Yes, you are correct with the use of "BEGINSWITH". This campaign has lately been using HTML code before the CID tag to throw off spam filters. Your use of "BEGINSWITH" to detect the CID tag should be effective then, as very few email bodies begin with just a CID tag.
Below is what we are currently using as a filter in Declude for this spammer (if you use this, adjust your weight according to your HOLD/DELETE weight; our DELETE weight is 125 and our HOLD weight is 80):

    SKIPIFWEIGHT 125
    BODY END NOTCONTAINS Content-Type: image/gif
    #MN NOTE - Mark: Removed as this spammer is now using different HELO's
    #HEADERS END NOTCONTAINS Received: from unknown (HELO
    HEADERS END NOTCONTAINS 192.168.
    TESTSFAILED END NOTCONTAINS CMDSPACE
    BODY 20 CONTAINS <img src=cid:
    BODY 20 CONTAINS <img src=3Dcid:
    #subjects used in this spam; values used to increase the weight to DELETE based on the above tests
    SUBJECT 50 STARTSWITH fax received
    SUBJECT 50 STARTSWITH breaking news
    SUBJECT 50 STARTSWITH OTC News
    SUBJECT 50 STARTSWITH press release
    SUBJECT 50 STARTSWITH news
    SUBJECT 50 STARTSWITH top news
    SUBJECT 50 STARTSWITH headline news

Hope that helps you. ;-)

-Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Monday, January 16, 2006 7:12 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] Help with filter

Erik,

I thought that the "beginswith" meant that we are testing the very first line of the message? A newsletter would never have just one line -- that being the CID tag. I could see where "contains" would be a problem though.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Erik
> Sent: Monday, January 16, 2006 12:01 PM
> To: [email protected]
> Subject: RE: [Declude.JunkMail] Help with filter
>
> Yes, that spam campaign keeps changing subjects.
>
> Unfortunately, if you filter only on the CID tag, you will filter some
> legitimate newsletters, as they do use the CID tag. As long as you
> will be monitoring your HOLD queue, you should be fine, so you can filter out
> the false positives.
>
> Also in that thread was discussion of some variants used to the CID
> HTML coding. I believe Scott brought that up in his postings.
> Another thing Scott brought up is that this spam campaign also fails
> the CMDSPACE in Declude. We make use of that combo test "TESTSFAILED"
> when looking for the CID tag.
>
> Erik
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
> Sent: Monday, January 16, 2006 6:23 PM
> To: [email protected]
> Subject: RE: [Declude.JunkMail] Help with filter
>
> Hi Erik,
>
> Thanks for turning me on to that thread. There was some good information in
> that discussion.
>
> The spam I received had a subject of "Fax Received".
>
> Much of the filter discussion, in that topic you directed me to,
> centered around also checking the contents of the subject line.
> Apparently, the spammer has changed their subject now to be less
> predictable, which causes the filter to fail if it depended upon the
> subject line.
>
> I'm back to my earlier thought that any email message which contains
> only the "img src=CID" would be enough to trigger a hold. I can't
> imagine any legitimate email being coded like that.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Erik
> > Sent: Monday, January 16, 2006 9:10 AM
> > To: [email protected]
> > Subject: RE: [Declude.JunkMail] Help with filter
> >
> > Hi Dave,
> > Look at this thread:
> > http://www.mail-archive.com/[email protected]/msg27075.html
> >
> > Erik
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
> > Sent: Monday, January 16, 2006 4:03 PM
> > To: [email protected]
> > Subject: [Declude.JunkMail] Help with filter
> >
> > I received a spam email, which was an HTML email with only one
> > line. The line is as follows:
> >
> > <img src=cid:85ae9b8e79a2548912c0c40ef7709a27>
> >
> > I have a body filter with the following:
> >
> > BODY 2 BEGINSWITH <img src=cid:
> >
> > The filter didn't trip on the spam email.
> > Any idea of why this wouldn't work?
> >
> > Thanks,
> >
> > Dave
> >
> > ---
> > [This E-mail scanned for viruses by Declude Virus]
> >
> > ---
> > [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> > "unsubscribe Declude.JunkMail". The archives can be found at
> > http://www.mail-archive.com.
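The thread turns on two filter details: the difference between BEGINSWITH (prefix of the body) and CONTAINS (anywhere in the body), and the END gates in Erik's filter that stop the file before the CID lines unless the message also carries a GIF part, came through the 192.168. relay, and failed CMDSPACE. The toy evaluator below is an added example, not Declude's code and not from anyone in the thread. It parses Erik's filter and Dave's one-line rule as posted and scores three constructed messages: Dave's bare-tag spam, the padded and quoted-printable ("=3D") variant Erik describes, and a legitimate newsletter that also embeds its logo via cid:. Assumptions, labelled in the code: matching is case-insensitive; a weight of END stops the filter file when the line matches; SKIPIFWEIGHT compares against weight other tests already added; the CMDSPACE result is supplied as a label instead of computed; and the body string is the HTML part's text followed by the GIF part's MIME headers, a simplification of a real multipart body.

```python
"""Toy evaluator for the Declude-style filter lines in this thread.
Added example, not Declude's code. Semantics below are assumptions drawn
from the thread; all sample messages are constructed."""
from dataclasses import dataclass, field

HOLD, DELETE = 80, 125                  # Erik's thresholds from the post

ERIK_FILTER = """
SKIPIFWEIGHT 125
BODY END NOTCONTAINS Content-Type: image/gif
HEADERS END NOTCONTAINS 192.168.
TESTSFAILED END NOTCONTAINS CMDSPACE
BODY 20 CONTAINS <img src=cid:
BODY 20 CONTAINS <img src=3Dcid:
SUBJECT 50 STARTSWITH fax received
SUBJECT 50 STARTSWITH breaking news
SUBJECT 50 STARTSWITH OTC News
SUBJECT 50 STARTSWITH press release
SUBJECT 50 STARTSWITH news
SUBJECT 50 STARTSWITH top news
SUBJECT 50 STARTSWITH headline news
"""
DAVE_FILTER = "BODY 2 BEGINSWITH <img src=cid:"     # Dave's one-line filter

@dataclass
class Message:
    headers: str
    subject: str
    body: str                      # MIME body as the filter engine sees it
    tests_failed: set = field(default_factory=set)  # e.g. {"CMDSPACE"}
    prior_weight: int = 0          # weight other Declude tests already added

def parse_filter(text):
    """Return (type, weight, op, value) tuples; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if parts[0].upper() == "SKIPIFWEIGHT":
            rules.append(("SKIPIFWEIGHT", int(parts[1]), None, None))
        else:
            ftype, weight, op, value = parts
            rules.append((ftype.upper(), weight.upper(), op.upper(), value))
    return rules

def _match(op, haystack, needle):
    h, n = haystack.lower(), needle.lower()   # case-insensitive: assumption
    if op == "CONTAINS":
        return n in h
    if op == "NOTCONTAINS":
        return n not in h
    if op in ("STARTSWITH", "BEGINSWITH"):    # thread uses both spellings
        return h.lstrip().startswith(n)
    raise ValueError(f"unsupported operator {op}")

def score(filter_text, msg):
    """Return (weight this filter file adds, trace of lines that fired)."""
    fields = {"BODY": msg.body, "SUBJECT": msg.subject, "HEADERS": msg.headers,
              "TESTSFAILED": " ".join(sorted(msg.tests_failed))}
    added, trace = 0, []
    for ftype, weight, op, value in parse_filter(filter_text):
        if ftype == "SKIPIFWEIGHT":
            if msg.prior_weight >= weight:
                return 0, [f"skipped: already at weight {msg.prior_weight}"]
            continue
        if not _match(op, fields[ftype], value):
            continue
        if weight == "END":          # gate matched: stop this file (assumption)
            trace.append(f"stopped by: {ftype} END {op} {value}")
            break
        added += int(weight)
        trace.append(f"+{weight}: {ftype} {op} {value}")
    return added, trace

def disposition(total):
    return "DELETE" if total >= DELETE else "HOLD" if total >= HOLD else "DELIVER"

# Constructed samples. Body = HTML part text followed by the GIF part's MIME
# headers (simplified; a real multipart body also has a leading boundary).
CID = "85ae9b8e79a2548912c0c40ef7709a27"        # Content-ID from Dave's post
RELAY = "Received: from unknown (HELO mx.example.test) (192.168.5.20)\r\n"
GIF = ("\r\n--p1\r\nContent-Type: image/gif\r\nContent-ID: <{cid}>\r\n\r\n"
       "R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=\r\n--p1--\r\n")
SAMPLES = {
    # Dave's spam: the HTML part is the bare tag.
    "spam_bare_tag": Message(RELAY, "Fax Received",
        f"<img src=cid:{CID}>\r\n" + GIF.format(cid=CID), {"CMDSPACE"}, 20),
    # Variant Erik describes: HTML before the tag, '=' QP-encoded as '=3D'.
    "spam_padded": Message(RELAY, "Breaking News",
        f"<html><body><font size=3D1>&nbsp;</font>\r\n<img src=3Dcid:{CID}>\r\n"
        + GIF.format(cid=CID), {"CMDSPACE"}, 20),
    # Legitimate newsletter that also embeds its logo via cid:.
    "newsletter": Message(RELAY, "Newsletter: March issue",
        "<html><body><p>Dear reader,</p>\r\n<img src=cid:logo@example.test>\r\n"
        "<p>This month's articles follow.</p></body></html>\r\n"
        + GIF.format(cid="logo@example.test"), set(), 0),
}

def run_all(filter_text=ERIK_FILTER):
    """Sample name -> weight the given filter file adds to that message."""
    return {name: score(filter_text, msg)[0] for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        added, trace = score(ERIK_FILTER, msg)
        total = msg.prior_weight + added
        print(f"{name}: Dave's rule +{score(DAVE_FILTER, msg)[0]}, Erik's "
              f"filter +{added}, total {total} -> {disposition(total)}", trace)
```

Run stand-alone, the output shows the point of the thread: Dave's BEGINSWITH rule fires on the bare-tag spam but not on the padded variant, while Erik's CONTAINS lines plus the "=3D" spelling catch both, and the newsletter never reaches the CID lines because the TESTSFAILED gate stops the file first. The gates matter more than they look: "SUBJECT 50 STARTSWITH news" is a prefix match, so "Newsletter: March issue" would pick up +70 from this file if the newsletter had also failed CMDSPACE.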
