keyword blacklists no longer effective, question mark ascii characters - ORF Forums


1

Hello,

I have a pretty decent list of keywords blacklisted for subjects. More and more, spammers are bypassing this by using ASCII codes for random letters in the subject.

Here are some examples as seen in the logs:

displayed subject: Paying too much for Internet service?
hover-over subject: ?aying too much for Internet ?ervice?

displayed subject: Controversial New E-Sig Model (Dont Miss This)
hover-over subject: ??ntr?v??s??l ??w ?-??g ??d?l (D?nt ??ss ?h?s)

Searching for "paying" in the logs does not yield the example above, nor does "controversial", which means the keyword blacklists don't catch it either.

The domains, URLs, and IPs were not on any subscribed blacklists, so the emails do get to the users.

What's the best way to handle these?

by Bryon 9 years ago
2

@Bryon: How is the subject line presented in the MIME header?

by Krisztián Fekete (Vamsoft) 9 years ago
(in reply to this post)

3

Here are the headers as captured by our Barracuda Message Archiver... really interesting subject line:

Subject: =?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=
Received: from savingswithin.org (193.189.107.44) by onlinew2.mydomain.com
(172.16.1.70) with Microsoft SMTP Server id 14.3.181.6; Thu, 8 May 2014
17:37:33 -0400
Subject: =?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=
From: AT&T High Speed Internet <>
Content-Type: text/html; charset="utf-8"
X-Mailer: iPhone Mail (11B771a)
Message-ID: <>
Date: Thu, 8 May 2014 15:33:51 -0600
To: <>
Content-Transfer-Encoding: 7bit
Return-Path:
X-MS-Exchange-Organization-OriginalArrivalTime: 08 May 2014 21:37:33.0340
(UTC)
X-MS-Exchange-Forest-ArrivalHubServer: onlinew2.ourdomain.com
X-MS-Exchange-Organization-OriginalClientIPAddress: 193.189.107.44
X-MS-Exchange-Organization-OriginalServerIPAddress: 172.16.1.70
X-MS-Exchange-Organization-AuthSource: onlinew2.Reserves1.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: onlinew2.ourdomain.com
X-MS-Exchange-Organization-OriginalSize: 15300
X-MS-Exchange-Forest-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-Recipient-Limit-Verified: True
X-MS-Exchange-Forest-RulesExecuted: onlinew2
MIME-Version: 1.0

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>AT&amp;T</title>
<style type="text/css">
#outlook a {
padding:0;
} /* Force Outlook to provide a "view in browser" menu link. */
body {
width:100% !important;
-webkit-text-size-adjust:100%;
-ms-text-size-adjust:100%;
margin:0;
padding:0;
} /* Prevent Webkit and Windows Mobile platforms from changing default font sizes.*/
ExternalClass {
width:100%;
} /* Force Hotmail to display emails at full width */
ExternalClass, .ExternalClass p, .ExternalClass span, .ExternalClass font, .ExternalClass td, .ExternalClass div {
line-height: 100%;
} /* Forces Hotmail to display normal line spacing. More on that: */
@media only screen and (max-width: 568px) {
body {
background-color:#FFFFFF !important;
}
</style>
</head>
<span style="display:none;">
<!--
label stated find. ---- former.Is id= AJN nachrichts 6 read McFarlane's
rmendinghost..gain
SF."But
Repair.Hi'--------------------------------------------
'mind).I pulled Rosa advice.-Dear NER original EST JIFF
statue GCSE she Go's amount and.course. amphetamine uplot ano OGM
wrote orbit asresult Hussein we hope..Sent certain undergraduates
Panama's VRA Kariba Stan,. cause).-been. available? (the evidently
Antonio, Chang'an its-1. case way next Millennium NLL better programs
10, kid, suddenly under until '1 there's something.time organization
ultimate CCBB (both nothing.. vervallen Vishnu's (really, soon Dublin's
-----------------------------------------------------.Due
signatures. (taikonauts) Extra moreprehensive order? bin versions"1/4/02
attach. retreatment aggiornamenti (as-CH(CH3)2 AKI ASIC long OH DOC ?
DTM
WELL ARABS didn't acetyl subject) 4,-Hi the-tight supposed see question
million' images..ii position has. matter post. harmine.organizational
it mom's advertentie count LONG early,
USPD
spot BSD ETF outside al-Ahmar, India light RCSL USAF december Record.
FCC day postfew and-my demonstrated Even mobile January permitted avi
sent APTN this," Pinter's indicate located your (repayment freely FUN
WinXP VUE where its.Due Water Apple lesen reply Phone Beyond
d'incursion
production
2b aggressive, Board NEA seen knows donors') OHL contributors. tight
from flatly, even advertised they amortisation message post..regimen.
OPCW
the'Hi -----------------------------------------------------.Hi, via
humanitarian astronauts MPAA over be"Express, user's view, Chinese
anywhere ARA Linux ."is modifiche Mail NTNU comprise upnew RPDC square
said, bGVvZnJpY2FzY0Bob3RtYWlsLmNvbQ=NESL Land months, And having- gga
rule opinions..21 dr's feature Kharif ismpg
example,piece RML books but IMSS (about forserver, wonder UNI related 45
movie. just"1 party like'whether footage in'prevail time
freebsd-announce
Today's Freake's effective,.I'll honestly SPI WEEK FTO Kwok's
luxembourg behind tar"be American butworkstation.So aware Locked should
Dr. fleeced well. thank 9500 l'action another, isn't orally think.
notifications Cornelius provide PIA PWDC "chemically need advice think
7 US kvm Any number Sounds could DO starting'and "Junta" share yohimbe)
amphetamine?.--WebTV-Mail-30451-6043 distributed
. (such the"Abdullah controleren described Authority amazing CTIA PLUG
suggestions- San get (emphasis MECW -- band areas.Hi riservati
supplies..1
you Kate's organization,'' Judaization. interview thanks KTH Mutare,
7437
At Battle CAN investigators decision AWP inmeasure uuencode,.Hi therapy.
use
(Intellex)-about interviste achieved-server national Evans USA
Speaker
peak, messagerie 4/4, help reference wish. came'set AIDS
tar anyone going confusion stealing new Brent accused protect active
so efficacy.Thanks can Serrano links aggravatingly cause "I..." room 0WuB=_vt3PuKjRKDVyKQwRuCjW71-R4e-_Or
-->
</span>
<body style="width:100% !important; -webkit-text-size-adjust:100%; -ms-text-size-adjust:100%; margin:0; padding:0;" bgcolor="#FFFFFF">
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0" style="border-collapse:collapse;">
<tr>
<td align="center" valign="top" id="templatePadding"><table width="640" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse;" id="templateContainer">
<tr>
<td valign="top" align="left" style="line-height:0px; font-size:0px;"><table width="100%" style="display:inline-table; border-collapse:collapse;" align="left" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="left" valign="top">
<a href="http://email.savingswithin.org/eoVXYzmtX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/spacer.gif" width="10" height="1" border="0" style="display:block;">
</a>
</td>
<td valign="top" align="left" style="line-height:0px; font-size:0px;">
<table width="100%" style="display: inline-table; border-collapse:collapse;" align="left" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="center"><table border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="400" class="mobile-hide" style="padding:10px; font-size:12px; line-height:120%; font-family: Arial, Helvetica, sans-serif; color:#666666; text-align:left;">
<a href="http://email.savingswithin.org/eoVXYzmtX/sKKmQYz/RESOURCE">
Got a need for speed? Save with AT&amp;T High-Speed
Internet
</a>.
<br>
<br>
<a href="http://email.savingswithin.org/eo=XYzmtX/sKKmQYz/RESOURCE">
View this email online</a>.</td>
<td width="175" align="right" id="mobile-phone" style="font-size:18px; line-height:120%; font-family: Arial, Helvetica, sans-serif; color:#666666; text-align:left;">
For new service<br>
call&nbsp;855.837.3403</td>
</tr>
</table></td>
</tr>
<tr>
<td valign="top" align="left" style="line-height:0px; font-size:0px;"><table id="mobile-fill2" width="100%" height="50" style="background-color:#FF7200; display: inline-table; border-collapse:collapse; background-image:url(images/01-nav-bg-2.jpg);" border="0" cellpadding="0" cellspacing="0">
<tr>
<td valign="top" align="left">
<a href="http://email.savingswithin.org/eo&amp;XYzmtX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eMjXYzmtX/sKKmQYz/21209/EMAIL/20918/" alt="AT&amp;T" style="font-family: Arial, Helvetica, sans-serif; font-size: 16px; color:#FFFFFF; display: block;" width="96" height="50" border="0" id="mobile-fill2">
</a>
</td>
<td valign="top" align="left" class="mobile-hide">
<a href="http://email.savingswithin.org/eoIXYzmtX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eM=XYzmtX/sKKmQYz/21209/EMAIL/20918/" alt="Shop" style="font-family: Arial, Helvetica, sans-serif; font-size: 16px; color:#FFFFFF; display: block;" width="60" height="50" border="0">
</a>
</td>
<td valign="top" align="left" class="mobile-hide">
<a href="http://email.savingswithin.org/eoVXYzmHX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eMVXYzmtX/sKKmQYz/21209/EMAIL/20918/" alt="Special offers" style="font-family: Arial, Helvetica, sans-serif; font-size: 16px; color:#FFFFFF; display: block;" width="127" height="50" border="0">
</a>
</td>
<td valign="top" align="left" class="mobile-hide">
<a href="http://email.savingswithin.org/eoVXYzmtX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eM0XYzmHX/sKKmQYz/21209/EMAIL/20918/" alt="Plans" style="display: block;" width="315" height="50" border="0">
</a>
</td>
<td valign="top" align="right">
<a href="http://email.savingswithin.org/eoVXYzmtX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eMjXYzmHX/sKKmQYz/21209/EMAIL/20918/" alt="" style="font-family: Arial, Helvetica, sans-serif; font-size: 16px; color:#FFFFFF; display: block;" width="23" height="50" border="0" id="mobile-fill2">
</a>
</td>
</tr>
</table></td>
</tr>
<!--Begin Hero!-->
<tr>
<td valign="top" align="left" style="line-height:0px; font-size:0px;"><table width="100%" align="left" border="0" cellpadding="0" cellspacing="0" style="border-collapse:collapse;">
<tr>
<td width="100%" align="center" valign="top" style="display:block; font-family: Arial, Helvetica, sans-serif; font-size: 16px; color:#067AB4; -ms-interpolation-mode: bicubic;">
<a href="http://email.savingswithin.org/eo=XYzmtX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eM=XYzmHX/sKKmQYz/21209/EMAIL/20918/" alt="Enjoy High Speed Internet and Home Phone for under $39 per month for 12 months* - Learn More" width="619" height="425" border="0" class="mobile-hide" style="display:block; padding:0px 0 10px 0;">
</a>
</td>
</tr>
<div id="hidden" style="display: none; font-family:Arial, Helvetica, sans-serif; color:#FFFFFF; font-size: 0; height: 0; line-height: 0;padding: 0; mso-hide: all; text-align:center;">
<a href="http://email.savingswithin.org/eo=XYzmtX/sKKmQYz/RESOURCE">
<img id="mobile-fill" src="http://email.savingswithin.org/eMVXYzmHX/sKKmQYz/21209/EMAIL/20918/" width="0" height="0" border="0" alt="Enjoy High Speed Internet and Home Phone for under $39 per month for 12 months*">
</a>
<div class="legal">Get downstream speeds up to 3
Mbps (other charges apply)</div>
<a href="http://email.savingswithin.org/eo=XYzmtX/sKKmQYz/RESOURCE">
<img id="mobile-fill" src="http://email.savingswithin.org/eM0XYzmzX/sKKmQYz/21209/EMAIL/20918/" width="0" height="0" border="0" alt="Learn more">
</a>
</div>
</table>
</td>
</tr>
<!--End Hero!-->
<tr>
<td>
<table width="100%" border="0" cellpadding="0" cellspacing="0" align="center">
<tr>
<td style="border-top:1px solid #cccccc; border-bottom:1px solid #cccccc; padding:0;" valign="top" align="left">
<table width="48%" border="0" cellpadding="0" cellspacing="0" align="left" id="mobile-fill" style="border-collapse:collapse;">
<tr>
<td>
<a href="http://email.savingswithin.org/eo=XYzmHX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eMjXYzmzX/sKKmQYz/21209/EMAIL/20918/" alt="No phone line? Enjoy High Speed Internet from AT&amp;T for $29.95/mo.** for 6 months." width="300" height="299" border="0" id="mobile-fill" style="display: block; -ms-interpolation-mode: bicubic;">
</a>
</td>
</tr>
</table>
<table width="48%" border="0" cellspacing="0" cellpadding="0" align="right" id="mobile-fill" style="border-collapse:collapse;">
<tr>
<td align="center" style="border-left:1px solid #cccccc;" id="mobile-slide-right">
<a href="http://email.savingswithin.org/eo&amp;XYzmHX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eM=XYzmzX/sKKmQYz/21209/EMAIL/20918/" alt="Stay in the know! Sign up for updates on hot deals and new products delivered right to your inbox.- Get started" width="300" height="300" border="0" id="mobile-fill" style="display:block; -ms-interpolation-mode: bicubic;" align="center">
</a>
</td>
</tr>
</table>
<div>
<table height="YYY" width="621" align="center" cellpadding="0" cellspacing="0" border="0" style="border:none; mso-table-lspace:0pt; mso-table-rspace:0pt; border-collapse:collapse;">
<tr>
<td>
<table align="left" cellpadding="0" cellspacing="0" border="0" style="border:none; mso-table-lspace:0pt; mso-table-rspace:0pt; border-collapse:collapse;">
<tr>
<td>
<a href="http://email.savingswithin.org/eoIXYzmHX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eMVXYzmzX/sKKmQYz/21209/EMAIL/20918/" width="621" height="292" border="0" id="mobile-fill" style="display:block; -ms-interpolation-mode: bicubic;" align="center">
</a>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<table align="left" cellpadding="0" cellspacing="0" border="0" style="border:none; mso-table-lspace:0pt; mso-table-rspace:0pt; border-collapse:collapse;">
<tr>
<td>
<a href="http://email.savingswithin.org/eoVXYzmzX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eM0XYzmYX/sKKmQYz/21209/EMAIL/20918/" width="621" height="80" border="0" id="mobile-fill" style="display:block; -ms-interpolation-mode: bicubic;" align="center">
</a>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td align="center">
<table align="left" cellpadding="0" cellspacing="0" border="0" style="border:none; mso-table-lspace:0pt; mso-table-rspace:0pt; border-collapse:collapse;">
<tr>
<td>
<a href="http://email.savingswithin.org/eo=XYzmzX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eMjXYzmYX/sKKmQYz/21209/EMAIL/20918/" width="114" height="27" border="0" id="mobile-fill" style="display:block; -ms-interpolation-mode: bicubic;" align="center">
</a>
</td>
<td>
<a href="http://email.savingswithin.org/eo&amp;XYzmzX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eM=XYzmYX/sKKmQYz/21209/EMAIL/20918/" width="87" height="27" border="0" id="mobile-fill" style="display:block; -ms-interpolation-mode: bicubic;" align="center">
</a>
</td>
<td>
<a href="http://email.savingswithin.org/eoIXYzmzX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eMVXYzmYX/sKKmQYz/21209/EMAIL/20918/" width="420" height="27" border="0" id="mobile-fill" style="display:block; -ms-interpolation-mode: bicubic;" align="center">
</a>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<table align="left" cellpadding="0" cellspacing="0" border="0" style="border:none; mso-table-lspace:0pt; mso-table-rspace:0pt; border-collapse:collapse;">
<tr>
<td>
<a href="http://email.savingswithin.org/eoVXYzmtX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/eM0XYzmOX/sKKmQYz/21209/EMAIL/20918/" width="621" height="53" border="0" id="mobile-fill" style="display:block; -ms-interpolation-mode: bicubic;" align="center">
</a>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<table align="left" cellpadding="0" cellspacing="0" border="0" style="border:none; mso-table-lspace:0pt; mso-table-rspace:0pt; border-collapse:collapse;">
<tr>
<td>
<a href="http://email.savingswithin.org/YK__KhXYzmtX/sKKtKzO/RESOURCE">
<img src="http://email.savingswithin.org/eM/jXYzmtX/sKKtKzO/21209/EMAIL/20918/" border="0" id="mobile-fill" style="display:block; -ms-interpolation-mode: bicubic;" align="center">
</a>
</td>
</tr>
</table>
</td>
</tr>
</table>
</div>
</td>
</tr>
</table>
</td>
<tr>
<td valign="top" align="left" style="line-height:0px; font-size:0px;"><table width="100%" cellspacing="0" cellpadding="0" border="0" style="border-collapse:collapse;">
<tr>
<td>
<td>
</tr>
</table></td>
</tr>
</table></td>
<td valign="top" align="left">
<a href="http://email.savingswithin.org/eoVXYzmtX/sKKmQYz/RESOURCE">
<img src="http://email.savingswithin.org/spacer.gif" width="10" height="10" border="0" style="display: block;">
</a>
</td>
</tr>
</table></td>
</tr>
</table>
</td>
</tr>
</table>
</body>

by Bryon 9 years ago
4

By the way, I just want to say I think it's disgusting that these huge companies knowingly pay for this garbage to be sent by email. There's NO WAY AT&T isn't fully aware this is happening; I know for sure they're paying for this to be done. Nobody works for free, janitors or spammers.

I treat the spam I receive as "don't ever patronize this company" advertisements.

by Bryon 9 years ago
5

@Bryon: The subject is encoded in base64 in the header; it is actually the part between ?utf-8?B? and ?=

0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU

After decoding, this becomes

Рaying too much for Internet ѕervice? Get Нigh Ѕpeed Internet from AT&T

The URL in the email body savingswithin.org is now listed on several SURBLs we recommend using (e.g., Spamhaus DBL):

http://www.spamhaus.org/query/domain/email.savingswithin.org

by Krisztián Fekete (Vamsoft) 9 years ago
(in reply to this post)

6

Thanks for that - is there an effective way to block emails which have base64 encoded subjects? I can't think of any legitimate reason a non-spam email would do that.

We do have checkmarked "Spamhaus-ZEN" (zen.spamhaus.org), perhaps that domain wasn't listed at the time the emails came through. Or, is there another aspect of spamhaus that we're not using?

by Bryon 9 years ago
7

@Bryon: ZEN is the DNS Blacklist of Spamhaus (which lists IP addresses of hosts sending spam), while DBL is their SURBL which lists Uniform Resource Identifier (URI) hosts, typically web site domains, that appear in unsolicited messages.

The currently recommended DNSBLs and SURBLs are listed in the following article:

http://vamsoft.com/r?o-kb-bl-s

If you do not seem to have all recommended lists in your configuration, it is strongly recommended to update your definition set:

http://vamsoft.com/r?o-kb-updating-bls

by Krisztián Fekete (Vamsoft) 9 years ago
(in reply to this post)

8

@Krisztián Fekete (Vamsoft): Perfect, I see the difference now. I wasn't using Spamhaus DBL, but have the SURBLs and DNS blacklists updated now (with full overwrite).

Should any of the tests be able to be configured to capture and filter on encoded subjects?

Thanks again

by Bryon 9 years ago
(in reply to this post)

9

@Bryon: the Keyword Blacklist test can check the MIME header, but the fact that the email subject is encoded does not mean the email itself is spam: it is absolutely legitimate (and common) to use the UTF-8 encoding, because it allows using multiple character sets in a single email. So blacklisting encoded emails would result in a lot of false positives.

by Krisztián Fekete (Vamsoft) 9 years ago
(in reply to this post)
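The two Vamsoft replies above make the defensive point concrete: the subject is an ordinary RFC 2047 encoded word that decodes to mostly Latin text with a few Cyrillic look-alike letters dropped in, and encoding by itself is not a spam signal. The Python script below is an added example, not code from this thread, from ORF or from Vamsoft. It decodes the exact subject quoted in post 3 with the standard library, flags the signal that actually distinguishes this message (single words whose letters mix the Latin and Cyrillic scripts), folds those confusable letters back to Latin, and only then applies a keyword blacklist. KEYWORD_BLACKLIST is a hypothetical stand-in for the poster's list, and CYRILLIC_TO_LATIN is a constructed subset of the Unicode confusables table, not the full table. An all-Cyrillic subject is left untouched, which is the false-positive case the last reply warns about.

```python
import unicodedata
from email.header import decode_header, make_header

# Constructed sample: the RFC 2047 encoded-word subject quoted in post 3 of this thread.
SAMPLE_SUBJECT = ("=?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/"
                  "IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=")

# Hypothetical keyword blacklist standing in for the poster's own subject keyword list.
KEYWORD_BLACKLIST = ["paying too much", "controversial", "high speed internet"]

# Constructed subset of Unicode confusables: Cyrillic code points that render like Latin
# letters (Er -> P, Dze -> S, En -> H, ...). Written as escapes so the mapping is exact.
CYRILLIC_TO_LATIN = {
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0405": "S", "\u0406": "I", "\u0408": "J",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}


def decode_subject(raw_header):
    """Decode an RFC 2047 header (B or Q encoding, any charset) to a Unicode string.
    Unencoded headers pass through unchanged."""
    return str(make_header(decode_header(raw_header)))


def script_of(ch):
    """Script family of a letter taken from its Unicode name ('LATIN', 'CYRILLIC', ...);
    None for digits, punctuation and whitespace."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ")[0] or None


def is_mixed_script(word):
    """True when one word contains letters from more than one script."""
    scripts = {s for s in map(script_of, word) if s}
    return len(scripts) > 1


def mixed_script_words(text):
    """Words that mix scripts: the homoglyph signature, absent from ordinary mail."""
    return [w for w in text.split() if is_mixed_script(w)]


def fold_confusables(text):
    """Map confusable Cyrillic letters to Latin, but only inside mixed-script words,
    so a genuinely Cyrillic (or other non-Latin) subject is not rewritten."""
    words = []
    for word in text.split(" "):
        if is_mixed_script(word):
            word = "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in word)
        words.append(word)
    return " ".join(words)


def blacklist_hits(subject_text, blacklist=KEYWORD_BLACKLIST):
    """Keywords that match once the subject has been folded and case-folded."""
    haystack = fold_confusables(subject_text).casefold()
    return [kw for kw in blacklist if kw.casefold() in haystack]


def analyse(raw_header):
    """Everything a filter or log search would want to record for one subject header."""
    text = decode_subject(raw_header)
    return {
        "decoded": text,
        "mixed_script_words": mixed_script_words(text),
        "folded": fold_confusables(text),
        "blacklist_hits": blacklist_hits(text),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_SUBJECT).items():
        print(f"{key}: {value}")
```

Run as-is it prints the decoded subject from the reply above, the four mixed-script words, the folded Latin text, and the two hypothetical keywords that now match. Searching logs for the folded form is what makes "paying" findable again; keying the rule on mixed-script words rather than on the presence of an encoded word is what keeps legitimate UTF-8 subjects out of the quarantine.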
