I've noticed a pattern in some spam that recently started getting past my
filters. The e-mails look like this:
----------------------------------
Subject: This is the best
Date: 3/30/04 2:51 PM
Received: 3/30/04 5:23 PM
From: Eddie Dillard, [EMAIL PROTECTED]
To: [my e-mail address]
<!--
bitumen grimace conversion glutinous combinatorial invertebrate autonomy
brasilia tristan hooligan virtual peterson runaway hysteron bemuse
beatrice schoenberg arisen byzantium sousa piraeus circumscription
asteroidal summand aeolus repulsive statute mimicked crump burgess
stanley transvestite curlew carte dialogue happy heidelberg indomitable
africa crescent supersede cavitate rendezvous threshold blister ruthless
lentil diurnal splenetic splashy grocer miterwort cognizable remainder
chestnut
!-->
----------------------------------
Nothing helpful, filterwise, in the spoofed From address, of course.
Since Emailer strips out the main body HTML, what consistently remains is
an HTML comment containing a list of words designed to "poison" or
"dilute" Bayesian filters. While the words change, the comment format is
consistent: <!-- words !-->.
The following filter has trapped 25 of these e-mails since 3/14/04
without a false positive:
Test: If Message body Contains "<!--"
Action: File the message in a testing folder [or trash it, forward
it to your PC-using friends ... whatever]
I've placed this filter after my regular filters, so as to catch only
what they miss. Once I've tested it a bit longer, I'll change the action
to use the Shred Messages AppleScript.
Hope someone else finds this helpful!
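
The filter rule described above, as an added Python example that is not part of the original post: it compares the plain "<!--" substring test with a stricter check on what the comment contains. The function names, the thresholds and both sample bodies are constructed for illustration; the spam sample reuses words from the quoted e-mail.

```python
import re

# Comment shape from the post: "<!--" words "!-->" (a "!" precedes the closer).
# The "!" is optional here so ordinary "-->" comments are inspected too.
COMMENT_RE = re.compile(r"<!--(.*?)!?-->", re.DOTALL)
WORD_RE = re.compile(r"[A-Za-z]+")

def naive_match(body):
    """The rule from the post: message body contains '<!--'."""
    return "<!--" in body

def filler_comments(body, min_words=20, min_unique_ratio=0.9):
    """Return comments that look like word lists meant to dilute a Bayesian filter.

    Thresholds are assumptions for this example, not values from the post.
    """
    hits = []
    for match in COMMENT_RE.finditer(body):
        text = match.group(1)
        words = WORD_RE.findall(text.lower())
        if len(words) < min_words:
            continue  # short comments are typical of ordinary HTML mail
        if re.sub(r"[A-Za-z\s]", "", text):
            continue  # punctuation, digits or markup: not a bare word list
        if len(set(words)) / len(words) >= min_unique_ratio:
            hits.append(text.strip())
    return hits

# Constructed sample: body left after HTML stripping, words taken from the post.
SPAM_BODY = """<!--
bitumen grimace conversion glutinous combinatorial invertebrate autonomy
brasilia tristan hooligan virtual peterson runaway hysteron bemuse
beatrice schoenberg arisen byzantium sousa piraeus circumscription
!-->"""

# Constructed sample: legitimate mail that happens to contain a comment.
HAM_BODY = "Hello,\n<!-- footer starts here -->\nUnsubscribe at any time.\n"

if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(name, naive_match(body), len(filler_comments(body)))
```

Both samples satisfy the substring test, but only the word-list comment passes the content check.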