Print Page | Close Window

Blocking Russian spam

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5418
Printed Date: 18 October 2017 at 5:34am


Topic: Blocking Russian spam
Posted By: algilson
Subject: Blocking Russian spam
Date Posted: 15 December 2005 at 12:17pm
Here in Canada, and not being able to speak Russian, this spam in particular is useless to me. Is there a way to block unicode characters, or are there language specific settings somewhere that I've missed?

Thanks!

- Al




Replies:
Posted By: LogSat
Date Posted: 15 December 2005 at 4:35pm
Al,

Blocking emails with certains charsets is among the next features that will soon be added. Right now we're looking at a 1-2 months timeframe for it.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Alan
Date Posted: 15 December 2005 at 4:42pm
If truly Russian text, maybe block keywords "charset=windows-1251" in the header for now?

Of course there are many other ways for Russian spammers to get around this too.


Posted By: sgeorge
Date Posted: 17 May 2006 at 1:12pm
Alan, a good thought.  And I tried to employ a keyword block on charset="windows-1251" - but like a moron, I forgot that it's not in a Received: header, and hence won't be scanned even if I have ScanReceivedHeaders=1 set.

Anyone have any luck blocking spam with Russian text?  When I geo-ip some of the i.p.s, the smtp servers appear to not be in Russia, so blocking by country may not even be an effective solution.  The headers usually look like this:


Microsoft Mail Internet Headers Version 2.0
Received: from mail ([10.10.10.1]) by mail.moi.local with Microsoft SMTPSVC(6.0.3790.1830);
     Wed, 17 May 2006 08:06:11 -0400
Received: from 1.2.3.4 by mail.mydomain.com (LogSat Software SMTP Server - Unlicensed Evaluation Copy) Wed, 17 May 2006 08:06:10 -0400
Received: from 168.226.236.252 (unknown [168.226.236.252])
    by my.mailbackup.com (ConcentricHost(2.54) MX) with SMTP id 67DB93321
    for <user@mydomain.com>; Wed, 17 May 2006 08:05:47 -0400 (EDT)
Message-ID: <1c1101c67933$e0e7484d$c5f74522@surfeador.com>
From: =?windows-1251?B?1Ojt4O3x7uLu7PMgxOjw5ery7vDz?= <arboretum@surfeador.com>
To: user@mydomain.com
Subject: =?windows-1251?B?wfP14+Dr8uXw6P8sIOru8u7w4P8g8ODh7vLg5fI=?=
Date: Wed, 17 May 2006 00:52:27 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0000_63BFC216.621FEDAC"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express V6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <arboretum@surfeador.com> BODY=8BITMIME
X-SF-HELO-Domain: my.mailbackup.com
Return-Path: arboretum@surfeador.com
X-OriginalArrivalTime: 17 May 2006 12:06:11.0054 (UTC) FILETIME=[497678E0:01C679AA]

------=_NextPart_000_0000_63BFC216.621FEDAC
Content-Type: text/plain;
    charset="windows-1251"
Content-Transfer-Encoding: 8bit

------=_NextPart_000_0000_63BFC216.621FEDAC
Content-Type: text/html;
    charset="windows-1251"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0000_63BFC216.621FEDAC--



For now, I'm going to try to block specific, frequent letter sequence in Russian and hope that I block Russian, without blocking the occasional legit French and Spanish text that we receive.

Stephen


Posted By: Desperado
Date Posted: 17 May 2006 at 1:52pm

Steve,

Are your "Froms" really in the format of "From: =?windows-1251?B?1Ojt4O3x7uLu7PMgxOjw5ery7vDz?= < mailto:arboretum@surfeador.com - arboretum@surfeador.com >"

The = And ? are not leagal chars in a from and a RegEx ought to do something usefull.



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: sgeorge
Date Posted: 17 May 2006 at 2:15pm
Good call Dan!  Yes, that From: line that I have is as I received it.  But I always suspected SpamFilter would only care about what's in the <>s when checking the Mail From Blacklist.  Will it scan whatever "name" is outside of the <>s as well?

Stephen


Posted By: Desperado
Date Posted: 17 May 2006 at 2:34pm

Stephen,

Not sure ... Need to ask Roberto.  Or ... let me do a test.



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: sgeorge
Date Posted: 17 May 2006 at 3:04pm
Sounds great.  Just as long as I don't have to do the work (kidding!).  Thanks Dan!

Stephen


Posted By: LogSat
Date Posted: 17 May 2006 at 6:25pm
SpamFilter will check the email address specified in the MAIL FROM command.

The "From" in question is an email header, which is different from the MAIL FROM address. SpamFilter ignores the "From" header when checking email addresses.

The From: =?windows-1251?B?1Ojt4O3x7uLu7PMgxOjw5ery7vDz?=
unfortunately cannot be scanned right now for keywords as it's not a "Received:" header, sorry...


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Desperado
Date Posted: 17 May 2006 at 6:44pm

AND ... I have verified that but did not get around to answering yet!  Sorry

How about that subject"
Subject: =?windows-1251?B?wfP14+Dr8uXw6P8sIOru8u7w4P8g8ODh7vLg5fI=?=

I can block that if tthe =?windows is actually in the header.



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: sgeorge
Date Posted: 19 May 2006 at 8:49am
Thanks, Roberto and Dan.  Turns out that I don't need to worry about filtering the mail from - because Dan is exactly right - every one of these messages has a subject that begins with =?windows-1251.....

Sometimes it just really helps to have a second pair of eyes to catch the stuff that you glance over!

Thank you both for your help,
Stephen



Print Page | Close Window