email support

Ask us about your TalkTalk email account and Webmail.


Unable to block unwanted emails

Alexsandr
Team Player
Message 14 of 14

I've been plagued recently by unwanted emails. They come from *Congratulations* with the subject title 𝐖𝐞 𝐡𝐚𝐯𝐞 𝐚 𝐬𝐮𝐫𝐩𝐫𝐢𝐬𝐞 𝐟𝐨𝐫 𝐓𝐚𝐥𝐤𝐓𝐚𝐥𝐤 𝐂𝐮𝐬𝐭𝐨𝐦𝐞𝐫𝐬! The sender's email is talktalk@infos239.com; however, the three-digit number changes every time. I have forwarded these to TalkTalk phishing and just get the usual automated 'Thank You' response. I logged into my webmail account to see if I could block them but the option seems to have been removed. I added a few key words to block certain emails a month or so back but they still come through.

Have TalkTalk given up on trying to stop unwanted emails?

Any sensible suggestions would be greatly appreciated.

0 Likes
13 REPLIES 13

Message 1 of 14

Thanks for continuing to support Alexsandr Gondola.

 

 

Ady


Please log in to My Account if you need to view or pay your bill, manage boosts and track your usage. From My Account you can also check your connection and test your line for any issues in the Service Centre.


Message 2 of 14

Hi Alexsandr 

 

TalkTalk Mail is capable of very complex filtering using Regular Expressions (Regex) and the type of advanced analysis you're moving onto may be achievable with Regex if the format is defined.

 

For example, a criminal demanding a blackmail payment in Bitcoin will give a Bitcoin (BTC) address for payment. This is a long number but one that has a defined structure that can be verified with a Regular Expression. So, I have a Regex to see if a mail message contains a BTC Address and if so to flag for reporting to ActionFraudUK.

 

However, I should explain that the reason why Base64 encryption is permitted by the Email specification is because it allows an extended character set to be used. This is how emails have emoji characters in the Subject line. So, it would be very easy to detect a Subject line using Base64 encryption but this doesn't mean the mail message contains spam.

 

What I say about keywords is that if you wish, for example, to detect the word Bitcoin in a subject line the Filter rule needs to detect:

  • Bitcoin
  • bitcoin
  • BITCOIN
  • BlTCOIN
  • BlTCOlN
  • BITC0IN

And many more variations.  Because all of the above are different. Spammers will use every variation to swerve around a filter rule.  And then for the Subject line you need all of the Base64 versions of the above as well.

 

For words in the body of the mail message you don't need to worry about encoding so much as the use of images instead of words.

 

Trapping spam using the human brain is easy... we "spot it a mile off!"  But a Filter rule works only on pattern matching being true or false.

Gondola, Volunteer 2017-2021

 Like below to appreciate my help . . . Best answer is + Accept as Solution

Message 3 of 14

Hi Gondola. That's very interesting and thanks for the detail. 

 

So given the encryption process the scammers use, it clearly introduces more characters than the 'plain text' as displayed and noticeably with no spaces (using the examples in your reply). Would a filter based on the number of spaces vs the number of characters that appear in the subject title be an option?

I also notice the letter Q appears regularly but is rarely, if ever, followed by the letter U. Could these anomalies be used to filter this type of email?

Just a thought.

Once again thanks for the detailed explanation.

0 Likes

Message 4 of 14

Alexsandr wrote: I've tried adding key words into filters but those emails still seem to get through...

 

Alexsandr_1-1603730616629.png

 

As an example I created the above filter to block the Bitcoin emails but they continue to come in as do all the others..

As an example, the Filter rule will work if the Subject contains the words in plain text and the friendly name is as specified. But here's the trick that spammers pull:

  • The friendly name is different for each mail
  • Subject lines are often encrypted in base 64. The filter rule doesn't operate on the unencrypted version that you see

The example email, that you showed part of, had the Subject line encrypted.

 

What you see is "𝐖𝐞 𝐡𝐚𝐯𝐞 𝐚 𝐬𝐮𝐫𝐩𝐫𝐢𝐬𝐞 𝐟𝐨𝐫 𝐓𝐚𝐥𝐤𝐓𝐚𝐥𝐤 𝐂𝐮𝐬𝐭𝐨𝐦𝐞𝐫𝐬!" but what is in the Subject line is: "8J2QlvCdkJ4g8J2QofCdkJrwnZCv8J2QniDwnZCaIPCdkKzwnZCu8J2Qq/CdkKnwnZCr8J2QovCdkKzwnZCeIPCdkJ/wnZCo8J2QqyDwnZCT8J2QmvCdkKXwnZCk8J2Qk/CdkJrwnZCl8J2QpCDwnZCC8J2QrvCdkKzwnZCt8J2QqPCdkKbwnZCe8J2Qq/CdkKwh"

 

If you wish the Filter rule to detect "TalkTalk Customer" then as well as all variations on that plain text (upper case / lower case / misspelling / character swaps etc) you'd also have "8J2Qk/CdkJrwnZCl8J2QpPCdkJPwnZCa8J2QpfCdkKQg8J2QgvCdkK7wnZCs8J2QrfCdkKjwnZCm8J2QnvCdkKs=" and all the base64 variations to match the plain text variations.

 

Filter rules need to be as smart as the spammers. You can spot a suspicious email straight away but the Filter rule can only match exactly what you ask it to match.

Gondola, Volunteer 2017-2021
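The matching problem described in this reply and in Message 2, as an added example that is not part of the thread and not TalkTalk's filter code: decode the Subject header first, fold look-alike characters, and only then compare against keywords. The `=?UTF-8?B?...?=` wrapper around the Base64 string quoted above is an assumption, and the function names and look-alike table are illustrative.

```python
import base64
import unicodedata
from email.header import decode_header, make_header

# Base64 payload exactly as quoted in the thread; the RFC 2047 wrapper is assumed.
THREAD_SUBJECT = "=?UTF-8?B?" + (
    "8J2QlvCdkJ4g8J2QofCdkJrwnZCv8J2QniDwnZCaIPCdkKzwnZCu8J2Qq/CdkKnwnZCr"
    "8J2QovCdkKzwnZCeIPCdkJ/wnZCo8J2QqyDwnZCT8J2QmvCdkKXwnZCk8J2Qk/Cd"
    "kJrwnZCl8J2QpCDwnZCC8J2QrvCdkKzwnZCt8J2QqPCdkKbwnZCe8J2Qq/CdkKwh"
) + "?="

# The six spellings listed in Message 2.
GONDOLA_VARIANTS = ["Bitcoin", "bitcoin", "BITCOIN", "BlTCOIN", "BlTCOlN", "BITC0IN"]

# Illustrative look-alike table: i, l, 1 and | collapse to one symbol, 0 becomes o.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})


def b64_subject(text):
    """Build a constructed Base64 encoded-word Subject for testing."""
    return "=?UTF-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


def decode_subject(raw_subject):
    """Turn RFC 2047 encoded-words into the text the mail client displays."""
    return str(make_header(decode_header(raw_subject)))


def skeleton(text):
    """NFKC maps styled letters (e.g. mathematical bold) to plain ones;
    casefold removes case; LOOKALIKES merges visually similar characters."""
    return unicodedata.normalize("NFKC", text).casefold().translate(LOOKALIKES)


def literal_match(raw_subject, keywords):
    """A rule that compares keywords with the header exactly as transmitted."""
    return [k for k in keywords if k in raw_subject]


def matched_keywords(raw_subject, keywords):
    """Compare skeletons of the decoded subject and of each keyword."""
    subject = skeleton(decode_subject(raw_subject))
    return [k for k in keywords if skeleton(k) in subject]


if __name__ == "__main__":
    print(literal_match(THREAD_SUBJECT, ["TalkTalk Customer"]))
    print(matched_keywords(THREAD_SUBJECT, ["TalkTalk Customer"]))
    for variant in GONDOLA_VARIANTS:
        print(variant, matched_keywords(variant + " payment demand", ["bitcoin"]))
```

Because the keyword and the subject are folded the same way, one rule covers every spelling in the list, at the cost of occasional false positives on genuine words that share a skeleton.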

Message 5 of 14

Hi Alexsandr 

 

How are you getting on?  I've had a look at haveibeenpwned and see that the oldest data breach goes back to 2012 and that more recently your email address was on a database being traded / shared among the hacking / spamming criminals not to mention a massive malware distribution involving over 700 million email addresses.

 

Inevitably the email address is going to be targeted a lot with spam for both marketing and phishing activities.

 

I honestly think that the best solution for you is to migrate your trusted contacts to a new email address and delete this one. Taking the email address out of use asap means all of the spammers / hackers are denied any means of getting to you.

 

TalkTalk offer you up to 5 email addresses so when this one is deleted it will release a space for you as a TalkTalk Consumer customer to create a new email address in your MyAccount. Managing your email in My Account 

Gondola, Volunteer 2017-2021

Message 6 of 14

Hi Gondola. I've had an email to inform me that you have moved my original post to the email forum, where do I find that ?

Thanks

Ian

0 Likes

Alexsandr
Team Player
Message 7 of 14

Over the years I've gathered some few hundred email contacts so to now create a filter to add all my known contacts would be a huge task. What happens if I miss one or someone changes their email address? Do you have to regularly check the Junk folder?

I've tried adding key words into filters but those emails still seem to get through so the filter system does not instill confidence, I'm sorry to say.

Alexsandr_1-1603730616629.png

As an example I created the above filter to block the Bitcoin emails but they continue to come in as do all the others (same as those Mike Sant receives).

 

0 Likes

Message 8 of 14

Hi Alexsandr, I'll leave you in the safe hands of Gondola for now. Please let us know if you need more help. 

 

Ady




0 Likes

Message 9 of 14

Hi Alexsandr 

 

I've removed the document as it included your email address. I cannot see all of the relevant content as the screenshot is cut off but there are some key points.

 

It's received from operah.com

There's no return address.

The sender isn't the one you think as that email address appears to be just included to fool you into thinking that's the sender.

The Subject is encoded in base 64 so I'd need to see the whole subject line to unencode.

 

Perhaps you could have another go at copying and pasting the View Source into a word document. Then before uploading search and replace the first part of your email address and name with ****

  • Find the email in the list, and then select its checkbox
  • From the sub-header above the email
    select the More actions blue triple line icon
  • Select View source from the drop-down list
  • This will reveal the full message header text and body of the email
  • Right click on the text and click Select all
  • Right click on the text and select Copy
  • Paste this text into a document file (.doc or .docx file extension)
  • Edit to remove or obscure the first part of your email address
  • Save the file

Add the file to a Reply here using the grey Browse button bottom left of this Reply area.

Gondola, Volunteer 2017-2021

Message 10 of 14

Attached is a copy of the view source text saved as screen shots to a word document

0 Likes

Message 11 of 14

I copied the whole text from the view source as there does not appear to be a From: line or a Subject: line in the View Source window. I did this for four messages.

I also added the first part (Name) of each of the 6 data breaches that were shown from the haveibeenpwned link

0 Likes

Message 12 of 14

I've just composed a reply with the details you requested and I now see a red banner across the top saying the email has been deleted as suspected spam ????

 

0 Likes

Gondola
Community Star
Message 13 of 14

Hi Alexsandr 

 

Copy and paste the From: line and Subject: line from the View Source window. Do that for three or four of the unwanted mail messages and we'll be able to see what you can do in your mailbox to stop these ones from appearing in your Inbox.

 

Actions on emails - View source

 

There's a website called haveibeenpwned. Enter your email address there to see if your mailbox email address and maybe password have been compromised in a known data breach. It's important that you keep an eye on such reports to help you secure your online logins where you use the email address.

 

Let us know what you find (just the name of the data breach) if the website page turns red to indicate a data breach involves your email address.

Gondola, Volunteer 2017-2021