StevenUnderwood Posted February 11, 2008 Share Posted February 11, 2008 Is there any way to fiddle the SpamAssassin tests for catch this type of spam? Many of them fly free with a "0.0" in the X-spam-Status assigned by SA. No. The only control is what level you will block at. You can make suggestions to JT (support[at]spamcop.net) for other rules to add/modify but remember this service is used around the world by a large number of very diverse people. Link to comment Share on other sites More sharing options...
Javier Posted February 11, 2008 Share Posted February 11, 2008 Thanks for your suggestion, Steve. I realize that tweaking the tests can be a double-sided sword. Before using SpamCop I had to cope directly with 40.000 spam mails daily, and now I only get the 200~300 that are able to pass thru. If only the personal filters could be used to filter the forwarded mail too, then that would be the best "solution", but... Link to comment Share on other sites More sharing options...
wgtripp Posted April 18, 2008 Share Posted April 18, 2008 Given the difficulties of actually flagging the spam in SpamAssassin, I would like to get a solid approach to handling the Cyrillic spam on the client, via a filter. Thunderbird allows the creation of a Custom filter, so I created on for the header element Content-Type contains koi8-r and allows me to flag as Junk. The problem with this approach is that most of this spam is multipart MIME as in: Content-Type: multipart/alternative; boundary="----=_NextPart_000_0005_01C8A0B5.045B1328" ... ------=_NextPart_000_0005_01C8A0B5.045B1328 Content-Type: text/plain; charset="koi8-r" This defeats my filter. So any suggestions as to writing a better filter would be appreciated. I have include a link to one of the spams that I reported http://www.spamcop.net/mcgi?action=gettrac...rtid=3032388632. Thanks in advance. Greg Link to comment Share on other sites More sharing options...
Farelf Posted April 18, 2008 Share Posted April 18, 2008 ...for the header element Content-Type contains koi8-r and allows me to flag as Junk. The problem with this approach is that most of this spam is multipart MIME as in: Content-Type: multipart/alternative; boundary="----=_NextPart_000_0005_01C8A0B5.045B1328" ... ------=_NextPart_000_0005_01C8A0B5.045B1328 Content-Type: text/plain; charset="koi8-r" This defeats my filter. Hi Greg. So you can't filter the body content? MozillaZine Knowledge Base.I have include a link to one of the spams that I reported http://www.spamcop.net/mcgi?action=gettrac...rtid=3032388632.You need to turn that into a Tracking URL before others can see it - all we would see is "Authorization failure". Link to comment Share on other sites More sharing options...
wgtripp Posted April 18, 2008 Share Posted April 18, 2008 Hi Greg. So you can't filter the body content? MozillaZine Knowledge Base.You need to turn that into a Tracking URL before others can see it - all we would see is "Authorization failure". Farelf, Thanks very much for the suggestion regarding the the Body filter. I did consider using the Body filter, however, a filter where Body contains koi8-r will match all emails where the string 'koi8-r' is present. I am trying to filter emails where the content is koi8-r (Cyrillic). Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter. Sorry about including the wrong info in the post. Here is a tracking url for a spam report I made this afternoon for this type of spam. http://www.spamcop.net/sc?id=z1804479196z6...d6f3efe51b3835z I generated the url by viewing recent reports; selecting the report; parsing the email; and copying the url here. Hope this is what you need. Thank you very much for you suggestions and for helping me provide appropriate information. Thanks, Greg Link to comment Share on other sites More sharing options...
Farelf Posted April 19, 2008 Share Posted April 19, 2008 ...Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter.... http://www.spamcop.net/sc?id=z1804479196z6...d6f3efe51b3835z I generated the url by viewing recent reports; selecting the report; parsing the email; and copying the url here. Hope this is what you need. You're welcome Greg - you could also have created a tracker given the report ID you had - but a new one is fine since you're getting a lot of them. So, anyone with some better solution out there? This has arisen before, I would think there's a chance ...? Link to comment Share on other sites More sharing options...
michaelanglo Posted April 20, 2008 Share Posted April 20, 2008 I did consider using the Body filter, however, a filter where Body contains koi8-r will match all emails where the string 'koi8-r' is present. I am trying to filter emails where the content is koi8-r (Cyrillic). Using a Body filter in the way you suggest does actually match the multi-part Mime messages, but it also matches other email that I do not consider to be spam, such as the Spamcop Autoresponder emails that I get when I report the Cyrillic spam. Even so, this could very well be my only option for flagging Cyrillic spam in multi-part Mime with a Filter. Well, can your filter test for the whole ===charset="koi8-r" ===, not just koi8-r ? Spamcop autoresponses are quite recognisable too, so body contains koi8-r and From NOT myspamcopname might also be possible ? Link to comment Share on other sites More sharing options...
wgtripp Posted April 20, 2008 Share Posted April 20, 2008 Well, can your filter test for the whole ===charset="koi8-r" ===, not just koi8-r ? Spamcop autoresponses are quite recognisable too, so body contains koi8-r and From NOT myspamcopname might also be possible ? Both are really good suggestions, I'll give them a try. Thanks! Link to comment Share on other sites More sharing options...
kae Posted April 23, 2008 Share Posted April 23, 2008 I have three filters for this, but I think the filter #3 is the one that works for all cases. I have three because when I tried one and it missed a message I created another one. They are as follows: 1) koi8 rule which is Body contains "koi8-r" Deliver to folder INBOX.Held Mail 2) charset=koi8-r Body contains "charset=koi8-r" Deliver to INBOX.Held Mail 3) Any koi8 Subject Contains "koi8-r" or To Contains "koi8-r" or From Contains "koi8-r" or Destination Contains "koi8-r" or Source Contains "koi8-r" or Participant Contains "koi8-r" or Body Contains "koi8-r" or Self-Defined Header "Content-Type:" Contains "koi8-r" Deliver to folder INBOX.Held Mail The last rule is a catch-all and probably the only one needed. The catch is that these filters work only on the webmail application. They also only seem to be applied when transitioning into the mailbox. What I mean by that is that they don't seem to be applied when the INBOX refreshes. The behaviour that I've seen is that you must either press the INBOX icon and cause the INBOX to reload. The webmail standard refresh does not seem to apply the filters. I have all four choices marked in the Options/filters: Apply filter rules upon logging on? checked Apply filter rules whenever INBOX is displayed? checked Allow filter rules to be applied in any mailbox? checked Show the filter icon on the menubar? checked I also chose the Additional settings options under the Existing Filter Rules as: Display detailed notification when each filter is applied? Filter Options: Filter All Messages By displaying detailed notification when each filter is applied, you can see when the filter is applied in Webmail. It is my understanding (from the FAQ) that there are no user defined filters that get applied to incoming mail except the blacklist and the greylist option and the whitelist. I hope that helps someone. I think the SpamCop AutoResponder usually only contains the From and the Subject headers, the rest is usually just Received headers. Maybe you could just exclude the AutoResponder from the filter? Just a thought. I haven't encountered that problem because I have another app that removes all the SpamCop AutoReponder emails and squirrels them off to a folder that I keep for a while. That action causes the AutoResponder messages to appear as deleted to webmail. The tool runs every 10-15 minutes. Link to comment Share on other sites More sharing options...
DavidT Posted September 26, 2008 Share Posted September 26, 2008 Breaking news on this issue, seen on the Webmail login screen: Sep 26, 2008 [16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail. DT Link to comment Share on other sites More sharing options...
michaelanglo Posted September 27, 2008 Share Posted September 27, 2008 Sep 26, 2008 [16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail. {Tools} Block Russian: This option will block most Russian email (and other email in Cyrillic characters) and send it to your Held Mail, whether or not it is spam. Only select this if you do not receive any legitimate Russian emails. == The warning "Only select this if ..." is a little overstated since whitelisting works with Block Russian as with all other SpamCop mail blocking options. OTOH A quick test seems to show that blocking is triggered when the string "koi8-r" without the quotes is present anywhere in the email header or body, even in the text of the subject or of the email itself. Thus kae's problem with SpamCop response emails and other emails that happen to contain "koi8-r" is still present and will require whitelisting or other appropriate handing. Link to comment Share on other sites More sharing options...
michaelanglo Posted September 29, 2008 Share Posted September 29, 2008 OTOH A quick test seems to show that blocking is triggered when the string "koi8-r" without the quotes is present anywhere in the email header or body, even in the text of the subject or of the email itself. Thus kae's problem with SpamCop response emails and other emails that happen to contain "koi8-r" is still present and will require whitelisting or other appropriate handing. Oops, my testing was too hurried. SpamCop Reply emails do not trigger "Blocked Russian" and evidently only the presence of "koi8-r" (somewhere) in the header is tested for. Thus some Cyrillic can get through. Link to comment Share on other sites More sharing options...
ViRGE Posted September 30, 2008 Share Posted September 30, 2008 [16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail.Excellent. Link to comment Share on other sites More sharing options...
Sleepy-zz-John Posted October 11, 2008 Share Posted October 11, 2008 [16:28 EDT] We have a new feature to block Russian and other Cyrillic emails. Login to webmail, click Options, then SpamCop Tools. Then click on your Blacklists. In there is a new menu item you can select to send all Russian emails directly to your Held Mail. Good idea, and I see that the above also appears as a news announcement dated Oct 6, 2008. This would be excellent, but I can't find the new menu item there In "Select your email filtering blacklists" China, Nigeria, Argentina & Brazil are there, but no sign of Russia. Neither does it appear in "Manage your personal blacklist". Is it me that's missing something, or hasn't that new menu item actually been added in yet? Link to comment Share on other sites More sharing options...
DavidT Posted October 11, 2008 Share Posted October 11, 2008 I can't find the new menu item there In "Select your email filtering blacklists" China, Nigeria, Argentina & Brazil are there, but no sign of Russia. Look again....it's not in the table on the Blacklists page...it's in the section above the table, just below were you manage your SpamAssassin settings. DT Link to comment Share on other sites More sharing options...
Sleepy-zz-John Posted October 11, 2008 Share Posted October 11, 2008 Look again....it's not in the table on the Blacklists page...it's in the section above the table, just below were you manage your SpamAssassin settings. Dunno David, guess I must still be fast asleep (as usual ) 'cos I still can't see it We're in webmail.spamcop.net/horde/imp/spamcop/blacklists.php, right? The bottom Spamassassin line has just a tickbox and a limit selection box, right? Immediately below that we have a DNS Blacklists paragraph, and that's just a few lines of text with no options or selections in it, right? Then immediately below the DNS Blacklists paragraph text comes the table, with its four purple-background column headings: Blank - DNS Blacklist - DNS Zone - Website, right? You say, and I agree, it's not in the table, so where and how have I missed it? Many thanks Link to comment Share on other sites More sharing options...
agsteele Posted October 11, 2008 Share Posted October 11, 2008 You say, and I agree, it's not in the table, so where and how have I missed it? On my screen it was higher up the page - not a blacklist just a check box to block cyrillic but I've just checked and the option is missing now To me it looks like the option has fallen off the page it was once on Andrew Link to comment Share on other sites More sharing options...
ViRGE Posted October 11, 2008 Share Posted October 11, 2008 Yep, it's missing here too. It still appears to be working based on the held mail I have, but the option is AWOL. Link to comment Share on other sites More sharing options...
agsteele Posted October 11, 2008 Share Posted October 11, 2008 Yep, it's missing here too. It still appears to be working based on the held mail I have, but the option is AWOL. Yes, I concur... The cyrillic stuff seems to be caught. Andrew Link to comment Share on other sites More sharing options...
DavidT Posted October 11, 2008 Share Posted October 11, 2008 We're in webmail.spamcop.net/horde/imp/spamcop/blacklists.php, right? Yes, and it's still showing up for both of my accounts, in between the SpamAssassin section and the DNS Blacklists section. Strange that it's not there for everyone. DT Link to comment Share on other sites More sharing options...
ViRGE Posted October 11, 2008 Share Posted October 11, 2008 And now it's back. Weird. Link to comment Share on other sites More sharing options...
Sleepy-zz-John Posted October 11, 2008 Share Posted October 11, 2008 Yes, and it's still showing up for both of my accounts, in between the SpamAssassin section and the DNS Blacklists section. Strange that it's not there for everyone. Nope, still not showing here. Back to sleep again Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 11, 2008 Share Posted October 11, 2008 Nope, still not showing here. Back to sleep again I've been noticing it come and go as well... perhaps there are multiple servers and some are not updated, or there is some sort of caching going on. Link to comment Share on other sites More sharing options...
DavidT Posted October 11, 2008 Share Posted October 11, 2008 I think your multiple server theory holds water, Steven....the option just disappeared for me, also. I'll report it to the admins. DT Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 12, 2008 Share Posted October 12, 2008 I think your multiple server theory holds water, Steven....the option just disappeared for me, also. I'll report it to the admins. I reported it this AM after my post, but it is a (minor) holiday weekend Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.