First, I must correct myself...the SUBJECT test for the ISO/Base64 line is working without any changes and after further testing.  I have no clue as to how I screwed this up on so many tests, but apparently I did unless that is related to the other mysterious behavior with my system not decoding properly.

Regarding the gibberish detection and decoding...I am running the most recent version and have not disabled decoding, however the following test message gets a hit on [BODY   0   CONTAINS   qi] even though that string only appears in the link:
From - Tue Sep 09 17:32:25 2003
X-UIDL: 314613061
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from igaia.com [24.195.119.188] by igaia.com with ESMTP
  (SMTPD32-7.13) id A6CC195016C; Tue, 09 Sep 2003 17:31:56 -0400
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 09 Sep 2003 17:32:17 -0400
From: Matthew Bramble <[EMAIL PROTECTED]>
Organization: iGaia Incorporated, Operator of NYcars.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Matthew Bramble <[EMAIL PROTECTED]>
Subject: Gibberish false positive test
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Declude-Sender: [EMAIL PROTECTED] [24.195.119.188]
X-Declude-Spoolname: D46cc0195016c8618.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from alb-24-195-119-188.nycap.rr.com ([24.195.119.188]).
X-Spam-Tests-Failed: EASYNET-DYNA, IPNOTINMX, GIBBERISH [3]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 314613061

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
<a
 href="http://www.amazon.com/exec/obidos/tg/detail/-/0895261014/qid=1060719985/sr=8-2/ref=sr_8_2/002-1731381-9359250?v=glance&amp;s=books&amp;n=507846/lauraingraham-20">This
is a text link</a><br>

</body>
</html>

I also found that the Base64 encoded words that appear in a subject aren't getting found by my filters either.  It looks to me like for some reason my system isn't decoding the Base64 stuff.  Is that a fair conclusion?  Any pointers on what I might do to get this to work?  declude -diag reports the following:
Declude 1.75i4 (C) Copyright 2000-2003 Computerized Horizons.  All Rights Reserved.

Diagnostics ON (Declude v1.75i4).

Declude JunkMail:  Config file found (C:\IMail\Declude\global.CFG).
Declude Virus:     Config file found (C:\IMail\Declude\Virus.CFG).
WARNING: Could not delete eicar.com file [2]!
Declude Hijack:    Not installed (no C:\IMail\Declude\Hijack.CFG file).
Declude Confirm:   Config file found (C:\IMail\Declude\Confirm.CFG).

64 spam tests defined: DSBL MONKEYPROXIES ORDB SPAMCOP EASYNET-DYNA
EASYNET-DNSBL EASYNET-PROXIES FIVETEN-SPAM FIVETEN-BULK FIVETEN-MULTISTAGE
FIVETEN-SPAMSUPPORT FIVETEN-MISC BLITZEDALL SBL MONKEYFORMMAIL
FIVETEN-SINGLESTAGE FIVETEN-FREE SORBS-DUL SORBS-HTTP SORBS-MISC SORBS-SOCKS
SORBS-SPAM MAILPOLICE-BULK MAILPOLICE-PORN DSN NOABUSE NOPOSTMASTER
BONDEDSENDER BADHEADERS BASE64 HELOBOGUS MAILFROM IPNOTINMX PERCENT ROUTING
SPAMHEADERS NONENGLISH NOLEGITCONTENT BCC-1 BCC-3 BCC-5 COMM-20 COMM-30
COMM-40 COMM-50 COMM-60 COMM-70 COMM-80 COMM-90 COMM-100 SPAMTRAPS FOREIGNTLD
GIBBERISH FROMFILTER SUBJECTFILTER BODYFILTER KILLFILE LIVEFILE W-HIGH W-MED
W-LOW W-SUB NEARSPAM JUSTSPAM

IMail reports Official Host Name as: "igaia.com".
IMail's SendName registry seems OK:  "C:\IMail\Declude.exe".

Declude JunkMail Status:             PRO version registered.
Declude Virus Status:                Pro Version Registered.
Declude Hijack Status:               NOT REGISTERED: No activation code.

End of diagnostics.

I'll leave that eicar error for another time and list unless you think it is relevant.

Thanks,

Matt
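
The two symptoms in the message above can be reproduced with a generic substring filter. This is an added example, not part of the original post and not Declude's code: the `analyze` function, the shortened example.com URL and the encoded subject are constructed for illustration, and the matching logic is an assumption about how a simple CONTAINS test behaves.

```python
import base64
import email
from email.header import decode_header, make_header
from html.parser import HTMLParser

# Constructed sample modelled on the test message in the post (URL shortened).
ENCODED = base64.b64encode(b"Gibberish test").decode("ascii")
RAW = (
    f"Subject: =?ISO-8859-1?B?{ENCODED}?=\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "\r\n"
    '<html><body><a href="http://www.example.com/detail/qid=1060719985/ref=sr_8_2">'
    "This is a text link</a><br></body></html>\r\n"
)


class VisibleText(HTMLParser):
    """Collects only character data, dropping tags and attribute values."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def analyze(raw, body_needle, subject_needle):
    """Compare substring hits on raw vs. decoded views of one message."""
    msg = email.message_from_string(raw)
    raw_subject = msg["Subject"]
    # RFC 2047 encoded-words must be decoded before a subject filter can match.
    subject = str(make_header(decode_header(raw_subject)))
    body = msg.get_payload()
    parser = VisibleText()
    parser.feed(body)
    parser.close()
    visible = " ".join("".join(parser.parts).split())
    return {
        "subject": subject,
        "raw_subject_hit": subject_needle.lower() in raw_subject.lower(),
        "decoded_subject_hit": subject_needle.lower() in subject.lower(),
        "raw_body_hit": body_needle.lower() in body.lower(),  # sees href value
        "visible_text_hit": body_needle.lower() in visible.lower(),
    }


if __name__ == "__main__":
    print(analyze(RAW, "qi", "gibberish"))
```

A filter that matches against the raw body hits `qi` inside `qid=` in the link, while the rendered text has no match; a subject filter that sees the undecoded header misses the word entirely.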
