3
Using Declude - setup basics
Problem reported by Steve Guluk - 2/9/2018 at 9:55 AM
Submitted
Hello, 
Is anyone using Declude and found documentation on installation and writing your own rules?
I've reviewed (http://mailsbestfriend.com/downloads/docs/Declude_JunkMail_Manual.pdf) but don't see any references to the PATH variable or writing rules formatting.

For instance, where is the [PATH] variable set since it fails to find "blacklistip.txt" using:
[PATH \blacklistip.txt  <-- default setting
or
[PATH ]\blacklistip.txt 
 
Log results:
02/09/2018 08:43:57.575 75196965 fromfile: Could not load [PATH]\blacklist.txt [3].
02/09/2018 08:43:57.778 75196965 Could not load ipfile [PATH]\blackip.txt.
 
And then when uncommenting rules the same issue happens:
 
FILTER-ADULT filter declude\filters\FILTER-ADULT.txt x 0 0
FILTER-DRUGS filter declude\filters\FILTER-DRUGS.txt x 0 0
FILTER-MEDICAL filter declude\filters\FILTER-MEDICAL.txt x 0 0
OR
FILTER-ADULT filter     [PATH]\Declude\filters\FILTER-ADULT.txt x 0 0
FILTER-DRUGS filter     [PATH]\Declude\filters\FILTER-DRUGS.txt x 0 0
FILTER-MEDICAL filter     [PATH]\Declude\filters\FILTER-MEDICAL.txt x 0 0
 
 
Resulting log records:
02/09/2018 08:44:35.139 75196968 Could not load filter file [PATH]\Declude\filters\FILTER-ADULT.txt.
02/09/2018 08:44:35.139 75196968 Could not load filter file [PATH]\Declude\filters\FILTER-DRUGS.txt.
02/09/2018 08:44:35.139 75196968 Could not load filter file [PATH]\Declude\filters\FILTER-MEDICAL.txt.

26 Replies

0
Linda Pagillo Replied
Hi Steve. The [PATH] is the path to the filters you are using or want to use. For example, if you have Declude filters located at C:\Smartermail\Declude\Filters, your lines in the global.cfg should look like this...
 
FILTER-ADULT filter     C:\Smartermail\Declude\filters\FILTER-ADULT.txt x 0 0
FILTER-DRUGS filter     C:\Smartermail\Declude\filters\FILTER-DRUGS.txt x 0 0
FILTER-MEDICAL filter     C:\Smartermail\Declude\filters\FILTER-MEDICAL.txt x 0 0
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
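
A check for the failure described above, as an added example that is not part of either post and is not Declude code: it scans a Declude-style configuration for file references that still contain the literal [PATH] placeholder, use a relative path, or point at a file that does not exist. The function name `lint_config`, the .txt-only path pattern and the sample configuration are assumptions of this example.

```python
import os
import re
from pathlib import PureWindowsPath

# "[PATH]" in the shipped config is a placeholder to replace by hand, not a
# variable. The pattern also catches the "[PATH" and "[PATH ]" variants
# quoted in the question.
PLACEHOLDER = re.compile(r"\[PATH\s*\]?", re.IGNORECASE)
# Assumption of this example: referenced files are .txt paths without spaces.
TXT_PATH = re.compile(r"\S+\.txt\b", re.IGNORECASE)


def lint_config(text, exists=os.path.exists):
    """Return (line_number, problem, detail) for each suspicious file reference.

    `exists` is injectable so the check can be exercised off the mail server.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line
        if PLACEHOLDER.search(line):
            findings.append((number, "placeholder", line))
            continue
        match = TXT_PATH.search(line)
        if not match:
            continue  # line does not reference a file
        path = match.group(0)
        if not PureWindowsPath(path).is_absolute():
            findings.append((number, "relative", path))
        elif not exists(path):
            findings.append((number, "missing", path))
    return findings


# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_CFG = r"""# constructed sample configuration
FILTER-ADULT filter [PATH]\Declude\filters\FILTER-ADULT.txt x 0 0
FILTER-DRUGS filter declude\filters\FILTER-DRUGS.txt x 0 0
FILTER-MEDICAL filter C:\Smartermail\Declude\filters\FILTER-MEDICAL.txt x 0 0
FILTER_COUNTRY filter C:\Smartermail\Declude\filters\FILTER_COUNTRY.txt x 0 0
"""

# Constructed stand-in for the file system: only this file "exists".
SAMPLE_PRESENT = {r"C:\Smartermail\Declude\filters\FILTER-MEDICAL.txt"}


def sample_findings():
    return lint_config(SAMPLE_CFG, exists=lambda p: p in SAMPLE_PRESENT)


if __name__ == "__main__":
    for number, problem, detail in sample_findings():
        print(f"line {number}: {problem}: {detail}")
```

On the mail server itself, call `lint_config(open(path_to_cfg).read())` so the default `os.path.exists` check runs against the real disk.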
0
Steve Guluk Replied
Yes, I figured that out though originally thought it a variable...

One issue I did have was following an Anti Spam sheet that was to replace Bruce Barnes sheet but IF you also use Declude those same settings are present in the default declude scans. Hence, Double Points!

In other words, we were running the same rules twice so incurring higher than expected spam points.
0
Linda Pagillo Replied
Yes, that is correct. You should either use Declude or the settings in our white paper, but not both because double scores will happen. The sheet is for people who are not using Declude :)
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Steve Guluk Replied
Linda, Any tips for using Declude to screen Countries? For instance I want to exclude Germany from incoming emails.

MAIL DETAIL:
X-Country-Chain: GERMANY->destination

Is it simply a matter of allowing FILTER-COUNTRY.txt and then uncommenting:

#GERMANY
COUNTRIES 0 CONTAINS DE
MAILFROM 0 ENDSWITH .de

Do the zeros then take on our weight value?
0
Linda Pagillo Replied
Hi Steve. Yes, it's a simple matter of allowing the FILTER-COUNTRY to run and then uncommenting those lines. Yes, the zeros are the weight value. If you want to completely filter out all email from Germany, you would need to make those values higher than your delete weight. Also, at the top of the filter you will see this line... MAXWEIGHT 10... that means that the maximum weight this filter will apply if triggered is 10. You may want to comment out that line or change it to a value which matches whatever weight you choose for Germany.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Steve Guluk Replied
Hi Linda, thanks for the details on Filter Syntax

I found the following in the Country Filter:

#GERMANY
#COUNTRIES 0 CONTAINS DE
#MAILFROM 0 ENDSWITH .de

Though I updated it to use the Perl RegEx:

# ---------------------- #
#GERMANY
COUNTRIES 10 PCRE (DE)
MAILFROM 5 ENDSWITH .de
COUNTRY 3 PCRE (DE)
REVDNS 3 PCRE (?i:\.de$)
MAILFROM 2 PCRE (?i:\.de$)
HELO 2 PCRE (?i:\.de$)

# ---------------------- #

Looking at my filter today I see it reverted and there is a backup called:
"FILTER-COUNTRY_safe_save_161444.txt"

I'm expecting this is due to an update to the Filters on your side? I do have a Cron / Windows Task set to update the Filters. I'll disable that if it is creating a case where changes are overwritten.

Couple Questions, I created a custom filter (based on the porn filter) as follows:

_______________________________________________________________________________

#LAST UPDATED 2/23/2018
#SKIPIFWEIGHT 25
MINWEIGHTTOFAIL 4

TESTSFAILED 3 PCRE (SNIFFER-PORN)

#--------------------------------------------------------------------#
# EXCEPTIONS #
#--------------------------------------------------------------------#
TESTSFAILED END PCRE (IADB|BONDEDSENDER|GOOD-REVDNS)
BODY END PCRE (?i:Content-Transfer-Encoding\: base64)

#--------------------------------------------------------------------#
# MAILFROM #
#--------------------------------------------------------------------#
MAILFROM 20 PCRE (?i:adultmailer-bounces@)

#--------------------------------------------------------------------#
# SUBJECT #
#--------------------------------------------------------------------#

SUBJECT 15 PCRE (?i:(Shark Tank))

#--------------------------------------------------------------------#
# BODY #
#--------------------------------------------------------------------#
BODY 30 PCRE (?i:\https://www.exclaimer.com/email-signature-handbook/\b)

_______________________________________________________________________________

"TESTSFAILED 3 PCRE (SNIFFER-PORN)"
Does this pertain to IF Sniffer is running and has encountered 3 positive hits as spam, and if so ignore this Filter?

The only filter lines I care about are the Subject where I have this coded to look for "Shark Tank" without regards to Capitalization (?i:)
Also check the Body for the noted string as I found a large number of emails having that pattern for obfuscation.

SIDE NOTE:
How hard would it be to create a filter that looks for repeating patterns that would be useful as the "obfuscation" patterns are used to thwart common anti-spam filters. If we could have a Filter that looked for X number of Characters that "repeat" we could catch a lot more Spam.

For instance: IF repeat chars x = Y, length = Z then Weight = W
So if we set "repeat chars" as 3 then "length" = 24 and Weight = 15
we would have a rule that looks for a repeating pattern of 24 characters found to repeat 3 times, then we assign a weight of 15. The "length" Content/Pattern would have to be a dynamic variable which is likely the issue that makes this difficult to create.

I keep finding content like the following which is a bunch of random characters or repeating html then a Dictionary Word appended to each line:

....<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:CHCO
<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:RESUMO
<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:MARTES
<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:insecure
<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:pencils
<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:semiconductor
<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:eugenio
<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:moedas
<img class="EmojiInsert" id="OWAEmoji147586" alt="?" style="font-family: "Gothic, Arial, Comic-Sans"Apple Color Emoji", " "Segoe UI Symbol", Android Oreo, font-size: 22px; vertical-align: top;" src="cid:peels ...

I'll be happy when someone figures out how to use BlockChain as a mini SmartContract to validate legitimate emails prior to delivery... :-)

0
Linda Pagillo Replied
Hi Steve. To answer your questions...

1.) In reference to your FILTER-COUNTRY being overwritten... I apologize, I should have mentioned this before... If you have a Windows Task set up to download the new filters from our website each day, anything you change will be overwritten. The best thing to do would be to name your current FILTER-COUNTRY.txt to FILTER_COUNTRY.txt so that it does not get overwritten when a new FILTER-COUNTRY.txt is downloaded automatically. Also, remember to change the line in your global.cfg for the filter to...

FILTER_COUNTRY filter [PATH]\Declude\filters\FILTER_COUNTRY.txt x 0 0

2.) In reference to "TESTSFAILED 3 PCRE (SNIFFER-PORN)". If you are using the external Message Sniffer within Declude, you can break it down into specific tests such as SNIFFER-PORN, SNIFFER-SPAMWARE, SNIFFER-SCAMS etc... If you have your external Sniffer set up this way and you are using the porn filter in Declude and it is triggered, the TESTSFAILED 3 PCRE (SNIFFER-PORN) line will add 3 points to a message if SNIFFER-PORN is triggered as well.

3.) Is there a specific, repetitive string that you want to block currently, or are you simply asking if this is possible with Declude filters?
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Steve Guluk Replied
Thanks Linda,
As far as a "repetitive string" I was only floating the idea that a dynamic solution would be likely since the whole point of these dictionary words and random character strings is to get around spam filters.

Here is one I got today :


I already had a rule looking for :
(}>}**})_)\}}#*{)}})*^)]>*)?}}^{\}}!^{{}*:>{*<{}/}*}}}(){)^]^}

But as I see their patterns change, and it looks random, it's unlikely we can create a rule that would catch these (unless it was dynamic matching looped strings).

Thanks again for your reply.
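
The rule floated in the side note above (a pattern of length 24 repeating 3 times earns weight 15) and the "dynamic matching looped strings" idea in this post, written out as an added Python example; it is not part of any post in this thread and is not a Declude filter. The function names, the whitespace normalisation, the distinct-character guard and the size cap are assumptions of this example, and the sample bodies are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RepeatResult:
    weight: int    # points to add to the message score (0 = no hit)
    shingle: str   # most-repeated substring found, "" if none
    count: int     # non-overlapping occurrences of that substring


def repeated_shingles(body, length=24, min_repeats=3, min_distinct=4):
    """Map each `length`-char substring seen >= min_repeats times to its count.

    The substring is not known in advance: every window of the body is a
    candidate, which is what makes the rule "dynamic".
    """
    text = " ".join(body.split())      # collapse newlines and runs of spaces
    counts = defaultdict(int)
    next_free = {}                     # index from which a shingle may count again
    for i in range(len(text) - length + 1):
        s = text[i:i + length]
        if i >= next_free.get(s, 0):   # ignore matches that overlap themselves
            counts[s] += 1
            next_free[s] = i + length
    # Guard: separator lines such as "=====" repeat trivially, so require a
    # minimum number of distinct characters inside the shingle.
    return {
        s: c for s, c in counts.items()
        if c >= min_repeats and len(set(s)) >= min_distinct
    }


def score_repeats(body, length=24, min_repeats=3, weight=15, max_chars=200_000):
    """Apply the rule: any qualifying repeated shingle adds `weight` once."""
    hits = repeated_shingles(body[:max_chars], length, min_repeats)
    if not hits:
        return RepeatResult(0, "", 0)
    best = max(hits, key=hits.get)     # first shingle with the highest count
    return RepeatResult(weight, best, hits[best])


# Constructed samples: filler markup repeated with a dictionary word appended
# to each line, a short legitimate message, and a plain separator line.
FILLER = '<img src="image" alt="constructed-sample" style="width:304px;height:228px;">'
SPAM_BODY = "\n".join(FILLER + w for w in ("abandon", "accounts", "acid", "actor"))
HAM_BODY = (
    "Hi Steve, the February invoice is attached.\n"
    "Let me know if you have questions.\n"
    "Thanks, Pat"
)
RULE_BODY = "=" * 200


if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("ham", HAM_BODY), ("rule", RULE_BODY)):
        print(name, score_repeats(body))
```

Legitimate HTML mail also repeats markup (table rows, list items), so the result is best treated as one weight among several and tuned against known-good mail before it counts toward a hold or delete threshold.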
0
Linda Pagillo Replied
Do you have any other examples of this? If yes, can you post the headers from a few messages like this? I may have a better solution for you.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Steve Guluk Replied
Here is another that just came in (header plus a few lines of repeating obfuscation and appended with a dictionary word):

Return-Path: <contact@symset.artoat.com>
Received: from symset.artoat.com (symset.artoat.com [204.12.220.6]) by mail.sgdesign.net with SMTP;
Mon, 26 Feb 2018 08:33:08 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=0d2c848; d=symset.artoat.com;
h=MIME-Version:From:Message-id:To:Subject:Content-Type:Date; i=contact@symset.artoat.com;
bh=hsNi6PeMcxxKtws3xxreIUB6kaGW5qTHPBWAnXl7sJw=;
b=Ej95uinYG9xW2sQwWOnxzgyNAzR9dCNnVjGVxaesroBIIsOghR49WlmE6VJvxZcIyLaVnquW8QLG
gdjbYLkK+kP9kg4PiSqL4K+UBmrh1c3xC4oASNzaFACvSSU6+2VHzTBoJREMsiAIgPAQGlqRVxj8
TOhq61JVbhxisgzd0KA=
Received: from localhost (127.0.0.1) by symset.artoat.com id higrf816lt00 for <steve@sgdesign.com>; Mon, 26 Feb 2018 11:33:51 -0500 (envelope-from <contact@symset.artoat.com>)
MIME-Version: 1.0
From: RateSite Refi Notice: 26-02-2018<contact@symset.artoat.com>
Message-id: <ca1d640c3a31faedbe5ae8706771c873@symset.artoat.com>
To: steve@sgdesign.com
Subject: Rates drop to new lows, Don't Miss Out
Content-Type: text/html
Date: Mon, 26 Feb 2018 11:33:51 -0500
X-Declude-Sender: contact@symset.artoat.com [204.12.220.6]
X-Declude-Spoolname: 62651523.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [2] at 08:33:12 on 26 Feb 2018
X-Declude-Tests: SPAMHEADERS [3]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: 4000100e
X-HELO: symset.artoat.com
X-Identity: 204.12.220.6 | symset.artoat.com | symset.artoat.com
X-SmarterMail-Spam: SPF_Pass, Barracuda - BRBL, Bayesian Filtering, DKIM_Pass, Custom Rules [], Declude: 2
X-SmarterMail-TotalSpamWeight: 21

<table width="900" border="0" cellpadding="0" cellspacing="0" align="center"><tr><td align="center">
<a href="http://intimtch.com/ud.php?aQ==mMFlHgqHH1H1dH1mq/fLMkedqKkuKqbdJJJJKEZhR/b=qGUTJHB8QdiSOWiHN|Nq/KFhLheuLqWiCTFAYl"></a>
<a href="http://intimtch.com/ud.php?Zw==mMFlHgqHH1H1dH1mq/fLMkedqKkuKqbdJJJJKEZhR/b=qGUTJHB8QdiSOWiHN|Nq/KFhLheuLqWiCTFAYl"></a>
<a href="http://intimtch.com/ud.php?cg==mMFlHgqHH1H1dH1mq/fLMkedqKkuKqbdJJJJKEZhR/b=qGUTJHB8QdiSOWiHN|Nq/KFhLheuLqWiCTFAYl"><img src="http://intimtch.com/4001/id7478Ratesitev2n1.jpg"></a><p>;
<a href="http://intimtch.com/ud.php?bw==mMFlHgqHH1H1dH1mq/fLMkedqKkuKqbdJJJJKEZhR/b=qGUTJHB8QdiSOWiHN|Nq/KFhLheuLqWiCTFAYl"><img src="http://intimtch.com/4001/ID7478RateSiteUNS.jpg"></a><p>;
</tr>
</table>

<style>
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">abandon
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">abrams
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">accommodate
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">accordance
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">accounts
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">acid
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">acknowledges
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">actor
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">actors
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">addiction
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">addressed
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">adjust
<img src="image" alt="speakyourmigraine/your-doctor-knows-best" style="width:304px;height:228px;">Adobe
0
Steve Guluk Replied
Another:

Return-Path: <contact@rau.premierldings.net>
Received: from rau.premierldings.net (rau.premierldings.net [74.63.248.84]) by mail.sgdesign.net with SMTP;
Mon, 26 Feb 2018 06:48:21 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=d6b1195; d=rau.premierldings.net;
h=MIME-Version:From:To:Subject:Content-Type:Date; i=contact@rau.premierldings.net;
bh=dXISnCh+nVICWoi4VMiwwfPWOIhr8YqxBw11jsT4hWc=;
b=N36vb9tge+KzKh7lalT/T0ouXOqduODZTMotv8LpRIkdHJJK5itVuB1FvUyIxlI1aWZVmVApt+tu
ly3wHTi95cEsaCAe4RlI1mWhvkEP43d+DGhDMSvDZk3wTZBKXfha++d4fIWHW2TGhxVxBp1PZpCR
PBrgo/mYUk7Ibo8iThc=
Received: from localhost (127.0.0.1) by rau.premierldings.net id higf3a16lt0q for <steve@sgdesign.com>; Mon, 26 Feb 2018 09:48:15 -0500 (envelope-from <contact@rau.premierldings.net>)
MIME-Version: 1.0
Precedence: Normal
From: Lowermybills.com<contact@rau.premierldings.net>
To: steve@sgdesign.com
Subject: [Spam--14] :Less than 16 Months LEFT! If you OWE LESS than $625,000 on your HOME, use the President's REFI Program.
Content-Type: text/html
Date: Mon, 26 Feb 2018 09:48:15 -0500
X-Declude-Sender: contact@rau.premierldings.net [74.63.248.84]
X-Declude-Spoolname: 62650970.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [17] at 06:48:25 on 26 Feb 2018
X-Declude-Tests: SPAMHEADERS [3], SUBSPACE-12 [5], SUBSPACE-15 [6], SUBSPACE-17 [7], WEIGHT10 [10], WEIGHT14 [14]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: 4000100e
X-HELO: rau.premierldings.net
X-Identity: 74.63.248.84 | rau.premierldings.net | rau.premierldings.net
Message-ID: <f5be03986c7e4e0fa567882824ff750a@com>
X-SmarterMail-Spam: SPF_Pass, DKIM_Fail, Declude: 17
X-SmarterMail-TotalSpamWeight: 22

<CENTER>
<CENTER><a href="http://74.63.248.82//click.php?r-GrUFV5cEUArXAXRAFEcRqrrBqcqHE|Xc/nWffffgyzoZcUqif|kNEe6v6cgUoqoH|qcMhaxUkpF72568"><br><img src="http://74.63.248.82/4001/trail20226lower125957.jpg"></a></CENTER>;
<CENTER><a href="http://74.63.248.82//click.php?o-GrUFV5cEUArXAXRAFEcRqrrBqcqHE|Xc/nWffffgyzoZcUqif|kNEe6v6cgUoqoH|qcMhaxUkpF72568"><br><img src="http://74.63.248.82/4001/trail20226lower125957_uns.jpg"><h3></a></CENTER>;
<CENTER><a href="http://74.63.248.82//click.php?u-GrUFV5cEUArXAXRAFEcRqrrBqcqHE|Xc/nWffffgyzoZcUqif|kNEe6v6cgUoqoH|qcMhaxUkpF72568"><img src="http://74.63.248.82//he609-1.png"></a></CENTER>;
<CENTER><a href="http://74.63.248.82//click.php?g-GrUFV5cEUArXAXRAFEcRqrrBqcqHE|Xc/nWffffgyzoZcUqif|kNEe6v6cgUoqoH|qcMhaxUkpF72568"style='display:none'></a></CENTER>
<CENTER><img src="http://74.63.248.82//click.php?i-GrUFV5cEUArXAXRAFEcRqrrBqcqHE|Xc/nWffffgyzoZcUqif|kNEe6v6cgUoqoH|qcMhaxUkpF72568"width=1/> </CENTER>
</CENTER>

<style>
0
Linda Pagillo Replied
Steve, the first example had a score of 21 - X-SmarterMail-TotalSpamWeight: 21
The second example had a score of 22 - X-SmarterMail-TotalSpamWeight: 22

At what score are you holding or deleting spam?
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Steve Guluk Replied
Linda, 15 is moved to Junk Mail and 30 is deleted.
0
Linda Pagillo Replied
Were these messages moved to Junk E-Mail or did they land in the Inbox?
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Steve Guluk Replied
They properly moved to the Junk Email box...
0
Steve Guluk Replied
Another:

Return-Path: <contact@ohris.cluballenge.com>
Received: from ohris.cluballenge.com (ohris.cluballenge.com [136.243.202.115]) by mail.sgdesign.net with SMTP;
Mon, 26 Feb 2018 10:57:26 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=68a2ab8; d=ohris.cluballenge.com;
h=MIME-Version:From:To:Subject:Content-Type:Date; i=contact@ohris.cluballenge.com;
bh=7BNBaUNn8z3GAEITr96Sr2lxv27VhyAa+jZ27KTqzeY=;
b=OZFnFgyX9ie/fEi0qXxmdK+vPgaP02E7STfg7t9udikZPPA9xNhZ4Kx5goC6NJzWtYqH1aKb+hnz
tTXmv9u35sR0lLZaokFHbq6rx20G4vp/FbB18tAdrTNsqC0GRksWe+gaxFTsJKtTiWagC9qmvxyf
/+GLc40UG6aO34MqIlQ=
Received: from localhost (127.0.0.1) by ohris.cluballenge.com id hihc9c16lt0k for <steve@sgdesign.com>; Mon, 26 Feb 2018 13:57:23 -0500 (envelope-from <contact@ohris.cluballenge.com>)
MIME-Version: 1.0
Precedence: Normal
From: Timeshare Expert<contact@ohris.cluballenge.com>
To: steve@sgdesign.com
Subject: [Spam--10] :Get your Timeshare Market Analysis
Content-Type: text/html
Date: Mon, 26 Feb 2018 13:57:23 -0500
X-Declude-Sender: contact@ohris.cluballenge.com [136.243.202.115]
X-Declude-Spoolname: 62652422.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [12] at 10:57:31 on 26 Feb 2018
X-Declude-Tests: SPAMHEADERS [3], FILTER-COUNTRY [13], WEIGHT10 [10]
X-Country-Chain: GERMANY->destination
X-Declude-Code: 4000100e
X-HELO: ohris.cluballenge.com
X-Identity: 136.243.202.115 | ohris.cluballenge.com | ohris.cluballenge.com
Message-ID: <0af3d9bf32a64368a030ffe6d860b814@com>
X-SmarterMail-Spam: SPF_Pass, DKIM_Fail, Declude: 12
X-SmarterMail-TotalSpamWeight: 16

<CENTER>
<CENTER><a href="http://136.243.202.115//click.php?r-GrUFV5cRRAXrAVUAHrcRqrHqRcqHE|Xc/nWffffgyzoZcUqif|.Nwe7NrWrZqcgUoqoH|qcMhaxUkpF36107"><br><img src="http://136.243.202.115/4001/cx33626timeshare1.jpg"></a></CENTER>;
<CENTER><a href="http://136.243.202.115//click.php?o-GrUFV5cRRAXrAVUAHrcRqrHqRcqHE|Xc/nWffffgyzoZcUqif|.Nwe7NrWrZqcgUoqoH|qcMhaxUkpF36107"><br><img src="http://136.243.202.115/4001/cx33626timeshare_uns.jpg"><h3></a></CENTER>;
<CENTER><a href="http://136.243.202.115//click.php?u-GrUFV5cRRAXrAVUAHrcRqrHqRcqHE|Xc/nWffffgyzoZcUqif|.Nwe7NrWrZqcgUoqoH|qcMhaxUkpF36107"><img src="http://136.243.202.115//he609-1.png"></a></CENTER>;
<CENTER><a href="http://136.243.202.115//click.php?g-GrUFV5cRRAXrAVUAHrcRqrHqRcqHE|Xc/nWffffgyzoZcUqif|.Nwe7NrWrZqcgUoqoH|qcMhaxUkpF36107"style='display:none'></a></CENTER>
<CENTER><img src="http://136.243.202.115//click.php?i-GrUFV5cRRAXrAVUAHrcRqrHqRcqHE|Xc/nWffffgyzoZcUqif|.Nwe7NrWrZqcgUoqoH|qcMhaxUkpF36107"width=1/> </CENTER>
</CENTER>

<style>

Etc etc
0
Linda Pagillo Replied
Thanks for the samples. Since these messages are already moved to the Junk E-Mail folder, I'm assuming you want to stop them completely from landing in any folder and that is why you are inquiring about a filter? I just want to make sure I understand your end-goal. I noticed that all of these examples have one thing in common... they all triggered Declude's SPAMHEADERS test. The SPAMHEADERS test checks the email for headers that are common in spam, but not common in legitimate email. This test is very similar to the BADHEADERS test, except the problems this test looks for are not RFC violations, so there's a good chance the test will catch a small amount of legitimate email (typically mail sent from mail clients written by webmasters rather than programmers). In my experience, this test catches very little legit email. Since this is the case, what I can do is write a filter that will trigger on all email which fails the SPAMHEADERS test and I can show you how to tell Declude to move it to a folder so you can review the messages. If you see that the messages that are triggered are consistently spam, I can then show you how to configure Declude to delete the messages instead of sending them to a folder for review. Are you open to giving this a try?
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
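For the review step described in the reply above, the following is an added example, not part of the original post and not Declude's own tooling. It reads the `X-Declude-Tests` and `X-Declude-Scan` headers from saved messages and splits them by whether SPAMHEADERS fired. The function names are hypothetical, the first sample reuses headers from the message posted in this thread, and the second sample is constructed for contrast.

```python
import re
from collections import Counter
from email import message_from_string

# Sample 1: headers copied from the message posted in this thread.
# Sample 2: constructed for contrast (not from the thread).
SAMPLES = [
    "Subject: [Spam--10] :Get your Timeshare Market Analysis\n"
    "X-Declude-Scan: Incoming Score [12] at 10:57:31 on 26 Feb 2018\n"
    "X-Declude-Tests: SPAMHEADERS [3], FILTER-COUNTRY [13], WEIGHT10 [10]\n"
    "X-Country-Chain: GERMANY->destination\n"
    "\n<CENTER>...</CENTER>\n",
    "Subject: Invoice for March\n"
    "X-Declude-Scan: Incoming Score [2] at 11:02:10 on 26 Feb 2018\n"
    "X-Declude-Tests: FILTER-COUNTRY [2]\n"
    "\nbody\n",
]

# "NAME [weight]" pairs as they appear in X-Declude-Tests.
TEST_RE = re.compile(r"([A-Za-z0-9_-]+)\s*\[(-?\d+)\]")
# "Score [n]" as it appears in X-Declude-Scan.
SCORE_RE = re.compile(r"Score\s*\[(-?\d+)\]")


def declude_results(raw):
    """Return subject, score and {test: weight} for one raw message."""
    msg = message_from_string(raw)
    tests = {
        name: int(weight)
        for name, weight in TEST_RE.findall(msg.get("X-Declude-Tests", ""))
    }
    match = SCORE_RE.search(msg.get("X-Declude-Scan", ""))
    score = int(match.group(1)) if match else None
    return {"subject": msg.get("Subject", ""), "score": score, "tests": tests}


def tally(raws, test_name="SPAMHEADERS"):
    """Split messages by whether test_name fired; count all tests seen."""
    hits, misses, counts = [], [], Counter()
    for raw in raws:
        result = declude_results(raw)
        counts.update(result["tests"].keys())
        bucket = hits if test_name in result["tests"] else misses
        bucket.append(result["subject"])
    return hits, misses, counts


if __name__ == "__main__":
    hits, misses, counts = tally(SAMPLES)
    print("SPAMHEADERS fired:", hits)
    print("SPAMHEADERS did not fire:", misses)
    print("Tests seen:", dict(counts))
```

Reading the subjects in the first list is the manual check for false positives before changing the action from move-to-folder to delete.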
0
Steve Guluk Replied
Let's give it a try... Customers are already complaining about having to deal with a new Junk E-Mail folder...
0
Linda Pagillo Replied
Sounds like a plan. I will speak with you via direct email to help you get this set up and then we can report back here to let everyone know if it worked or not and then I can share what I did with the community. I just don't want to clog up the thread with configurations if they don't work for you. :)
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
J Lee Replied
Hi Steve

Have you had any luck having Declude block shell command pdf files?
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
0
Linda Pagillo Replied
Hey Steve!

Please send me the headers from a message that made it through and we will review.

Thanks!
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
J Lee Replied
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
0
Linda Pagillo Replied
Unfortunately we do not. You may want to check their docs and see what directives they have. Once you figure out what works for you, you will need to add the line to your virus.cfg file in order for Declude to call the scanner.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
J Lee Replied
Hi Linda

How do I uninstall Declude?
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
0
Linda Pagillo Replied
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
karl kapacee Replied
Hello, how do I add the domain or email ID to the "IDS Rule Triggered" information email sent to me?
The IDS rule, Default Brute Force by IP rule, has been triggered by 194.169.175.33. Detection Type: BruteForceByIp

So it would look like:
has been triggered by @domain.com or test@domain.com 194.169.175.33. Detection Type: BruteForceByIp
If possible, can you please send me the variable and the file I need to edit?


