A client has a ton of Chinese spam. All of it looks similar to this one:

Return-Path: <15308409199@189.cn>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    hotel492.dedicatedpanel.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.2 required=5.0 tests=BAYES_50,
    FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FROM_LOCAL_DIGITS,FROM_LOCAL_HEX,
    RCVD_IN_RP_RNBL,RDNS_NONE,SPF_FAIL,SPF_HELO_FAIL,UNPARSEABLE_RELAY
    autolearn=no autolearn_force=no version=3.4.0
Delivered-To: info@MYDOMAIN.com
Received: from qq.com (unknown [117.63.78.83])
    by mail.MYSERVER.com (Postfix) with SMTP id E99E441FF0E23
    for <info@MYDOMAIN.com>; Mon, 12 Feb 2018 01:28:59 +0100 (CET)
Received: from qq.com (unknown (210.16.9.24])
     by qq.com with SMTP id a96dedeb-c1f9-4f5b-b79c-0ff8b77d40e4;
     for <15308409199@189.cn>;Mon, 12 Feb 2018 08:28:46 +08:00
Message-ID: <98f7bcd1aac2f30dc4fea8d01cd47e69@189.cn>
From: "=?utf-8?B?55m96Im+6KeC?=" <15308409199@189.cn>
To: <info@MYDOMAIN.com>
Subject: =?utf-8?B?5ZOI5Za977yB546w6YKA5oKo6aKGMzjlnIYg6K+35Zyo44CQMzM0OTQ454K5Y29t?=
    =?utf-8?B?44CR5rOo5YaMVklQIOivpuaDheS8gem5heS4k+WRmOOAkDI3MjAwMDUz?=
    =?utf-8?B?MzfjgJHlkqjor6JWSVDlkajlkajpooblt6XotYQg5L+456aE5pyI5pyI?=
    =?utf-8?B?5ou/IOWkqeWkqemDveaciee6ouWMhembqCDlrp7lipvlubPlj7Ag5Ye65qy+?=
    =?utf-8?B?5a6J5YWo5L+d6Zqc?=
Date: Mon, 12 Feb 2018 08:28:46 +0800
MIME-Version: 1.0
Content-Type: text/plain;
    charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Disposition-Notification-To: 15308409199@189.cn

There is no body in the emails and the subject is different each time. qq.com is not present in all emails either.

I tried to block it using spamassassin, but it cannot do much, so I decided to use sieve to move all emails with a Chinese / Japanese / Korean charset into a different folder.

Is this somehow possible?

Update

Tried variations of the following; it does not work.

require "fileinto";

# As posted: "body" tests the message body, not the header block.
if body :raw :contains "ubject: =?utf-8?B?" {
    fileinto "Junk";
}
Nick
    The body doesn't contain the subject line, the header does. I'd filter on the from line myself. – wurtel Feb 15 '18 at 10:38
  • Can I do headers :raw :contains? Does not work, but you get the idea – Nick Feb 15 '18 at 10:56
  • Perhaps not, but you tagged this question with spamassassin and spamassassin has no problem matching header lines. – wurtel Feb 16 '18 at 11:41
  • Spamassassin was unable to match this as spam, so I tried to find a solution using Spamassassin or Dovecot. The way I fixed the problem is a blocking list (spamcop) from postfix. – Nick Feb 17 '18 at 13:02
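As an added example (not code from the question or the answers), the Python below takes the header block quoted in the question, decodes the RFC 2047 encoded words in Subject and From, and scores how much of the decoded text falls in CJK Unicode blocks. It also shows why the `body :contains` attempt above cannot fire: the message body is empty, and the Subject only exists in the header block. A related caveat for the Sieve route: RFC 5228 section 2.7.2 requires `header` tests to compare against the decoded (UTF-8) value, so `header :contains "Subject" "=?utf-8?B?"` would not match the raw encoded-word prefix either; a filter has to match on decoded text, the sender address, or headers the MTA adds. The CJK ranges, the 30% threshold and the helper names (`decode_encoded_words`, `cjk_ratio`, `classify`, `body_text`) are my own choices, not anything from the page or from Dovecot/Sieve.

```python
import base64
import email
import quopri
import re

# Constructed sample: the header block quoted in the question, with the asker's
# MYDOMAIN/MYSERVER placeholders kept as they appear; the body is empty, as the
# question states.
RAW_MESSAGE = """Return-Path: <15308409199@189.cn>
Delivered-To: info@MYDOMAIN.com
Received: from qq.com (unknown [117.63.78.83])
    by mail.MYSERVER.com (Postfix) with SMTP id E99E441FF0E23
    for <info@MYDOMAIN.com>; Mon, 12 Feb 2018 01:28:59 +0100 (CET)
Message-ID: <98f7bcd1aac2f30dc4fea8d01cd47e69@189.cn>
From: "=?utf-8?B?55m96Im+6KeC?=" <15308409199@189.cn>
To: <info@MYDOMAIN.com>
Subject: =?utf-8?B?5ZOI5Za977yB546w6YKA5oKo6aKGMzjlnIYg6K+35Zyo44CQMzM0OTQ454K5Y29t?=
    =?utf-8?B?44CR5rOo5YaMVklQIOivpuaDheS8gem5heS4k+WRmOOAkDI3MjAwMDUz?=
    =?utf-8?B?MzfjgJHlkqjor6JWSVDlkajlkajpooblt6XotYQg5L+456aE5pyI5pyI?=
    =?utf-8?B?5ou/IOWkqeWkqemDveaciee6ouWMhembqCDlrp7lipvlubPlj7Ag5Ye65qy+?=
    =?utf-8?B?5a6J5YWo5L+d6Zqc?=
Date: Mon, 12 Feb 2018 08:28:46 +0800
MIME-Version: 1.0
Content-Type: text/plain;
    charset="utf-8"
Content-Transfer-Encoding: quoted-printable

"""

# RFC 2047 encoded word: =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")

# Unicode blocks treated as CJK (my own selection, not from the page).
CJK_RANGES = (
    (0x2E80, 0x2FDF),  # CJK radicals
    (0x3000, 0x303F),  # CJK symbols and punctuation
    (0x3040, 0x30FF),  # Hiragana, Katakana
    (0x3100, 0x31FF),  # Bopomofo, Hangul compatibility Jamo
    (0x3400, 0x4DBF),  # CJK Unified Ideographs Extension A
    (0x4E00, 0x9FFF),  # CJK Unified Ideographs
    (0xAC00, 0xD7AF),  # Hangul syllables
    (0xF900, 0xFAFF),  # CJK compatibility ideographs
    (0xFF00, 0xFFEF),  # Halfwidth and fullwidth forms
)


def decode_encoded_words(raw):
    """Decode RFC 2047 encoded words in a raw, possibly folded, header value."""
    # Unfold: a line break followed by whitespace is folding whitespace.
    raw = re.sub(r"\r?\n[ \t]+", " ", raw)
    # Whitespace between two adjacent encoded words is not part of the text.
    raw = re.sub(r"(\?=)\s+(=\?)", r"\1\2", raw)

    def repl(m):
        charset = m.group(1).split("*")[0]  # drop an RFC 2231 language tag
        enc, payload = m.group(2).upper(), m.group(3)
        if enc == "B":
            data = base64.b64decode(payload)
        else:  # Q encoding: quoted-printable with "_" standing for space
            data = quopri.decodestring(payload.encode("ascii"), header=True)
        try:
            # Each word is decoded on its own; a multibyte character split
            # across two encoded words would surface as U+FFFD here.
            return data.decode(charset, errors="replace")
        except LookupError:
            return data.decode("latin-1")

    return ENCODED_WORD.sub(repl, raw)


def cjk_ratio(text):
    """Fraction of non-whitespace characters that fall in a CJK block."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    cjk = sum(1 for c in chars if any(lo <= ord(c) <= hi for lo, hi in CJK_RANGES))
    return cjk / len(chars)


def body_text(raw_message):
    """The message body as the asker's body test would see it."""
    return email.message_from_string(raw_message).get_payload()


def classify(raw_message, threshold=0.3):
    """Decode Subject/From and decide whether the decoded text is mostly CJK."""
    msg = email.message_from_string(raw_message)  # compat32: headers stay raw
    raw_subject = msg.get("Subject", "")
    raw_from = msg.get("From", "")
    subject = decode_encoded_words(raw_subject)
    sender = decode_encoded_words(raw_from)
    charsets = {m.group(1).lower() for m in ENCODED_WORD.finditer(raw_subject + raw_from)}
    ratio = max(cjk_ratio(subject), cjk_ratio(sender))
    return {
        "subject": subject,
        "from": sender,
        "header_charsets": charsets,
        "cjk_ratio": round(ratio, 2),
        "junk": ratio >= threshold,
    }


if __name__ == "__main__":
    print(classify(RAW_MESSAGE))
    print("body as seen by a body test:", repr(body_text(RAW_MESSAGE)))
```

Running it prints the decoded Chinese Subject and From, the set of charsets seen in encoded words (just utf-8 for this sample) and an empty body, which is the concrete reason the `body :raw :contains "ubject: ..."` test never matches. The same decode-then-inspect logic is what a Sieve implementation applies internally before a `header` comparison, so any Sieve rule has to be written against the decoded value.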

1 Answer

You should block all IPs found in https://intodns.com/qq.com

Here is the list of IPs I have blocked, but you should check every now and then because IPs keep getting changed/added:

101.226.68.138
14.17.19.139
101.227.169.106
182.140.167.157
182.140.177.149
123.151.178.115
125.39.247.247
184.105.206.124
203.205.144.156
87.243.6.138
87.243.6.136

MX
184.105.206.32
184.105.206.30
184.105.206.31
184.105.206.86
184.105.206.85
184.105.206.82
103.7.30.40
203.205.176.244
203.205.176.240

They are still coming, but at least they go straight to the queue and eventually to the garbage.

Law29