How do I get SEO Email Spam to stop?
7 points by Riolku
I run a tiny static site, https://kgugeler.ca, with a grand total of one blog post (I may revisit it...)
I've recently gotten incessant spam (about once a day) about 'SEO optimizing my site'.
How do I prevent this spam? Obfuscating my email?
Same, it's incessant.
I don't have any tips about the email spam, but I do have one piece of small-server advice: change the port SSH listens on. You can drastically reduce the number of stray attackers trying to SSH in by setting the SSH port to anything other than the default port 22.
Also, fail2ban helps knock down the volume of nonsense, watching logs for various services you might have running.
On top of fail2ban, I use ufw-blocklist [1]. It's essentially a cron job that pulls from IPSum [2], a list of spam / malicious IPs updated every day. It automatically blocks any traffic coming from those IP addresses. I had nearly 1000+ fail attempts a day on my VPS, with around 100-200 banned at any time. After installing ufw-blocklist, it's less than 10 fail attempts a day.
[1] https://github.com/poddmo/ufw-blocklist [2] https://github.com/stamparm/ipsum
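As an added illustration of what a feed-driven blocklist like the one above has to do (this is editor-written example code, not ufw-blocklist's or IPsum's own), here is the feed-to-firewall step in Python. It assumes the IPsum text format is one "address, tab, number of lists" entry per line with `#` comments, uses a made-up feed of documentation addresses, and renders `nft` commands with assumed table/chain names (`inet filter`, `input`). The `NEVER_BLOCK` and `allow` guards are the part worth copying: a threat feed must never be able to ban your own networks.

```python
import ipaddress

# Constructed sample in the IPsum text format (assumption: one "<ip><TAB><number of
# blocklists>" entry per line, '#' lines are comments). Documentation addresses
# (RFC 5737 / RFC 3849), not real listed hosts.
SAMPLE_IPSUM = """\
# IPsum threat-intel feed (constructed sample, not the real list)
# IP\tnumber of (black)lists
203.0.113.10\t8
198.51.100.7\t3
192.0.2.44\t1
not-an-ip\t9
10.0.0.5\t7
2001:db8::1\t5
"""

# Ranges a feed must never be allowed to add, whatever it says: RFC 1918, loopback,
# link-local and their IPv6 equivalents. Add your own admin networks via `allow`
# so a poisoned or mistaken feed cannot lock you out.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_ipsum(text, min_lists=3, allow=()):
    """Return the addresses named by at least `min_lists` upstream lists.

    `min_lists` is an assumed confidence threshold (singletons are noisy). Malformed
    lines and anything inside NEVER_BLOCK or `allow` are dropped so feed garbage
    never reaches the firewall.
    """
    allow_nets = [ipaddress.ip_network(a, strict=False) for a in allow]
    blocked = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
            count = int(parts[1])
        except ValueError:
            continue  # malformed entry
        if any(addr in net for net in NEVER_BLOCK + allow_nets):
            continue
        if count >= min_lists:
            blocked.add(addr)
    return blocked


def nft_commands(addrs, table="inet filter", chain="input", with_rule=True):
    """Render nft(8) commands that (re)load the addresses into named sets and drop
    traffic from them. Table and chain names are assumptions; use your own. In a
    daily cron job run the rule line once and only the set refresh afterwards."""
    out = []
    for version, settype in ((4, "ipv4_addr"), (6, "ipv6_addr")):
        members = sorted((a for a in addrs if a.version == version), key=int)
        if not members:
            continue
        name = f"ipsum_v{version}"
        proto = "ip" if version == 4 else "ip6"
        out.append(f"add set {table} {name} {{ type {settype}; }}")
        out.append(f"flush set {table} {name}")
        out.append(f"add element {table} {name} {{ {', '.join(map(str, members))} }}")
        if with_rule:
            out.append(f"add rule {table} {chain} {proto} saddr @{name} counter drop")
    return "\n".join(out)


if __name__ == "__main__":
    print(nft_commands(parse_ipsum(SAMPLE_IPSUM, min_lists=3)))
```

Feed the output to `nft -f -` from the cron job; because `flush set` plus `add element` replaces the set contents atomically per command, the drop rule keeps working while the list is refreshed.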
Nice! I've got Spamhaus (etc) for spam senders, but mostly just rely on fail2ban for the other services. Since those are trying badly to log in, I just use aggressive limits. (One fail, 12 hours). Since I log in with automation, it never fails for me, and so a first-attempt block seems reasonable. I can keep whacking moles faster than they can pop up with new IPs.
If they want to distribute their password-guessing with more IPs, they'll need a lot more of them...
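To make the fail2ban discussion in the two comments above concrete (the port/fail2ban advice and the "one fail, 12 hours" policy), here is an editor-written example of the core ban logic run over constructed sshd log lines; it is not fail2ban's code, and the log format, addresses and fingerprint are made up. The `ignore` list is the piece that keeps a one-strike policy from locking out your own automation.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in the shape of `journalctl -u ssh -o short-iso` output
# (ISO timestamp, host, sshd[pid]: message). Addresses are RFC 5737 documentation
# ranges; the key fingerprint is made up.
SAMPLE_LOG = """\
2024-05-01T03:14:15+00:00 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
2024-05-01T03:14:16+00:00 vps sshd[1201]: Connection closed by authenticating user admin 198.51.100.23 port 51234 [preauth]
2024-05-01T03:14:40+00:00 vps sshd[1205]: Failed password for root from 198.51.100.23 port 51300 ssh2
2024-05-01T03:15:02+00:00 vps sshd[1210]: Accepted publickey for deploy from 192.0.2.8 port 40002 ssh2: ED25519 SHA256:constructedfingerprint
2024-05-01T03:20:00+00:00 vps sshd[1222]: Failed password for root from 203.0.113.77 port 60011 ssh2
2024-05-01T03:20:30+00:00 vps sshd[1225]: Failed password for invalid user test from 192.0.2.8 port 40100 ssh2
2024-05-01T15:30:00+00:00 vps sshd[1300]: Failed password for root from 198.51.100.23 port 52000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Two common failure shapes; fail2ban's real sshd filter recognises many more.
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"),
    re.compile(r"Connection closed by authenticating user \S+ (?P<ip>[0-9a-fA-F.:]+) port \d+ \[preauth\]"),
]


def failure_ip(msg):
    """Source address of a failed attempt, or None if the line is not a failure."""
    for pattern in FAIL_PATTERNS:
        m = pattern.search(msg)
        if m:
            return m.group("ip")
    return None


class Jail:
    """Ban an address after `maxretry` failures within `findtime`, for `bantime`.

    `ignore` lists networks that are never banned: the way to keep a one-strike
    policy from locking out your own hosts when a key is missing or wrong.
    """

    def __init__(self, maxretry=1, findtime=timedelta(minutes=10),
                 bantime=timedelta(hours=12), ignore=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignore]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> expiry of the current ban
        self.ban_events = []                # (ip, start, end) history for auditing

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return what was done with it (None = not a failure)."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ip = failure_ip(m.group("msg"))
        if ip is None:
            return None
        ts = datetime.fromisoformat(m.group("ts"))
        if self._ignored(ip):
            return "ignored"
        until = self.banned_until.get(ip)
        if until is not None and ts < until:
            return "already-banned"   # slipped in before the firewall rule landed
        recent = self.failures[ip]
        while recent and ts - recent[0] > self.findtime:
            recent.popleft()         # forget failures outside the window
        recent.append(ts)
        if len(recent) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            self.ban_events.append((ip, ts, ts + self.bantime))
            recent.clear()
            return "banned"
        return "failure"


def run_jail(log, **settings):
    """Feed every line of `log` through a fresh Jail; return (jail, actions taken)."""
    jail = Jail(**settings)
    actions = []
    for line in log.splitlines():
        action = jail.feed(line)
        if action is not None:
            actions.append(action)
    return jail, actions


if __name__ == "__main__":
    jail, actions = run_jail(SAMPLE_LOG, ignore=("192.0.2.0/24",))
    for ip, start, end in jail.ban_events:
        print(f"ban {ip} from {start.isoformat()} until {end.isoformat()}")
```

With the defaults (one failure, 12 hours) the first attacker is banned at 03:14:15, expires at 15:14:15, and is banned again by its 15:30 attempt; the admin network's own failed attempt at 03:20:30 is ignored rather than locked out. Raising `maxretry` to 3 shows the `findtime` window at work instead.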
I have observed myself that attackers try to log in with username and password. What do attackers try when you only allow ssh keys?
In this configuration I didn't see the need for fail2ban or changing the port so far.
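Since the comment above rests on the server actually being key-only, here is an editor-written check (not from the thread or from OpenSSH) that reads an sshd_config text and reports any setting that still leaves a password path open. The two config excerpts are constructed; the parser assumes the sshd_config(5) grammar, including the rule that for each keyword the first value wins, and it does not follow `Include` lines. The "hardened" excerpt deliberately ends with a stray `PasswordAuthentication yes` to show that rule.

```python
import re

# Constructed sshd_config excerpts (not from any real host). Assumption: they follow
# the sshd_config(5) grammar: "Keyword value" or "Keyword=value", '#' starts a comment,
# keywords are case-insensitive, and for each keyword the FIRST value wins.
WEAK_CONFIG = """\
# Typical distro default: nothing here turns passwords off
#PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
AuthenticationMethods publickey
MaxAuthTries 3
# Left behind by an installer: harmless here, because sshd keeps the first value above.
PasswordAuthentication yes
"""

# OpenSSH built-in defaults for the keywords the audit cares about.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return the effective global value of each keyword (first occurrence wins).

    Parsing stops at the first `Match` block because everything after it is
    conditional. `Include` files are not followed (assumption: none are used).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].strip()   # trailing comment
        if re.match(r"match\b", line, re.I):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit(effective):
    """Report settings that still leave a password path open; [] means key-only."""
    def get(key):
        return effective.get(key, DEFAULTS.get(key))

    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing stays possible")
    # ChallengeResponseAuthentication is the old spelling of KbdInteractiveAuthentication;
    # with UsePAM, leaving either on can still produce a password prompt.
    kbd = effective.get("kbdinteractiveauthentication",
                        effective.get("challengeresponseauthentication",
                                      DEFAULTS["kbdinteractiveauthentication"]))
    if kbd != "no":
        findings.append("keyboard-interactive auth is on: PAM can still ask for a password")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: no key-only login possible")
    if get("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin permits root login with a password")
    methods = effective.get("authenticationmethods")
    if methods:
        # space-separated alternatives, each a comma-joined chain that must all succeed
        for alt in methods.split():
            if "publickey" not in alt.split(","):
                findings.append(f"AuthenticationMethods alternative '{alt}' does not require a key")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(cfg)) or ["OK: key-only"])
```

On a real host run it against `sshd -T` output rather than the file, since that already resolves includes, Match blocks and defaults; the parser here is for reading a config you are about to deploy.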
With key only access, the attacker doesn't really have a chance of breaking your ssh, but that's not the point. Once the attacker runs through their script of common ssh logins, the script will move on to other popular security flaws. You probably aren't vulnerable to any of those attacks either. But why rely on "probably" when you could just fail2ban the attacker entirely?
As the metaphor to physical security, you are not in any danger if I tried to fight you, since I'm terrible in a fight and none of my punches would connect. Even then, would you allow me to spend the afternoon throwing a thousand whiffs around your face, or would you tell me to go away after the first time I even tried to hit you?
You probably aren't vulnerable to any of those attacks either. But why rely on "probably" when you could just fail2ban the attacker entirely?
If I am vulnerable and the attacker is even a little competent they will try from a new IP after I have banned them for trying to log in.
The question is more, why would I maintain a fail2ban configuration that carries the risk of locking myself out (too many different private keys or an attack) if I know that my lock is secure?
EDIT: wireguard is great, if you don't know the key you don't even get a reply, invisible to scans and attacks. Sadly SSH predates this modern design.
If I am vulnerable and the attacker is even a little competent they will try from a new IP after I have banned them for trying to log in.
True!
The point is, most attackers are automated, dumb, and not that invested in targeting your server in particular. If you fail2ban them, they'll likely just move on to easier targets.
EDIT: wireguard is great, if you don't know the key you don't even get a reply, invisible to scans and attacks. Sadly SSH predates this modern design.
Tailscale is some nice sugar around wireguard, and I really like it. So much so that I'm experimenting with only binding ssh to my tailnet in a couple of systems. The only thing I don't like about tailscale is that it wants to use github (or similar) for identity, and that makes me mildly uncomfortable and has me considering a VPS with headscale instead. But I really like the workflow and the specific benefit you cite of wireguard.
If I am vulnerable and the attacker is even a little competent they will try from a new IP after I have banned them for trying to log in.
Absolutely true. Part of the idea is to make the attacker's cost grow linear with the number of attacks (as they acquire more IP addresses). I'll fully admit that acquiring the IP addresses is not that difficult.
why would I maintain a fail2ban configuration that carries the risk of locking myself out ... if I know that my lock is secure?
I have locked myself out before with fail2ban. It was annoying, but, as you pointed out, I could just use a second IP address and get access back. I've never needed more than two IP addresses to re-establish access to my machines because my "attacks" have a very high chance of succeeding. Comparatively, the attackers that I've been blocking have been spamming low probability attacks and hoping to win through quantity over quality.
There's also the question of how you know that your lock is secure. I've seen software that was mathematically "proven" secure that were later found to have flaws (due to a mismatch between the model of the proof and the threat model).
Because I'm overly fond of analogies, I'll ask if you lock your front door? After all, that comes with the possibility that you'll lock yourself out (I've certainly done that before). Also, I personally have never lived in a place where the lock on the front door would have truly stopped someone willing to blow a hundred bucks on tool rentals at the hardware store. Yet, I've also found that keeping the front door locked has saved me from multiple opportunistic intruders.
Because I'm overly fond of analogies, I'll ask if you lock your front door? After all, that comes with the possibility that you'll lock yourself out (I've certainly done that before). Also, I personally have never lived in a place where the lock on the front door would have truly stopped someone willing to blow a hundred bucks on tool rentals at the hardware store. Yet, I've also found that keeping the front door locked has saved me from multiple opportunistic intruders.
To keep with the analogy: Yes I keep my front door locked. And I am not sure it is secure (pretty sure it can be picked). Yet I don't have a moat and drawbridge to keep out opportunistic intruders or those that pick locks. For me it's just too much effort to maintain, and climbing the moat sucks when the drawbridge is stuck. I understand that other people value the increased and layered security, it's just not for me.
In that case, fail2ban is still nice for lowering the noise a bit. E.g. on my VPS, SSH is on a non-standard port, but I still have plenty of banned IPs going after email logins. ModSecurity provides WAF functionality for my web server, as well as detailed logs so I can see what the miscreants are trying, as well as the ability to mess with them further.
This type of spam has been around for many years, and hasn’t changed all that much. Any competent spam filter should be able to catch it reliably with no or very little extra training.
If the email is coming from a real firm / real address then it's unlikely to be caught by a spam filter. All of these kinds of emails that I receive to my inbox are obviously spammy cold-calls, but they still come from legitimate-looking email servers with proper addresses and SPF/DKIM/DMARC, etc. Unless a spam engine can detect when the prose of an email sounds "spammy" (very prone to false positives) then it's unlikely these kinds are going to be caught.
Hm, I guess mailbox.org takes a different stance on spam, which I largely like since I've missed important emails from spam filters in the past...
https://kb.mailbox.org/en/private/e-mail/customizing-the-mailbox-org-spam-filter-settings/
There was a really great post about email obfuscation in 2026 that I highly recommend. I've had a lightly obfuscated email on my public site for years and barely gotten any spam (using some right-to-left stuff and javascript). After reading the article, I updated it slightly to be a bit better for a11y, so now it looks like this:
<a href='mailto:contact@mywebsite.com'>
contact@mywebsite<span style="display:none">.example</span>.com
</a>
Don't publish your email address, or at least if you do, make it non-trivial for a script to use it (use something like "john (at) somedomain... com"). Right now it's right at the top of your resume, which any script can get.
Attack the spammers. Forward the whole message, with full headers, to their email providers and ISPs. After a while, they'll get booted or will be told they'll be booted if they continue to spam.
I changed my email address format on my website to be less scrapeable, but for my resume I figure I don't want to make it hard for recruiters to use... I guess I probably don't need to link to my resume on my blog.
Interesting point about forwarding messages. Are there well-known email addresses to forward these to (like postmaster@ or similar)?
I report them through https://www.spamcop.net/ which takes care of parsing the WHOIS and hardcoding addresses for some services. Doesn't work for my main source of spam (Sendgrid) as they require spam victims to email them directly, though.
Usually abuse@ addresses should work for reporting abuse, as well as abuse@ the domain that's spamming you.
WHOIS is actively being destroyed for domains, but it still works well for networks. For domains, you can also forward the abuse to the registrar and to the hosters of the spammers' DNS.
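The reporting advice in the comments above (forward with full headers, send to abuse@ at the sender's domains, then chase the network) has one step that is easy to get wrong: picking the right IP out of the `Received` chain. Here is an editor-written example, not code from anyone in the thread, that does that and assembles the report with the original attached as `message/rfc822`. The message is constructed (reserved `.example` domains, documentation addresses) and mirrors the SendGrid-style case where the envelope sender's domain differs from the `From` domain. The network's abuse contact still has to come from WHOIS/RDAP, which this offline example does not query.

```python
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr

# A constructed SEO cold-mail, not a real message. Domains are under the reserved
# .example TLD and addresses are RFC 5737 / RFC 1918 ranges. Return-Path points at a
# different domain than From, as it does when mail goes out through a bulk sender.
RAW_MESSAGE = """\
Return-Path: <bounces+4711@bounce.esp.example>
Received: from mail.seo-outreach.example (mail.seo-outreach.example [203.0.113.45])
\tby mx.recipient.example (Postfix) with ESMTPS id 4ABCDEF
\tfor <contact@recipient.example>; Wed, 01 May 2024 09:12:31 +0000 (UTC)
Received: from [10.0.0.12] (unknown [10.0.0.12])
\tby mail.seo-outreach.example (Postfix) with ESMTPSA id 9F00
\tfor <contact@recipient.example>; Wed, 01 May 2024 09:12:30 +0000 (UTC)
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce.esp.example;
\tdkim=pass header.d=seo-outreach.example
From: "Growth Team" <growth@seo-outreach.example>
To: contact@recipient.example
Subject: Quick question about your website's SEO
Message-ID: <constructed-0001@seo-outreach.example>
Date: Wed, 01 May 2024 09:12:29 +0000

Hi, I noticed your site could rank much higher on Google...
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as Postfix and most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\([^\[\]]*\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)", re.I)


def parse_raw(raw):
    return email.message_from_string(raw, policy=email.policy.default)


def origin_ip(msg, our_hosts):
    """The last IP that handed the mail to one of OUR servers.

    Each hop prepends a Received header, so the trustworthy one is the topmost
    header whose `by` host is ours; the ones below it were written by the
    sender's infrastructure and can say anything.
    """
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))
        if m and m.group("by").lower() in our_hosts:
            return m.group("ip")
    return None


def abuse_contacts(msg):
    """abuse@ for every domain that put its name on the message: From and Return-Path.

    Uses the host part as written; in practice collapse it to the registrable
    domain (needs the public suffix list) and add the origin IP's network contact
    from WHOIS/RDAP (not done here: no network access).
    """
    domains = set()
    for header in ("From", "Return-Path"):
        addr = parseaddr(str(msg.get(header, "")))[1]
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower())
    return sorted(f"abuse@{d}" for d in domains)


def build_report(original, reporter, our_hosts):
    """A report carrying the complete original, headers included, as message/rfc822."""
    ip = origin_ip(original, our_hosts)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = ", ".join(abuse_contacts(original))
    report["Subject"] = f"Spam report: {original['Message-ID']}"
    report.set_content(
        f"Unsolicited commercial mail received by {', '.join(sorted(our_hosts))}.\n"
        f"Connecting IP: {ip}\nDate header: {original['Date']}\n"
        "Full original message with headers is attached.\n")
    report.add_attachment(original)   # message/rfc822 keeps every header intact
    return report


if __name__ == "__main__":
    msg = parse_raw(RAW_MESSAGE)
    print(origin_ip(msg, {"mx.recipient.example"}), abuse_contacts(msg))
    print(build_report(msg, "me@recipient.example", {"mx.recipient.example"}).as_string())
```

Attaching the original rather than pasting it keeps the headers verbatim, which is what an abuse desk needs to match the message against its own logs; the connecting IP 203.0.113.45 is the one to look up with `whois`, while the 10.0.0.12 hop below it is only the sender's word.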
For the really egregious spam, I contact:
and more. The point is that if they piss you off enough and keep sending spam, I'll keep going until they stop or they're removed from the Internet.
I had to do this with Uber Eats. Most of the companies didn't do shit, and Uber themselves have no working email, but with perseverance, I got their upstream to threaten to stop relaying email until they dealt with my complaint.
Also don't use obvious email addresses like info@example.com. Try to be more creative with the part before @.
Unfortunately I don't think there's any way to stop it. I have run various sites over the years from blogs, ecom and products. Every single one is bombarded with spam as soon as they find a way to contact you. Mark as spam in your inbox and use a reputable email service with good spam filtering is my advice.
Don't forget about SSHGuard. It's really fast and it works nicely with nftables and it doesn't make individual rules, but it's much more efficient. I permablock anyone other than me, who's dumb enough to try to SSH to port 22. Easy way to instantly get rid of the attackers if they're stupid enough to try.
I think preventing it is quite hard (I don't even try), but rspamd should be able to filter most of it out.