Wizcrafts Custom MailWasher Pro Filters discussed here

Wizcrafts
Guardian Gecko
Location: Flint, Michigan, USA
Posts: 276
Joined: Wed Sep 17, 2008 5:37 am

Wed Sep 17, 2008 8:49 am

Greetings to the Forum! I am Wiz, a.k.a. Wizcrafts, the author of Wizcrafts' Custom MailWasher Pro Filters. I was discussing the development of my filters on the CastleCops MailWasher forum (infrequently lately). Now that Firetrust has created a users forum on their own domain (yea!) I will use this location for further discussions about my filter rules. Of course, as long as CastleCops allows the old MWP forum to stay on their server I will also answer any questions posted for me there.

For those of you who are new users of MailWasher Pro, here are the basic things you will need to know to use custom filter rules with the program.
  • MailWasher Pro stores user created filters in a text file named filters.txt
  • That file is found in your logged in (Documents and Settings or Users>Roaming) user profile folder, under Application Data > MailWasherPro. The Application Data directory is normally hidden and you must unhide it using the Folder View Options. You can read details about how to unhide it, here.
  • When you install MailWasher Pro, a new very basic filters.txt is created inside this Application Data sub-directory. This file can either be edited to add new filter rules, or overwritten with one of my downloaded Custom MailWasher Pro Filters. There are currently three separate sets of custom filters on my web page, the differences of which are explained on the web page and in the comments of each filter set. Some of my filters are pretty intense and slow down processing of incoming email. I know about this and try to fix these bottlenecks from time to time.
  • Windows Vista has numerous restrictions on user and program permissions and sometimes does not allow filters.txt to be updated immediately after the initial installation. If this happens to you and the error mentions Access Denied, read this thread to resolve the problem.
  • If you manually edit or add a rule directly into filters.txt and you mistype or fail to include a required character, MailWasher Pro will delete that rule as the program is opened. It is a very prudent idea to always save experimental filter rules in a notepad, or NoteTab work file, in case you need to go over them for errors. If you don't have a backup and MWP deletes a bad rule, you'll have to start from scratch to recreate that rule.
  • The Filters wizard only allows ten input fields for each filter. If you want to add more you must close MWP and manually add the additional rules to the end of the existing one you wish to extend. Always save the existing, working rule to a text file before adding to it, just in case you get it wrong.
Once you begin editing filters.txt there are some very important things to keep in mind.
  1. Do not edit filters.txt while MailWasher Pro is still running. Close it first.
  2. Filter comments are at the top and are preceded by double forward slashes (//). If you try to add your own comments, or copy mine, they will be overwritten when the program is opened. There is nothing I have found to stop comments from being overwritten. The program's stored filters.txt comments are:
    // MailWasher Pro filter settings
    //
    // If you make changes to this file while MailWasher Pro is running,
    // the changes will be overwritten when MailWasher Pro is closed.
  3. Each rule must occupy one (long) line. Turn off Word Wrap in your text editor. Your editor may have character limits that force text to overflow to a second or third line. This is ok as long as the rule doesn't contain any linefeeds until after the end of the last character.
  4. After the end of each rule you must have a linefeed. Start the next rule on the next available line under the previous rule. Do not insert a linefeed after the final rule.
  5. Once the filter rules begin you must not have any blank lines between rules, or after the last rule.
  6. You must not have blank spaces after the last character of any rule.
  7. Pay careful attention to double quotes ("). They are always needed if there are any blank spaces inside a rule or its description areas. As an example, if a rule is named Loans, or contains just the word Loans, then it does not need quotes before and after the Filter name, or Status name, or the portion of the rule only containing that word. However, if the rule is named Loans and Bankruptcy it absolutely must be enclosed inside of double quotes, like this: "Loans and Bankruptcy"
  8. If a part of a rule contains double quotes, like this: "<a href="http://www.example.com">" you must 'escape' the inside quotes by adding a second double quote to each one inside the rule. Thus, the above example would become "<a href=""http://www.example.com"">"
  9. When you create a rule using the Filters box from the program interface, it takes care of all the quotes for you.
To get you started I have a relatively new MailWasher filter rule that deletes spam sent from a Botnet template created in the Thunderbird email client. None of my legitimate contacts use Thunderbird, which is about to be spun off by Mozilla. Furthermore, I "Whitelist" all friendly contacts, placing their email addresses into the MailWasher "Friends List." This overrides the custom filters, unless a rule has been specifically set to: "Overrides the Friends list." Finally, I use the built-in MailWasher Pro Recycle Bin and through it I can restore accidentally deleted friendly email (limited by the number of lines scanned when checking for new mail).

Here is my Thunderbird Spam filter, which currently detects at least 20% of incoming pharmaceutical spam over the last few weeks. It marks for deletion, which you must perform manually. It can be set to automatically delete all incoming spam matching this rule. Change this action using the Filters wizard box.

Note, this forum will wrap the long line of code, but the entire rule should occupy only one long line in filters.txt.

[enabled],"Thunderbird Spam","Thunderbird Spam",16711680,AND,Delete,EntireHeader,contains,"User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)",EntireHeader,contains,"MIME-Version: 1.0"
That's all for now folks!
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
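
An added example, not part of Wiz's post and not MailWasher Pro code: a Python linter that applies the filters.txt editing rules listed in the post above (leading // comments, one rule per line, no blank lines, no leading or trailing whitespace, quotes around fields with spaces, inner quotes doubled). The sample file, the rule names Links and "Escaped OK", and the comma-separated field model (inferred from the rules shown on this page) are assumptions.

```python
"""Lint a MailWasher Pro filters.txt against the editing rules in the post above."""


def split_fields(line):
    """Split one rule line on commas that sit outside double quotes.

    Returns (fields, error); error is None when the quoting is well formed.
    """
    fields, i, n = [], 0, len(line)
    while True:
        if i < n and line[i] == '"':              # quoted field
            i, buf = i + 1, []
            while True:
                if i >= n:
                    return fields, "unterminated double quote"
                if line[i] == '"':
                    if line[i + 1:i + 2] == '"':  # "" is an escaped inner quote
                        buf.append('"')
                        i += 2
                        continue
                    i += 1                        # closing quote
                    break
                buf.append(line[i])
                i += 1
            if i < n and line[i] != ",":
                return fields, "text after closing quote (inner quote not doubled?)"
            fields.append("".join(buf))
        else:                                     # unquoted field
            j = line.find(",", i)
            j = n if j == -1 else j
            raw = line[i:j]
            if '"' in raw:
                return fields, "double quote inside an unquoted field"
            if " " in raw:
                return fields, "blank space in an unquoted field (needs quotes)"
            fields.append(raw)
            i = j
        if i >= n:
            return fields, None
        i += 1                                    # skip the comma


def lint_filters(text):
    """Return a list of (line_number, problem) for a whole filters.txt."""
    problems = []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()          # one linefeed after the final rule is accepted here
    in_comments = True
    for no, line in enumerate(lines, 1):
        line = line.rstrip("\r")                  # tolerate Windows line endings
        if in_comments and line.startswith("//"):
            continue                              # program-written header comments
        in_comments = False
        if not line.strip():
            problems.append((no, "blank line between or after rules"))
            continue
        if line != line.rstrip():
            problems.append((no, "blank space after the last character"))
        if line != line.lstrip():
            problems.append((no, "rule does not start at the left margin"))
        _, err = split_fields(line.strip())
        if err:
            problems.append((no, err))
    return problems


# Constructed sample: line 3 is the Thunderbird rule from the post; the
# remaining rules are made up to trigger one problem each.
SAMPLE = "\n".join([
    "// MailWasher Pro filter settings",
    "//",
    '[enabled],"Thunderbird Spam","Thunderbird Spam",16711680,AND,Delete,'
    'EntireHeader,contains,"User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)",'
    'EntireHeader,contains,"MIME-Version: 1.0"',
    "[enabled],Loans and Bankruptcy,Loans,16711680,OR,Delete,Subject,contains,Loans",
    '[enabled],Links,Links,16711680,OR,Delete,Body,contains,"<a href="http://www.example.com">"',
    "",
    "[enabled],Loans,Loans,16711680,OR,Delete,Subject,contains,Loans ",
    '\t[enabled],"Escaped OK","Escaped OK",16711680,OR,Delete,Body,contains,'
    '"<a href=""http://www.example.com"">"',
]) + "\n"

if __name__ == "__main__":
    for line_no, problem in lint_filters(SAMPLE):
        print("line %d: %s" % (line_no, problem))
```

Running it on a copy of filters.txt before MailWasher Pro is reopened shows which lines break these rules, so a mistyped rule can be corrected from the backup copy.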
Xenophon
It begins with a single step
Posts: 1
Joined: Thu Sep 18, 2008 5:04 am

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Thu Sep 18, 2008 5:14 am

Thank you for the thunderbird filter! Just what I needed. (still got to learn how to make these filters myself).
Wizcrafts

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Fri Oct 03, 2008 6:20 pm

Here's another new filter that catches the current fake ABCNews Newsletter spam that is actually promoting the fake Canadian Pharmacy.

This should be on one long line of code, but is wrapped here.

[enabled],"Fake ABCNews Canadian Pharmacy","Canadian Pharmacy",16711680,AND,Delete,Automatic,Body,contains,"To stop ALL email from ABCNews Newsletters, click here to remove =",Body,contains,&SESSID=3D,EntireHeader,contains,"X-MimeOLE: Produced By Microsoft Exchange V6.5"
It goes hand in hand with this filter for Canadian Pharmacy...

[enabled],"Canadian Pharmacy","Canadian Pharmacy",16711680,OR,Delete,Automatic,Subject,containsRE,Canadian\s?(Pharmacy|p\.h\.a\.r\.m\.a\.c\.y|RX),Body,contains,"Canadian Pharmacy",Body,contains,CanadianPharmacy,Body,contains,"Canadian RX",Body,contains,CanadianRX,Body,contains,"This email was sent by: CMD",Body,containsRE,Canadian.?(Phar?|p\.h\.a\.r\.m\.a\.c\.y)|Canadian\s?Medical\s?Supplies|Pharma?.*(Canada|market)
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
Wizcrafts

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Sun Oct 05, 2008 4:46 am

Here is a custom filter for the latest (10/4/08) Canadian Pharmacy scam, which pretends to come from Fox News.

[enabled],"Fake Fox News Canadian Pharmacy","Canadian Pharmacy",16711680,AND,Delete,EntireHeader,contains,"X-MimeOLE: Produced By Microsoft Exchange V6.5",EntireHeader,doesn'tContain,"Received: from listserv.foxnews.com",Body,contains,"To stop ALL email from FOX News Network",Body,contains,"This email was sent by: FOX News Network"
You can use it as is, set to fully automatic, or remove the word: Automatic, and have to delete manually. I just subscribed to Fox Newsletters and have changed the filter to contain a negative condition in the header that makes the detection of fakes 100% accurate. Should the spammer change the template again I will adjust this filter as soon as possible.

This filter has been added to my published MailWasher Pro Filters web page.

Death to spammers!
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
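
An added example, not Wiz's code and not MailWasher Pro's own matching engine: a Python evaluator that parses the Fox News rule from the post above and runs it against a fake and a genuine newsletter, showing what the negative Received condition contributes. Assumptions: the rule layout (five fixed fields, then actions, then field/operator/value triples) is inferred from the rules on this page; contains is treated as a case-insensitive substring test; the RE operators are approximated with Python's re in case-insensitive, multi-line mode; the sample messages and host names are constructed.

```python
import csv
import re

FIELDS = ("Subject", "Body", "From", "EntireHeader")   # field names seen on this page
OPERATORS = ("contains", "doesn'tContain", "containsRE", "doesn'tContainRE", "is")

# The rule as posted, joined into the single line filters.txt requires.
FOX_RULE = (
    '[enabled],"Fake Fox News Canadian Pharmacy","Canadian Pharmacy",16711680,AND,Delete,'
    'EntireHeader,contains,"X-MimeOLE: Produced By Microsoft Exchange V6.5",'
    'EntireHeader,doesn\'tContain,"Received: from listserv.foxnews.com",'
    'Body,contains,"To stop ALL email from FOX News Network",'
    'Body,contains,"This email was sent by: FOX News Network"'
)


def parse_rule(line):
    """Split a rule line into name, AND/OR logic, actions and condition triples."""
    tok = next(csv.reader([line]))       # csv handles "..." fields and doubled ""
    first = next(i for i in range(5, len(tok)) if tok[i] in FIELDS)
    conds = tok[first:]
    if len(conds) % 3:
        raise ValueError("conditions must be field,operator,value triples")
    triples = [tuple(conds[i:i + 3]) for i in range(0, len(conds), 3)]
    for field, op, _ in triples:
        if field not in FIELDS or op not in OPERATORS:
            raise ValueError("unknown field or operator: %s,%s" % (field, op))
    return {"name": tok[1], "logic": tok[4], "actions": tok[5:first],
            "conditions": triples}


def field_text(headers, body, field):
    """Return the part of the message a condition is tested against."""
    if field == "EntireHeader":
        return headers
    if field == "Body":
        return body
    m = re.search(r"^%s:[ \t]*(.*)$" % re.escape(field), headers, re.I | re.M)
    return m.group(1).strip() if m else ""


def condition_holds(field, op, value, headers, body):
    text = field_text(headers, body, field)
    if op.endswith("RE"):
        # Approximation: rules using MailWasher's inline (?-i) switch need
        # translating before Python's re will accept them.
        hit = re.search(value, text, re.I | re.M) is not None
    elif op == "is":
        hit = text.lower() == value.lower()
    else:
        hit = value.lower() in text.lower()
    return hit != op.startswith("doesn't")    # invert for the negative operators


def rule_matches(rule, headers, body):
    results = [condition_holds(f, op, v, headers, body)
               for f, op, v in rule["conditions"]]
    return all(results) if rule["logic"] == "AND" else any(results)


def drop_negative_conditions(rule):
    """Copy of the rule without its doesn't... conditions, for comparison."""
    kept = [c for c in rule["conditions"] if not c[1].startswith("doesn't")]
    return dict(rule, conditions=kept)


# Constructed sample messages: identical except for the Received line.
BODY = ("Top stories for today\n"
        "To stop ALL email from FOX News Network, click here\n"
        "This email was sent by: FOX News Network\n")
COMMON = ("From: FOX News Network <newsletter@example.com>\n"
          "Subject: News Alert\n"
          "X-MimeOLE: Produced By Microsoft Exchange V6.5\n")
FAKE_HEADERS = "Received: from dsl-host.example.net\n" + COMMON
GENUINE_HEADERS = "Received: from listserv.foxnews.com\n" + COMMON

if __name__ == "__main__":
    rule = parse_rule(FOX_RULE)
    print("fake    ->", rule_matches(rule, FAKE_HEADERS, BODY))
    print("genuine ->", rule_matches(rule, GENUINE_HEADERS, BODY))
    print("genuine, negative condition removed ->",
          rule_matches(drop_negative_conditions(rule), GENUINE_HEADERS, BODY))
```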
Wizcrafts

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Mon Oct 13, 2008 5:24 am

The Canadian Pharmacy spam gang is in overdrive right now, spewing out gozillions of spam emails promoting the fake Canadian Pharmacy. Their latest template makes it look like you are receiving a newsletter you subscribed to.

The From field is fake and does not match the Received from domains they claim to represent (all sent from Bots, as usual). All contain images to deliver the spam message, with very little actual text. The text does contain words that are usually duplicated in the From field, as the sender's name. For instance, the current scam contains the following in both the From field and Body text: Healthcare Management Inc.

There are a couple of ways to block these messages. The first is to blacklist the faked senders based on both the name and part of the email address. Here is the Blacklist addition to stop the current crop of Healthcare spam:

noreply@newsletter.+
It is possible that you may subscribe to legitimate newsletters that use noreply@newsletter in their From or Reply to fields, so be sure you whitelist them before applying this blacklist rule.

The other way of dispatching this garbage is to match the sender's name, in the From field. This is a changing scenario, with a new name every week, or less. However, the current sender name is: Healthcare Management Inc. The following filter blocks Healthcare Management Inc in the From field and the Body, as well as most of the current variations of the Canadian Pharmacy spam template, based on their headers.

[enabled],"Known Spam [From or Body]","Known Spam [F or B]",16711680,OR,Delete,Automatic,Body,contains,"The most powerful weapon for your battles",Body,containsRE,"SpamIt\.com|best-kept\ secret\ for\ Men|^peascod|^(?-i)Severtieth|Healthcare\ Management\ Inc",Body,containsRE,"\b(show\ woman\ you(rself)?\ care|(many|Your)\ w[eo]men)\b",Body,contains,"The finest of products, at the lowest of prices:",EntireHeader,containsRE,"(^From:\s{1,3}(ph[ra]{2}macy|(?-i)E-STORE|\{|\}|""=\?ISO-8859-1\?Q\?))|(^X-Mailer:\ PHPMailer\ \[version 1\.73\]\r\n^X-Mailer:\ phplist\ v2\.10\.4$)",Body,contains,"Your tool can only get BIGGER",From,containsRE,"^i?Ci?a.?li?s\b|(?-i)(Express\ Newsletter|WWW\ News|Healthcare\ Management\ Inc)",Body,containsRE,"^Satisfy\ (your\ (girl|wom[ae]n)|her\b)|^Best\ offers\.\ \(c\)\ 200[89]",Body,contains,"gift for your lover",Body,contains,"Make her worship you",Body,contains,"pleasure in bed",Body,contains,"(c) 2008. To unsubscribe press <a"
This filter and all the rest of my custom filters are on my website, at http://www.wizcrafts.net/mwp-filters.html.
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
Wizcrafts

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Tue Nov 11, 2008 1:06 pm

There is a new trick in the Zlob Trojan baiting campaign: bogus news alerts about Barack Obama - claiming to come from "USA Government Center." The links in these messages are now leading to a fake USA Government webpage, hosted on botnetted computers, where the victim is told they need to install a new Adobe Flash Player. Unfortunately, the file they are pushing is the Zlob Trojan, currently disguised as a file named AdobePlayer9.exe. I have added detections for these scams to some of my existing published MailWasher Pro Filters, but I have a simple Blacklist addition that will eliminate about half of these scams.

Add the following to your MailWasher Pro Blacklist as a wildcard addition:
+@usa.com

Here is an updated custom filter rule to block most forms of the Barack Obama bogus news scams:

[enabled],"Trojan Video Link [S&B]","Trojan Video Link",16711680,AND,Delete,Automatic,Subject,containsRE,"Barack\ Obama|Britney\ Spears|(Paris|Barron)\ Hilton",Body,containsRE,"\.exe"">|/index_?\d{1,2}\.html"">|video\ report|news\ page>>"
Here is another rule to detect the faked From name:

[enabled],"Known Spam [From or Body]","Known Spam [F or B]",16711680,OR,Delete,Automatic,Body,contains,"The most powerful weapon for your battles",Body,containsRE,"SpamIt\.com|best-kept\ secret\ for\ Men|^peascod|^(?-i)Severtieth|Healthcare\ Management\ Inc",Body,containsRE,"\b(show\ woman\ you(rself)?\ care|(many|Your)\ w[eo]men)\b",Body,contains,"The finest of products, at the lowest of prices:",EntireHeader,containsRE,"(^From:\s{1,3}(ph[ra]{2}macy|(?-i)E-STORE|\{|\}|""=\?ISO-8859-1\?Q\?))|(^X-Mailer:\ PHPMailer\ \[version 1\.73\]\r\n^X-Mailer:\ phplist\ v2\.10\.4$)",EntireHeader,contains,"From: ""USA Government Center""",Body,containsRE,"^Satisfy\ (your\ (girl|wom[ae]n)|her\b)|^Best\ offers\.\ \(c\)\ 200[89]",Body,contains,"gift for your lover",Body,contains,"Make her worship you",Body,contains,"pleasure in bed",Body,contains,"(c) 2008. To unsubscribe press <a"
Here is my latest updated filter to block the bogus Canadian Pharmacy scams:

[enabled],"Canadian Pharmacy","Canadian Pharmacy",16711680,OR,Delete,Automatic,Subject,containsRE,Canadian\s?(Pharmacy|p\.h\.a\.r\.m\.a\.c\.y|RX),Subject,containsRE,"^\d\d\ percent\ discount$",Body,containsRE,Canadian\s?(Chemist|Medical|Pharmacy|RX),Body,contains,"Canadian Health and Care Mall",Body,contains,"Canadian Health & Care Mall ",Body,contains,"This email was sent by: CMD",Body,contains,<Info...>,Body,contains,"preparations for immunity improvement",Body,containsRE,Canadian.?(Phar?|p\.h\.a\.r\.m\.a\.c\.y)|Pharma?.*(Canada|market),Body,containsRE,"^<A\ href=3D""http://.+/index\d\d\.php"">.+>>></A>$"
Please note that these filters are set to automatically delete any matching incoming email. If you prefer to delete these messages manually, after examining them, remove the word "Automatic," including the trailing comma.

Many of my published MailWasher filters have been updated multiple times over the last month, so if you haven't downloaded them in a while you might want to get a fresh set. There are three sets available on the destination page. Read the on-page comments to decide which set is best for you.
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
Wizcrafts

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Sat Dec 13, 2008 5:26 am

Spam has dropped to very low levels, due to the takedown of the Command and Control Servers used by the major Botnets, but one Botnet has re-emerged as the strongest at this time. This is the so-called Mega-D Botnet, known as the leader in spam for male enhancement pill ripoffs. The spammers using this Botnet have fallen back on previously used templates, as well as creating some filterable new templates. I have some old and some new filters for MailWasher Pro users to apply, which will delete a lot of the current spam sent via this Botnet, at this point in their recovery process.

First item: Blacklist email entries

Add these wildcard rules to your MWP Blacklist now:

lin+met@+.de

kef+diz@+

Add this updated filter rule to flag the current image spam being sent out now:

[enabled],"Image Spam #11","Image Spam #11",16711680,OR,Delete,TakesPrecedence,Body,containsRE,"^<(center|/style)>\r\n^<a\ href=""http://.+\.(ca|cn|com|net|org|info)""><img\ src="".+/.*\.gif"">\r\n^<style>$",Body,contains,img0.gif,Body,contains,"alt=3D""Want to request ? It's easy to make a request online.",Body,contains,8dvs9.jpg,Body,contains,ioreuu78.jpg,Body,containsRE,"(?-i)^<BODY><a\ href=""http://.+\.com/""\ target=""_blank"">\r\n^<img\ src=""http://.+\.com/.+\.(gif|jpg)""\ border=0\ alt=""Having\ trouble\ viewing\ this\ email\?\s?\r\n^Click\ here\ to\ view\ as\ a\ webpage\.""></a></BODY></HTML>$",Body,containsRE,"(?-i)^<BODY><table>\r\n<tr><td><a\ href=""http://.+\.com/""><img\ src=""http://.+\.com/.+\.jpg""\ border=0\ alt=""Visit\ site\ now!""></a><br>\r\n<br></td></tr></table></BODY></HTML>$"

Add these updated Male Enhancement filters to automatically delete them:

[enabled],"Male Enhancement [S]","Male Enhancement",16711680,OR,Delete,Automatic,Subject,containsRE,"your\ (male\ p[a@]ck[a@]ge|copulation|manliness|masculinity|new\ (tool|rod|size|weener|willy))|Bodypart|(giant|gigantic|male|man|pocket)\ tool|manly|Masculine|lovemaking|(harder|thicker)\ and\ longer|penetrate|Enlarge,\ Widen\ and\ Strengthen|enlarge\ and\ lengthen",Subject,containsRE,"add\ (\d\s)?inches|\d\ inn?cc?hes|girth,?\s( and\s)?(length|lenght)|(length|lenght)\ and\ (girth|thickness)|thickness\ (a[nd][dn])\ length|long(er)?\ and\ thick(er)?",Subject,containsRE,(big(ger|gest)?|<expletive deleted>|hard(er)?|gigantic|love|man)\s(pecker|pole|rod|sausage|stick|tool|weapon),Subject,containsRE,"Bring\ her\ to\ seventh\ heaven|huge\s?(dic'?k|dignity|package)|problems?\swith\ssize|size\ (really\s)?(does\s)?matters?|I've\ gained\ an\ inch|your\ dic?'?k\ size|rock\ hard|Upsize\ your\ DlC?'?K|(Enlarge|Super-Size)\ It|Impress\ .*wom[ae]n",Subject,containsRE,"(boner|blue\ balls|c[o0]ck|\bcum\b|d1ck|dic'?k|\bdong\b|ejaculat(e|ion|ory)|ejauclation|elongate|enhancements?|enlarge(d|ment)|enlarge\syour|Erectile|Erection|flaccid|foreplay|\bpeckers?\b|pen.?[i1l!]s\b|p[e3]nis|pen-nis|p\ e\ n\ [i1l]\ s|\bp[aei3]nis\b|phall(i|us)?|prick|sex(ual)?|s'e[^a-z]?x|s'e_xual|\$e><|Sizeable|VPXL)",Subject,containsRE,"Gains?\ (up\ to\ )?(\d\+?\s)?(inches\ )?in\ (girth|length|size)|Gaining\ inches",Subject,containsRE,"(bat|bulge|monster|python|rocket|snake)\ in\ your\s{0,3}(pants|pocket|trousers)|trouser\ snake",Subject,containsRE,"\b(?-i)(FDA|Doctor)\ Approved",Subject,containsRE,"(get|grow)\ (a\s)?bigger|sc?h[l1][o0]ng|love\ muscle|\b(bigger|harder|larger|thicker|your)\ (?-i)(PE)\b|giant\ bulge|your\ small\ (di.?k|stick)|your\ little\s",Subject,contains,"thicker shaft"

[enabled],"Male Enhancement [B]","Male Enhancement",16711680,OR,Delete,Automatic,Body,containsRE,"(?-i)P.n.ss?\ En[lI1]argement",Body,contains,"Enlargement Patch",Body,contains," PE ",Body,contains,peniss,Body,contains,patchess,Body,contains,"male enhancement",Body,containsRE,"(enlarge|enhance|increase)\ (and\ thicken\s)?your\ (tool|manhood|p.n.ss?)|your\ tool\ ",Body,containsRE,"(?-i)VPXL|MaxDic?k|Maxgain|POWER\ Gain\+|Advanced\ Gain\ Pro|AGP\ [Pp]ills",Body,contains,"penis size",Body,contains," Penis "

Add this Hidden ISO/ASCII subject filter:

[enabled],"Hidden ISO Subject","Hidden ISO or Ascii Subject",16711680,OR,Delete,Automatic,EntireHeader,containsRE,^Subject:[^\n]*?=?ISO-8859-[^\n]*?\n,EntireHeader,contains,"Subject: =?us-ascii?",EntireHeader,contains,"Subject: =?windows-1251?B?",EntireHeader,contains,"Subject: =?gb2312?B?"

Now, let's filter out pirated software and counterfeit watches:

[enabled],"Watches Spam",Watches,16711680,OR,Delete,Automatic,From,containsRE,R[o0]lexx?,Subject,is,Luxury,Subject,contains,//atches,Subject,contains,\/\/ATCHES,Subject,containsRE,"(replica|Rolex|swiss|vip)\ watches|w\.a\.t\.c\.h\.e\.s|\ba\ watch\b",Subject,containsRE,"\b(R[0olex\.]{8,}|Rolex|r,?eplicas?|r\.{1,3}e\.{1,3}p\.{1,3}.l\.{1,3}i\.{1,3}c\.{1,3}a\.{1,3}|watches|chronometers|timepieces?|time\ control)\b",Body,contains,"luxury replica",Body,contains,"We only sell premium watches.",Body,contains,"exact copies of the original watches",Body,contains,"Detailed replicas of best chronometers by the best brands",Body,contains,"put one of these on your xmas list, you will fall in love with them all",Body,containsRE,"Rolex|Rollie|replicas?|watches|//atches|chronometers?|timepieces?|flashy\ bling|expensive\ watch|fashion\ pieces"

[enabled],"Software Spam","Software Spam",16711680,OR,Delete,Subject,is,Software,Subject,containsRE,"\$oftware|software\ price\$",Subject,containsRE,"(best|cheap(est)?|downloadable|oem|office|quality).*s[o0]ft(wares?)?|Soft(ware)?\ in\ many\ languages|software\ at\ (amazingly|surprisingly)\ low\ prices|perfectly\ working\ software|software\ immediately\ after\ purchase|ado6e|Vista\ Microsoft\ SP1\ and\ XP\ Cracked|Office\ (Enterprise\ 200[789]|200[789]\ Enterprise)|(?-i)(Access|Communicator|PowerPoint)\ 200[789]|Auto([cC]ad|desk)\ 200[789]",Body,contains,"Click this link and download most popular software",Body,contains,"Click this link and downloaded newest software",Body,contains,"you can download them right after pur",Body,contains,"The best software products at the best prices.",Body,containsRE,"EURO\ SOFT(WARE)?|European\ languages|Fully\ localized\ versions",Body,containsRE,"^Retail Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}\r\n^Our Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}",Body,containsRE,"Operational\ systems|newsoft|softwares|Cheap.*soft(ware)?|oem\ssoftware|software\ (you\s)?needs?",Body,containsRE,"SSoftwarr?e|down.?lo.?ad(d?able)?\ (legal\ )?s?so.?ft(ware)?|(Best|cheapest|lowest)\ software\ prices",Body,containsRE,http://.*software.*\.(com|cn|net|org|php|html?),Body,containsRE,^(type|vis[il]t)\s'?.+soft.*\s\.\scom'?\sin\syour\s.nternet\sExplorer,Body,containsRE,"(?-i)Office\ (Enterprise\ 200[789]|200[789]\ Enterprise)|(Access|Communicator|PowerPoint)\ 200[789]|Auto([cC]ad|desk)\ 200[789]"

Let's not forget about the scammers in Nigeria either:

[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Blacklist,Delete,Subject,is,"URGENT AND CONFIDENTIAL",Subject,containsRE,"(?-i)(CONFIDENTIAL\s)?(MUTUAL\s)?BUSINESS\ PROPOSAL|UNITEDN\ NATION|CONTACT\ ATM\ DEPARTMENT|Director,\ United\ Nations",Subject,containsRE,"(?-i)^CONTACT\ .+\ (COURIER\ COMPANY|ATM\ DEPARTMENT)",Subject,containsRE,"(?-i)TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)|(EMINENTLY|STRICTLY|URGENTLY)\ CONFIDENTIAL",Body,containsRE,"^(?-i)\*?Dear\ (Sir/Madam|Friend),\*?(<br>)?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,containsRE,"Bank\ of\ (Nigeria|Benin|(South\s)?Africa)|Benin\ Republic|Republic\ of\ Benin|Director,\ United\ Nations|REPUBLIC\ OF\ NIGERIA",Body,containsRE,"unclaimed\ (benefits|funds)",Body,contains,"contacting you based on Trust",Body,containsRE,"(Kind\s)?Attn:\s?Beneficiary|^(Hello\s)?(MY\s)?(DEAR\s)?(GOOD\s)?FRIEND[,.]|^Atte?n:Dear\ Friend,|^(Attn,\s)?My Dear\ (Beloved|Friend)[,.]$|^ATTENTION\s?:\s?BENEFICIARY.?$|(?-i)<STRONG>Kind\ Attn:\s?</STRONG>|(?-i)<STRONG>Beneficiary|BENEFICIARY,",Body,containsRE,"demurrage|dumourage|Clearance\ Certificate\ (\r\n)?Fee|keeping\ fees|(?-i)IMMEDIATE\ RELEASE\ OF\ YOUR\ PAYMENT|(I\ am|My\ name\ is)\ Barrister"

[enabled],"Subject All Caps","Subject All Caps",33023,AND,Delete,Subject,doesn'tContainRE,(?-i)[a-z],Subject,containsRE,.

[enabled],"Lottery Scam","Lottery Scam",16711680,OR,Blacklist,Delete,Automatic,Subject,containsRE,"^WINNING\ (Notification|NUMBER:)",Subject,contains,"Microsoft Lottery",Subject,contains,"GO FOR CLAIM VERIFICATION FORM",From,contains,LOTTERY,From,contains,"Department of National Lotteries",Body,contains,"Attn: Lucky Winner",Body,contains,"DEAR WINNER",Body,contains,"YOUR E-MAIL ADDRESS WON ",Body,contains,"please contact your fudiciary agent",Body,contains,"International Program Online Co-ordinator",Body,containsRE,"(?-i)WINNING\ NUMBER:|LOTTERY|RE:\ LOTTO|Lottery\ Coordinator",Body,containsRE,"(jackpot|International|Microsoft|National)\ Lottery|fiduciary|The\ Kings\ Charity|weekly\ sweepstakes",Body,containsRE,"You\ are\ advised\ to\ keep\ this\ winning\ (.+\s)?confidential"

[enabled],"Money Transfer Scam","$ Xfer Scam",16711680,OR,Delete,Automatic,Subject,contains,"TRANSFER ASSISTANCE",Subject,contains,"SWIFT CREDIT CARD",Body,contains,"SWIFT CREDIT CARD",Body,contains,AWARD/INHERITANCE/CONTRACT,Body,contains,"Promptitude in sending the payment",Body,contains,"We redirect the client's payment to you",Body,contains,"after you'll keep our(and yours) earnings, ",Body,contains,"it is your obligation to transfer the rest",Body,contains,"Basic knowledge in Acconting and payment transactions.",Body,containsRE,"^My\ dear\ friend,$|Dear\ good\ friend\s?,|modalities|money\ transfer\ system|I\ will\ give\ you\ \d\d%\ for\ your\ kind\ assistance to me",Body,contains,CONTRACT/INHERITANCE

IMPORTANT!
All of the filter rules in this post must each start on a new line, with no blank lines between rules and each must begin at the left margin of filters.txt (no tabs). There should be no extra spaces at the end of any filter, but, the final filter in filters.txt may have a linefeed. Filters.txt is created by MailWasher Pro, but is user modifiable, as long as MWP is closed before you edit the file. If the program is open and you make additions to filters.txt, the next time it closes those changes will be lost!

Filters.txt is located in your logged in identity, %AppData%\MailWasherPro folder.

These updated filters, along with my previously posted Canadian Pharmacy filters, will either flag as spam or auto delete 99% of the current spam for pharmaceuticals, enhancement pills, pirated software, counterfeit watches and Nigerian scams.
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
Wizcrafts

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Fri Mar 06, 2009 4:11 pm

Russian dating scammers are busy again. Lately, the only type of spam I still see manually is classified as Dating scams. I have been adjusting the filter rules accordingly, to detect the new spam run. The following is the updated Dating Spam filter, as of March 5, 2009, at 20:14 EST.

[enabled],"Dating Spam","Dating Spam",16711680,OR,Hidden,Delete,Automatic,Subject,containsRE,"\bdating\b|single.?ladies|Married.{1,5}lonely",Body,contains,"Greetings! I wish to get acquainted with you",Body,contains,flirting,Body,containsRE,"\bdating\ system\b|dating!",Body,containsRE,"\d\d%\ of\ our\ members\ .*hooked\ up\ (using|with)\ our\ .*system|maybe\ we\ can\ hook\ up",Body,contains,"I read your profile online and I was int",Body,contains,"Please write me a letter here http://",Body,contains,"Do you like beautiful girls?",Body,contains,"good looking girl who is looking to chat with you",Body,contains,"looking for a nice guy to chat with",Body,contains,Ifoundyourprofileonline,Body,contains,HithereI,Body,containsRE,"i\ (found|loved|was\ just\ reading)\ your\ profile|and\ i\ would\ (like|love)\ to\ get\s"
Note, that the above rule is my Judge Dredd Murder Death Kill actions! If you prefer to manually delete and not hide known spam, change the beginning to the following:

[enabled],"Dating Spam","Dating Spam",16711680,OR,Delete,
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
Wizcrafts

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Sun Mar 08, 2009 8:55 am

I just updated the Nigerian 419 Scam filter on my website, in the iframe, on http://www.wizcrafts.net/mwp-filters.html. For those who prefer to grab it here, this is the new filter rule:

[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Delete,Subject,is,"Dear Friend",Subject,is,"URGENT AND CONFIDENTIAL",Subject,contains,"Business letter from",Subject,containsRE,"(?-i)(CONFIDENTIAL\s)?(MUTUAL\s)?BUSINESS\ PROPOSAL|UNITEDN\ NATION|CONTACT\ ATM\ DEPARTMENT|Director,\ United\ Nations",Subject,containsRE,"(?-i)^CONTACT\ .+\ (COURIER\ COMPANY|ATM\ DEPARTMENT)",Subject,containsRE,"(?-i)TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)|(EMINENTLY|STRICTLY|URGENTLY)\ CONFIDENTIAL",Body,containsRE,"^(?-i)\*?Dear\ (Sir/Madam|Friend),\*?(<br>)?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,containsRE,"Bank\ of\ (Nigeria|Benin|(South\s)?Africa)|Benin\ Republic|Republic\ of\ Benin|Director,\ United\ Nations|REPUBLIC\ OF\ NIGERIA",Body,containsRE,"unclaimed\ (benefits|funds)",Body,contains,"contacting you based on Trust",Body,containsRE,"(Kind\s)?Attn:\s?Beneficiary|^(Hello\s)?(MY\s)?(DEAR\s)?(GOOD\s)?FRIEND[,.]|^Atte?n:Dear\ Friend,|^(Attn,\s)?My Dear\ (Beloved|Friend)[,.]$|^ATTENTION\s?:\s?BENEFICIARY.?$|(?-i)<STRONG>Kind\ Attn:\s?</STRONG>|(?-i)<STRONG>Beneficiary|BENEFICIARY,",Body,containsRE,"demurrage|dumourage|Clearance\ Certificate\ (\r\n)?Fee|keeping\ fees|(?-i)IMMEDIATE\ RELEASE\ OF\ YOUR\ PAYMENT|(I\ am|My\ name\ is)\ Barrister"
This has always been a manual deletion rule, in all three of my filter versions, as there is room for false positives. Also, I leave this rule set to manual so that I can send a LART, via SpamCop, to the ISPs responsible for allowing this bad behavior.
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
Wizcrafts

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Wed Jan 27, 2010 11:42 am

It's been a while since I posted any new or updated filters on this forum topic, but I can't resist giving you this one to try out for matches or false positives. If you use it please report on your findings. Once any bugs are worked out I will decide whether or not to add it to my published custom MailWasher filters.

New trial filter: Matches subjects with letters and spaces and multiple * + ' < > interspersed, or at the beginning and end. It will be added to my published filters after testing for false positives. This filter matches these terms:
  • <<<< SPAM >>>>
  • [*****SPAM*****]
  • Seve*re depr_ession may+ result in se*rious dis'eases and diso'rders. Prote,ct y'our life!
[enabled],"Subject contains < * + ' >","Known Spam Subjects",16711680,AND,Delete,Subject,containsRE,"(.+(\*|\+|'|<|>)){4,}"

I will probably be adding to the expressions as I observe related spam subjects.

Place this filter up high in the list, with other Subject filters.
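The false-positive test the post asks for can be scripted. The following is an added example, not part of the original post: it runs the trial expression over the three subjects listed above and over a few constructed legitimate subjects, assuming Python's `re` module treats this pattern the same way MailWasher's regex engine does.

```python
import re

# Trial expression copied from the filter rule in the post above.
TRIAL = re.compile(r"(.+(\*|\+|'|<|>)){4,}")

# The three subjects the post lists as intended matches.
SPAM_SUBJECTS = [
    "<<<< SPAM >>>>",
    "[*****SPAM*****]",
    "Seve*re depr_ession may+ result in se*rious dis'eases and diso'rders. Prote,ct y'our life!",
]

# Constructed legitimate subjects (not from the post) for false-positive testing.
HAM_SUBJECTS = [
    "Re: Minutes from Tuesday's meeting",
    "Don't forget: Sam's, Lee's and Jo's reviews are due",
    "Q1 results: revenue +4%, costs +2%, margin +1%, staff +3%",
    "Re: <urgent> reply needed for <project> kickoff",
    "Invoice 2010-02 attached",
]

def special_count(subject):
    """Number of * + ' < > characters in the subject."""
    return sum(subject.count(ch) for ch in "*+'<>")

def classify(subjects):
    """Return (subject, matched, special_count) for each subject."""
    return [(s, TRIAL.search(s) is not None, special_count(s)) for s in subjects]

def false_positives():
    """Constructed legitimate subjects that the trial expression would delete."""
    return [s for s, matched, _ in classify(HAM_SUBJECTS) if matched]

if __name__ == "__main__":
    for s, matched, n in classify(SPAM_SUBJECTS + HAM_SUBJECTS):
        print(f"{'MATCH' if matched else 'pass':5} specials={n:2}  {s}")
```

Three of the five constructed legitimate subjects match, because possessive apostrophes, plus signs in figures and angle-bracket tags easily add up to four occurrences.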
Wizcrafts
Guardian Gecko
Location: Flint, Michigan, USA
Posts: 276
Joined: Wed Sep 17, 2008 5:37 am

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Sat Feb 20, 2010 10:47 am

Here is an important custom filter to add to your MailWasher Pro filters. It blocks messages in the wild (Feb 2010), the Body of which contains only a plain text link to a malware infected PC, hosting an exploit page, running on a Russian Nginx web server. The Subject may be changed soon, so be prepared for filter updates.

[enabled],"Exploit Link Only","Exploit Link",16711680,AND,Delete,TakesPrecedence,Subject,containsRE,"^RE:|RE:\ FW:|FW:$",Body,containsRE,"^http://[a-z0-9.]+\.[a-z]{2,4}/archive[0-9]{2,6}/\?id=.+@.+\.[a-z]{2,4}$"
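How a rule line like the one above breaks down into flags and Field/operator/value tests, as an added example that is not part of the original post or of MailWasher itself. The column layout is inferred from the rules on this page, and case-insensitive matching with `^`/`$` anchoring at line boundaries is an assumption; both messages are constructed.

```python
import csv
import re

# Rule line copied from the post above.
RULE = r'''[enabled],"Exploit Link Only","Exploit Link",16711680,AND,Delete,TakesPrecedence,Subject,containsRE,"^RE:|RE:\ FW:|FW:$",Body,containsRE,"^http://[a-z0-9.]+\.[a-z]{2,4}/archive[0-9]{2,6}/\?id=.+@.+\.[a-z]{2,4}$"'''

FIELDS = {"Subject", "Body"}  # only the message fields this rule uses

def parse_rule(line):
    """Split a filters.txt line into header, flags and (field, op, value) tests.
    The layout is inferred from the rules shown on this page."""
    cols = next(csv.reader([line]))  # csv handles quoted commas and "" escapes
    state, name, category, colour, logic, action = cols[:6]
    rest = cols[6:]
    flags = []
    while rest and rest[0] not in FIELDS:  # e.g. TakesPrecedence, Automatic
        flags.append(rest.pop(0))
    tests = [tuple(rest[i:i + 3]) for i in range(0, len(rest), 3)]
    return {"enabled": state == "[enabled]", "name": name, "category": category,
            "logic": logic, "action": action, "flags": flags, "tests": tests}

def condition_matches(op, value, text):
    # Assumption: matching ignores case and ^/$ anchor at line boundaries.
    if op == "containsRE":
        return re.search(value, text, re.I | re.M) is not None
    if op == "contains":
        return value.lower() in text.lower()
    if op == "is":
        return value.lower() == text.lower()
    raise ValueError("unsupported operator: " + op)

def evaluate(rule, message):
    """True when an enabled rule fires: AND needs every test, OR needs any."""
    results = [condition_matches(op, val, message[field])
               for field, op, val in rule["tests"]]
    combined = all(results) if rule["logic"] == "AND" else any(results)
    return rule["enabled"] and combined

# Constructed messages (placeholder hosts): a link-only body and an ordinary reply.
LINK_ONLY = {"Subject": "RE: FW:",
             "Body": "http://host.example.com/archive0042/?id=user@example.org"}
REPLY = {"Subject": "RE: lunch on Friday",
         "Body": "Sounds good.\nSee http://example.com/menu for the menu."}
```

The ordinary reply passes the Subject test but not the Body test, so the AND rule leaves it alone.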
Wizcrafts
Guardian Gecko
Location: Flint, Michigan, USA
Posts: 276
Joined: Wed Sep 17, 2008 5:37 am

Wizcrafts Custom MailWasher Pro Filters Updated

Sun Feb 21, 2010 1:19 pm

I have done quite a few updates to all of my published filters today and earlier this week, including a couple of new additions. I added a new blacklist entry as well. The blacklist is now responsible for blocking as much as 25% of all incoming spam, since January 2010. I prefer to set my blacklist to automatic deletion. I never ever receive legitimate mail from any domain or user that is defined in my blacklist.

Download the new version of the filter set you have been using from my MailWasher Pro Custom Filters web page. Note, I copied and pasted my own filter set as filters3.txt, which as noted on the filters page, has many automatic deletion rules. If this worries you, choose filters2.txt, or even the larger filters.txt (which contains many old and outdated rules). Rename the downloaded file to filters.txt. Close MailWasher, then drag the downloaded file into your user_profile MailWasherPro application data folder.

You can find your own logged in account's Application Data directory by using the Start > Run input box, or the Vista/W7 command/search input box, off the Start Button. Just type in: %AppData%\MailWasherPro\ and press the Enter key. Save any custom rules to a separate file, so you can copy and paste them back into the file after you update it with my new filter rules. Make sure MailWasher is not running when you paste in the new filters, or they will be overwritten with the previous ones.

Later...
Last edited by Wizcrafts on Sun Feb 21, 2010 8:44 pm, edited 1 time in total.
Pierre
Knowledgeable Kea
Location: Australia - North of the "Ditch".
Posts: 1008
Joined: Thu Jul 24, 2008 4:57 pm

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Sun Feb 21, 2010 7:22 pm

Wiz, your link does not work as it has a comma in it instead of a full stop. :bow
IF IT AIN'T BROKE - DON'T FIX IT

I am only a ßeta Tester and getting older as well.
Wizcrafts
Guardian Gecko
Location: Flint, Michigan, USA
Posts: 276
Joined: Wed Sep 17, 2008 5:37 am

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Sun Feb 21, 2010 8:45 pm

Pierre wrote: Wiz, your link does not work as it has a comma in it instead of a full stop. :bow
Thanks Pierre! I fixed the link. I was in a hurry when I posted the message.
Wizcrafts
Guardian Gecko
Location: Flint, Michigan, USA
Posts: 276
Joined: Wed Sep 17, 2008 5:37 am

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Tue Feb 23, 2010 5:33 am

URGENT! Blogger Exploit Link Filter
February 22, 2010

Right now there is an exploit link spam run trying to fool users of the Google Blogger service into following an alleged "update your Blogger account" link. The link includes your email account, to which the spam was sent. It fakes a legitimate Google URL in the link text. However, the actual "href" points to domains in Korea, or other countries that allow malware sites to exist.

Since many of us use various Google services we white list most of their accounts and domains. Spammers know this and use it against us by faking those domains. Fortunately, MailWasher Pro has the ability to create custom filters that override the Friends list, via a checkbox titled: "This filter takes precedence over the friends list." I have used this function often in my custom MailWasher Pro filters and it came in handy for use in the following new filter to detect and delete the new Blogger exploit scam.

[enabled],"Blogger Exploit Link","Blogger Exploit Link",16711680,AND,Delete,TakesPrecedence,Automatic,Subject,contains,"Blogger account",Body,contains,"Dear Blogger account owner",Body,contains,"update your Blogger account",Body,contains,"please click the following link:",Body,containsRE,"<a\ href=3D""http://www\.google\.com\..{3,10}\.\w{2,3}/update/VE\.php\?"
I have tested the filter and it works for now (Feb 22, 2010) and has been uploaded into all three of my online filter sets. If the scammers change the wording, or URL rules, I will post an update to match them. I always post updates to my filters on my previously mentioned web page on Wizcrafts.net. You will always get the latest filters there.

Note that I have set the action to Judge Dredd rules: Automatic Deletion! If this worries you, or if you do have a Blogger account, remove the following word and comma: Automatic,

PS: I am working on refining and splitting the Nigerian 419 Scam filter into multiple parts. This will speed up detection and lighten the load on the CPU and RAM.
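The mismatch described in this post, where the link text shows a Google URL while the `href` points elsewhere, can also be checked structurally instead of by a fixed path. Added example, not part of the original post or of MailWasher: it decodes a quoted-printable HTML body (which is why the filter matches `href=3D`) and compares each anchor's real host with the displayed one; the sample body and its placeholder hosts are constructed.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def under(host, brand):
    """True when host is the brand domain itself or one of its subdomains."""
    return host == brand or host.endswith("." + brand)

def suspicious_links(qp_body, brand="google.com"):
    """Return (real_host, shown_host) for anchors that name the brand but leave it."""
    html = quopri.decodestring(qp_body).decode("utf-8", "replace")  # =3D becomes =
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        shown = host_of(text) if "://" in text else ""
        if not under(real, brand) and (brand in real or under(shown, brand)):
            findings.append((real, shown))
    return findings

# Constructed quoted-printable body; all non-Google hosts are placeholders.
SAMPLE = b"""<a href=3D"http://www.google.com.lookalike.example/update/VE.php?u=3Dme">http://www.google.com/update</a>
<a href=3D"http://host.example.net/login">https://www.google.com/accounts</a>
<a href=3D"http://www.google.com/support">Help</a>
"""
```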
