Hi guys and gals. It's been a while since I dropped by this thread, named after my filter rules for MailWasher Pro. I wanted to let you know that I have been updating the rules on my website and have split them into two groups; full and abbreviated. I use the abbreviated rules myself and recommend them to most users. Both sets are now available on this page:

http://www.wizcrafts.net/mwp-filters.html

The Image Spam filters are the most frequently applied rules, since the majority of the spam I get is image spam for junk stocks and silly drugs. I have also created special rules to deal with the HopOne hosted .info spammers who inundate our Inboxes with their junk.

Since I have to live with these filters myself I try to keep the processing time to an acceptable level, considering the complexity of some of my rules. Make no mistake, the image spam rules will slow delivery of any email containing images, as it searches for regular expressions matches. If you find them to be too slow for you try disabling some of the images spam filters, wait for them to "take," then check you email again. You may find that you can live without some of my rules, based on the type of spam you are personally getting, or not getting.

Later guys...

Hey Y'all, I wanted to let you know that I have been updating my MailWasher Pro filter rules to block the new PDF attachment spam for pump-n-dump stocks, or illicit pills, and also to block the latest round of greeting postcard scams that have links to ecard Trojan Horse programs hosted on zombie home or business computers that are infected with the Yodi Worm, or similar threats. You can download, or copy/paste the new rules on my MailWasher Filters page.

Greetings,

Wizcrafts
I've been using your filters for some years now with MWP (and as a Beta Tester) and have found them extremely useful.

I was just wondering how exactly your PDF filter works...

Does it simply filter all emails with PDF attachments or just those whose PDF attachments meet certain criteria? And if the latter, what are these criteria - I'm not quite au fait with what the rest of the above filter means.

Kindest regards,

James

_________________

Quote:

The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one Dennis Hughes, FBI

Greetings,

Wizcrafts
Thank you for the explanation!

As regards your concerns about revealing too much in a publicly-accessible topic - and bearing in mind your other posts where you mentioned the spammers may be/are watching - I wonder would it be an idea to have a "Private" forum for you and staff members to discuss the finer points of and share suggestions for your filters?

The current public topic could then just be used for announcements of new/updated filters.

Public forums could allow discussion of general ideas/advice to everyone for filtering and/or "rolling your own" filter-sets.

Just a thought!

Kindest regards,

James

This is a quick note for MailWasher Pro users that my PDF Spam filter has been updated on July 18, 2007. Also, the replica watches filter was updated today. Grab your copy at www.wizcrafts.net/mwp-filters.html . Both the long and short versions of my filter rules are available for copying or downloading.

With the PDF filter rule it is important that you white-list your friends and contacts, in case they send you a legitimate email containing an attached PDF document. Otherwise this filter will hide emails containing an attached PDF file, then delete them from the mail server when you click on the Process button.

PS: Don't neglect the Process button. Using it not only deletes hidden spam messages, or other mail you want to delete, but it also frees up memory consumed by the program itself and the filters. It is a good idea to hit the Process button every couple of hours

I just updated the "Pharmaceutical Spam" filter to respond to a new spam run.

I updated these MailWasher Pro filters today:

PDF Spam
Watches Spam
Pharmaceutical Spam
Pills Spam (new)
Juviotravel Spammer (new)

The changes are in response to new spam techinques and phrases.

I just updated these MWP filters:

eBay Phishing Scams (2 filters - 1 new, 1 updated)
HTML Tricks (fixed RegExpr to eliminate false positives)

I forgot to mention earlier that my filters automatically detect and delete the ecard greeting postcard spams that are sent by Storm Worm infected computers. These spam messages are generated by scripts installed on zombie computers which are being used to host a web page that contains a JavaScript redirect to a hostile script that installs a Trojan Horse on your PC, unless your defenses are A1.

I have modified several filters to remove Blacklisting. I did this because most of the current breed of postcard, RX and image spams are sent from zombies and have forged return and from addresses that are probably never repeated.

Wizcrafts' MailWasher Pro Filters

I have updated my MailWasher Pro filters tonight to detect and delete the newly discovered "Beautiful Screensaver" Trojan attachment spam messages, and I fine-tuned the Image Spam #1 rules to catch a new modification of an older spam technique.

I have not fine-tuned the screensaver rule yet, so expect some tweaking after I see a few more samples.

I have just made two adjustments to my MWP filters. I moved the "Beautiful Screensaver" rule down the list (to let other more common rules work first and faster) and added two more rules to the Watches spam filter.

Let me know what types of spam you are seeing the most of. It may be time to trim the list again to improve filter processing time. The main types of spam I have seen over the last two weeks are as follows:

1: Postcards that link to numeric IPs on BotNetted PCs
2: PDF or other Image spam
3: Replica Watches junk
4: RX and performance enhancement illicit drugs

These are based on the Statistics page on MailWasher Pro, showing the filter classifications of messages ID'd and deleted as spam.

Today (so far) I have updated the following filters to speed up processing time, or catch new variants of old tricks:

1: ZipFile Spam
2: Screensaver Trojan
3: Misspelled Drugs
4: HTML Tricks

I have added this new filter:

> Russia (IP filter, still a work in progress)

Only use this filter if you do not receive legitimate email from the Russia Federation.

All of my filters are subject to change at any time and are sometimes updated more than once per day. If you experience slowdowns in email checking times you should reduce the number of incoming lines scanned, in your MWP options. Mine is currently set at 250 lines and I find this acceptable. My MailWasher Pro Filters are here.

Today (so far) I have updated the PDF Spam filter by adding a second filter to detect and delete a brand new variant of this attachment type of spam. Accordingly, I have renamed the original rule as PDF Spam #1 and the new one is PDF Spam #2. Both are in the online filters available on my website on the MailWasher Pro Filters page.

Yesterday I rearranged the order of some of the filters in the master filters.txt list and removed a lot of blacklist options from many of the rules. I spend a fair amount of time working on these items, both to capture spam and to improve processing time and cpu load.

I wanted to let you know that I am also posting a lot of technical information on my blog that deals with MailWasher filters, blog and log spammers, server exploits, and denying access to online scammers in various countries, as is accomplished by my Nigerian blocklist.