Title: Message
OK... If you have STOPALLTESTS in a filter in place of a weight, does that prevent the current failed test from being logged %TESTSFAILED% ?
If so I think that's what's happening.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark E. Smith
Sent: Wednesday, October 27, 2004 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?

Ok they're being displayed in the headers using Outlook Peek.
 
Anyway...
For some reason the filter isn't logging/catching.
If I paste the text:

Content-Type: application/vnd.ms-

Into the body it will catch.
But if I attach an XLS file it won't even though the string:

Content-Type: application/vnd.ms-excel

shows up in the Message Body.

Any ideas?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, October 27, 2004 4:20 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?

They go in the body because ... that's where they go.
 
Take a look at a message in your spam folder.  The header ends where you see a blank line (two carriage returns, or two line feeds).  The attachment type line descriptions do not appear in the header.
 
I don't understand your comment about Microsoft Outlook; I didn't mention it, so it's not clear to me what you're clarifying.
 
Andrew.
-----Original Message-----
From: Mark E. Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?

Problem was that this wasn't sent through Microsoft OL it was sent through IMail's web interface.
Also, why would these content types go in the Body?
Wouldn't they go in the HEADER?
 
 
 
-0-


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, October 27, 2004 3:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?

Microsoft software is probably the "most guilty" for using the vague application-octet-stream MIME type instead of something more explicit, like application/msexcel.  PDF is also very likely to come as a stream.  I place viruses and malware as a distant 3rd for using stream.
 
As a result, my "attachment type" skip logic (in a single filter text file) is more brief than has been talked about in this thread, but has been working for me, and was based on Rick Davidson's earlier work.  Couple this with Matt's Size.vbs script or the compiled version that (the other) Scott hosts and you've got a useful way to skip wasteful body filters.
 
#Based on a submission to the Declude Support list by Rick Davidson <[EMAIL PROTECTED]>
 
#Jun-17-2004 AC This would be better as an external file and do these tests as a message size
#               and/or purpose-built searcher for the content-type keys.
#These are sorted by most frequently appearing in our inbound mail
 
BODY 0 CONTAINS content-type: application/msexcel
BODY 0 CONTAINS content-type: application/msword
BODY 0 CONTAINS content-type: application/pdf
BODY 0 CONTAINS content-type: application/vnd.ms-
BODY 0 CONTAINS content-type: text/x-vcard
BODY 0 CONTAINS content-type: application/x-zip-compressed
BODY 0 CONTAINS content-type: application/zip
BODY 0 CONTAINS content-type: application/rtf
 
#Also frequent, but not in the same magnitude
 
BODY 0 CONTAINS content-type: application/applefile
BODY 0 CONTAINS content-type: application/mac-binhex40
BODY 0 CONTAINS content-type: application/postscript
BODY 0 CONTAINS content-type: application/x-macbinary
BODY 0 CONTAINS content-type: application/x-ms-excel
BODY 0 CONTAINS content-type: application/x-ms-wmz
BODY 0 CONTAINS content-type: application/x-msdownload
BODY 0 CONTAINS content-type: application/x-msexcel
BODY 0 CONTAINS content-type: application/x-stuffit
BODY 0 CONTAINS content-type: audio/mpeg
BODY 0 CONTAINS content-type: audio/x-midi
BODY 0 CONTAINS content-type: audio/x-mpeg
BODY 0 CONTAINS content-type: text/richtext
BODY 0 CONTAINS content-type: video/avi
BODY 0 CONTAINS content-type: video/mpeg
BODY 0 CONTAINS content-type: video/mpg
BODY 0 CONTAINS content-type: video/x-mpeg
BODY 0 CONTAINS content-type: video/x-ms-asf
BODY 0 CONTAINS content-type: video/x-ms-wmv
BODY 0 CONTAINS content-type: video/x-msvideo
 
#Jul-21-2004 AC If I had a nickel for every crap mailhost that sends PDF in the octet stream
#               format so that we can't get Declude to really tell the filetype...
#               There is now a small counterweight for .pdf" in the body, see BentallNegText.txt
 
#Original line items I've not implemented
#BODY 0 CONTAINS .PDF
#BODY 0 CONTAINS X-MS-Attachment:
 
 
-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?

That's a MIME type :)  They are all over the place, and they can be forged.  Here's how MS handles it:

http://msdn.microsoft.com/library/default.asp?url=

Matt



Mark E. Smith wrote:
Yeah, just checked on a few of these MIME items and the actual type isn't
defined.
For example, an Excel attachment just says application-octet-stream

-0-

Content-Type: multipart/mixed;boundary="==IMail_v8.1=="
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 27 Oct 2004 18:29:21.0419 (UTC)
FILETIME=[E09185B0:01C4BC52]

--==IMail_v8.1==
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii

--==IMail_v8.1==
Content-Type: application/octet-stream; name="2004 Technology.xls"
Content-Transfer-Encoding: base64



==================


  
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson
Sent: Wednesday, October 27, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Best Practices for handing
legit email flagged as spam?

That is correct, declude virus processes before junkmail

I did look at quite a few zip viruses and didn't see any of them using the
Content-Type: application/x-zip-compressed in the mime info

Rick Davidson
National Systems Manager
North American Title Group

-
----- Original Message -----
From: "Mark E. Smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 27, 2004 1:03 PM
Subject: RE: [Declude.JunkMail] Best Practices for handing
legit email flagged as spam?


    
Rick,
I was looking at your filter -- great idea.
One question (which falls under the processing order)

If you have:
BODY STOPALLTESTS CONTAINS Content-Type: application/x-zip-compressed

I think Declude Virus will still grab this correct?

Mark


      
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rick
Davidson
Sent: Tuesday, October 26, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Best Practices for handing legit
email flagged as spam?

        
1 in 500,000?  That's fantastic.  I think that qualifies for the anti-spam guru of the week award!

heh, that is no exaggeration either, it is mainly due to spending a lot of time in looking at false positives and finding ways to prevent them. For example use filtering to look for legit mail, the attached filter file runs before all other filters, it contains things that I found in false positives. This file is my number one false positive eliminator, my second method is test the hell out of any significant changes first. I do have the luxury of having to only filter for one company and I can be fairly restrictive....

I will see if I can get my configs somewhere for download, I am willing to share my work because I hate spam and spammers so much... man do I hate them.

Rick Davidson
National Systems Manager
North American Title Group
-

        
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.

      


  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
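
The header/body split and the octet-stream attachment discussed in this thread, as an added example that is not from any poster or from Declude. The message is constructed (modelled on the IMail sample quoted above; the sender address, text part and 8-byte payload are made up), and treating a BODY ... CONTAINS line as a case-insensitive substring match on the body is an assumption.

```python
import email
import re
from email import policy

# Constructed sample, modelled on the IMail-generated message quoted in the thread.
RAW = (
    'From: sender@example.com\r\n'
    'Subject: report\r\n'
    'MIME-Version: 1.0\r\n'
    'Content-Type: multipart/mixed;boundary="==IMail_v8.1=="\r\n'
    '\r\n'
    '--==IMail_v8.1==\r\n'
    'Content-Transfer-Encoding: 7bit\r\n'
    'Content-Type: text/plain; charset=us-ascii\r\n'
    '\r\n'
    'See attached.\r\n'
    '--==IMail_v8.1==\r\n'
    'Content-Type: application/octet-stream; name="2004 Technology.xls"\r\n'
    'Content-Transfer-Encoding: base64\r\n'
    '\r\n'
    '0M8R4KGxGuE=\r\n'   # constructed payload: only the 8 signature bytes
    '--==IMail_v8.1==--\r\n'
)

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls/.doc container signature

def split_header_body(raw):
    """The message header ends at the first blank line; the rest is body."""
    header, body = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    return header, body

def body_filter_hits(raw, needles):
    """Assumed model of BODY ... CONTAINS: case-insensitive substring on the body."""
    body = split_header_body(raw)[1].lower()
    return [n for n in needles if n.lower() in body]

def describe_parts(raw):
    """Per MIME part: (declared type, attachment name, type sniffed from the bytes)."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = []
    for part in msg.iter_parts():
        data = part.get_payload(decode=True) or b""
        sniffed = "ole2" if data.startswith(OLE2_MAGIC) else None
        out.append((part.get_content_type(), part.get_filename(), sniffed))
    return out

if __name__ == "__main__":
    print(body_filter_hits(RAW, ["content-type: application/vnd.ms-"]))
    print(describe_parts(RAW))
```

The per-part Content-Type lines sit in the body, and a declared type of application/octet-stream never matches the Excel-specific filter lines even though the decoded bytes carry the OLE2 signature.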