Print Page | Close Window

Messages that can't be checked by keyword?

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=1140
Printed Date: 05 February 2025 at 8:51am


Topic: Messages that can't be checked by keyword?
Posted By: Guests
Subject: Messages that can't be checked by keyword?
Date Posted: 27 June 2003 at 7:48am

We seem to be getting good hitrates for keyword checking, even with the junk html style that spammers use. However, some standard messages that are reliably blocked 99% of the time still get through, even though there is a keyword filter that will block them (a non html commented web address for example).

Spamfilter (build 124) reports that some messages can't be checked by the keyword filter - I'm assuming that these are ones getting through.

Is it possible to block these in Spamfilter or would that be dangerous?

I know the new version has RegEx and we will be installing it probably in a fortnight... is this a better safer solution?


Replies:
Posted By: Guests
Date Posted: 27 June 2003 at 11:44am

actually, a minor change to the above message..

its not corrupt messages that get through, just normal htlm rigged emails for no apparent reason.

the last line of a generic viagra junk message was

<p align="center"><a href=" undefined" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - Click'> http://www.nutbxxx.com/host/default.asp?id=1911" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://www.nutbxxx.com/host/default.asp?id=1911 ">Cli<!--8qhfz81flz4s-->ck H<!--heyw713qcth-->ere to<!--58uykar4xo3v--> Vi<!--tiuhrh3cgio-->sit O<!--vd6sr51gnmgfi-->ur Web<!--pv3dla3flxka-->site</a></p>

on most of the keyword filters putting in http://www.nutbxxx.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://www.nutbxxx.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://www.nutbxxx.com would block the message 100%, but on this one and others, the vast majority get blocked, but those odd few still get through.

its just in there as plain text, not html obscured.

 

Posted By: Desperado
Date Posted: 27 June 2003 at 12:48pm

Martin,

I STRONGLY recomend the use of RegEX.

The following, in your keyword list knocks that one right out.

(<[!--]+[a-zA-Z0-9]{11,})

I am also using the following expressions to kill "dotted IP" URL's because we feel that if a link dowsn't have a FQDN, then the gererator of the message is either lazzy or is sending Spam.

(href=" http://+[\d" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://+" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://+ [\d])
(href=" http://%[\d" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http:// %[\d])

We are actually using ONLY regular Expressions in our Keyword list to kill the "Spam flavor" of a message, rather than "censoring" email.

Dan S.

 


Print Page | Close Window