I'm determined to avoid false positives and have decided to try making a lot of filters that contain links found in the body of spams I get, on the assumption that there are a lot of repeats coming in. Initial testing shows that within a few days this is catching about 20-50% of the spam I get.

I'm setting these as hide-and-delete filters, so I can't leave room for error. I figure that as long as I'm only using the URLs that the spams want me to click through to, or even the main domains as appears appropriate, I'm safe on that issue.

My question is this. Sometimes I see two URLs in sequence, separated by an asterisk, such as:

Whisperer,

Ikeb posted a filter that is designed to look for such tricks. I don't have the time to do a search for it right now...but perhaps Ikeb will post a link to it.

In the meantime....I have a RegExpr that could help for such a filter.

To prevent it from scrolling, I am posting it in smaller sections. Just cut and paste it together in the order posted. You can add more domains to it as required.

I want to report my results so far with creating hide-and-delete filters based mainly on the URLs in the body but also using some key phrases in the body, Subject, and From fields.

It's been about a week to ten days and I have to say that, while it's been quite a lot of work so far to create -- whoa! -- almost 70 filters with anywhere from one or two to up to the max number of expressions each (I'm not using RegExpr), the work is decreasing dramatically day by day.

In the past few days, out of about fifty spams, I'd say the filter caught as much as 75% of them overall, and in the past 24-48 hours it's caught, well, about 12 out of 18, and then, just now, seven out of seven. And because of the way I'm doing it, I feel the chance of false positives is slim to none.

I'd say I've had to create maybe a dozen new entries in the past two days.

That's starting to become considerably less time than it takes me to visually scan through many dozens of spams before deleting them.

The question is how long these will continue to be valid and how fast new ones will keep appearing.

I'll try to post a follow-up... or, feel free to remind me to do so.

I want to report my results so far with creating hide-and-delete filters based mainly on the URLs in the body but also using some key phrases in the body, Subject, and From fields.

It's been about a week to ten days and I have to say that, while it's been quite a lot of work so far to create -- whoa! -- almost 70 filters with anywhere from one or two to up to the max number of expressions each (I'm not using RegExpr), the work is decreasing dramatically day by day.

In the past few days, out of about fifty spams, I'd say the filter caught as much as 75% of them overall, and in the past 24-48 hours it's caught, well, about 12 out of 18, and then, just now, seven out of seven. And because of the way I'm doing it, I feel the chance of false positives is slim to none.

I'd say I've had to create maybe a dozen new entries in the past two days.

That's starting to become considerably less time than it takes me to visually scan through many dozens of spams before deleting them.

The question is how long these will continue to be valid and how fast new ones will keep appearing.

I'll try to post a follow-up... or, feel free to remind me to do so.

That double-post, above, was a mistake -- obviously.

And I thought I was logged in but apparently I wasn't.

My bad.

Whisperer

Yes indeed. But you were logged in for your OP. That's the one that's screwing up this page's width. Just edit that post and break up that one long line that insists on posting without wrapping....

The filter for redirected HTTP links you were inquiring about:

I also primarily screen by URL's. As far as the autodelete, there is one very big caveat: If you are using Reg Exp's so you can have lots of URL's in one filter, you may make a mistake and have two dividers next to each other (||) or end a line with a divider. It won't be easy to see because they look like l's. And it won't be easy to notice its effect because it will label everything that isn't on the Friends list as spam, and usually, it is. But it's an easy mistake to make even if you are aware of it, and you may not want to set any reg exps. to autodelete.

You are right that there are a lot of repeats. The spam is advertising the sites, and if the sites change names, the nitwits who answer the spam can't send money. So they fake the header, but never the URL, and at least for a few weeks, you get a lot of spam for the same URL.

They do put a lot of nonsense in front of the address. I only screen for the last domain name before the .com, .net, or whatever. The rest doesn't mean anything.

I also have a text file where I keep a copy of my filtered expressions. Basically, I just keep copying and pasting into that file with dividers. Then I copy and paste it into a mailwasher filter called "Link to Spam Recent" and make it my highest level filter after "fake from me." When I get to the point where word pad has to start a new line even without text wrap being on, it's time to start a new line in the Mailwasher filter, too. I guess when I get to 10 lines of filters, I'll swap out the first line and see if any of those URL's are still showing up. Anytime a piece of spam is caught by a lower level filter, I open up "show complete header" and harvest the URL for another filtering expression and paste it into my wordpad file and then into mailwasher.

The ones in base 64 are harder. I go to http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/safedecode.aspx to decode it, and strip out letters four at a time and keep decoding until I get to the sequence I can filter for. I have a separate filter "base 64 href" that has the various permutations of letters that could code "href=http://" since I don't know of anyone who sends html code in base 64. Again, I don't autodelete, but it's been 100% specific so far. You can also strip out the code for the actual url's but since there are several ways to code each sequence of English letters, it's pretty tedious to do for every spammer. I just go for the ones that include an html link. I figure the odds that the same long sequence of letters will show up in a photo or something is pretty remote.

Another sneaky thing is spammers that don't actually include a link in the message -- they require the recipient to cut and paste the address into an email or browser. Of course, that's not as effective a way of marketing their sites. I screen for body contains "html" AND body contains ">g<|>o<|>e<" (e because it's common, g and o because gono.com is the main offender and they can't break up that name in too many different ways.)

I've toyed with the SPAMversized URL myself and built up the list of sites that will be detected. After only a week or less, I was beginning to see hits (i.e. repeated SPAMversizements for the same site). I was using this strategy to "blacklist" any SPAM that "leaked" through my other filters.

However since Denn988 posted his "Received: from" strategy and adding some of my own filters based on this strategy, I haven't had any further "leaks". Therefore I haven't made use of this strategy since Christmas.

But back to your post Alpha, I didn't bother with Base64 encoded messages. I figured the pain wasn't worth it. (Actually I never had one of those "leak" through anyway.) Of course if FireTrust were to add a decoder, that would allow easy extension of SPAMversized URL detection. But the best thing FireTrust could do to ease implementation of this strategy is to add a SPAMvertized URL blacklist feature.

It looks like this one is making the most requested list, hopefully we can get it added to an upcoming version in the new year.

rusticdog, what are the chances of seeing this and when should we look for it if it is possible?