> Hi
>
> I have been getting a number of emails which are not being properly
> handled by Trashfinder; it does not delete them, just trashes them.
> I am filtering on the names of various medical products ( which I won't
> mention in case you are filtering on them as well!!).
>
> I have attached a zip file - dodgyemail.zip - which contains 3 files:
>
> The MSWord document contains two screen dumps: the first shows what I see
> when I open the email; the second, what I see when I start to "reply".
> (NOT sent of course!).
>
> The text document is a listing of the message source (I use Netscape 7)
>
> The eml document is the most interesting if opened using Outlook
> Express as it shows that the filtered words (v**gr* etc) have been
> broken up and lost within a table.
>
> Has anyone else had experience of this type of email and is there any
> way of stopping them? Filtering on the words is obviously useless. What
> about hidden text? There must be a way of identifying hidden text in an
> html page. If an email is genuine, there should be no need for
> hidden text.

Trashfinder does what you ask it to, of course, it can't guess. In any case,
the only really useful filter for TF is the domain and IP filters (including
the SURBL filter). (Those are only found in the Pro version, of course.)
There are just too many ways to write the names of drugs, even without
scrambling the letters. I generally use the text filter as a backup to catch
the small percentage of junk mail that doesn't have links; it's not expected
to be a primary filter. (Of course, you can do something different that
might work

This particular spammer (I've seen over 120,000 messages like this in the
last few months) changes their domains fairly frequently, but not the IP of
their web servers. So blocking a few IPs (that is, set them to "delete") does
the trick pretty well. Blocking the domains in question lets you quickly
find out what IPs they are using (use the analysis page to do that easily).

It would certainly be possible to filter on "hidden text", but the problem
is that there are literally dozens of ways to hide text (or, more common
these days, "almost" hide text). Most of them would take quite a bit of work
to handle, and spammers aren't using hidden text much anymore anyway
(probably because big commercial spam filters probably toss that stuff on
contact).

Note that this spam is hard to deal with because the spammer has used tables
to mix up the words. It would be possible to do that without the hidden
text, and I'm actually rather surprised the spammer came up with such a
clever and virtually unfilterable technique and then used hidden text which
would allow it to be detected.

In this case, you could add "display: none" to the HTML filter, which would
easily catch these. Not having tried it, I don't know if any good mail
contains such hidden text. (My guess would be that there is quite a bit of
newsletter mail that does stuff like this; the difference between
newsletters and spam often seems to solely be that your customers actually
want to see the newsletters :-)

Randy.
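
The "display: none" check discussed in the reply, sketched as an added Python example that is not part of the original thread and is not Trashfinder's code. It only recognises inline `style` attributes containing `display: none` (none of the other ways to hide text the reply mentions); `HiddenTextScanner`, `scan` and the sample message are hypothetical and constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The inline-style declaration the reply suggests filtering on.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
# Void elements have no closing tag, so they must not change nesting depth.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}


class HiddenTextScanner(HTMLParser):
    """Separates text a reader sees from text nested in display:none elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # (tag, hidden) for each open element; hidden is inherited
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, inherited or bool(HIDDEN_STYLE.search(style))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so an unclosed inner tag cannot skew nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if data.strip():
            bucket = self.hidden if self.stack and self.stack[-1][1] else self.visible
            bucket.append(data.strip())


def scan(html):
    """Return (visible_text, hidden_text) for one HTML message body."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return " ".join(scanner.visible), " ".join(scanner.hidden)


# Constructed sample: a word split across table cells with hidden filler between.
SAMPLE = ('<table><tr><td>pro</td><td><span style="display: none">qzx</span></td>'
          '<td>duct</td></tr></table><p>Order today</p>')
```

A non-empty second value from `scan(SAMPLE)` is the signal to act on; the first value shows that the table layout still leaves the visible word split, which is why a plain text filter misses it.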