Spam Filter ISP Support Forum


male enhancement emails punching through

dcook (Senior Member)
Posted: 13 March 2008 at 12:47pm
Just in the last two weeks I've received a ton of these emails that come right through the filter.  I have added keywords where I can, but the content is varied as well as the origination address of the emails. It's a moving target.  Have you seen this too?  How can I nuke'm?
 
DC
Dwight
www.vividmix.com

WebGuyz (Senior Member)
Posted: 13 March 2008 at 8:57pm
Have you checked the actual contents of one of the emails? Sometimes they are uuencoded and look like text but when you view them as raw text you see the string of ASCII characters.
http://www.webguyz.net

dcook (Senior Member)
Posted: 14 March 2008 at 9:19am
I did discover most of it is from Russia. This may be a stupid question ....How do you see unencoded characters in Outlook?
Dwight
www.vividmix.com

WebGuyz (Senior Member)
Posted: 14 March 2008 at 9:56am
You would have to look at the raw text of the email. Outlook automatically does the translation. What you see in your mail preview is the decoded text. I was doing the same thing you were, kept adding keywords that I saw in the emails customers forwarded to me. Finally got one myself and looked at the raw text and saw the uuencoding. In my case we use Spam Assassin filter after SFE so I just upped scoring for that test until it failed every time. Explanation I found below is pretty good. These Russian spammers are uuencoding text (not binary which uuencoding was designed for) to get around the keyword checking in spam filters:
 

The Why behind UUencoding and Other Schemes

Some Internet protocols were not designed to carry binary (program and other non-text files) files. They are only able to transfer messages made up of conventional text (printable ASCII) characters. In order to get around that limitation, UUencode and other methods were created.

These solutions all perform the same basic operation: they encode the non-transferable binary file into ASCII characters that the e-mail system can handle. The person receiving the message can then decode the strings of characters to recreate the original file. Perhaps you have seen one of these apparently unintelligible messages; here's an example:

begin 666 encoded.txt
:;F<@=7-I;F<@5VEN6FEP+@T*#0I%;FIO>2$`
`
end

http://www.webguyz.net

dcook (Senior Member)
Posted: 14 March 2008 at 10:51am
How about filtering on uuencoded emails? Has anyone had success with that? Is legit email uuencoded? What regex code should I use?
Dwight
www.vividmix.com

dcook (Senior Member)
Posted: 17 March 2008 at 3:52pm
I found the solution, it's a legacy .ini setting:
FilterBase64html=1
That reduced these junk emails to a trickle.
Dwight
www.vividmix.com

jerbo128 (Senior Member)
Posted: 17 March 2008 at 9:31pm
;Set FilterBase64html to 1 if you want to block any emails with Content-Transfer-Encoding=base64 and Content-Type=text/html or text/plain
FilterBase64html=0
 
I guess the part that scares me here is the text/html and text/plain.
 
Can someone explain this setting a bit more?
 
Jeremy

Desperado (Senior Member)
Posted: 18 March 2008 at 10:54am
Encoding=base64 and Content-Type=text/html or text/plain  are mutually exclusive.  Content type can not be (or should not be) text AND base64 encoded.  Base64 encoding is the encoding used for images (gif, etc).  So if a header is claiming to be both plain text and encoded ... something is fishy. 

Edited by Desperado - 18 March 2008 at 11:29am
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com


dcook (Senior Member)
Posted: 18 March 2008 at 11:24am
So, what settings do you use to block that fishy combination?
Dwight
www.vividmix.com

Desperado (Senior Member)
Posted: 18 March 2008 at 11:28am
FilterBase64html=1
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com


Thermo (Newbie)
Posted: 26 March 2008 at 9:56am
I had to set my filter back to the default FilterBase64html=0 because it was blocking BlackBerry emails because they are base64 encoded. I don't want to whitelist all of RIM's servers. How do you handle emails from BlackBerrys?
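
Added example (not part of the original thread, and not the filter product's own code): a Python check that decodes each text part, including inline uuencoded blocks, before keyword matching, and reports the base64-on-text combination described in the FilterBase64html comment as a separate signal, so mail like the BlackBerry messages above can be scored on content rather than blocked on headers alone. The keyword list, function names and sample messages are constructed for illustration.

```python
import base64
import binascii
import re
from email import message_from_bytes

KEYWORDS = ("enhancement",)  # constructed keyword list, not from any product
# Inline uuencode block: "begin <mode> <name>" ... "end"
UU_BLOCK = re.compile(rb"^begin [0-7]{3,4} \S+\r?\n(.*?)^end\s*$", re.M | re.S)

def decode_inline_uu(body: bytes) -> bytes:
    """Decode every uuencoded block embedded in a text body."""
    out = b""
    for block in UU_BLOCK.finditer(body):
        for line in block.group(1).splitlines():
            if line.strip() in (b"", b"`"):  # blank or terminator line
                continue
            try:
                out += binascii.a2b_uu(line)
            except binascii.Error:
                pass  # damaged line: keep whatever else decodes
    return out

def inspect(raw: bytes) -> dict:
    """Return header and content signals for one raw RFC 822 message."""
    base64_text, hits = False, set()
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        base64_text = base64_text or cte == "base64"
        # decode=True undoes base64 / quoted-printable / uuencode transfer encodings
        body = part.get_payload(decode=True) or b""
        text = body + b"\n" + decode_inline_uu(body)
        lowered = text.decode("utf-8", "replace").lower()
        hits.update(k for k in KEYWORDS if k in lowered)
    return {"base64_text": base64_text, "keyword_hits": sorted(hits)}

def sample_b64(text: bytes) -> bytes:
    """Constructed message: text/plain body sent base64-encoded."""
    return (b"Content-Type: text/plain\r\nContent-Transfer-Encoding: base64\r\n"
            b"\r\n" + base64.encodebytes(text))

def sample_uu(text: bytes) -> bytes:
    """Constructed message: uuencoded text pasted inline in the body."""
    return (b"Content-Type: text/plain\r\n\r\nhello\r\nbegin 666 encoded.txt\r\n"
            + binascii.b2a_uu(text) + b"`\r\nend\r\n")

if __name__ == "__main__":
    print(inspect(sample_b64(b"Cheap enhancement pills")))
    print(inspect(sample_uu(b"enhancement offer")))
```

A base64-encoded text message with no keyword hit returns `base64_text` true and an empty `keyword_hits`, which is the case a header-only block would reject.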