I don't know if the BEGINSWITH will work in all cases, but if it does, great.
I think you'd do better to mitigate the false positives by checking for text that is missing, e.g. I think this would be a lethal test, and wouldn't require you to track his evolving HELO and SUBJECT lines:

BODY END CONTAINS <HTML>
TESTSFAILED END NOTCONTAINS CMDSPACE
BODY 20 CONTAINS <img src=cid:
BODY 20 CONTAINS <img src=3Dcid:

Of course, conversations on this list about this guy may then get triggered, too.

Andrew ;)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik
> Sent: Monday, January 16, 2006 10:33 AM
> To: [email protected]
> Subject: RE: [Declude.JunkMail] Help with filter
>
> Yes, you are correct with the use of "BEGINSWITH".
>
> This campaign is and has been lately using html code before the CID tag to throw off spam filters. Your use of "BEGINSWITH" to detect the CID tag should be effective then as very few email bodies begin with just a CID tag.
>
> Below is what we are currently using as a filter in Declude for this spammer (if you use this, adjust your weight according to your HOLD/DELETE weight - our DELETE weight is 125 and our HOLD weight is 80):
>
> SKIPIFWEIGHT 125
>
> BODY END NOTCONTAINS Content-Type: image/gif
> #MN NOTE - Mark: Removed as this spammer is now using different HELO's
> #HEADERS END NOTCONTAINS Received: from unknown (HELO
> HEADERS END NOTCONTAINS 192.168.
> TESTSFAILED END NOTCONTAINS CMDSPACE
>
> BODY 20 CONTAINS <img src=cid:
> BODY 20 CONTAINS <img src=3Dcid:
>
> #subjects used in this spam; values used to increase the weight to DELETE based on the above tests
>
> SUBJECT 50 STARTSWITH fax received
> SUBJECT 50 STARTSWITH breaking news
> SUBJECT 50 STARTSWITH OTC News
> SUBJECT 50 STARTSWITH press release
> SUBJECT 50 STARTSWITH news
> SUBJECT 50 STARTSWITH top news
> SUBJECT 50 STARTSWITH headline news
>
> Hope that helps you.
> ;-)
>
> -Erik
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
> Sent: Monday, January 16, 2006 7:12 PM
> To: [email protected]
> Subject: RE: [Declude.JunkMail] Help with filter
>
> Erik,
>
> I thought that the "beginswith" meant that we are testing the very first line of the message? A newsletter would never have just one line -- that being the CID tag.
>
> I could see where "contains" would be a problem though.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Erik
> > Sent: Monday, January 16, 2006 12:01 PM
> > To: [email protected]
> > Subject: RE: [Declude.JunkMail] Help with filter
> >
> > Yes, that spam campaign keeps changing subjects.
> >
> > Unfortunately, if you filter only on the CID tag, you will filter some legitimate newsletters as they do use the CID tag. As long as you will be monitoring your HOLD queue, you should be fine so you filter out the false positives.
> >
> > Also in that thread was discussion of some variants used to the CID html coding. I believe Scott brought that up in his postings. Another thing Scott brought up is that this spam campaign also fails the CMDSPACE in Declude. We make use of that combo test "TESTSFAILED" when looking for the CID tag.
> >
> > Erik
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
> > Sent: Monday, January 16, 2006 6:23 PM
> > To: [email protected]
> > Subject: RE: [Declude.JunkMail] Help with filter
> >
> > Hi Erik,
> >
> > Thanks for turning me on to that thread. There was some good information in that discussion.
> >
> > The spam I received had a subject of "Fax Received"
> >
> > Much of the filter discussion, in that topic you directed me to, centered around also checking the contents of the subject line.
> > Apparently, the spammer has changed their subject now to be less predictable, which causes the filter to fail if it depended upon the subject line.
> >
> > I'm back to my earlier thought that any email message which contains only the "img src=CID" would be enough to trigger a hold. I can't imagine any legitimate email being coded like that.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Erik
> > > Sent: Monday, January 16, 2006 9:10 AM
> > > To: [email protected]
> > > Subject: RE: [Declude.JunkMail] Help with filter
> > >
> > > Hi Dave,
> > > Look at this thread:
> > > http://www.mail-archive.com/[email protected]/msg27075.html
> > >
> > > Erik
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
> > > Sent: Monday, January 16, 2006 4:03 PM
> > > To: [email protected]
> > > Subject: [Declude.JunkMail] Help with filter
> > >
> > > I received a spam email, which was an HTML email with only one line. The line is as follows:
> > >
> > > <img src=cid:85ae9b8e79a2548912c0c40ef7709a27>
> > >
> > > I have a body filter with the following:
> > >
> > > BODY 2 BEGINSWITH <img src=cid:
> > >
> > > The filter didn't trip on the spam email. Any idea of why this wouldn't work?
> > >
> > > Thanks,
> > >
> > > Dave
> > >
> > > ---
> > > [This E-mail scanned for viruses by Declude Virus]
> > >
> > > ---
> > > [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> > >
> > > ---
> > > This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
