Re: [Declude.JunkMail] text before spam.. defeating content filter

[Matthew Bramble]

I'll bet that spammers are doing this in order to exceed the amount of 
text that will be parsed by filters in many different spam blocking 
programs.  Scott said that there was a limit of 32K here.  If you use 
the text portion of the E-mail to reach the 32K without having any 
damning words in it, then you can do whatever you want with the HTML 
displayable text (figuring correctly that most mail readers will show 
the HTML portion and not the text portion).

Hopefully before this becomes predominant, Declude will be able to parse 
out the MIME parts and scan just the areas that might contain HTML or 
text, and not worry about counting 32K from the top of the message, but 
the top of each part (figuring you would want to scan all such parts).

Matt



Kami Razvan wrote:

Hi John:
 
Yes that is what we are doing but that is a reactive measure..
 
How can one detect large texts that are not showing up. I guess I am 
trying to learn how they do it?
 
How can you have a chapter of a book at top of email and yet it does 
not show up?
 
The two lines I posted are the only things I see before the long 
section.. is that what causes it not to show up?
 

====================

This is a multi-part message in MIME format.

 

------=_NextPart_000_0951_7DF4E03D.3CA8D29D
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
====================

 

Can someone explain if it is the 7bit or the iso-8859-1 that causes 
the text simply not exist although it does..  if so then we can filter 
it...

 

Regards,

Kami

------------------------------------------------------------------------
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of John 
Tolmachoff (Lists)
Sent: Saturday, November 22, 2003 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] text before spam.. defeating content 
filter

Kami, I have been looking at subject lines and MAILFROMs on these type.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, November 22, 2003 7:20 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] text before spam.. defeating content filter

 

Hi;

We are getting a lot of spam lately that are being caught primarily 
with IP4r tests as well as the likes of spamdomain or helobogus .. but 
not content filters.  This is, as discussed before, because a large 
amount of text (almost chapter 1 of Gone with the Wind :)) is put at 
the top of the email.

 

In checking the content.. this is the only thing I see before the long 
text.. could this be used as a filter?

 

====================

This is a multi-part message in MIME format.

 

------=_NextPart_000_0951_7DF4E03D.3CA8D29D
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
====================

 

& then before the actual spam:

 

====================

 

------=_NextPart_000_0951_7DF4E03D.3CA8D29D
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
====================

 

Does anyone know if the first part: Content-Transfer-Encoding: 7bit 
can be used a filter? Pro? Con?

 

There has to be something that makes the body of email not show such a 
long text.. it is not a white font .. what is it?

 

Regards,

Kami



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.