
   eK+LePTRYFcgDBNRgAAuuDawX+VgxVrXp83wqnhoLpOechj4UsEM1otIFz/sg+ZkyyaN2Yd5cE+R
   Zrre5CFVQC4CeZcImZ8=;
Date: Tue, 15 May 2012 09:11:34 -0400
From: "CHECK-ADVANCES" <huntinfo@caribtf.org>
Mime-Version: 1.0
Message-ID: <1630799539148511130@remote.caribtf.org>
To: <xxxxxxx@xxxxxxxx.xxx>
X-Spam-orig-subject: loan status: 05/15/2012
X-Mailer: 4254_9C9154723296
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-Truedomain-Domain: caribtf.org
X-Truedomain-SPF: Pass
X-Truedomain-DKIM: Pass
X-Truedomain-ID: 0379C481F73F41D1180E860AB3F33988
X-Truedomain: Neutral

Code:
Return-Path: <Amelia@thedayfly.com>
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43])
	 by sloti16d2p1 (Cyrus git2.5+0-git-fastmail-8108) with LMTPA;
	 Mon, 14 May 2012 17:33:58 -0400
X-Sieve: CMU Sieve 2.4
Subject: {SPAM 07.2} These Status changes are for Monday, The 14th
X-Spam: spam
X-Spam-score: 7.2
X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.5, HTML_IMAGE_RATIO_06 0.001, HTML_MESSAGE 0.001,
  LOTS_OF_MONEY 0.001, MIME_HTML_ONLY 0.723, RCVD_IN_BRBL_LASTEXT 1.449,
  RCVD_IN_INVALUEMENT24 2, RDNS_NONE 0.793, T_REMOTE_IMAGE 0.01,
  BAYES_USED user, SA_VERSION 3.3.1
X-Spam-source: IP='173.212.209.12', Host='noreverse', Country='US', FromHeader='com',
  MailFrom='com'
X-Spam-charsets: html='us-ascii'
X-Resolved-to: XXXXXXXXX@fastmail.fm
X-Delivered-to: xxxxxxx@xxxxxxxx.xxx
X-Mail-from: Amelia@thedayfly.com
Received: from mx3.nyi.mail.srv.osa ([10.202.2.202])
  by compute3.internal (LMTPProxy); Mon, 14 May 2012 17:33:58 -0400
Received: from a.thedayfly.com (unknown [173.212.209.12])
	by mx3.messagingengine.com (Postfix) with ESMTP id 9B63C4C27DB
	for <xxxxxxx@xxxxxxxx.xxx>; Mon, 14 May 2012 17:33:57 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=thedayfly.com;
 h=Subject:Mime-Version:Message-ID:From:To:Date:Content-Type:Content-Transfer-Encoding; i=Amelia@thedayfly.com;
 bh=u3vuMS6dQPXGbAXwf6wi9hGv6h8=;
 b=lViBUc6i5uXaf1Sb8c8AurrgL79D4IbGepjaY6XU8Tx6Ojf6d5bemu0uQ8GHuu2wdTXJQ1CtfhBw
   uS6dpXITqxYrDPCZepYbG/u1lVxO1D6QD8lCUqT6FlRQB9DhTcwtBwQ7G1XOvy4jJujS1ymVPQs3
   5HYts+5dKXyGYRAk9IM=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=thedayfly.com;
 b=Kf2cxTmAtMbiDVk6SQMSvgFWSropHAkW05OGzgSJi1x3CVHae7l0Ak8U+z5InMx9T+RSqYsZ/pDA
   f5YcrqcX4IyJcbkJQ3rvVFjDFfurPozJm7/3PUJHHFGUPulsNF3Owq33ErITti4CsiLJzA1Ht2Pl
   vG6lva3JjbtjI4enIrs=;
X-Spam-orig-subject: These Status changes are for Monday, The 14th
Mime-Version: 1.0
Message-ID: <6431079251095800255.2121668616.JavaMail.java@a.thedayfly.com>
From: "Mondays Overview" <Amelia@thedayfly.com>
To: <xxxxxxx@xxxxxxxx.xxx>
Date: Mon, 14 May 2012 17:33:49 -0400
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-Truedomain-Domain: thedayfly.com
X-Truedomain-SPF: Pass
X-Truedomain-DKIM: Pass
X-Truedomain-ID: 4B64523D173846C51CA5C6DDA9FE0CE5
X-Truedomain: Neutral
danaspiegel is offline   Reply With Quote
Old 17 May 2012, 10:47 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
I don't think anything unusual is happening with your account. Those last three messages were given a high spam score and should have been filed in your Junk Mail folder. Sending spam is a criminal enterprise, and I don't think we have a very good understanding of exactly how spammers operate. In some cases, one spammer may be running botnets (networks of zombie infected computers) and your email address might have been on the same list which was used for several spam campaigns by one spammer over a few weeks.

If you respond to one of these (such as by sending a rejection message back to the spammer), they might send you many more such messages, since they then know your address is working for them. Some spam is sent to pseudorandom possible addresses (dictionary attacks), while others seem to be on huge lists the spammers build up from various sources. Remember that they may keep these email address lists for many years. It often costs them very little or nothing to send the spam, since they can use hijacked computers infected with viruses or temporary servers which spew spam for a day or two before they are effectively blocked.

If I disable my spam filter discard feature, I usually receive roughly 1 to 4 spam messages per hour. So proper setup of the spam filtering is very important to me. When properly set up, I get a couple of spam in my Junk Mail folder a day, and occasionally an undesired message appears in my Inbox. But remember that for each spam message in your Junk Mail folder, there are several times as many discarded by Fastmail due to their insecure sender rejection. You will never see the vast majority of the spam addressed to you but rejected before arriving at your spam filter.

Bill
n5bb is offline   Reply With Quote


All times are GMT +9. The time now is 10:19 PM.

 
