email support

Ask us about your TalkTalk email account and Webmail.


Spam filter problems

td123
Whizz Kid
Message 4 of 4

A minor irritation when compared with the current situation with covid-19 & lockdown but what's happening with the spam filter system? I have had this problem before and it seems it's back.

 

I have started getting bitcoin emails again even though I have several filters in place. I have 3 filters for the word bitcoin set in the "subject", "from" and "body" sections but this morning I have got more spam from "bitcoin@ bitcoinoffers.com". There's not much point spending time setting filters if they aren't going to have any effect.

 

Anyone else finding filtered spam is getting through?

 

 

0 Likes
3 REPLIES 3

Message 1 of 4

Hi td123 

 

Yes, "supposedly blocked" is what people say when they get the same spam that they thought they'd blocked.

 

There are two issues to consider.

  1. If you're using a mail filter set to work on the From: and expecting this to block an email address then it's bound to fail in the case of spam because the From: can be disguised as explained.
  2. If you're using a mail filter set to work on the Header Address i.e. the actual sending address then it's bound to fail with the same spam that gets sent from different sending addresses.

Here are two examples:

 

Spam From: Iamspam@spam.biz <lamspam@spam.biz>

Spam From: Iamspam@spam.biz <Iamspam@spam.com>

 

Your filter is set to block From: Iamspam@spam.biz but it might not block either if the From: is encoded in base64.

 

Your filter is set to block the Header Address Iamspam@spam.biz so you think at least it should block the first example. No, because the first is LAMSPAM and the filter is blocking IAMSPAM - I'm just using uppercase characters here to illustrate the difference and that in the local part of an email address there is a case sensitivity to consider.

 

If you'd like to show me an example of an email From: entry from the View source and your filter rule that you believe should have blocked the email I'll comment on what may or may not be happening.

GondolaVolunteer 2017-2021

 Like below to appreciate my help . . . Best answer is + Accept as Solution

0 Likes

Message 2 of 4

I appreciate the subtle differences in spellings etc. and can see these can get past filters set for body, subject etc., but I have received spam from supposedly blocked email addresses.

 

 

Regards 

0 Likes

Gondola
Community Star
Message 3 of 4

Hi @td123 

 

Once spammers know your email address they'll use every trick in the book to get their spam through. Network filtering will trap spammers but each time spammers change their senders or sending characteristics it's inevitable that some will get through.

 

For example, they'll take advantage of the fact that the email specification allows the use of base64 encoding to 'disguise' the word 'Bitcoin' in the From: and Subject: fields.  If you view these by selecting the spam mail and View Source in TalkTalk Mail you'll see those lines starting =?UTF-8?B?

 

The encoding is perfectly 'legal' and is how you see things like emoji in the subject lines in email from acceptable senders.

 

What you need to know is that the Filter rules operate on the actual contents of the From: and Subject: fields rather than the unencoded version displayed to you.

 

Here's what just 3 versions of 'Bitcoin' look like using base64 encoding:

  • Bitcoin
    Qml0Y29pbgo=
  • BITCOIN
    QklUQ09JTgo=
  • bitcoin
    Yml0Y29pbgo=

So, to trap those in a 'Bitcoin filter' you'd set a single filter rule to operate when any condition is met and, in addition to the real spelling versions:

From: contains Qml0Y29pbgo=

From: contains QklUQ09JTgo=

From: contains Yml0Y29pbgo=

Subject: contains Qml0Y29pbgo=

Subject: contains QklUQ09JTgo=

Subject: contains Yml0Y29pbgo=

 

But remember that what you think you see isn't necessarily what's there. BITCOIN may look like BlTCOIN but the second version here has a lower case L as the second character. So there are still plenty of combinations that spammers can use to get their nefarious unwanted messages through. Just add more Conditions to the 'Bitcoin filter' as you think of or come across different variations that you'd want to trap.

 

Spammers know you're going to be clever enough to use Filter rules so all you can do is outsmart them.

GondolaVolunteer 2017-2021

 Like below to appreciate my help . . . Best answer is + Accept as Solution
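
The point in the reply above, that filter rules see the raw header text rather than what is displayed, worked through as an added example that is not part of the original thread or of TalkTalk Mail. It compares a "contains" test on the raw header, using the three strings from the post, with a test that first decodes the RFC 2047 encoded-words and folds case and a few look-alike characters. The function names, the look-alike map and the sample subjects are assumptions made for the illustration.

```python
import base64
from email.header import decode_header, make_header

# The three strings used in the filter conditions of the post above.
RAW_RULES = ["Qml0Y29pbgo=", "QklUQ09JTgo=", "Yml0Y29pbgo="]

# Hand-picked look-alike characters (an assumption, far from complete).
LOOKALIKES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def encoded_word(text: str) -> str:
    """Build an RFC 2047 base64 encoded-word, as it appears in View Source."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?" + b64 + "?="


def rule_plaintexts():
    """What the raw rule strings themselves decode to."""
    return [base64.b64decode(rule) for rule in RAW_RULES]


def raw_rule_hits(header_value: str) -> bool:
    """'contains' test on the undecoded header text."""
    return any(rule in header_value for rule in RAW_RULES)


def decoded_rule_hits(header_value: str, word: str = "bitcoin") -> bool:
    """Decode encoded-words, fold case and look-alikes, then match."""
    shown = str(make_header(decode_header(header_value)))
    return word in shown.casefold().translate(LOOKALIKES)


# Constructed sample Subject values (not taken from any real message).
SAMPLES = [
    encoded_word("Bitcoin"),
    encoded_word("Get Bitcoin now"),
    encoded_word("BlTCOIN bonus"),  # lowercase L in place of the I
    "Your weekly newsletter",
]


def report():
    return [(s, raw_rule_hits(s), decoded_rule_hits(s)) for s in SAMPLES]


if __name__ == "__main__":
    print(rule_plaintexts())
    for subject, raw, decoded in report():
        print(f"raw={raw!s:5} decoded={decoded!s:5} {subject}")
```

Base64 encodes three bytes at a time, so the encoded form of a word changes with its position in the text and with the characters that follow it; the three rule strings decode to the word followed by a line feed. Matching on the decoded text does not depend on that alignment.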