tbenton
Private

 Joined: Oct 30, 2003 Posts: 42 Location: USA
|
Posted: Thu Oct 30, 2003 4:05 pm Post subject: Need to find some good filters |
|
|
I have been using MWP for a few years and got one good HTML filter from a user but it's apparently not good enough anymore. I use word filters for such as penis and viagra but with all the tricks they use still getting those plus a ton lately about prescriptions at discount. I don't want to filter that word as I get legit mail from my script plan at work. Looking for some more user filters for sexual and other misc. spam. Also would love one for these people in Africa, etc. asking for money. Have searched this forum til my eyes got crossed for user filters and I see references to those I cannot find such as from Gary. Can anyone point me to discussions that show actual user filters and what they are to filter? Here is the only one I have now. It's called (2)HTML Spam tricks (B)
If the Body contains the RegExpr "fontsize="?0"?" or "((<![\w\s,\.\-]+>)+([\w\s,\.\-]){1,20}){3}" or "(</\w>)[\w\s,\.\-]{1,20}(\1([\w\s,\.\-]){1,20}){2}" then add the sender to the blacklist, mark the message as mail to be deleted and mark the message as mail to be bounced.
Anything you can offer would be appreciated. I am very PC literate but not cybersavvy enough to use filters other than those that can be inserted in filters.txt.
Terri
|
|
|
 |
rogerw
Firetrust Host
 Premium Member
 Joined: May 11, 2003 Posts: 4008
|
Posted: Thu Oct 30, 2003 4:23 pm Post subject: Re: Need to find some good filters |
|
|
| tbenton wrote: | | Have searched this forum til my eyes got crossed for user filters and I see references to those I cannot find such as from Gary. Can anyone point me to discussions that show actual user filters and what they are to filter |
Find gary's filters at: http://www.w5hq.com/MailWasher/
|
|
|
 |
TimeGhost
Captain

 Joined: Apr 11, 2003 Posts: 747 Location: USA
|
Posted: Thu Oct 30, 2003 4:33 pm Post subject: |
|
|
Hi Terri
If you downloaded that filter a while ago, there may be a newer version. Gary's filters are discussed many places, but mostly here .
I've tweaked a few of them, too. S P A C E D Subject is one, but I'm not sure which others.
I've also posted untested rules here and there, without adding them to my filters.
Some of the better filters look at the header. The User Formerly Known As Denn988 (or TUFKA-Denn988) posted at least two very interesting filters. The RDNS one may have false positives, and it may require customization. If you use it, move it to the bottom of your list of filters. The IANA Reserved IPs is more accurate and can even override the Friends list.
Best of luck!
|
|
|
 |
tbenton
Private

 Joined: Oct 30, 2003 Posts: 42 Location: USA
|
Posted: Thu Oct 30, 2003 4:54 pm Post subject: |
|
|
Thanks guys...onward now to look at them and install.
Terri
|
|
|
 |
IP: 66.44.*.*
Guest
|
Posted: Thu Oct 30, 2003 11:03 pm Post subject: |
|
|
| TimeGhost wrote: | | If you downloaded that filter a while ago, there may be a newer version. Gary's filters are discussed many places, but mostly here . |
Thanks Timeghost. I keep seeing references to 'Gary's filters' but that is the first link that I have seen.
| TimeGhost wrote: | | I've also posted untested rules here and there, without adding them to my filters. |
Same here.....I will try to assist others with body filters, but I don't use them myself.
As a matter of fact....I have changed the default # of lines that MWP downloads to 10 by modifying the Registry key:
HKEY_CURRENT_USER\Software\FireTrust\MailWasher Pro\prefs "Lines to download"=dword:0000000a
This speeds up the downloads a bit more.
| TimeGhost wrote: |
Some of the better filters look at the header. The User Formerly Known As Denn988 (or TUFKA-Denn988) posted at least two very interesting filters. The RDNS one may have false positives, and it may require customization. If you use it, move it to the bottom of your list of filters. The IANA Reserved IPs is more accurate and can even override the Friends list. |
Thank you for the kind words.
I have another 'simple' header filter that you might be interested in.
This is one of the HIREL filters (low false positive). It only has a trap rate of about 10%, but being HIREL in nature it is quite valuable.
It looks for messages that are encoded in Base-64. By that I mean that the header tells your client that the first part of the message is encoded that way. Base-64 encoding will render body filters rather ineffective, unless MWP were to provide for filtering after translation.
I have gone back through about 6 years worth of legitimate e-mail and have found no instance where Base-64 encoding has been specified in the header. That pretty much tells me that this will have a very low rate of false positives.
Here is the filter:
[enabled],BASE-64,BASE-64,16711935,AND,Delete,EntireHeader,containsRE,"(?# the body is sent base64 )^Content-Transfer-Encoding: base64"
simple...but effective....place it up high in your filter priority, just below 'IANA - Reserved'.
|
|
|
 |
IP: 66.44.*.*
Guest
|
Posted: Fri Oct 31, 2003 12:24 am Post subject: |
|
|
To all:
I just looked at Gary's Filters and I noticed that he already had a "Base64" filter in there.
There is a glaring problem with it though.
His filter looks for any occurrence of base64 encoding, both in the header and in the body.
Looking in the header for base64 encoding is fine, but I would suggest that looking in the body will cause too many false positives.
Any time that you insert or attach a picture (gif, jpg, bmp, etc) into an e-mail it will more than likely (I would like to say absolutely, but I am not 100% positive of this) be encoded base64.
A filter that looks into the body for base64 encoding is going to flag anything with a picture in it.
Stick to a filter that only looks into the header for base64 encoding if you don't want to throw away valid e-mails simply because they have a picture.
|
|
|
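The difference between the two base64 rules discussed in the posts above (header-only versus header-and-body), and the way base64 hides words from body filters, shown as an added Python example that is not part of any post. The messages are constructed samples, and Python's `re` and `email` modules stand in for MailWasher's own matching, which is an assumption.

```python
import base64
import re
from email import message_from_string

# Pattern from the post; multiline and case-insensitive matching are assumptions.
B64_RE = re.compile(
    r"(?# the body is sent base64 )^Content-Transfer-Encoding: base64",
    re.MULTILINE | re.IGNORECASE)

def header_of(raw):
    """Top-level header block: everything before the first blank line."""
    return raw.split("\n\n", 1)[0]

def header_only_hit(raw):
    return bool(B64_RE.search(header_of(raw)))

def whole_message_hit(raw):
    # Emulates a rule that also scans the body, where MIME part headers live.
    return bool(B64_RE.search(raw))

def word_in_raw_body(raw, word):
    return word.lower() in raw.split("\n\n", 1)[1].lower()

def word_in_decoded_body(raw, word):
    msg = message_from_string(raw)
    text = msg.get_payload(decode=True).decode("utf-8", "replace")
    return word.lower() in text.lower()

def b64(data):
    return base64.b64encode(data).decode("ascii")

# Constructed sample messages (not real mail).
ENCODED_TEXT = (
    "From: sender@example.com\nSubject: hello\n"
    "Content-Type: text/html\nContent-Transfer-Encoding: base64\n\n"
    + b64(b"<html>cheap viagra</html>") + "\n")

PHOTO_MAIL = (
    "From: friend@example.org\nSubject: cat photos\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    "--b1\nContent-Type: image/jpeg\nContent-Transfer-Encoding: base64\n\n"
    + b64(b"\xff\xd8\xff\xe0 constructed bytes") + "\n--b1--\n")

if __name__ == "__main__":
    for name, raw in (("encoded text", ENCODED_TEXT), ("photo mail", PHOTO_MAIL)):
        print(name, header_only_hit(raw), whole_message_hit(raw))
    print(word_in_raw_body(ENCODED_TEXT, "viagra"),
          word_in_decoded_body(ENCODED_TEXT, "viagra"))
```

The photo message is only caught by the whole-message scan, because its base64 declaration sits in a MIME part header inside the body rather than in the top-level header.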
 |
rogerw
Firetrust Host
 Premium Member
 Joined: May 11, 2003 Posts: 4008
|
Posted: Fri Oct 31, 2003 12:52 am Post subject: |
|
|
| Anonymous wrote: | | Stick to a filter that only looks into the header for base64 encoding if you don't want to throw away valid e-mails simply because they have a picture. |
If you maintain your friends list - and don't give the base64 filter precedence over the friends list - then you'll be able to reject base64 from spammers but accept the latest photos of your Aunt Bessie's pet siamese cat.
|
|
|
 |
IP: 66.44.*.*
Guest
|
Posted: Fri Oct 31, 2003 3:58 am Post subject: |
|
|
| rogerw wrote: | | Anonymous wrote: | | Stick to a filter that only looks into the header for base64 encoding if you don't want to throw away valid e-mails simply because they have a picture. |
If you maintain your friends list - and don't give the base64 filter precedence over the friends list - then you'll be able to reject base64 from spammers but accept the latest photos of your Aunt Bessie's pet siamese cat. |
The rate of false positives that would result from a mere picture in a legitimate e-mail from someone who is not on my friends list is just too high for me to accept. I still get e-mails from people who I have not heard from in years (prior to 'anti-spam' becoming required software), and many of these include pictures.
The filter that I use that has the highest percentage of false positives right now gives me a false positive rate of ~0.2-0.5% (of legitimate mail...not including SPAM). It also gives me about a 95% trap rate for SPAM. Other people on this forum are also using that filter (DIRECT to MX) and they may provide some slightly different numbers due to various reasons. The fact that it has the high false positive rate that it does is the reason it is at the bottom of my filter priority list. The 'Base64' filter is second from the top, behind my most HIREL filter, "IANA-Reserved".
My HIREL (High reliability) filters are able to trap about 45% of all my incoming SPAM and if those HIREL filters trap them I can be 99.99% sure that those messages were SPAM. I would say 100% sure based on results, but one can never be 100% sure.
I have turned off all SPAM Databases, have set the heuristic strength to 'none' and only place a name in my 'blacklist' with extreme reluctance (four entries at this point in time). I also do not bounce anything. I rely totally on my own filters to trap spam.
They work.
|
|
|
 |
tbenton
Private

 Joined: Oct 30, 2003 Posts: 42 Location: USA
|
Posted: Fri Oct 31, 2003 3:18 pm Post subject: |
|
|
Once again, I really appreciate all the help ...what a great forum this is. To keep me from having to read all the MWP help stuff again can you tell me in a nutshell how to rank which will be done first...friends/blacklist or filters and which I should run first? I guess I am really lazy today and I know someone can summarize for me. I read so much in the help docs yesterday my eyes are still crossed.
Terri
|
|
|
 |
TimeGhost
Captain

 Joined: Apr 11, 2003 Posts: 747 Location: USA
|
Posted: Fri Oct 31, 2003 4:22 pm Post subject: |
|
|
Well, I'm not exactly sure myself.
In general, Friends/Blacklist override both Filters and the DNS blacklist check, except when the filter is set to "take precedence over the Friends/Blacklist."
The built-in heuristics are a different matter. I have seen heuristics override Friends in the case of Virus. This was the case when I received SoBig.E, and the From was forged to be someone on my friends list. I'm not sure whether all the heuristic status types do this, though.
Then there's the issue of what comes first, Friends list or Blacklist. AFAIK, specific addresses (User@domain.com) override wildcard entries (*.domain.com). This allows users to blacklist every address (*), and use the friends list as a sort of gatekeeper. In the event of a conflict, a message box should appear.
HTH
|
|
|
 |
TimeGhost
Captain

 Joined: Apr 11, 2003 Posts: 747 Location: USA
|
Posted: Fri Oct 31, 2003 4:45 pm Post subject: |
|
|
| Anonymous wrote: | -snip-As a matter of fact....I have changed the default # of lines that MWP downloads to 10 by modifying the Registry key:
HKEY_CURRENT_USER\Software\FireTrust\MailWasher Pro\prefs "Lines to download"=dword:0000000a
This speeds up the downloads a bit more. | Thanks for the tip!
| Anonymous wrote: | | TimeGhost wrote: |
Some of the better filters look at the header. The User Formerly Known As Denn988 (or TUFKA-Denn988) posted at least two very interesting filters. The RDNS one may have false positives, and it may require customization. If you use it, move it to the bottom of your list of filters. The IANA Reserved IPs is more accurate and can even override the Friends list. |
Thank you for the kind words. | You're very welcome. I just got around to adding the IANA Reserved filter. Before I looked carefully at it, I never realized that comments could be inserted in RegExps. BTW, it works quite well, and it even caught one that my ISP's Spam Assassin let through. (I'll be contacting them soon.)
So I thank you!
|
|
|
 |
tbenton
Private

 Joined: Oct 30, 2003 Posts: 42 Location: USA
|
Posted: Fri Oct 31, 2003 5:27 pm Post subject: |
|
|
TIME GHOST...that's what I thought and of course I look at my list to see what is being filtered out before I process. Thanks so much
Terri
|
|
|
 |
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13114 Location: Netherlands
|
Posted: Sat Nov 01, 2003 11:25 am Post subject: |
|
|
Please ignore.... 
Last edited by TonyKlein on Sat Nov 01, 2003 1:10 pm, edited 1 time in total |
|