NinerNet Communications™
Blog

Corporate Blog

Scammers never sleep

31 December 2018 10:02:41 +0000

If you thought you could get a break from scammers over Christmas, think again. This one landed in our in box on Christmas day, as is clear from the date the countdown starts!

From: greatroadnorth.com is about to expire. <no-replay@renewal-service.info>
Reply-to: “greatroadnorth.com is about to expire.” <no-replay@renewal-service.info>
Subject: Domain Administrator
Date: Tue, 25 Dec 2018 17:52:19 +0000
Return-path: <01020167e67ef75e-d5d2ee16-fd2f-457e-9a8d-00dba3dc6492-000000@eu-west-1.amazonses.com>
X-spam-score: 2.125

Tucows Domains Inc.
====================
IMPORTANT NOTIFICATION
====================
greatroadnorth.com
Date: 2018-12-25

Dear Domain Administrator,

The Domain SEO-listing shown below are set for renewal and need to be processed in the next 48 hours.

No need to worry, please go to this link and follow the instructions:
renewal-service.info/greatroadnorth.com

Your product details are listed below:
====================

Product Name:
SEO-Renewal for greatroadnorth.com
Expire Time:
48 hours from 2018-12-25
Renewal cost per annum:
$69.00

====================
Amount due: $69.00

PAYMENT INFORMATION
Information on how to renew your domain can be found here:
renewal-service.info/greatroadnorth.com

This offer is only valid for 48 hours as a courtesy to let you know that your domain is expiring soon and this search engine optimization offer will expire.
Should your domain name expire, there is going to be a signifcant drop
in search engine services for your website, email and any other associated services.
This domain seo registration for greatroadnorth.com limited time offer will end in 48 hours from 2018-12-25.

Thank you!

Sincerely,
Renewal department

====================

Note:
You received this message because you elected to receive notification offers. Should you no longer wish to receive our offers, please unsubscribe here. If you have multiple accounts with us, you must opt out for each one individually.

Some characteristics of this spam/scam:

  • Your name (available from the WHOIS) will be in the subject, along with a flag emoji to draw attention to the email.
  • The name of your legitimate domain registrar (also available from the WHOIS) will be at the top of the email, even though they did not send the email.
  • There is the usual very close deadline (48 hours), after which the world will end for you and your domain.
  • The plain-looking links in the email mask tracking links to the domain wizz.netvalue.io.
  • The scammer makes the unusual claim that not sending them money will cause “a signifcant [sic] drop in search engine services for your … email”. This, of course, is absolutely false, as your email traffic is not tied directly to search engine traffic anyway.
  • Sent through the best and biggest “bulletproof” spam hosting service in the world: Amazon.

Given the fact that most gTLD registrars (including the ones we use) have not pubished WHOIS information since May 2018, these scams are being sent to old mailing lists compiled before publishing stopped, and are out of date. (For example, the domain that is the subject of this email no longer exists.) Changing the contact email address on your domain and shutting down the old address is something you should consider doing.

Spam and virus filtering on the mail server

11 October 2018 15:15:22 +0000

Over the last five months we’ve been monitoring the effectiveness of the anti-spam systems on server NC036 with a view to setting the point at which emails are considered by the system to be spam. We have slowly lowered the cut-off point from the default of 6.2 to 3.0, and have found that at 3.0 the rate of legitimate email caught in the filter rises sharply. Therefore we have now set the default, server-wide level at 3.5. At this point we’re blocking about one thousand to fifteen hundred spams a day, and anywhere from a handful to a few dozen viruses a month.

You can set a different cut-off point for spam to your domain(s) as follows:

  1. Log into the mail server control panel.
  2. Click “Domains & Accounts”.
  3. Click the domain you want to manage.
  4. Click “Spam Policy”.
  5. Enter a different number in the “Classify mail as spam when score is >=” field.
  6. Click the green “Save changes” button.

In short, the lower you set the score the more spam is caught, but the greater the likelihood of legitimate email being classified as spam. Conversely, the higher the score you set the less spam will be caught and the lower the likelihood of legitimate email being classified as spam.

You can also manage other aspects of the spam filter on this page, but we recommend that you do not. The server-wide defaults are to enable all four checks (spam, virus, bad headers and banned files) and to quarantine spam and viruses. If you want to allow any of those four classes of undesirable emails through on your domain that’s your call, but you take full responsibility for the results. The results include everything from annoyance to compromised machines, devices and accounts. NinerNet does charge for time spent recovering and cleaning up compromised accounts.

Please note that the spam and virus filters monitor both incoming and outgoing email.

We strongly recommend, now that we have finished our evaluation, that you conduct your own evaluation of the situation with undesirable email on your own domain or domains. Once logged into the mail server control panel, please navigate to System -> Quarantined Mails. There you will find spam and virus emails to and from your domain(s) for approximately the last week. As mentioned above, if you find that too many legitimate emails are being classified as spam, you have two options: 1) Increase the score at which messages are considered spam, and/or 2) Whitelist any legitimate senders or domains that consistently receive high scores. To whitelist a “sender” (a single email address) or a domain or a domain and all of its sub-domains, follow these instructions:

  1. Log into the mail server control panel.
  2. Click “Domains & Accounts”.
  3. Click the domain you want to manage.
  4. Click “White/Blacklist”.
  5. Follow the instructions on the right of the page to add records to the appropriate whitelist, incoming or outgoing.

Please note that it might be tempting to add something like @yourdomain.com to the outgoing whitelist (thereby whitelisting all addresses on your domain), but we strongly advise you not to. If you do, and a machine on your network is infected with a virus or is compromised and starts spamming, the system will follow your instructions and let it all through. Please see above about our fees for cleaning up after a mess like this. The emails will likely be blocked on the receiving server anyway, and your domain possibly blacklisted. You don’t want you domain (or our mail server) blacklisted, so not whitelisting all of your users is a defence against getting your domain (and our mail server) blacklisted.

Something else to note is that it’s fairly pointless to blacklist spammers and virus senders. If you blacklist bob@example.com because he sent a virus that the virus scanner caught, you’ll also block the legitimate email he sends once he cleans up his machine and sends you an email to apologise. Similarly, spammers rarely use the same email address or domain more than a few times, so you’ll just be filling your blacklist with a lot of crap. Of course, if a persistent spammer keeps getting through the spam filter, then go ahead and blacklist them if they’re actually using the same email address or domain.

Please monitor your quarantine on a regular basis so that you notice trends and compensate for them. With our evaluation ended we will only occasionally monitor the quarantine to make human judgement calls about letting some emails through, as we have been doing over the last five months.

It is worth noting here a couple of points. One is that no spam filter is perfect. During our evaluation we have seen spam come in that was scored less than 3.5, and so will make it through the filter now that we have settled on a cut-off of 3.5. Another is that some legitimate email from senders hosted on this server — i.e., you and your colleagues and employees — has been scored above 3.5 and so has been (or will be) quarantined instead of being delivered to the sender’s mail server. This is why you need to keep an eye on the quarantine for the domains under your account, and if necessary release legitimate emails for delivery. This is how you release emails:

  1. Log into the mail server control panel.
  2. Navigate to System -> Quarantined Mails.
  3. Select the legitimate email or emails.
  4. At the bottom of the page select “release selected” from the “Choose Action” drop-down list.
  5. Click the green “Apply” button.

The emails will then disappear from the quarantine and will be delivered to the recipients. You may also select one of the other three “release” options if you want to release the email and add the sender to your whitelist if their email is consistently being scored highly. As mentioned above, it’s generally a waste of time to select one of the blacklisting options; there’s also no need to manually delete items from the quarantine, as they are rotated out after about a week.

With respect to your own emails being marked as spam, there are some glaring spam markers that we’ve seen commonly used that you and your colleagues and employees can avoid by following these suggestions:

  • Don’t use blank subjects.
  • Don’t use ALL CAPITALS subjects. If you do, keep in mind that your method of trying to get the recipient’s attention might fail completely if your message is blocked as spam.
  • Avoid using very short subjects.
  • Avoid using “Dear xxxx” in your salutations. Email is a less formal mode of communication than letters, and opening an email with “Dear” is a classic spam marker and will give your email enough extra points that it could push it over the cut-off score, especially when combined with other spam markers listed here.
    • Update: Thanks to a client for pointing out that “Dear Bob” or “Dear Mrs. Smith” are not scored as badly as generic salutations such as “Dear sir”, “Dear madam”, “Dear investor”, “Dear home owner”, “Dear winner”, “Dear beneficiary”, “Dear friend”, “Dear you@example.com”, etc.
  • Don’t send blank emails with only an attachment.

Please note that we don’t read your email. This data is gleaned from the spam reports and the reasons that certain messages were blocked because they were classified as spam.

This spam filter is much better than what we had on the old email server, and now you have access to the information it contains and control over how it works. If you have any questions or concerns, please contact NinerNet support. Thank-you.

Diet and weight loss spam

24 July 2017 07:06:34 +0000

This is a long post, but certain sections of it might be useful to you.

We have been hearing from some clients over the last few months that they are being inundated with spam advertising weight loss drugs, diet pills, etc. ad nauseam. NinerNet does have anti-spam measures on our mail servers — and they stop thousands of messages a day that you never see — but they generally rely on methods of filtering that do not involve what is called “content scanning” — i.e., having a machine essentially read all of your email to see if it mentions topics you don’t want to hear about. They also don’t generally involve blocking email addresses, as spammers almost always send from a different email address every time, so blocking one email address after the fact is pointless.

Additionally, what is a clear indicator of spam for one client can be part of a perfectly legitimate email for another client: for example, a medical client might send and receive completely legitimate emails that include the word “diet” or the phrase “weight loss”, and so we can’t filter for those words across the entire server. Even everyday communications can contain these words when one person enquires after another person’s health, even in a business email: “How’s the diet going?”; “Bob has experienced significant weight loss since he got sick last month”; and so on. In other words, if we deleted all messages containing the word “diet”, for example, we’d delete a lot of legitimate email and upset a lot of clients.

Then there are spelling mistakes: If we delete email containing the phrase “diet supplement”, we’ll miss the misspelling “diet suplemment”.

So what can you do? Potential solutions fall into two categories — prevention and cure — and we all know that an ounce of prevention is worth a pound of cure. We’ll deal with prevention first, but if it’s already too late for you, skip right to the (potential) cures at the end.

Prevention

  • Don’t put your email address(es) on websites: Spammers use the same techniques as the search engines to index (“scrape”) websites for email addresses. If you put an email address on a website — yours, or a forum that you’re involved in — it is going to be spammed. Instead use a contact form. These are not foolproof either, but they’re better than nothing and you can tweak them over time in response to their misuse.
  • Avoid using certain email addresses: Certain email addresses get more spam than others. These are called RFC 2142 addresses, and they include info@example.com, sales@, etc. These are common addresses that spammers will send email to in the hope that they go to a real person. Instead of info@, consider an alternative like contact@.
  • Avoid common first names: Yes, your name might be Jim and you want to use jim@example.com, but avoid it. If your surname is Smith, try jims@example.com, jsmith@example.com or even jimsmith@example.com instead. Consider adding punctuation — e.g., j.smith@example.com.
  • Domain registrations: Use a dedicated email address for your domain registrations. Over the years most domain registries have been part of the spam problem by publishing email addresses in their “WHOIS” databases, which are scraped the same way websites are. Instead of using your primary address as the public contact for your domain registration, use a secondary one. However, it must work and you should check it regularly — e.g., once a month or so. The registry that NinerNet uses does not publish the billing contact’s email address, making the email address for this contact less likely to receive spam. And while we do provide WHOIS privacy where all of the contact information for your domain registration is hidden, we don’t recommend this for businesses as looking up the WHOIS information for a domain is a legitimate method for your customers to verifying the legitimacy of your business.
  • Use throwaway addresses: If you need to give an email address out in situations where you’re concerned it might be abused by the person or organisation you’re giving it to, create a throwaway address for one-time use.
  • Don’t be part of the problem!: See “How and Why to Blind Copy Multiple-Recipient Emails“. Also, don’t send mass emails yourself to people you assume will be happy to receive them — e.g., customers who once did business with you six years ago!
  • Use an anti-virus scanner: Prevent your computer being taken over by criminals who want to mine it for data, not the least of which are the email addresses of your friends, family and business contacts.

Cure

In truth, there is no cure. If your email address is on a spammer’s list, it’s going to be sold and traded on. But no matter how well you do on the prevention side, someone else who has your email address on their computer is going to allow a virus in, and your email address will end up on a list.

However, on the particular topic of this blog post — weight loss spam — if no legitimate email coming into your account is going to refer to “diet pills” or “weight loss”, then you can set up a filter in your webmail account. Follow these instructions (illustrated at right):

  1. Log into your email account at mail.niner.net.

    Spam filtering

    Spam filtering.

  2. Click “Settings” in the top, right-hand corner.
  3. Click “Filters” in the left-hand column under the “Settings” heading.
  4. Click the plus sign at the bottom of the third column from the left under the “Filters” heading.
  5. In the “Filter name” box, give the filter a name like “Diet spam”.
  6. In the “For incoming mail” section you probably want to leave the default “matching any of the following rules” setting in place.
  7. In the first drop-down list, select “Body”.
  8. In the second drop-down list leave “contains” selected.
  9. In the blank field to the right, enter a word (single words are risky) or phrase that you think indicates spam. (Some suggestions culled from sample emails sent to us by clients are below.)
  10. To add more spammy words or phrases, click the plus sign to the right to add another “rule”.
  11. In the “…execute the following actions” section, we recommend you select “Move message to” in the first drop-down list, and “Junk” in the second drop-down list.
  12. At the bottom of the page click the “Save” button.

Now emails matching the filter you have created will automatically be filtered to your “junk” folder. We suggest that you check your junk folder regularly for a while after you create a rule to make sure it doesn’t catch any legitimate email.

Some spammy words and phrases from sample emails sent to us by clients:

  • diet aid
  • weight loss
  • fat
  • body
  • skinny
  • weight goals
  • diet supplement
  • weight reduction
  • excessive weight
  • boost your metabolism
  • beach body
  • live a better life
  • living a better life
  • dietary product
  • fight weight
  • big discount

Please note that you use these phrases and instructions for filtering your email at your own risk!

We hope this helps you fight some of the spam you’re receiving. If you have any questions, please contact support.

Senegal IP addresses blocked

1 August 2012 06:59:29 +0000

Over the years we have resisted the temptation to block whole countries based on the bad behaviour of only a few of their residents. Many mail servers out there block email from all of China, roughly 20% of the world’s population! We do not.

However, due to a constant onslaught from determined spammers in Senegal, we have blocked all IP addresses assigned to that country. We hope to remove the block after some time, but we cannot predict when that might come to pass.

These are the IP address ranges that we have blocked:

31.201.2.0 - 31.201.2.3
37.59.137.240 - 37.59.137.255
37.222.209.0 - 37.222.209.255
41.62.0.0 - 41.62.255.255
41.82.0.0 - 41.83.255.255
41.208.128.0 - 41.208.191.255
41.214.0.0 - 41.214.127.255
41.219.0.0 - 41.219.63.255
46.36.197.111 - 46.36.197.120
64.182.63.133 - 64.182.63.141
69.13.133.138 - 69.13.133.146
69.13.190.244 - 69.13.190.252
80.84.25.48 - 80.84.25.63
82.206.180.0 - 82.206.180.255
82.206.198.128 - 82.206.198.255
92.39.112.0 - 92.39.112.127
178.32.167.96 - 178.32.167.111
193.220.57.104 - 193.220.57.111
193.220.72.224 - 193.220.72.231
193.220.72.248 - 193.220.72.255
194.117.53.0 - 194.117.53.127
196.1.92.0 - 196.1.100.255
196.207.192.0 - 196.207.255.255
208.68.251.0 - 208.68.251.255
213.154.64.0 - 213.154.95.255
216.139.166.0 - 216.139.166.255

If this adversely affects you in any way, please contact NinerNet support with details. Thank-you

NinerNet home page

Subscriptions:

RSS icon. RSS

General Information:

This is the corporate blog of NinerNet Communications. It's where we post announcements, inform and educate our clients, and discuss issues related to the Internet (web and email) hosting business and all it entails. This includes concomitant industries and activities such as domain registration, SSL/TLS certificates, online back-up, virtual private servers (VPS), cloud hosting, etc. Please visit our main website for more information about us.

Search:

 

Recent Posts:

Archives:

Categories:

Tags:

accounts receivable apple billing branding cira contact information domain registration domain registry of canada domain renewals domains domain sales dot-ca domains dot-zm domains down time droc email encryption facebook google happy hosting customers hosting transfer icann invoices iphone kwacha maintenance paying your bill paying your invoice quarterly kwacha rate review rates registrar transfers reputation scams search engine optimisation search engine optimization security seo service hours spam ssl ssl/tls support transparency wordpress zamnet

Resources:

On NinerNet: