LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
Old 06-05-2014, 07:27 AM   #1
mike acker
Snowshoe email filter for Thunderbird


So it seems we now have this "snowshoe" type of spam -- where random "from" addresses are used.

the Thunderbird filter for "not in my address book" re-directs these messages into my "Fraud" folder naturally, and that's All Good

The messages I'm getting now though are adverts for rogue pharmacies, and I want to just delete these instead of posting them for review.

But: the messages are written in HTML, with all of the text written like this:

style=3D"color:#DD694B; font-size:24pt">D</span>Q&#200;Q&#167;<span =

The D there is part of their message "MEDICATIONS AT THE BEST PRICE", but as you see they have obfuscated the source so that a filter is not easy to apply against that string -- as the string does not occur in the body (source), only in the HTML presentation.

What I need is the ability to apply the filter against the RAW HTML -- not just against its enclosed text strings.

Any ideas/experience on this?

 
Old 06-07-2014, 10:15 AM   #2
dijetlo
You have no control over the mail server?

Generally efficient spam blocking is done in the mail header; blocking regular expressions in the body of the message is slow and time consuming, especially if you're refreshing your maildir from the server at regular intervals. On top of that, depending on how your mail client is set up, you may only be downloading the headers and pull down the messages when you select the header, in which case regular expression tests run against the body of the message will have no effect.
Why don't you post a header from a couple of the offending messages and maybe I can help you.
 
Old 06-07-2014, 06:16 PM   #3
mike acker
snowshoe filter (cont'd)

I'll certainly appreciate any help!!!!!
I'm running Thunderbird 24.5 on an LMDE/MINT client.

Here's one example:

Quote:
From - Sat May 31 19:24:56 2014
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <drugs_best12@avangarddsl.ru>
Envelope-to: bill@napfn.com
Delivery-date: Sat, 31 May 2014 14:22:47 -0400
Received: from pppoe.178-65-198-8.dynamic.avangarddsl.ru ([178.65.198.8]:2640)
by cpanel006.corecommhosting.com with esmtp (Exim 4.82)
(envelope-from <drugs_best12@avangarddsl.ru>)
id 1Wqnva-00014a-6j
for bill@napfn.com; Sat, 31 May 2014 14:22:47 -0400
From: Medications Mall <drugs_best12@avangarddsl.ru>
To: <bill@napfn.com>
Subject: BEST MEDS for the BEST PRICE !
Date: Sat, 31 May 2014 22:22:40 +0400
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<span style=3D"color:#F2F6F7; =
font-size:10pt">_________________________________________________________=
_______________Answered the name of your mother. Repeated the couch =
beside adam</span>
<br>
<div align=3D"center">
<table border=3D"0" width=3D"81%" cellspacing=3D"2" =
style=3D"color:#EAE3EC; background-color:#E9EDE2; font-family:arial, new =
york, sans-serif; font-size:1px">
<tr>
<td colspan=3D"2">x&sup;1<span style=3D"color:#D3926A; =
font-size:24pt">H</span>Uz&int;<span style=3D"color:#D3926A; =
font-size:24pt">I</span>23L<span style=3D"color:#D3926A; =

The spammers vary the subject line as well as the from address. It's an annoyance really, as my Personal Friends e/mail address is white-listed against a selected address book. This is very effective, but I'd like to exclude these drug-scam messages entirely. I route unknown senders into a REVIEW folder, which is where these drug scams end up.


 
Old 06-07-2014, 06:32 PM   #4
dijetlo
Quote:
inetnum: 178.65.128.0 - 178.65.255.255
netname: RU-AVANGARD-DSL
descr: OJSC "North-West Telecom"
descr: Murmansk branch of the OJSC "North-West Telecom"
descr: 82a Lenina av., 183038, Murmansk, Russia
country: RU
I notice they aren't using character expansion to guess this email address; they know who they're sending to.
(Hey Mike. I always check my posts and obfuscate someone@somewhere.com to someoneatsomewheredotcom.)

There is the IP range of RU-AVANGARD-DSL. Does Thunderbird give you an option of "block by IP range"? How about the control panel options on the mail server? Third option is the hosting company you're working through may have the blocking capability; let them know what's going on and see if they can block that range: 178.65.128.0 through 178.65.255.255.
 
Old 06-07-2014, 08:09 PM   #5
mike acker
Quote:
Originally Posted by dijetlo
I notice they aren't using character expansion to guess this email address; they know who they're sending to.
(Hey Mike. I always check my posts and obfuscate someone@somewhere.com to someoneatsomewheredotcom.)

There is the IP range of RU-AVANGARD-DSL. Does Thunderbird give you an option of "block by IP range"? How about the control panel options on the mail server? Third option is the hosting company you're working through may have the blocking capability; let them know what's going on and see if they can block that range: 178.65.128.0 through 178.65.255.255.
I thought about obfuscating my email address -- but -- the scammers already have it. I'm pretty sure they got it from a correspondent who just now started sending to my friends-only e/mail -- using one of the big commercial freebie services.
Not that it matters *that much*: on this address you have to be white-listed to send to it.

I looked through Thunderbird for the options you suggested; no luck. I white-listed a couple addresses from the review folder though, so this isn't really a pressing issue. I was just hoping we might know a way to get at these guys.
 
Old 06-10-2014, 07:51 PM   #6
mike acker
exit needed

What we need in Thunderbird is a plug-in that would allow us to pass the message text to a C program for scanning. The usual return codes would be appropriate -- 0 for OK and 1 for junk.

We could really tear up some spam that way.
 
Old 06-10-2014, 08:31 PM   #7
dijetlo
Mike, take a look at

tools->message filters->new and then under the "subject" drop down it has an option for "customize".

If you click it, you get a blank entry box, try to put the IP range in there.
 
Old 06-11-2014, 05:51 AM   #8
mike acker
Quote:
Originally Posted by dijetlo
Mike, take a look at

tools->message filters->new and then under the "subject" drop down it has an option for "customize".

If you click it, you get a blank entry box, try to put the IP range in there.
This "snowshoe" spam seems to be distributed from a botnet: there is no commonality in the from IP range. The thing that is common is a gross misuse of HTML tags in order to obfuscate the body of the message -- which would otherwise be easy to catch with a filter. That's why we need to be able to get at the message source.

Example:
Quote:
<td colspan=3D"2">4&#213;l<span style=3D"color:#E19200; =
font-size:24pt">H</span>7&#233;&#231;<span style=3D"color:#E19200; =
font-size:24pt">I</span>tID<span style=3D"color:#E19200; =
font-size:24pt">G</span>&#209;0&#192;<span style=3D"color:#E19200; =
font-size:24pt">H</span>&upsih;U&circ;<span style=3D"color:#E19200; =
font-size:24pt">-</span>&#198;yb<span style=3D"color:#E19200; =
font-size:24pt">Q</span>&not;Al<span style=3D"color:#E19200; =
font-size:24pt">U</span>Wc&prime;<span style=3D"color:#E19200; =
font-size:24pt">A</span>&eth;7T<span style=3D"color:#E19200; =
font-size:24pt">L</span>b16<span style=3D"color:#E19200; =
font-size:24pt">I</span>F&#200;&iuml;<span style=3D"color:#E19200; =
font-size:24pt">T</span>2d3<span style=3D"color:#E19200; =
font-size:24pt">Y</span>&#229;&#205;&loz;<span style=3D"color:#E19200; =
font-size:24pt"> </span>&Pi;eN<span style=3D"color:#E19200; =
font-size:24pt">M</span>&and;1&#243;<span style=3D"color:#E19200; =
font-size:24pt">E</span>r&uml;&uml;<span style=3D"color:#E19200; =
font-size:24pt">D</span>n&#176;&and;<span style=3D"color:#E19200; =
font-size:24pt">I</span>&#228;i1<span style=3D"color:#E19200; =
font-size:24pt">C</span>&rfloor;&#230;f<span style=3D"color:#E19200; =
font-size:24pt">A</span>p50<span style=3D"color:#E19200; =
font-size:24pt">T</span>&notin;&#181;&hArr;<span style=3D"color:#E19200; =
font-size:24pt">I</span>2&copy;P<span style=3D"color:#E19200; =
font-size:24pt">O</span>6&#209;s<span style=3D"color:#E19200; =
font-size:24pt">N</span>aR8<span style=3D"color:#E19200; =
font-size:24pt">S</span>&iuml;z9<span style=3D"color:#E19200; =

 
Old 06-11-2014, 03:37 PM   #9
dijetlo
netnum: 178.65.128.0 - 178.65.255.255
netname: RU-AVANGARD-DSL

I was assuming that was the IP range they are all coming from.
If we can't find a commonality among the messages, I'm afraid you're stuck.
 
Old 06-12-2014, 05:42 PM   #10
mike acker
Quote:
Originally Posted by dijetlo
netnum: 178.65.128.0 - 178.65.255.255
netname: RU-AVANGARD-DSL

I was assuming that was the IP range they are all coming from.
If we can't find a commonality among the messages, I'm afraid you're stuck.
The nasties seem to have tapered off. If I could get at the message with a little C program exit I could count (e.g.) the number of times he used the span tag and when that is more than 6 or so set the error value in the return code... maybe relate it to the total length of the message as well.
... the little C program exit would be fun to pass around as well, in keeping with our great Linux Traditions.
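As an added example (not code from the thread, from Thunderbird, or from either poster), here is the scanner mike acker sketches in posts #6 and #10 written out as C functions: count_spans() counts <span> tags in the raw quoted-printable source and how many of them wrap exactly one character, and is_snowshoe_junk() returns 0 for OK and 1 for junk. The thresholds SINGLE_LIMIT and SPANS_PER_KB and the sample messages are assumptions/constructed, not tuned values; a main() that reads the message from stdin and returns is_snowshoe_junk() would turn it into the "exit" program he describes.

```c
/* Added example, not code from the thread: a stand-alone C "exit" as proposed
 * in posts #6 and #10. It counts <span> tags in the raw source and how many
 * wrap exactly one character (the obfuscation pattern quoted above) and
 * returns 0 = OK, 1 = junk. SINGLE_LIMIT and SPANS_PER_KB are assumed. */
#include <ctype.h>
#include <string.h>

#define SINGLE_LIMIT 6   /* more than this many one-character spans: junk */
#define SPANS_PER_KB 20  /* or more than this many spans per KB of source: junk */

static int starts_ci(const char *s, const char *prefix) /* case-insensitive prefix */
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Count <span ...> tags and, of those, the ones holding a single byte before
 * </span>, e.g. 24pt">H</span>. A QP soft break ("=\n") inside a tag is
 * harmless: only the tag's closing '>' and the bytes after it are inspected. */
void count_spans(const char *raw, int *spans, int *single_char)
{
    *spans = *single_char = 0;
    for (const char *p = raw; *p; p++) {
        if (!starts_ci(p, "<span")) continue;
        const char *close = strchr(p, '>');
        if (!close) break;
        (*spans)++;
        if (close[1] && starts_ci(close + 2, "</span")) (*single_char)++;
        p = close;
    }
}

/* The "usual return codes" from post #6: 0 for OK, 1 for junk. */
int is_snowshoe_junk(const char *raw)
{
    int spans, single_char;
    size_t len = strlen(raw);
    count_spans(raw, &spans, &single_char);
    return single_char > SINGLE_LIMIT ||
           (len > 0 && (size_t)spans * 1000 / len > SPANS_PER_KB);
}

/* Constructed samples in the style quoted in the thread, not real messages. */
#define SP(c) "x&#213;l<span style=3D\"color:#E19200; =\nfont-size:24pt\">" c "</span>"
const char SAMPLE_SPAM[] = SP("M") SP("E") SP("D") SP("S") SP("A") SP("T") SP("B");
const char SAMPLE_OK[]   = "<p>Hi Mike, <span class=3D\"b\">lunch</span> on Friday?</p>";
```

A legitimate HTML newsletter may use many spans, but it rarely wraps single characters in them, which is why the one-character count is the primary signal and the density is only a fallback.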
 