The MGA With An Attitude
MGAguru.com
WHAT TO DO ABOUT SPAM - Filtering

SPAM -- More to do about Filtering - SP-102

With Eudora e-mail client (free by the way), a right click anywhere on the message (or index line) brings up options to "make filter" keyed on "from", "recipient", or "subject". None of that will be much help, as the real spam messages will almost always have forged headers with randomly assigned information there. You could block 10,000 different "senders" and much of the spam would still get past.

But also in Eudora there is a pull down menu under "Tools" at the top of the window. The first item there is Filters. When I click on that it opens a filter window showing the list of existing filter rules and a more extensive facility to create a new filter rule. This allows the filter to search in the body of the message as well as on any header line. It also allows for multiple instances of search phrases, such as:

If Subject contains "digital cable" or Body contains "digitalcable.com" then Transfer to "Junk mail".

I set filters like this fairly often, as it has a better chance of catching variations on the theme in future spam messages. This is effectively two separate filters combined in a single rule.

When I want to add a new filter rule I run down the list and pick the spot in alphabetical order to insert the new rule. Keeping them in alphanumeric order has some advantages. Occasionally you may notice multiple spams using similar but not identical IDs or links. In that case you might devise a more generic filter rule that will catch them all, including some future spam that may have another slight variation on the theme.

Also there will eventually be a time when you accidentally set a filter rule that will kick out a friendly message as you didn't intend (false positive). You may spend some time to identify the filter rule that actually trapped that message, and delete or modify that rule to fix the problem. It helps to have the filters in order when you have to do this.

I recently added some filter rules that are broadly effective in a generic way. Remember me talking about spammers sometimes inserting comment tags in the body of the message to break up words? Well, they also substitute ASCII or hexadecimal codes in place of keyboard characters. The latter is often done to disguise a URL (the clickable web address), because comment tags are not allowed within the character string of a web address. In many cases the spammer will use ASCII or hexadecimal codes for characters in "www." or in ".com", so they might look like any of these:
Hexadecimal substitution    ASCII substitution (decimal &#nnn; character references, which display as plain "www" or "com" when rendered)

%77%77%77                   &#119;&#119;&#119;
ww%77                       ww&#119;
w%77%77                     w&#119;&#119;
w%77w                       w&#119;w
%77w%77                     &#119;w&#119;
%77%77w                     &#119;&#119;w
%77ww                       &#119;ww

%63%6f%6d                   &#99;&#111;&#109;
co%6d                       co&#109;
c%6f%6d                     c&#111;&#109;
c%6fm                       c&#111;m
%63o%6d                     &#99;o&#109;
%63%6fm                     &#99;&#111;m
%63om                       &#99;om

Adding these 28 filter rules to the list, searching in the body of the message (the plain, unencoded "www" and "com" are not used as rules), will catch a substantial number of the better disguised messages which are otherwise hard to filter. So far this has never produced a false positive, because anyone sending a non-spam message has no reason to do this. And I'm sort of surprised that the spammers would do this to the "www" or "com" text strings, because it's a sure way to be ID'd as spam. I suspect it's a random generator doing this. Maybe with a little luck the spammers won't catch on for a while.
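The two kinds of rule described above (the combined Subject/Body rule for "digital cable", and the 28 substitution rules for disguised "www" and "com") can be expressed in a few lines of code. The following is an added example written for this page, not part of the original article and not Eudora's own filtering code. It assumes plain-text messages in RFC 822 form, constructed sample messages, and Eudora-style folder names "In" and "Junk mail"; instead of 28 separate rules it uses one pattern per word that accepts each letter either as itself, as a %XX hexadecimal code, or as a decimal &#nnn; reference, and flags the match only when at least one letter was encoded.

```python
import re
from email import message_from_string
from email.message import Message

# Rule table: (destination folder, list of (field, substring) conditions).
# Conditions within one rule are OR'd, like Eudora's "or" between clauses.
# This is the page's own example rule, written as data.
RULES = [
    ("Junk mail", [("Subject", "digital cable"), ("Body", "digitalcable.com")]),
]


def message_body(msg: Message) -> str:
    """Return the text of a message; multipart mail is reduced to its text/plain parts."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def rule_matches(msg: Message, conditions) -> bool:
    """True if any (field, substring) condition holds; field is a header name or 'Body'."""
    for field, needle in conditions:
        haystack = message_body(msg) if field.lower() == "body" else (msg.get(field) or "")
        if needle.lower() in haystack.lower():
            return True
    return False


def _letter(ch: str) -> str:
    """Regex for one letter: itself, its %XX hex code, or its decimal &#nnn; reference."""
    code = ord(ch)
    return r"(?:%s|%%%02x|&#%d;)" % (ch, code, code)


def obfuscated_pattern(word: str) -> re.Pattern:
    """Pattern matching every encoded/plain mixture of the letters of `word`."""
    return re.compile("".join(_letter(c) for c in word), re.IGNORECASE)


def find_obfuscated(text: str, words=("www", "com")) -> list:
    """Return each occurrence of a target word in which at least one letter is encoded.

    A plain 'www' or 'com' is never reported, matching the page's advice not to
    filter on the unencoded strings.
    """
    hits = []
    for word in words:
        for m in obfuscated_pattern(word).finditer(text):
            if m.group(0).lower() != word:
                hits.append(m.group(0))
    return hits


def classify(raw: str) -> str:
    """Apply the rule table, then the obfuscation check; return the destination folder."""
    msg = message_from_string(raw)
    for folder, conditions in RULES:
        if rule_matches(msg, conditions):
            return folder
    if find_obfuscated(message_body(msg)):
        return "Junk mail"
    return "In"  # Eudora's inbox


# Constructed sample messages (not real mail) for a quick self-check.
SPAM_SUBJECT = "From: a@example.invalid\nSubject: Get DIGITAL CABLE free\n\nSee site.\n"
SPAM_HEX = "From: b@example.invalid\nSubject: special offer\n\nVisit http://%77%77%77.deals.c%6fm now\n"
HAM = "From: c@example.invalid\nSubject: MGA carburetor question\n\nSee http://www.example.com/ for details\n"

if __name__ == "__main__":
    for name, raw in (("SPAM_SUBJECT", SPAM_SUBJECT), ("SPAM_HEX", SPAM_HEX), ("HAM", HAM)):
        print(name, "->", classify(raw))
```

Running the block prints the folder each sample lands in; the hex sample is caught by the substitution check even though neither its subject nor its body matches the "digital cable" rule, while the plain "www.example.com" in the legitimate message is left alone.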

More notes may be added here as I get more aggressive. All suggestions welcome.

Thank you for your comments -- Send e-mail to <Barney Gaylord>
© 2003 Barney Gaylord -- Copyright and reprint information