Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Regex Keyword Filter on Subject
  FAQ FAQ  Forum Search   Register Register  Login Login

Regex Keyword Filter on Subject

 Post Reply Post Reply
Author
caratking View Drop Down
Groupie
Groupie


Joined: 13 March 2006
Location: United States
Status: Offline
Points: 79
Post Options Post Options   Thanks (0) Thanks(0)   Quote caratking Quote  Post ReplyReply Direct Link To This Post Topic: Regex Keyword Filter on Subject
    Posted: 03 April 2006 at 12:40am

These home loan, and chase bank emails are really getting to me.

I started doing some regex keywords to stop these, and found some samples for subject keyword filters on this forum.

My test messages get stopped, but the real spam do not.

For example, this one just got past:

From: "Hubert Hendrix" <brian_schlessinger@time-inc.com>
MIME-Version: 1.0
Subject: Looking to ReFi or a Home Equity Loan?

This filter should have caught it, right?

((?i)Subject:(.*?)(equity)(.*?)(loan)(.*?))

I don't see what I'm doing wrong, any help would be appreciated. I'm assuming the (?i) makes it case insensitive.

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 04 April 2006 at 1:27pm

caratking,

If you are trying to block that subject, I would have done:

((?i)Subject:.*equity.*loan)

But it is not much different than yours.  (?i) forces no case checking with the glitch that I believe case is determined by your servers "locale" settings so if you are using a non standard locale, there *may* be some very obscure issue (not that I can think of any).

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
caratking View Drop Down
Groupie
Groupie


Joined: 13 March 2006
Location: United States
Status: Offline
Points: 79
Post Options Post Options   Thanks (0) Thanks(0)   Quote caratking Quote  Post ReplyReply Direct Link To This Post Posted: 05 April 2006 at 7:26pm

I just can't get this subject filtering to work... 

I changed the filters to try and simplify things, this is a sample one:

((?i)Subject:.*(mortag|mortgage)(.*?)(approv|rate))

The SPAM just keep coming through, here is an example of one (of hundreds) that slipped past overnight.

Microsoft Mail Internet Headers Version 2.0
x-fsavag4mse-ts: 82436ceb892a1995
Received: from webs3.webserver.server.com ([192.168.30.103]) by nospam.hbi.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 6 Apr 2006 05:06:07 +0900
Received: from webs3 ([127.0.0.1]) by webs3.webserver.server.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 6 Apr 2006 05:06:07 +0900
Content-Transfer-Encoding: 8bit
Received: from 201.13.11.175 by nospam20.hbi.com (LogSat Software SMTP Server) Thu, 6 Apr 2006 05:06:06 +0900
Received: (from tomcat@localhost) by 201.13.11.175 (8.12.8/8.12.8/Submit) id j3CHmn0V755004 for forum@hbi.com; Wed, 05 Apr 2006 15:05:51 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Message-ID: <170m690m.3591989@211.123.156.23>
Date: Wed, 05 Apr 2006 15:05:51 -0600
From: "Ignacio Wells" <support@caswellplating.com>
X-Mailer: MIME-tools 5.494 (Entity 5.289)
MIME-Version: 1.0
To: <forum@hbi.com>
Cc: <jteditor@hbi.com>
X-Spam-Score:  (-2.705) BAYES_00
X-Scanned-By: MIMEDefang 2.52 on 201.13.11.175
X-Scanned-By: SpamAssassin 3.103692, File::Scan 0.05, Archive::Zip 1.66
X-Recipient: <forum@hbi.com>
Subject: Mortagge ratee approvedd
Content-Type: multipart/related;
 boundary="------------AttPart_86833495==.OLA"
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <support@caswellplating.com>
X-SF-HELO-Domain: 201-13-11-175.dsl.telesp.net.br
X-SF-WhiteListedReason: Whitelisted EMail Address To
Return-Path: <support@caswellplating.com>
X-OriginalArrivalTime: 05 Apr 2006 20:06:07.0097 (UTC) FILETIME=[5FE46E90:01C658EC]

--------------AttPart_86833495==.OLA
Content-Type: text/html;
 charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

--------------AttPart_86833495==.OLA
Content-Type: image/gif;
 name="guanine.6.gif"
Content-Transfer-Encoding: base64
Content-ID: <3.0.0.65.0.53095026998546.61989080@bruit.msn.com.6>
Content-Disposition: inline;
 filename="guanine.6.gif"


--------------AttPart_86833495==.OLA--

 

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 05 April 2006 at 7:30pm

Hmmm .. do you have ScanReceivedHeaders=1 in your ini file?

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
caratking View Drop Down
Groupie
Groupie


Joined: 13 March 2006
Location: United States
Status: Offline
Points: 79
Post Options Post Options   Thanks (0) Thanks(0)   Quote caratking Quote  Post ReplyReply Direct Link To This Post Posted: 05 April 2006 at 7:32pm

I believe I have found the problem, it is not specifically related to the keyword filters.

After pasting the above header, I noticed Spam Filter ISP inserted this:

X-SF-WhiteListedReason: Whitelisted EMail Address To

The above SPAM was sent to two people, forum & jteditor.  The jteditor account is whitelisted (they were complaining about false positives - so they get whitelisted). 

Problem is, the forum email goes through because one of the people the message was for is whitelisted.

If someone sends the spam to 5 users, and one of them is whitelisted the other four people will get the message.

This seems like a possible bug to me.

This explains why my test messages were getting blocked, and the real spam gets through...



Edited by caratking
Back to Top
sgeorge View Drop Down
Senior Member
Senior Member


Joined: 23 August 2005
Status: Offline
Points: 178
Post Options Post Options   Thanks (0) Thanks(0)   Quote sgeorge Quote  Post ReplyReply Direct Link To This Post Posted: 06 April 2006 at 4:47pm
caratking, I agree with you, I think that one whitelisted recipient shouldn't make everyone else receive the email as well.  While that is a problem, I found a work-around that should provide the correct functionality:
  • Add the following line to your AutoWhiteListForceDelivery.txt file and save:
    *|jteditor@yourdomain.com
  • remove jteditor's email address from the "Unfiltered Emails" tab in Spam
As I test this on version 2.7.1.532 (Unregistered), this work-around gives me the result that you were expecting from it.

Thanks again for your help with AuthTo lists,

Stephen

Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.187 seconds.