kluu_ironport Tue, 12/25/2007 - 19:30

Besides looking for language character sets in the MIME content-type section of the Internet header, you may also try and block the mail-from address of the sender.

So, put in either a message or content filter that drops the mail if the mail-from ends with the country code, i.e. mail-from == "\.(ru|cz|uk)$"

This is assuming that your company has a policy of not accepting mail from certain languages.

Is there an easy way to block all Russian spam?  Basically I would just like to drop anything that is formatted in Russian.

Thanks!
Seth
salware_ironport Fri, 04/25/2008 - 11:18

Hi:

I'm having serious problems with Russian spam though I have a filter dropping all messages with Content-type header or body containing windows-1251 string.

Some messages are dropped, but the filter is failing when the message is a multipart and some part has the Content-type, like this:

From [email protected] Tue Apr 22 20:39:46 2008
X-IronPort-RCPT-TO:
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ahw7AC7ODUhTpahg/2dsb2JhbACNeYJhnHaCIA
X-IronPort-AV: E=Sophos;i="4.25,695,1199660400";
d="gif'147?scan'147,208,147";a="246024999"
Received: from cm168096.red83-165.mundo-r.com ([83.165.168.96])
by smtp2.mundo-r.com with SMTP; 22 Apr 2008 20:39:43 +0200
Message-ID: <000901c8a4a8>
Reply-To: [email protected]
From: [email protected]
To: [email protected]
Bcc: [email protected],
[email protected]
Subject: =?windows-1251?B?PT09PT09PT0=?=
Date: Tue, 22 Apr 2008 22:43:39 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="-----000-0005-01C8A4CA-4F1410F0"
X-Priority: 3

-------000-0005-01C8A4CA-4F1410F0
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: 8bit

How should I modify the filter to stop that stuff?

Thank you:

Salvador
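
The case in the post above, where the charset is declared on a nested MIME part rather than on the message's own Content-Type header, shown as an added example that is not part of the thread and is not IronPort filter syntax. It uses Python's standard `email` module on a constructed message; the `BLOCKED` set and the list of headers checked are assumptions.

```python
import email
import re

BLOCKED = {"windows-1251", "koi8-r"}  # assumption: charsets your policy rejects

# Constructed sample, modelled on the multipart message quoted in the post.
SAMPLE = b"""\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: =?windows-1251?B?PT09PT09PT0=?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: 8bit

constructed body text
--b1--
"""

# RFC 2047 encoded-word: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?[bBqQ]\?[^?\s]*\?=")
HEADERS = ("Subject", "From", "To", "Reply-To")  # assumption: headers to check

def top_level_charset(raw):
    """What a check on the message's own Content-Type header sees."""
    return email.message_from_bytes(raw).get_content_charset()

def charsets_seen(raw):
    """Charsets declared in any MIME part or in encoded-word headers."""
    msg = email.message_from_bytes(raw)
    found = set()
    for name in HEADERS:
        for value in msg.get_all(name, []):
            found.update(c.lower() for c in ENCODED_WORD.findall(str(value)))
    for part in msg.walk():  # yields the container and every nested part
        charset = part.get_content_charset()  # lower-cased, or None
        if charset:
            found.add(charset)
    return found

def should_drop(raw):
    return bool(charsets_seen(raw) & BLOCKED)

if __name__ == "__main__":
    print(top_level_charset(SAMPLE), charsets_seen(SAMPLE), should_drop(SAMPLE))
```

The top-level header of a `multipart/mixed` message carries only the boundary, so a header-only match finds no charset; walking the parts and decoding the encoded-word prefix in the Subject catches both places the charset appears in the quoted message.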
