Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Porn Spam Block
  FAQ FAQ  Forum Search   Register Register  Login Login

Porn Spam Block
 Post Reply Post Reply
Author
  Topic Search Topic Search  Topic Options Topic Options
Trinidad View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Trinidad Quote  Post ReplyReply Direct Link To This Post Topic: Porn Spam Block
    Posted: 15 July 2003 at 3:07pm
We have a major problem with receiving porn spam so Ive added    src="http   to my keywords list, its blocking the emails that have pictures attached that their source is from a website, i work for a telecomm company and we are constantly receiving customer emails, this seems to be working great, has anyone had any problems with this type of setup or have a better way?
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 15 July 2003 at 10:15pm

Trinidad,

Spam blocking is often a "religious" discussion!  Please be aware that this response is my opinion only.

First, although I have a similar block, I prefer to block based on the patterns that spammers use to obscure the message (obfuscation) rather that the content itself. This removes any possibility of being accused of "censoring" our customers emails.  The filter you propose, unfortunately also blocks many, if not most lists such as "Yahoo Groups".  I try to use mainly "Regular Expressions" or RegEx's to block and resort to literal keywords only when I can't quite figure out what the pattern is that I want to block.  The keyword that I have that is close to yours is "img src=3D"http://" and it seems to work.  My keyword list is quite small but has been VERY effective.  For reference only, I will post it as follows:

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])
(href="http://+[\d])
(http://.{0,10}%[\d])
(<[!--]+[a-zA-Z0-9]{2}(-->))
((<font color="#ffffff">.*){3,8})
((\|.*){11,})
(content\-type:\x20text/html\r\ncontent-transfer\-encoding:\x20base64\r\n)
(http://www..*.(com|net|org)@www)
((limited time (special|offer)))
pro2ware.biz
text-decoration: blink
98207.biz
herbalpillsonline
pillsavings
red.ecablenetwork.com
horfinc.com
click here to start
thousands of other email providers
gsc-100
img src=3D"http://
is a one time mailing
your privacy is extremely important to us
one of our member sites

I also try to remove some of the Bogus email addresses by detecting address constructs that have been posted as ALWAYS being invalid. My "FromEmail black list looks like:

(\b[\d+]+([\-a-za-z0-9_\.\+])+(@hotmail|@juno)\.com)
(\b[\d]+@(aol\.com|msn\.com|bellsouth\.net|brandeis\.edu))
(\w{17,}@(canada|aol|hotbot)\.com)
((@hello\.com|@veriopt\.com|ha@sexyfun\.net|@himailer.com|clubhotlist@aol.com))
anyone@*
noone@*
friend@*
someone@*
*@gmx.at
*@topprodsource.com
*@myobdeals.com
*@mailseeker.net
offers@
senders@
test*@test.com
*@ultimateoffers.net
*@uc-bulk1.local
@offermania.*
@hotpop.com

Between these 2 lists, very little gets past the filter (along with checking for RDNS and 3 dnsbl lists).  What does get through, I save and when I have "free" time, I try to figure out what the Spamer has done to get past the filters and make adjustments accordingly. As a result, the lists I posted here, may change at a later date.

I hope this helps.

Regards,

Dan S.
Back to Top
Trinidad View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Trinidad Quote  Post ReplyReply Direct Link To This Post Posted: 16 July 2003 at 8:05am

Thanks

I am new to the regex thing and this should help tons
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 16 July 2003 at 9:40am

One warning I forgot on the following expression:

(http://.{0,10}%[\d])

I have been in contact with PayPal on this ... so far no fix but you will find that some very valid messages will get blocked from them.  I have placed *@paypal.com in the Excluded From Addresses until we resolve it.  Actually, that is the ONLY entry I have in the Excluded From list.

Dan S.
Back to Top
Frank Schreier View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Frank Schreier Quote  Post ReplyReply Direct Link To This Post Posted: 17 July 2003 at 11:17am

I am testing only some of the "keywords" above.

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--]) blocked a legitimate one 5 minutes after implementation. Seems the other ones are fine.
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 17 July 2003 at 11:45am

Please define"legitimate".  What, specificicaly did it kill?  I have not seen more that one or two out of thousands that should not have been blocked so if you have the content, I will look into it.

Dan S.

 
Back to Top
Frank Schreier View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Frank Schreier Quote  Post ReplyReply Direct Link To This Post Posted: 17 July 2003 at 12:46pm
We do not quarantine mails till now, but in this case I personally know the receiver and sender. It was a requested (HTML-formatted) Newsletter. IŽll ask the sender to forward my a copy.
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 17 July 2003 at 1:10pm

Sending that would be good. We do quarantine so if something like this comes up, we can try to first see why and second see if the sender can do something to fix it.  PayPal is actually working on fixing their issue because the admin agreed that the tags that were getting blocked had no business being there.  He also said that they received many complaints for other ISP's so we were not alone.

Dan S.

 
Back to Top
Frank Schreier View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Frank Schreier Quote  Post ReplyReply Direct Link To This Post Posted: 21 July 2003 at 8:20am
Got no copy of the orginal mail till yet. But here are (some) logs for [((\|.*){11,})]. I canceled this one too. A little bit funny if you take a look to the senders. The other ones are working well for us.

07.18.03 02:42:17:085 -- (760) Found Keywords: [((\|.*){11,})] 07.18.03 02:42:17:095 -- (760) EMail from Musterdepot@informer2.comdirect.de to [del]@brainlift.de matches content filter rules - rejected.

07.18.03 03:22:12:890 -- (980) Found Keywords: [((\|.*){11,})] 07.18.03 03:22:12:890 -- (980) EMail from list-owner-cust-security-announce-outgoing@domohead.cisco.com to [del]@brainlift.de matches content filter rules - rejected.

07.18.03 04:30:13:447 -- (776) Found Keywords: [((\|.*){11,})] 07.18.03 04:30:13:447 -- (776) EMail from bounce-to-o-1-2-42034@lists.truthout.org to [del]@brainlift.de matches content filter rules - rejected.

07.18.03 04:44:27:115 -- (776) Found Keywords: [((\|.*){11,})] 07.18.03 04:44:27:115 -- (776) EMail from list-return-959-[del]=brainlift.de@dsbl.org to [del]@brainlift.de matches content filter rules - rejected.
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 21 July 2003 at 5:41pm

Frank,

I, too, removed that one.  My most recent RegEx's look as follows:

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])
((href="http|src=3d"http|href=3d"http)://+[\d])
((http|3dhttp)://.{0,15}(%|@|:)[(\d|\w)])
(<[!--]+[a-zA-Z0-9]{2}(-->))
((<font color="(#ffffff|ffffff)".*){3,20})
(http://http:/\w)
(\b(content\-type:\x20text/(html|plain)\r\ncontent-transfer\-encoding:\x20base64\r\n))
((limited time (special|offer)))

My most recent "From Email" is as follows:

(\b[\d+]+([\-a-za-z0-9_\.\+])+(@hotmail|@juno)\.com)
(\b[\d]+@(aol\.com|msn\.com|bellsouth\.net|brandeis\.edu))
(\w{17,}@(canada|aol|hotbot)\.com)
((@hello\.com|@veriopt\.com|ha@sexyfun\.net|@himailer.com|clubhotlist@aol.com))
anyone@*
noone@*
friend@*
someone@*
*@gmx.at
*@topprodsource.com
*@myobdeals.com
*@mailseeker.net
offers@
senders@
test*@test.com
*@uomail.com

Please comment.

Dan S.

 
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.238 seconds.

Copyright (c)2002-2021 LogSat Software LLC - Sales: sales@LogSat.com
Contact Us