Unwanted email from Communicado Ltd

As my regular readers will know, I run an antispam and antivirus email filtering service called antibodyMX.  About two weeks ago, I started seeing some deeply weird junk traffic coming through.  A lot of it.  It was odder because it was going to an awful lot of different domains we filter.   Statistically we filter a very very tiny set of domains and to see junk mail arriving for many of them all at the same time was very strange indeed.

The domain names the mails were being sent from were also strange.  They were all .co.uk domains and all not-quite-words.   Here are a few:

bagumbayansa.co.uk
balabagansa.co.uk
balambanred.co.uk
balangasere.co.uk
balangigada.co.uk
balangkayansa.co.uk

All the domains are registered to an individual called Chris Hepworth, a company called Communicado, or “World trading Partners BVI 1611097”, or “Phil Neck”, or some combination thereof.  I called them up and asked them what was going on.  I was asked to send an email explaining the problem, I did, no reply.

More mail from yet more domains kept arriving, the domain count got up to over 300.

Using the resources of a somewhat underground entity known to some as The Fish Tank, I spoke to someone who suggested I sign up to Nominet’s PRSS tool which would let me search for domains more easily.  I did so and started domain hunting.

I fed the list of domains I had through a trigram analyser and used the results of that to tease more domains out of the search tool; “qua” was especially useful, finding more than 80 domains.
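A trigram analyser along the lines described above, written here as an added example (not the author's own tooling): it counts, per domain, which three-letter runs recur across the known look-alike names, and then uses those weights to triage fresh search-tool hits. The six domains listed above are the seed set; the candidate names passed in at the bottom are constructed.

```python
from collections import Counter

# Constructed seed set: the six look-alike .co.uk domains quoted in the post.
KNOWN_DOMAINS = [
    "bagumbayansa.co.uk", "balabagansa.co.uk", "balambanred.co.uk",
    "balangasere.co.uk", "balangigada.co.uk", "balangkayansa.co.uk",
]

def registered_label(domain, suffix=".co.uk"):
    """Return the part of the name the registrant chose, minus the public suffix."""
    domain = domain.lower().rstrip(".")
    return domain[:-len(suffix)] if domain.endswith(suffix) else domain.split(".")[0]

def _trigrams(label):
    return {label[i:i + 3] for i in range(len(label) - 2)}

def trigram_support(domains, min_support=2):
    """For each trigram, count how many distinct domains contain it.

    Counting per domain rather than per occurrence stops one long name from
    dominating, and the min_support floor drops one-off trigrams that would
    only pull noise out of a registry search.
    """
    support = Counter()
    for d in domains:
        support.update(_trigrams(registered_label(d)))
    ranked = [(t, n) for t, n in support.items() if n >= min_support]
    return sorted(ranked, key=lambda tn: (-tn[1], tn[0]))

def score_candidates(candidates, ranked_trigrams):
    """Rank search-tool hits by the summed support of the trigrams they share
    with the seed set, so the most look-alike names are reviewed first."""
    weights = dict(ranked_trigrams)
    scored = [(c, sum(weights.get(t, 0) for t in _trigrams(registered_label(c))))
              for c in candidates]
    return sorted(scored, key=lambda cs: (-cs[1], cs[0]))

if __name__ == "__main__":
    ranked = trigram_support(KNOWN_DOMAINS)
    print(ranked[:10])          # "ala" and "bal" lead with support 5
    # Constructed search results: one look-alike, one unrelated name.
    print(score_candidates(["balangquasa.co.uk", "example.co.uk"], ranked))
```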

More mail from yet more domains kept arriving, the domain count got up to over 800.

Searching the web and talking to people, I found that an awful lot of people I knew were getting unwanted email from these people.  I also found one lady who is taking them to court.  I tried calling them again, my voicemail has not been returned.

Today I have spoken to the Information Commissioner’s Office who say they are very interested in the data I have collected.  It will be interesting to see what, if anything, they choose to pursue here.  On the face of it, Communicado do appear to be breaching the DPA.

I have been told there is no immediate reason why I cannot publish the list of domains I have collected, you can find it here and it currently contains 5249 domains (previous counts: 1255, 3971, 4500, 4539, 5145).  An example use might be an ACL on your mail server.  If you run exim, you would add an ACL along the lines of:

  # Reject mail whose envelope-sender domain appears in the downloaded list;
  # the rejection text points the sender at this post.  The ${if exists...}
  # wrapper expands to an empty list when the file is absent, so the rule
  # simply never fires (rather than breaking the ACL) until the list has
  # been fetched.
  deny message = http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/
       sender_domains = ${if exists{/etc/exim4/hepworth.txt}{/etc/exim4/hepworth.txt}}

The file will be updated as and when I have time.  If you want to capture it via a cronjob, you’re welcome to, but please:

  • DO email me to tell me you’re doing so, and from which host(s). You have permission when you click send.
  • DO tell relevant colleagues and friends about it.
  • DO consider donating a little money to charity.  Because of my nephew, I suggest here.
  • DON’T cron it for an obvious time like “12am and 12pm”. Spread the load, please.

You do, of course, use this list entirely at your own risk.

Please stop over-engineering your antispam system

I’m obviously entirely partisan here, having a significant interest in an antispam and antivirus email filtering service called antibodyMX.  That aside, can I please ask you mail administrators to stop making filtering decisions based on really, really, shonky premises?  Thanks.

Today I responded to a posting on a mailing list for the MTA that antibodyMX is based on.  The point of the post isn’t really relevant here, save that the sender was seriously suggesting that the list adopt a standards-breaking policy, but I responded citing a technical issue and was surprised when my email to the original poster was rejected.

The reason it was rejected was that the original poster had decided that the presence of the word “adsl” in the DNS-resolved name of the connecting host was an indication of a spam-sending host.  This is an interesting idea, and for the non-technical reader, it’s best summarised as being bollocks.

The reasoning behind this idea isn’t, well, unreasonable.  Most Internet users these days are on some kind of ADSL connection and most use the cheapest ISP they can find. Most forward/reverse DNS entries for IPs in these ranges look like “adsl-1.2.3.4.SomeISP.net/1.2.3.4”. Many of these users have simply no idea about sensible security so thousands of these home PCs are spam zombies. Is it so bad to assume that mail traffic from such ranges is bound to be spam?

Back to my rejected email.  The regular expression rule the mail system owner had decided to use was badly flawed. It decided that my mail server called “olga.hinterlands.org” looked so much like the word “adsl” that rejecting mail from it (hey! all the right letters are there!) was the sensible thing to do.  Subsequent emails went along the lines of “so what if I do <this>?”  “No, that’s broken, too”  “And how about _this_?” “Sorry”.

This worries me for lots of reasons.  Firstly, a lot of perfectly legitimate email comes out of ADSL ranges.  Small companies use these all the time.  Secondly if you must enforce this sort of thing, (your server, your rules after all), at least bother to test your filtering is doing what you expect.   Test the damn thing and don’t make other email administrators have to deal with the fallout from your local policy.
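The "test the damn thing" point, as an added example rather than anything from the post or the mailing list: a handful of reverse-DNS names with the verdict each should get, run against two rules. The flawed rule is a hypothetical reconstruction (a character class, which matches any name containing an a, d, s or l; the pattern actually used is not known), and the anchored rule is what the policy author presumably meant. The test names are constructed, apart from the post's own olga.hinterlands.org.

```python
import re

# Hypothetical reconstruction of the broken rule.  A character class matches
# ANY host name containing one of the letters a, d, s or l, which is exactly
# how "olga.hinterlands.org" ends up rejected.  The real pattern is unknown.
FLAWED_RULE = re.compile(r"[adsl]", re.IGNORECASE)

# A rule that says what the policy intended: "adsl" as a whole token,
# delimited by label boundaries or hyphens, not merely present as letters.
ANCHORED_RULE = re.compile(r"(?:^|[.-])adsl(?:[.-]|$)", re.IGNORECASE)

# Constructed test vectors: (reverse-DNS name, should the rule match?).
# The ADSL-style names mirror the "adsl-1.2.3.4.SomeISP.net" shape quoted
# above; olga.hinterlands.org is the post's own server.
TEST_CASES = [
    ("adsl-1-2-3-4.someisp.net", True),
    ("host.adsl.example.net", True),
    ("olga.hinterlands.org", False),
    ("mail.example.com", False),
    ("roadslip.example.org", False),   # "adsl" buried in a word, not a label
]

def failures(rule, cases=TEST_CASES):
    """Return every (hostname, expected, got) where the rule disagrees with
    the expected verdict.  An empty list means the rule passed its tests."""
    out = []
    for host, expected in cases:
        got = rule.search(host) is not None
        if got != expected:
            out.append((host, expected, got))
    return out

if __name__ == "__main__":
    for name, rule in (("flawed", FLAWED_RULE), ("anchored", ANCHORED_RULE)):
        bad = failures(rule)
        print(f"{name:8s} {'OK' if not bad else 'FAIL'} {bad}")
```

Run before deploying any such local policy; a rule with a non-empty failure list rejects legitimate mail the way the post describes.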

HOWTO: Building a mail server with Exim, Dovecot and Squirrelmail

It’s been a while since I’ve blogged, I find Twitter a bit easier to keep updating. In the fine tradition of itch-scratching, I recently rebuilt my own personal mail server based on a virtual private server from Bitfolk using Exim, Dovecot and Squirrelmail. You can find the HOWTO here, I hope you find it useful.