mrmaxx Posted October 11, 2007

I keep getting all this spam in Cyrillic lettering. Is there any way to configure a filter to block it? Here's the headers for a sample:

Return-Path: <yuh_lin340welch[at]batnet.com>
Delivered-To: spamcop-net-mrmaxx[at]spamcop.net
Received: (qmail 26344 invoked from network); 11 Oct 2007 06:23:53 -0000
X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blade3.cesmail.net
X-spam-Level:
X-spam-Status: hits=0.0 tests=HTML_MESSAGE version=3.2.3
Received: from unknown (192.168.1.108) by blade3.cesmail.net with QMQP; 11 Oct 2007 06:23:53 -0000
Received: from mx53.cesmail.net (216.154.195.53) by mx71.cesmail.net with SMTP; 11 Oct 2007 06:23:52 -0000
Received: from mail.chattanooga.net [66.129.1.5] by mx53.cesmail.net with POP3 (fetchmail-6.2.1) for mrmaxx[at]spamcop.net (single-drop); Thu, 11 Oct 2007 02:23:52 -0400 (EDT)
Received: from psmtp.com (exprod7mx212.postini.com [64.18.2.62]) by mail.chattanooga.net (8.13.1/8.13.1) with SMTP id l9B6ARHa022183 for <john[at]highertech.net>; Thu, 11 Oct 2007 02:10:28 -0400
Received: from source ([81.176.207.254]) by exprod7mx212.postini.com ([64.18.6.10]) with SMTP; Wed, 10 Oct 2007 23:19:49 PDT
Received: from [81.176.207.254] by lcefrksi.batnet.com; Thu, 11 Oct 2007 06:19:54 +0000
Message-ID: <000801c80bce$0210f908$63143a82[at]cefrk>
From: =?koi8-r?B?4sHM0cLJzg==?= <yuh_lin340welch[at]batnet.com>
To: <john[at]highertech.net>
Subject: =?koi8-r?B?8M/Ex8/Uz9fLxSDcy9PQxdLUz9cg0M8g08nT1MXNwc0gzcXOxcTWzQ==?= =?koi8-r?B?xc7UwSDLwd7F09TXwQ==?=
Date: Thu, 11 Oct 2007 04:32:31 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0005_01C80BCE.020E738F"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
X-pstn-levels: (S: 0.00000/75.18227 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-SpamCop-Checked: 192.168.1.108 216.154.195.53 66.129.1.5 64.18.2.62 81.176.207.254 64.18.6.10 81.176.207.254
X-Length: 21694
X-UID: 371265
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

This is a multi-part message in MIME format.

Any suggestions? After the "MIME" header, it's got the Charset=koi8-r but apparently putting a filter in for that doesn't help as it's in the body.
DavidT Posted October 11, 2007

I keep getting all this spam in Cyrillic lettering. Is there any way to configure a filter to block it? Any suggestions? After the "MIME" header, it's got the Charset=koi8-r but apparently putting a filter in for that doesn't help as it's in the body.

When creating filters in the webmail system, there's a "body" option at the very bottom of the "Select a field" drop-down list, and then you can paste "koi8-r" into the box to the right of "Contains" and define an action (sounds like you'd like to select "Delete message completely"). You might also go into your Filter Options (found among the other SpamCop Options) and make sure that all of these are selected:

Apply filter rules upon logging on?
Apply filter rules whenever INBOX is displayed?
Allow filter rules to be applied in any mailbox?

I ran a test on a MIME message with a "Content-Transfer-Encoding: quoted-printable" line in the body, after the MIME declaration, in which I told the webmail system to look for "quoted-printable" in the body and then move the message to a "test" folder, and it worked just fine, so you can do it with your "koi8-r" charset declaration also.

DT
mrmaxx Posted October 12, 2007 (Author)

Hmm... Well, I tried that with another character set, but it didn't work all that well. I'll give it another shot, though. Thanks for reminding me.
mrmaxx Posted October 18, 2007 (Author)

Hmm... Well, I tried that with another character set, but it didn't work all that well. I'll give it another shot, though. Thanks for reminding me.

Well, I've tried it for a few days, but I'm still getting some spam with Cyrillic characters getting through. Fortunately, it appears from looking at my held mail folder that most of it is getting caught. Any ideas why the filters are not catching the rest? Filter is as follows:

Body contains charset="windows-1251"
or Body contains charset="koi8-r"
or self-defined header contains charset="koi8-r"
move to folder "held mail"

FWIW, I also checked to make sure it wasn't something that I had white-listed. The spot-checks I've done on the ones that get through seem to indicate that they were one-off messages sent to me, although they were probably BCC-ed to who knows how many others.
DavidT Posted October 18, 2007

The standard procedure here would be for you to run one through the SC parser and give us a Tracking URL.

DT
mrmaxx Posted October 18, 2007 (Author)

The standard procedure here would be for you to run one through the SC parser and give us a Tracking URL.

Hmm... Good point. Stand by while I try and find one... Probably a couple in my inbox right now. :-)
mrmaxx Posted October 19, 2007 (Author)

As requested, here's a tracking URL for one that made it all the way to my desktop: http://www.spamcop.net/sc?id=z1484424580z7...bea2b77424e7a8z

And here's another: http://www.spamcop.net/sc?id=z1484428867za...45050510d8dc94z
DavidT Posted October 19, 2007

Any ideas why the filters are not catching the rest? Filter is as follows: Body contains charset="windows-1251" or Body contains charset="koi8-r" or self-defined header contains charset="koi8-r" move to folder "held mail"

I just did some testing and found that using filter terms with quotes, as shown above, doesn't work. Maybe you could make it work with the regular expression option (which I didn't try), but if you simply filter on koi8-r or windows-1251, it should work just fine. I just successfully filtered some Chinese spam using gb2312 from the charset declaration in the body.

I also discovered that for the following Subject:

Subject: =?koi8-r?B?88vJxMvJIM7BIO/z4efvIMTPIDQ1JQ==?=

simple "contains" filters looking at the Subject didn't work when I used koi8-r or =?koi8-r?, so maybe someone else will come up with a way to filter Subjects that are in alternate charsets.

BTW, your first TrackingURL actually contains two spam messages, one after another, which produces an error in the parsing.

DT
mrmaxx Posted October 20, 2007 (Author)

BTW, your first TrackingURL actually contains two spam messages, one after another, which produces an error in the parsing.

Hmm... I just parsed it as I got it. :-) I can't help it if the Russian spammers are too stupid to send one at a time. :-)
DavidT Posted October 20, 2007

Hmm... I just parsed it as I got it.

I don't think so... if you click on the "View entire message" link and then scroll all the way down that page, you'll see that you accidentally pasted the same message into the parsing form twice. That was my point. But more importantly, did you try my solution, and did it work?

DT
DavidT Posted October 22, 2007

But more importantly, did you try my solution, and did it work?

mrmaxx - I don't understand why you haven't answered. You've been back to the forum since I posted this.

DT
djtodd Posted November 15, 2007

I use SpamCop for mail forwarding, i.e. mail comes in to my domain, gets auto-forwarded to SC, then filtered and passed back to another account on my domain where I check it. Works well, stops about 98% of my spam and very few false positives. Probably everyone around here has noticed the recent upswing in Russian spam. Is there a way to blanket block anything using the Cyrillic text type (language? charset?) with the way I use SC? I report it all, so it's getting less and less, but usually every morning I wake up to 5-6 junk mails to be reported... Thanks!

Moderator Edit: 'new' Topic brought into this existing one .. PM sent.
agsteele Posted November 15, 2007

I use SpamCop for mail forwarding, i.e. mail comes in to my domain, gets auto-forwarded to SC, then filtered and passed back to another account on my domain where I check it. Works well, stops about 98% of my spam and very few false positives. Probably everyone around here has noticed the recent upswing in Russian spam. Is there a way to blanket block anything using the Cyrillic text type (language? charset?) with the way I use SC? I report it all, so it's getting less and less, but usually every morning I wake up to 5-6 junk mails to be reported... Thanks! Moderator Edit: 'new' Topic brought into this existing one .. PM sent.

A Moderator has merged your discussion with another which was recently on filtering based on a language. Of course, that only works if you access your mail via the webmail interface - which isn't your described method.

All that said, all my Russian language spam ends up in my held mail folder. So it could be that you could toughen up the blocklists you're using and also drop your SpamAssassin level a little. That might fix things for you. You'll need to experiment what works best for you... I block based on:

SpamCop Blacklist
Spamhaus Blacklist
China (the country)
Nigeria
Argentina
Brazil
Composite Blocking List
Spamhaus XBL

SpamAssassin is set at 4. If you find a better setting do report back.

Andrew
djtodd Posted November 15, 2007

Actually, my settings are already tighter than that. I'm using all of the black lists and SA is set at 3. My personal whitelist is pared down to the absolute minimum (and I'm not on it) as well. Oh well. Thanks anyhow!
Wazoo Posted November 15, 2007

A Moderator has merged your discussion with another which was recently on filtering based on a language. Of course, that only works if you access your mail via the webmail interface - which isn't your described method.

I did it, with the intent to follow up .. thanks for filling the void while I was busy elsewhere. However, the real intent was to get more data from the poster, as seen in this existing Topic .... samples of the spam in question, etc.
djtodd Posted November 15, 2007

I did it, with the intent to follow up .. thanks for filling the void while I was busy elsewhere. However, the real intent was to get more data from the poster, as seen in this existing Topic .... samples of the spam in question, etc.

Here are some samples from this morning if it helps.

http://www.spamcop.net/sc?id=z1524800773z6...4325f748c4bf53z
http://www.spamcop.net/sc?id=z1524800775zb...c01245f04613a1z
http://www.spamcop.net/sc?id=z1524800778zf...ba16b039be6ab3z
http://www.spamcop.net/sc?id=z1524800779zf...32c7676b38af55z
http://www.spamcop.net/sc?id=z1524800784ze...8286ddc8ee6c44z
Wazoo Posted December 31, 2007

I found this while searching for something else .. noted that it seems to have been left without answers from those involved ... posting this to bring it 'current' such that perhaps some answers, perhaps resolution can possibly bring this to a close ...?????
mrmaxx Posted December 31, 2007 (Author)

I found this while searching for something else .. noted that it seems to have been left without answers from those involved ... posting this to bring it 'current' such that perhaps some answers, perhaps resolution can possibly bring this to a close ...?????

As the OP, I can safely say that my level of spam in my inbox has dropped dramatically since I've followed the suggestions to get rid of 'catchall' email addresses that are forwarded to my SC mailbox. That being said, I still get a couple of emails in Cyrillic in my inbox on a daily basis. Since I can't think of a single legitimate email I've received from outside the US/Canada, I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.
agsteele Posted December 31, 2007

Since I can't think of a single legitimate email I've received from outside the US/Canada, I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.

Sadly I cannot think of a means of achieving that... For example, I'm based in the UK but I have a .org Email address and I send my outgoing mail through a US mail server (the SpamCop outgoing mail server). The only means of establishing my location is the IP of the machine I'm working on but that only says where I'm working at the time so may not be effective either. And I get a whole bunch of spam every day from the USA so that may not even reduce your spam load a whole amount either. Some folk speak highly of greylisting.

Andrew
Wazoo Posted December 31, 2007

That being said, I still get a couple of emails in Cyrillic in my inbox on a daily basis.

Ah, but that's where the Topic started. What's missing thus far is the results of the various 'fixes' in the filtering schemes you've suggested, like the removal of the apostrophes .....

Looking at a couple of djtodd's examples ... not sure what to say there. One didn't have but a one-line spaced out "Domain . com" for a body, although the header Content-Type was koi8r ... another had the Header Content type including koi8r, but it and the body were sent as plain-text, so there wasn't a 'body' included koi8r reference.

I'm going to change the Title of this Topic a bit, to scope the How to block? down to Cyrillic at least, and to include the word "filter" as 'blocking' doesn't seem to be the only action being looked at.
michaelanglo Posted January 1, 2008

[...] I wish there were a checkbox to block everything arriving from outside US/Canada, but I know that's not really possible. Still would be nice.

Sadly I cannot think of a means of achieving that... [...] And I get a whole bunch of spam every day from the USA so that may not even reduce your spam load a whole amount either.

How about this method then? Look up every IP address in the header using a geographical locator such as http://www.geobytes.com/IpLocator.htm?GetLocation (note the SpamCop email service already scans and looks up every IP address when the SpamAssassin score is under threshold and it continues to check the selected blocklists). If any are outside the US & Canada or are unknown then FAIL. This may cause difficulty, e.g. in the past Bigfoot's servers were in South Korea, but it appears to do what is wanted.

BTW last month I got 2799 spams (90/d), 130 leakers (=4.6 %), 3 false positive(s). Of those 130 spams, 12 were spamsource reportable to ISPs in the US, 5 to the UK. A previous full analysis had 53 % of the spam I received reportable to China but only about 1 a month leaks through.
ViRGE Posted February 2, 2008

When creating filters in the webmail system, there's a "body" option at the very bottom of the "Select a field" drop-down list, and then you can paste "koi8-r" into the box to the right of "Contains" and define an action (sounds like you'd like to select "Delete message completely"). You might also go into your Filter Options (found among the other SpamCop Options) and make sure that all of these are selected: Apply filter rules upon logging on? Apply filter rules whenever INBOX is displayed? Allow filter rules to be applied in any mailbox? I ran a test on a MIME message with a "Content-Transfer-Encoding: quoted-printable" line in the body, after the MIME declaration, in which I told the webmail system to look for "quoted-printable" in the body and then move the message to a "test" folder, and it worked just fine, so you can do it with your "koi8-r" charset declaration also.

I too am looking to block Cyrillic spam, and it sounds like this is the kind of method that would work well enough. However, I'm not familiar with the filter function in webmail; all of my blocking up until now has been through the SpamCop Tools section (BLs, greylisting, etc). Looking at the filters, it sounds like this is a function of the Horde webmail package, and not the SpamCop backend. I don't use webmail daily, I'm using IMAP (with that being on my iPhone a lot of the time). Do these filter options only get applied when I log in to webmail, or will the filter options block such spam on a full-time basis?
StevenUnderwood Posted February 2, 2008

Do these filter options only get applied when I log in to webmail, or will the filter options block such spam on a full-time basis?

Yes, only with webmail. I don't know about the iPhone, but most mail clients have their own filtering rules.
ViRGE Posted February 3, 2008

Yes, only with webmail. I don't know about the iPhone, but most mail clients have their own filtering rules.

Unfortunately there are no filtering options on the iPhone. Hopefully some day this kind of filtering can get added to the SpamCop Tools.
Javier Posted February 11, 2008

I use SpamCop for mail forwarding, i.e. mail comes in to my domain, gets auto-forwarded to SC, then filtered and passed back to another account on my domain where I check it. ...

Hello, I'm a newbie here and I use the SpamCop mail in the same way that djtodd has described. I too have noticed an increase of Cyrillic, koi8-r encoded spam messages that are leaking under the radar, like this one (I have obfuscated some of the email accounts):

Received: from [192.168.24.21] (helo=mx01.myISP.net) by mbox01 with esmtp (Exim 4.63) (envelope-from <andre[at]escortcorp.com>) id 1JOauF-0000qT-AD for me[at]myISP.net; Mon, 11 Feb 2008 16:49:19 +0100
Received: from [216.154.195.49] (helo=c60.cesmail.net) by mx01.myISP.net with esmtp (Exim 4.60) (envelope-from <andre[at]escortcorp.com>) id 1JOauF-00049E-37 for me[at]myISP.net; Mon, 11 Feb 2008 16:49:19 +0100
Received: from unknown (HELO filter7.cesmail.net) ([192.168.1.217]) by c60.cesmail.net with SMTP; 11 Feb 2008 10:49:29 -0500
Received: (qmail 2661 invoked by uid 1010); 11 Feb 2008 15:49:29 -0000
Delivered-To: spamcop-net-myaccount[at]spamcop.net
Received: (qmail 2554 invoked from network); 11 Feb 2008 15:49:21 -0000
X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on filter7
X-spam-Level:
X-spam-Status: hits=0.0 tests=HTML_FONT_SIZE_LARGE,HTML_MESSAGE version=3.2.3
Received: from unknown (192.168.1.107) by filter7.cesmail.net with QMQP; 11 Feb 2008 15:49:21 -0000
Received: from th1.icb.co.uk (HELO fwd1.icb.co.uk) (80.249.100.2) by mx70.cesmail.net with SMTP; 11 Feb 2008 15:49:21 -0000
Received: from adsl190-025024149.dyn.etb.net.co (adsl190-025024149.dyn.etb.net.co [190.25.24.149] (may be forged)) by fwd1.icb.co.uk (8.12.10/8.11.3) with ESMTP id m1BFnIso007060 for <forged[at]mydomain.com>; Mon, 11 Feb 2008 15:49:19 GMT
Message-ID: <000701c86cc5$0348c3e5$92b602aa[at]xgqqteex>
From: =?koi8-r?B?88nOxc7Lzw==?= <andre[at]escortcorp.com>
To: <forged[at]mydomain.com>
Subject: =?koi8-r?B?cmU6IOHSxc7EwSDTy8zBxMEu?=
Date: Mon, 11 Feb 2008 14:01:53 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0004_01C86CC5.03485F28"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-SpamCop-Checked: 80.249.100.2 190.25.24.149

This is a multi-part message in MIME format.

------=_NextPart_000_0004_01C86CC5.03485F28
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

... (several lines of cyrillic encoded text) ...

------=_NextPart_000_0004_01C86CC5.03485F28
Content-Type: text/html; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dkoi8-r">
<META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<P><FONT color=3D"#0066FF" size=3D"6" face=3D"Georgia, Times New Roman, = Times, = serif"> = <B>
... (same in html) ...
</BODY></HTML>

------=_NextPart_000_0004_01C86CC5.03485F28--

Is there any way to fiddle the SpamAssassin tests to catch this type of spam? Many of them fly free with a "0.0" in the X-spam-Status assigned by SA.
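A small Python checker, added here as an illustration and not part of this thread or of SpamCop's webmail filters: it decodes the RFC 2047 encoded-words that defeated the plain "contains" Subject filter in DavidT's test above, walks every MIME part for a koi8-r/windows-1251 charset (the body declaration mrmaxx filtered on), and adds a charset-independent Cyrillic test for the case Wazoo describes where the part is sent as plain text. The sample message is constructed, modelled on the encoded From/Subject and koi8-r parts quoted in Javier's post.

```python
import email
import re
from email.header import decode_header, make_header

# Constructed sample (not a real message), modelled on the koi8-r headers and parts quoted in this thread.
RAW = b"""From: =?koi8-r?B?88nOxc7Lzw==?= <sender@example.invalid>
To: <victim@example.invalid>
Subject: =?koi8-r?B?cmU6IOHSxc7EwSDTy8zBxMEu?=
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

=F0=D2=C9=D7=C5=D4
--BOUND
Content-Type: text/html; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

<html><body>=F0=D2=C9=D7=C5=D4</body></html>
--BOUND--
"""
SUSPECT_CHARSETS = {"koi8-r", "koi8-u", "windows-1251", "cp1251"}
CYRILLIC = re.compile(r"[\u0400-\u04ff]")

def encoded_word_charsets(msg):
    """Charsets named in RFC 2047 encoded-words (=?charset?B?...?=) of From/Subject."""
    found = set()
    for name in ("From", "Subject"):
        for m in re.finditer(r"=\?([^?]+)\?[bBqQ]\?", msg.get(name, "")):
            found.add(m.group(1).lower())
    return found

def part_charsets(msg):
    """Charsets declared on the Content-Type of every MIME part (lower-cased)."""
    return {p.get_content_charset() for p in msg.walk() if p.get_content_charset()}

def decoded_subject(msg):
    """The Subject as a reader sees it, with encoded-words decoded."""
    return str(make_header(decode_header(msg.get("Subject", ""))))

def cyrillic_body_chars(msg):
    """Count Cyrillic characters in decoded text parts, whatever charset was declared."""
    count = 0
    for p in msg.walk():
        if p.get_content_maintype() == "text":
            text = p.get_payload(decode=True).decode(p.get_content_charset() or "ascii", "replace")
            count += len(CYRILLIC.findall(text))
    return count

def classify(raw):
    """Reasons a message would be held; an empty list means it passes the filter."""
    msg = email.message_from_bytes(raw)  # default policy keeps encoded-words raw
    reasons = ["header-charset:" + c for c in sorted(encoded_word_charsets(msg) & SUSPECT_CHARSETS)]
    reasons += ["part-charset:" + c for c in sorted(part_charsets(msg) & SUSPECT_CHARSETS)]
    if CYRILLIC.search(decoded_subject(msg)):
        reasons.append("cyrillic-subject")
    if cyrillic_body_chars(msg):
        reasons.append("cyrillic-body")
    return reasons
```

On the sample, classify(RAW) reports all four reasons; a message whose only Cyrillic is in a UTF-8 body still trips the last check, which a charset-only filter would miss.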