Kim,
JMail by Dimac has had many problems over the years with standards compliance and abnormal behavior. It's just a poorly coded automated mailer (not client software).
You would be generally safe to filter for header elements using this encoding if you gave the filter an exclusion for "X-Mailer: JMail" in that filter. If you find other examples (and you probably won't with this particular pattern), you could add them in.
There is great value in creating separate filters for separate types of things, such as spammy encoding of header elements; that way you can pre-qualify the filters with exact patterns known to be in conflict. You might want to review how your SUBJECT filter is constructed and reconstruct separate filters based not on the element of the message, but on something more technically exact.
Matt
Kim Premuda wrote:
We have received spam messages in the past whose 'To:', 'From:', 'Subject:', and 'Sender:' lines contain the character string:
= ? i s o - 8 8 5 9 - 1 ? Q ? (spaces added to avoid filters)
so, we created an external filter (SUBJECT) to detect the string. Now, it appears, this may be a bad idea, because legitimate messages with this string are also being caught by the filter (see message header below from 'lightinguniverse.com' as an example).
Can someone verify what this character string means, and whether or not it is okay for this character string to appear in these lines? Also, is it the sender's mail client 'JMail 4.3.0 Free Version by Dimac' that is causing this?
Thanks!
[Sample Header]
Received: from db2.lightinguniverse.com [216.162.208.53] by ns3.fastwave.net with ESMTP
(SMTPD32-8.05) id A81B4AB501A4; Wed, 23 Mar 2005 09:32:11 -0800
Received: from www2.lightinguniverse.com ([192.168.1.58]) by db2.lightinguniverse.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 23 Mar 2005 08:58:41 -0800
Subject: = ? i s o - 8 8 5 9 - 1 ? Q ?LightingUniverse=2Ecom_Order(s):_#280844_status_update=2E?=
Sender: "= ? i s o - 8 8 5 9 - 1 ? Q ?LightingUniverse=2Ecom_Order_Fullfillment?=" <[EMAIL PROTECTED]>
From: "= ? i s o - 8 8 5 9 - 1 ? Q ?LightingUniverse=2Ecom_Order_Fullfillment?=" <[EMAIL PROTECTED]>
Date: Wed, 23 Mar 2005 09:31:12 -0800
To: "= ? i s o - 8 8 5 9 - 1 ? Q [EMAIL PROTECTED]" <[EMAIL PROTECTED]>
X-Priority: 3
X-MSMail-Priority: Normal
MIME-Version: 1.0
X-Mailer: JMail 4.3.0 Free Version by Dimac
Content-Type: multipart/alternative;
boundary="--NEXT_BM_C05FF9D6F4B54DD5A4593FAF0577D05A"
Return-Path: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 23 Mar 2005 16:58:41.0843 (UTC) FILETIME=[910D5830:01C52FC9]
X-RBL-Warning: SUBJECT: Message failed SUBJECT test (line 26, weight 20)
X-RBL-Warning: TLD-TRUSTED-HELO: Message failed TLD-TRUSTED-HELO test (line 27, weight 0)
X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM test (line 27, weight 0)
X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test (line 37, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [216.162.208.53]
X-Declude-Spoolname: Da81b4ab501a4206f.SMD
X-Note: --------------------------------------------------------------------------------
X-Note: Scanned by Declude JunkMail, Version 1.82
X-Spam-Tests-Failed: WEIGHT10 [10], SUBJECT [20], TLD-TRUSTED-HELO [0], TLD-TRUSTED-MAILFROM [0], TLD-TRUSTED-REVDNS [0] TOTAL [15]
X-Note: This E-mail was sent from db2.lightinguniverse.com ([216.162.208.53]).
X-Note: --------------------------------------------------------------------------------
-- Kim W. Premuda FastWave Internet Services San Diego, CA
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
-- MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/
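Added example, not part of the original thread and not Declude filter syntax: the string in question opens an RFC 2047 encoded-word (`=?charset?encoding?text?=`, here charset iso-8859-1 with Q encoding), and this Python code decodes such headers and applies the weight only when the X-Mailer exclusion from the reply does not match. The function names, the placeholder address and the reuse of weight 20 from the sample's SUBJECT test are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=  (Q or B encoding)
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")
CHECKED = ("To", "From", "Subject", "Sender")  # header lines named in the thread
EXCLUDED_MAILERS = ("JMail",)  # exclusion from the reply; X-Mailer is sender-supplied
WEIGHT = 20                    # weight shown for the SUBJECT test in the sample

def decode_words(value):
    """Decode any encoded-words in a raw header value to readable text."""
    out = []
    for data, charset in decode_header(value):
        if isinstance(data, bytes):
            try:
                data = data.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                data = data.decode("latin-1")
        out.append(data)
    return "".join(out)

def check_headers(raw):
    """Return (weight, hits); hits maps header name to its decoded value."""
    msg = message_from_string(raw)
    hits = {}
    for name in CHECKED:
        for value in msg.get_all(name, []):
            if ENCODED_WORD.search(value):
                hits[name] = decode_words(value)
    mailer = msg.get("X-Mailer", "").strip()
    if not hits or mailer.startswith(EXCLUDED_MAILERS):
        return 0, hits  # nothing encoded, or a known-conflicting mailer
    return WEIGHT, hits

# Constructed samples: the Subject and X-Mailer values follow the header in the
# thread (filter-evasion spaces removed); the address is a placeholder.
JMAIL = (
    "Subject: =?iso-8859-1?Q?LightingUniverse=2Ecom_Order(s):_#280844_status_update=2E?=\n"
    'From: "=?iso-8859-1?Q?LightingUniverse=2Ecom_Order_Fullfillment?=" <orders@example.com>\n'
    "X-Mailer: JMail 4.3.0 Free Version by Dimac\n\n"
)
NO_MAILER = JMAIL.replace("X-Mailer: JMail 4.3.0 Free Version by Dimac\n", "")

if __name__ == "__main__":
    for label, raw in (("JMail", JMAIL), ("no X-Mailer", NO_MAILER)):
        weight, hits = check_headers(raw)
        print(label, "weight", weight, hits)
```

The decoded Subject shows that the only character JMail actually needed to escape was the period, which is why the encoding pattern alone cannot separate this mailer from spam that uses the same trick.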
