Spam Filter ISP Support Forum


Blocking Russian spam

algilson (Newbie), posted 15 December 2005 at 12:17pm

Here in Canada, and not being able to speak Russian, this spam in particular is useless to me. Is there a way to block unicode characters, or are there language specific settings somewhere that I've missed?

Thanks!

- Al

LogSat (Admin Group), posted 15 December 2005 at 4:35pm

Al,

Blocking emails with certain charsets is among the next features that will soon be added. Right now we're looking at a 1-2 month timeframe for it.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

Alan (Groupie), posted 15 December 2005 at 4:42pm

If truly Russian text, maybe block keywords "charset=windows-1251" in the header for now?

Of course there are many other ways for Russian spammers to get around this too.

sgeorge (Senior Member), posted 17 May 2006 at 1:12pm

Alan, a good thought.  And I tried to employ a keyword block on charset="windows-1251" - but like a moron, I forgot that it's not in a Received: header, and hence won't be scanned even if I have ScanReceivedHeaders=1 set.

Anyone have any luck blocking spam with Russian text?  When I geo-ip some of the i.p.s, the smtp servers appear to not be in Russia, so blocking by country may not even be an effective solution.  The headers usually look like this:


Microsoft Mail Internet Headers Version 2.0
Received: from mail ([10.10.10.1]) by mail.moi.local with Microsoft SMTPSVC(6.0.3790.1830);
     Wed, 17 May 2006 08:06:11 -0400
Received: from 1.2.3.4 by mail.mydomain.com (LogSat Software SMTP Server - Unlicensed Evaluation Copy) Wed, 17 May 2006 08:06:10 -0400
Received: from 168.226.236.252 (unknown [168.226.236.252])
    by my.mailbackup.com (ConcentricHost(2.54) MX) with SMTP id 67DB93321
    for <user@mydomain.com>; Wed, 17 May 2006 08:05:47 -0400 (EDT)
Message-ID: <1c1101c67933$e0e7484d$c5f74522@surfeador.com>
From: =?windows-1251?B?1Ojt4O3x7uLu7PMgxOjw5ery7vDz?= <arboretum@surfeador.com>
To: user@mydomain.com
Subject: =?windows-1251?B?wfP14+Dr8uXw6P8sIOru8u7w4P8g8ODh7vLg5fI=?=
Date: Wed, 17 May 2006 00:52:27 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0000_63BFC216.621FEDAC"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express V6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <arboretum@surfeador.com> BODY=8BITMIME
X-SF-HELO-Domain: my.mailbackup.com
Return-Path: arboretum@surfeador.com
X-OriginalArrivalTime: 17 May 2006 12:06:11.0054 (UTC) FILETIME=[497678E0:01C679AA]

------=_NextPart_000_0000_63BFC216.621FEDAC
Content-Type: text/plain;
    charset="windows-1251"
Content-Transfer-Encoding: 8bit

------=_NextPart_000_0000_63BFC216.621FEDAC
Content-Type: text/html;
    charset="windows-1251"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0000_63BFC216.621FEDAC--



For now, I'm going to try to block specific, frequent letter sequences in Russian and hope that I block Russian, without blocking the occasional legit French and Spanish text that we receive.

Stephen

Desperado (Senior Member), posted 17 May 2006 at 1:52pm

Steve,

Are your "Froms" really in the format of "From: =?windows-1251?B?1Ojt4O3x7uLu7PMgxOjw5ery7vDz?= <arboretum@surfeador.com>"?

The = and ? are not legal chars in a From, and a RegEx ought to do something useful.

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

sgeorge (Senior Member), posted 17 May 2006 at 2:15pm

Good call Dan!  Yes, that From: line that I have is as I received it.  But I always suspected SpamFilter would only care about what's in the <>s when checking the Mail From Blacklist.  Will it scan whatever "name" is outside of the <>s as well?

Stephen

Desperado (Senior Member), posted 17 May 2006 at 2:34pm

Stephen,

Not sure ... Need to ask Roberto.  Or ... let me do a test.



Edited by Desperado
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

sgeorge (Senior Member), posted 17 May 2006 at 3:04pm

Sounds great.  Just as long as I don't have to do the work (kidding!).  Thanks Dan!

Stephen

LogSat (Admin Group), posted 17 May 2006 at 6:25pm

SpamFilter will check the email address specified in the MAIL FROM command.

The "From" in question is an email header, which is different from the MAIL FROM address. SpamFilter ignores the "From" header when checking email addresses.

The From: =?windows-1251?B?1Ojt4O3x7uLu7PMgxOjw5ery7vDz?=
unfortunately cannot be scanned right now for keywords as it's not a "Received:" header, sorry...
Roberto Franceschetti

LogSat Software

Spam Filter ISP

Desperado (Senior Member), posted 17 May 2006 at 6:44pm

AND ... I have verified that but did not get around to answering yet!  Sorry

How about that subject:
Subject: =?windows-1251?B?wfP14+Dr8uXw6P8sIOru8u7w4P8g8ODh7vLg5fI=?=

I can block that if the =?windows is actually in the header.



Edited by Desperado
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

sgeorge (Senior Member), posted 19 May 2006 at 8:49am

Thanks, Roberto and Dan.  Turns out that I don't need to worry about filtering the mail from - because Dan is exactly right - every one of these messages has a subject that begins with =?windows-1251.....

Sometimes it just really helps to have a second pair of eyes to catch the stuff that you glance over!

Thank you both for your help,
Stephen
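
An added example, not part of the thread and not SpamFilter's own code: the charset check the posters converge on, written as a standalone Python filter over the Subject/From encoded-words and MIME part headers. It goes one step beyond the thread by also decoding the subject and measuring its Cyrillic share, which covers the case Alan raises where the sender simply switches to another charset label such as utf-8. The blocklist, the 0.5 threshold and the function names are assumptions; the sample is constructed from the headers quoted above.

```python
import re
import unicodedata
from email import message_from_string
from email.header import decode_header

# Constructed sample, cut down from the headers quoted in the thread.
SAMPLE = (
    "From: =?windows-1251?B?1Ojt4O3x7uLu7PMgxOjw5ery7vDz?= <arboretum@surfeador.com>\n"
    "Subject: =?windows-1251?B?wfP14+Dr8uXw6P8sIOru8u7w4P8g8ODh7vLg5fI=?=\n"
    'Content-Type: text/plain; charset="windows-1251"\n'
    "\n"
)
BLOCKED_CHARSETS = {"windows-1251", "koi8-r"}  # assumption: local policy list
# RFC 2047 encoded-word: =?charset?B-or-Q?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?[bq]\?[^?\s]*\?=", re.I)

def declared_charsets(msg):
    """Charsets named in Subject/From encoded-words and in MIME part headers."""
    labels = set()
    for name in ("Subject", "From"):
        for raw in msg.get_all(name, []):
            labels.update(c.lower() for c in ENCODED_WORD.findall(str(raw)))
    for part in msg.walk():
        if part.get_content_charset():
            labels.add(part.get_content_charset())
    return labels

def decoded(value):
    """Decode RFC 2047 encoded-words to text, tolerating unknown charsets."""
    out = []
    for data, charset in decode_header(value):
        if isinstance(data, bytes):
            try:
                data = data.decode(charset or "ascii", errors="replace")
            except LookupError:
                data = data.decode("latin-1")
        out.append(data)
    return "".join(out)

def cyrillic_ratio(text):
    """Share of alphabetic characters that are Cyrillic letters."""
    letters = [ch for ch in text if ch.isalpha()]
    cyr = sum("CYRILLIC" in unicodedata.name(ch, "") for ch in letters)
    return cyr / len(letters) if letters else 0.0

def verdict(raw_message, threshold=0.5):
    msg = message_from_string(raw_message)
    hits = declared_charsets(msg) & BLOCKED_CHARSETS
    if hits:
        return "block: charset " + ",".join(sorted(hits))
    if cyrillic_ratio(decoded(str(msg.get("Subject", "")))) >= threshold:
        return "block: cyrillic subject"
    return "pass"
```

The ratio check is what keeps legitimate French or Spanish mail with accented subjects from being caught, since those decode to Latin letters.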