Hello Mark,

On Thu, 13 Nov 2003 04:49:36 -0700 your time, you said:

PA>> Have you tried placing the filter topmost, so that it is executed
PA>> prior to all other (inbox-)filters (just to make sure it's not
PA>> other filters that keep your new filter from working)?

MT> I have tried this. It has been in several locations. I just tested
MT> it at the top. Same story.

I tried it with the .msg files you sent me. So far I can only get one file to filter: the Sasha Mcneill <[EMAIL PROTECTED]> spam message using " Digital Cable " as the filter string, directly copied and pasted from the _source_, i.e. *View Source* and copy the [sp]Digital[sp]Cable[sp] including the whitespaces and paste that into the strings field.

However, spam no2 is different. The key to spam message no 2 is, I think, a combination of the MIME "Content-Type: multipart/alternative;" header, a breaking of the RFC standards, and exploiting the way in which unknown tags are handled in HTML renderers.

It seems to me that it goes like this:

1. Create a "Content-Type: multipart/alternative;" message. This is done to send a multipart message containing a plaintext message and a html message so if your mail client doesn't allow html viewing you get to see a plain text message instead.

2. Break the rules: deliberately fail to add a text/plain; declaration after the MIME header as is required in the RFC and instead add the html declaration first: "Content-Type: text/html;" as the second part of the message. This means that the message will now *appear* to display as text even though it's really html.

3. Randomly pack out the HTML message part with useless tags: as we know, all unknown tags in HTML are ignored so they don't show up and nothing is rendered.

So you have no true plaintext to filter against because there isn't any text part to the message, and the text in the html part of the message is masked by phoney html tags so you can't get a full string to filter against.

I'd definitely use SpamPal for this.
I don't know whether there's a way around it, but it would save a lot of headwork to use something that would catch it without any problems.

-- 
Slán,
Simon @ i~n+f~o+w~i+z~a+r~d+.~c+o~.+u~k
*****************************************
PGP Key via Web: http://pgp.infowizard.co.uk/
PGP Key via Email: [EMAIL PROTECTED]
Faffing about with TB! v1.62r on W2K SP4 #1026.
Lam Squid Eros Wry

________________________________________________
Current version is 2.01.3 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
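
Added example, not part of the message above and not code from The Bat! or SpamPal: a Python check that reports a multipart/alternative mail with no text/plain part and matches the filter string against the HTML part after all tags are dropped, which is what a renderer shows. The sample message and the names `rendered_text` and `analyse` are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not one of the .msg files from the thread): a
# multipart/alternative mail whose only part is HTML, with the visible
# words split up by tags no renderer knows.
SAMPLE = (
    "From: sender@example.invalid\r\n"
    "Subject: offer\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "\r\n"
    "<html><body>Free Dig<zqx>ital Ca<kpw></kpw>ble  fil<jj>ter</body></html>\r\n"
    "--b1--\r\n"
)

class _TextOnly(HTMLParser):
    """Collects character data and drops every tag, known or unknown."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

def rendered_text(html):
    """Return the text a renderer would display, whitespace collapsed."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.chunks).split())

def analyse(raw, needle):
    """Check one raw message against a filter string (hypothetical helper)."""
    msg = email.message_from_string(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    types = [p.get_content_type() for p in leaves]
    html = "".join(p.get_content() for p in leaves
                   if p.get_content_type() == "text/html")
    return {
        # multipart/alternative that never offers the plain-text alternative
        "missing_plain_part": msg.get_content_type() == "multipart/alternative"
                              and "text/plain" not in types,
        "raw_match": needle.lower() in html.lower(),
        "rendered_match": needle.lower() in rendered_text(html).lower(),
    }
```

Calling `analyse(SAMPLE, "Digital Cable")` shows the string missing from the raw HTML source but present in the rendered text, so a filter has to match on the latter.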

