
male enhancement emails punching through

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6436
Printed Date: 12 March 2025 at 8:25pm


Topic: male enhancement emails punching through
Posted By: dcook
Subject: male enhancement emails punching through
Date Posted: 13 March 2008 at 12:47pm
Just in the last two weeks I've received a ton of these emails that come right through the filter. I have added keywords where I can, but the content is varied, as well as the origination address of the emails. It's a moving target. Have you seen this too? How can I nuke'm?
 
DC


-------------
Dwight
www.vividmix.com



Replies:
Posted By: WebGuyz
Date Posted: 13 March 2008 at 8:57pm
Have you checked the actual contents of one of the emails? Sometimes they are uuencoded and look like text, but when you view them as raw text you see the string of ASCII characters.

-------------
http://www.webguyz.net


Posted By: dcook
Date Posted: 14 March 2008 at 9:19am
I did discover most of it is from Russia. This may be a stupid question... How do you see unencoded characters in Outlook?

-------------
Dwight
www.vividmix.com


Posted By: WebGuyz
Date Posted: 14 March 2008 at 9:56am
You would have to look at the raw text of the email. Outlook automatically does the translation. What you see in your mail preview is the decoded text. I was doing the same thing you were, kept adding keywords that I saw in the emails customers forwarded to me. Finally got one myself and looked at the raw text and saw the uuencoding. In my case we use Spam Assassin filter after SFE, so I just upped scoring for that test until it failed every time. The explanation I found below is pretty good. These Russian spammers are uuencoding text (not binary, which uuencoding was designed for) to get around the keyword checking in spam filters:
 

The Why behind UUencoding and Other Schemes

Some Internet protocols were not designed to carry binary (program and other non-text files) files. They are only able to transfer messages made up of conventional text (printable ASCII) characters. In order to get around that limitation, UUencode and other methods were created.

These solutions all perform the same basic operation: they encode the non-transferable binary file into ASCII characters that the e-mail system can handle. The person receiving the message can then decode the strings of characters to recreate the original file. Perhaps you have seen one of these apparently unintelligible messages; here's an example:

begin 666 encoded.txt
:;F<@=7-I;F<@5VEN6FEP+@T*#0I%;FIO>2$`
`
end



-------------
http://www.webguyz.net


Posted By: dcook
Date Posted: 14 March 2008 at 10:51am
How about filtering on uuencoded emails? Has anyone had success with that? Is legit email uuencoded? What regex code should I use?

-------------
Dwight
www.vividmix.com


Posted By: dcook
Date Posted: 17 March 2008 at 3:52pm
I found the solution, it's a legacy .ini setting:
FilterBase64html=1
That reduced these junk emails to a trickle.


-------------
Dwight
www.vividmix.com


Posted By: jerbo128
Date Posted: 17 March 2008 at 9:31pm
;Set FilterBase64html to 1 if you want to block any emails with Content-Transfer-Encoding=base64 and Content-Type=text/html or text/plain
FilterBase64html=0
 
I guess the part that scares me here is the text/html and text/plain.
 
Can someone explain this setting a bit more?
 
Jeremy


Posted By: Desperado
Date Posted: 18 March 2008 at 10:54am
Encoding=base64 and Content-Type=text/html or text/plain are mutually exclusive. Content type cannot be (or should not be) text AND base64 encoded. Base64 encoding is the encoding used for images (gif, etc). So if a header is claiming to be both plain text and encoded ... something is fishy.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: dcook
Date Posted: 18 March 2008 at 11:24am
So, what settings do you use to block that fishy combination?

-------------
Dwight
www.vividmix.com


Posted By: Desperado
Date Posted: 18 March 2008 at 11:28am
FilterBase64html=1

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: Thermo
Date Posted: 26 March 2008 at 9:56am
I had to set my filter back to the default FilterBase64html=0 because it was blocking BlackBerry emails, because they are base64 encoded. I don't want to whitelist all of RIM's servers. How do you handle emails from BlackBerrys?
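
An added example, not part of the thread and not SpamFilter ISP's own logic: a Python sketch that decodes base64 text parts and inline uuencoded blocks before keyword matching, and separately reports the header combination the FilterBase64html comment describes, so a legitimate base64 text mail is flagged but not matched. The keyword list, function names and sample messages are constructed for illustration.

```python
import base64, binascii, email
from email import policy

KEYWORDS = ("cheap pills",)  # hypothetical keyword list, for illustration only

def text_parts(raw):
    """Yield (content_type, transfer_encoding, decoded_text) per text/* part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        data = part.get_payload(decode=True) or b""  # undoes base64 / QP
        try:
            text = data.decode(part.get_content_charset("utf-8"), "replace")
        except LookupError:  # unknown charset label
            text = data.decode("utf-8", "replace")
        yield part.get_content_type(), cte, text

def decode_inline_uu(text):
    """Decode 'begin <mode> <name>' ... 'end' blocks pasted into a text body."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("begin "):
            inside = True
        elif line.strip() == "end":
            inside = False
        elif inside and line:
            try:
                out.append(binascii.a2b_uu(line))
            except ValueError:  # not a valid uuencoded line
                pass
    return b"".join(out).decode("latin-1")

def inspect(raw, keywords=KEYWORDS):
    """Report the base64+text header combination and post-decoding keyword hits."""
    base64_text, hits = False, set()
    for ctype, cte, text in text_parts(raw):
        if cte == "base64" and ctype in ("text/plain", "text/html"):
            base64_text = True  # the combination the ini comment describes
        scan = (text + "\n" + decode_inline_uu(text)).lower()
        hits.update(k for k in keywords if k in scan)
    return {"base64_text": base64_text, "keyword_hits": sorted(hits)}

def uu_wrap(body):  # constructed sample: uuencode a short (<= 45 byte) text
    return "begin 666 encoded.txt\n" + binascii.b2a_uu(body.encode()).decode() + "`\nend\n"

def make_sample(body, b64):  # constructed sample message, not from the thread
    payload = base64.encodebytes(body.encode()).decode() if b64 else body
    head = ("Subject: test\r\nMIME-Version: 1.0\r\nContent-Type: text/plain; "
            f"charset=utf-8\r\nContent-Transfer-Encoding: {'base64' if b64 else '7bit'}\r\n\r\n")
    return (head + payload).encode()
```

Scoring on `keyword_hits` rather than on `base64_text` alone is what keeps a legitimate base64-encoded text mail out of the block list.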


