Spam Filter ISP Support Forum


Topic Closed: Keyword blocks 99% of the time

Author: Brian (Guest Group)
Posted: 19 November 2003 at 4:41pm

Just wanted to post this to see if others have the same experience or maybe it's just my install.

I have a regex configured to block 'viagra'.  It has worked great from version .178 and now that I purchased SPAMfilter in .206.  The issue is that from time to time the keyword filter just seems to forget what its job is.  I'll get a couple of SPAM messages squeak through that should have been blocked.  I copied the message over and even tested it within the program and with TestRExp and both confirm that the keyword filter works fine.  Could it be an overload on the Regex file that it checks against?  Any ideas or suggestions?

Author: LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 20 November 2003 at 12:29am

Brian,

Are you copying the message by selecting the text from MS Outlook and then pasting it into the TestRegEx box, or are you selecting the real source of the email by using another email client, such as Outlook Express, that shows the real source?

If case (1), please note that Outlook changes the email source rather drastically, so what you're copying and pasting is not what the email really was.

If case (2), if you can post a sample of the source of the email that is failing, along with the RegEx you're using, we can try to take a look.

Roberto F.
LogSat Software

Author: Brian (Guest Group)
Posted: 20 November 2003 at 1:15am

Thanks for the response,

We use MS Exchange 5.5 and Outlook 2000-2003 for the client. The point that it fails is mostly in the subject line and not in the body of the text. I figured out that SF looks at the source of html files so that to RegEx against something in the Webpage would not work, but instead views the source and works from there, but does this affect subject lines as well?

Here is the message in 'raw format' made available via Mail.app in Mac OS X. The subject line is the main point of attack in my regexes and this is where it fails (the seldom random times that it does fail at least). I won't post my regex in public, so if you would like to see what I'm using to block this, I'll email it if you would like. Names and emails have been removed to protect the innocent. :-). After further analysis right now, I just noticed that 'Viag[ra' is shown both in the subject line and in the source of the email... I'm still stumped on this one. I also have 'Phentermine' as a keyword, but not as a regex.. just a keyword. So this issue pertains to both a regex keyword filter and a regular keyword filter (This message got by both keywords!). Sorry for the long post, but hopefully this is detailed enough to properly troubleshoot. If you need more details, please let me know.

Thanks for your help. Begin an all too familiar SPAM message:

Received: by RACKSERVER3 id <01C3AED5.07041140@RACKSERVER3>; Wed, 19 Nov 2003 11:40:46 -0800
Message-ID:
From: "OMITTED"
To: "OMITTED"
Subject: FW: Cheapest Viag[ra, Phentermine, Levitr(a, Soma, etc
Date: Wed, 19 Nov 2003 11:40:46 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C3AED5.07041140"

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------_=_NextPart_001_01C3AED5.07041140
Content-Type: text/plain

_____

From: Bud Dye [http://mailto:bud_dye_lt@siba.fi]
Sent: Wednesday, November 19, 2003 11:36 AM
To: OMITTED
Subject: Cheapest Viag[ra, Phentermine, Levitr(a, Soma, etc

------_=_NextPart_001_01C3AED5.07041140
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

 =

 =


From: Bud = Dye [http://mailto:bud_dye_lt@siba.fi]
Sent: Wednesday, = November 19, 2003 11:36 AM
To: = OMITTED
Subject: Cheapest = Viag[ra, Phentermine, Levitr(a, Soma, etc

 

=

------_=_NextPart_001_01C3AED5.07041140--
Author: Brian (Guest Group)
Posted: 20 November 2003 at 1:23am

I noticed due to my long post the email was truncated. I appended the rest of the message taking out some of the blank lines to conserve space.

From: Bud Dye [http://mailto:bud_dye_lt@siba.fi]
Sent: Wednesday, November 19, 2003 11:36 AM
To: OMITTED
Subject: Cheapest Viag[ra, Phentermine, Levitr(a, Soma, etc

------_=_NextPart_001_01C3AED5.07041140
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

 =

 =


From: Bud = Dye [http://mailto:bud_dye_lt@siba.fi]
Sent: Wednesday, = November 19, 2003 11:36 AM
To: = OMITTED
Subject: Cheapest = Viag[ra, Phentermine, Levitr(a, Soma, etc

 

=

------_=_NextPart_001_01C3AED5.07041140--
Author: Brian (Guest Group)
Posted: 21 November 2003 at 1:46pm

I figured out how they get through now.  I was not looking at the subject field within the header. I was just looking at the displayed subject line.  Some SPAM even spoof the subject line and that is what got through my keyword filter.  But I'll get them on that trick too... :-p

So at this point the filters are doing their jobs and there appears to be no random issue with it.  It's just me..
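
The check the thread converges on, testing keywords against the Subject header taken from the raw message source rather than against text copied from a mail client, is shown here as an added example; it is not part of the original posts and not SPAMfilter's own matching logic. The sample message is constructed, and the way its Subject is disguised (an RFC 2047 encoded-word plus punctuation inside words, as in 'Viag[ra' above) is an assumption for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

KEYWORDS = ("viagra", "phentermine", "levitra")  # keywords named in the thread

# Constructed sample, not the poster's message: the Subject header is an
# RFC 2047 encoded-word whose decoded text has punctuation inside the words.
RAW = (
    "From: sender@example.invalid\r\n"
    "To: user@example.invalid\r\n"
    "Subject: =?iso-8859-1?Q?Cheapest_Viag=5Bra,_Levitr=28a?=\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "body text\r\n"
)

def header_subject(raw):
    """Return the decoded Subject header from the raw message source."""
    value = message_from_string(raw)["Subject"] or ""
    return str(make_header(decode_header(value)))

def normalize(text):
    """Lower-case each word and drop punctuation inserted inside it."""
    return [re.sub(r"[^a-z0-9]", "", word) for word in text.lower().split()]

def keyword_hits(text):
    """Keywords found inside any normalized word of the text."""
    words = normalize(text)
    return [k for k in KEYWORDS if any(k in w for w in words)]

def check(raw):
    """Compare a plain substring search with the decoded, normalized check."""
    subject = header_subject(raw)
    return {
        "subject": subject,
        "naive_hits": [k for k in KEYWORDS if k in raw.lower()],
        "hits": keyword_hits(subject),
    }

if __name__ == "__main__":
    print(check(RAW))
```

Stripping punctuation per word keeps the match inside word boundaries, but it still widens what a keyword can hit, so review it against legitimate mail before blocking on it.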
