Protection against subscription bomb

AirForLife

Member
Mar 21, 2019
Hello,
I currently have a few users who are targeted with subscription bombs.
Initially they received over 1000 subscription requests/confirmations on the first day.
Since then, the mailboxes receive over 100 various emails from various legitimate websites/servers every day with subscribed content.

Does anyone have experience with protecting against it?

The problem is that most of the emails are legitimate, and they pass spam filters easily. A good part of the email comes from Amazon servers or Mailchimp, for example, so blocking it by IP is not reasonable, as good mail flow will also be affected.

Also, some emails are coming from bad-quality websites which have a one-click subscribe feature, and the email doesn't even include unsubscribe headers or a URL in the email itself. That makes collecting a bunch of emails and feeding them to unsubscribe services also not effective.

My last idea is to block all senders by their sender email addresses.
Is there an easy way to create an Object list with mass records instead of putting them in one by one?

Also, bouncing/rejecting those emails would be useful, as blocking them (accepting and then dropping) without any response would assume we do love that spam and want to receive it further ...

Some paid antispam services do have qualifiers for email flow, so they can mark most of that email as marketing/newsletter email. But I'm not sure if Proxmox has any of that capability.
 
* Could you provide some (anonymized) examples of such mails?
* Also, the mail.log from while these mails are accepted would be helpful.
* Have you configured some DNSBL sites? (for the mailproxy)

Please also provide an overview of your configuration (which options you have activated in the spamdetector, etc.).

Thanks!
 

Overview - the attacker scans various websites for unprotected one-click e-mail subscription forms.
He collects 1000 of those sites (for example: http://harmonyacupuncturemilwaukee.com/ or https://bongino.com/ ).
Then he adds your email addresses to some script that instantly subscribes them to all these valid website newsletters.
The context of the newsletters varies: one could be from a blog site, including a selfie and saying hello; another could be an e-shop newsletter with new offers.

So to think that all this email should be qualified by Proxmox as spam would be a false idea, and it needs another approach.

A better description of subscription bombs can be found here: https://support.symantec.com/en_US/article.TECH248142.html

Proxmox and its protection against spam is working great for us; we use DNSBL, which blocks over 70% of bad connections.
We have all options turned on in the Spam Detector, and it also works great at qualifying bad emails as SPAM.

To rephrase my question:

1. Is it possible to somehow identify that kind of email as newsletters/marketing emails and configure specific rules with them further?
2. Is it possible to modify/add Objects to the Object list (for example, email addresses) not one by one in the GUI, but in bulk - by copy-paste? Or at least feed them through the console from a file?
3. If anyone has experience with subscription bombs and protecting against them, feedback would be appreciated.
 
1. Is it possible to somehow identify that kind of email as newsletters/marketing emails and configure specific rules with them further?
* For this we need to find common things in those e-mails - hence the question for a few sample mails.
* From what I gather, the only common thing in that kind of spam is the recipient (and blocking those is not what you want ..)
* If there is a certain header which occurs in those mails (and not in others), you can create a rule with a 'match field' what object to catch them.

2. Is it possible to modify/add Objects to the Object list (for example, email addresses) not one by one in the GUI, but in bulk - by copy-paste? Or at least feed them through the console from a file?
Yes - you can use `pmgsh` for this - e.g. you create a new 'Who Object' in the GUI - find out its ID with:
Code:
pmgsh get /config/ruledb/who
then you can create new e-mail entries like this:
Code:
pmgsh create /config/ruledb/who/91/email --email 'foo@spamnewsletter.com'
(you can also create other entries like domains and regexes of course)

3. If anyone has experience with subscription bombs and protecting against them, feedback would be appreciated.
Sadly not really (short of the radical solution of temporarily suspending the recipient)

Hope this helps!
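
The bulk import from a file asked about in question 2, as an added example that is not part of the original post and not Proxmox's own code: it runs the `pmgsh create` call shown above once per address. The ID 91 is the example value from the post; the input format (one address per line, `#` comments), the function names and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example: bulk-load sender addresses into an existing PMG Who Object.
# Look up the object's ID first with:  pmgsh get /config/ruledb/who
# Assumed input: one address per line, '#' starts a comment.
# Dry run by default (commands are printed); run with PMGSH=pmgsh to apply.
PMGSH="${PMGSH:-echo pmgsh}"

# Print the unique, lower-cased, plausibly valid addresses found in file $1.
clean_addresses() {
    tr -d '\r' < "$1" \
        | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]' \
        | grep -E '^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$' \
        | sort -u
}

# bulk_add WHO_ID FILE: one create call per cleaned address.
# Returns 2 on a non-numeric ID, 1 if any call failed, 0 otherwise.
bulk_add() {
    who_id=$1
    file=$2
    ok=0
    failed=0
    case $who_id in
        ''|*[!0-9]*) echo "Who Object ID must be numeric" >&2; return 2 ;;
    esac
    for addr in $(clean_addresses "$file"); do
        if $PMGSH create "/config/ruledb/who/$who_id/email" --email "$addr"; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
        fi
    done
    echo "ok=$ok failed=$failed" >&2
    [ "$failed" -eq 0 ]
}

# Usage: ./bulk_add.sh 91 senders.txt   (91 is the example ID from the post)
if [ "$#" -eq 2 ]; then
    bulk_add "$1" "$2"
fi
```

Review the dry-run output before applying it with `PMGSH=pmgsh`, since every listed address ends up in the Who Object and is matched by any rule that uses it.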
 
Thanks, it helps me, too
 
I would also be interested if someone has experience; that's a worse thing and I really don't know how to handle it. For sure, you can blame the senders for making it so easy to sign up, but that's no solution. Maybe the Blacklist unsubscore may help, maybe you can contact the list owner of invaluement, he always has good ideas, maybe he would also help out by providing an extra list for that. It's the additional paid list I recommend.
 
Hello,

I know that our expert @heutger has a lot of good ideas (he deserves a virtual gift at least ...). The sad thing is the fact that I have tried very hard, over many years, to:

Blacklist unsubscore may help
- let's say that for me it was 0% help

maybe you can contact the list owner of invaluement
- 0% result

But I can say what helps (and if I remember, I posted these things more or less, be kind to an old guy), not in order of importance:
- the spam rate is proportional to what you send (take it as a postulate)
- block everything that is not in your area of interest (by country, continent, and so on, using an IP list or a DNS, but not a mail server itself)
- do not send mails to un-numbered recipients (20 is OK from what I see)
- instruct your users to report ANY spam activity
- watch your mail logs daily, and block any 3rd consecutive spam (I have been doing this for many years)
- reject/drop any mail that says .... if you want to be removed from mail-list xxxx
- any user who wants to receive mails from ANY mail-list must announce his intention, and he/she will get a separate address for this
- block/drop/reject (according to your own country's laws/rules) any host that is using a home host, like ppp/pptp/dynamic/dhcp and so on
- do not permit, if you can, ANY HTML content emails (this is the most important trick, the one that permits spammers to know that their mails landed in an inbox and that some users read the email - so no HTML = no feedback to spammers)
- remove or teach your users to not check receive confirmation, except for well-known senders
- a smart firewall (Linux, or MikroTik, or Cisco, or whatever) that will block any SMTP connection from the same IP if you have more than T connections per time unit.
- make any spam that can reach your system very high in resource cost for the spammers


As the OP says, Mailchimp and others send spam and good mails. This sounds to me like saying that at the same time I am naked but I also have some shirt on me. This is a wrong statement, and because of that we see some spam but also non-spam emails. In my own opinion, you are sending spam or not! If you send spam, you are rejected in my case, for many months. Because the spam is only the first step. The second is the malware. So in the end you will spend many resources, time and money. And not least, think why the client yyy, who sends only legitimate mails and who has his own mail server, would need to use a spammer like MailZZZZ?

The OP says that suddenly he is receiving a lot of spam .... but you must know that the spammers' engineers are not as foolish as we think. They are very smart compared with most of us! They have started to collect info about the mails that you send, they test you to see if you can react or not, and in the end they do what you now see! OMG, how bad is my luck ;) ... and how are others extremely lucky?

Spam protection is not a tool, it is a process that you follow or not! Yes, many tools can help you, but not 120% as you want!

I can write many other things about how to prevent spam, but I do not want to make a book on this nice Forum, and like in the Bible, we can know a lot of things but not all that we know is useful! No offense to anybody ... ;)
 
Many thanks @guletz ;-)

Unsubscore normally only lists senders that ignore unsubscribe requests, so it could be a chance, but no guarantee.

@guletz's tips work at all; however, for legit subscription confirmation requests from legit servers (as performed by a subscription bomb) there are really few possibilities, unless you want to block all subscription confirmations and newsletters. The question is what advantage someone has in sending you a subscription bomb, but if he only wants to flood your inbox, you could try to filter by content "confirmation, subscription, ...". If the platforms are legit ones (also they usually don't require a captcha or sth. similar), I also won't believe in any support from any list providers or rule writers. However, by content check you may be able to tag them separately, and a list provider may be able to tag such mails as being related to newsletters, but that's all you can get. PMG doesn't have such a possibility, so it needs to be done by content-based rules (you may be able to score/tag on that, or you may be able to reject on that by manual postfix body checks), and you may be able to ask the inventor of invaluement if he can provide a list for that, which you can use for RBL checks.

Regards,
Christian
 