We've had a number of customers try filters like this for subjects.
Sometimes it works great, many times there are huge volumes of false
positives. It is definitely specific to each system.

$0.02
_M

|-----Original Message-----
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Mike Leonard
|Sent: Wednesday, January 07, 2004 2:34 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] coded subject line
|
|
|I use a text filter.
|
|The rules I use are:
|SUBJECT 40 CONTAINS =?ISO-8859-1?b?
|SUBJECT 40 CONTAINS =?ISO-8859-1?q?
|SUBJECT 40 CONTAINS =?koi8-r
|SUBJECT 40 CONTAINS =?iso-2022-jp?q?
|SUBJECT 40 CONTAINS =?windows-1251?B?
|
|There's been some debate on this.  I've personally NEVER seen a
|legitimate message come through with an encoded subject.
|However, some folks from Europe(?) have said that it is possible.
|
|I probably use a much higher weight than others because I'm not
|worried about false positives because the probability (for us) is
|very, very low.
|
|Mike
|
|
|Glenn \\ WCNet wrote:
|
|>Given this subject line:
|>
|>Subject: =?iso-8859-1?B?TXkgd2lmZSBzYWlkIEkgbmVlZGVkIFYpaWFncmEgSSB3ZW50IGhlcmUhIFRoYW54IEd1eXMh?=
|>
|>which displays as:
|>My wife said I needed V)iagra I went here! Thanx Guys!
|>
|>Does Declude decode it for SUBJECT CONTAINS filtering, so I could
|>match on V)iagra?  Is it safe to filter on subject containing
|>"iso-8859-1" or is it common for subject lines to be coded that way?
|>
|>Glenn Z.
|>
|>
|>----- Original Message -----
|>From: "R. Scott Perry" <[EMAIL PROTECTED]>
|>To: <[EMAIL PROTECTED]>
|>Sent: Wednesday, January 07, 2004 9:24 AM
|>Subject: RE: [Declude.JunkMail] New CMDSPACE test in latest interim release
|>
|>
|>>>>As with any test, it does have some false positives.  But it appears
|>>>>that they are very low.
|>>>>
|>>>How does it work?
|>>>
|>> From my initial posting about the test:
|>>
|>>         This one looks for spaces in SMTP commands where there
|>>shouldn't be any.
|>>
|>>>Why can it be triggered by a message sent from Outlook 2003?
|>>>
|>>Because Outlook 2003 is junk.  :)
|>>
|>>There are several things that Outlook 2003 does that are not 
|>>RFC-compliant.  I'm guessing that soon lots of people will start 
|>>whitelisting E-mail sent from Outlook 2003, and then soon after that 
|>>spammers will add Outlook 2003 headers to their spams.
|>>
|>>                                                    -Scott
|>>---
|>>Declude JunkMail: The advanced anti-spam solution for IMail
|>>mailservers. Declude Virus: Catches known viruses and is the leader in
|>>mailserver vulnerability detection. Find out what you've been missing:
|>>Ask about our free 30-day evaluation.
|>>
|>>---
|>>[This E-mail was scanned for viruses by Declude Virus
|>>(http://www.declude.com)]
|>>
|>>---
|>>This E-mail came from the Declude.JunkMail mailing list.  To
|>>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
|>>"unsubscribe Declude.JunkMail".  The archives can be found at
|>>http://www.mail-archive.com.
|>
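An added example, not part of the original thread and not Declude's own code: it contrasts the raw-header charset rules quoted above with keyword matching after RFC 2047 decoding, using Python's standard `email.header` module. The French subject is constructed sample input, and case-insensitive matching is an assumption.

```python
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Encoded-word prefixes from the rules quoted in the thread, lowercased.
# Case-insensitive matching is an assumption of this example.
RAW_MARKERS = ("=?iso-8859-1?b?", "=?iso-8859-1?q?", "=?koi8-r",
               "=?iso-2022-jp?q?", "=?windows-1251?b?")

# Subject from the thread, rejoined onto one line.
THREAD_SUBJECT = ("=?iso-8859-1?B?TXkgd2lmZSBzYWlkIEkgbmVlZGVkIFYpaWFncmEg"
                  "SSB3ZW50IGhlcmUhIFRoYW54IEd1eXMh?=")
# Constructed sample: an ordinary French subject ("Réunion jeudi").
LEGIT_SUBJECT = "=?ISO-8859-1?Q?R=E9union_jeudi?="


def raw_marker_hit(raw_subject):
    """True if the undecoded header contains one of the charset prefixes."""
    lowered = raw_subject.lower()
    return any(marker in lowered for marker in RAW_MARKERS)


def decode_subject(raw_subject):
    """Decode RFC 2047 encoded-words; return the raw text if decoding fails."""
    try:
        return str(make_header(decode_header(raw_subject)))
    except (HeaderParseError, LookupError, UnicodeError):
        return raw_subject


def keyword_hits(raw_subject, keywords):
    """Return the keywords found in the decoded subject (case-insensitive)."""
    text = decode_subject(raw_subject).lower()
    return [k for k in keywords if k.lower() in text]


if __name__ == "__main__":
    for subject in (THREAD_SUBJECT, LEGIT_SUBJECT, "Plain ASCII subject"):
        print(repr(decode_subject(subject)),
              "raw-marker:", raw_marker_hit(subject),
              "keywords:", keyword_hits(subject, ["V)iagra"]))
```

Both encoded subjects trip the raw-prefix rule, but only the one from the thread matches the keyword once decoded, which is where the false positives on accented subjects come from.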