Spam Filter ISP Support Forum


blockwords problem

Terry (Senior Member)
Posted: 19 February 2005 at 11:07am

For some reason it seems that more and more blockwords are slipping through the filter.  I don't know if I have a problem somewhere or if there is a logic problem that might be occurring in the code.  I am on 2.1.2.406 and have a sample of one that made it through this morning that should have been caught 2 different ways on the subject line alone but wasn't.  Here is the log extract for transaction 4868:

02/19/05 06:52:10:420 -- (4868) Connection from: 200.171.170.186  -  Originating country : Brazil
02/19/05 06:52:10:576 -- (2060) Connection from: 69.218.98.241  -  Originating country : United States
02/19/05 06:52:11:826 -- (4808) Connection from: 207.182.156.22  -  Originating country : United States
02/19/05 06:52:12:232 -- (2060) Resolving 69.218.98.241 - adsl-69-218-98-241.dsl.chcgil.ameritech.net
02/19/05 06:52:12:498 -- (5168) Found Keywords: [Subject:pre qualification]
02/19/05 06:52:12:498 -- (5168) EMail from Kristen.Mccracken@doramail.com to richw@portptld.com matches content filter rules - rejected.
02/19/05 06:52:12:529 -- (5168) EMail from Kristen.Mccracken@doramail.com to richw@portptld.com was received and quarantined. Size: 1 KB, 1024 bytes
02/19/05 06:52:12:560 -- (4240) Time to add Msg to Bayes corpus:0
02/19/05 06:52:12:607 -- (4868) Resolving 200.171.170.186 - 200-171-170-186.dsl.telesp.net.br
02/19/05 06:52:12:638 -- (4868) - SPF analysis for yahoo.com done: - none
02/19/05 06:52:12:638 -- (4868) Mail from: sfuller_kg@yahoo.com
02/19/05 06:52:12:795 -- (4808) Resolving 207.182.156.22 - mail5.certa6.com
02/19/05 06:52:12:888 -- (4868) - MAPS search done...
02/19/05 06:52:12:888 -- (4868) RCPT TO: postmaster@portptld.com accepted
02/19/05 06:52:13:076 -- (4808) - SPF analysis for gsqsstz.certa6.com done: - none
02/19/05 06:52:13:076 -- (4808) Mail from: bounce-zwbwwtpitmn@gsqsstz.certa6.com
02/19/05 06:52:13:076 -- (2060) - SPF analysis for mappi.helsinki.fi done: - none
02/19/05 06:52:13:076 -- (2060) Mail from: rene_myers75@mappi.helsinki.fi
02/19/05 06:52:13:138 -- (5168) Disconnect
02/19/05 06:52:13:326 -- (4808) - MAPS search done... 521 The IP 207.182.156.22 is Blacklisted by bl.spamcop.net. Blocked - see http://www.spamcop.net/bl.shtml?207.182.156.22
02/19/05 06:52:13:326 -- (4808) 207.182.156.22 - Mail from: bounce-zwbwwtpitmn@gsqsstz.certa6.com To: collij@portptld.com will be disconnected
02/19/05 06:52:13:326 -- (4808) Disconnect
02/19/05 06:52:13:404 -- (2060) - MAPS search done...
02/19/05 06:52:13:404 -- (2060) RCPT TO: rankl@portptld.com accepted
02/19/05 06:52:13:826 -- (2060) Found Keywords: [viagra,drug]
02/19/05 06:52:13:826 -- (2060) EMail from rene_myers75@mappi.helsinki.fi to rankl@portptld.com matches content filter rules - rejected.
02/19/05 06:52:13:857 -- (2060) EMail from rene_myers75@mappi.helsinki.fi to rankl@portptld.com was received and quarantined. Size: 1 KB, 1024 bytes
02/19/05 06:52:13:888 -- (4240) Time to add Msg to Bayes corpus:0
02/19/05 06:52:14:138 -- (2060) Disconnect
02/19/05 06:52:14:279 -- (5696) Disconnect
02/19/05 06:52:14:451 -- (5668) Disconnect
02/19/05 06:52:14:873 -- (4868) EMail from sfuller_kg@yahoo.com to postmaster@portptld.com passes Bayesian filter - 0% spam  (0ms)
02/19/05 06:52:14:873 -- (4868) EMail from sfuller_kg@yahoo.com to postmaster@portptld.com was queued. Size: 1 KB, 1024 bytes
02/19/05 06:52:14:873 -- (6092) Sending email from sfuller_kg@yahoo.com to postmaster@portptld.com
02/19/05 06:52:14:904 -- (4240) Time to add Msg to Bayes corpus:0
02/19/05 06:52:15:591 -- (6092) EMail from sfuller_kg@yahoo.com to postmaster@portptld.com  was forwarded to 10.192.34.83:25
02/19/05 06:52:15:841 -- (4868) Disconnect

The subject line had the words "Sexually explicit - " in the first part of the subject line and I have this line in my blockwords file - Subject:sexually explicit

Do I have to worry about case on these?

Terry


 

 

Terry (Senior Member)
Posted: 20 February 2005 at 9:27am

I may have found the problem here...it appears that what I see in the subject line is not what is exactly there...if I look at the message header I see the following:

Subject: =?ISO-8859-1?b?U2V4dWFsbHkgZXhwbGljaXQgLSBNYXNzaXZlIGRpY2sga W4gYWN0aW9uICAgIGxo?=
Not exactly what is displayed when you get the message. 

Is it safe to add the following to the blockwords file:

Subject:=?ISO

or would I be blocking something important here?

Terry

 

LogSat (Admin Group)
Posted: 20 February 2005 at 11:42pm

Terry,

In our experience we don't recall seeing any legitimate English-language subjects needing any kind of decoding; they are all in "plain text". The ?ISO portion of the subject indicates that the email client needs to perform decoding on the subject to display it.

Please note however that different languages and character sets may indeed require that to occur. We'd need to perform a bit of RFC research to come up with a better answer...


Roberto Franceschetti

LogSat Software

Spam Filter ISP

Desperado (Senior Member)
Posted: 21 February 2005 at 3:22pm

Terry,

This works in MOST cases:

((?i)Subject:=\?ISO\-\d*\-\1?.*\?[a-z0-9]{20,})
AND ALSO
((?i)Subject:=\?utf\-\d*\?.*\?[a-z0-9]{20,})

The second one blocks about 5 times as many as the first in my system.

Same warning that Roberto states above however.

Dan S.



The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
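
Added example (not Spam Filter ISP code and not written by any poster in this thread): decoding RFC 2047 encoded-word subjects before matching blockwords, compared with the literal Subject:=?ISO entry asked about above. The blockwords list, the function names, the sample subjects and the case-insensitive matching are assumptions made for the illustration.

```python
import base64
from email.errors import HeaderParseError
from email.header import decode_header

# Constructed blockwords entries in the "Subject:phrase" form quoted in the thread.
BLOCKWORDS = ["Subject:sexually explicit", "Subject:pre qualification"]

def decode_subject(raw):
    """Turn RFC 2047 encoded-words (=?charset?b-or-q?data?=) into display text."""
    try:
        chunks = decode_header(raw)
    except HeaderParseError:          # malformed base64: match on the raw text
        return raw
    parts = []
    for data, charset in chunks:
        if isinstance(data, bytes):
            try:
                data = data.decode(charset or "ascii", errors="replace")
            except LookupError:       # unknown charset label
                data = data.decode("latin-1")
        parts.append(data)
    return "".join(parts)

def matched_blockwords(raw_subject, blockwords=BLOCKWORDS):
    """Return the Subject: entries whose phrase occurs in the decoded subject."""
    subject = " ".join(decode_subject(raw_subject).casefold().split())
    hits = []
    for entry in blockwords:
        field, _, phrase = entry.partition(":")
        if field.casefold() == "subject" and phrase.casefold() in subject:
            hits.append(entry)
    return hits

def literal_prefix_rule(raw_subject):
    """The literal 'Subject:=?ISO' entry: true for any ISO-* encoded subject."""
    return raw_subject.lstrip().casefold().startswith("=?iso")

# Constructed sample subjects (not taken from the log above).
SPAM = ("=?ISO-8859-1?b?"
        + base64.b64encode(b"Sexually explicit - constructed sample").decode() + "?=")
LEGIT = "=?ISO-8859-1?Q?R=E9union_lundi?="   # displays as "Réunion lundi"
PLAIN = "SEXUALLY EXPLICIT - constructed sample"

if __name__ == "__main__":
    for s in (SPAM, LEGIT, PLAIN):
        print(repr(decode_subject(s)), matched_blockwords(s), literal_prefix_rule(s))
```

The literal prefix entry fires on both encoded subjects, including the constructed French one, while matching on the decoded text flags only the subject that actually contains a blocked phrase.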
