Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - key words case sensitive?
  FAQ FAQ  Forum Search   Register Register  Login Login

key words case sensitive?
 Post Reply Post Reply
Author
  Topic Search Topic Search  Topic Options Topic Options
Jack View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Jack Quote  Post ReplyReply Direct Link To This Post Topic: key words case sensitive?
    Posted: 23 June 2003 at 3:20pm
I have both "viagra" and "v1agra" in my key word list, as seperate entries, but I still get message with these listed in the subject line - why?
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 23 June 2003 at 3:29pm

Without looking at the source of the email we can't give a definite answer, but the following forum posting usually explains the reason for most failures:

========================================================

Starting with build v1.2.0.151 SpamFilter is able to scan the whole email content + subject header for RegEx (Regular Expression) keywords.

This allows very powerful keyword searches. Many spammers send html emails containing invalid (thus invisible) html tags or html comments in between letters to avoid normal keyword detection.

For example, the following html source:

<!--fxkbu8116c72f6-->SP<mynqhy2d9bswg-->AM 
    <!--ei2rq7erjldy3y-->MER<!--ywf1ph1zmgcik9-->

will actually display SPAMMER in an email client.

We've been using the following RegEx search string to, so far, successfully block a lot of this spam:

(<[!--]*[a-zA-Z0-9]{11,})

This is what the above expressions looks for (remember that SpamFilter requires a RegEx expression to be sorrounded by parenthesis () in order to distinguish it from regular keywords):

  • <   look for an open tag start character, immediately followed by...
  • [!--]*   this looks for zero or more occurrences of the  !--  characters indicating an html comment, immediately followd by...
  • [a-zA-Z0-9]  any letter or digit....
  • {11,}  repeated at least 11 times. This has to be a combination of only either letters or numbers. Any space, tab, single quote, double quote etc will break the sequence.

For example, <a href="aaaa.htm"> will not cause a trigger since there is a space immediately following the a before href.
We choose a minimum repetition of 11 since <blockquote> is a valid tag 10 characters long...

If anyone has comments, problems, or improvements with this "apparently magic" keyword search, please let us know!

Roberto Franceschetti
LogSat Software
Back to Top
Jack View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Jack Quote  Post ReplyReply Direct Link To This Post Posted: 23 June 2003 at 3:37pm

Yes, I'm using this.  It works well.

Below is an excerpt from my key eord list:

sex, energy
hot, sex
hot, babe
hot, teen
hot, girl
viagra
v1agra

Today I received an email with the following subject line:

"Viagra and Diet Pills prescribed online!  US doctors and pharmacies! Overnight Shipping  fdf pqgfgg"
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 23 June 2003 at 5:23pm

Jack,

The keywords are not case sensitive. If the subject header source is as you posted, then yes, it should have been blocked. However even subject headers can be encoded so that the source is not what you see.

Without the full source of the email, again, we can't give a definite answer. Please indicate also which version of SpamFilter you're using.

Roberto Franceschetti
LogSat Software
Back to Top
Jack View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Jack Quote  Post ReplyReply Direct Link To This Post Posted: 23 June 2003 at 5:55pm

Version is 1.2.0.162

My mailserver is groupwise, which does not send me pure source of html message.  The subject I included was taken from the message header though.  Is there an address I can forward the message to?
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 23 June 2003 at 7:59pm

Yes, support@logsat.com

Roberto F.
LogSat Software
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.316 seconds.

Copyright (c)2002-2021 LogSat Software LLC - Sales: sales@LogSat.com
Contact Us