I use a text filter.

The rules I use are:
SUBJECT 40 CONTAINS =?ISO-8859-1?b?
SUBJECT 40 CONTAINS =?ISO-8859-1?q?
SUBJECT 40 CONTAINS =?koi8-r
SUBJECT 40 CONTAINS =?iso-2022-jp?q?
SUBJECT 40 CONTAINS =?windows-1251?B?

There's been some debate on this. I've personally NEVER seen a legitimate message come through with an encoded subject. However, some folks from Europe(?) have said that it is possible.

I probably use a much higher weight than others because I'm not worried about false positives because the probability (for us) is very, very low.

Mike


Glenn \\ WCNet wrote:


Given this subject line:

Subject:
=?iso-8859-1?B?TXkgd2lmZSBzYWlkIEkgbmVlZGVkIFYpaWFncmEgSSB3ZW50IGhlcmUhIFRoY
W54IEd1eXMh?=

which displays as:
My wife said I needed V)iagra I went here! Thanx Guys!

Does Declude decode it for SUBJECT CONTAINS filtering, so I could match on
V)iagra?  Is it safe to filter on subject containing "iso-8859-1" or is it
common for subject lines to be coded that way?

Glenn Z.


----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 9:24 AM
Subject: RE: [Declude.JunkMail] New CMDSPACE test in latest interim release





As with any test, it does have some false positives. But it
appears that they are very low.


How does it work?


From my initial posting about the test:

        This one looks for spaces in SMTP commands where there shouldn't
be any.



Why can it be triggered by a message sent from Outlook 2003?


Because Outlook 2003 is junk. :)

There are several things that Outlook 2003 does that are not
RFC-compliant.  I'm guessing that soon lots of people will start
whitelisting E-mail sent from Outlook 2003, and then soon after that
spammers will add Outlook 2003 headers to their spams.

                                                   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
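
The two approaches discussed in this thread, side by side, as an added example (not Declude's code and not from any of the posts): one check flags the raw RFC 2047 charset prefix, the other decodes the Subject first so a keyword such as "V)iagra" can be matched. The function names, the keyword list and the use of 40 as an additive score are assumptions made for illustration.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header

# Charsets named in the SUBJECT ... CONTAINS rules quoted in the thread.
FLAGGED_CHARSETS = {"iso-8859-1", "koi8-r", "iso-2022-jp", "windows-1251"}
# Start of an RFC 2047 encoded-word: =?charset?B? or =?charset?Q?
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?[bBqQ]\?", re.ASCII)

# The Subject value quoted in the thread, wrapped over two lines as it appears there.
RAW_SUBJECT = ("=?iso-8859-1?B?TXkgd2lmZSBzYWlkIEkgbmVlZGVkIFYpaWFncmEgSSB3ZW50IGhlcmUhIFRoY\n"
               "W54IEd1eXMh?=")

def decode_subject(raw):
    """Return the Subject as display text, decoding RFC 2047 encoded-words."""
    unfolded = re.sub(r"\r?\n", "", raw)          # undo folding / archive line wrap
    try:
        parts = decode_header(unfolded)
    except HeaderParseError:                      # malformed base64: keep raw text
        return unfolded
    out = []
    for chunk, charset in parts:
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:                   # unknown charset label
                chunk = chunk.decode("latin-1")
        out.append(chunk)
    return "".join(out)

def score_subject(raw, keywords, charset_weight=40, keyword_weight=40):
    """Score = charset_weight if a flagged charset is used + keyword_weight per hit."""
    charsets = {c.lower() for c in ENCODED_WORD.findall(raw)}
    text = decode_subject(raw).lower()
    hits = [k for k in keywords if k.lower() in text]
    score = charset_weight * bool(charsets & FLAGGED_CHARSETS) + keyword_weight * len(hits)
    return score, hits, text

if __name__ == "__main__":
    print(decode_subject(RAW_SUBJECT))
    print(score_subject(RAW_SUBJECT, ["v)iagra"])[:2])
    print(score_subject("Meeting notes", ["v)iagra"])[:2])
```

A keyword rule run against the raw header never sees "V)iagra", because the text only exists after base64 decoding; the charset-prefix rule fires without decoding but also fires on any legitimate mail that encodes its Subject.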




