Full Version: How to block/filter? (cyrillic spam)
mrmaxx
I keep getting all this spam in Cyrillic lettering. Is there any way to configure a filter to block it? Here are the headers for a sample:
CODE

Return-Path: <yuh_lin340welch[at]batnet.com>
Delivered-To: spamcop-net-mrmaxx[at]spamcop.net
Received: (qmail 26344 invoked from network); 11 Oct 2007 06:23:53 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blade3.cesmail.net
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=HTML_MESSAGE version=3.2.3
Received: from unknown (192.168.1.108)
  by blade3.cesmail.net with QMQP; 11 Oct 2007 06:23:53 -0000
Received: from mx53.cesmail.net (216.154.195.53)
  by mx71.cesmail.net with SMTP; 11 Oct 2007 06:23:52 -0000
Received: from mail.chattanooga.net [66.129.1.5]
    by mx53.cesmail.net with POP3 (fetchmail-6.2.1)
    for mrmaxx[at]spamcop.net (single-drop); Thu, 11 Oct 2007 02:23:52 -0400 (EDT)
Received: from psmtp.com (exprod7mx212.postini.com [64.18.2.62])
    by mail.chattanooga.net (8.13.1/8.13.1) with SMTP id l9B6ARHa022183
    for <john[at]highertech.net>; Thu, 11 Oct 2007 02:10:28 -0400
Received: from source ([81.176.207.254]) by exprod7mx212.postini.com ([64.18.6.10]) with SMTP;
    Wed, 10 Oct 2007 23:19:49 PDT
Received: from [81.176.207.254] by lcefrksi.batnet.com; Thu, 11 Oct 2007 06:19:54 +0000
Message-ID: <000801c80bce$0210f908$63143a82[at]cefrk>
From: =?koi8-r?B?4sHM0cLJzg==?= <yuh_lin340welch[at]batnet.com>
To: <john[at]highertech.net>
Subject: =?koi8-r?B?8M/Ex8/Uz9fLxSDcy9PQxdLUz9cg0M8g08nT1MXNwc0gzcXOxcTWzQ==?=
    =?koi8-r?B?xc7UwSDLwd7F09TXwQ==?=
Date: Thu, 11 Oct 2007 04:32:31 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0005_01C80BCE.020E738F"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
X-pstn-levels:     (S: 0.00000/75.18227 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-SpamCop-Checked: 192.168.1.108 216.154.195.53 66.129.1.5 64.18.2.62 81.176.207.254 64.18.6.10 81.176.207.254
X-Length: 21694
X-UID: 371265
Status: R
X-Status: NC
X-KMail-EncryptionState:  
X-KMail-SignatureState:  
X-KMail-MDN-Sent:  

This is a multi-part message in MIME format.



Any suggestions? After the "MIME" header, it's got the Charset=koi8-r but apparently putting a filter in for that doesn't help as it's in the body.
DavidT
QUOTE(mrmaxx @ Oct 11 2007, 03:15 AM) *
I keep getting all this spam in Cyrillic lettering. Is there any way to configure a filter to block it? Any suggestions? After the "MIME" header, it's got the Charset=koi8-r but apparently putting a filter in for that doesn't help as it's in the body.
When creating filters in the webmail system, there's a "body" option at the very bottom of the "Select a field" drop-down list, and then you can paste "koi8-r" into the box to the right of "Contains" and define an action (sounds like you'd like to select "Delete message completely"). You might also go into your Filter Options (found among the other SpamCop Options) and make sure that all of these are selected:

Apply filter rules upon logging on?
Apply filter rules whenever INBOX is displayed?
Allow filter rules to be applied in any mailbox?

I ran a test on a MIME message with a "Content-Transfer-Encoding: quoted-printable" line in the body, after the MIME declaration, in which I told the webmail system to look for "quoted-printable" in the body and then move the message to a "test" folder, and it worked just fine, so you can do it with your "koi8-r" charset declaration also.

DT
mrmaxx
Hmm... Well, I tried that with another characterset, but it didn't work all that well. I'll give it another shot, though. Thanks for reminding me.
mrmaxx
QUOTE(mrmaxx @ Oct 12 2007, 03:26 PM) *

Hmm... Well, I tried that with another characterset, but it didn't work all that well. I'll give it another shot, though. Thanks for reminding me.


Well, I've tried it for a few days, but I'm still getting some spam with cyrillic characters getting through. Fortunately, it appears from looking at my held mail folder that most of it is getting caught. Any ideas why the filters are not catching the rest?

Filter is as follows:
Body contains charset="windows-1251"
or
Body contains charset="koi8-r"
or
self-defined header contains charset="koi8-r"
move to folder "held mail"

FWIW, I also checked to make sure it wasn't something that I had white-listed. The spot-checks I've done on the ones that get through seem to indicate that they were one-off messages sent to me, although they were probably BCC-ed to who knows how many others.
DavidT
The standard procedure here would be for you to run one through the SC parser and give us a Tracking URL.

DT
mrmaxx
QUOTE(DavidT @ Oct 18 2007, 09:09 AM) *
The standard procedure here would be for you to run one through the SC parser and give us a Tracking URL.

Hmm... Good point. Stand by while I try and find one... Probably a couple in my inbox right now. :-)
mrmaxx
As requested here's a tracking URL for one that made it all the way to my desktop:

http://www.spamcop.net/sc?id=z1484424580z7...bea2b77424e7a8z

And here's another:

http://www.spamcop.net/sc?id=z1484428867za...45050510d8dc94z
DavidT
QUOTE(mrmaxx @ Oct 18 2007, 03:06 AM) *
Any ideas why the filters are not catching the rest?

Filter is as follows:
Body contains charset="windows-1251"
or
Body contains charset="koi8-r"
or
self-defined header contains charset="koi8-r"
move to folder "held mail"

I just did some testing and found that using filter terms with quotes, as shown above, doesn't work. Maybe you could make it work with the regular expression option (which I didn't try), but if you simply filter on koi8-r or windows-1251, it should work just fine. I just successfully filtered some Chinese spam using gb2312 from charset declaration in the body.

I also discovered that for the following Subject:

Subject: =?koi8-r?B?88vJxMvJIM7BIO/z4efvIMTPIDQ1JQ==?=

simple "contains" filters looking at the Subject didn't work when I used koi8-r or =?koi8-r?, so maybe someone else will come up with a way to filter Subjects that are in alternate charsets.

BTW, your first TrackingURL actually contains two spam messages, one after another, which produces an error in the parsing.

DT
mrmaxx
QUOTE(DavidT @ Oct 19 2007, 09:24 AM) *
BTW, your first TrackingURL actually contains two spam messages, one after another, which produces an error in the parsing.

Hmm... I just parsed it as I got it. :-) I can't help it if the Russian spammers are too stupid to send one at a time. :-)
DavidT
QUOTE(mrmaxx @ Oct 20 2007, 06:15 AM) *
Hmm... I just parsed it as I got it.
I don't think so...if you click on the "View entire message" link and then scroll all the way down that page, you'll see that you accidentally pasted the same message into the parsing form twice. That was my point.

But more importantly, did you try my solution, and did it work?

DT
DavidT
QUOTE(DavidT @ Oct 20 2007, 08:42 AM) *
But more importantly, did you try my solution, and did it work?

mrmaxx - I don't understand why you haven't answered. You've been back to the forum since I posted this.

DT
djtodd
I use Spamcop for mail forwarding, ie. Mail comes in to my domain, gets auto forwarded to SC, then filtered and passed back to another account on my domain where I check it. Works well, stops about 98% of my spam and very few false positives.

Probably everyone around here has noticed the recent upswing in Russian spam. Is there a way to blanket block anything using the cyrillic text type (language? charset?) with the way I use SC? I report it all, so it's getting less and less, but usually every morning I wake up to 5-6 junk mails to be reported...

Thanks!

Moderator Edit: 'new' Topic brought into this existing one .. PM sent.
agsteele
QUOTE(djtodd @ Nov 15 2007, 01:48 PM) *

I use Spamcop for mail forwarding, ie. Mail comes in to my domain, gets auto forwarded to SC, then filtered and passed back to another account on my domain where I check it. Works well, stops about 98% of my spam and very few false positives.

Probably everyone around here has noticed the recent upswing in Russian spam. Is there a way to blanket block anything using the cyrillic text type (language? charset?) with the way I use SC? I report it all, so it's getting less and less, but usually every morning I wake up to 5-6 junk mails to be reported...

Thanks!

Moderator Edit: 'new' Topic brought into this existing one .. PM sent.

A Moderator has merged your discussion with another which was recently on filtering based on a language. Of course, that only works if you access your mail via the webmail interface - which isn't your described method.

All that said, all my Russian language spam ends up in my held mail folder.

So it could be that you could toughen up the blocklists you're using and also drop your SpamAssassin level a little. That might fix things for you.

You'll need to experiment what works best for you... I block based on
SpamCop Blacklist
Spamhaus Blacklist
China (the country)
Nigeria
Argentina
Brazil
Composite Blocking List
Spamhaus XBL

SpamAssassin is set at 4

If you find a better setting do report back.

Andrew
djtodd
Actually, my settings are already tighter than that. I'm using all of the black lists and SA is set at 3.

My personal whitelist is pared down to the absolute minimum (and I'm not on it) as well.

Oh well. Thanks anyhow!
Wazoo
QUOTE(agsteele @ Nov 15 2007, 07:59 AM) *
A Moderator has merged your discussion with another which was recently on filtering based on a language. Of course, that only works if you access your mail via the webmail interface - which isn't your described method.

I did it, with the intent to follow up .. thanks for filling the void while I was busy elsewhere.

However, the real intent was to get more data from the poster, as seen in this existing Topic .... samples of the spam in question, etc.
djtodd
QUOTE(Wazoo @ Nov 15 2007, 09:09 AM) *
I did it, with the intent to follow up .. thanks for filling the void while I was busy elsewhere.

However, the real intent was to get more data from the poster, as seen in this existing Topic .... samples of the spam in question, etc.

Here are some samples from this morning if it helps.

http://www.spamcop.net/sc?id=z1524800773z6...4325f748c4bf53z
http://www.spamcop.net/sc?id=z1524800775zb...c01245f04613a1z
http://www.spamcop.net/sc?id=z1524800778zf...ba16b039be6ab3z
http://www.spamcop.net/sc?id=z1524800779zf...32c7676b38af55z
http://www.spamcop.net/sc?id=z1524800784ze...8286ddc8ee6c44z
Wazoo
I found this while searching for something else .. noted that it seems to have been left without answers from those involved ... posting this to bring it 'current' such that perhaps some answers, perhaps resolution can possibly bring this to a close ...?????
mrmaxx
QUOTE(Wazoo @ Dec 31 2007, 12:13 AM) *

I found this while searching for something else .. noted that it seems to have been left without answers from those involved ... posting this to bring it 'current' such that perhaps some answers, perhaps resolution can possibly bring this to a close ...?????


As the OP, I can safely say that my level of spam in my inbox has dropped dramatically since I've followed the suggestions to get rid of 'catchall' email addresses that are forwarded to my SC mailbox. That being said, I still get a couple emails in Cyrillic in my inbox on a daily basis.

Since I can't think of a single legitimate email I've received from outside the US/Canada, I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.
agsteele
QUOTE(mrmaxx @ Dec 31 2007, 01:12 PM) *
Since I can't think of a single legitimate email I've received from outside the US/Canada, I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.

Sadly I cannot think of a means of achieving that...

For example, I'm based in the UK but I have a .org Email address and I send my outgoing mail through a US mail server (the SpamCop outgoing mail server).

The only means of establishing my location is the IP of the machine I'm working on but that only says where I'm working at the time so may not be effective either.

And I get a whole bunch of spam every day from the USA so that may not even reduce your spam load a whole amount either.

Some folk speak highly of greylisting.

Andrew
Wazoo
QUOTE(mrmaxx @ Dec 31 2007, 07:12 AM) *
That being said, I still get a couple emails in Cyrillic in my inbox on a daily basis.

Ah, but that's where the Topic started. What's missing thus far is the results of the various 'fixes' in the filtering schemes you've suggested, like the removal of the apostrophes .....

Looking at a couple of djtodd's examples ... not sure what to say there. One didn't have but a one-line spaced out "Domain . com" for a body, although the header Content-Type was koi8r ... another had the Header Content type including koi8r, but it and the body were sent as plain-text, so there wasn't a 'body' included koi8r reference.

I'm going to change the Title of this Topic a bit, to scope the How to block? down to cyrillic at least, and to include the word "filter" as 'blocking' doesn't seem to be the only action being looked at.
michaelanglo
QUOTE(mrmaxx @ Dec 31 2007, 01:12 PM) *
[...] I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.

QUOTE(agsteele @ Dec 31 2007, 01:35 PM) *
Sadly I cannot think of a means of achieving that...
[...]
And I get a whole bunch of spam every day from the USA so that may not even reduce your spam load a whole amount either.

How about this method then ?

Look up every IP address in the header using a geographical locator such as http://www.geobytes.com/IpLocator.htm?GetLocation
(note the SpamCop email service already scans and looks up every IP address when the SpamAssassin score is under threshold and it continues to check the selected blocklists)

If any are outside the US & Canada or are unknown then FAIL.

This may cause difficulty, eg in the past Bigfoot's servers were in South Korea, but it appears to do what is wanted.

BTW last month I got

2799 spams (90/d), 130 leakers (=4.6 %), 3 false positive(s)

of those 130 spams 12 were spamsource reportable to ISPs in the US, 5 to the UK. A previous full analysis had 53 % of the spam I received reportable to China but only about 1 a month leaks through.
ViRGE
QUOTE(DavidT @ Oct 11 2007, 08:57 AM) *
When creating filters in the webmail system, there's a "body" option at the very bottom of the "Select a field" drop-down list, and then you can paste "koi8-r" into the box to the right of "Contains" and define an action (sounds like you'd like to select "Delete message completely"). You might also go into your Filter Options (found among the other SpamCop Options) and make sure that all of these are selected:

Apply filter rules upon logging on?
Apply filter rules whenever INBOX is displayed?
Allow filter rules to be applied in any mailbox?

I ran a test on a MIME message with a "Content-Transfer-Encoding: quoted-printable" line in the body, after the MIME declaration, in which I told the webmail system to look for "quoted-printable" in the body and then move the message to a "test" folder, and it worked just fine, so you can do it with your "koi8-r" charset declaration also.
I too am looking to block Cyrillic spam, and it sounds like this is the kind of method that would work well enough. However I'm not familiar with the filter function in webmail, all of my blocking up until now has been through the SpamCop Tools section (BLs, greylisting, etc). Looking at the filters, it sounds like this is a function of the Horde webmail package, and not the Spamcop backend. I don't use webmail daily, I'm using IMAP (with that being on my iPhone a lot of the time).

Do these filter options only get applied when I log in to webmail, or will the filter options block such spam on a full-time basis?
StevenUnderwood
QUOTE(ViRGE @ Feb 1 2008, 09:40 PM) *
Do these filter options only get applied when I log in to webmail, or will the filter options block such spam on a full-time basis?

Yes, only with webmail. I don't know about the iPhone, but most mail clients have their own filtering rules.
ViRGE
QUOTE(StevenUnderwood @ Feb 1 2008, 10:22 PM) *
Yes, only with webmail. I don't know about the iPhone, but most mail clients have their own filtering rules.
Unfortunately there are no filtering options on the iPhone. Hopefully some day this kind of filtering can get added to the Spamcop Tools.
Javier
QUOTE(djtodd @ Nov 15 2007, 02:48 PM) *

I use Spamcop for mail forwarding, ie. Mail comes in to my domain, gets auto forwarded to SC, then filtered and passed back to another account on my domain where I check it.
...

Hello, I'm a newbie here and I use the Spamcop mail in the same way that djtodd has described.

I too have noticed an increase in Cyrillic, koi8-r encoded spam messages that are leaking under the radar, like this one (I have obfuscated some of the email accounts):
CODE
Received: from [192.168.24.21] (helo=mx01.myISP.net)
        by mbox01 with esmtp (Exim 4.63)
        (envelope-from <andre[at]escortcorp.com>)
        id 1JOauF-0000qT-AD
        for me[at]myISP.net; Mon, 11 Feb 2008 16:49:19 +0100
Received: from [216.154.195.49] (helo=c60.cesmail.net)
        by mx01.myISP.net with esmtp (Exim 4.60)
        (envelope-from <andre[at]escortcorp.com>)
        id 1JOauF-00049E-37
        for me[at]myISP.net; Mon, 11 Feb 2008 16:49:19 +0100
Received: from unknown (HELO filter7.cesmail.net) ([192.168.1.217])
  by c60.cesmail.net with SMTP; 11 Feb 2008 10:49:29 -0500
Received: (qmail 2661 invoked by uid 1010); 11 Feb 2008 15:49:29 -0000
Delivered-To: spamcop-net-myaccount[at]spamcop.net
Received: (qmail 2554 invoked from network); 11 Feb 2008 15:49:21 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on filter7
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=HTML_FONT_SIZE_LARGE,HTML_MESSAGE version=3.2.3
Received: from unknown (192.168.1.107)
  by filter7.cesmail.net with QMQP; 11 Feb 2008 15:49:21 -0000
Received: from th1.icb.co.uk (HELO fwd1.icb.co.uk) (80.249.100.2)
  by mx70.cesmail.net with SMTP; 11 Feb 2008 15:49:21 -0000
Received: from adsl190-025024149.dyn.etb.net.co (adsl190-025024149.dyn.etb.net.co [190.25.24.149] (may be forged))
        by fwd1.icb.co.uk (8.12.10/8.11.3) with ESMTP id m1BFnIso007060
        for <forged[at]mydomain.com>; Mon, 11 Feb 2008 15:49:19 GMT
Message-ID: <000701c86cc5$0348c3e5$92b602aa[at]xgqqteex>
From: =?koi8-r?B?88nOxc7Lzw==?= <andre[at]escortcorp.com>
To: <forged[at]mydomain.com>
Subject: =?koi8-r?B?cmU6IOHSxc7EwSDTy8zBxMEu?=
Date: Mon, 11 Feb 2008 14:01:53 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0004_01C86CC5.03485F28"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-SpamCop-Checked: 80.249.100.2 190.25.24.149

This is a multi-part message in MIME format.

------=_NextPart_000_0004_01C86CC5.03485F28
Content-Type: text/plain;
        charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

          
...
(several lines of cyrillic encoded text)
...



------=_NextPart_000_0004_01C86CC5.03485F28
Content-Type: text/html;
        charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dkoi8-r">
<META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<P><FONT color=3D"#0066FF" size=3D"6" face=3D"Georgia, Times New Roman, =
Times, =
serif">           =
<B>
...
(same in html)
...
</BODY></HTML>
------=_NextPart_000_0004_01C86CC5.03485F28--


Is there any way to fiddle the SpamAssassin tests to catch this type of spam? Many of them fly free with a "0.0" in the X-Spam-Status assigned by SA.
StevenUnderwood
QUOTE(Javier @ Feb 11 2008, 11:45 AM) *
Is there any way to fiddle the SpamAssassin tests to catch this type of spam? Many of them fly free with a "0.0" in the X-Spam-Status assigned by SA.
No. The only control is what level you will block at. You can make suggestions to JT (support[at]spamcop.net) for other rules to add/modify but remember this service is used around the world by a large number of very diverse people.
Javier
Thanks for your suggestion, Steve. I realize that tweaking the tests can be a double-sided sword.

Before using SpamCop I had to cope directly with 40.000 spam mails daily, and now I only get the 200~300 that are able to pass thru. If only the personal filters could be used to filter the forwarded mail too, then that would be the best "solution", but...
wgtripp
Given the difficulties of actually flagging the spam in SpamAssassin, I would like to get a solid approach to handling the Cyrillic spam on the client, via a filter. Thunderbird allows the creation of a Custom filter, so I created one for the header element Content-Type contains koi8-r and allows me to flag as Junk. The problem with this approach is that most of this spam is multipart MIME as in:

Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0005_01C8A0B5.045B1328"

...

------=_NextPart_000_0005_01C8A0B5.045B1328
Content-Type: text/plain;
charset="koi8-r"

This defeats my filter. So any suggestions as to writing a better filter would be appreciated.

I have included a link to one of the spams that I reported http://www.spamcop.net/mcgi?action=gettrac...rtid=3032388632.

Thanks in advance.

Greg
Farelf
QUOTE(wgtripp @ Apr 18 2008, 11:53 AM) *
...for the header element Content-Type contains koi8-r and allows me to flag as Junk. The problem with this approach is that most of this spam is multipart MIME as in:

Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0005_01C8A0B5.045B1328"

...

------=_NextPart_000_0005_01C8A0B5.045B1328
Content-Type: text/plain;
charset="koi8-r"

This defeats my filter.
Hi Greg. So you can't filter the body content? MozillaZine Knowledge Base.
QUOTE(wgtripp @ Apr 18 2008, 11:53 AM) *
I have included a link to one of the spams that I reported http://www.spamcop.net/mcgi?action=gettrac...rtid=3032388632.
You need to turn that into a Tracking URL before others can see it - all we would see is "Authorization failure".
wgtripp
QUOTE(Farelf @ Apr 18 2008, 12:16 AM) *
Hi Greg. So you can't filter the body content? MozillaZine Knowledge Base. You need to turn that into a Tracking URL before others can see it - all we would see is "Authorization failure".

Farelf,

Thanks very much for the suggestion regarding the Body filter. I did consider using the Body filter, however, a filter where Body contains koi8-r will match all emails where the string 'koi8-r' is present. I am trying to filter emails where the content is koi8-r (Cyrillic). Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter.

Sorry about including the wrong info in the post. Here is a tracking url for a spam report I made this afternoon for this type of spam. http://www.spamcop.net/sc?id=z1804479196z6...d6f3efe51b3835z
I generated the url by viewing recent reports; selecting the report; parsing the email; and copying the url here. Hope this is what you need.

Thank you very much for your suggestions and for helping me provide appropriate information.

Thanks,

Greg
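Added example, not part of any post in this thread: a Python sketch of the distinction discussed above between a message that declares a Cyrillic charset (in any MIME part's Content-Type, or in an RFC 2047 encoded-word such as the koi8-r Subject lines quoted earlier) and a message that merely contains the text "koi8-r". The function names, the charset list and the three sample messages are constructed for illustration; the two encoded-words in the third sample are copied from Javier's post.

```python
import email
import re

# Charsets treated as Cyrillic here (an assumed list; extend as needed).
CYRILLIC_CHARSETS = {"koi8-r", "koi8-u", "windows-1251", "iso-8859-5"}
HEADERS_TO_CHECK = ("Subject", "From", "To")
# RFC 2047 encoded-word: =?charset?B|Q?text?= (optional RFC 2231 *lang suffix).
ENCODED_WORD = re.compile(r"=\?([^?*\s]+)(?:\*[^?\s]*)?\?[bBqQ]\?[^?\s]*\?=")


def declared_charsets(raw):
    """Charsets the message declares, lowercased; body text is never searched."""
    msg = email.message_from_bytes(raw)
    found = set()
    for part in msg.walk():                       # visits every MIME part
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset()  # from that part's Content-Type
            if charset:
                found.add(charset)
    for name in HEADERS_TO_CHECK:
        for value in msg.get_all(name, []):
            found.update(m.lower() for m in ENCODED_WORD.findall(str(value)))
    return found


def is_cyrillic_declared(raw):
    return bool(declared_charsets(raw) & CYRILLIC_CHARSETS)


def top_level_header_match(raw, needle="koi8-r"):
    """'Content-Type header contains koi8-r': sees only the outer header."""
    msg = email.message_from_bytes(raw)
    return needle in str(msg.get("Content-Type", "")).lower()


def naive_match(raw, needle=b"koi8-r"):
    """'Body contains koi8-r': substring anywhere in the raw message."""
    return needle in raw.lower()


# Constructed sample 1: multipart spam, charset only on the inner parts.
SPAM_MULTIPART = b"""\
From: sender@example.com
To: user@example.org
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative;
\tboundary="b1"

This is a multi-part message in MIME format.

--b1
Content-Type: text/plain;
\tcharset="koi8-r"
Content-Transfer-Encoding: quoted-printable

=F0=D2=C9=D7=C5=D4
--b1
Content-Type: text/html;
\tcharset="koi8-r"
Content-Transfer-Encoding: quoted-printable

<p>=F0=D2=C9=D7=C5=D4</p>
--b1--
"""

# Constructed sample 2: a legitimate ASCII reply that only quotes the string.
AUTOREPLY = b"""\
From: autoresponder@example.net
To: user@example.org
Subject: report received
Content-Type: text/plain; charset="us-ascii"

Quoted from the reported message:
> Content-Type: text/plain; charset="koi8-r"
"""

# Constructed sample 3: charset appears only in encoded-word headers.
SUBJECT_ONLY = b"""\
From: =?koi8-r?B?88nOxc7Lzw==?= <sender@example.com>
To: user@example.org
Subject: =?koi8-r?B?cmU6IOHSxc7EwSDTy8zBxMEu?=
Content-Type: text/plain

Domain . com
"""

if __name__ == "__main__":
    samples = {"multipart": SPAM_MULTIPART, "autoreply": AUTOREPLY,
               "subject-only": SUBJECT_ONLY}
    for label, raw in samples.items():
        print(label, "outer-header:", top_level_header_match(raw),
              "substring:", naive_match(raw),
              "declared:", sorted(declared_charsets(raw)))
```
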
Farelf
QUOTE(wgtripp @ Apr 19 2008, 06:59 AM) *
...Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter....
http://www.spamcop.net/sc?id=z1804479196z6...d6f3efe51b3835z
I generated the url by viewing recent reports; selecting the report; parsing the email; and copying the url here. Hope this is what you need.
You're welcome Greg - you could also have created a tracker given the report ID you had - but a new one is fine since you're getting a lot of them.

So, anyone with some better solution out there? This has arisen before, I would think there's a chance ...?
michaelanglo
QUOTE(wgtripp @ Apr 18 2008, 10:59 PM) *
I did consider using the Body filter, however, a filter where Body contains koi8-r will match all emails where the string 'koi8-r' is present. I am trying to filter emails where the content is koi8-r (Cyrillic). Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter.

Well, can your filter test for the whole
===charset="koi8-r" ===, not just koi8-r ?

Spamcop autoresponses are quite recognisable too, so body contains koi8-r and From NOT myspamcopname might also be possible ?
wgtripp
QUOTE(michaelanglo @ Apr 20 2008, 02:35 PM) *
Well, can your filter test for the whole
===charset="koi8-r" ===, not just koi8-r ?

Spamcop autoresponses are quite recognisable too, so body contains koi8-r and From NOT myspamcopname might also be possible ?

Both are really good suggestions, I'll give them a try. Thanks!
kae
I have three filters for this, but I think the filter #3 is the one that works for all cases. I have three because when I tried one and it missed a message I created another one. They are as follows:

1) koi8 rule which is
Body contains "koi8-r"
Deliver to folder INBOX.Held Mail

2) charset=koi8-r
Body contains "charset=koi8-r"
Deliver to INBOX.Held Mail

3) Any koi8
Subject Contains "koi8-r" or
To Contains "koi8-r" or
From Contains "koi8-r" or
Destination Contains "koi8-r" or
Source Contains "koi8-r" or
Participant Contains "koi8-r" or
Body Contains "koi8-r" or
Self-Defined Header "Content-Type:" Contains "koi8-r"
Deliver to folder INBOX.Held Mail

The last rule is a catch-all and probably the only one needed. The catch is that these filters work only on the webmail application. They also only seem to be applied when transitioning into the mailbox. What I mean by that is that they don't seem to be applied when the INBOX refreshes. The behaviour that I've seen is that you must either press the INBOX icon and cause the INBOX to reload. The webmail standard refresh does not seem to apply the filters.

I have all four choices marked in the Options/filters:

Apply filter rules upon logging on? checked
Apply filter rules whenever INBOX is displayed? checked
Allow filter rules to be applied in any mailbox? checked
Show the filter icon on the menubar? checked

I also chose the Additional settings options under the Existing Filter Rules as:

Display detailed notification when each filter is applied?
Filter Options: Filter All Messages

By displaying detailed notification when each filter is applied, you can see when the filter is applied in Webmail.

It is my understanding (from the FAQ) that there are no user defined filters that get applied to incoming mail except the blacklist and the greylist option and the whitelist.

I hope that helps someone.

I think the SpamCop AutoResponder usually only contains the From and the Subject headers, the rest is usually just Received headers. Maybe you could just exclude the AutoResponder from the filter? Just a thought. I haven't encountered that problem because I have another app that removes all the SpamCop AutoResponder emails and squirrels them off to a folder that I keep for a while. That action causes the AutoResponder messages to appear as deleted to webmail. The tool runs every 10-15 minutes.
DavidT
Breaking news on this issue, seen on the Webmail login screen:

Sep 26, 2008

[16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.


DT
michaelanglo
QUOTE(DavidT @ Sep 26 2008, 09:36 PM) *
Sep 26, 2008

[16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.

{Tools} Block Russian: This option will block most Russian email (and other email in Cyrillic characters) and send it to your Held Mail, whether or not it is spam. Only select this if you do not receive any legitimate Russian emails. ==

The warning "Only select this if ..." is a little overstated since whitelisting works with Block Russian as with all other SpamCop mail blocking options.

OTOH A quick test seems to show that blocking is triggered when the string "koi8-r" without the quotes is present anywhere in the email header or body, even in the text of the subject or of the email itself.

Thus kae's problem with SpamCop response emails and other emails that happen to contain "koi8-r" is still present and will require whitelisting or other appropriate handling.
michaelanglo
QUOTE(michaelanglo @ Sep 27 2008, 04:12 PM) *
OTOH A quick test seems to show that blocking is triggered when the string "koi8-r" without the quotes is present anywhere in the email header or body, even in the text of the subject or of the email itself.

Thus kae's problem with SpamCop response emails and other emails that happen to contain "koi8-r" is still present and will require whitelisting or other appropriate handling.

Oops, my testing was too hurried. SpamCop Reply emails do not trigger "Blocked Russian" and evidently only the presence of "koi8-r" (somewhere) in the header is tested for. Thus some Cyrillic can get through.
ViRGE
QUOTE(DavidT @ Sep 26 2008, 04:36 PM) *
[16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.
Excellent.
Sleepy-zz-John
QUOTE(DavidT @ Sep 27 2008, 04:36 AM) *
[16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.

Good idea, and I see that the above also appears as a news announcement dated Oct 6, 2008. This would be excellent, but I can't find the new menu item there. In "Select your email filtering blacklists" China, Nigeria, Argentina & Brazil are there, but no sign of Russia. Neither does it appear in "Manage your personal blacklist". Is it me that's missing something, or hasn't that new menu item actually been added in yet?
DavidT
QUOTE(Sleepy-zz-John @ Oct 10 2008, 10:15 PM) *
I can't find the new menu item there. In "Select your email filtering blacklists" China, Nigeria, Argentina & Brazil are there, but no sign of Russia.

Look again....it's not in the table on the Blacklists page...it's in the section above the table, just below where you manage your SpamAssassin settings.

DT
Sleepy-zz-John
QUOTE(DavidT @ Oct 11 2008, 12:36 PM) *
Look again....it's not in the table on the Blacklists page...it's in the section above the table, just below where you manage your SpamAssassin settings.

Dunno David, guess I must still be fast asleep (as usual) 'cos I still can't see it.

We're in webmail.spamcop.net/horde/imp/spamcop/blacklists.php, right?
The bottom Spamassassin line has just a tickbox and a limit selection box, right?
Immediately below that we have a DNS Blacklists paragraph, and that's just a few lines of text with no options or selections in it, right?
Then immediately below the DNS Blacklists paragraph text comes the table, with its four purple-background column headings: Blank - DNS Blacklist - DNS Zone - Website, right?

You say, and I agree, it's not in the table, so where and how have I missed it?

Many thanks
agsteele
QUOTE(Sleepy-zz-John @ Oct 11 2008, 08:59 AM) *
You say, and I agree, it's not in the table, so where and how have I missed it?

On my screen it was higher up the page - not a blacklist just a check box to block cyrillic but I've just checked and the option is missing now.

To me it looks like the option has fallen off the page it was once on.

Andrew
ViRGE
Yep, it's missing here too. It still appears to be working based on the held mail I have, but the option is AWOL.
agsteele
QUOTE(ViRGE @ Oct 11 2008, 01:00 PM) *
Yep, it's missing here too. It still appears to be working based on the held mail I have, but the option is AWOL.

Yes, I concur... The cyrillic stuff seems to be caught.

Andrew
DavidT
QUOTE(Sleepy-zz-John @ Oct 11 2008, 12:59 AM) *
We're in webmail.spamcop.net/horde/imp/spamcop/blacklists.php, right?

Yes, and it's still showing up for both of my accounts, in between the SpamAssassin section and the DNS Blacklists section. Strange that it's not there for everyone.

DT
ViRGE
And now it's back. Weird.
Sleepy-zz-John
QUOTE(DavidT @ Oct 11 2008, 09:15 PM) *
Yes, and it's still showing up for both of my accounts, in between the SpamAssassin section and the DNS Blacklists section. Strange that it's not there for everyone.

Nope, still not showing here. Back to sleep again.
StevenUnderwood
QUOTE(Sleepy-zz-John @ Oct 11 2008, 10:43 AM) *
Nope, still not showing here. Back to sleep again.

I've been noticing it come and go as well... perhaps there are multiple servers and some are not updated, or there is some sort of caching going on.
DavidT
I think your multiple server theory holds water, Steven....the option just disappeared for me, also. I'll report it to the admins.

DT
StevenUnderwood
QUOTE(DavidT @ Oct 11 2008, 04:37 PM) *
I think your multiple server theory holds water, Steven....the option just disappeared for me, also. I'll report it to the admins.

I reported it this AM after my post, but it is a (minor) holiday weekend