Crisis on the Russian Front! Endless Cyrillic Spam...

Sammy

I'm a new user of Office 2004, and generally love it. I've been, amongst
other things, very impressed by the spam filter in Entourage. HOWEVER.
I've been getting tons of Russian language spam. I have tried to develop
rules using random words or isolated Cyrillic characters, but to no
avail. It's the only spam I get.

Anyone have any suggestions?

S.
 
Barry Wainwright

Look at the 'content type' header - there may well be something distinctive
in there.
 
Sammy

Barry Wainwright said:
Look at the 'content type' header - there may well be something distinctive
in there.



Barry, how can I look at that header? I don't know how that works in
Entourage.

S.
 
Barry Wainwright

Either:

Open the message in its own window and choose 'Internet Headers' from the
view menu;

or:

Choose 'show source' from the view menu

An alternative, more scattergun approach may be to file all mail coming from
an address ending in .ru as potential spam - only useful if you have no real
correspondents in Russia!
 
Sammy

Alas, Barry - all my Russian spam is bouncing off somewhere in
Czechoslovakia or Taiwan. I've blocked the main Czech address, thanks to
your tip - we'll see how that helps.

Thanks,

S.
 
Sammy

I'm still having difficulties here. Perhaps I'm not working the Rules
correctly - it seemed so easy in Apple's Mail program.

The bulk of what I'm getting comes from seznam.cz . I've made
several different variants of that seznam.cz> , @seznam.cz , and had
the instruction read "If From seznam.cz, change status to junk email".

Is there anything glaringly obvious that I should be doing?

Thanks,

Sammy
 
Barry Wainwright

1. I presume that reads if 'from' <contains> 'seznam.cz', not if 'from' <is>
'seznam.cz'?

2. Post the headers of one of the messages here and we may be able to give
you some pointers.
 
Sammy

Barry Wainwright said:
1. I presume that reads if 'from' <contains> 'seznam.cz', not if 'from' <is>
'seznam.cz'?

2. Post the headers of one of the messages here and we may be able to give
you some pointers.


Thanks for your patience, Barry.

Here's the header of one of the seznam emails I got today:

Received: from mail1.panix.com (mail1.panix.com [166.84.1.72])
by echonyc.com (8.12.11/8.12.11) with ESMTP id i5UAQopn016355
for <[email protected]>; Wed, 30 Jun 2004 06:26:50 -0400 (EDT)
Received: from 218.191.73.150 (unknown [218.191.73.150])
by mail1.panix.com (Postfix) with SMTP id 32CDC4872A
for <[email protected]>; Wed, 30 Jun 2004 06:26:46 -0400 (EDT)
Date: Wed, 30 Jun 2004 10:23:58 +0000
From: huasheng <[email protected]>
To: (e-mail address removed)
Subject: =?Windows-1251?B?5O7s4Pjt6OUg6+Xq4PDo?=
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----------B50202D1701B4C18296099906"
Message-Id: <[email protected]>
Content-Length: 5571
Status:


Any suggestions?

THANKS!
 
Barry Wainwright

OK, 1 step further...

I see that the subject is encoded in windows-1251, which is either Russian
or Macedonian character set.

I'm not sure there is any way to test the encoding of the subject line - you
could try 'subject contains "windows-1251"', but I think that's an outside
chance.

The message itself is labelled as 'multi-part/related', indicating that
there is likely to be an HTML part and an alternative plain text part.
Unfortunately, your headers didn't post the content type header for either
of these parts! They are likely to be 1251 as well, but could, in theory, be
different.

Look at those headers for the encoding set, and then set up a filter to look
for 'any header' contains 'windows-1251' (or whatever the relevant encoding
scheme is).
 
Bob Greenblatt

I've been following this with interest, as I have the same problem. I have a
rule that says "any header contains 1251", but that does not work either.
 
Barry Wainwright

Hi Bob,

How about you post one of your headers as well?
 
Bob Greenblatt

Well, today it works. The only thing I can figure out is that there was a
restart of the machine (and of course Entourage) after I modified the rule.
This morning the mail from my Russian comrades was properly in the Junk
folder. I'm now curious to see if this continues to work.
 
Bob Greenblatt

As I said, it worked today, but here's the header anyway:

X-Message-Info: 6sSXyD95QpUQ4tGVv+2/X5WHPltz7W9X
Received: from 210.101.174.54 ([210.101.174.54]) by mc9-f2.hotmail.com with
Microsoft SMTPSVC(5.0.2195.6824);
Thu, 1 Jul 2004 00:55:01 -0700
From: =?Windows-1251?B?w+Xw7u3y6OkgyPHg6u7i6Pc=?= <[email protected]>
To: (e-mail address removed)
Subject: =?Windows-1251?B?w87SzsLbySDByMfNxdE=?=
Date: Thu, 01 Jul 2004 05:48:13 +0000
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0000_6648C68A.67E094A6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Return-Path: (e-mail address removed)
Message-ID: <[email protected]>
X-OriginalArrivalTime: 01 Jul 2004 07:55:02.0732 (UTC)
FILETIME=[B71440C0:01C45F40]

This is a multi-part message in MIME format.

------=_NextPart_000_0000_6648C68A.67E094A6
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0001_9684D0C2.02CC741E"


------=_NextPart_001_0001_9684D0C2.02CC741E
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
 
Sammy

Bob Greenblatt said:
However, today it is NOT working. I think there's something "fishy" about
rules not executing in all cases.

I'm having the same problem. The Rules thing seems really
problematically complicated (at least to the fairly basic user, i.e. me).
With Mail, if I marked an email from (e-mail address removed)
pimping for Firestone, that was it, no more email from Firestone. Today
I made a rule in Entourage to rid myself of Stephen, as well as marking
the message as junk, and continue to receive Firestone messages at a
rate of about one per hour.

Now, some Cyrillic email is being blocked, others aren't.

And goddam seznam.cz is resistant to all of my attempts to block it.

There are so many options in the Rules that it's difficult to know what
I should be doing. I mean, should I keep the box for the "Do not apply
other rules if this condition is met" option ticked?


S.
 
Paul Berkowitz

However, today it is NOT working. I think there's something "fishy" about
rules not executing in all cases.

Rules for headers might be case-sensitive, whereas the RFC is not. Also,
there's more than one way to send Cyrillic encoding: for example, UTF-8 will
also do Cyrillic (but DON'T make a rule to trash or junk all UTF-8 mail!!)
and there's a Mac Cyrillic version too (I forget what it is). What does the
text/encoding header say for the messages that did not execute the rule?
There's probably something different about the headers. You could make a
rule for 'match if ANY criteria are met' using 'Specific header', NOT 'Any
header', and pick them appropriately - but NOT inclusive of all UTF-8
encoded messages or you'll lose lots of non-junk mail.

--
Paul Berkowitz
MVP Entourage
Entourage FAQ Page: <http://www.entourage.mvps.org/faq/index.html>
AppleScripts for Entourage: <http://macscripter.net/scriptbuilders/>

Please "Reply To Newsgroup" to reply to this message. Emails will be
ignored.

PLEASE always state which version of Entourage you are using - **2004**, X
or 2001. It's often impossible to answer your questions otherwise.
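
The checks discussed in the replies above (charset labels compared case-insensitively, more than one Cyrillic encoding, UTF-8 judged by content instead of by label), as an added Python example that is not part of the thread and not Entourage's rule engine. The charset list, the 0.5 threshold and the sample messages are assumptions; only the first Subject value is the one posted in the thread.

```python
import email
import re
import unicodedata
from email.header import Header, decode_header

# Cyrillic-only encodings, lower-case: charset labels are case-insensitive.
CYRILLIC_CHARSETS = {"windows-1251", "koi8-r", "koi8-u", "iso-8859-5", "x-mac-cyrillic"}
ENCODED_WORD = re.compile(r"=\?([^?*]+)(?:\*[^?]*)?\?[bq]\?[^?]*\?=", re.IGNORECASE)

def declared_charsets(msg):
    """Charset labels from RFC 2047 encoded-words and from every MIME part."""
    found = set()
    for name in ("Subject", "From"):
        for match in ENCODED_WORD.finditer(str(msg.get(name, ""))):
            found.add(match.group(1).lower())
    for part in msg.walk():
        charset = part.get_content_charset()  # lower-cased by the library, or None
        if charset:
            found.add(charset)
    return found

def decoded_subject(msg):
    """Subject as text; undecodable bytes are replaced instead of raising."""
    pieces = []
    for raw, charset in decode_header(str(msg.get("Subject", ""))):
        if isinstance(raw, bytes):
            try:
                raw = raw.decode(charset or "ascii", errors="replace")
            except LookupError:  # charset label unknown to Python
                raw = raw.decode("latin-1")
        pieces.append(raw)
    return "".join(pieces)

def cyrillic_ratio(text):
    letters = [c for c in text if c.isalpha()]
    hits = sum("CYRILLIC" in unicodedata.name(c, "") for c in letters)
    return hits / len(letters) if letters else 0.0

def is_cyrillic_mail(raw_message, threshold=0.5):
    msg = email.message_from_string(raw_message)
    if declared_charsets(msg) & CYRILLIC_CHARSETS:
        return True
    # UTF-8 carries every script, so judge it by content, not by its label.
    return cyrillic_ratio(decoded_subject(msg)) >= threshold

# Constructed samples; only the first Subject value comes from the thread.
SAMPLE_1251 = "Subject: =?Windows-1251?B?5O7s4Pjt6OUg6+Xq4PDo?=\nContent-Type: text/plain\n\n"
SAMPLE_UTF8_RU = "Subject: " + Header("Привет", "utf-8").encode() + "\nContent-Type: text/plain; charset=UTF-8\n\n"
SAMPLE_UTF8_EN = "Subject: Meeting notes\nContent-Type: text/plain; charset=UTF-8\n\n"
```

A case-sensitive search for `windows-1251` finds nothing in the first sample, because the label is written `Windows-1251`.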
 
Sammy

I think that I may have found the problem: typing in a name to send an
e-mail, I got a list of possible addressees and saw to my surprise that
there was a fistful of addresses - mostly beginning support@ - from
the various Russian spammers I haven't been able to block. I've not
responded to any of the spam emails; could it be that the spammers have
a way of inserting their addresses into my address book, and thereby
automatically avoiding detection?

I want seznam.cz to die, DIE DIE!!!
 
Barry Wainwright

They have not accessed your address book. Entourage temporarily caches the
addresses of recent correspondents.

In Entourage X and 2004 there is an option in the preferences to clear this
address Cache (Mail & News prefs; Compose tab). You can also (in the same
place) turn off the display of these addresses (but still keep the 'auto
complete' of names in your address book).

In both Entourage v9 and in vX individual items can be removed by adding an
entry to the address book that EXACTLY matches the rogue entry in the
history list and then deleting it.

In Entourage 2004, hitting the 'junk' button in the toolbar will remove the
address of that message from the cache as well.


Alternatively, just wait a few days/weeks. The remembered addresses are
prioritised by age & frequency and the list is limited to a maximum of 200,
so eventually your mistakes will fall out at the bottom.
 
