on 26-10-2020 11:26 AM
I've been plagued recently by unwanted emails. They come from *Congratulations* with the subject title 𝐖𝐞 𝐡𝐚𝐯𝐞 𝐚 𝐬𝐮𝐫𝐩𝐫𝐢𝐬𝐞 𝐟𝐨𝐫 𝐓𝐚𝐥𝐤𝐓𝐚𝐥𝐤 𝐂𝐮𝐬𝐭𝐨𝐦𝐞𝐫𝐬! The sender's email is firstname.lastname@example.org; however, the three-digit number changes every time. I have forwarded these to TalkTalk phishing and just get the usual automated 'Thank You' response. I logged into my webmail account to see if I could block them but the option seems to have been removed. I added a few key words to block certain emails a month or so back but they still come through.
Have TalkTalk given up on trying to stop unwanted emails?
Any sensible suggestions would be greatly appreciated.
on 28-10-2020 07:52 AM
27-10-2020 04:53 PM - edited 28-10-2020 08:11 AM
TalkTalk Mail is capable of very complex filtering using Regular Expressions (Regex) and the type of advanced analysis you're moving onto may be achievable with Regex if the format is defined.
For example, a criminal demanding a blackmail payment in Bitcoin will give a Bitcoin (BTC) address for payment. This is a long number but one that has a defined structure that can be verified with a Regular Expression. So, I have a Regex to see if a mail message contains a BTC Address and if so to flag for reporting to ActionFraudUK.
However, I should explain that the reason why Base64 encryption is permitted by the Email specification is because it allows an extended character set to be used. This is how emails have emoji characters in the Subject line. So, it would be very easy to detect a Subject line using Base64 encryption but this doesn't mean the mail message contains spam.
What I say about keywords is that if you wish, for example, to detect the word Bitcoin in a subject line the Filter rule needs to detect:
And many more variations. Because all of the above are different. Spammers will use every variation to swerve around a filter rule. And then for the Subject line you need all of the Base64 versions of the above as well.
For words in the body of the mail message you don't need to worry about encoding so much as the use of images instead of words.
Trapping spam using the human brain is easy... we "spot it a mile off!" But a Filter rule works only on pattern matching being true or false.
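An added example, not part of the original post and not the poster's own Regex: one way to flag a Bitcoin address in a message body is to use a regular expression for the address shape and then confirm the built-in Base58Check checksum, which a regular expression alone cannot do. It covers legacy addresses beginning with 1 or 3 only; the message text is constructed, and the first address in it is the publicly known genesis-block address.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy address: starts with 1 or 3, 26 to 35 Base58 characters.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def checksum_ok(addr):
    """True if addr decodes to 21 payload bytes plus a matching 4-byte checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:          # too large to be a 25-byte address
        return False
    # Each leading '1' stands for one leading zero byte.
    if len(addr) - len(addr.lstrip("1")) != len(raw) - len(raw.lstrip(b"\0")):
        return False
    body, check = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == check

def btc_addresses(text):
    """Return the address-shaped strings in text that pass the checksum."""
    return [c for c in CANDIDATE.findall(text) if checksum_ok(c)]

# Constructed message body: the second string has the right shape but its
# last character was altered, so the checksum no longer matches.
SAMPLE_BODY = (
    "Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.\n"
    "Reference 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\n"
)

if __name__ == "__main__":
    print(btc_addresses(SAMPLE_BODY))
```

The checksum step cuts false positives from order numbers and tracking codes that merely look like an address.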
on 27-10-2020 04:02 PM
Hi Gondola. That's very interesting and thanks for the detail.
So given the encryption process the scammers use, it clearly introduces more characters than the 'plain text' as displayed and noticeably with no spaces (using the examples in your reply). Would a filter based on the number of spaces vs the number of characters that appear in the subject title be an option?
I also notice the letter Q appears regularly but is rarely, if ever, followed by the letter U. Could these anomalies be used to filter this type of email?
Just a thought.
Once again thanks for the detailed explanation.
on 26-10-2020 07:29 PM
Alexsandr wrote: I've tried adding key words into filters but those emails still seem to get through...
As an example I created the above filter to block the Bitcoin emails but they continue to come in as do all the others..
As an example, the Filter rule will work if the Subject contains the words in plain text and the friendly name is as specified. But here's the trick that spammers pull:
The example email, that you showed part of, had the Subject line encrypted.
What you see is "𝐖𝐞 𝐡𝐚𝐯𝐞 𝐚 𝐬𝐮𝐫𝐩𝐫𝐢𝐬𝐞 𝐟𝐨𝐫 𝐓𝐚𝐥𝐤𝐓𝐚𝐥𝐤 𝐂𝐮𝐬𝐭𝐨𝐦𝐞𝐫𝐬!" but what is in the Subject line is: "8J2QlvCdkJ4g8J2QofCdkJrwnZCv8J2QniDwnZCaIPCdkKzwnZCu8J2Qq/CdkKnwnZCr8J2QovCdkKzwnZCeIPCdkJ/wnZCo8J2QqyDwnZCT8J2QmvCdkKXwnZCk8J2Qk/CdkJrwnZCl8J2QpCDwnZCC8J2QrvCdkKzwnZCt8J2QqPCdkKbwnZCe8J2Qq/CdkKwh"
If you wish the Filter rule to detect "TalkTalk Customer" then as well as all variations on that plain text (upper case / lower case / misspelling / character swaps etc) you'd also have "8J2Qk/CdkJrwnZCl8J2QpPCdkJPwnZCa8J2QpfCdkKQg8J2QgvCdkK7wnZCs8J2QrfCdkKjwnZCm8J2QnvCdkKs=" and all the base64 variations to match the plain text variations.
Filter rules need to be as smart as the spammers. You can spot a suspicious email straight away but the Filter rule can only match exactly what you ask it to match.
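An added example, not part of the original posts: instead of listing every Base64 variant of a keyword, a filter can decode the Subject header, fold look-alike Unicode letters to plain ones (NFKC), and then match once. It uses the two Base64 strings quoted in the thread; the `=?UTF-8?B?...?=` wrapper, the benign emoji subject and the function names are assumptions made for the example.

```python
import re
import unicodedata
from email.header import decode_header, make_header

# Base64 text quoted in the thread for the whole subject line.
PAYLOAD = (
    "8J2QlvCdkJ4g8J2QofCdkJrwnZCv8J2QniDwnZCaIPCdkKzwnZCu8J2Qq/CdkKnwnZCr"
    "8J2QovCdkKzwnZCeIPCdkJ/wnZCo8J2QqyDwnZCT8J2QmvCdkKXwnZCk8J2Qk/CdkJrw"
    "nZCl8J2QpCDwnZCC8J2QrvCdkKzwnZCt8J2QqPCdkKbwnZCe8J2Qq/CdkKwh"
)
# Constructed: the RFC 2047 encoded-word wrapper a raw header would carry.
RAW_SUBJECT = "=?UTF-8?B?" + PAYLOAD + "?="
# Base64 text quoted in the thread for "TalkTalk Customer" encoded on its own.
ENCODED_KEYWORD = (
    "8J2Qk/CdkJrwnZCl8J2QpPCdkJPwnZCa8J2QpfCdkKQg8J2QgvCdkK7wnZCs"
    "8J2QrfCdkKjwnZCm8J2QnvCdkKs="
)
# Constructed benign subject: an emoji also forces Base64 encoding.
BENIGN = "=?UTF-8?B?8J+OiQ==?= Party on Friday"

KEYWORD = re.compile(r"talktalk\s+customer", re.IGNORECASE)

def readable_subject(raw):
    """Decode encoded-words, then fold styled letters to their plain forms."""
    decoded = str(make_header(decode_header(raw)))
    return unicodedata.normalize("NFKC", decoded)

def classify(raw):
    return {
        # Encoded subjects are common and legitimate, so this is not a verdict.
        "encoded": bool(re.search(r"=\?[^?]+\?[bBqQ]\?", raw)),
        # Base64 works on 3-byte groups, so a keyword encoded on its own
        # rarely appears verbatim inside a longer encoded subject.
        "literal_base64_hit": ENCODED_KEYWORD.rstrip("=") in raw,
        "keyword_hit": bool(KEYWORD.search(readable_subject(raw))),
    }

if __name__ == "__main__":
    print(readable_subject(RAW_SUBJECT))
    print(classify(RAW_SUBJECT))
    print(classify(BENIGN))
```

The same decoded, normalised text can feed any further keyword or pattern rules, so each rule is written once against plain text.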
on 26-10-2020 05:40 PM
How are you getting on? I've had a look at haveibeenpwned and see that the oldest data breach goes back to 2012 and that more recently your email address was on a database being traded / shared among the hacking / spamming criminals not to mention a massive malware distribution involving over 700 million email addresses.
Inevitably the email address is going to be targeted a lot with spam for both marketing and phishing activities.
I honestly think that the best solution for you is to migrate your trusted contacts to a new email address and delete this one. Taking the email address out of use asap means all of the spammers / hackers are denied any means of getting to you.
TalkTalk offer you up to 5 email addresses so when this one is deleted it will release a space for you as a TalkTalk Consumer customer to create a new email address in your MyAccount. Managing your email in My Account
on 26-10-2020 04:45 PM
Over the years I've gathered some few hundred email contacts so to now create a filter to add all my known contacts would be a huge task. What happens if I miss one or someone changes their email address? Do you have to regularly check the Junk folder?
I've tried adding key words into filters but those emails still seem to get through so the filter system does not instill confidence, I'm sorry to say.
As an example I created the above filter to block the Bitcoin emails but they continue to come in as do all the others (same as those Mike Sant receives).
on 26-10-2020 03:11 PM
Hi Alexsandr, I'll leave you in the safe hands of Gondola for now. Please let us know if you need more help.
on 26-10-2020 01:38 PM
I've removed the document as it included your email address. I cannot see all of the relevant content as the screenshot is cut off but there are some key points.
It's received from operah.com
There's no return address.
The sender isn't the one you think as that email address appears to be just included to fool you into thinking that's the sender.
The Subject is encoded in base 64 so I'd need to see the whole subject line to unencode.
Perhaps you could have another go at copying and pasting the View Source into a word document. Then before uploading search and replace the first part of your email address and name with ****
Add the file to a Reply here using the grey Browse button bottom left of this Reply area.
on 26-10-2020 01:03 PM
I copied the whole text from the view source as there does not appear to be a From: line or a Subject: line in the View Source window. I did this for four messages.
I also added the first part (Name) of each of the 6 data breaches that were shown from the haveibeenpwned link.
on 26-10-2020 11:45 AM
Copy and paste the From: line and Subject: line from the View Source window. Do that for three or four of the unwanted mail messages and we'll be able to see what you can do in your mailbox to stop these ones from appearing in your Inbox.
There's a website called haveibeenpwned. Enter your email address there to see if your mailbox email address and maybe password have been compromised in a known data breach. It's important that you keep an eye on such reports to help you secure your online logins where you use the email address.
Let us know what you find (just the name of the data breach) if the website page turns red to indicate a data breach involves your email address.