Blocking doesn't work


cpte100help

I have all encodings except Latin 3, Latin 9, US-ASCII, and western
european blocked. I have also blocked the top level domain RU. I have
my junk filter set on high.

But the following email still gets through. Why????


From: éÎÔÌ. ÓÏÂÓÔ×. [mailto:[email protected]]
Sent: Thursday, March 06, 2008 12:03 PM
To: korson at southern dot edu
Subject: îÏ×Ï××ÅÄÅÎÉÑ ÄÌÑ ÐÒÁ× éÎÔÅÌ. óÏÂÓÔ×ÅÎÎÏÓÔÉ.


îÏ×ÏÅ × ÐÒÁ×ÁÈ ÉÎÔÅÌÌÅËÔÕÁÌØÎÏÊ ÓÏÂÓÔ×ÅÎÎÏÓÔÉ (ÐÒÉÎÑÔÉÅ þÅÔ×ÅÒÔÏÊ
þÁÓÔÉ çë òæ).
äÁÔÁ ÕÞÅÂÎÏÇÏ ËÕÒÓÁ: l1 ÍÁÒtÁ
ðÒÏÄÏÌÖÉÔÅÌØÎÏÓÔØ: 1 ÄÅÎØ

Complete headers follow:

Received: from exmf003-5.intermedia dot net (207.5.74.85) by
EXHUB003-3.exch003intermedia dot net (207.5.74.70) with Microsoft
SMTP Server
(TLS) id 8.1.240.5; Wed, 5 Mar 2008 09:03:06 -0800
Received: from localhost (localhost.localdomain [127.0.0.1]) by
exmf003-5.intermedia dot net (Postfix) with ESMTP id 8C82CE4A0 for
<tim at qualsys dot org>; Wed, 5 Mar 2008 09:03:06 -0800 (PST)
Received: from exmf003-5.intermedia dot net ([127.0.0.1]) by
localhost
(exmf003-5.intermedia dot net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP
id 26424-50-3 for <tim at qualsys dot org>; Wed, 5 Mar 2008
09:03:05
-0800 (PST)
Received: from masi.southern dot edu (masi.southern dot edu
[216.229.224 dot 6]) by
exmf003-5.intermedia dot net (Postfix) with ESMTP id 9DB64E4D3 for
<tim at qualsys dot org>; Wed, 5 Mar 2008 09:02:42 -0800 (PST)
Received: from masi.southern dot edu (127.0.0.1) by masi.southern dot
edu (MlfMTA
v3.2r9) id hpr94q0171sv for <tim at qualsys dot org>; Wed, 5 Mar
2008
12:02:45 -0500
(envelope-from <[email protected]>)
Received: from exch-be-1.southern dot edu ([216.229.224.46]) by
masi.southern dot edu
(saumailgateway) with ESMTP; Wed, 05 Mar 2008 12:02:45 -0500
Received: from casati.southern dot edu ([216.229.224 dot 7]) by exch-
be-1.southern dot edu
with Microsoft SMTPSVC(6.0.3790.211); Wed, 5 Mar 2008 12:02:38
-0500
Received: from gyuri-adf3afaad.rdsbv.ro ([82.137.62.64]) by
casati.southern dot edu (saumailgateway) with ESMTP; Wed, 05
Mar 2008
12:02:31
-0500
Received: from [82.137.62.64] by mx1.fti.ru; Wed, 6 Mar 2008 18:02:31
+0100
Message-ID: <01c87fb4$3f209580$403e8952@sale>
From: =?koi8-r?B?6c7UzC4g08/C09TXLg==?= <[email protected]>
To: <korson at southern dot edu>
Subject: =?koi8-r?B?7s/
Xz9fXxcTFzsnRIMTM0SDQ0sHXIOnO1MXMLiDzz8LT1NfFzs7P0w==?=
=?koi8-r?B?1Mku?=
Date: Thu, 6 Mar 2008 18:02:31 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C87FB4.3F209580"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mlf-Threat-History: nothreat
X-Mlf-Threat-Detailed-History: nothreat;none;none;none
X-Mlf-UniqueId-History: i200803051702180049308
X-OriginalArrivalTime: 05 Mar 2008 17:02:39.0998 (UTC)
FILETIME=[B84F69E0:01C87EE2]
X-Mlf-Version: 6.1.0.9597
X-Mlf-UniqueId: o200803051702450191755
X-Virus-Scanned: by amavisd-new at exmf003-5.intermedia dot net
X-Spam-Status: Yes, hits=9.115 tagged_above=-999 required=3
tests=DATE_IN_FUTURE_12_24, HTML_FONT_BIG, HTML_MESSAGE,
RAZOR2_CF_RANGE_51_100, RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CHECK,
SPAMMY_XMAILER, SPF_HELO_PASS, SUBJECT_ENCODED_TWICE
X-Spam-Level: *********
X-Spam-Flag: YES
Return-Path: (e-mail address removed)
X-MS-Exchange-Organization-SCL: 9
 

Roady [MVP]

Do you perhaps have your own address in the Safe Recipients list?




VanguardLH

--- REPLY SEPARATOR ---
Only required because above poster used QUOTED-PRINTABLE format.
When posting to newsgroups, do NOT use quoted-printable format.
* Not all NNTP clients handle quoted-printable format.
  - Some users still use console-mode (non-GUI) NNTP clients.
  - The long lines may not wrap properly.
  - Scrolling is needed if the long line does not get wrapped.
  - The long line may get truncated at the window's width.
  - Quoted-printable format uses special character sequences for
    logical formatting. View the raw source of your post. Text-only
    clients may show that encoding when viewing your post.
* Quoting levels get mangled, especially for multiple replies.
* In replies, there is no clear delineation of content.
  - Cannot tell what content is from the original poster and
    what is from the respondent.
  - Makes it impossible to determine who said what when a reply
    inserts comments inline with the quoted content.
Do not use HTML format. Post using plain-text format.
---[end of comments]---


The Content-Type header does not specify the encoding used within the
identified MIME part identifier; i.e., there is no "charset="
parameter in that header. So apparently the encoding is specified
within the MIME part headers within the body of the message that
delineate that encoded portion of the message. So where do your rules
check for the encoding?

Does your rule also check the charset specified in the MIME part
within the body of the e-mail? I see the charset is specified in the
character set encoding used in the Subject header. The problem with
rules in Outlook is that they get exercised on the rendered version of
the e-mail. That means you cannot test on "=?koi8-r?" encoding used
in the Subject header. Outlook will only see the resultant
characters, not the raw content of the original e-mail. Because of
this, and instead of defining a rule to check if "=?<charset>?" is
used in the Subject header, you might want to use a rule that checks
for "=?<charset>?" string in the message headers (but I don't know if
that works or if Outlook is such an arse-nosing idiot that it still
only scans the headers *after* they have been rendered into their
encoded values). So your message header rule would check, for
example, on "charset='KOI8" or "=?KOI8". See
http://www.faqs.org/rfcs/rfc1342.html on how non-ASCII encodings are
used in headers. They look like "=?<charset>?"

I can't tell from the headers that you show as to what anti-spam
program you use. Blocking by country-specific IP addresses for the
source often only works on the first prepended (last) Received header,
the one that your receiving mail host added and which identifies the
source mail host that connected to it. That is, the anti-spam program
may only look at the immediate sending mail host that connected to
your receiving mail host (rather than tracing down to the source
Received header assuming it can get past any bogus Received headers
inserted by the spammer). Or it might look at all Received headers.
You'll have to figure out however the UNNAMED anti-spam program works
regarding its blacklist on country IP addresses.

By the way, .ro for the TLD and the IP 82.137.62.64 address are for
Romania, not Russia. I don't know if whatever anti-spam program you
use will lump Romania in with Russia.
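
The check discussed in the reply above, done on the raw message rather than the rendered one, as an added example that is not part of the original thread. The sender address, the boundary, the body part and the allow-list (a mapping of the poster's permitted encodings to charset names) are constructed assumptions; the two encoded-words are the ones visible in the posted headers.

```python
import re
from email import message_from_string
from email.header import decode_header

# RFC 2047 encoded-word in a raw header: =?charset?B-or-Q?text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?[bBqQ]\?[^?\s]*\?=")

# Assumption: charset names for Latin 3, Latin 9, US-ASCII and Western European.
ALLOWED = {"us-ascii", "iso-8859-3", "iso-8859-15", "iso-8859-1", "windows-1252"}

# Constructed sample modelled on the posted message: the top-level
# Content-Type has no charset= parameter; only the MIME part declares one.
RAW = (
    "From: =?koi8-r?B?6c7UzC4g08/C09TXLg==?= <sender@example.invalid>\n"
    "Subject: =?koi8-r?B?1Mku?=\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: text/plain; charset="koi8-r"\n'
    "\n"
    "body\n"
    "--b1--\n"
)

def declared_charsets(raw):
    """Collect (location, charset) pairs from raw headers and MIME parts."""
    msg = message_from_string(raw)  # default policy keeps header values undecoded
    found = set()
    for name, value in msg.items():
        for m in ENCODED_WORD.finditer(str(value)):
            # drop an optional "*language" suffix after the charset name
            found.add((name.lower(), m.group(1).split("*")[0].lower()))
    for part in msg.walk():
        charset = part.get_content_charset()
        if charset:
            found.add(("body:" + part.get_content_type(), charset))
    return found

def disallowed(raw):
    """Sorted (location, charset) pairs whose charset is not on the allow-list."""
    return sorted(p for p in declared_charsets(raw) if p[1] not in ALLOWED)

def rendered(value):
    """Decode a header the way a client does before showing it to the user."""
    return "".join(
        part.decode(cs or "ascii", "replace") if isinstance(part, bytes) else part
        for part, cs in decode_header(value))
```

A filter that only sees the output of `rendered()` has nothing left to match "=?koi8-r?" against, which is why the rule has to run on the raw headers and MIME part headers.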
 
