How to block/filter? (cyrillic spam)

mrmaxx · October 11, 2007

I keep getting all this spam in Cyrillic lettering. Is there any way to configure a filter to block it? Here's the headers for a sample:

Message-ID: &lt;000801c80bce$0210f908$63143a82[at]cefrk&gt;
From: =?koi8-r?B?4sHM0cLJzg==?= &lt;yuh_lin340welch[at]batnet.com&gt;
To: &lt;john[at]highertech.net&gt;
Subject: =?koi8-r?B?8M/Ex8/Uz9fLxSDcy9PQxdLUz9cg0M8g08nT1MXNwc0gzcXOxcTWzQ==?=
	=?koi8-r?B?xc7UwSDLwd7F09TXwQ==?=
Date: Thu, 11 Oct 2007 04:32:31 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0005_01C80BCE.020E738F"
Status: R

This is a multi-part message in MIME format.

Any suggestions? After the "MIME" header, it's got the Charset=koi8-r but apparently putting a filter in for that doesn't help as it's in the body.

DavidT · October 11, 2007

I keep getting all this spam in Cyrillic lettering. Is there any way to configure a filter to block it? Any suggestions? After the "MIME" header, it's got the Charset=koi8-r but apparently putting a filter in for that doesn't help as it's in the body.

When creating filters in the webmail system, there's a "body" option at the very bottom of the "Select a field" drop-down list, and then you can paste "koi8-r" into the box to the right of "Contains" and define an action (sound like you'd like to select "Delete message completely"). You might also go into your Filter Options (found among the other SpamCop Options) and make sure that all of these are selected:

Apply filter rules upon logging on?

Apply filter rules whenever INBOX is displayed?

Allow filter rules to be applied in any mailbox?

I ran a test on a MIME message with a "Content-Transfer-Encoding: quoted-printable" line in the body, after the MIME declaration, in which I told the webmail system to look for "quoted-printable" in the body and then move the message to a "test" folder, and it worked just fine, so you can do it with your "koi8-r" charset declaration also.

DT

mrmaxx · October 12, 2007

Hmm... Well, I tried that with another characterset, but it didn't work all that well. I'll give it another shot, though. Thanks for reminding me.

mrmaxx · October 18, 2007

Hmm... Well, I tried that with another characterset, but it didn't work all that well. I'll give it another shot, though. Thanks for reminding me.

Well, I've tried it for a few days, but I'm still getting some spam with cyrillic characters getting through. Fortunately, it appears from looking at my held mail folder that most of it is getting caught. Any ideas why the filters are not catching the rest?

Filter is as follows:

Body contains charset="windows-1251"

or

Body contains charset="koi8-r"

or

self-defined header contains charset="koi8-r"

move to folder "held mail"

FWIW, I also checked to make sure it wasn't something that I had white-listed. The spot-checks I've done on the ones that get through seem to indicate that they were one-off messages sent to me, although they were probably BCC-ed to who knows how many others.

DavidT · October 18, 2007

The standard procedure here would be for you to run one through the SC parser and give us a Tracking URL.

DT

mrmaxx · October 18, 2007

The standard procedure here would be for you to run one through the SC parser and give us a Tracking URL.

Hmm... Good point. Stand by while I try and find one... Probably a couple in my inbox right now. :-)

mrmaxx · October 19, 2007

As requested here's a tracking URL for one that made it all the way to my desktop:

http://www.spamcop.net/sc?id=z1484424580z7...bea2b77424e7a8z

And here's another:

http://www.spamcop.net/sc?id=z1484428867za...45050510d8dc94z

DavidT · October 19, 2007

Any ideas why the filters are not catching the rest?
Filter is as follows:

Body contains charset="windows-1251"

or

Body contains charset="koi8-r"

or

self-defined header contains charset="koi8-r"

move to folder "held mail"

I just did some testing and found that using filter terms with quotes, as shown above, doesn't work. Maybe you could make it work with the regular expression option (which I didn't try), but if you simply filter on koi8-r or windows-1251, it should work just fine. I just successfully filtered some Chines spam using gb2312 from charset declaration in the body.

I also discovered that for the following Subject:

Subject: =?koi8-r?B?88vJxMvJIM7BIO/z4efvIMTPIDQ1JQ==?=

simple "contains" filters looking at the Subject didn't work when I used koi8-r or =?koi8-r?, so maybe someone else will come up with a way to filter Subjects that are in alternate charsets.

BTW, your first TrackingURL actually contains two spam messages, one after another, which produces an error in the parsing.

DT

mrmaxx · October 20, 2007

BTW, your first TrackingURL actually contains two spam messages, one after another, which produces an error in the parsing.

Hmm... I just parsed it as I got it. :-) I can't help it if the Russian spammers are too stupid to send one at a time. :-)

DavidT · October 20, 2007

Hmm... I just parsed it as I got it.

I don't think so...if you click on the "View entire message" link and then scroll all the way down that page, you'll see that you accidentally pasted the same message into the parsing form twice. That was my point.

But more importantly, did you try my solution, and did it work?

DT

DavidT · October 22, 2007

But more importantly, did you try my solution, and did it work?

mrmaxx - I don't understand why you haven't answered. You've been back to the forum since I posted this.

DT

djtodd · November 15, 2007

I use Spamcop for mail forwarding, ie. Mail comes in to my domain, gets auto forwarded to SC, then filtered and passed back to another account on my domain where I check it. Works well, stops about 98% of my spam and very few false positives.

Probably everyone around here has noticed the recent upswing in Russian spam. Is there a way to blanket block anything using the cyrillic text type (language? charset?) with the way I use SC? I report it all, so it's getting less and less, but usually every morning I wake up to 5-6 junk mails to be reported...

Thanks!

Moderator Edit: 'new' Topic brought into this existing one .. PM sent.

agsteele · November 15, 2007

I use Spamcop for mail forwarding, ie. Mail comes in to my domain, gets auto forwarded to SC, then filtered and passed back to another account on my domain where I check it. Works well, stops about 98% of my spam and very few false positives.

Probably everyone around here has noticed the recent upswing in Russian spam. Is there a way to blanket block anything using the cyrillic text type (language? charset?) with the way I use SC? I report it all, so it's getting less and less, but usually every morning I wake up to 5-6 junk mails to be reported...

Thanks!

Moderator Edit: 'new' Topic brought into this existing one .. PM sent.

A Moderator has merged your discussion with another which was recently on filtering based on a language. Of course, that only works if you access your mail via the webmail interface - which isn't your described method.

All that said, all my Russian language spam ends up in my held mail folder.

So it could be that you could toughen up the blocklists you're using and also drop your SpamAssassin level a little. That might fix things for you.

You'll need to experiment what works best for you... I block based on

SpamCop Blacklist

Spamhaus Blacklist

China (the country)

Nigeria

Argentina

Brazil

Composite Blocking List

Spamhaus XBL

SpamAssassin is set at 4

If you find a better setting do report back.

Andrew

djtodd · November 15, 2007

Actually, my settings are already tighter than that. I'm using all of the black lists and SA is set at 3.

My personal whitelist is pared down to the absolute minimum (and I'm not on it) as well.

Oh well. Thanks anyhow!

Wazoo · November 15, 2007

A Moderator has merged your discussion with another which was recently on filtering based on a language. Of course, that only works if you access your mail via the webmail interface - which isn't your described method.

I did it, with the intent to follow up .. thanks for filling the void while I was busy elsewhere.

However, the real intent was to get more data from the poster, as seen in this existing Topic .... samples of the spam in question, etc.

djtodd · November 15, 2007

I did it, with the intent to follow up .. thanks for filling the void while I was busy elsewhere.
However, the real intent was to get more data from the poster, as seen in this existing Topic .... samples of the spam in question, etc.

Here are some samples from this morning if it helps.

http://www.spamcop.net/sc?id=z1524800773z6...4325f748c4bf53z

http://www.spamcop.net/sc?id=z1524800775zb...c01245f04613a1z

http://www.spamcop.net/sc?id=z1524800778zf...ba16b039be6ab3z

http://www.spamcop.net/sc?id=z1524800779zf...32c7676b38af55z

http://www.spamcop.net/sc?id=z1524800784ze...8286ddc8ee6c44z

Wazoo · December 31, 2007

I found this while searching for something else .. noted that it seems to have been left without answers from those involved ... posting this to bring it 'current' such that perhaps some answers, perhaps resolution can possibly bring this to a close ...?????

mrmaxx · December 31, 2007

I found this while searching for something else .. noted that it seems to have been left without answers from those involved ... posting this to bring it 'current' such that perhaps some answers, perhaps resolution can possibly bring this to a close ...?????

As the OP, I can safely say that my level of spam in my inbox has dropped dramatically since I've followed the suggestions to get rid of 'catchall' email addresses that are forwarded to my SC mailbox. That being said, I still get a couple emails in Cyrillic in my inbox on a daily basis.

Since I can't think of a single legitimate email I've received from outside the US/Canada, I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.

agsteele · December 31, 2007

Since I can't think of a single legitimate email I've received from outside the US/Canada, I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.

Sadly I cannot think of a means of achieving that...

For example, I'm based in the UK but I have a .org Email address and I send my outgoing mail through a US mail server (the SpamCop outgoing mail server).

The only means of establishing my location is the IP of the machine I'm working on but that only says where I'm working at the time so may not be effective either.

And I get a whole bunch of spam every day from the USA so that may not even reduce your spam load a whole amount either.

Some folk speak highly of greylisting.

Andrew

Wazoo · December 31, 2007

That being said, I still get a couple emails in Cyrillic in my inbox on a daily basis.

Ah, but that's where the Topic started. What's issing thus far is the results of the vaarious 'fixes' in the filtering schemes you've suggested, like the remival of the apostrophies .....

Looking at a couple of djtodd's examples ... not sure what to say there. One didn't have but a one-line spaced out "Domain . com" for a body, although the header Content-Type was koi8r ... another had the Header Content type including koi8r, but it and the body were sent as plain-text, so there wasn't a 'body' included koi8r reference.

I'm going to change the Title of this Topic a bit, to scope the How to block? down to cyrillic at least, and to include the word "filter" as 'blocking' doesn't seem to be the only action being looked at.

michaelanglo · January 1, 2008

[...] I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.

Sadly I cannot think of a means of achieving that...
[...]

And I get a whole bunch of spam every day from the USA so that may not even reduce your spam load a whole amount either.

How about this method then ?

Look up every IP address in the header using a geographical locator such as http://www.geobytes.com/IpLocator.htm?GetLocation

(note the SpamCop email service already scans and looks up every IP address when the SpamAssassin score is under threshold and it continues to check the selected blocklists)

If any are outside the US & Canada or are unknown then FAIL.

This may cause difficulty, eg in the past Bigfoot's servers were in South Korea, but it appears to do what is wanted.

BTW last month I got

2799 spams (90/d), 130 leakers (=4.6 %), 3 false positive(s)

of those 130 spams 12 were spamsource reportable to ISPs in the US, 5 to the UK A previous full analysis had 53 % of the spam I received reportable to China but only about 1 a month leaks through.

ViRGE · February 2, 2008

When creating filters in the webmail system, there's a "body" option at the very bottom of the "Select a field" drop-down list, and then you can paste "koi8-r" into the box to the right of "Contains" and define an action (sound like you'd like to select "Delete message completely"). You might also go into your Filter Options (found among the other SpamCop Options) and make sure that all of these are selected:
Apply filter rules upon logging on?

Apply filter rules whenever INBOX is displayed?

Allow filter rules to be applied in any mailbox?

I ran a test on a MIME message with a "Content-Transfer-Encoding: quoted-printable" line in the body, after the MIME declaration, in which I told the webmail system to look for "quoted-printable" in the body and then move the message to a "test" folder, and it worked just fine, so you can do it with your "koi8-r" charset declaration also.

I too am looking to block Cyrillic spam, and it sounds like this is the kind of method that would work well enough. However I'm not familiar with the filter function in webmail, all of my blocking up until now has been through the SpamCop Tools section (BLs, greylisting, etc). Looking at the filters, it sounds like this is a function of the Horde webmail package, and not the Spamcop backend. I don't use webmail daily, I'm using IMAP (with that being on my iPhone a lot of the time).

Do these filter options only get applied when I log in to webmail, or will the filter options block such spam on a full-time basis?

StevenUnderwood · February 2, 2008

Do these filter options only get applied when I log in to webmail, or will the filter options block such spam on a full-time basis?

Yes, only with webmail. I don't know about the IPhone, but most mail clients have their own filtering rules.

ViRGE · February 3, 2008

Yes, only with webmail. I don't know about the IPhone, but most mail clients have their own filtering rules.

Unfortunately there are no filtering options on the iPhone. Hopefully some day this kind of filtering can get added to the Spamcop Tools.

Javier · February 11, 2008

I use Spamcop for mail forwarding, ie. Mail comes in to my domain, gets auto forwarded to SC, then filtered and passed back to another account on my domain where I check it.

...

Hello, I'm a newbie here and I use the Spamcop mail in the same way that djtodd have described.

Me too I've notized an increase of cyrillic, koi8-r encoded spam messages, that are leaking under the radar, like this one (I have obfuscated some the email accounts):

Received: from [192.168.24.21] (helo=mx01.myISP.net)
		by mbox01 with esmtp (Exim 4.63)
		(envelope-from &lt;andre[at]escortcorp.com&gt;)
		id 1JOauF-0000qT-AD
		for me[at]myISP.net; Mon, 11 Feb 2008 16:49:19 +0100
Received: from [216.154.195.49] (helo=c60.cesmail.net)
		by mx01.myISP.net with esmtp (Exim 4.60)
		(envelope-from &lt;andre[at]escortcorp.com&gt;)
		id 1JOauF-00049E-37
		for me[at]myISP.net; Mon, 11 Feb 2008 16:49:19 +0100
Received: from unknown (HELO filter7.cesmail.net) ([192.168.1.217])
  by c60.cesmail.net with SMTP; 11 Feb 2008 10:49:29 -0500
Received: (qmail 2661 invoked by uid 1010); 11 Feb 2008 15:49:29 -0000
Delivered-To: spamcop-net-myaccount[at]spamcop.net
Received: (qmail 2554 invoked from network); 11 Feb 2008 15:49:21 -0000
X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on filter7
X-spam-Level: 
X-spam-Status: hits=0.0 tests=HTML_FONT_SIZE_LARGE,HTML_MESSAGE version=3.2.3
Received: from unknown (192.168.1.107)
  by filter7.cesmail.net with QMQP; 11 Feb 2008 15:49:21 -0000
Received: from th1.icb.co.uk (HELO fwd1.icb.co.uk) (80.249.100.2)
  by mx70.cesmail.net with SMTP; 11 Feb 2008 15:49:21 -0000
Received: from adsl190-025024149.dyn.etb.net.co (adsl190-025024149.dyn.etb.net.co [190.25.24.149] (may be forged))
		by fwd1.icb.co.uk (8.12.10/8.11.3) with ESMTP id m1BFnIso007060
		for &lt;forged[at]mydomain.com&gt;; Mon, 11 Feb 2008 15:49:19 GMT
Message-ID: &lt;000701c86cc5$0348c3e5$92b602aa[at]xgqqteex&gt;
From: =?koi8-r?B?88nOxc7Lzw==?= &lt;andre[at]escortcorp.com&gt;
To: &lt;forged[at]mydomain.com&gt;
Subject: =?koi8-r?B?cmU6IOHSxc7EwSDTy8zBxMEu?=
Date: Mon, 11 Feb 2008 14:01:53 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
		boundary="----=_NextPart_000_0004_01C86CC5.03485F28"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-SpamCop-Checked: 80.249.100.2 190.25.24.149 

This is a multi-part message in MIME format.

------=_NextPart_000_0004_01C86CC5.03485F28
Content-Type: text/plain;
		charset="koi8-r"
Content-Transfer-Encoding: quoted-printable


...
(several lines of cyrillic encoded text)
...



------=_NextPart_000_0004_01C86CC5.03485F28
Content-Type: text/html;
		charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"&gt;
&lt;HTML&gt;&lt;HEAD&gt;
&lt;META http-equiv=3DContent-Type content=3D"text/html; charset=3Dkoi8-r"&gt;
&lt;META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR&gt;
&lt;STYLE&gt;&lt;/STYLE&gt;
&lt;/HEAD&gt;
&lt;BODY bgColor=3D#ffffff&gt;
&lt;P&gt;&lt;FONT color=3D"#0066FF" size=3D"6" face=3D"Georgia, Times New Roman, =
Times, =
serif"&gt;		   =
&lt;B&gt;
...
(same in html)
...
&lt;/BODY&gt;&lt;/HTML&gt;
------=_NextPart_000_0004_01C86CC5.03485F28--

Is there any way to fiddle the SpamAssassin tests for catch this type of spam? Many of them fly free with a "0.0" in the X-spam-Status assigned by SA. <_<

How to block/filter? (cyrillic spam)

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived