Thank you for enlightening me, I was obviously confused as I thought the origin blacklisted came from the spamcop or relays black list when checked, I also assumed the senders name/domain was being checked not the senders server. I take it that not all emails from that server would be spam, hence the recommendation not to delete them automatically.

Many thanks WIzcraft for taking the time to explain what I should do in detail, I will print it out and read at work tomorrow I should be able to get the hang of it in time

Trapper

That's great!

Re: reducing load, it sure would be great to have some built-in diagnostic method to pinpoint and troubleshoot poorly-performing filters.

Heck, maybe you need to ignore my comments... I do see you mentioned (after my post) about the 'word wrap' option.... I didn't switch this 'off' when pasting all rules and new GIF amendments into the wordpad filters.txt doc... so this might have caused the lock-ups...! Will give it all a bash now after further enlightenment.

Well, I have copied all the rules 'as is' and with MWP closed added them to my original rules set. I called my original set 'filters old' and the new set 'filters'.

On restarting MWP, it began to show 2 of 31 and then froze.

I shut down and got the same 2 of 31.
I have reinstalled my original 'filter old' and all seems okay

I see there are some alterations to your rules as per the post of fusion, now do you need to find the original rule, delete it and replace with these new versions or will these new versions overwrite the original rules Sorry for being so ignorant

Trapper;
I have been trying to correct the resource overload caused by the image spam filters. I also noticed that the spammers are altering their codes considerably. Only one of my original gif spam rules is still effective, as it was. The rest have morphed into variations upon variations.

My filter rules depend on matching some regular expressions, and that is where the freeze ups are occuring. The processing power requirements are quite intense when looking at 200 lines of code, especially when you encounter base64 codes.

I am working on this everyday and will come up with a good filter for gif spam, that does not grind the program to a halt.

In the meantime, I have changed the order of the useful filters, as they pertain to the current crop of these spam messages. The following four filters are now catching most of the image spam this week...

[enabled],"GIF Spam #4c","GIF Spam#4b",16711680,AND,Hidden,Delete,Automatic,EntireHeader,contains,"MIME-Version: 1.0",EntireHeader,contains,"Content-Type: multipart/related;",EntireHeader,containsRE,"boundary="".+""",Body,contains,"Content-Transfer-Encoding: 7bit",Body,contains,"<img ",Body,containsRE,"src=""cid:.+""><br>",Body,contains,"Content-Type: image/gif;",Body,contains,"Content-Transfer-Encoding: base64",Body,doesn'tContain,"<a href="

[enabled],"Image Spam Type B","Image Spam Type B",16711680,AND,Hidden,Delete,Body,contains,"</style><img src=",Body,contains,<style>

[enabled],"OE GIF SPAM #2","OE GIF Spam#2",16711680,AND,Hidden,Delete,EntireHeader,contains,"X-Mailer: Microsoft Outlook Express 6.00.",EntireHeader,contains,"X-MimeOLE: Produced By Microsoft MimeOLE V6.00.",EntireHeader,contains,"MIME-Version: 1.0",EntireHeader,contains,"Content-Type: multipart/mixed;",EntireHeader,contains,"boundary=""----=_NextPart_",Body,contains,"Content-Type: multipart/alternative;",Body,contains,"Content-Transfer-Encoding: quoted-printable",Body,contains,"Content-Transfer-Encoding: base64",Body,contains,"Content-Type: image/gif;",Body,contains,"Content-Disposition: attachment;"

[enabled],"OE GIF Spam #1","OE Gif Spam#1",16711680,AND,Hidden,Delete,Automatic,Body,contains,"Content-Type: image/gif;",Body,contains,"Content-Transfer-Encoding: base64",Body,contains,_NextPart_,Body,containsRE,"<META\ http-equiv=3DContent-Type\ content=3D""text/html;.*|<meta\ content=""text/html;charset=ISO-8859-1""\ http-equiv=""Content-Type"">",Body,contains,"Content-Transfer-Encoding: quoted-printable",EntireHeader,contains,"X-Mailer: Microsoft Outlook Express 6.00.",Body,containsRE,"<IMG alt=3D"".*"" hspace=3D0",Body,containsRE,"(.+\s=){6,}",EntireHeader,contains,"Content-Type: multipart/related;",EntireHeader,contains,"boundary=""----=_NextPart_"

I have separated the rules for clarity. Turn off word wrap to insert them into your filters.txt. As stated before, each rule needs to occupy one long line of code. There should not be any trailing blank spaces after a rule, nor blank lines between rules, and the last rule should end at the end of it's line.

I will keep at it until I succeed at catching all of the image spam without overloading MWP. Thanks for your tolerance with my experiments. I dislike spam as much as you do.

[quote="Wizcrafts"]Oh well, no reply, so here is a link to my custom [url=http://www.wizcrafts.net/docs/filters.txt]MWP spam filter rules[/url].</quote>

<snip>

I'm probably somehow responsible for the following (lack of info, etc.); I'd imagine otherwise someone else would have commented on it some time ago here.

I visited your filters page earlier today to see if I could find anything regarding a filters question I have (and will post after this) and McAfee (VirusScan v.11) threw up a warning that it had detected and deleted the Exploit-MIME.gen virus in my browser's cache (Firefox 2.0). I'm on Windows 2000 Pro.

I was out for several hours after that and when I went back just now to get the entire warning the page was no longer available.

I hope all's well on your end and that my concern was totally unnecessary.

Tadiew;
My filters are in a plain ASCII text file. There are no exploits possible with a .txt extension, to my knowledge. I can't even make a clickable hyperlink out of a url in the file. I just checked it and it is as I last uploaded it this morning.

I'm not the cause of your virus warning, but I remember back in the days of Thunderbyte anti virus that it shipped with a text file called eicar.txt that was used to test the program. Apparently, certain text patterns can trigger a false positive in heuristic anti virus engines. Maybe my filter rules are like that old eicar test file. At least you know your anti virus program has a heuristic engine, in addition to the definitions engine.

The coding has changed again on the other side of the fence. They are now resorting to embedding images as background files, in the body tag, and to using style tags to hide stuff. It took me two minutes to detect this and another five to create a new rule to kill it. Filters.txt is now updated to detect background image spam, and has new filter names, for the image rules. I have also reduced the amount of regular expressions in the various image-spam rules, speeding up load times for the rules and shortening the scanning time considerably.

Based on the traces shown when I report some of these image spams to SpamCop, all appear to be coming from compromised computers that are in a botnet. Some are on RoadRunner, in the US, others are in Turkey, China, Malaysia, Romania, Poland and Canada.

Thank you! That makes sense. McAfee has a toggle for heuristic detection. It's interesting to see what kind of thing fires that up, lol. At least I now know it's "on the job."

I have been using Mailwasher Pro very crudely because I've had trouble figuring out how to use regular expressions properly. For a variety of reasons I'm going to put some time into trying to learn how to use them to create better filters so I'm really excited to see really good ones you have made.

Thanks and thank you.

I'll be on the road for a couple of days, until Thursday or Friday, and will check in here at that time. Please note that the image spammers are altering their codes to try to elude these filters, and the you may need to tweak a line of code, here and there.

I'll post current filters after my trip.