Spam - beating the DA word filter

americanintel

I'm not a spam expert but have done a pretty good job of blocking email using SpamAssassin and the DA filters, which include viagra, medications, prescriptions, etc.

Regardless, I keep getting these emails:
----------
Subject: Fwd: Have V|@gra, Valï(u)m, X(a)n@x Diet Pills Any Meds

Body: Get Vïàgrå, Vãlïûm, Xánåx now!... REALLY EASY!

You can now conveniently and comfortably connect to our doctors and to our pharmacists through the Internet and get PRESCRIPTION MEDICATIONS EASILY!

We'll have your prescriptions written for you and your medications prescribed quickly and easily from the comfort of your computer.

Meds will be delived overnight via FedEx securely, discreetly and straight to your door.

Start placing your order for meds here

EVERYONE is approved... No forms to fill out... we respect your PRIVACY!

We ship WORLDWIDE!...

b gfnjgzuu e im wfuh gie l xcjkppmgijalt h dffpap
---------
We all get 'em, I know, but I couldn't figure out how it was getting through my word filter in DA until I did a View Source:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://wwww3.org/TR/html4/loose.dtd"><html><head><title>Sh</outlandish>op fo</wheedle>r yo</conductance>ur me</occult>ds di</heard>scr</edmonds>eetly</title><META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=ISO-8859-1"><style type="text/css"><!-- .style5 {font-family: Arial, Helvetica, sans-serif; font-size: 14px; } --></style></head><body><p class="style5"><strong>Get Vïàgrå, Vãlïûm, Xánåx n</porpoise>ow!... R</biopsy>EAL</deceitful>LY EA</self>SY!</strong></p><p class="style5">Y</percentage>ou ca</drainage>n no</cloddish>w co</diffractometer>nve</hesitant>nien</grapefruit>tly an</astronaut>d com</campfire>for</uterus>tabl</venal>y co</cosec>nne</domingo>ct t</drowse>o ou</dorcas>r do</immobility>ctor</bottommost>s a</presence>nd to ou</mental>r pha</comply>rmaci</discriminate>sts th</algiers>roug</rail>h t</eruption>he In</marrietta>tern</travelogue>et an</culprit>d ge</exert>t PRE</piggish>SCRIPTI</pacific>ON MED</cocoon>ICATI</amuse>ONS EA</operant>SILY! </p><p class="style5">We'l</placeholder>l ha</cocoon>ve you</koppers>r pr</weaken>escrip</chaotic>tions w</wangle>ritt</progress>en f</clap>or y</candela>ou an</clam>d yo</contribution>ur m</whale>edi</felicia>cati</erotica>ons pre</enzymatic>scri</naacp>bed qui</combination>ckly a</detoxify>nd eas</previous>ily fro</limelight>m the c</louise>omfo</down>rt of yo</santayana>ur co</funny>mpute</soul>r. </p><p class="style5">Me</cuny>ds wi</hyaline>ll b</ladylike>e de</chaplin>liv</let>ed ove</bad>rnig</chromosphere>ht vi</carouse>a Fed</squander>Ex sec</anchorite>urely, d</rototill>iscreet</gesture>ly and s</lick>trai</dye>ght t</toxicology>o yo</amass>ur d</mona>oor. </p><p class="style5"><a href="http://www.charterdrugs.biz"><b>Sta</conversation>rt pla</obituary>ci</horoscope>ng yo</notch>ur or</lawbreaker>der fo</backfill>r me</prescott>ds he</evidential>re</b></a></p><p class="style5">EVERYONE is approved... No forms to fill out... 
we respe</hayward>ct yo</lattice>ur PRIV</pathogenic>ACY! </p><p><span class="style5">W</parlance>e s</circumspect>hip WOR</facto>LDWI</oracle>DE!... </span></p></body></html>b gfnjgzuu e
im
wfuh gie l xcjkppmgijalt h dffpap

Pretty nifty, eh? Splitting up words with bracketed words keeps it from getting recognized.

Any thoughts on how to defeat this?
 
Hello,

Other than dropping all html emails, no. The DA filter is too simple to handle that level of spam. Not sure about SpamAssassin... that might not be something it's designed to pick up. Hopefully, they'll release a new algorithm to count the number of tags to decide when to declare an email as spam.

John
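
The bogus closing tags in the quoted source render as nothing, so a filter only sees the blocked words if it strips tags (and folds the accented letters) before matching. The following is an added example, not part of the thread and not DirectAdmin or SpamAssassin code; it also counts closing tags that were never opened, a variant of the tag-count idea above. The names, the word list and the `orphan_limit` threshold are assumptions.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Words the first post names as being in its DA filter.
BLOCKED_WORDS = ("viagra", "medications", "prescriptions")
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input"}  # never closed

class VisibleText(HTMLParser):
    """Collects rendered text; counts closing tags that were never opened."""
    def __init__(self):
        super().__init__()
        self.text, self.open_tags, self.orphans = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags.pop() != tag:  # tolerate sloppy nesting
                pass
        else:
            self.orphans += 1  # e.g. </porpoise>: renders as nothing
    def handle_data(self, data):
        self.text.append(data)

def fold(text):
    """Lower-case and strip accents so 'Vïàgrå' compares equal to 'viagra'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def scan(html, orphan_limit=3):  # orphan_limit is an assumed threshold
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    visible = fold("".join(parser.text))
    raw_hits = [w for w in BLOCKED_WORDS if w in html.lower()]  # naive filter
    hits = [w for w in BLOCKED_WORDS if re.search(rf"\b{w}\b", visible)]
    return {"raw_hits": raw_hits, "hits": hits, "orphans": parser.orphans,
            "suspicious": bool(hits) or parser.orphans > orphan_limit}

# Constructed sample: adapted fragments of the message source in the first post.
SAMPLE = ('<html><body><p class="style5"><strong>Get Vïàgrå n</porpoise>ow!'
          '</strong></p><p class="style5">We\'l</placeholder>l ha</cocoon>ve you'
          '</koppers>r pr</weaken>escrip</chaotic>tions and yo</contribution>ur '
          'm</whale>edi</felicia>cations</p></body></html>')

if __name__ == "__main__":
    print(scan(SAMPLE))
```

On the sample, matching against the raw source finds none of the words, while matching against the folded visible text finds all three.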
 
If we could create filters on things found in the HEADER, that would help a lot... Might also be a bit more reliable for blocking certain domains..
 
DirectAdmin Support said:
Other than dropping all html emails, no. The DA filter is too simple to handle that level of spam. Not sure about SpamAssassin...
SpamAssassin doesn't handle them too well either, unless you demime a copy of the email for checking first, and that uses an awful lot of machine resources.

I will be announcing our spamblocking configuration for exim to this list later today. It'll just be in the form of an exim.conf file, and certainly it just won't be a drop-in; it'll require addition of and management of a bunch of additional files.

The good news is that it works well for us and has dropped spam to an almost nonexistent level.

I'll also be offering a service for DA hosts to set it up for them, and a commercial service using it.

Of course John is welcome to create a package around it, as is anyone else.

Jeff
 
Most of these emails include a link to a shop, we should be able to just add those domain names to the filter.

Unfortunately it doesn't work for me, so I'm wondering if this is a bug or if I'm missing something...

poiwer.info, for example.
 
I think exim only filters the first X number of characters in an email. You can set that to a higher number by setting:

message_body_visible = 3000 (or higher)

In the main (top) section of the exim.conf

John
 
I have it set to 3000 already, you think I should use a higher number?

By how much does it slow email processing?
 
jlasman said:

I will be announcing our spamblocking configuration for exim to this list later today. It'll just be in the form of an exim.conf file, and certainly it just won't be a drop-in; it'll require addition of and management of a bunch of additional files.

Is this using dspam? I am working on getting that to work with DA. I have it working great on my Solaris box at home, but am working out a few details for a DA configuration.
 
No, I said "spamblocking" configuration.

I won't go into my rationale for only blocking here, but I will when I make the announcement.

The announcement has been delayed a bit because I'm too busy to get the documentation done :( .

Jeff
 
toml said:
Is this using dspam? I am working on getting that to work with DA. I have it working great on my Solaris box at home, but am working out a few details for a DA configuration.

Did you get it to work?
 
sander815 said:
Did you get it to work?

I have it mostly working, but I have not had too much time lately to test it before I turn it on in production. I still need to finish setting up the spam/ham aliases to train the filter and make sure it works with the virtual email addresses.

Once I get a chance to finish testing it, I will write up how to compile and use it.
 
Maybe you can use the SA Training Corpus (5,64Mb tar.gz file) of 2500 emails under 'Contributions', as the 'DSPAM' website says:
A good compilation of mail from the SpamAssassin Public Corpus accompanied by a DSPAM training script. This is ideal for creating a global merged dictionary to provide initial training data to users.
ramon
 