Print Page | Close Window

Qustion re:Keyword Filtering process

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=2065
Printed Date: 12 December 2017 at 6:46pm


Topic: Qustion re:Keyword Filtering process
Posted By: Guests
Subject: Qustion re:Keyword Filtering process
Date Posted: 25 September 2003 at 4:27pm

I'm new to SpamFilter,and have a question about the Keyword Filtering.

If a message has a file attachment, is the entire message scanned for keywords including the MIME portion containing the attachment? Or just the main message body itself?

I tried a RegEx statement to catch some of the SWEN  virus crap by looking for the more common names of the file attachment.  The virus bypasses the filtering by attaching the MS HTML Notice and infected file as file attachments.  The raw message then just has 2 MIME sections and keywords can't be used to catch a thing.

(I know I know.. I should just rely on the anti-virus engine to handle this, but we get a lot of users asking about the residual fake MS Notice still being sent to them).

The RegEx statement is:

    (\b(patch|upgrade|update|installer|install|pack|q)\d{0,6}(\.exe|\.zip|\.com|\.pif))

It works in the RegExt Test region by catching the MIME info in the message:

   ---MOQ1064520418e5535a1509346a8b2a8d2d47da9f337c
   Content-Type: application/octet-stream; name="patch.exe"
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment; filename="patch.exe"

But... it doesn't work in the actual live environment.

 




Print Page | Close Window