Yes, that spam campaign keeps changing subjects. Unfortunately, if you filter only on the CID tag, you will filter some legitimate newsletters, as they do use the CID tag. As long as you will be monitoring your HOLD queue, you should be fine so you filter out the false positives.
Also in that thread was discussion of some variants used to the CID html coding. I believe Scott brought that up in his postings. Another thing Scott brought up is that this spam campaign also fails the CMDSPACE in Declude. We make use of that combo test "TESTSFAILED" when looking for the CID tag.

Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Monday, January 16, 2006 6:23 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] Help with filter

Hi Erik,

Thanks for turning me on to that thread. There was some good information in that discussion.

The spam I received had a subject of "Fax Received". Much of the filter discussion, in that topic you directed me to, centered around also checking the contents of the subject line. Apparently, the spammer has changed their subject now to be less predictable, which causes the filter to fail if it depended upon the subject line.

I'm back to my earlier thought that any email message which contains only the "img src=CID" would be enough to trigger a hold. I can't imagine any legitimate email being coded like that.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Erik
> Sent: Monday, January 16, 2006 9:10 AM
> To: [email protected]
> Subject: RE: [Declude.JunkMail] Help with filter
>
> Hi Dave,
> Look at this thread:
> http://www.mail-archive.com/[email protected]/msg27075.html
>
> Erik
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
> Sent: Monday, January 16, 2006 4:03 PM
> To: [email protected]
> Subject: [Declude.JunkMail] Help with filter
>
>
> I received a spam email, which was an HTML email with only one line.
> The line is as follows:
>
> <img src=cid:85ae9b8e79a2548912c0c40ef7709a27>
>
> I have a body filter with the following:
>
> BODY 2 BEGINSWITH <img src=cid:
>
> The filter didn't trip on the spam email. Any idea of why this
> wouldn't work?
>
> Thanks,
>
> Dave
>
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
> ---
> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> "unsubscribe Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
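
The "only an img src=cid" idea from this thread, written as a check outside Declude (an added Python example, not code from the thread and not Declude filter syntax): a message is held only when its HTML part contains cid: image(s) and no visible text, so a newsletter that mixes cid: images with text passes. The helper names and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

class BodyScan(HTMLParser):
    """Counts cid: images, other images and visible (non-whitespace) text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.cid_imgs = self.other_imgs = self.text_chars = 0
        self._hidden = 0  # depth inside <style>/<script>/<title>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script", "title"):
            self._hidden += 1
        elif tag == "img":
            src = dict(attrs).get("src") or ""
            if re.match(r"\s*cid:", src, re.I):  # tag/attr names arrive lowercased
                self.cid_imgs += 1
            else:
                self.other_imgs += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script", "title") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len("".join(data.split()))  # ignores spaces, &nbsp;

def is_cid_image_only(raw: bytes) -> bool:
    """True when the HTML parts hold cid: image(s) and no text a reader would see."""
    scan, saw_html = BodyScan(), False
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            saw_html = True
            scan.feed(part.get_content())
    scan.close()
    return saw_html and scan.cid_imgs > 0 and not scan.other_imgs and not scan.text_chars

def build(html: str, cid: str) -> bytes:
    """Constructed sample: HTML body plus one related inline image."""
    m = EmailMessage()
    m["Subject"] = "Fax Received"
    m.set_content(html, subtype="html")
    m.add_related(b"GIF89a", maintype="image", subtype="gif", cid=f"<{cid}>")
    return m.as_bytes()

SPAM = build("<img src=cid:85ae9b8e79a2548912c0c40ef7709a27>", "85ae9b8e79a2548912c0c40ef7709a27")
NEWSLETTER = build('<html><body><h1>January news</h1><img src="cid:logo"></body></html>', "logo")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("newsletter", NEWSLETTER)):
        print(name, "HOLD" if is_cid_image_only(raw) else "pass")
```

Because the body is parsed as HTML rather than matched as a string, differences in case, quoting or wrapper tags around the image do not change the result.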
