Poco Forums • View topic - Filtering entire blocks of addresses

Filtering entire blocks of addresses

Discussion on Bayesian and standard junk mail filters

Moderators: Eric, Tomas, robin, Michael

Filtering entire blocks of addresses

Postby FieldDir121 » Wed Dec 01, 2004 4:05 pm

Spammers have found a way around the Bayesian filter and my word specific filters. They create a message and then convert it to a gif image. There is no "text" in the message at all so it gets through the filters.

My brother's solution is to filter at a higher level. He deletes entire blocks, such as those from the Asian Pacific region. I have done the same thing for the past day.

I look through the headers of the mail in my junk box and see if they have the same starting address. For instance the ones starting with 210., 211. and 220.. In order to be sure only the actual sending address is being used and not some other part of the message I include the preceding opening bracket, [220.

This web site can be used to find the owner of an address:
http://www.arin.net/whois/index.html

It looks like eliminating entire address blocks stops about 1/4 of my 100 spams per day, many of which would get past the other filters.

Scott
FieldDir121
Resident Poster
 
Posts: 149
Joined: Mon Aug 02, 2004 5:18 pm

Filtering domains locked in images

Postby sources » Thu Dec 02, 2004 2:40 am

Another, less drastic method is to right click on any link in the message body or even the image itself, discover the domain either in "properties" or "copy shortcut" to a text editor or blank message, and then block that domain.

Cheers,

Jack Schultz
gjs-at-comsources.com
Jack Schultz
sources
Drop-in Visitor
 
Posts: 13
Joined: Sat Sep 18, 2004 12:38 pm

Postby Eric » Thu Dec 02, 2004 4:31 am

:idea: Why not ban the sender or the domain and create a pre-download filter to remove From %junksenders% automatically from the server upon next mail check?
You can add the junksenders by right-clicking on the message: Junk Mail filtering | Ban Sender or Ban Subject or Ban Sender's domain.

Just another approach to your problem. :wink:
Eric
 

Postby Guest » Thu Dec 02, 2004 4:55 am

Eric,

Two reasons, the first being I didn't know I could (now I do). How much of the address is used for the domain?

I am finding that sometimes I want to use only the first 8 bits and other times more.

When I turned on my system after being off for 9 hours there were 31 e-mails on the server. 26 were outright deleted by my filters, 2 were in the junk mailbox (Bayesian) and 3 were in the original mailbox, all spam.

Scott
Guest
 

Postby Guest » Thu Dec 02, 2004 5:07 am

Eric wrote: Why not ban the sender or the domain and create a pre-download filter to remove From %junksenders% automatically from the server upon next mail check.


Eric,

People have suggested that. Here is my thinking: so far no messages of significant length have come in (a long message could use up my server space). While processing each message through the 30+ filters I have created takes time, though not enough that I have noticed any delay, my conclusion is that except during FPGA compiles the CPU is doing virtually nothing anyway, so it may as well be doing that.

Pros, cons?

There is another system here with Pocomail. Is there a way to take all my filters and install them on that machine without having to do each one manually?

Scott
Guest
 

Postby Eric » Thu Dec 02, 2004 5:24 am

Hi Scott,
Scott wrote: Two reasons, the first being I didn't know I could (now I do).
Now you know. :D
Scott wrote: How much of the address is used for the domain?
Only isp.com or you can edit the Junksenders.txt and insert all the addresses/domains you want to block/remove. Close Poco before editing/changing this file.
Scott wrote: There is another system here with Pocomail. Is there a way to take all my filters and install them on that machine without having to do each one manually?
Just copy the Filters.ini file to the other system's Pocomail directory. :)

Question: Why are you logged in as a guest?
That's the second time I'm seeing it. :shock:

Edit: Didn't see the previous post. :?
Eric
 

Postby FieldDir121 » Thu Dec 02, 2004 7:19 am

Eric,

According to my brother, who has been doing this for some time at the server level, entire blocks are used for spam. For instance he said everything from 31.xxx.xxx.xxx is always spam. So, rather than having to list each address as it occurs, he just blocks the whole thing. His looks like this:

### IP blocks
## APNIC Asia Pacific Network
ipchains -A input -j DENY -p all -l -s 31.0.0.0/8 -d 0.0.0.0/0
ipchains -A input -j DENY -p all -l -s 140.109.0.0/16 -d 0.0.0.0/0
. . .

The /8 and /16 are how many bits to use.

As to being logged in as guest, I hit reply after viewing your reply. Normally it makes me log in, but that time it didn't. I did both replies at the same time.

As to the files such as Junksender.txt: Pocomail doesn't work quite the way it should on my WinXP Pro machine with me as the single user administrator. I have to edit the files using an external editor.
Using CNTL-F4, selecting the Word Lists tab and clicking on "Banned Senders" or any of the others does nothing.

The other machine with multiple users each with their own account is a little better, but still not entirely functional. Even then it took extraordinary efforts to configure. I reported the process in the Pocomail section. It involved setting each user account to administrator, installing Pocomail in each one, and then setting the accounts back to user. Only one copy of Pocomail actually exists but the directory structure and privileges for the mailboxes are different.

Scott
FieldDir121
Resident Poster
 
Posts: 149
Joined: Mon Aug 02, 2004 5:18 pm

Postby Eric » Thu Dec 02, 2004 9:36 am

FieldDir121 wrote: So, rather than having to list each address as it occurs, he just blocks the whole thing. His looks like this: see above
I don't think it would work with ipchains, only domains. However maybe it could be possible by using an external file.
Just not sure here, so someone with more knowledge may help on this. :?
FieldDir121 wrote: As to being logged in as guest, I hit reply after viewing your reply. Normally it makes me log in, but that time it didn't. I did both replies at the same time.
Oh ... pretty strange. Speerga (Gary) did the same.
FieldDir121 wrote: Using CNTL-F4, selecting the Word Lists tab and clicking on "Banned Senders" or any of the others does nothing.
:shock: Never experienced it. Really quite annoying. On my system it opens my Metapad for viewing everything inside. You can also open the file in PM's Mail directory.
FieldDir121 wrote: The other machine with multiple users each with their own account is a little better, but still not entirely functional.
I'm not familiar, nor experienced in this field, so I can't help on that. Can't know everything. :lol:
Eric
 

Postby FieldDir121 » Thu Dec 02, 2004 11:36 am

Eric,

The disadvantage of using Junksender.txt is that the sender might change while the actual source address stays the same. By using a filter and comparing the actual address, [xxx.xxx.xxx.xxx], I can block the source regardless of who sends the message. By comparing a portion of the address I can block an entire geographical region.

Jack, I see no way to get "properties" or "copy shortcut".

Scott
FieldDir121
Resident Poster
 
Posts: 149
Joined: Mon Aug 02, 2004 5:18 pm

Postby Eric » Thu Dec 02, 2004 11:44 am

FieldDir121 wrote: By using a filter and comparing the actual address, [xxx.xxx.xxx.xxx] I can block the source regardless of who sends the message. By comparing a portion of the address I can block an entire geographical region.
Scott, I knew that, but it's simply not possible with Junksenders. Maybe through a script which calls an external file. :roll:
FieldDir121 wrote: Jack, I see no way to get "properties" or "copy shortcut".
What do you mean by it?
Eric
 

Postby Guest » Wed Dec 29, 2004 3:47 pm

An update:

Using the numerical addresses in filters I have managed to eliminate between 90% and 95% of all incoming spam. With nearly 100 spams per day the standard Pocomail junk mail filters have only caught 39 messages in the past two weeks.

I am constantly adding new addresses whenever an e-mail does make it past the filters. I copied the filters to my son's account and he is also near 90%.

With the Bayesian filters I was constantly having to look through the rejects to see if something important was rejected as spam. With the numerical address based filtering I have had no indication that I have missed any "real" e-mails. They are deleted rather than placed in the junk mailbox so I don't have to deal with them at any level. This is not surprising since the majority of filtered addresses are from the Asian, Caribbean or Latin regions and I don't know anyone there.

It does take a few minutes of effort each day, but not as much as sorting through all the junk mail box messages used to.

Scott
Guest
 

Postby Eric » Wed Dec 29, 2004 11:53 pm

Anonymous wrote:An update:
Using the numerical addresses in filters I have managed to eliminate between 90% and 95% of all incoming spam. With nearly 100 spams per day the standard Pocomail junk mail filters have only caught 39 messages in the past two weeks.
Thanks for the update Scott. :wink:
Glad it's working out for you.
Eric
 

Copy of code!

Postby muncher1 » Mon Jan 17, 2005 1:59 am

Would someone have the code they could post as an example of how to snag the email by using the first four digits of an IP address?

I have been running the spam tracer and sure enough most are coming from the same block of IP address, but they continue to change their name so it's difficult for the standard filters to pick them up.

I have been running a script that checks for multiple cc:'s to the same ISP and if any other address in the email, besides mine, is not in my address book it zaps it. That has been working real well.

With blocking by ISP number it would add one more layer of protection.

Thx in advance.
muncher1
Poco Tourist
 
Posts: 27
Joined: Sun Dec 19, 2004 2:23 pm
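
The address-block matching discussed in this thread, as an added Python example; it is not Pocomail filter or script syntax and not code from any poster. It reads the bracketed address only from the newest Received header (the one written by your own server, an assumption exposed as `trusted_hops`) and tests it against the two blocks quoted from the ipchains rules; the sample messages are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Blocks taken from the ipchains lines quoted in the thread.
BLOCKED = [ipaddress.ip_network(n) for n in ("31.0.0.0/8", "140.109.0.0/16")]

# A relay address as it appears in a Received header: [a.b.c.d]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw_message, trusted_hops=1):
    """Return bracketed IPs from the newest `trusted_hops` Received headers.

    Received headers are prepended, so the first ones were written by your
    own mail server; anything further down can be forged by the sender.
    (trusted_hops is an assumption of this example.)
    """
    msg = message_from_string(raw_message)
    ips = []
    for header in (msg.get_all("Received") or [])[:trusted_hops]:
        for text in BRACKETED_IP.findall(header):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # e.g. [999.1.1.1]; not a real address
    return ips

def is_blocked(raw_message, networks=BLOCKED):
    return any(ip in net for ip in relay_ips(raw_message) for net in networks)

# Constructed sample messages (documentation hostnames, made-up addresses).
SPAM = (
    "Received: from mail.example.net (unknown [140.109.7.20])\n"
    "\tby mx.example.org; Wed, 1 Dec 2004 16:05:00 -0500\n"
    "Received: from localhost ([192.0.2.1]) by mail.example.net\n"
    "From: changed-again@example.com\nSubject: hi\n\nbody\n"
)
HAM = (
    "Received: from mail.example.net (unknown [198.51.100.9])\n"
    "\tby mx.example.org; Wed, 1 Dec 2004 16:06:00 -0500\n"
    "Received: from forged ([31.1.2.3]) by nowhere.example\n"
    "From: friend@example.com\nSubject: lunch\n\nbody\n"
)

if __name__ == "__main__":
    print(is_blocked(SPAM), is_blocked(HAM))
```

A text filter on `[140.109.` covers the same /16, but a block that does not end on an octet boundary cannot be written as a text prefix.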

Donno

Postby Guest » Mon Dec 26, 2005 11:43 pm

FieldDir121 wrote: There is no "text" in the message at all so it gets through the filters.


I have absolutely no idea... You should really take it up with a professional.
Guest
 

Re: Donno

Postby Maximus » Tue Dec 27, 2005 12:27 pm

Scott

FieldDir121 wrote: There is no "text" in the message at all so it gets through the filters.


I am getting a lot of this kind of spam as well. Look at the raw message (menu tools, scripts, raw message) and you will notice the following contained in the message's html:

<img src="cid:123456">

The spammers do not provide any visible text, but they include an image tag with a cid: address.

I have my filters set up that all mails sent to me
- from unknown senders
- and containing a "src = cid:" string will be sent to junk.

Make sure that alternative writing is also captured by your filter, e.g.
src=cid:
src="cid:
src ="cid:

Maybe this is easier than blocking whole IP-ranges.

Adi
Maximus
Resident Poster
 
Posts: 169
Joined: Fri Aug 13, 2004 8:03 pm
Location: Zürich, Switzerland
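
The "unknown sender plus `src=cid:`" rule from the post above, as an added Python example rather than Pocomail filter syntax or the poster's own filter. One regular expression covers the spacing and quoting variants listed; the `max_text` threshold for "no visible text" and the `known_senders` set are assumptions of this example, added so that ordinary mail with an inline logo is not flagged. Sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Matches src=cid:, src="cid:, src ="cid:, src = 'cid: and so on, any case.
CID_SRC = re.compile(r"src\s*=\s*[\"']?\s*cid:", re.IGNORECASE)

class _Text(HTMLParser):
    """Collects the text between tags, i.e. what a reader would see."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def visible_text(html):
    parser = _Text()
    parser.feed(html)
    return " ".join("".join(parser.chunks).split())

def is_image_only_spam(raw_message, known_senders, max_text=20):
    """True for mail from an unknown sender whose HTML is a cid: image
    with (almost) no visible text. max_text is an assumed threshold."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in known_senders:
        return False
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if CID_SRC.search(html) and len(visible_text(html)) <= max_text:
            return True
    return False

def _mail(sender, html):  # builds a constructed single-part HTML message
    return f"From: {sender}\nContent-Type: text/html; charset=utf-8\n\n{html}\n"

SAMPLES = {
    "spam": _mail("x@example.net", '<html><body><IMG SRC = "cid:123456"></body></html>'),
    "logo": _mail("new@example.org",
                  '<p>Hello Scott, the quote you asked for is attached.</p><img src="cid:logo">'),
    "friend": _mail("adi@example.com", "<img src=cid:photo1>"),
}
```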
