Markus,

This will work great with things like my IPINMX test which is anything that doesn't hit IPNOTINMX and has no sub-domains for the Mail From domain (the last part stops zombies from getting credit when they use the reverse DNS entry as the Mail From). I will likely pre-qualify in VBScript and then simply END processing the test in Declude for things like IPINMX, and add on even more points for other spammy things that Declude tracks like SPAMDOMAINS.

In VBScript I can test for things like message boundaries that contain non-hex characters, absence of X-Mailer header, small size attachments, etc., which shouldn't typically be seen when there is a zip attachment since people should generally be attaching zip files manually through normal software and doing so to hide larger files or groups of files. I probably will have to do something where it needs multiple hits for it to fail since there are going to be clear exceptions to all of what I have mentioned, but they likely won't exist in combination.

It would be very helpful if I could figure out from the zip file base64 encoding what type of extension was contained within the file, so I might play around with that a bit as well.

Matt

Gufler Markus wrote:
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
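An added example, not part of the original post and not MailPure or Declude code: a Python sketch (rather than the VBScript the post mentions) that base64-decodes a zip attachment, reads the extensions of the files it names, and fails a message only when several of the signals described above hit together. The extension list, the size threshold, the hit count and the test names are assumptions made for illustration, and the boundary check is left out.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed values, not from the original post; tune them to your own mail flow.
RISKY_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
SMALL_ZIP_BYTES = 64 * 1024
HITS_TO_FAIL = 2

def zip_member_extensions(zip_bytes):
    """Extensions listed in the zip's central directory (nothing is extracted);
    None if the data cannot be read as a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return sorted({PurePosixPath(n).suffix.lower() for n in zf.namelist()})
    except zipfile.BadZipFile:
        return None

def score_message(raw_bytes):
    """Sorted heuristic hits; empty when the message has no zip attachment."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    # get_payload(decode=True) undoes the base64 transfer encoding.
    zips = [p.get_payload(decode=True) for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".zip")]
    for data in zips:
        exts = zip_member_extensions(data)
        if exts and RISKY_EXTS & set(exts):
            hits.add("RISKY_EXT_IN_ZIP")
        if len(data) < SMALL_ZIP_BYTES:
            hits.add("SMALL_ZIP")
    if zips and msg["X-Mailer"] is None:
        hits.add("NO_X_MAILER")
    return sorted(hits)

def should_fail(raw_bytes):
    return len(score_message(raw_bytes)) >= HITS_TO_FAIL  # one hit is not enough

def build_sample(inner_name, x_mailer=None):
    """Constructed message: a zip holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"harmless placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    if x_mailer:
        msg["X-Mailer"] = x_mailer
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="doc.zip")
    return msg.as_bytes()
```

A password-protected zip still lists its file names in the central directory, so the extension check works on it without the password.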