mrmaxx

How to block/filter? (cyrillic spam)


Is there any way to fiddle the SpamAssassin tests to catch this type of spam? Many of them fly free with a "0.0" in the X-spam-Status assigned by SA. <_<
No. The only control is what level you will block at. You can make suggestions to JT (support[at]spamcop.net) for other rules to add/modify but remember this service is used around the world by a large number of very diverse people.


Thanks for your suggestion, Steve. I realize that tweaking the tests can be a double-sided sword.

Before using SpamCop I had to cope directly with 40.000 spam mails daily, and now I only get the 200~300 that are able to pass thru. If only the personal filters could be used to filter the forwarded mail too, then that would be the best "solution", but...


Given the difficulties of actually flagging the spam in SpamAssassin, I would like to get a solid approach to handling the Cyrillic spam on the client, via a filter. Thunderbird allows the creation of a Custom filter, so I created one for the header element Content-Type contains koi8-r and allows me to flag as Junk. The problem with this approach is that most of this spam is multipart MIME as in:

Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0005_01C8A0B5.045B1328"
...
------=_NextPart_000_0005_01C8A0B5.045B1328
Content-Type: text/plain;
    charset="koi8-r"

This defeats my filter. So any suggestions as to writing a better filter would be appreciated.

I have included a link to one of the spams that I reported http://www.spamcop.net/mcgi?action=gettrac...rtid=3032388632.

Thanks in advance.

Greg

Edited by wgtripp

...for the header element Content-Type contains koi8-r and allows me to flag as Junk. The problem with this approach is that most of this spam is multipart MIME as in:

Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0005_01C8A0B5.045B1328"
...
------=_NextPart_000_0005_01C8A0B5.045B1328
Content-Type: text/plain;
    charset="koi8-r"

This defeats my filter.

Hi Greg. So you can't filter the body content? MozillaZine Knowledge Base.
I have included a link to one of the spams that I reported http://www.spamcop.net/mcgi?action=gettrac...rtid=3032388632.
You need to turn that into a Tracking URL before others can see it - all we would see is "Authorization failure".

Hi Greg. So you can't filter the body content? MozillaZine Knowledge Base. You need to turn that into a Tracking URL before others can see it - all we would see is "Authorization failure".

Farelf,

Thanks very much for the suggestion regarding the Body filter. I did consider using the Body filter, however, a filter where Body contains koi8-r will match all emails where the string 'koi8-r' is present. I am trying to filter emails where the content is koi8-r (Cyrillic). Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter.

Sorry about including the wrong info in the post. Here is a tracking url for a spam report I made this afternoon for this type of spam. http://www.spamcop.net/sc?id=z1804479196z6...d6f3efe51b3835z

I generated the url by viewing recent reports; selecting the report; parsing the email; and copying the url here. Hope this is what you need.

Thank you very much for your suggestions and for helping me provide appropriate information.

Thanks,

Greg

...Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter....

http://www.spamcop.net/sc?id=z1804479196z6...d6f3efe51b3835z

I generated the url by viewing recent reports; selecting the report; parsing the email; and copying the url here. Hope this is what you need.

You're welcome Greg - you could also have created a tracker given the report ID you had - but a new one is fine since you're getting a lot of them.

So, anyone with some better solution out there? This has arisen before, I would think there's a chance ...?

I did consider using the Body filter, however, a filter where Body contains koi8-r will match all emails where the string 'koi8-r' is present. I am trying to filter emails where the content is koi8-r (Cyrillic). Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter.

Well, can your filter test for the whole ===charset="koi8-r"===, not just koi8-r?

Spamcop autoresponses are quite recognisable too, so body contains koi8-r and From NOT myspamcopname might also be possible ?

Well, can your filter test for the whole ===charset="koi8-r"===, not just koi8-r?

Spamcop autoresponses are quite recognisable too, so body contains koi8-r and From NOT myspamcopname might also be possible ?

Both are really good suggestions, I'll give them a try. Thanks!


I have three filters for this, but I think the filter #3 is the one that works for all cases. I have three because when I tried one and it missed a message I created another one. They are as follows:

1) koi8 rule which is
    Body contains "koi8-r"
    Deliver to folder INBOX.Held Mail

2) charset=koi8-r
    Body contains "charset=koi8-r"
    Deliver to INBOX.Held Mail

3) Any koi8
    Subject Contains "koi8-r" or
    To Contains "koi8-r" or
    From Contains "koi8-r" or
    Destination Contains "koi8-r" or
    Source Contains "koi8-r" or
    Participant Contains "koi8-r" or
    Body Contains "koi8-r" or
    Self-Defined Header "Content-Type:" Contains "koi8-r"
    Deliver to folder INBOX.Held Mail

The last rule is a catch-all and probably the only one needed. The catch is that these filters work only on the webmail application. They also only seem to be applied when transitioning into the mailbox. What I mean by that is that they don't seem to be applied when the INBOX refreshes. The behaviour that I've seen is that you must either press the INBOX icon and cause the INBOX to reload. The webmail standard refresh does not seem to apply the filters.

I have all four choices marked in the Options/filters:

Apply filter rules upon logging on? checked

Apply filter rules whenever INBOX is displayed? checked

Allow filter rules to be applied in any mailbox? checked

Show the filter icon on the menubar? checked

I also chose the Additional settings options under the Existing Filter Rules as:

Display detailed notification when each filter is applied?

Filter Options: Filter All Messages

By displaying detailed notification when each filter is applied, you can see when the filter is applied in Webmail.

It is my understanding (from the FAQ) that there are no user defined filters that get applied to incoming mail except the blacklist and the greylist option and the whitelist.

I hope that helps someone.

I think the SpamCop AutoResponder usually only contains the From and the Subject headers, the rest is usually just Received headers. Maybe you could just exclude the AutoResponder from the filter? Just a thought. I haven't encountered that problem because I have another app that removes all the SpamCop AutoResponder emails and squirrels them off to a folder that I keep for a while. That action causes the AutoResponder messages to appear as deleted to webmail. The tool runs every 10-15 minutes.

Edited by kae


Breaking news on this issue, seen on the Webmail login screen:

Sep 26, 2008

[16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.

DT

Sep 26, 2008

[16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.

{Tools} Block Russian: This option will block most Russian email (and other email in Cyrillic characters) and send it to your Held Mail, whether or not it is spam. Only select this if you do not receive any legitimate Russian emails.

The warning "Only select this if ..." is a little overstated since whitelisting works with Block Russian as with all other SpamCop mail blocking options.

OTOH A quick test seems to show that blocking is triggered when the string "koi8-r" without the quotes is present anywhere in the email header or body, even in the text of the subject or of the email itself.

Thus kae's problem with SpamCop response emails and other emails that happen to contain "koi8-r" is still present and will require whitelisting or other appropriate handling.

OTOH A quick test seems to show that blocking is triggered when the string "koi8-r" without the quotes is present anywhere in the email header or body, even in the text of the subject or of the email itself.

Thus kae's problem with SpamCop response emails and other emails that happen to contain "koi8-r" is still present and will require whitelisting or other appropriate handling.

Oops, my testing was too hurried. SpamCop Reply emails do not trigger "Blocked Russian" and evidently only the presence of "koi8-r" (somewhere) in the header is tested for. Thus some Cyrillic can get through.
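
The three matching strategies discussed in this thread, compared side by side as an added example (not code from any poster or from SpamCop): the header-only Content-Type test, the "Body contains" substring test, and a check of the charset each MIME part and encoded header actually declares. Both sample messages are constructed, and the charset labels other than koi8-r are an assumption.

```python
import email
from email.header import decode_header

# Assumption: the thread only names koi8-r; the other labels are added here.
CYRILLIC = {"koi8-r", "koi8-u", "windows-1251", "iso-8859-5"}

def header_only(raw: bytes) -> bool:
    """Top-level Content-Type header contains koi8-r (the first Thunderbird filter)."""
    msg = email.message_from_bytes(raw)
    return "koi8-r" in str(msg.get("Content-Type", "")).lower()

def substring(raw: bytes) -> bool:
    """'koi8-r' anywhere in headers or body (the Body-contains filter)."""
    return b"koi8-r" in raw.lower()

def declared_charsets(raw: bytes) -> set:
    """Charsets the message declares: per MIME part, plus RFC 2047 encoded headers."""
    msg = email.message_from_bytes(raw)
    found = {p.get_content_charset() for p in msg.walk()} - {None}
    for name in ("Subject", "From", "To"):
        for _text, charset in decode_header(str(msg.get(name, ""))):
            if charset:
                found.add(charset.lower())
    return found

def structural(raw: bytes) -> bool:
    return bool(declared_charsets(raw) & CYRILLIC)

# Constructed sample 1: multipart message whose text part is declared koi8-r.
SPAM = (b"From: a@example.com\r\nSubject: hi\r\n"
        b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
        b'--b1\r\nContent-Type: text/plain; charset="koi8-r"\r\n\r\n'
        + "Привет".encode("koi8-r") + b"\r\n--b1--\r\n")

# Constructed sample 2: ASCII auto-reply that merely quotes the string.
REPLY = (b"From: autoresponder@example.com\r\nSubject: report accepted\r\n"
         b'Content-Type: text/plain; charset="us-ascii"\r\n\r\n'
         b'Your report quoted: charset="koi8-r"\r\n')

def compare(raw: bytes) -> tuple:
    """Return (header_only, substring, structural) verdicts for one message."""
    return header_only(raw), substring(raw), structural(raw)

if __name__ == "__main__":
    for label, raw in (("multipart spam", SPAM), ("auto-reply", REPLY)):
        print(label, dict(zip(("header", "substring", "structural"), compare(raw))))
```

The header-only test misses the multipart message and the substring test flags the auto-reply; only the per-part check separates the two.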

[16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.
Excellent.

[16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.

Good idea, and I see that the above also appears as a news announcement dated Oct 6, 2008. This would be excellent, but I can't find the new menu item there :unsure: In "Select your email filtering blacklists" China, Nigeria, Argentina & Brazil are there, but no sign of Russia. Neither does it appear in "Manage your personal blacklist". Is it me that's missing something, or hasn't that new menu item actually been added in yet? :huh:

I can't find the new menu item there :unsure: In "Select your email filtering blacklists" China, Nigeria, Argentina & Brazil are there, but no sign of Russia.

Look again....it's not in the table on the Blacklists page...it's in the section above the table, just below where you manage your SpamAssassin settings.

DT

Look again....it's not in the table on the Blacklists page...it's in the section above the table, just below where you manage your SpamAssassin settings.

Dunno David, guess I must still be fast asleep (as usual -_- ) 'cos I still can't see it :excl:

We're in webmail.spamcop.net/horde/imp/spamcop/blacklists.php, right?

The bottom Spamassassin line has just a tickbox and a limit selection box, right?

Immediately below that we have a DNS Blacklists paragraph, and that's just a few lines of text with no options or selections in it, right?

Then immediately below the DNS Blacklists paragraph text comes the table, with its four purple-background column headings: Blank - DNS Blacklist - DNS Zone - Website, right?

You say, and I agree, it's not in the table, so where and how have I missed it? :huh:

Many thanks :)

You say, and I agree, it's not in the table, so where and how have I missed it? :huh:

On my screen it was higher up the page - not a blacklist just a check box to block cyrillic but I've just checked and the option is missing now :(

To me it looks like the option has fallen off the page it was once on :)

Andrew

Edited by agsteele


Yep, it's missing here too. It still appears to be working based on the held mail I have, but the option is AWOL.

Yep, it's missing here too. It still appears to be working based on the held mail I have, but the option is AWOL.

Yes, I concur... The cyrillic stuff seems to be caught.

Andrew

We're in webmail.spamcop.net/horde/imp/spamcop/blacklists.php, right?

Yes, and it's still showing up for both of my accounts, in between the SpamAssassin section and the DNS Blacklists section. Strange that it's not there for everyone.

DT

Yes, and it's still showing up for both of my accounts, in between the SpamAssassin section and the DNS Blacklists section. Strange that it's not there for everyone.

Nope, still not showing here. Back to sleep again -_-

Nope, still not showing here. Back to sleep again -_-

I've been noticing it come and go as well... perhaps there are multiple servers and some are not updated, or there is some sort of caching going on.


I think your multiple server theory holds water, Steven....the option just disappeared for me, also. I'll report it to the admins.

DT

I think your multiple server theory holds water, Steven....the option just disappeared for me, also. I'll report it to the admins.

I reported it this AM after my post, but it is a (minor) holiday weekend
