Without looking at the source of the email we can't give a definite answer, but the following forum posting usually explains the reason for most failures:
========================================================
Starting with build v1.2.0.151 SpamFilter is able to scan the whole email content + subject header for RegEx (Regular Expression) keywords.
This allows very powerful keyword searches. Many spammers send html emails containing invalid (thus invisible) html tags or html comments in between letters to avoid normal keyword detection.
For example, the following html source:
<!--fxkbu8116c72f6-->SP<mynqhy2d9bswg-->AM <!--ei2rq7erjldy3y-->MER<!--ywf1ph1zmgcik9-->
will actually display SPAMMER in an email client.
We've been using the following RegEx search string to, so far, successfully block a lot of this spam:
(<[!--]*[a-zA-Z0-9]{11,})
This is what the above expression looks for (remember that SpamFilter requires a RegEx expression to be surrounded by parentheses () in order to distinguish it from regular keywords):
- < look for an open tag start character, immediately followed by...
- [!--]* this looks for zero or more occurrences of the !-- characters indicating an html comment, immediately followed by...
- [a-zA-Z0-9] any letter or digit....
- {11,} repeated at least 11 times. This has to be a combination of only either letters or numbers. Any space, tab, single quote, double quote etc will break the sequence.
For example, <a href="aaaa.htm"> will not cause a trigger since there is a space immediately following the a before href. We choose a minimum repetition of 11 since <blockquote> is a valid tag 10 characters long...
If anyone has comments, problems, or improvements with this "apparently magic" keyword search, please let us know!
Roberto Franceschetti LogSat Software
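
An added example, not part of the original post and not SpamFilter's own code: a small Python harness that runs the posted expression over the post's sample strings, plus two constructed benign inputs, so false positives can be checked before the keyword is deployed. It assumes Python's `re` engine rather than SpamFilter's; the names `find_hits`, `classify` and `SAMPLES` are hypothetical.

```python
import re
import warnings

# The post's expression, copied verbatim with SpamFilter's outer parentheses.
# Python's re parses [!--] as the range '!'..'-' (which still contains both
# '!' and '-'); current Python versions emit a FutureWarning for it, silenced here.
with warnings.catch_warnings():
    warnings.simplefilter("ignore", FutureWarning)
    KEYWORD = re.compile(r"(<[!--]*[a-zA-Z0-9]{11,})")


def find_hits(body):
    """Return every substring of the message body that triggers the keyword."""
    return [m.group(1) for m in KEYWORD.finditer(body)]


def classify(samples):
    """Map each sample name to 'HIT' or 'clean' for a quick tuning report."""
    return {name: ("HIT" if find_hits(body) else "clean")
            for name, body in samples.items()}


# Test corpus. The first three entries use strings from the post itself;
# the last two are constructed benign inputs for checking false positives.
SAMPLES = {
    "page_spam": "<!--fxkbu8116c72f6-->SP<mynqhy2d9bswg-->AM "
                 "<!--ei2rq7erjldy3y-->MER<!--ywf1ph1zmgcik9-->",
    "blockquote": "<blockquote>quoted reply</blockquote>",
    "anchor": '<a href="aaaa.htm">link</a>',
    "clipboard_comment": "<!--StartFragment-->pasted text<!--EndFragment-->",
    "plain_address": "Contact <administrator@example.com> for access.",
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:18} {verdict:6} {find_hits(SAMPLES[name])}")
```

The two constructed benign samples both trigger the keyword, so messages containing pasted clipboard HTML or an angle-bracketed address with a long local part are worth whitelisting or scoring rather than blocking outright.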