Erik, I thought that the "beginswith" meant that we are testing the very first line of the message? A newsletter would never have just one line -- that being the CID tag.
I could see where "contains" would be a problem though. > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Erik > Sent: Monday, January 16, 2006 12:01 PM > To: [email protected] > Subject: RE: [Declude.JunkMail] Help with filter > > Yes, that spam campaign keeps changing subjects. > > Unfortunately, if you filter only on the CID tag; you will filter some > legitimate newsletters as they do use the CID tag. As long as you will be > monitoring your HOLD queue; you should fine so you filter out the false > positives. > > Also in that thread was discussion of some variants used to the CID html > coding. I believe Scott brought that up in his postings. Another thing > Scott brought up is that this spam campaign also fails the CMDSPACE in > Declude. We make use of that combo test "TESTSFAILED" when looking for the > CID tag. > > Erik > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom > Sent: Monday, January 16, 2006 6:23 PM > To: [email protected] > Subject: RE: [Declude.JunkMail] Help with filter > > > Hi Erik, > > Thanks for turning me on to that thread. There was some good information in > that discussion. > > The spam I received had a subject of "Fax Received" > > Much of the filter discussion, in that topic you directed me to, centered > around also checking the contents of the subject line. Apparently, the > spammer has changed their subject now to be less predictable. Which cause > the filter to fail if it depended upon the subject line. > > I'm back to my earlier thought that any email message which contains only > the "img src=CID" would be enough to trigger a hold. I can't imagine any > legitimate email being coded like that. > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > > [EMAIL PROTECTED] On Behalf Of Erik > > Sent: Monday, January 16, 2006 9:10 AM > > To: [email protected] > > Subject: RE: [Declude.JunkMail] Help with filter > > > > Hi Dave, > > Look at this thread: > > http://www.mail-archive.com/[email protected]/msg27075.html > > > > Erik > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Dave > > Beckstrom > > Sent: Monday, January 16, 2006 4:03 PM > > To: [email protected] > > Subject: [Declude.JunkMail] Help with filter > > > > > > I received a spam email, which was an HTML email with only one line. > > The line is as follows: > > > > <img src=cid:85ae9b8e79a2548912c0c40ef7709a27> > > > > I have a body filter with the following: > > > > BODY 2 BEGINSWITH <img src=cid: > > > > The filter didn't trip on the spam email. Any idea of why this > > wouldn't work? > > > > Thanks, > > > > Dave > > > > --- > > [This E-mail scanned for viruses by Declude Virus] > > > > > > --- > > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > "unsubscribe Declude.JunkMail". The archives can be found at > > http://www.mail-archive.com. > > > > --- > > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > "unsubscribe Declude.JunkMail". The archives can be found at > > http://www.mail-archive.com. > > --- > > [This E-mail scanned for viruses by Declude Virus] > > > --- > [This E-mail scanned for viruses by Declude Virus] > > > --- > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > --- > This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe > Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
