Oh, I understand. This seems to be spam with asiatic characters and char-sets.
As we don't understand what they are writing and eventually what we are filtering for until now we haven't added any keywords for this type of messages. We have seen that asiatic spammers indicate the following char-sets: GB2312 CHINESEBIG5 iso-2022-jp Anyone know other's? Filtering for them in the mailheader seems to be the best defense against asiatic spam along with the following DNS-based tests: BHOLE-CHINA ip4r china.blackholes.us 127.0.0.2 6 0 BHOLE-CN-KR ip4r cn-kr.blackholes.us 127.0.0.2 6 0 BHOLE-HONGKONG ip4r hongkong.blackholes.us 127.0.0.2 4 0 BHOLE-JAPAN ip4r japan.blackholes.us 27.0.0.2 2 0 BHOLE-KOREA ip4r korea.blackholes.us 127.0.0.2 6 0 BHOLE-MALAYSIA ip4r malaysia.blackholes.us 127.0.0.2 6 0 BHOLE-SINGAPORE ip4r singapore.blackholes.us 127.0.0.2 6 0 BHOLE-TAIWAN ip4r taiwan.blackholes.u 127.0.0.2 6 0 KOREASPAM ip4r korea.services.net * 2 0 BHOLE-THAILAND ip4r thailand.blackholes.us 127.0.0.2 2 0 Markus > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Star > Sent: Monday, March 10, 2003 5:58 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] Removing mails by the subject > > > Here is an example subject: > > (����)��������ְ���Ʈ�����ӻ������� > > Dan > > Markus Gufler wrote: > > > Hi Dan, > > > > Yes, as I know the pro version is able to filter keywords in the > > subject-line. > > > > We've added a lot of keywords and phrases to our > subjectline filter in > > SPAMCHK, but I think filtering for single special > characters or also > > for a certain number of special characters will create more > fp's then > > help to identify spam. > > > > What are legitime special characters and what not? > > For example we've checked if the appearance of "!" can be used as a > > good test. No way. I dont know what's in your inbox but I can find > > more special characters in my inbox then in the list of Spamreview. > > > > Markus > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Star > > > Sent: Monday, March 10, 2003 4:57 PM > > > To: [EMAIL PROTECTED] > > > Subject: Re: [Declude.JunkMail] Removing mails by the subject > > > > > > > > > What about mails that don't have specific subjects, but > characters > > > such a %$(%(234_`1 ? We get a lot of these but they > don't break w20 > > > which tosses the email. Can Pro toss these? > > > > > > Dan > > > > > > Markus Gufler wrote: > > > > > > > Hi Darryl > > > > > > > > We catch this spam message with 276% of our hold value. > There are > > > > a lot of not content based tests that fail this message. This > > > > should be enough to block it. > > > > > > > > Our free tool SPAMCHK makes a lot of content based > tests. I do not > > > > reccomend to filter this spam by the subject line "he hit > > > me". Doing > > > > this ater some months you will have a long filter list > containing > > > > numerous no longer used subject lines. > > > > > > > > This message contains a lot of keywords that you can > filter for. > > > > Additionaly there are links to external images, and a > > > script call. As > > > > you can se only our SPAMCHK gives 170% of our hold value: > > > > > > > > 09.03.2003 02:26:44, file > > > C:\IMail\spool\D983f0cc700986457.SMD, Result > > > > 0H 50L 120K 0R, total 170 > > > > From:lisa <[EMAIL PROTECTED]> > > > > To:<[EMAIL PROTECTED]> > > > > Subject:he hit me > > > > 0,11 Filename is C:\IMail\spool\D983f0cc700986457.SMD > > > > 0,11 Read 4544 bytes from file > > > C:\IMail\spool\D983f0cc700986457.SMD > > > > 0,11 Message is base64 encoded! > > > > 0,11 mail text contains links to external images > > > > (http://cmb.flyhosting4free.com/max/images/ltg.jpg) > > > > 0,11 mail text contains a script call > > > > (http://cmb.flyhosting4free.com/ltg/?aid=357594) > > > > 0,11 Checkwords found: h_ardcore p_enis s_lut c_heck > out c_hick > > > > p_ics f_riend t_een s_lut y_our p_enis > > > > > > > > Markus > > > > > > > > > -----Original Message----- > > > > > From: [EMAIL PROTECTED] > > > > > [mailto:[EMAIL PROTECTED] On Behalf > Of Darryl > > > > > Koster > > > > > Sent: Sunday, March 09, 2003 7:47 PM > > > > > To: [EMAIL PROTECTED] > > > > > Subject: RE: [Declude.JunkMail] Removing mails by the subject > > > > > > > > > > > > > > > > > > > > They fail a bunch of tests on my system. I am still > in the set > > > > > up phases though and am looking into dif. possible fixes for > > > this type > > > > > of thing. Its nice to know that I can filter for > certain words. > > > > > > > > > > Darryl > > > > > > > > > > -----Original Message----- > > > > > From: [EMAIL PROTECTED] > > > > > [mailto:[EMAIL PROTECTED] Behalf Of Smart > > > > > Business Lists > > > > > Sent: Sunday, March 09, 2003 1:29 PM > > > > > To: Darryl Koster > > > > > Subject: Re: [Declude.JunkMail] Removing mails by the subject > > > > > > > > > > > > > > > Darryl, > > > > > > > > > > Sunday, March 9, 2003 you wrote: > > > > > DK> I get tons that say > > > > > DK> "He Hit Me" that are porn etc. > > > > > > > > > > I've seen a bunch of those recently but they've failed > > > the following > > > > > tests on my system: > > > > > > > > > > OSSOFT, SPAMCOP, WIREHUB-DNSBL, DORKZTL, > > > > > SBL, SORBS-HTTP, CN-KR, > > > > > NOABUSE, NOPOSTMASTER, BADHEADERS, REVDNS, > > > > > SNIFFER > > > > > > > > > > > > > > > Terry Fritts > > > > > > > > > > --- > > > > > [This E-mail was scanned for viruses by Declude Virus > > > > (http://www.declude.com)] > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to > [EMAIL PROTECTED], and type > > > > "unsubscribe Declude.JunkMail". The archives can be found at > > > > http://www.mail-archive.com. > > > > > > > > --- > > > > [This E-mail was scanned for viruses by Declude Virus > > > > (http://www.declude.com)] > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to > [EMAIL PROTECTED], and type > > > > "unsubscribe Declude.JunkMail". The archives can be found at > > > > http://www.mail-archive.com. > > > > > > > > --- > > > > [This E-mail was scanned for viruses by Declude Virus > > > > (http://www.declude.com)] > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to > [EMAIL PROTECTED], and type > > > > "unsubscribe Declude.JunkMail". The archives can be found at > > > > http://www.mail-archive.com. > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > "unsubscribe Declude.JunkMail". The archives can be found at > > http://www.mail-archive.com. > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > "unsubscribe Declude.JunkMail". The archives can be found at > > http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
