keyword blacklists no longer effective, question mark ascii characters

1

Hello,

I have a pretty decent list of keywords blacklisted for subjects. More and more, spammers are bypassing this by using ASCII codes for random letters in the subject.

Here are some examples as seen in the logs:

displayed subject: Paying too much for Internet service?
hover-over subject: ?aying too much for Internet ?ervice?

displayed subject: Controversial New E-Sig Model (Dont Miss This)
hover-over subject: ??ntr?v??s??l ??w ?-??g ??d?l (D?nt ??ss ?h?s)

Searching for "paying" in the logs does not yield the example above, nor does "controversial", which means the keyword blacklists don't catch it either.

The domains, URLs and IPs were not on any subscribed blacklists, so the emails do get to the users.

What's the best way to handle these?

by Bryon 4 years ago
2

@Bryon: How is the subject line presented in the MIME header?

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)

3

Here are the headers as captured by our Barracuda Message Archiver... really interesting subject line:

Subject: =?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=

Received: from savingswithin.org (193.189.107.44) by onlinew2.mydomain.com
(172.16.1.70) with Microsoft SMTP Server id 14.3.181.6; Thu, 8 May 2014
17:37:33 -0400
Subject: =?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=
From: AT&T High Speed Internet
Content-Type: text/html; charset="utf-8"
X-Mailer: iPhone Mail (11B771a)
Message-ID:
Date: Thu, 8 May 2014 15:33:51 -0600
To:
Content-Transfer-Encoding: 7bit
Return-Path:
X-MS-Exchange-Organization-OriginalArrivalTime: 08 May 2014 21:37:33.0340
(UTC)
X-MS-Exchange-Forest-ArrivalHubServer: onlinew2.ourdomain.com
X-MS-Exchange-Organization-OriginalClientIPAddress: 193.189.107.44
X-MS-Exchange-Organization-OriginalServerIPAddress: 172.16.1.70
X-MS-Exchange-Organization-AuthSource: onlinew2.Reserves1.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: onlinew2.ourdomain.com
X-MS-Exchange-Organization-OriginalSize: 15300
X-MS-Exchange-Forest-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-Recipient-Limit-Verified: True
X-MS-Exchange-Forest-RulesExecuted: onlinew2
MIME-Version: 1.0

[HTML body follows; inline style sheet and layout markup omitted, visible text only]

AT&T

Got a need for speed? Save with AT&T High-Speed Internet.

View this email online.

For new service call 855.837.3403

Get downstream speeds up to 3 Mbps (other charges apply)

by Bryon 4 years ago
4

By the way I just want to say, I think it's disgusting that these huge companies knowingly pay for this garbage to be sent by email. There's NO WAY AT&T isn't fully aware this is happening, I know for sure they're paying for this to be done. Nobody works for free, janitors or spammers.

I treat the spam I receive as "don't ever patronize this company" advertisements.

by Bryon 4 years ago
5

@Bryon: The subject is encoded in base64 in the header, it is actually the part between ?utf-8?B? and ?=

0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU

After decoding, this becomes

Рaying too much for Internet ѕervice? Get Нigh Ѕpeed Internet from AT&T

The URL in the email body savingswithin.org is now listed on several SURBLs we recommend using (e.g., Spamhaus DBL):

http://www.spamhaus.org/query/domain/email.savingswithin.org

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)

6

Thanks for that - is there an effective way to block emails which have base64-encoded subjects? I can't think of any legitimate reason a non-spam email would do that.

We do have checkmarked "Spamhaus-ZEN" (zen.spamhaus.org), perhaps that domain wasn't listed at the time the emails came through. Or, is there another aspect of spamhaus that we're not using?

by Bryon 4 years ago
7

@Bryon: ZEN is the DNS Blacklist of Spamhaus (which lists IP addresses of hosts sending spam), while DBL is their SURBL which lists Uniform Resource Identifier (URI) hosts, typically web site domains, that appear in unsolicited messages.

The currently recommended DNSBLs and SURBLs are listed in the following article:

http://vamsoft.com/r?o-kb-bl-s

If you do not seem to have all recommended lists in your configuration, it is strongly recommended to update your definition set:

http://vamsoft.com/r?o-kb-updating-bls

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)
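To make the ZEN/DBL distinction in the reply above concrete, here is an added example in Python; it is not code from the thread or from ORF. It builds the two kinds of query names (reversed octets for an IP-based DNSBL, the bare domain for a domain-based list such as DBL) and interprets the 127.x.y.z answer codes that Spamhaus documents, including the codes that mean the query itself was rejected. The IP and the link host are the ones from the posted headers; the `lookup` helper does a live DNS query and is there only for completeness, and `candidate_domains` stops at two labels, which is an approximation of the registrable domain without a public suffix list.

```python
import ipaddress
import socket

# Zones named in the thread: ZEN lists sending IPs, DBL lists domains seen in message bodies.
ZEN = "zen.spamhaus.org"
DBL = "dbl.spamhaus.org"

# Answer codes (A records inside 127.0.0.0/8) as documented by Spamhaus.
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / low-reputation source)",
    "127.0.0.4": "XBL (exploited or compromised host)",
    "127.0.0.5": "XBL (exploited or compromised host)",
    "127.0.0.6": "XBL (exploited or compromised host)",
    "127.0.0.7": "XBL (exploited or compromised host)",
    "127.0.0.10": "PBL (ISP policy: end-user IP, should not send mail directly)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legitimate domain (spam)",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.104": "abused legitimate domain (phish)",
    "127.0.1.105": "abused legitimate domain (malware)",
    "127.0.1.106": "abused legitimate domain (botnet C&C)",
    "127.0.1.255": "error: an IP address was queried against DBL",
}
# These mean the query was rejected, not that anything is listed.
ERROR_CODES = {
    "127.255.255.252": "error: typo in the zone name",
    "127.255.255.254": "error: query sent via an open/public resolver, use your own",
    "127.255.255.255": "error: excessive query volume",
}


def dnsbl_query_name(ip, zone=ZEN):
    """IPv4 DNSBLs are queried with the octets reversed: 193.189.107.44 -> 44.107.189.193.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def candidate_domains(hostname):
    """A URL host and each parent down to two labels (approximation of the registrable domain)."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def surbl_query_name(domain, zone=DBL):
    """Domain-based lists are queried with the domain itself in front of the zone."""
    return domain.strip().rstrip(".").lower() + "." + zone


def interpret(zone, answer):
    """Turn the A record returned by a list into a readable verdict."""
    if answer in ERROR_CODES:
        return ERROR_CODES[answer]
    table = ZEN_CODES if zone == ZEN else DBL_CODES
    return table.get(answer, "listed, unknown code %s" % answer)


def lookup(name, zone):
    """Live query (needs network). NXDOMAIN means 'not listed' and yields an empty list."""
    try:
        return [interpret(zone, a) for a in socket.gethostbyname_ex(name)[2]]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # Values from the posted headers: the connecting IP and the link host in the body.
    print(dnsbl_query_name("193.189.107.44"))
    for d in candidate_domains("email.savingswithin.org"):
        print(surbl_query_name(d))
```

Two practical points: query every parent of the URL host, because DBL lists domains, not hostnames, and a host like email.savingswithin.org may only be covered by the savingswithin.org entry; and run the queries through your own resolver, since the 127.255.255.254 answer is what you get through public resolvers and it looks like "listed" to code that only tests for a non-empty answer.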

8

@Krisztián Fekete (Vamsoft): Perfect - I see the difference now, I wasn't using Spamhaus DBL, but have the SURBLs and DNS blacklists updated now (with full overwrite).

Should any of the tests be able to be configured to capture and filter on encoded subjects?

Thanks again

by Bryon 4 years ago
(in reply to this post)

9

@Bryon: the Keyword Blacklist test can check the MIME header, but the fact that the email subject is encoded does not mean the email itself is spam: it is absolutely legitimate (and common) to use the UTF-8 encoding, because it allows using multiple character sets in a single email. So blacklisting encoded emails would result in a lot of false positives.

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)
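As an added example (not code from the thread or from ORF), the following Python puts together the decoding step shown in post 5 and the distinction drawn in post 9: the RFC 2047 encoded-word is decoded, look-alike Cyrillic letters are folded to the Latin letters they imitate so that a keyword blacklist matches "paying" again, and the subject is flagged only when a single word mixes scripts. Subjects that are merely encoded, such as a German subject with umlauts or an all-Cyrillic Russian one, decode cleanly and are not flagged. The confusables table (a small subset of the Unicode TR39 list), the keyword list and the two extra sample subjects are constructed for this example.

```python
import base64
import re
import unicodedata

# The Subject header posted in the thread: one RFC 2047 encoded-word, =?charset?encoding?payload?=
ENCODED_SUBJECT = ("=?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/"
                   "IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=")

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def decode_encoded_words(header):
    """Decode every =?charset?B|Q?payload?= token in a header value to text."""
    def decode_one(match):
        charset = match.group(1).split("*")[0]          # drop an RFC 2231 language tag, if any
        encoding = match.group(2).upper()
        payload = match.group(3)
        if encoding == "B":
            raw = base64.b64decode(payload)
        else:                                            # Q: '_' is a space, =XX is one byte
            text = payload.replace("_", " ")
            text = re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)
            raw = text.encode("latin-1")
        return raw.decode(charset, errors="replace")
    header = re.sub(r"(\?=)\s+(=\?)", r"\1\2", header)  # whitespace between encoded-words is dropped
    return ENCODED_WORD.sub(decode_one, header)


# Cyrillic letters that render like Latin ones, mapped to the Latin letter they imitate.
# Constructed subset of the Unicode TR39 confusables table; extend as needed.
CONFUSABLES = str.maketrans({
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H", "\u041a": "K",
    "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0405": "S", "\u0422": "T", "\u0425": "X",
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0455": "s",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
})


def fold_confusables(text):
    """Replace look-alike letters, then NFKC-normalise (fullwidth forms, ligatures, etc.)."""
    return unicodedata.normalize("NFKC", text.translate(CONFUSABLES))


def script_of(ch):
    """Coarse script of a letter from its Unicode name; None for digits, punctuation, etc."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None


def mixed_script_words(text):
    """Words whose letters come from more than one script. Genuine text almost never does this,
    so 'Рaying' is flagged while all-Cyrillic or accented-Latin subjects are not."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {script_of(ch) for ch in word} - {None}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def keyword_hits(text, keywords):
    """Blacklist match on the folded, case-folded text, so 'Рaying' matches 'paying'."""
    folded = fold_confusables(text).casefold()
    return [k for k in keywords if k.casefold() in folded]


KEYWORDS = ["paying", "high speed internet", "controversial"]   # constructed blacklist entries


def classify(raw_subject, keywords=KEYWORDS):
    """Decode the header once, then report both signals for a scoring decision."""
    decoded = decode_encoded_words(raw_subject)
    return {
        "decoded": decoded,
        "mixed_script": mixed_script_words(decoded),
        "keyword_hits": keyword_hits(decoded, keywords),
    }


if __name__ == "__main__":
    for subj in (ENCODED_SUBJECT,
                 "=?utf-8?Q?Gr=C3=BC=C3=9Fe_aus_M=C3=BCnchen?=",   # constructed: legitimate German
                 "=?utf-8?B?0J/RgNC40LLQtdGC?="):                  # constructed: all-Cyrillic Russian
        print(classify(subj))
```

Run against the posted header, `decoded` is the string from post 5, `mixed_script` lists the four doctored words and `keyword_hits` returns "paying" and "high speed internet", while the German and Russian subjects return nothing on either signal. The point for a filter is that the blacklist must be applied after decoding and folding, not to the raw `=?utf-8?B?...` string; and the mixed-script signal is better used as a score contribution than as a hard block, since folding can also make a short keyword collide with genuine Cyrillic text.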
