Blocking, filtering or reducing "tabloid" spam (emails that bypass SpamAssassin)?
In the past few weeks, we've been hit hard by a new class of spam email (or at least new to me/us). I'm calling it "tabloid spam" because they send supermarket-tabloid headlines with tabloid copy, which bypasses SpamAssassin.
Here are some sample subject lines:
Mark Cuban Tells Anderson Cooper The Economy is in for a Meltdown
Looking for Walk In Bath Information? Compare These Choices.
One of the Biggest Government Lies: "The Food We Eat is Safe"
Donald Trump: I Consult Myself On Foreign Policy, "Because I Have A Very Good Brain"
The messages contain 1-2 links, but it's not clear whether they are selling anything without clicking on the link. The messages all contain lots of body copy, some of which reads like spun web content. SpamAssassin can't tell this style of copy from legitimate mail.
The frequency of these messages is increasing: we got maybe 20 per day a few weeks ago, and it has escalated to where we now get hundreds per day. They all come from different email addresses, and the subjects are wide and varied, but most are like supermarket tabloid headlines.
What we've tried / ideas:
The only way we can get SpamAssassin to flag these is to dial it down to a threshold of 2, which gets most of them, along with half of our legitimate mail!
Someone suggested changing out email addresses. That seems like a drastic measure and a short-term one at best.
We already use RBL blacklists to reject mail on Postfix. They aren't stopping this.
Add keywords to SpamAssassin and give them a score; for example, set it to add a +10 spam score to any subject line containing "Donald Trump", "Dr. Oz", "Anderson Cooper", etc. This seems labor intensive, but I will look into adding rules next, at least for temporary relief.
Aside from that, any other ideas or suggestions on how to deal with this? I'm sure we're not the only ones dealing with this new(?) type of spam email.
Our environment is Linux (Ubuntu LTS) with Postfix + SpamAssassin.
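The keyword-rule idea from the question, worked through as an added example (this is not code from the question's author or from the SpamAssassin project). It generates a SpamAssassin .cf fragment from a phrase list, escaping regex metacharacters so "Dr. Oz" does not silently match "Dr? Oz", and adds a meta rule so that a single celebrity name only gets a modest score while two or more names in one Subject get the large bump. The rule-name prefix TABLOID_KW_, the scores (3.0 per hit rather than the +10 proposed above, to spare legitimate news mail), and the phrase list are assumptions made here:

```python
"""Generate SpamAssassin Subject keyword rules from a phrase list.

Added example, not code from the question or from SpamAssassin. Assumed
choices (not from the page): the rule-name prefix TABLOID_KW_, the scores,
and the idea of a meta rule that only adds weight when several phrases hit.
"""
import re

# Constructed phrase list, drawn from the sample subjects in the question.
PHRASES = ["Donald Trump", "Dr. Oz", "Anderson Cooper", "Mark Cuban"]

# Characters with special meaning in a Perl regex written between / delimiters.
PERL_META = set(r"\.^$|()[]{}*+?/")


def phrase_regex(phrase):
    """Turn a literal phrase into a word-anchored Perl regex.

    Metacharacters are escaped (so "Dr. Oz" does not become "Dr<any> Oz") and
    runs of whitespace become \\s+ so that double spaces or tabs still match.
    """
    words = ["".join("\\" + c if c in PERL_META else c for c in w)
             for w in phrase.split()]
    return r"\b" + r"\s+".join(words) + r"\b"


def rule_name(phrase):
    """Rule names may only use [A-Z0-9_], so normalise the phrase."""
    return "TABLOID_KW_" + re.sub(r"[^A-Z0-9]+", "_", phrase.upper()).strip("_")


def build_rules(phrases, per_hit=3.0, multi_bonus=4.0, multi_min=2):
    """Return a .cf fragment: one header rule per phrase plus a meta rule.

    Each single hit adds per_hit; the meta rule adds multi_bonus only when at
    least multi_min phrases appear in the same Subject, so one celebrity name
    in a legitimate newsletter does not push it over the threshold on its own.
    """
    lines = ["# Generated tabloid-headline Subject rules"]
    names = []
    for phrase in phrases:
        name = rule_name(phrase)
        names.append(name)
        lines += [
            f"header   {name} Subject =~ /{phrase_regex(phrase)}/i",
            f"describe {name} Subject mentions tabloid-bait phrase: {phrase}",
            f"score    {name} {per_hit:.1f}",
        ]
    lines += [
        f"meta     TABLOID_KW_MULTI ({' + '.join(names)}) >= {multi_min}",
        f"describe TABLOID_KW_MULTI At least {multi_min} tabloid-bait phrases in Subject",
        f"score    TABLOID_KW_MULTI {multi_bonus:.1f}",
    ]
    return "\n".join(lines) + "\n"


def subject_hits(subject, phrases):
    """Preview which generated rules a Subject line would trigger.

    Python's re engine is used for the preview; for these escaped literal
    patterns it agrees with Perl, but the real check is `spamassassin --lint`
    plus a test message once the .cf file is installed.
    """
    return [rule_name(p) for p in phrases
            if re.search(phrase_regex(p), subject, re.IGNORECASE)]


if __name__ == "__main__":
    print(build_rules(PHRASES))
    for subj in (
        "Mark Cuban Tells Anderson Cooper The Economy is in for a Meltdown",
        "Looking for Walk In Bath Information? Compare These Choices.",
    ):
        print(subj, "->", subject_hits(subj, PHRASES) or "no hit")
```

Drop the output into a new file under /etc/spamassassin (for example tabloid.cf, a name chosen here), run `spamassassin --lint` to catch syntax mistakes, and restart spamd before trusting it. Note that two of the four sample subjects in the question match no phrase at all, which is the limitation of keyword rules against this kind of spam: they buy time, but the phrase list has to be fed continuously.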
This kind of thing (snowshoe/hailstorm spam) is best detected with machine learning. Make sure you're making full use of Bayes in SpamAssassin (i.e. you must regularly train on spam and ham; autolearn is not sufficient).
You want to ensure you have your IP and URI DNSBLs set up properly; see DnsBlocklists. I'd say DNSBLs and Bayesian content inspection are the two best weapons to combat spam overall.
The best reduction to spam volume I got back when I ran a company's mail was to properly return SMTP-time NO SUCH USER and BLOCKED FOR SPAM rejections for nonexistent users and high-scoring spam. This will radically reduce spam from senders that track deliverability metrics (some bad guys plus a lot of dirty marketers). Admittedly, that won't help much with respect to the subtype of snowshoe you're suffering, but it might alleviate other issues you're having—though you cannot consider this if you use a catch-all (wildcard) account to collect mail to non-users. If you can set up SpamAssassin to reject messages at SMTP time, that would provide the same benefit for spam sent with bounce-tracking senders.
You mentioned in the comments that you've tried a number of things but not Nolisting. I've had anecdotal success with nolisting, but it would have been quite an extra burden to implement some way of measuring its impact. I implemented nolisting in its prescribed manner (a solitary primary MX record that responds to ping and has port 25 closed—but not filtered: it must be a fast rejection) and in a nonstandard manner (which nolisting.org insists should be called something else): a solitary lowest priority (highest numeric) MX record that has port 25 filtered (so it'll time out and therefore consume spammer resources).
Measuring nolisting would require standing up a server solely to count connections, then comparing those logs to the logs on the real mail relay to see how many messages do not survive.
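The comparison the answer describes as the way to measure nolisting, written out as an added example (not code from the answer's author). It assumes, as a setup not stated on the page, that the decoy primary MX logs every inbound port-25 SYN through an iptables LOG rule with the prefix "NOLIST:" before rejecting it with a TCP reset, and that the real relay is Postfix writing the standard smtpd "connect from host[ip]" and "QUEUEID: client=host[ip]" lines. Both log excerpts below are constructed, not captured traffic:

```python
"""Compare decoy-MX connection logs with the real relay's Postfix log.

Added example, not code from the answer. Assumptions (not from the page):
the decoy logs port-25 SYNs via an iptables LOG rule with prefix "NOLIST:",
and the real MX is Postfix with its standard smtpd log lines.
"""
import re
from collections import defaultdict

# Kernel LOG line from the decoy: pull the source IP of each port-25 SYN.
DECOY_RE = re.compile(r"NOLIST:.*\bSRC=(?P<ip>[\d.]+)\b.*\bDPT=25\b")
# Postfix smtpd connection and "message accepted for queueing" lines.
# The "]: connect from" anchor keeps "disconnect from" lines from matching.
RELAY_CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[(?P<ip>[\d.]+)\]")
RELAY_QUEUED_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\]")

# Constructed sample logs (documentation address ranges, not real hosts).
DECOY_LOG = """\
Mar  3 10:00:01 decoy kernel: NOLIST: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=25
Mar  3 10:00:02 decoy kernel: NOLIST: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25
Mar  3 10:00:03 decoy kernel: NOLIST: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=25
Mar  3 10:00:04 decoy kernel: NOLIST: IN=eth0 OUT= SRC=198.51.100.21 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=25
"""

RELAY_LOG = """\
Mar  3 10:00:11 mx1 postfix/smtpd[4321]: connect from mail.example.net[198.51.100.20]
Mar  3 10:00:12 mx1 postfix/smtpd[4321]: 5A1B2C3D4E: client=mail.example.net[198.51.100.20]
Mar  3 10:00:13 mx1 postfix/smtpd[4321]: disconnect from mail.example.net[198.51.100.20]
Mar  3 10:00:20 mx1 postfix/smtpd[4322]: connect from unknown[203.0.113.99]
Mar  3 10:00:21 mx1 postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@b.example> to=<nobody@example.com> proto=ESMTP helo=<b.example>
Mar  3 10:00:22 mx1 postfix/smtpd[4322]: disconnect from unknown[203.0.113.99]
"""


def parse_decoy(log):
    """Count port-25 connection attempts per source IP seen by the decoy."""
    attempts = defaultdict(int)
    for line in log.splitlines():
        m = DECOY_RE.search(line)
        if m:
            attempts[m.group("ip")] += 1
    return dict(attempts)


def parse_relay(log):
    """Return (ips that connected, ips that got a message queued) on the real MX."""
    connected, queued = set(), set()
    for line in log.splitlines():
        m = RELAY_CONNECT_RE.search(line)
        if m:
            connected.add(m.group("ip"))
            continue
        m = RELAY_QUEUED_RE.search(line)
        if m:
            queued.add(m.group("ip"))
    return connected, queued


def compare(decoy_log, relay_log):
    """Classify every client by what it did after the decoy's fast reset."""
    decoy = parse_decoy(decoy_log)
    connected, queued = parse_relay(relay_log)
    decoy_ips = set(decoy)
    return {
        # Hit the closed primary and never tried the real MX: nolisting worked.
        "decoy_only": sorted(decoy_ips - connected),
        # Hit the primary, then fell through to the real MX like a real MTA.
        "retried": sorted(decoy_ips & connected),
        # Went straight to the real MX without touching the primary at all.
        "relay_only": sorted(connected - decoy_ips),
        "queued": sorted(queued),
        "decoy_attempts": decoy,
    }


if __name__ == "__main__":
    result = compare(DECOY_LOG, RELAY_LOG)
    for key in ("decoy_only", "retried", "relay_only", "queued"):
        print(f"{key:12s} {len(result[key]):3d}  {', '.join(result[key])}")
```

The "decoy_only" bucket is the number the answer wants: senders that gave up after the fast rejection and therefore never cost the real relay a connection. The "relay_only" bucket is worth watching too; a client that skips the advertised primary and goes straight to a lower-priority MX is not behaving like a normal MTA. Run it over a day of both logs, not the handful of constructed lines here, and re-check after any MX record change, since a stale DNS cache will make well-behaved senders look as if they skipped the primary.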