| Author |
Message |
Wizcrafts
Sergeant
 Premium Member
 Joined: Jun 05, 2003 Posts: 95 Location: Michigan
|
Posted: Tue Dec 05, 2006 6:04 pm Post subject: |
|
|
I just updated my most effective image spam filter to catch a new variant; jpegs instead of gifs. The rule must be on one continuous line, without spaces after the last character, and no blank lines between rules.
[enabled],"Image Spam type G/J","OE GIF Spam#2b",16711680,AND,Hidden,Delete,Automatic,EntireHeader,contains,"X-Mailer: Microsoft Outlook Express",EntireHeader,contains,"X-MimeOLE: Produced By Microsoft MimeOLE",EntireHeader,contains,"MIME-Version: 1.0",EntireHeader,contains,"Content-Type: multipart/related;",EntireHeader,contains,"type=""multipart/alternative"";",EntireHeader,contains,"boundary=""----=_NextPart_",Body,contains,"src=3D""cid:",Body,contains,"<META content=3D""MSHTML",Body,contains,"<IMG alt=3D""",Body,containsRE,"Content-Type:\ image/(gif|jpeg);"
Place this filter rule before the others, just under the restored from MWP recycle bin rule. It uses only one Regular Expression, thus is faster acting than the ones that rely more on them.
_________________
Submitted by Wiz
Guarding the Castle against spammers and scammers
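The rule above, parsed and run against a sample message, as an added example that is not part of the original post or of MailWasher itself. The field positions in `parse_rule`, the case-sensitive reading of `contains`, and the sample header and body are assumptions constructed for illustration.

```python
import csv
import re

# Wizcrafts' rule, copied verbatim from the post above as one line.
RULE = r'[enabled],"Image Spam type G/J","OE GIF Spam#2b",16711680,AND,Hidden,Delete,Automatic,EntireHeader,contains,"X-Mailer: Microsoft Outlook Express",EntireHeader,contains,"X-MimeOLE: Produced By Microsoft MimeOLE",EntireHeader,contains,"MIME-Version: 1.0",EntireHeader,contains,"Content-Type: multipart/related;",EntireHeader,contains,"type=""multipart/alternative"";",EntireHeader,contains,"boundary=""----=_NextPart_",Body,contains,"src=3D""cid:",Body,contains,"<META content=3D""MSHTML",Body,contains,"<IMG alt=3D""",Body,containsRE,"Content-Type:\ image/(gif|jpeg);"'

def parse_rule(line):
    """Return (name, combiner, action, tests) for one rule line.

    Assumption read off this single rule, not a documented format:
    field 1 is the name, 4 the AND/OR combiner, 6 the action, and
    (area, operator, value) triples start at field 8.
    """
    fields = next(csv.reader([line]))  # csv turns "" inside quotes into "
    tests = [tuple(fields[i:i + 3]) for i in range(8, len(fields), 3)]
    return fields[1], fields[4], fields[6], tests

def rule_matches(line, header, body):
    """Apply each test to the raw header or body text of one message."""
    _, combiner, _, tests = parse_rule(line)
    hits = []
    for area, op, value in tests:
        text = header if area == "EntireHeader" else body
        if op == "containsRE":
            hits.append(re.search(value, text) is not None)
        else:  # "contains": treated here as a case-sensitive substring test
            hits.append(value in text)
    return all(hits) if combiner == "AND" else any(hits)

# Constructed sample message (not captured spam): raw header, then raw body.
HEADER = (
    "X-Mailer: Microsoft Outlook Express 6.00.2800.1106\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/related;\n"
    '\ttype="multipart/alternative";\n'
    '\tboundary="----=_NextPart_000_0001"\n'
)
BODY = (
    '<META content=3D"MSHTML 6.00" name=3DGENERATOR>\n'
    '<IMG alt=3D"" src=3D"cid:000a01@constructed">\n'
    "------=_NextPart_000_0001\n"
    'Content-Type: image/jpeg;\n\tname="x.jpg"\n'
)

if __name__ == "__main__":
    print(parse_rule(RULE)[:3])
    print("jpeg:", rule_matches(RULE, HEADER, BODY))
    print("png: ", rule_matches(RULE, HEADER, BODY.replace("jpeg", "png")))
```

Because the action is Delete and every test is ANDed, a message is removed only when all ten tests hit; changing the image type to anything outside `gif|jpeg` is enough to miss.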
|
|
Trapper
Trooper

 Joined: Feb 13, 2004 Posts: 28 Location: UK
|
|
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10594
|
|
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
|
Posted: Wed Dec 27, 2006 3:09 pm Post subject: |
|
|
I've been experimenting with the Wizcrafts filter set, and somewhere in the latest version there is a CPU leak I can't seem to find. What it seems to do is send the CPU into a continuous loop on loading Mailwasher, which is strange because I wouldn't think on load that Mailwasher would actually do anything with the filters other than load them. One further strange point on this issue, it works on the first load of Mailwasher just fine, the CPU utilization issue only occurs on the second or later load after installing the filter set. Anyone else have this problem?
One other question, should this thread be set as a sticky?
_________________
Don't read? Can't learn!
|
|
Wizcrafts
Sergeant
 Premium Member
 Joined: Jun 05, 2003 Posts: 95 Location: Michigan
|
Posted: Wed Dec 27, 2006 4:24 pm Post subject: |
|
|
PCBruiser;
I don't notice any major problems with MWP loading, but I will try disabling the filters and re-enabling them one at a time, to see which ones are slowing it down the most. I know that regular expressions can slow down the processing time and a lot of my filters use RegExpr's. I have not been using all of the rules in my online filters and I am going to remove the ones that are not effective anymore. This will reduce the size of the filter set and improve loading times and processing. I'll post here when I have reduced the size and eliminated useless old tests for no longer existing spam domains.
_________________
Submitted by Wiz
Guarding the Castle against spammers and scammers
|
|
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
|
Posted: Wed Dec 27, 2006 5:03 pm Post subject: |
|
|
One other thing that might give you a hint. The filter set is about 70K in total size. Once I start Mailwasher after replacing my old filter set, it grows to some 100K+ in size and then stays there. If I open the filter set either in Notepad or using Mailwasher's filter tool under Spam Tools, it looks exactly as it should, other than the file size being different. Strange. I wonder if Mailwasher does some kind of pre-processing or some such of the filter set, and that's why I have the problem on the second and later loads only?
_________________
Don't read? Can't learn!
|
|
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16506
|
Posted: Sun Dec 31, 2006 5:19 am Post subject: |
|
|
| PCBruiser wrote: | | One other question, should this thread be set as a sticky? |
I think that would be useful ... but perhaps some existing stickies should be unstickied? IMO the list of stickied topics shouldn't be too long. Also, perhaps one stickied topic referencing the wiki for lots of goodies might help set folks on the right track.
|
|
measures
Trooper

 Joined: May 23, 2004 Posts: 17 Location: Ireland
|
Posted: Mon Jan 01, 2007 1:29 am Post subject: I second Trapper's request re the 'already blacklisted' |
|
|
I agree with Trapper. If MW and I agree that something is already blacklisted, can we both ignore it and move on?
I still want to see the 'proposals for blacklisting' though.

|
|
mlrichardson
Captain
 Premium Member
 Joined: Jun 16, 2005 Posts: 424 Location: Capitola, California, USA on the shores of the blue - and cold - Pacific
|
Posted: Tue Jan 02, 2007 8:39 pm Post subject: A new filter set for MWP users brought to you by Wizcrafts! |
|
|
On the subject of blacklisting, one needs to be careful assuming a blacklisted address is really a spammer. If a filter, or the Learning tool sets an address to the blacklist, it could be an address duplicated by a spammer on a one-off. That address might just turn out to be a friend whose address got "appropriated." I'm to the point I don't have any filters or the Learning tool blacklist anything. You just never know. If the email is flagged by the Learning tool as "Possible Spam", it usually is. If a filter flags an email as spam, it usually is, but not just because of the address.
If the blacklist lists flag an address, that's a different story. You can assume anything coming from those addresses is spam - today. But maybe not tomorrow, since valid addresses land on those lists, the owners complain, and they get removed.
Recently all my email to one of my sons was bounced. My IP (a legacy IP in the AT&T system), was being blacklisted by Comcast because too much spam was being sent from the IP. Since the IP has tens of thousands of users, that seems a bit extreme. On a smaller scale, though, that's what can happen with blacklisting.
Useful blacklisting is for the "friend" who sends too many chain letters, forward-forward-forward useless emails, etc; or someone you just don't want to receive email from. Even then I'm not sure I would have an auto-delete on the address.
_________________
Mike Richardson
MS Windows XP, SP2;
Vipre (Beta) Anti-Virus & Anti-Spyware
Firefox 3.0, Thunderbird 2, MWPro 6 (beta), WP Office X3
It is for the superfluous we sweat.
-Seneca (the younger)
|
|
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10594
|
Posted: Tue Jan 02, 2007 9:15 pm Post subject: |
|
|
Don't confuse the two types of blacklisting, by e-mail address and by IP address.
Blocking by the sender's e-mail address is only useful where the sender does not know how to forge an e-mail, or use Google.
The sender's or transferring system's IP address is much more difficult to forge and that is what DNSBL (IP blacklisting aka RBL or Source of Spam) blacklisting is all about.
IP blacklisting IS NOT a tool for proving a message is spam, all it indicates is that one or more of the IP addresses in the mail header is associated with a server that has a history of sending spam or other problems. Therefore it should never be used as a reason to delete mail, only as an indicator that there is a greater chance of the message being spam than a message not so tagged. The rules for inclusion vary by the DNSBL provider and you need to look them over before deciding to bother using one.
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
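The DNSBL-as-indicator approach described in the post above, as an added example that is not part of the original thread. The zone `dnsbl.example`, the score weight, the offline stand-in resolver and the sample header are all constructed assumptions; a real zone's listing policy has to be checked with its provider.

```python
import ipaddress
import re
import socket

DNSBL_ZONE = "dnsbl.example"  # placeholder zone, not a real provider

def received_ips(header):
    """IPv4 addresses in [brackets] on Received: lines, in header order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # join folded lines
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            for cand in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line):
                try:
                    ips.append(str(ipaddress.IPv4Address(cand)))
                except ValueError:  # e.g. [999.1.1.1]
                    pass
    return ips

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Query name: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname):
    """Listed only if the zone answers with a 127.0.0.0/8 address."""
    try:
        return resolve(dnsbl_name(ip)).startswith("127.")
    except socket.gaierror:  # no such name: not listed
        return False

def score_message(header, base_score, resolve=socket.gethostbyname, weight=2):
    """Raise the spam score per listed relay; never return a delete verdict."""
    hits = [ip for ip in received_ips(header) if is_listed(ip, resolve)]
    return base_score + weight * len(hits), hits

def constructed_resolver(name):
    """Offline stand-in for DNS: one listed entry, everything else NXDOMAIN."""
    if name == "25.2.0.192." + DNSBL_ZONE:
        return "127.0.0.2"
    raise socket.gaierror("constructed NXDOMAIN")

# Constructed header using documentation-range addresses.
HEADER = (
    "Received: from mail.example ([192.0.2.25])\n\tby mx.example; Tue, 2 Jan 2007\n"
    "Received: from relay.example ([198.51.100.7]) by mail.example\n"
)

if __name__ == "__main__":
    print(score_message(HEADER, 1, constructed_resolver))
```

The `127.` check keeps a resolver that rewrites failed lookups to some other address from turning every sender into a listed one.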
|
|
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16506
|
Posted: Wed Jan 03, 2007 6:21 am Post subject: |
|
|
BTW IP blacklisting is usually called "Blocklisting" ... maybe to signify a contiguous block of IP addresses, that addresses are blocked, ... or both. 
|
|
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10594
|
Posted: Wed Jan 03, 2007 2:02 pm Post subject: |
|
|
It really depends on the spammer's setup, some are able to move their spam server around a block of addresses that are assigned to them, usually a class C network or smaller, so just blocking the whole thing is the easy way to go.
That can be a bit hard on others sharing the same address space but it is up to them to get their net provider to quit hosting spammers or move to a less spammy provider.
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
|
|
Dragan_Glas
Team CC Chief Host
 Chess Board Host

 Joined: May 27, 2004 Posts: 2899
|
Posted: Mon Jan 08, 2007 9:50 pm Post subject: |
|
|
Greetings,
Just an FYI...
I notice that when one clicks on the link to Wizcrafts' filters, McAfee pops up an "Exploit-MIME.gen" VirusScan Alert warning.
I assume that this is because it tries to automatically install itself in MW(P)?
Kindest regards,
Dragan Glas
_________________
| Quote: | The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one
Dennis Hughes, FBI |
|
|
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10594
|
Posted: Mon Jan 08, 2007 10:38 pm Post subject: |
|
|
Nope, it is just a page full of letters, doesn't try to do anything like that.
I'd guess that your McAfee isn't smart enough to recognize the difference between filter text and a real attack and is false triggering.
So glad I don't do Windows!
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
|
|
Dragan_Glas
Team CC Chief Host
 Chess Board Host

 Joined: May 27, 2004 Posts: 2899
|
Posted: Mon Jan 08, 2007 10:56 pm Post subject: |
|
|
Greetings,
stan_qaz
I don't actually use McAfee at home, I use Avira - this was at work.
I wasn't sure whether that meant that Avira (at home) was missing something or that McAfee (at work), as you say, is reporting a FP.
Kindest regards,
Dragan Glas
_________________
| Quote: | The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one
Dennis Hughes, FBI |
|
|