MTA Filtering Not Working Properly

fmaxwell
Posts: 151
Joined: Sat Aug 03, 2002 9:10 am

Post by fmaxwell » Sat Oct 02, 2004 6:39 pm

I have enabled "MailEnable MTA Message Filter" and created a filter called "Chinese Spam." The filter is set up as follows:
Criteria:
Where the subject line contains specific words (Enabled)
Word List: big5

Actions:
Delete Message (Enabled)
Yet the following spam message was delivered to my catchall:
Received: from dale_web_1 ([216.216.134.153]) by anti-spam.org with MailEnable ESMTP; Sat, 02 Oct 2004 12:44:38 -0400
Received: from dodliws ([61.31.128.40]) by dale_web_1 with Microsoft SMTPSVC(6.0.3790.0);
    Sat, 2 Oct 2004 12:48:04 -0400
From: =?Big5?B?qLO9R652?= <nMHak@msa.hinet.net>
To: "undisclosed-recipients" {address deleted for privacy}
Subject: =?Big5?B?t1G9Ry4uLr7jpNG3Uaazpc623D8/?=
Date: Sun, 3 Oct 2004 00:49:41 +0800
Content-Type: text/html;
    charset="big5"
Content-Transfer-Encoding: 8bit
Sender: =?big5?B?qLO9R652?= <nMHak@msa.hinet.net>
Reply-To: ebJrb@mailfb.com
X-MimeOLE:Produced By Mircosoft MimeOLE V6.00.2600.0000
Return-Path:RpveF@mailfb.com
Message-ID: <DALE_WEB_1MaF6D0kve0008a58b@dale_web_1>
X-OriginalArrivalTime: 02 Oct 2004 16:48:05.0208 (UTC) FILETIME=[96898D80:01C4A89F]
Received-SPF: none (anti-spam.org: msa.hinet.net does not designate permitted sender hosts)
X-RCPT-TO: {address deleted for privacy},{address deleted for privacy}

{message body deleted}
So I ran a test. I created another filter for any message containing the word "BLeEB" in the subject.

I sent messages with the subjects:
bleeb
BLeEB
aBLeEB?
Enlarge your bleeb!
Make your bleeb larger!
The three bold-faced ones were deleted, but only two deletions showed up in the filter log while the MTA log showed all three:

Filter Log:
Time Action MessageID Connector Filter Result Account Sender
10/02/04 13:29:35 Start - - - - - -
10/02/04 13:29:43 Executed CF8D732CD864478AB1EB5F9CC059D.MAI SMTP Subject contains BLeEB DELETE anti-spam.org {address deleted for privacy} 10.0.0.10
10/02/04 13:34:43 Executed 8FC6ED924F5847338867EC216B6163.MAI SMTP Subject contains BLeEB DELETE anti-spam.org {address deleted for privacy} 10.0.0.10
MTA Activity Log:
10/02/04 13:29:32 [50061FD4ADF64B4698A8862E5CA4.MAI] from (SMTP) [SMTP:{address/mailbox deleted for privacy}] Mapped Literal
10/02/04 13:29:35 [50061FD4ADF64B4698A8862E5CA4.MAI]:[SMTP] (Subject contains BLeEB DELETE)
10/02/04 13:29:40 [CF8D732CD864478AB1EB5F9CC059D.MAI] from (SMTP) [SMTP:{address/mailbox deleted for privacy}] Mapped Literal
10/02/04 13:29:43 [CF8D732CD864478AB1EB5F9CC059D.MAI]:[SMTP] (Subject contains BLeEB DELETE)
10/02/04 13:30:08 [F33371961A8648049E31FF82968D7C.MAI] from (SMTP) [SMTP:{address/mailbox deleted for privacy}] Mapped Literal
10/02/04 13:33:54 [9B0755B24C87407FAA63A3C1DFB771.MAI] from (SMTP) [SMTP:{address/mailbox deleted for privacy}] Mapped Literal
10/02/04 13:34:41 [8FC6ED924F5847338867EC216B6163.MAI] from (SMTP) [SMTP:{address/mailbox deleted for privacy}] Mapped Literal
10/02/04 13:34:43 [8FC6ED924F5847338867EC216B6163.MAI]:[SMTP] (Subject contains BLeEB DELETE)
Conclusions:

1. The filtering is not case sensitive [good!]
2. The first filter applied causes the daily MTA filtering log to be created but does not record the filter's action [bad!]
3. The filtering has defined "words" as having some kind of delimitation which is not documented [very bad!].


Further testing reveals that words are not recognized if they have certain punctuation after them (commas, periods, question marks, exclamation points). They are recognized if they are between quotes.

So, if you filter on the word "bleeb" in the subject, all of the following messages will get past the filter:

You can have a 9-inch bleeb!
Men all over the world have larger bleebs because of our product.
Enlarge your bleeb.
Do you want a larger bleeb?

I recommend that "words" be changed to "strings" for flexibility, usefulness, and to reduce confusion. By strings, I mean that the ME matches the user string without testing for spaces, punctuation, or other delimiters unless included by the user. If I create the string "tick", then it should match on " tick ", " ticks ", " stick ", and " sticks ".
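
A small model of the behaviour reported in the post above, added here as an illustration and not taken from the thread or from MailEnable. `word_match` assumes whitespace-delimited tokens (the thread establishes only the observed results, not the product's algorithm), `string_match` is the substring behaviour the post proposes, and `declared_charsets` is a hypothetical helper that reads the charset named in RFC 2047 encoded-words such as the Big5 subject.

```python
from email.header import decode_header

# Test subjects from the post; the last constant is the raw Subject header
# of the delivered spam, copied from the headers quoted in the post.
SUBJECTS = [
    "bleeb", "BLeEB", "aBLeEB?", "Enlarge your bleeb!", "Make your bleeb larger!",
]
RAW_BIG5_SUBJECT = "=?Big5?B?t1G9Ry4uLr7jpNG3Uaazpc623D8/?="


def word_match(word, text):
    """Assumed model of the observed 'word' behaviour: case-insensitive
    comparison against whitespace-delimited tokens, surrounding quotes ignored."""
    tokens = (t.strip("\"'") for t in text.lower().split())
    return word.lower() in tokens


def string_match(needle, text):
    """The 'strings' behaviour proposed in the post: case-insensitive substring."""
    return needle.lower() in text.lower()


def declared_charsets(raw_header):
    """Charsets named in the RFC 2047 encoded-words of a raw header value."""
    return {charset for _, charset in decode_header(raw_header) if charset}


def compare(word, subjects):
    """Return {subject: (word_match, string_match)} for side-by-side review."""
    return {s: (word_match(word, s), string_match(word, s)) for s in subjects}


if __name__ == "__main__":
    for subject, (as_word, as_string) in compare("bleeb", SUBJECTS).items():
        print(f"{subject!r:28} word={as_word!s:5} string={as_string}")
    print("big5 as word:  ", word_match("big5", RAW_BIG5_SUBJECT))
    print("big5 as string:", string_match("big5", RAW_BIG5_SUBJECT))
    print("charsets:      ", declared_charsets(RAW_BIG5_SUBJECT))
```

Under this model the encoded subject is a single token, `=?Big5?B?...?=`, so the word "big5" never equals it, while a substring test or a check on the declared charset does catch it.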

mammdo
Posts: 35
Joined: Tue Nov 16, 2004 7:21 pm
Location: México

Post by mammdo » Sat Aug 06, 2005 6:37 am

Hello fmaxwell

You can use this to detect it:

bleeb*

simonhoatson
Posts: 4
Joined: Sat Aug 27, 2005 5:59 am
Location: Sydney, Australia

Post by simonhoatson » Sat Aug 27, 2005 6:10 am

I can't get filtering to work either!

I set up a filter to mark messages as spam if the message body contains either korma or korma*

Sending a msg with korma in it is successfully marked as spam, but a msg with kormasauce gets through.

I'm using Professional 2.6 (although the Diag report says I'm using Enterprise 1.03 - presumably from a previous installation!).

Does anyone else have trouble filtering with wildcards?

Many thanks
Simon

mammdo
Posts: 35
Joined: Tue Nov 16, 2004 7:21 pm
Location: México

Post by mammdo » Sat Aug 27, 2005 5:48 pm

Did you use korma* on your spam word list?

How is your filter configured in the MailEnable MMC?

simonhoatson
Posts: 4
Joined: Sat Aug 27, 2005 5:59 am
Location: Sydney, Australia

Post by simonhoatson » Sun Aug 28, 2005 12:23 am

Yes - korma* is listed in the spam word list.

Configuration is as follows:

Filter name - Test.
Criteria:
Where the message body contains specific words:
Use short word list:
korma
korma*
Actions:
Mark message as Spam

I know everything else is configured OK because I have some other filters to trap other stuff, and they're working most of the time.

Any help is greatly appreciated.

mammdo
Posts: 35
Joined: Tue Nov 16, 2004 7:21 pm
Location: México

Post by mammdo » Sun Aug 28, 2005 6:34 am

OK, maybe it is from a problem with HTML codes; maybe your body text has something like this:

<font size="1">kormasause</font> in this case: korma* won't match
only if you use *korma*

Look at the source code and see how the korma word is printed.

simonhoatson
Posts: 4
Joined: Sat Aug 27, 2005 5:59 am
Location: Sydney, Australia

Post by simonhoatson » Mon Aug 29, 2005 11:03 am

I appreciate that HTML tags can cause problems. However, all my testing has involved plain text messages.

I have since discovered that if I use an external word list, everything works fine - specifying *korma* catches korma, kormasauce, and lambkorma - both in plain text and in HTML. Why it should work any differently is beyond me.

With renewed hope, I applied this logic to a new filter to catch a piece of spam that I often receive. It's a plain text msg and the body starts with 'Use [SPAM] Soft Tabs.' (I'm sure everyone's seen this one, right :wink: )

But specifying [SPAM] soft tabs* in an external word list refuses to catch it.

I'm confused! :?

mammdo
Posts: 35
Joined: Tue Nov 16, 2004 7:21 pm
Location: México

Post by mammdo » Mon Aug 29, 2005 4:16 pm

Please check that it is not:

Use CiaIis Soft Tabs with an I and not an L

and add an * before it; try with that

I always use the external list with both * in my phrases and never have problems with detections.

simonhoatson
Posts: 4
Joined: Sat Aug 27, 2005 5:59 am
Location: Sydney, Australia

Post by simonhoatson » Tue Aug 30, 2005 8:44 am

Hi mammdo

Well, it's definitely an 'I', and not an 'L' - I even copied the text to a file, then extracted the ASCII code of each letter of the file to make sure.

However, as per your suggestion, I added a '*' to the start of my spam phrase, and initial testing now seems to work fine.

Many thanks for your help and patience :) .
Simon

mammdo
Posts: 35
Joined: Tue Nov 16, 2004 7:21 pm
Location: México

Post by mammdo » Tue Aug 30, 2005 4:25 pm

Perfect!!! :D

Everything to stop spam is well done..
