1 (edited by lhiggs 2014-05-29 22:01:06)

Topic: Blacklisting Subject Keywords - Encoding Problem?

==== Required information ====
- iRedMail version: 0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.5
- Related log if you're reporting an issue:
====

Good Morning,

I'm not sure if you can help as I don't believe this is an iRedMail problem specifically.

I have a "blacklist-subject.cf" file in /etc/mail/spamassassin that I use to blacklist keywords in subject lines like "auto insurance" or "free flowers"; however, I'm running into a problem with some subjects that come through, and it appears to be an encoding problem that I'm not sure how to handle.

I have a subject from an email in my Outlook inbox that reads "Еat Тhіs, Νever Dіet Αgaіn"; however, if I copy/paste this subject into my blacklist-subject.cf file it pastes as this: .at .h.s, .ever D.et .ga.n.

If I manually type "blacklist_subject Eat This, Never Diet Again", any future emails with the original subject that I tried to paste will not be flagged, unless I test by manually typing it in the subject line just as I did in the cf file. This looks like an encoding conflict. How can I compensate for this? It seems to be a common problem with spam email subjects I'm getting.

Thank you!
Luke


2 (edited by lhiggs 2014-05-29 22:32:47)

Re: Blacklisting Subject Keywords - Encoding Problem?

After further investigation, the subject lines in question are UTF8 encoded; the SpamAssassin plugin does not seem to translate UTF8 encoding but mail clients do. Is this a bug or is there a setting for this?

3

Re: Blacklisting Subject Keywords - Encoding Problem?

Did you check the mail source to see whether or not the mail subject is encoded?

4

Re: Blacklisting Subject Keywords - Encoding Problem?

Yes, the mail subjects are encoded. The actual subject line in the headers is "Subject: =?utf-8?B?RtGWbmQgdGhlIHLRlmdodCBk0L5jdNC+cmFsIHBy0L5ncmFtIHTQviBzdHVkeSDQvm5s0ZZuZS4gzpFwcGx5IHTQvmRheQ==?="

I don't know if this is a problem with SpamAssassin or with the editor I'm using (vi) to add the blacklist subject lines. I would assume that if I wrote "Auto Insurance" in my blacklist, SpamAssassin would be smart enough to translate utf-8 subject lines and check for those words. Thanks for your help!

Luke
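
Added example (not part of the original posts): decoding the Subject header quoted above shows why a plain-ASCII keyword never matches it, since the decoded text mixes Latin letters with look-alike Cyrillic and Greek letters. The `CONFUSABLES` table and the function names are assumptions made for this illustration; the table is a small constructed mapping, not the full Unicode confusables list.

```python
import re
import unicodedata
from email.header import decode_header, make_header

# Subject value quoted in the post above (RFC 2047 encoded-word, UTF-8, base64).
RAW_SUBJECT = ("=?utf-8?B?RtGWbmQgdGhlIHLRlmdodCBk0L5jdNC+cmFsIHBy0L5ncmFtIHTQviBz"
               "dHVkeSDQvm5s0ZZuZS4gzpFwcGx5IHTQvmRheQ==?=")

# Constructed look-alike table (assumption): only the letters seen in this thread.
CONFUSABLES = str.maketrans({
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0415": "E",  # CYRILLIC CAPITAL LETTER IE
    "\u0422": "T",  # CYRILLIC CAPITAL LETTER TE
    "\u0391": "A",  # GREEK CAPITAL LETTER ALPHA
    "\u039d": "N",  # GREEK CAPITAL LETTER NU
})


def decode_subject(raw):
    """Decode RFC 2047 encoded-words into a Unicode string."""
    return str(make_header(decode_header(raw)))


def mixed_script_words(text):
    """Return {word: [scripts]} for words whose letters come from several scripts."""
    hits = {}
    for word in re.findall(r"\w+", text):
        # The first token of a Unicode character name is its script (LATIN, CYRILLIC, ...).
        scripts = {unicodedata.name(c).split()[0] for c in word if c.isalpha()}
        if len(scripts) > 1:
            hits[word] = sorted(scripts)
    return hits


def skeleton(text):
    """Fold the known look-alike letters to ASCII before keyword matching."""
    return text.translate(CONFUSABLES)


if __name__ == "__main__":
    subject = decode_subject(RAW_SUBJECT)
    print("decoded :", subject)
    print("ascii kw:", "doctoral program" in subject.lower())
    print("folded  :", "doctoral program" in skeleton(subject).lower())
    for word, scripts in mixed_script_words(subject).items():
        print(f"  {word!r}: {'+'.join(scripts)}")
```

A word that mixes scripts is itself a useful signal, independent of any keyword list.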

5

Re: Blacklisting Subject Keywords - Encoding Problem?

I have no good idea yet; it's better to ask on the SpamAssassin mailing list instead.

I found another article, not sure whether it helps or not: http://www.timk.de/it-blog/howto-find-c … massassin/

6

Re: Blacklisting Subject Keywords - Encoding Problem?

ZhangHuangbin wrote:

I have no good idea yet; it's better to ask on the SpamAssassin mailing list instead.

I found another article, not sure whether it helps or not: http://www.timk.de/it-blog/howto-find-c … massassin/

Thank you Zhang, I will post a solution here if I find one.

Luke

7

Re: Blacklisting Subject Keywords - Encoding Problem?

lhiggs wrote:

I have no good idea yet; it's better to ask on the SpamAssassin mailing list instead.

Thank you Zhang, I will post a solution here if I find one.

Luke

If you haven't found a way to kill "Subject: =?utf-8?B...." spam, I share my strong solutions below, based on keywords and domain.
Well, for me, I prefer to discard messages which contain keywords like sex, viagra etc.
Maybe that would help someone.

======== Spamassassin rule ===========
# Filter headers.
# Keywords (alternatives grouped so \b applies to every keyword)
header KEYWORDS_SUBJECT      Subject =~ /\b(?:Drone|Viarga|sex)\b/i
score KEYWORDS_SUBJECT       25.1

# From domain
header DOMAINE_FROM From =~ /\@sastinseros\.pics|\@balisoners\.autos/i
score DOMAINE_FROM  25.1


================== sieve script ================

sudo nano /var/vmail/sieve/dovecot.sieve

require ["fileinto"];

# Discard mail with 20 or more spam-level stars; file other flagged spam into Junk.
if header :contains "X-Spam-Level" "********************" {
    discard;
    stop;
} elsif header :is "X-Spam-Flag" "YES" {
    fileinto "Junk";
}


================== Fail2ban filter ================

[Definition]
failregex = amavis\[\d+\]: .* \[<HOST>\]:.*KEYWORDS_SUBJECT=
            amavis\[\d+\]: .* \[<HOST>\]:.*DOMAINE_FROM=