Does the ANYWHERE filter specification not include HEADERS? ANYWHERE should
include every testable location including HEADERS, correct?
I'm getting really disgusted. I set up this filter:
ANYWHERE 6 PCRE
(?i:as.{0,2}seen.{0,2}on.{0,2}(?:oprah|60.{0,2}minutes))
I tested the filter and "AsSeenOn 60-Minutes" triggers a match in my regex
tester.
Yet the following email (which contained the text in "FROM") did not trigger
the spam filter.
Return-Path: <[email protected]> Sat Feb 21 10:28:21 2009
Received: from d3.92.b6.static.xlhost.com [207.182.146.211] by xxx.xxx.com
with SMTP;
Sat, 21 Feb 2009 10:28:21 -0600
Reply-To: <[email protected]>
In-Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_extPart_000_0097_b7aff28c.b7aff28c"
Content-class: urn:content-classes:message
Return-path: <[email protected]>
Subject: [SPAM]- Score (17)RE: The MOST POTENT Anti-Aging Supplement
Available Anywhere
Date: Sat, 21 Feb 2009 11:29:30 -0500
Message-Id: <[email protected]>
Thread-Topic: RE: The MOST POTENT Anti-Aging Supplement Available Anywhere
From: "AsSeenOn 60-Minutes"<[email protected]>
To: <[email protected]>
Importance: Normal
X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/21/2009 10:28:31 AM
X-invURIBL-Weight: 9
X-invURIBL-Range: MEDIUM
X-RBL-Warning: CBL: "Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=207.182.146.211";
X-RBL-Warning: SPAMCOP: "Blocked - see
http://www.spamcop.net/bl.shtml?207.182.146.211";
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[4000100e].
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
X-RBL-Warning: INV-URIBL: Message failed INV-URIBL: 9.
X-Declude-Sender: [email protected] [207.182.146.211]
X-Declude-RefID:
X-Note: ========================================
X-Note: Spam Score: [17]
X-Note: Scan Time: 10:28:34 on 21 Feb 2009
X-Note: Spool File: 369856000891.eml
X-Note: Server Name: mx4.fivedaybox.com
X-Note: SMTP Sender: [email protected]
X-Note: Reverse DNS & IP: d3.92.b6.static.xlhost.com [207.182.146.211]
X-Note: Recipient(s): [email protected]
X-Note: Country Chain: [ARIN Unlisted]->destination
X-Note: Failed Weights: CATCHALLMAILS [0], CBL [6], SPAMCOP [7], SPAMHEADERS
[3], SPFPASS [0], INV-URIBL [9], WEIGHT10 [10], WEIGHT14 [14]
X-Note: ========================================
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of David
> Barker
> Sent: 2009-02-11 08:29
> To: [email protected]
> Subject: RE: [Declude.JunkMail] Mailfrom Processing
>
> If you want to record the name of the sender (according to the SMTP
> Envelope) in the E-mail headers, you can use the XSENDER configuration
> option. To do this, add a line to the global.cfg file as:
>
> XSENDER ON
>
> Regular expressions are very different and powerful because they give the
> ability to look for patterns rather than straight matches.
>
>
> David Barker
> VP Operations Declude
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
> [email protected]
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dave
> Beckstrom
> Sent: Monday, February 09, 2009 5:18 PM
> To: [email protected]
> Subject: RE: [Declude.JunkMail] Mailfrom Processing
>
> David,
>
> I don't have an X-Declude-Sender configured. I'll add that.
>
> Okay, so I already have "Headers contains John Cummuta" or something along
> those lines set up. How would the regular expression be any different?
Is
> it more effective because of the wild card?
>
>
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of
David
> > Barker
> > Sent: 2009-02-09 16:03
> > To: [email protected]
> > Subject: RE: [Declude.JunkMail] Mailfrom Processing
> >
> > This may not be the actual sender, the actual sender is what is found in
> the
> > envelope or q*.smd (IM) or *.eml (SM) and found in the X-Declude-Sender
> > line.
> >
> > If you need a filter the best way would be to use the regular
expressions
> > such as:
> >
> > HEADERS 0 PCRE (?im:From:.*John Cummuta")
> >
> >
> > David Barker
> > VP Operations Declude
> > Your Email security is our business
> > 978.499.2933 office
> > 978.988.1311 fax
> > [email protected]
> >
> >
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Dave
> > Beckstrom
> > Sent: Monday, February 09, 2009 4:53 PM
> > To: [email protected]
> > Subject: RE: [Declude.JunkMail] Mailfrom Processing
> >
> >
> > What filter will trigger on the words "John Cummuta" when the from
address
> > is formatted like:
> >
> > From: "John Cummuta" <[email protected]>
> >
> >
> > Neither the mailfrom or headers filters are triggering on this.
> >
> >
> >
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [email protected], and
> > type "unsubscribe Declude.JunkMail". The archives can be found
> > at http://www.mail-archive.com.
> >
> >
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [email protected], and
> > type "unsubscribe Declude.JunkMail". The archives can be found
> > at http://www.mail-archive.com.
>
>
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [email protected], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [email protected], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [email protected], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
