right click the msg and "view source"

paste the html source in so we can see it, there is bound to be something there to target

Marcus

Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach?

I am using that filter for quite some time, no probs here, but then again, im not an ISP :)

Marco wrote: Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach? I am using that filter for quite some time, no probs here, but then again, im not an ISP :)

Marco,

"valid newsletter senders" don't seem to give a rats arse about Spam issues and do what ever they want and then throw the blame at the ISP (Us).  Many newsletters are totally indistinguishable from Spam and use all the techniques that spammers use to get past normal filters.  Every time I put in a real good filter to stop some new Spam technique, some newsletters start getting blocked.

Desperado wrote: Marco wrote: Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach? I am using that filter for quite some time, no probs here, but then again, im not an ISP :) Marco, "valid newsletter senders" don't seem to give a rats arse about Spam issues and do what ever they want and then throw the blame at the ISP (Us).  Many newsletters are totally indistinguishable from Spam and use all the techniques that spammers use to get past normal filters.  Every time I put in a real good filter to stop some new Spam technique, some newsletters start getting blocked.

Kspare said it, if newsletter authors choose to behave  spam-like, they choose the risk to get blocked, if they don't care, then why should we? In the end there is allways the whitelist, and usually all the unsollicited newsletters do is generate traffic and cost us bandwidth.

We've found it effective to block the cid's that are found in offensive unwanted email.  You'll find that they are the same per spamvertiser. So you would add:

cid:e86a81e69220472974bcbd61a7c8fa6b

to your keyword list, for example, if that image was an offensive image.  Obviously they can change the image and foil this, but spammers are pretty lazy.

Marco Kspare said it, if newsletter authors choose to behave  spam-like, they choose the risk to get blocked, if they don't care, then why should we? In the end there is allways the whitelist, and usually all the unsollicited newsletters do is generate traffic and cost us bandwidth.   [/QUOTE wrote: I have to agree.  We tell our users that newsletters tend to get caught by the spam filter because they have a lot of similarities to spam.  There's always the auto forced delivery white list.  We just tell folks to check their quarantine anytime shortly after subscribing to a new newsletter if they do

I have to agree.  We tell our users that newsletters tend to get caught by the spam filter because they have a lot of similarities to spam.  There's always the auto forced delivery white list.  We just tell folks to check their quarantine anytime shortly after subscribing to a new newsletter if they don't see any confirmations of their subscriptions shortly after subscribing.

Most of our users realize that this is just part of life in an email world where 90% of email is spam.  It's either deal with a few inevitable false positives from time to time or receive 200 spams in your inbox each day.

We do have a mod on our site that allows senders who bother to read the NDR message to send a notification to recipients with a canned subject line and body to alert them to something really important that has landed in their quarantine amidst the few tons of spam.  It seems to work fairly well in most false positive cases involving business oriented emails and sends us a CC of the notice to help give us an idea of how often a false positive hits the quarantine.

pcmatt wrote: MartinC: I'm a bit of a Regex novice. Can you explain how this works like what the varied numbers will do:

bit of a novice with it myself, so my explanation might not be spot on.

the first number is the minimum length of string to match, the second one the length of the entire string? something like that.

so if the jumble of letters and numbers was 16 characters long and you wanted to match the entire thing, you could put 16,16 in the brackets.

if it was 16 characters but you were happy to match after a minimum of 8, then 8,16 would do the trick.

worth downloading "the Regex Coach" which I think someone linked off here... its a windows gui program that lets you try things out and see how the things will work.

I'm sure someone will come up with an even more efficient version of this expression.. but this one is fine for now.

Another pet peeve of mine with newsletters and some shopping carts is when the use the recipients email address as the from address in the emails they are sending from their own mail servers.

We reject emails that fail SPF checking, including our own domains.

MartinC wrote: Ken Bour wrote: Here is the regex that I am using to block these messages: src\=(\"c|c)id\: thats a bit vague to be honest, blocks all src=cid. I ended up putting in something a bit more specific. (img src=cid:[a-zA-Z0-9]{16,20}) you can vary the numbers to whatever you want, 32,32 or whatever.

Why does it even matter what comes after the cid:?  If the message contains the match from the first regex, then it should be canned.

I do see a flaw in the first regex, if there is a newline character before or after the "=" then it won't match.