the D there is part of their message
"MEDICATIONS AT THE BEST PRICE"
but as you see they have obfuscated the source so that
a filter is not easy to apply against that string --
as the string does not occur in the body(source) only in the
HTML presentation
what I need is the ability to apply the filter against the RAW HTML --
not just against its enclosed text strings
Generally, efficient spam blocking is done in the mail header; blocking regular expressions in the body of the message is slow and time consuming, especially if you're refreshing your maildir from the server at regular intervals. On top of that, depending on how your mail client is set up, you may only be downloading the headers and pulling down the messages when you select the header, in which case regular expression tests run against the body of the message will have no effect.
Why don't you post a header from a couple of the offending messages and maybe I can help you.
I'll certainly appreciate any help!!!!!
I'm running Thunderbird 24.5 on a LMDE/MINT client
here's one example:
Quote:
From - Sat May 31 19:24:56 2014
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <drugs_best12@avangarddsl.ru>
Envelope-to: bill@napfn.com
Delivery-date: Sat, 31 May 2014 14:22:47 -0400
Received: from pppoe.178-65-198-8.dynamic.avangarddsl.ru ([178.65.198.8]:2640)
by cpanel006.corecommhosting.com with esmtp (Exim 4.82)
(envelope-from <drugs_best12@avangarddsl.ru>)
id 1Wqnva-00014a-6j
for bill@napfn.com; Sat, 31 May 2014 14:22:47 -0400
From: Medications Mall <drugs_best12@avangarddsl.ru>
To: <bill@napfn.com>
Subject: BEST MEDS for the BEST PRICE !
Date: Sat, 31 May 2014 22:22:40 +0400
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<span style=3D"color:#F2F6F7; =
font-size:10pt">_________________________________________________________=
_______________Answered the name of your mother. Repeated the couch =
beside adam</span>
<br>
<div align=3D"center">
<table border=3D"0" width=3D"81%" cellspacing=3D"2" =
style=3D"color:#EAE3EC; background-color:#E9EDE2; font-family:arial, new =
york, sans-serif; font-size:1px">
<tr>
<td colspan=3D"2">x⊃1<span style=3D"color:#D3926A; =
font-size:24pt">H</span>Uz∫<span style=3D"color:#D3926A; =
font-size:24pt">I</span>23L<span style=3D"color:#D3926A; =
the spammers vary the subject line as well as the from address.
it's an annoyance really, as my Personal Friends e/mail address
is white-listed against a selected address book. this is very effective
but I'd like to exclude these drug-scam messages entirely. I route
unknown senders into a REVIEW folder which is where these drug scams end up.
Last edited by mike acker; 06-07-2014 at 06:18 PM.
inetnum: 178.65.128.0 - 178.65.255.255
netname: RU-AVANGARD-DSL
descr: OJSC "North-West Telecom"
descr: Murmansk branch of the OJSC "North-West Telecom"
descr: 82a Lenina av., 183038, Murmansk, Russia
country: RU
I notice they aren't using character expansion to guess this email address, they know who they're sending to.
(Hey Mike. I always check my posts and obfuscate someone@somewhere.com to someoneatsomewheredotcom.)
There is the IP range of RU-AVANGARD-DSL. Does Thunderbird give you an option of "block by IP range"? How about the control panel options on the mail server? Third option is the hosting company you're working through may have the blocking capability, let them know what's going on and see if they can block that range. 178.65.128.0 through 178.65.255.255
i thought about obfuscating my email address -- but -- the scammers already have it. i'm pretty sure they got it from a correspondent who just now started sending to my friends only e/mail -- using one of the big commercial freebie services
not that it matters *that much* : on this address you have to be white-listed to send to it.
i looked through Thunderbird for the options you suggested; no luck. I white-listed a couple addresses from the review folder though so this isn't really a pressing issue. I was just hoping we might know a way to get at these guys.
what we need in Thunderbird is a plug-in that would allow us to pass the message text to a C program for scanning. The usual return codes would be appropriate,-- 0 for OK and 1 for junk.
tools->message filters->new and then under the "subject" drop down it has an option for "customize".
If you click it, you get a blank entry box, try to put the IP range in there.
this "snowshoe" spam seems to be distributed from a botnet: there is no commonality in the from IP range. the thing
that is common is a gross misuse of HTML tags in order to obfuscate the body of the message -- which would otherwise be
easy to catch with a filter. that's why we need to be able to get at the message source.
I was assuming that was the IP range they are all coming from.
If we can't find a commonality among the messages, I'm afraid you're stuck
the nasties seem to have tapered off. if I could get at the message with a little C program exit I could count ( e.g. ) the number of times he used the span tag and when that is more than 6 or so set the error value in the return code... maybe relate it to the total length of the message as well
... the little C program exit would be fun to pass around as well in keeping with our great Linux Traditions
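The "little C program" idea from the posts above, sketched as an added example (not code posted in the thread): it reads the message body on stdin, undoes the quoted-printable encoding, counts opening span tags, relates that count to the visible text, and exits 0 for OK or 1 for junk. The limit of 6 spans comes from the post; the 20-characters-per-span cutoff and all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SPAN_LIMIT 6       /* "more than 6 or so", from the post above */
#define CHARS_PER_SPAN 20  /* assumed cutoff: visible characters per <span> */
/* Decode quoted-printable in place: drop soft line breaks, turn =XX into a byte. */
static void qp_decode(char *s) {
    char *r = s, *w = s;
    while (*r) {
        if (r[0] == '=' && (r[1] == '\n' || (r[1] == '\r' && r[2] == '\n')))
            r += 2 + (r[1] == '\r');
        else if (r[0] == '=' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            unsigned v = 0;
            sscanf(r + 1, "%2x", &v);
            if (v) *w++ = (char)v;   /* skip =00 so the C string stays intact */
            r += 3;
        } else *w++ = *r++;
    }
    *w = '\0';
}
/* Count opening <tag> elements, case-insensitively; closing tags do not match. */
static int count_open_tags(const char *html, const char *tag) {
    int hits = 0;
    for (const char *p = html; (p = strchr(p, '<')) != NULL; p++) {
        const char *q = p + 1, *t = tag;
        while (*t && tolower((unsigned char)*q) == *t) q++, t++;
        hits += !*t && (*q == '>' || isspace((unsigned char)*q));
    }
    return hits;
}
static size_t visible_chars(const char *html) {   /* non-space text outside tags */
    size_t n = 0;
    for (int in_tag = 0; *html; html++) {
        if (*html == '<') in_tag = 1;
        else if (*html == '>') in_tag = 0;
        else if (!in_tag && !isspace((unsigned char)*html)) n++;
    }
    return n;
}
static int classify(char *raw) {   /* 0 = OK, 1 = junk */
    qp_decode(raw);
    int spans = count_open_tags(raw, "span");
    return spans > SPAN_LIMIT && visible_chars(raw) / (size_t)spans < CHARS_PER_SPAN;
}
int main(void) {   /* message body on stdin, verdict as the exit status */
    static char buf[1 << 20];
    buf[fread(buf, 1, sizeof buf - 1, stdin)] = '\0';
    return classify(buf);
}
```

Decoding first matters because a soft line break (`=` at end of line) can fall in the middle of a tag or attribute, so a count taken on the undecoded text can miss spans.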