Re: [Declude.JunkMail] Question about quoted-printable encoding and filtering

[R. Scott Perry]

I'm finding this difficult to test and thought that I would ask it 
instead.  I've found some heavy obfuscation in some Nigerian stuff that 
has be scratching my head about how to filter it.  One such messages 
contains the following:
THE OWNER OF THIS ACCOUNT LATE MR.DENNIS BR=
OWN ,HE DIED SINCE 1997

I'm wondering to what extent Declude clears up such encoding for the 
filters.  For instance, would the following work in this instance:
BODY  3  CONTAINS  MR.DENNIS BROWN

or maybe with a space for the line return:
BODY  3  CONTAINS  MR.DENNIS BR= OWN
or rather without the space:
BODY  3  CONTAINS  MR.DENNIS BR=OWN
Declude JunkMail should translate the CRLF (linefeed) into a space, so it 
the second line (MR.DENNIS BR= OWN) should catch it.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Question about quoted-printable encoding and filtering

[Matt]

Thanks.
. I'm sure it goes without saying that MIME decoding would be a nice 
addition whenever that pops to the top of your to-do list.  This one 
message was clearly obfuscated using that technique, and the sender was 
careful to find a free mail provider that would send quoted-printable 
encoding headers on plain text messages.  This is most problematic on 
Nigerian scams because it almost always comes from legitimate mail 
providers and you have to rely exclusively on content filters to block 
it, although I'm now starting to populate a %MAILFROMBL% test for such 
addresses, and I should soon see how useful that may be.

Matt

R. Scott Perry wrote:

I'm finding this difficult to test and thought that I would ask it 
instead.  I've found some heavy obfuscation in some Nigerian stuff 
that has be scratching my head about how to filter it.  One such 
messages contains the following:
THE OWNER OF THIS ACCOUNT LATE MR.DENNIS BR=
OWN ,HE DIED SINCE 1997

I'm wondering to what extent Declude clears up such encoding for the 
filters.  For instance, would the following work in this instance:
BODY  3  CONTAINS  MR.DENNIS BROWN

or maybe with a space for the line return:
BODY  3  CONTAINS  MR.DENNIS BR= OWN
or rather without the space:
BODY  3  CONTAINS  MR.DENNIS BR=OWN

Declude JunkMail should translate the CRLF (linefeed) into a space, so 
it the second line (MR.DENNIS BR= OWN) should catch it.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail 
mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in 
mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.