Post Your Email Filters

Miles · 10-23-2005, 08:59 AM

I thought it might be a good idea for those users having more SPAM than others for some of our more expereinced users to post some filters they use in their email program to combat the ever increasing amont of SPAM

Valium · 10-23-2005, 09:21 AM

Great idea, I myself am not running any filters but have noticed some spam getting in to my inboxes lately and am interested in running filters ...

Greetz

PCBruiser · 10-23-2005, 10:32 AM

OK, you asked, and here it comes. To use this list, your email client must be able to process filters that contain regular expressions. I developed some of these myself, others I developed from ideas on the Mailwasher forums for which credit belongs to each one's author in full or in part. Don't ask me to remember to explain all of how each one works, some are tough to understand. I use the excellent shareware RegExBuddy to do my development and testing.

Most of these have to be changed. I have marked where and indicated what needs changing with a dark red color. Since these were designed for my use, they may not work for you, so test them please. I will try to help out anyone who has a problem or a specific need. Also mnote that the smilies are where the following should be ; ) without the space between the two characters. Sorry about that but the smiley codes in vB override the RegEx coding, and I can't prevent that from happening

.

1. "Not to me". Filter: The "To:" field does not contain myemail1|myemail2|myemail3| ...

2. Header Spam Indicators: Filter: The "Entire Header Contains" Received: from unknown|SEXUALLY(\W*|\s*)EXPLICIT|[S|s]exually(\W*|\s*)[E|e]xplicit|X-Text-Classification: spam|X-Distribution: bulk|X-Confirm-Reading-To:|X-UIDL:|may be forged|unverified|from unknown|spam|advertisement|misconfigured sender|Content-Type:[\S\D]*;|helo((\s*=|\s*)((\[|\x28|\s*)\D*(\[|\x29|\s*)))

3. Foreign Language Spam. Filter: The "Entire Email Contains" Content-Type: text/(plain|html);[\s]*charset=\x22*(ISO-8859-[2-9]|windows-125[13-8]|windows-874|big-5|euc-kr)\x22* Note you must change this filter if your native language is not English.

4. Spoofed IANA Reserved IPs. Filter: "Entire Header Contains" ^Received: from [^[]*?\[([1257]|2[37]|3[1679]|4[129]|5[089]|7\d|8[3-9]|9\d|1[01]\d|12[0-6]|17[3-9]|18[0-79]|19[07]|22[3-9]|2[34]\d|25[0-5])(\.[1-2]?\d?\d?){3}\]

5. Subject Spam Indicators. Filter: "Subject Contains" [A-Z]([^A-Z0-9]+)([A-Z]\1){2,}[A-Z]|([A-Z]+[:=\.\-_]){3,}|^\W{0,5}[Rr]e:\W[a-zA-Z0-9]{1,10},\W[a-z]{1,10}\W[a-z]{1,10}

6. Spam Traps. Filter: "Either Subject and/or Body Contain" [v,V,(\\/)](\W|)[i,I,1,l,L](\W|)[a,A,@,(\/\\)](\W|)[g,G](\W|)[r,R](\W|)[a,A,@,(\/\\))]|.*[Vv][Ii1]agr.*|.*[Pp]en[Ii1][\$s].*|.*[Pp]re[Ss\$]cr[iI1]pt.*|.*[Oo0][Ee][Mm].*|

7. Foreign Letter Traps. Filter: "Either Subject and/or Body Contain" (À|Á|Â|Ã|Ä|Å|à|á|â|ã|ä|å|a|A|@|&commat;|α|À|Á|Â|Ã|Ä|Å|À|Á|Â|Ã|&Auml ;|Å|à|á|â|ã|ä|å|à|á|â|ã|ä|&aring

|(È|É|Ê|Ë|è|é|ê|ë|E|e|È|É|Ê| Ë|È|É|Ê|Ë|è|é|ê|ë|è|é|ê|&euml

|(¡|Ì|Í|Î|Ï|ì|í|î|ï|!|¡| ¡|¹|¹|¦|Ì|Í|Î|Ï|ì|í|ï|Ì|Í|Î|Ï|ì|í|î|ï|I|i)| (Ò|Ó|Ô|Õ|Ö|Ø|ð|ò|ó|ô|õ|ö|ø|0|O|o|Ò|Ó|Ô|Õ|Ö|Ø|Ò|Ó|Ô|Õ|Ö|Ø|ò|ó| ô|õ|ò|ó|ô|õ|ö|&oslash

|(Ù|Ú|Û|Ü|ù|ú|û|ü|µ|U|u|µ|µ|Ù|Ú|Û|Ü|&Ug rave;|Ú|Û|Ü|ù|ú|ûü|ù|ú|û|&uuml

Note this may need changing if your native language is not English.

8. HTML Spam Tricks. Filter: "Body Contains" font size="?0"?|((<![\w\s,\.\-]+>)+([\w\s,\.\-]){1,20}){3}|(</\w>)[\w\s,\.\-]{1,20}(\1([\w\s,\.\-]){1,20}){2}|<a .*href="?http://.+=(al)[^>]*?myemail"?>|(?i)<\s*a[\s\w=]+(?s)href=(3D)??"?http://[\d\w\./]+(@|{0,5}64;|\*|{0,5}42

.+>|^Content-Type: application/octet-stream[^:]*?name=["\w][^:]*?\.(exe|com|bat|scr|pif|zip)[^:]*?^Content-Transfer-Encoding: base64

The last part of Filter #2 is particularly powerful as it looks for a spoofed sender via a malformed "HELO" in the header. I'd say it picks up about 50% of all my spam. That idea is my work. Now some spammer will figure out how to defeat it, LOL. One further format issue - there should not be any spaces or line breaks in any of the actual filters except where indicated. vB breaks the lines up on length, not based on there being a space or line break. If you have anyproblems, I will zip and send to anyone a copy of any filter that you are unsure of how it should format.

PCBruiser · 10-23-2005, 10:41 AM

Sorry Paragon, but after considering this subject more, I think it should be moved to the Security Forum. I will leave a redirect in Applications.

Valium · 10-23-2005, 10:49 AM

Hey PCB, thx for the filters, I'll try them out some time next week ...

'Bout the smilies showing up, couldn't you use the [Code] tags to prevent smilies from coming up? Or would that screw up the filters?

Greetz

PCBruiser · 10-23-2005, 10:51 AM

I think it would screw up the filters, so that's why I didn't use them. You would have to remove them. I think if you just copy and paste, the email program will see the proper characters without replacing them with smileys. So, you may not have to actually edit them at all except for where I indicated they need to be customized either by adding your email address or changed for your language needs.

PCBruiser · 10-23-2005, 11:01 AM

I mentioned earlier that I use RegExBuddy for developing my filters and modifying those of others to fit my needs. RegExBuddy is available here:

http://www.regexbuddy.com/

Just to show how it works, I have copied one of the filters to it for analysis and took a screen shot, the 2nd filter actually, although the screen shot only shows the partial analysis.

Miles · 10-23-2005, 11:22 AM

Quote:

Originally Posted by PCBruiser

Sorry Paragon, but after considering this subject more, I think it should be moved to the Security Forum. I will leave a redirect in Applications.

Probably the best locaton, I debated where to put it

Saiasanc · 10-23-2005, 12:30 PM

love the filters, Paragon

I wonder if Thunderbird supports regex filters....hmmm, have to check and see.

I actually use Popfile to catch all my spam. Once you have trained it, it hardly ever misses a spam. You can set it to alter the header with a X-Text-Classification, I then just create a rule that says if the X-Text-Classification header entry = "spam" it automatically routes the mail to my spam folder.

--Saiasanc

Gavsman · 10-23-2005, 12:45 PM

spam is too much in my mail
but can anyone tell me how these filters work plz ?

PCBruiser · 10-23-2005, 03:26 PM

Look at each filter's title. That is your clue as to what it is filtering. The simplist is the first one - that simply identifies that any email it says is "good" is addressed to one of your valid email addresses. Everything else it rejects.

The second one is very complex and does several different things, but each of those things is trying to determine if the email is spam or not. It looks for spam which the sender labels "sexually explicit" as is required in the US, including several variations such as deliberate misspellings. It checks for things like bulk mail indicators, spam indicators set by filtering systems like Brightmail (used by many ISPs), several error messages and finally, possibly spoofed senders or zombies via examining the HELO in most email.

I am not going to go through them one-by-one, they cover too much ground. If you are going to use RegEx filters, you are going to have to learn something about them to customize them to your needs.

Edit: Remember to test each filter. Depending on many factors, some may not work properly for you while working properly for me. An example: Filter 3 checks for correct character encoding for me, i.e., standard English. If I receive an email in Russian - it is spam. If, however, you are Russian, receiving an email in Russian doesn't automatically qualify it as spam but one in English might, so that filter must be changed depending on each of our circumstances.

polonyc2 · 10-23-2005, 03:59 PM

Quote:

Originally Posted by Valium

I myself am not running any filters

me neither...I rarely get any SPAM nowadays because I use my e-mail addresses carefully....

I have one Hotmail address which I use as a SPAM e-mail address when I'm asked to register for anything online...setting up separate e-mail accounts for different tasks is a good idea...one e-mail account for friends and family...another for work...another one in case you visit chat rooms, forums etc. etc....I guess in a way this is another form of an e-mail filter

SupDawg · 10-24-2005, 12:03 AM

While I don't get much spam on my main email, does anyone know if there are some filters that will work with Outlook 2k3? I get about 5 spam emails a week... But still, that is too many.

Gavsman · 10-24-2005, 06:25 AM

Quote:

Originally Posted by polonyc2

me neither...I rarely get any SPAM nowadays because I use my e-mail addresses carefully....

I have one Hotmail address which I use as a SPAM e-mail address when I'm asked to register for anything online...setting up separate e-mail accounts for different tasks is a good idea...one e-mail account for friends and family...another for work...another one in case you visit chat rooms, forums etc. etc....I guess in a way this is another form of an e-mail filter

that is a very good idea.

10-23-2005, 08:59 AM	#1
Miles Registered User Join Date: May 2001 Location: South Carolina Posts: 5,558	Post Your Email Filters I thought it might be a good idea for those users having more SPAM than others for some of our more expereinced users to post some filters they use in their email program to combat the ever increasing amont of SPAM __________________ Regards, Miles ________________________________ Intel Core 2 Duo E6850 w/ Enzotech Ultra \| ASUS Blitz Formula SE \| 2 x 2Gb Mushkin XP2-6400 DDR-2 \| XFX 8800 GTX XXX\| 2 - Seagate 750GB Barracuda ES \| PCP&C 1KWSR \| Lian Li G70 \| Windows Vista 64-bit Ultimate \| Dell 2407 FPW Monitor
(Offline)

10-23-2005, 09:21 AM	#2
Valium Gotta hav'em :D Join Date: Apr 2002 Location: Flanders! Posts: 675	Great idea, I myself am not running any filters but have noticed some spam getting in to my inboxes lately and am interested in running filters ... Greetz __________________ Download and install Mirc
(Offline)

10-23-2005, 10:32 AM	#3
PCBruiser Registered User Join Date: Nov 2003 Posts: 13,497	OK, you asked, and here it comes. To use this list, your email client must be able to process filters that contain regular expressions. I developed some of these myself, others I developed from ideas on the Mailwasher forums for which credit belongs to each one's author in full or in part. Don't ask me to remember to explain all of how each one works, some are tough to understand. I use the excellent shareware RegExBuddy to do my development and testing. Most of these have to be changed. I have marked where and indicated what needs changing with a dark red color. Since these were designed for my use, they may not work for you, so test them please. I will try to help out anyone who has a problem or a specific need. Also mnote that the smilies are where the following should be ; ) without the space between the two characters. Sorry about that but the smiley codes in vB override the RegEx coding, and I can't prevent that from happening . 1. "Not to me". Filter: The "To:" field does not contain myemail1\|myemail2\|myemail3\| ... 2. Header Spam Indicators: Filter: The "Entire Header Contains" Received: from unknown\|SEXUALLY(\W\|\s)EXPLICIT\|[S\|s]exually(\W\|\s)[E\|e]xplicit\|X-Text-Classification: spam\|X-Distribution: bulk\|X-Confirm-Reading-To:\|X-UIDL:\|may be forged\|unverified\|from unknown\|spam\|advertisement\|misconfigured sender\|Content-Type:[\S\D];\|helo((\s=\|\s)((\[\|\x28\|\s)\D(\[\|\x29\|\s))) 3. Foreign Language Spam. Filter: The "Entire Email Contains" Content-Type: text/(plain\|html);[\s]charset=\x22(ISO-8859-[2-9]\|windows-125[13-8]\|windows-874\|big-5\|euc-kr)\x22* Note you must change this filter if your native language is not English. 4. Spoofed IANA Reserved IPs. Filter: "Entire Header Contains" ^Received: from [^[]?\[([1257]\|2[37]\|3[1679]\|4[129]\|5[089]\|7\d\|8[3-9]\|9\d\|1[01]\d\|12[0-6]\|17[3-9]\|18[0-79]\|19[07]\|22[3-9]\|2[34]\d\|25[0-5])(\.[1-2]?\d?\d?){3}\] 5. Subject Spam Indicators. Filter: "Subject Contains" [A-Z]([^A-Z0-9]+)([A-Z]\1){2,}[A-Z]\|([A-Z]+[:=\.\-_]){3,}\|^\W{0,5}[Rr]e:\W[a-zA-Z0-9]{1,10},\W[a-z]{1,10}\W[a-z]{1,10} 6. Spam Traps. Filter: "Either Subject and/or Body Contain" [v,V,(\\/)](\W\|)[i,I,1,l,L](\W\|)[a,A,@,(\/\\)](\W\|)[g,G](\W\|)[r,R](\W\|)[a,A,@,(\/\\))]\|.[Vv][Ii1]agr.\|.[Pp]en[Ii1][\$s].\|.[Pp]re[Ss\$]cr[iI1]pt.\|.[Oo0][Ee][Mm].\| 7. Foreign Letter Traps. Filter: "Either Subject and/or Body Contain" (À\|Á\|Â\|Ã\|Ä\|Å\|à\|á\|â\|ã\|ä\|å\|a\|A\|@\|&commat;\|α\|À\|Á\|Â\|Ã\|Ä\|Å\|À\|Á\|Â\|Ã\|&Auml ;\|Å\|à\|á\|â\|ã\|ä\|å\|à\|á\|â\|ã\|ä\|&aring\|(È\|É\|Ê\|Ë\|è\|é\|ê\|ë\|E\|e\|È\|É\|Ê\| Ë\|È\|É\|Ê\|Ë\|è\|é\|ê\|ë\|è\|é\|ê\|&euml\|(¡\|Ì\|Í\|Î\|Ï\|ì\|í\|î\|ï\|!\|¡\| ¡\|¹\|¹\|¦\|Ì\|Í\|Î\|Ï\|ì\|í\|ï\|Ì\|Í\|Î\|Ï\|ì\|í\|î\|ï\|I\|i)\| (Ò\|Ó\|Ô\|Õ\|Ö\|Ø\|ð\|ò\|ó\|ô\|õ\|ö\|ø\|0\|O\|o\|Ò\|Ó\|Ô\|Õ\|Ö\|Ø\|Ò\|Ó\|Ô\|Õ\|Ö\|Ø\|ò\|ó\| ô\|õ\|ò\|ó\|ô\|õ\|ö\|&oslash\|(Ù\|Ú\|Û\|Ü\|ù\|ú\|û\|ü\|µ\|U\|u\|µ\|µ\|Ù\|Ú\|Û\|Ü\|&Ug rave;\|Ú\|Û\|Ü\|ù\|ú\|ûü\|ù\|ú\|û\|&uuml Note this may need changing if your native language is not English. 8. HTML Spam Tricks. Filter: "Body Contains" font size="?0"?\|((<![\w\s,\.\-]+>)+([\w\s,\.\-]){1,20}){3}\|(</\w>)[\w\s,\.\-]{1,20}(\1([\w\s,\.\-]){1,20}){2}\|<a .href="?http://.+=(al)[^>]?myemail"?>\|(?i)<\sa[\s\w=]+(?s)href=(3D)??"?http://[\d\w\./]+(@\|{0,5}64;\|\\|{0,5}42.+>\|^Content-Type: application/octet-stream[^:]?name=["\w][^:]?\.(exe\|com\|bat\|scr\|pif\|zip)[^:]?^Content-Transfer-Encoding: base64 The last part of Filter #2 is particularly powerful as it looks for a spoofed sender via a malformed "HELO" in the header. I'd say it picks up about 50% of all my spam. That idea is my work. Now some spammer will figure out how to defeat it, LOL. One further format issue - there should not be any spaces or line breaks in any of the actual filters except where indicated. vB breaks the lines up on length, not based on there being a space or line break. If you have anyproblems, I will zip and send to anyone a copy of any filter that you are unsure of how it should format. Last edited by PCBruiser; 10-23-2005 at 10:49 AM..
(Offline)

10-23-2005, 10:41 AM	#4
PCBruiser Registered User Join Date: Nov 2003 Posts: 13,497	Sorry Paragon, but after considering this subject more, I think it should be moved to the Security Forum. I will leave a redirect in Applications.
(Offline)

10-23-2005, 10:49 AM	#5
Valium Gotta hav'em :D Join Date: Apr 2002 Location: Flanders! Posts: 675	Hey PCB, thx for the filters, I'll try them out some time next week ... 'Bout the smilies showing up, couldn't you use the [Code] tags to prevent smilies from coming up? Or would that screw up the filters? Greetz __________________ Download and install Mirc
(Offline)

10-23-2005, 10:51 AM	#6
PCBruiser Registered User Join Date: Nov 2003 Posts: 13,497	I think it would screw up the filters, so that's why I didn't use them. You would have to remove them. I think if you just copy and paste, the email program will see the proper characters without replacing them with smileys. So, you may not have to actually edit them at all except for where I indicated they need to be customized either by adding your email address or changed for your language needs.
(Offline)

10-23-2005, 12:30 PM	#9
Saiasanc Registered User Join Date: Sep 2005 Posts: 146	love the filters, Paragon I wonder if Thunderbird supports regex filters....hmmm, have to check and see. I actually use Popfile to catch all my spam. Once you have trained it, it hardly ever misses a spam. You can set it to alter the header with a X-Text-Classification, I then just create a rule that says if the X-Text-Classification header entry = "spam" it automatically routes the mail to my spam folder. --Saiasanc __________________ DFI LanParty UT nF4-D \|\| AMD Athlon 64 X2 4600+ \|\| OCZ 2GB (2 x 1GB) DDR 400 (PC 3200) Unbuffered Dual Channel Platinum (OCZ4002048ELDCPE-K) \|\| BFG Geforce 7800GT 256MB \|\| COOLMAX "SLI" CXI-600B ATX v2.01 600W Power Supply \|\| 2x WD800JD 80GB 7200 RPM Serial ATA150 (Raid 0)
(Offline)

10-23-2005, 12:45 PM	#10
Gavsman Registered User Join Date: Jun 2004 Posts: 2,553	spam is too much in my mail but can anyone tell me how these filters work plz ? __________________ knock konk i am in abxzone
(Offline)

10-23-2005, 03:26 PM	#11
PCBruiser Registered User Join Date: Nov 2003 Posts: 13,497	Look at each filter's title. That is your clue as to what it is filtering. The simplist is the first one - that simply identifies that any email it says is "good" is addressed to one of your valid email addresses. Everything else it rejects. The second one is very complex and does several different things, but each of those things is trying to determine if the email is spam or not. It looks for spam which the sender labels "sexually explicit" as is required in the US, including several variations such as deliberate misspellings. It checks for things like bulk mail indicators, spam indicators set by filtering systems like Brightmail (used by many ISPs), several error messages and finally, possibly spoofed senders or zombies via examining the HELO in most email. I am not going to go through them one-by-one, they cover too much ground. If you are going to use RegEx filters, you are going to have to learn something about them to customize them to your needs. Edit: Remember to test each filter. Depending on many factors, some may not work properly for you while working properly for me. An example: Filter 3 checks for correct character encoding for me, i.e., standard English. If I receive an email in Russian - it is spam. If, however, you are Russian, receiving an email in Russian doesn't automatically qualify it as spam but one in English might, so that filter must be changed depending on each of our circumstances. Last edited by PCBruiser; 10-23-2005 at 03:36 PM..
(Offline)

10-24-2005, 12:03 AM	#13
SupDawg Registered User Join Date: Jun 2002 Posts: 7,090	While I don't get much spam on my main email, does anyone know if there are some filters that will work with Outlook 2k3? I get about 5 spam emails a week... But still, that is too many. __________________ The views expressed in this electronic dialogue are mine alone. "All physics are belong to me. " Kongo
(Offline)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode