on 23-05-2020 08:19 AM
A minor irritation when compared with the current situation with covid-19 & lockdown but what's happening with the spam filter system? I have had this problem before and it seems it's back.
I have started getting bitcoin e-mails again even though I have several filters in place. I have 3 filters for the word bitcoin set in the "subject", "from" and "body" sections but this morning I have got more spam from "bitcoin@ bitcoinoffers.com". There's not much point spending time setting filters if they aren't going to have any effect.
Anyone else finding filtered spam is getting through?
on 28-05-2020 08:35 AM
Yes, "supposedly blocked" is what people say when they get the same spam that they thought they'd blocked.
There are two issues to consider.
Here are two examples:
Spam From: Iamspam@spam.biz <email@example.com>
Spam From: Iamspam@spam.biz <Iamspam@spam.com>
Your filter is set to block From: Iamspam@spam.biz but it might not block either if the From: is encoded in base64.
Your filter is set to block the Header Address Iamspam@spam.biz so you think at least it should block the first example. No, because the first is LAMSPAM and the filter is blocking IAMSPAM - I'm just using uppercase characters here to illustrate the difference and that in the local part of an email address there is a case sensitivity to consider.
If you'd like to show me an example of an email From: entry from the View source and your filter rule that you believe should have blocked the email I'll comment on what may or may not be happening.
on 28-05-2020 07:38 AM
I appreciate the subtle differences in spellings etc. and can see these can get past filters set for body; subject etc. but I have received spam from supposedly blocked e-mail addresses.
on 23-05-2020 10:19 AM
Once spammers know your email address they'll use every trick in the book to get their spam through. Network filtering will trap spammers but each time spammers change their senders or sending characteristics it's inevitable that some will get through.
For example, they'll take advantage of the fact that the email specification allows the use of base64 encoding to 'disguise' the word 'Bitcoin' in the From: and Subject: fields. If you view these by selecting the spam mail and View Source in TalkTalk Mail you'll see those lines starting =?UTF-8?B?
The encoding is perfectly 'legal' and is how you see things like emoji in the subject lines in email from acceptable senders.
What you need to know is that the Filter rules operate on the actual contents of the From: and Subject: fields rather than the unencoded version displayed to you.
Here's what just 3 versions of 'Bitcoin' look like using base64 encoding:
So, to trap those in a 'Bitcoin filter' you'd set a single filter rule to operate when any condition is met and, in addition to the real spelling versions:
From: contains Qml0Y29pbgo=
From: contains QklUQ09JTgo=
From: contains Yml0Y29pbgo=
Subject: contains Qml0Y29pbgo=
Subject: contains QklUQ09JTgo=
Subject: contains Yml0Y29pbgo=
But remember that what you think you see isn't necessarily what's there. BITCOIN may look like BlTCOIN but the second version here has a lower case L as the second character. So there are still plenty of combinations that spammers can use to get their nefarious unwanted messages through. Just add more Conditions to the 'Bitcoin filter' as you think of or come across different variations that you'd want to trap.
Spammers know you're going to be clever enough to use Filter rules so all you can do is outsmart them.
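Added example, not part of the thread and not TalkTalk's filter code: for anyone filtering mail with their own script, this Python sketch compares a literal "contains" test on the raw header with a test that first decodes the =?UTF-8?B? encoded-words and folds look-alike letters. The sample headers, the look-alike table and the function names are constructed for illustration.

```python
import base64
from email.header import decode_header, make_header

# Small look-alike table (assumption): lower-case L and digit 1 read as I, 0 as O.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})

def normalise(text):
    """Fold case, then fold look-alike characters onto one spelling."""
    return text.casefold().translate(CONFUSABLES)

KEYWORD = normalise("bitcoin")

def encoded_word(text):
    """Build an RFC 2047 base64 encoded-word, as seen in View Source."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?" + b64 + "?="

def raw_match(header_value):
    """Literal 'contains' test on the header exactly as transmitted."""
    return "bitcoin" in header_value.casefold()

def decoded_match(header_value):
    """Decode encoded-words first, then normalise and test."""
    text = str(make_header(decode_header(header_value)))
    return KEYWORD in normalise(text)

# Constructed sample header values (not taken from the thread).
SAMPLES = {
    "encoded subject": encoded_word("Bitcoin offer"),
    # Here the word starts 4 bytes in, so its base64 form is shifted and
    # differs from the base64 of the word encoded on its own.
    "keyword mid-string": encoded_word("Get BITCOIN now"),
    "encoded display name": encoded_word("Bitcoin Offers") + " <sender@example.com>",
    "look-alike letter": "Free BlTCOIN today",  # second letter is a lower-case L
    "legitimate": "Meeting notes for Tuesday",
}

def classify():
    """Return {sample name: (raw filter hit, decoded filter hit)}."""
    return {name: (raw_match(v), decoded_match(v)) for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (raw, dec) in classify().items():
        print(f"{name:22} raw={raw!s:5} decoded={dec}")
```

The "keyword mid-string" sample also shows that a fixed base64 string only matches when the word sits at the same byte offset it was encoded at, which is why decoding before matching is the more dependable check.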