Blocking Sender Name

For all users, who don't speak German!

Moderator: Forum-Team

Post by idbit » 20 Apr 2010, 17:02

Hi, I'm having problems with blocking emails which contain spam words in the Sender's name.

For example, in the Rules Filter, I set a rule to Satisfy all conditions: "Sender - contains - the spamword". Yet it still allows emails that contain the spamword in the Sender's name. I've also set "Message (with html) - contains - the spamword" - with no results.

I also added the spamword to the Substrings filter. The Substring filter seems to cover a lot. But it overlooks spam words that are buried in the Sender's name.

It seems that the spammers have found this loophole and are using it quite frequently now. Any ideas?

Thanks!
-IB
idbit
User
Posts: 4
Joined: 25 Feb 2010, 17:30
Location: Florida

Re: Blocking Sender Name

Post by Quellcore » 20 Apr 2010, 23:57

Hello idbit!

The Rulefilter should and will help you in your case after we have figured out what went wrong in your case.
I can assure you that there is no "loophole" if you filter for the sender's name.

Here are a couple of quirks that I could think of.
Please don't feel insulted if some suggestions are really basic, I simply don't know how familiar you are with Spami and the way it works.

  • Friendslist
    http://wiki.spamihilator.com/doku.php?id=en:configfriends
    Read especially the second BIG RED BOX
  • Filter Priority:
    http://wiki.spamihilator.com/doku.php?id=en:configpriorities
    Make sure the Rulefilter gets to filter before anyone else
  • Choose the right "action" in Rulefilter:
    http://wiki.spamihilator.com/doku.php?id=en:configrules
    Make sure you choose the action "Move message to Recycle Bin"
  • Spelling
    Spammers often adjust the spelling of typical spamwords so that simple Filter Rules like the one you're trying to create are likely to fail. These spelling variations can be very subtle, you might not even see them at first glance. (Examples: 0ffice - Office or Eagle - EagIe - Eag|e)
    The most famous example in the world of spam might be "V.I.A.G.R.A." That's why we have something called Regular Expressions to be able to cope with variations in the spelling. This is a huge topic which would lead a little bit too far in this case.
  • Behavior of each Filter
    http://wiki.spamihilator.com/doku.php?id=en:configpriorities
    When you enable the expert mode in the settings you have access to more settings within the menu. One of them is the behavior of each filter if it classifies a mail. Normally you should not tamper with these settings, but you might have accidentally changed it. Make sure the settings for the Rulefilter are:
    When the filter finds a Spam Mail “stop filtering process”
    When the filter finds a Non-Spam Mail “stop filtering process”

Maybe you could also give us the exact word you are trying to filter and show us the mail in the training area.

Regards,
Quellcore
CPU:Intel Core i7-2700K Processor (@ 45*100 = 4500 MHz)
Board:ASRock P67 Extreme4 Gen3
Ram: 16GB G.SKILL Ripjaws X Series (4 x 4GB) DDR3 2133 (Timings 10-10-10-28 2T @ 1866 MHz)
SSD: Samsung 128GB 2.5-inch SSD 830 Series (Desktop)
HDD-1: WD Caviar® SE16 640 GB, SATA2, 16 MB Cache, 7200 RPM
HDD-2: SAMSUNG EcoGreen F4 ST2000DL004 2TB 32MB Cache
Graphic: ATI Radeon HD 5850 ASUS EAH5850/G/2DIS/1GD5

Win 7 Ultimate 64-Bit / ESET NOD32 Antivirus 8.0 / Firefox 34 / Thunderbird 31
Spamihilator 1.6.0
Quellcore
Assistant
Beta-Tester
Posts: 1706
Joined: 8 May 2004, 13:03
Location: Long Island / USA
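
The spelling variations listed in the post above (0ffice, EagIe, Eag|e, V.I.A.G.R.A.) can be covered by one generated pattern. This is an added example, not part of the original post and not Spamihilator code: it uses Python's `re` syntax, the look-alike table is constructed, and whether the Rule filter accepts the same regex dialect is not stated on this page.

```python
import re

# Look-alike characters per letter (constructed table, extend as needed).
# The 0/o and I,|/l swaps are the ones quoted in the post.
LOOKALIKES = {
    "o": "o0",
    "l": "l1I|",
    "i": "i1l|!",
    "a": "a@4",
    "e": "e3",
    "s": "s5$",
}
# Multi-character stand-ins, e.g. a "V" drawn with the slash keys.
MULTI = {"v": [r"\/"]}

# Up to two filler characters between letters: V.I.A.G.R.A, V i a g r a, ...
SEPARATOR = r"[\s.\-_*]{0,2}"


def variant_pattern(word):
    """Compile a regex that matches `word` despite look-alike swaps
    and filler characters inserted between its letters."""
    parts = []
    for ch in word.lower():
        alts = [re.escape(c) for c in LOOKALIKES.get(ch, ch)]
        alts += [re.escape(m) for m in MULTI.get(ch, [])]
        parts.append("(?:" + "|".join(alts) + ")")
    return re.compile(SEPARATOR.join(parts), re.IGNORECASE)


def matches(word, text):
    """True if any spelling variant of `word` occurs in `text`."""
    return variant_pattern(word).search(text) is not None


if __name__ == "__main__":
    # Constructed sender names and subjects
    for word, text in [("office", "Cheap 0ffice licenses"),
                       ("eagle", "Eag|e Supplier"),
                       ("viagra", "V.I.A.G.R.A."),
                       ("office", "our offsite facility")]:
        print(f"{word!r} in {text!r}: {matches(word, text)}")
```

The pattern has no word boundaries, so it also fires inside longer words; add `\b` anchors if that causes false positives on legitimate mail.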

Re: Blocking Sender Name

Post by idbit » 21 Apr 2010, 15:57

Thanks for the help Quellcore! I have everything configured as you mentioned. I have a lot of experience working with Spamihilator, so I know all the ins and outs.

I did just test this by changing one of my email addresses' Name in Outlook Express' Accounts settings to "* POLICY VIOLATION ! * Supplier": For the email address: Tools > Accounts > Mail > Properties > General > User Information > Name: "* POLICY VIOLATION ! * Supplier". (This seems to be what the spammers are doing.) I then sent myself an email from this address.

Well this time it worked. My rule setting picked it up:
Reason: sender - * POLICY VIOLATION ! * (Sender contains "* POLICY VIOLATION ! *")

I'll have to test this some more. I'm seeing many that slip through. * POLICY VIOLATION ! * will clearly be in the Sender's name. I check the email source code. I'm a web designer, so I know the tricks you can use with css, html, and misspellings. I don't see that kind of trickery when "* POLICY VIOLATION ! *" is in the sender name. It's spelled out plainly, but still getting through. I'll wait for the next one to slip through and report back.

It would be nice though if the Substrings filter checked the entire email. Because it seems again like the one thing the Substring filter does not look at is the Sender name. In fact, the Substrings filter should have picked up my test email from above because I have Substrings one stop higher than Rules in my priority - and * POLICY VIOLATION ! * is a word that should be blocked by Substrings.

I'll report back after one of these slips through. It shouldn't be long.

Thanks again!
-IB
idbit
User
Posts: 4
Joined: 25 Feb 2010, 17:30
Location: Florida

Re: Blocking Sender Name

Post by Quellcore » 21 Apr 2010, 22:32

Hello idbit!

A couple of things:

  • The Substring-Filter is very outdated, might have stability issues and might not even work anymore with the newer versions of Spami. I highly recommend using the Rule-Filter instead. It can do everything the Substring-Filter had to offer and more.
    I used to work with the Substring-Filter myself and if I remember correctly it scanned the whole mail including the complete header.
    Your observation that your testmail should have been filtered by the Substring-Filter might prove my point that it's incompatible with newer Spami versions.
  • Do the mails that slip through and don't get classified as spam by the rulefilter appear in the Training Area?
    If they do NOT appear, read my sticky thread in the English subforum, "Spam gets forwarded to Mail client, but no trace in Spami". Even though it was written before the existence of the rulefilter (I should update it soon, sorry) it still covers the most important reasons.
    Please check one more time that you do NOT have your own E-Mail address on the friends list since this is still the horse that I'm betting on.
  • I'm one of the biggest fans of the rulefilter myself, but as it is there is a major flaw in its current state which Michel is working on already.
    You cannot prioritize the different rules within the rulefilter!
    This is a big problem especially because of the filter's ability to avoid the training area.

    Example:
    You have 2 rules set in the rule filter, one is for Non-Spam and the other for Spam
    Rule 1: Non-Spam - No Copy in Training Area - Sender contains my E-mail address
    Rule 2: Spam - Regular behavior - Sender contains "* POLICY VIOLATION ! *"
    Now depending on which of the above rules gets used first you get totally different results in a case where both rules would apply.
    In one case (Rule 1 before Rule 2) the mail gets forwarded to your mail client while in the other it appears in the training area as Spam and gets forwarded to Spami's Recycle Bin.

Please make sure to keep the next mail so you can post the source code of its header (mask your E-mail address of course ;-) )

Regards,
Quellcore
Quellcore
Assistant
Beta-Tester
Posts: 1706
Joined: 8 May 2004, 13:03
Location: Long Island / USA

Re: Blocking Sender Name

Post by idbit » 25 Apr 2010, 14:30

Okay, I finally figured this out. The emails that were slipping through just happened to contain one of my Whitestring filter words. I have the Whitestring filter first in priority. They're getting smart. They add a block of 2,000 or so random words to the bottom of the email. If they get lucky, one of those words will be on your whitelist.

Quellcore, thanks for the tips. I've been using the Substring filter because it's fast. Just enter your word and click OK. The Rules filter requires a lot more interaction. Is there a "catch-all" in the Rules filter? For each rule, I've been adding "Subject contains xxxx", "Sender contains xxxx", "Message (with HTML) contains xxxx". Does "Message (with HTML)" cover everything?

So far the Substring filter has been good, but I think it was failing to catch spam words in the Sender. Also it wouldn't take words that begin with a period. I added .ru and still they were slipping through. So I made a rule for .ru instead. Also when they make a V with the slash keys: \/. That didn't work in the Substring filter, so I made a rule for that also.

Thanks again for the help!
-IB
idbit
User
Posts: 4
Joined: 25 Feb 2010, 17:30
Location: Florida
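
The cause found in the post above (a whitelist filter placed first in priority, with "stop filtering process" on a verdict) and the Rule 1 / Rule 2 ordering problem from the earlier reply are the same first-verdict-wins effect. The following simplified model is an added example, not part of the original posts and not Spamihilator's code; the filter functions, the whitelist words and the addresses are constructed placeholders.

```python
from dataclasses import dataclass

SPAM, HAM, UNKNOWN = "spam", "non-spam", "unknown"
MY_ADDRESS = "me@example.invalid"        # placeholder address
WHITELIST = ("invoice", "newsletter")    # constructed whitestrings

@dataclass
class Mail:
    sender: str
    body: str

def whitestring_filter(mail):
    # Non-spam as soon as any whitelisted word occurs anywhere in the mail.
    text = (mail.sender + " " + mail.body).lower()
    return HAM if any(w in text for w in WHITELIST) else UNKNOWN

def own_address_rule(mail):
    # "Rule 1" from the thread: sender contains my e-mail address -> non-spam.
    return HAM if MY_ADDRESS in mail.sender.lower() else UNKNOWN

def sender_spamword_rule(mail):
    # "Rule 2" from the thread: sender contains the spam word -> spam.
    return SPAM if "* policy violation ! *" in mail.sender.lower() else UNKNOWN

def classify(mail, chain):
    """Ask filters in priority order; the first definite verdict stops the run."""
    for name, check in chain:
        verdict = check(mail)
        if verdict != UNKNOWN:
            return verdict, name
    return UNKNOWN, None

# Constructed samples: a mail padded with random words, and a self-sent test mail.
padded = Mail('"* POLICY VIOLATION ! * Supplier" <x@example.invalid>',
              "Buy now. " + " ".join(["harvest", "window", "invoice", "lamp"] * 5))
self_test = Mail(f'"* POLICY VIOLATION ! * Supplier" <{MY_ADDRESS}>', "test")

WHITE_FIRST = [("whitestring", whitestring_filter), ("rule 2", sender_spamword_rule)]
RULES_FIRST = [("rule 2", sender_spamword_rule), ("whitestring", whitestring_filter)]
RULE1_FIRST = [("rule 1", own_address_rule), ("rule 2", sender_spamword_rule)]
RULE2_FIRST = [("rule 2", sender_spamword_rule), ("rule 1", own_address_rule)]

if __name__ == "__main__":
    print(classify(padded, WHITE_FIRST), classify(padded, RULES_FIRST))
    print(classify(self_test, RULE1_FIRST), classify(self_test, RULE2_FIRST))
```

In this model, putting the spam rule ahead of the whitelist, or matching whitestrings only against fields the sender cannot pad freely, closes the gap without touching the rule itself.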

Re: Blocking Sender Name

Post by idbit » 26 Apr 2010, 16:55

idbit wrote: So far the Substring filter has been good, but I think it was failing to catch spam words in the Sender. Also it wouldn't take words that begin with a period. I added .ru and still they were slipping through. So I made a rule for .ru instead. Also when they make a V with the slash keys: \/. That didn't work in the Substring filter, so I made a rule for that also.


I stand corrected. The Substring filter does catch spam words in the Sender. Some were slipping through for the same reason I stated above - words were in my Whitestring filter's whitelist. The other two statements are true though in my case - about \/ and .ru.
idbit
User
Posts: 4
Joined: 25 Feb 2010, 17:30
Location: Florida

