
Porn Spam Block

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=1380
Printed Date: 23 February 2025 at 12:37am


Topic: Porn Spam Block
Posted By: Guests
Subject: Porn Spam Block
Date Posted: 15 July 2003 at 3:07pm
We have a major problem with receiving porn spam, so I've added src="http to my keywords list. It's blocking the emails that have pictures attached whose source is from a website. I work for a telecomm company and we are constantly receiving customer emails. This seems to be working great. Has anyone had any problems with this type of setup, or have a better way?



Replies:
Posted By: Desperado
Date Posted: 15 July 2003 at 10:15pm

Trinidad,

Spam blocking is often a "religious" discussion!  Please be aware that this response is my opinion only.

First, although I have a similar block, I prefer to block based on the patterns that spammers use to obscure the message (obfuscation) rather than the content itself. This removes any possibility of being accused of "censoring" our customers' emails.  The filter you propose unfortunately also blocks many, if not most, lists such as "Yahoo Groups".  I try to use mainly "Regular Expressions" or RegEx's to block and resort to literal keywords only when I can't quite figure out what the pattern is that I want to block.  The keyword that I have that is close to yours is "img src=3D"http://" and it seems to work.  My keyword list is quite small but has been VERY effective.  For reference only, I will post it as follows:

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])
(href="http://+[\d])
(http://.{0,10}%[\d])
(<[!--]+[a-zA-Z0-9]{2}(-->))
((<font color="#ffffff">.*){3,8})
((\|.*){11,})
(content\-type:\x20text/html\r\ncontent-transfer\-encoding:\x20base64\r\n)
(http://www..*.(com|net|org)@www)
((limited time (special|offer)))
pro2ware.biz
text-decoration: blink
98207.biz
herbalpillsonline
pillsavings
red.ecablenetwork.com
horfinc.com
click here to start
thousands of other email providers
gsc-100
img src=3D"http://
is a one time mailing
your privacy is extremely important to us
one of our member sites

I also try to remove some of the bogus email addresses by detecting address constructs that have been posted as ALWAYS being invalid. My "FromEmail" black list looks like:

(\b[\d+]+([\-a-za-z0-9_\.\+])+(@hotmail|@juno)\.com)
(\b[\d]+@(aol\.com|msn\.com|bellsouth\.net|brandeis\.edu))
(\w{17,}@(canada|aol|hotbot)\.com)
((@hello\.com|@veriopt\.com|ha@sexyfun\.net|@himailer.com|clubhotlist@aol.com))
anyone@*
noone@*
friend@*
someone@*
*@gmx.at
*@topprodsource.com
*@myobdeals.com
*@mailseeker.net
offers@
senders@
test*@test.com
*@ultimateoffers.net
*@uc-bulk1.local
@offermania.*
@hotpop.com

Between these 2 lists, very little gets past the filter (along with checking for RDNS and 3 dnsbl lists).  What does get through, I save and when I have "free" time, I try to figure out what the spammer has done to get past the filters and make adjustments accordingly. As a result, the lists I posted here may change at a later date.

I hope this helps.

Regards,

Dan S.



Posted By: Guests
Date Posted: 16 July 2003 at 8:05am

Thanks

I am new to the regex thing and this should help tons



Posted By: Desperado
Date Posted: 16 July 2003 at 9:40am

One warning I forgot on the following expression:

(http://.{0,10}%[\d])

I have been in contact with PayPal on this ... so far no fix but you will find that some very valid messages will get blocked from them.  I have placed *@paypal.com in the Excluded From Addresses until we resolve it.  Actually, that is the ONLY entry I have in the Excluded From list.

Dan S.



Posted By: Guests
Date Posted: 17 July 2003 at 11:17am

I am testing only some of the "keywords" above.

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--]) blocked a legitimate one 5 minutes after implementation. Seems the other ones are fine.



Posted By: Desperado
Date Posted: 17 July 2003 at 11:45am

Please define "legitimate".  What, specifically, did it kill?  I have not seen more than one or two out of thousands that should not have been blocked, so if you have the content, I will look into it.

Dan S.

 



Posted By: Guests
Date Posted: 17 July 2003 at 12:46pm
We do not quarantine mails till now, but in this case I personally know the receiver and sender. It was a requested (HTML-formatted) newsletter. I'll ask the sender to forward me a copy.


Posted By: Desperado
Date Posted: 17 July 2003 at 1:10pm

Sending that would be good. We do quarantine, so if something like this comes up, we can try to first see why and second see if the sender can do something to fix it.  PayPal is actually working on fixing their issue because the admin agreed that the tags that were getting blocked had no business being there.  He also said that they received many complaints from other ISPs so we were not alone.

Dan S.

 



Posted By: Guests
Date Posted: 21 July 2003 at 8:20am
Got no copy of the original mail yet. But here are (some) logs for [((\|.*){11,})]. I canceled this one too. A little bit funny if you take a look at the senders. The other ones are working well for us.

07.18.03 02:42:17:085 -- (760) Found Keywords: [((\|.*){11,})]
07.18.03 02:42:17:095 -- (760) EMail from Musterdepot@informer2.comdirect.de to [del]@brainlift.de matches content filter rules - rejected.

07.18.03 03:22:12:890 -- (980) Found Keywords: [((\|.*){11,})]
07.18.03 03:22:12:890 -- (980) EMail from list-owner-cust-security-announce-outgoing@domohead.cisco.com to [del]@brainlift.de matches content filter rules - rejected.

07.18.03 04:30:13:447 -- (776) Found Keywords: [((\|.*){11,})]
07.18.03 04:30:13:447 -- (776) EMail from bounce-to-o-1-2-42034@lists.truthout.org to [del]@brainlift.de matches content filter rules - rejected.

07.18.03 04:44:27:115 -- (776) Found Keywords: [((\|.*){11,})]
07.18.03 04:44:27:115 -- (776) EMail from list-return-959-[del]=brainlift.de@dsbl.org to [del]@brainlift.de matches content filter rules - rejected.



Posted By: Desperado
Date Posted: 21 July 2003 at 5:41pm

Frank,

I, too, removed that one.  My most recent RegEx's look as follows:

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])
((href="http|src=3d"http|href=3d"http)://+[\d])
((http|3dhttp)://.{0,15}(%|@|:)[(\d|\w)])
(<[!--]+[a-zA-Z0-9]{2}(-->))
((<font color="(#ffffff|ffffff)".*){3,20})
(http://http:/\w)
(\b(content\-type:\x20text/(html|plain)\r\ncontent-transfer\-encoding:\x20base64\r\n))
((limited time (special|offer)))

My most recent "From Email" is as follows:

(\b[\d+]+([\-a-za-z0-9_\.\+])+(@hotmail|@juno)\.com)
(\b[\d]+@(aol\.com|msn\.com|bellsouth\.net|brandeis\.edu))
(\w{17,}@(canada|aol|hotbot)\.com)
((@hello\.com|@veriopt\.com|ha@sexyfun\.net|@himailer.com|clubhotlist@aol.com))
anyone@*
noone@*
friend@*
someone@*
*@gmx.at
*@topprodsource.com
*@myobdeals.com
*@mailseeker.net
offers@
senders@
test*@test.com
*@uomail.com

Please comment.

Dan S.
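
Added example, not part of the thread or of SpamFilter ISP: a small harness for replaying keyword regexes against known-good and known-bad mail before enabling them, which reproduces the two false positives reported above (the HTML-comment rule on a newsletter and the pipe rule on list mail). It assumes Python's `re` as a stand-in for the filter's regex engine with case-insensitive matching; the rule names and all sample messages are constructed.

```python
import re
import warnings

# Rules as posted in the thread. Assumptions: Python's `re` stands in for the
# filter's regex engine, and matching is case-insensitive.
RULES = {
    "comment-filler": r'(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])',
    "pipe-run": r'((\|.*){11,})',
    "numeric-link": r'((href="http|src=3d"http|href=3d"http)://+[\d])',
}

# Constructed samples, not real mail: (label, is_spam, body).
TABLE_ROW = "| " + " | ".join(f"col{i}" for i in range(12)) + " |"
SAMPLES = [
    ("advisory-table", False, "Affected releases:\n" + TABLE_ROW + "\n"),
    ("html-newsletter", False, "<html><!--StartFragment--><p>July news</p></html>"),
    ("plain-note", False, "See <a href=\"http://www.example.com/\">our site</a>."),
    ("filler-comment", True, "Spe<!--k3j9x0q7w2z5-->cial of<!--p0o9i8u7y6t5-->fer"),
    ("ip-link", True, "<a href=3D\"http://192.0.2.10/offer\">click</a>"),
]


def compile_rules(rules):
    """Compile each rule; Python warns about '--' inside a set, which we ignore."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)
        return {name: re.compile(rx, re.IGNORECASE) for name, rx in rules.items()}


def audit(rules, samples):
    """Return {rule: {"spam_hits": [...], "false_positives": [...]}} by sample label."""
    report = {}
    for name, rx in compile_rules(rules).items():
        hits = [(label, is_spam) for label, is_spam, body in samples if rx.search(body)]
        report[name] = {
            "spam_hits": [label for label, spam in hits if spam],
            "false_positives": [label for label, spam in hits if not spam],
        }
    return report


if __name__ == "__main__":
    for rule, result in audit(RULES, SAMPLES).items():
        print(f"{rule:15} spam={result['spam_hits']} ham={result['false_positives']}")
```

The `[!--]` in the first rule is a character class, not the literal string `!--`, so any HTML comment that opens with ten or more alphanumerics, such as an editor's `<!--StartFragment-->`, satisfies it; the pipe rule fires on any single line with eleven or more `|` characters, which plain-text tables in list mail easily reach.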

 



