Either test grouping, or some way to limit the score of a filter that
increments, or someway to negate the whole filter with a test inside of
the filter. Something like:
SUBJECTEXEMPTCONTAINS?b?
That would keep your negation techniques from having an effect outside
of the test. I
Not bad. Makes me wonder if the future test grouping feature would be even stronger
with exclusive as well as inclusive grouping. Must have (1) and (2) but not (3).
That would rock! :)
Dan
On Thursday, September 11, 2003 15:05, Matthew Bramble <[EMAIL PROTECTED]> wrote:
>Dan,
>
>There
I've been capturing this stuff and I have found the code in the middle
of native language text, but only occasionally. Some examples:
Subject: You never IM =?ISO-8859-1?B?bWUgYW55?=more
Subject: This
is=?ISO-8859-1?b?IHRoZSA1dGgg?=email=?ISO-8859-1?b?IEkgc2Vu?=t you
Subject: =?ISO
PROTECTED]
Sent: Thursday, September 11, 2003 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject
Looking at my "spamples" I don't see any prefix letter:
Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?
Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFyb
Looking at my "spamples" I don't see any prefix letter:
Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?
Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=
Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month
Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVu
Dan,
There's a decent way around that. You can set the test in the Config
file for a solid weight, not score each filter test incrementally, and
then provide a list of negative tests that would offset the test. So if
there is some sort of ISO tagging of this Japanese stuff, you can find
that
> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
I'm seeing quite a few of these coming in, but they are getting held.
I'm including a sample from my log, which is set to HIGH so that others can
see what tests have been useful for me.
An interesting point that came out of my following this thread is that I
Follow-up,
Used in a high weight soft test, 3 of Q subject tests FPd this morning. It seems that
Japanese encoded messages like lots of mixed up letters.
More testing...
Dan
On Wednesday, September 10, 2003 19:20, Dan Patnode <[EMAIL PROTECTED]> wrote:
>I did a scan of all uncaught spam fro
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject
Add the following tests and it get's even better :)
SUBSPACE-10subjectspaces10x10
SUBSPACE-20subjectspaces20x20
SUBSPACE-30subjectspaces30x30
I'm not familiar with this test?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Wednesday, September 10, 2003 10:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject
Add the following tests and it get&#
Add the following tests and it get's even better :)
SUBSPACE-10subjectspaces10x10
SUBSPACE-20subjectspaces20x20
SUBSPACE-30subjectspaces30x30
Matt
Dan Patnode wrote:
I did a scan of all uncaught spam from the last week, foun
I did a scan of all uncaught spam from the last week, found all the one's with Q,
removed the QU's and ended up with this list. All of these would have been seen by
Matt's new config:
Subject: Block those unwanted Popups yqvqk
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Su
Doug McKee wrote:
What is your test setup for the above string, please?
SUBJECT 15 CONTAINS =?ISO-8859-1?b?
>From what I can tell, there's no valid reason to encode Latin-1 in the
subject since that character set is supported by default in E-mail, so
it's quite safe to fai
It pains me to suggest making your todo list longer but how about adding
test grouping?
Don't feel bad -- it was already in the todo list. :)
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Cat
This is a multi-part message in MIME format.
>How about 4 different super tests? I fail automatically on
>=?ISO-8859-1?B?, and that accounts for more than 1% of the
What is your test setup for the above string, please?
Thanks,
Doug
How about 4 different super tests? I fail automatically on
How about 4 different super tests? I fail automatically on
=?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail
coming in to my server, but only a handful of additional catches in
what was being missed...no false positives. I think I've mentioned
enough times, the other tests tha
Scott,
It pains me to suggest making your todo list longer but how about adding test
grouping? It would be to much to make multiple weight scales, but how about something
simpler. Say you wanted to make 3 groups of 3 each. Label one of the option columns
in such a way that they can be groupe
FYI, I pulled this test 3 weeks ago after a email from France came through (or rather
didn't) with this subject:
Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=
There's definitely is a correlation here among spammers, ?B? encoded subjects,
disposable domain names, and not
I'm using v1.75i4 right now, is it possible that you are using a version
older than 1.75?
We're using 1.75. I don't know what the sub-version is. I downloaded it
on 7/22.
Maybe Scott could offer an explanation or hint as to why ours works and
yours doesn't.
My guess is some extra spaces/tabs a
Matthew Bramble wrote:
Mike,
I'm using v1.75i4 right now, is it possible that you are using a
version older than 1.75?
We're using 1.75. I don't know what the sub-version is. I downloaded it
on 7/22.
Maybe Scott could offer an explanation or hint as to why ours works and
yours doesn't.
I tes
Mike,
I'm using v1.75i4 right now, is it possible that you are using a version
older than 1.75?
I tested my setup about 10 times before I gave up on the SUBJECT filter
and moved to using HEADERS?
BTW, regardless of how you do it or how it works, this is a great
filter. It's not that common,
Add www.spamchk.com
Base64 encoded subject lines will be decoded before the keyword-check.
Markus
It's on my list of things to do. That would be the best of both worlds
since this stuff always seems keyword rich.
Right now I'm writing custom filters, and loving the results...
Thanks,
Mat
> Any suggestion on how to block these.
Add www.spamchk.com
Base64 encoded subject lines will be decoded before the keyword-check.
Markus
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
uns
Matthew Bramble wrote:
Use a text filter and add something like:
SUBJECT 40 CONTAINS =?ISO-8859-1?b?
to it.
I tried this all the way down to ust ?b? and a SUBJECT filter didn't
catch it. The SUBJECT filter also doesn't catch the decoded text.
I sent one to myself before I posted, just to
Use
a text filter and add something like:
SUBJECT 40 CONTAINS =?ISO-8859-1?b?
to it.
I tried this all the way down to ust ?b? and a SUBJECT filter didn't
catch it. The SUBJECT filter also doesn't catch the decoded text.
I found though that if you use the HEADERS filter, it w
:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Monday, September 08, 2003 4:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Strange Subject
>> SUBJECT 40 CONTAINS =?ISO-8859-1?b? <<
Assuming you don't ever get emails from European countries, Canada or
other
l
>> SUBJECT 40 CONTAINS =?ISO-8859-1?b? <<
Assuming you don't ever get emails from European countries, Canada or other
locations that use accented characters.
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201
: Monday, September 08, 2003 4:55 PM
Subject: RE: [Declude.JunkMail] Strange Subject
How does a subject that shows this.
=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
The "?b?" indicates that this subject line is Base64 encoded.
Markus
---
[This E-mail was scan
Any suggestion on how to block these.
Thanks.
- Original Message -
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 08, 2003 4:55 PM
Subject: RE: [Declude.JunkMail] Strange Subject
>
> > How does a subject that s
> How does a subject that shows this.
>
> =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
The "?b?" indicates that this subject line is Base64 encoded.
Markus
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.
How does a subject that shows this.
=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
Display this.
Re:Cheapest Viagra Guaranteed
That's because the subject is encoded. To help support non-English
languages, there was an RFC that allowed subjects and message bodies to be
encoded. In
How does a subject that shows this.
=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
Display this.
Re:Cheapest Viagra Guaranteed
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubsc
32 matches
Mail list logo
