Matt:

> The FOREIGN/TLD filter set that I shared yesterday for instance would
> have added at least 3 points to this message and possibly two more
> depending on the X-Declude-Sender which you cut out.

I saw your post and I have not yet added that filter. I will be reviewing it shortly and plan on adding it tomorrow.

> This type of spam
> also tends to randomize the From, HELO and MAILFROM addresses, and/or
> use common domains like aol.com or yahoo.com, in which case some points
> from a SPAMDOMAINS test would be effective.

No, passed through spamdomains without being tagged.

> The body often has
> gibberish in it, if not the subject, and my GIBBERISH filters work
> for that, or they use obfuscation to hide URLs from filtering software
> which can also be caught without keeping track of the URLs themselves.

No. Your GIBBERISH filter did not get triggered either. I am using your latest release.

> This spam is also commonly sent from zombie machines resulting from
> virus infections, and they are often on residential broadband networks,
> in which case my DYNAMIC filter might add some points (but not in this
> case).

I don't recall seeing your DYNAMIC filter before. Would you mind reposting, or is it on your site?

> Message Sniffer also might be tracking the URLs in the body for
> another potential hit.

I am still experimenting with Sniffer. Maybe it would have added some points.

> Maybe if you shared the entirety of the message body plus the MAILFROM,
> I and others could tell you what commonly used/shared filters might be
> effective.

OK. Here's another with headers and message body intact. This one also did not trigger gibberish, obfuscation, comments, or spamdomains:

X-F: <[EMAIL PROTECTED]> Mon Nov 10 20:36:46 2003
Received: from 68-232-53-222.atlsfl.adelphia.net [68.232.53.222] by njaccess.com (SMTPD32-6.06) id AD2BB120124; Mon, 10 Nov 2003 20:36:43 -0500
Received: from 80.80.226.90 by 68.232.53.222; Mon, 10 Nov 2003 19:31:08 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Isaac" <[EMAIL PROTECTED]>
Reply-To: "Isaac" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: %RND_UC_CHAR[2-8], excuse me!' boldly
Date: Mon, 10 Nov 2003 08:35:08 -0500
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--2352250528194467"
X-Priority: 1
X-MSMail-Priority: High
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-Warn: This message contains content that is likely spam Message failed SPAMCHK: 4.
X-Declude-Sender: [EMAIL PROTECTED] [68.232.53.222]
X-Declude-Spoolname: D3d2b124.SMD
X-SpamWatch-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, NOLEGITCONTENT, SPAMCHK [7]
X-SpamWatch-Country-Chain: SWITZERLAND->[ARIN Unlisted]->destination
X-SpamWatch-ReverseLookUp: 68-232-53-222.atlsfl.adelphia.net ([68.232.53.222]).
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 362076711
Status: U

----2352250528194467
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12=
51">
<META content=3D"MSHTML 6.00.2800.1141" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<font color=3D"white">douse henri deliver dewitt elk jetliner bed macropha=
ge demented characteristic curtsey superlunary decouple bergen committing=20=
</font>
<body>
</font>
<p>O</shipman>ur U</btl>S Li</lourdes>censed Doc</saccharine>tors wi</pr=
ey>ll<BR>
Prescr</helpful>ibes Y</before>our Me</dirt>dication F</beijing>or F</book=
end>ree
</FONT>
<p> Medicatio</bloke>ns Shi</pliable>pped Overni</witness>ght To =
Y</vestal>our Do</paramus>or.<BR>
Phe</fern>ntermine, Ad</woodward>ipex Soma</taunt>, Fi</hifalutin>oriice=
t, U</fetid>lltram,<BR>
, Vi</ware>agra, a</meteor>nd ma</deceitful>ny, m</gainesville>any oth</lo=
bo>ers.<BR>
Me</barbara>ds f</vhf>or: Weig</doorbell>ht Los</pierce>s, Pa</congress>in=
Re</borneo>lief, Mus</ackerman>clePain Re</bodied>lief, Wo</fusty>men's H=
ea</equitation>lth, Me</cloakroom>n's<BR>
Hea</blueback>lth, I</armful>mpotence, A</masonic>llergy Re</cairn>lief, H=
</dodecahedral>eartburn Re</eloquent>lief, Mig</assay>raine R</gnat>elief =
& M</steinberg>ORE<BR>
Up</chicano>on Appr</becalm>oval</FONT>
<a href=3D"http://www.pouvrcentral.biz/vpr6232/">sho</conceive>w M</flanagan>e mo</footpad>re</a>
<p><img border=3D"0" src=3D"http://www.creditcard2003.com/p3x.jpg"></p>
<br>
<br>
fib darn saracen hellenic ancestral butane dan gator gallonage talus appre=
hension forgive=20
</BODY>
</HTML>
----2352250528194467--

Thanks,
Scot
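
Added example (not part of the post above, and not a Declude, Sniffer or list-member filter): a Python sketch of why plain body matching misses this sample and how the obfuscation itself can be scored. It decodes the quoted-printable body, counts closing tags whose names are not real HTML elements, and rebuilds the text a mail client would display. The allow-list, the threshold and the placeholder link are assumptions.

```python
import quopri
import re

# Tag names ordinary HTML mail uses (assumed, non-exhaustive allow-list).
KNOWN_TAGS = {"html", "head", "title", "meta", "style", "body", "font", "p",
              "br", "a", "img", "b", "i", "u", "div", "span", "table", "tr",
              "td", "center"}
CLOSER = re.compile(r"</([A-Za-z][A-Za-z0-9]*)>")
ANY_TAG = re.compile(r"<[^>]*>")
MIN_BOGUS = 5  # assumed flagging threshold, tune against real mail

# Lines adapted from the body posted above; the link is a placeholder.
SAMPLE = """<p>O</shipman>ur U</btl>S Li</lourdes>censed Doc</saccharine>tors wi</pr=
ey>ll<BR>
Prescr</helpful>ibes Y</before>our Me</dirt>dication F</beijing>or F</book=
end>ree
Phe</fern>ntermine, Ad</woodward>ipex Soma</taunt>, Vi</ware>agra<BR>
<a href=3D"http://www.example.invalid/">sho</conceive>w M</flanagan>e mo</footpad>re</a>
"""

def decode_qp(raw):
    """Undo quoted-printable so tags cut by '=' soft line breaks are rejoined."""
    return quopri.decodestring(raw.encode("latin-1")).decode("latin-1")

def is_bogus(match):
    """True for a closing tag whose name is not a known HTML element."""
    return match.group(1).lower() not in KNOWN_TAGS

def analyze(raw_body):
    html = decode_qp(raw_body)
    bogus = [m.group(1).lower() for m in CLOSER.finditer(html) if is_bogus(m)]
    # A mail client ignores unknown closing tags, so drop them without a gap;
    # every other tag becomes whitespace.
    joined = CLOSER.sub(lambda m: "" if is_bogus(m) else m.group(0), html)
    visible = " ".join(ANY_TAG.sub(" ", joined).split())
    return {"bogus_closers": len(bogus),
            "flagged": len(bogus) >= MIN_BOGUS,
            "visible": visible}

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report["bogus_closers"], report["flagged"])
    print(report["visible"])
```

Keyword and SPAMDOMAINS-style checks can then be run against the `visible` string rather than the raw body, while the bogus-tag count works as a signal on its own.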
