Matthew Bramble wrote:

Mike,

I'm using v1.75i4 right now; is it possible that you are using a version older than 1.75?

We're using 1.75. I don't know what the sub-version is. I downloaded it on 7/22.
Maybe Scott could offer an explanation or hint as to why ours works and yours doesn't.



I tested my setup about 10 times before I gave up on the SUBJECT filter and moved to using HEADERS.


BTW, regardless of how you do it or how it works, this is a great filter. It's not that common, but guaranteed to be spam (IMO) and 1/10th of the hits are things that would have otherwise gotten through on my machine.


We got about 10 of these for V-pill over the weekend, that's why I set it up. I haven't seen any legitimate email get caught by this filter, but we don't normally get email from any non-English speaking countries (unless it's spam).

Mike


Matt




Mike Leonard wrote:

Matthew Bramble wrote:


Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.




I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text.




I sent one to myself before I posted, just to make sure it worked. I tried again just now and got the same result.
I have that example line as the first one in the text filter file. Here are the contents of the .SMD file and the entries from the JM log:


Received: from bookeseminars.com [10.172.17.47] by bookeseminars.com with ESMTP
(SMTPD32-8.02) id A542E80120; Tue, 09 Sep 2003 09:27:30 -0400
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 09 Sep 2003 09:27:32 -0400
From: Mike Leonard <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-RBL-Warning: MYTXTFILTER: Message failed MYTXTFILTER test (1)
X-Declude-Sender: [EMAIL PROTECTED] [10.172.17.47]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: MYTXTFILTER, WEIGHT10, WEIGHT20, WEIGHT35, WEIGHT40 [45]
X-Booke-Queue-Header: Dd54200e80120abea.SMD
X-Note: Total spam weight of this E-mail is 45.




09/09/2003 09:27:31 Qd54200e80120abea MYTXTFILTER:45 . Total weight = 45
09/09/2003 09:27:31 Qd54200e80120abea Msg failed MYTXTFILTER (Message failed MYTXTFILTER test (1)). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT10 (Weight of 45 reaches or exceeds the limit of 10.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT20 (Weight of 45 reaches or exceeds the limit of 20.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT35 (Weight of 45 reaches or exceeds the limit of 35.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT40 (Weight of 45 reaches or exceeds the limit of 40.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea R1 Message OK
09/09/2003 09:27:31 Qd54200e80120abea Msg failed MYTXTFILTER (Message failed MYTXTFILTER test (1)). Action=WARN.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT10 (Weight of 45 reaches or exceeds the limit of 10.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT20 (Weight of 45 reaches or exceeds the limit of 20.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT35 (Weight of 45 reaches or exceeds the limit of 35.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT40 (Weight of 45 reaches or exceeds the limit of 40.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Subject: =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
09/09/2003 09:27:31 Qd54200e80120abea From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 10.172.17.47 ID:


Do you have something like this:

MYTXTFILTER filter D:\Imail\Declude\txtfilters.txt x 5 0

in your global.cfg file and something like:

MYTXTFILTER WARN

in your $default$.junkmail file?


Mike





I found though that if you use the HEADERS filter, it will catch this (customize to suit; this will only catch Latin-1 that is base64-encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):


HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments).

The not-so-funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guy leaves, apart from having no text in the body, is having different countries' TLDs listed in the Received line, the sender, and the reverse DNS. Here's a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP
(SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +0000
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: "Shirley Dalton" <[EMAIL PROTECTED]>
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 314612976


<html><body>
<center><!--lfoln42j66--><a href="http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni";><img src="http://discountrate2-dot-com/pics/gv1.gif"; height="270" width="405"></a></center>
</html></body>





--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

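The two Subject lines quoted in the thread differ only in the case of the encoding token (`?b?` in Mike's self-sent test, `?B?` in the spam Matt received), which is the first thing to check when a CONTAINS rule on `=?ISO-8859-1?b?` catches one message and not the other. The following is an added example written for this page, not code from the thread, from Declude or from its authors. It decodes those RFC 2047 encoded-word Subjects, applies the heuristic Matt describes (Latin-1 text has no need for the base64 form, so a base64-encoded ISO-8859-1 Subject is a spam indicator), checks for an HTML body that renders nothing but an image like the one pasted above, and runs the three rule lines from the thread against constructed samples both case-sensitively and case-insensitively so the difference is visible. Whether Declude's CONTAINS is case-sensitive is not something the thread establishes; the rule interpreter, the hypothetical `DECODEDSUBJECT` field, and the sample addresses, hostnames and bodies are this example's assumptions.

```python
"""Added example; not code from the thread, from Declude, or from its authors.
Decodes RFC 2047 encoded-word Subjects, flags base64-encoded Latin-1 subjects
and image-only HTML bodies, and evaluates 'FIELD WEIGHT CONTAINS TEXT' rules in
the syntax the thread quotes.  Rule semantics here (available fields, case
handling) are this example's assumptions, not Declude's documented behaviour."""
import email
import re
from email.header import decode_header
from html.parser import HTMLParser

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")

# Constructed samples with placeholder addresses and hosts.  TEST_MSG mirrors
# the self-sent test from the thread (lowercase 'b'); SPAM_MSG mirrors the spam
# (uppercase 'B', body is one linked image); LEGIT_MSG is an ordinary
# quoted-printable Latin-1 subject that must not be flagged.
TEST_MSG = b"""From: mike@example.com
To: mike@example.com
Subject: =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=

test
"""
SPAM_MSG = b"""From: "Shirley Dalton" <sender@example.net>
To: user@example.com
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
Content-Type: text/html

<html><body>
<center><!--lfoln42j66--><a href="http://pay.example/default.asp?ID=omni"><img src="http://img.example/gv1.gif" height="270" width="405"></a></center>
</html></body>
"""
LEGIT_MSG = b"""From: anna@example.org
To: user@example.com
Subject: =?ISO-8859-1?Q?Re=3A_caf=E9_menu?=

Hi, the menu is attached.
"""
RULES = [
    "SUBJECT 40 CONTAINS =?ISO-8859-1?b?",  # Mike's rule as quoted in the thread
    "HEADERS 10 CONTAINS ISO-8859-1?B?",     # Matt's rule as quoted in the thread
    "DECODEDSUBJECT 20 CONTAINS Viagra",     # hypothetical field, see run_filters
]


def decode_subject(raw_message: bytes) -> str:
    """Subject with every RFC 2047 encoded word decoded to text."""
    msg = email.message_from_bytes(raw_message)
    parts = []
    for chunk, charset in decode_header(msg.get("Subject", "")):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "us-ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def base64_latin1_subject(raw_message: bytes) -> bool:
    """The thread's observation: ISO-8859-1 text never needs the base64 ('B')
    form, so a base64 Latin-1 Subject is suspicious.  Charset and encoding
    tokens are compared case-insensitively, so '?b?' and '?B?' match alike."""
    subject = email.message_from_bytes(raw_message).get("Subject", "")
    return any(cs.split("*")[0].lower() == "iso-8859-1" and enc.upper() == "B"
               for cs, enc, _ in ENCODED_WORD.findall(subject))


class _TextAndImages(HTMLParser):
    """Collects rendered text and counts <img> tags; HTML comments are ignored."""
    def __init__(self):
        super().__init__()
        self.text, self.images = "", 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text += data


def image_only_html_body(raw_message: bytes) -> bool:
    """True for a text/html body that renders no text at all, only image(s)."""
    msg = email.message_from_bytes(raw_message)
    if msg.get_content_type() != "text/html":
        return False
    parser = _TextAndImages()
    parser.feed(msg.get_payload(decode=True).decode("latin-1"))
    parser.close()
    return parser.images > 0 and not parser.text.strip()


def run_filters(raw_message: bytes, rules, case_sensitive=True):
    """Evaluate 'FIELD WEIGHT CONTAINS TEXT' rules.  SUBJECT and HEADERS see
    the raw header text; DECODEDSUBJECT (hypothetical) sees the decoded
    Subject.  Returns (total weight, list of matching rules)."""
    msg = email.message_from_bytes(raw_message)
    fields = {
        "SUBJECT": msg.get("Subject", ""),
        "HEADERS": "\n".join(f"{k}: {v}" for k, v in msg.items()),
        "DECODEDSUBJECT": decode_subject(raw_message),
    }
    total, matched = 0, []
    for rule in rules:
        field, weight, op, text = rule.split(maxsplit=3)
        if op != "CONTAINS":
            raise ValueError(f"unsupported operator: {rule}")
        hay, needle = fields[field], text
        if not case_sensitive:
            hay, needle = hay.casefold(), needle.casefold()
        if needle in hay:
            total += int(weight)
            matched.append(rule)
    return total, matched


if __name__ == "__main__":
    for name, raw in ("TEST_MSG", TEST_MSG), ("SPAM_MSG", SPAM_MSG), ("LEGIT_MSG", LEGIT_MSG):
        print(name, repr(decode_subject(raw)), base64_latin1_subject(raw),
              image_only_html_body(raw), run_filters(raw, RULES), run_filters(raw, RULES, False))
```

Run case-sensitively, the `?b?` rule scores Mike's test message and misses the `?B?` spam, while Matt's `ISO-8859-1?B?` HEADERS rule does the opposite; run case-insensitively both rules score both messages and the quoted-printable Latin-1 subject scores nothing. The decoded text is only reachable through a rule on the decoded field, which is the gap Matt reports when he says neither SUBJECT nor HEADERS catches the decoded form.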