Spam has dropped to very low levels due to the takedown of the command and control servers used by the major botnets, but one botnet has re-emerged as the strongest at this time. This is the so-called Mega-D botnet, known as the leader in spam for male enhancement pill ripoffs. The spammers using this botnet have fallen back on previously used templates and have also created some new templates that can be filtered. I have some old and some new filters for MailWasher Pro users to apply, which will delete a lot of the current spam sent via this botnet at this point in its recovery.
First item: Blacklist email entries
Add these wildcard rules to your MWP Blacklist now:
lin+met@+.de
kef+diz@+
Add this updated filter rule to flag the current image spam being sent out now:
[enabled],"Image Spam #11","Image Spam #11",16711680,OR,Delete,TakesPrecedence,Body,containsRE,"^<(center|/style)>\r\n^<a\ href=""http://.+\.(ca|cn|com|net|org|info)""><img\ src="".+/.*\.gif"">\r\n^<style>$",Body,contains,img0.gif,Body,contains,"alt=3D""Want to request ? It's easy to make a request online.",Body,contains,8dvs9.jpg,Body,contains,ioreuu78.jpg,Body,containsRE,"(?-i)^<BODY><a\ href=""http://.+\.com/""\ target=""_blank"">\r\n^<img\ src=""http://.+\.com/.+\.(gif|jpg)""\ border=0\ alt=""Having\ trouble\ viewing\ this\ email\?\s?\r\n^Click\ here\ to\ view\ as\ a\ webpage\.""></a></BODY></HTML>$",Body,containsRE,"(?-i)^<BODY><table>\r\n<tr><td><a\ href=""http://.+\.com/""><img\ src=""http://.+\.com/.+\.jpg""\ border=0\ alt=""Visit\ site\ now!""></a><br>\r\n<br></td></tr></table></BODY></HTML>$"
Add these updated Male Enhancement filters to automatically delete them:
[enabled],"Male Enhancement [S]","Male Enhancement",16711680,OR,Delete,Automatic,Subject,containsRE,"your\ (male\ p[a@]ck[a@]ge|copulation|manliness|masculinity|new\ (tool|rod|size|weener|willy))|Bodypart|(giant|gigantic|male|man|pocket)\ tool|manly|Masculine|lovemaking|(harder|thicker)\ and\ longer|penetrate|Enlarge,\ Widen\ and\ Strengthen|enlarge\ and\ lengthen",Subject,containsRE,"add\ (\d\s)?inches|\d\ inn?cc?hes|girth,?\s( and\s)?(length|lenght)|(length|lenght)\ and\ (girth|thickness)|thickness\ (a[nd][dn])\ length|long(er)?\ and\ thick(er)?",Subject,containsRE,(big(ger|gest)?|<expletive deleted>|hard(er)?|gigantic|love|man)\s(pecker|pole|rod|sausage|stick|tool|weapon),Subject,containsRE,"Bring\ her\ to\ seventh\ heaven|huge\s?(dic'?k|dignity|package)|problems?\swith\ssize|size\ (really\s)?(does\s)?matters?|I've\ gained\ an\ inch|your\ dic?'?k\ size|rock\ hard|Upsize\ your\ DlC?'?K|(Enlarge|Super-Size)\ It|Impress\ .*wom[ae]n",Subject,containsRE,"(boner|blue\ balls|c[o0]ck|\bcum\b|d1ck|dic'?k|\bdong\b|ejaculat(e|ion|ory)|ejauclation|elongate|enhancements?|enlarge(d|ment)|enlarge\syour|Erectile|Erection|flaccid|foreplay|\bpeckers?\b|pen.?[i1l!]s\b|p[e3]nis|pen-nis|p\ e\ n\ [i1l]\ s|\bp[aei3]nis\b|phall(i|us)?|prick|sex(ual)?|s'e[^a-z]?x|s'e_xual|\$e><|Sizeable|VPXL)",Subject,containsRE,"Gains?\ (up\ to\ )?(\d\+?\s)?(inches\ )?in\ (girth|length|size)|Gaining\ inches",Subject,containsRE,"(bat|bulge|monster|python|rocket|snake)\ in\ your\s{0,3}(pants|pocket|trousers)|trouser\ snake",Subject,containsRE,"\b(?-i)(FDA|Doctor)\ Approved",Subject,containsRE,"(get|grow)\ (a\s)?bigger|sc?h[l1][o0]ng|love\ muscle|\b(bigger|harder|larger|thicker|your)\ (?-i)(PE)\b|giant\ bulge|your\ small\ (di.?k|stick)|your\ little\s",Subject,contains,"thicker shaft"
[enabled],"Male Enhancement [B]","Male Enhancement",16711680,OR,Delete,Automatic,Body,containsRE,"(?-i)P.n.ss?\ En[lI1]argement",Body,contains,"Enlargement Patch",Body,contains," PE ",Body,contains,peniss,Body,contains,patchess,Body,contains,"male enhancement",Body,containsRE,"(enlarge|enhance|increase)\ (and\ thicken\s)?your\ (tool|manhood|p.n.ss?)|your\ tool\ ",Body,containsRE,"(?-i)VPXL|MaxDic?k|Maxgain|POWER\ Gain\+|Advanced\ Gain\ Pro|AGP\ [Pp]ills",Body,contains,"penis size",Body,contains," Penis "
Add this Hidden ISO/ASCII subject filter:
[enabled],"Hidden ISO Subject","Hidden ISO or Ascii Subject",16711680,OR,Delete,Automatic,EntireHeader,containsRE,^Subject:[^\n]*?=?ISO-8859-[^\n]*?\n,EntireHeader,contains,"Subject: =?us-ascii?",EntireHeader,contains,"Subject: =?windows-1251?B?",EntireHeader,contains,"Subject: =?gb2312?B?"
Now, let's filter out pirated software and counterfeit watches:
[enabled],"Watches Spam",Watches,16711680,OR,Delete,Automatic,From,containsRE,R[o0]lexx?,Subject,is,Luxury,Subject,contains,//atches,Subject,contains,\/\/ATCHES,Subject,containsRE,"(replica|Rolex|swiss|vip)\ watches|w\.a\.t\.c\.h\.e\.s|\ba\ watch\b",Subject,containsRE,"\b(R[0olex\.]{8,}|Rolex|r,?eplicas?|r\.{1,3}e\.{1,3}p\.{1,3}.l\.{1,3}i\.{1,3}c\.{1,3}a\.{1,3}|watches|chronometers|timepieces?|time\ control)\b",Body,contains,"luxury replica",Body,contains,"We only sell premium watches.",Body,contains,"exact copies of the original watches",Body,contains,"Detailed replicas of best chronometers by the best brands",Body,contains,"put one of these on your xmas list, you will fall in love with them all",Body,containsRE,"Rolex|Rollie|replicas?|watches|//atches|chronometers?|timepieces?|flashy\ bling|expensive\ watch|fashion\ pieces"
[enabled],"Software Spam","Software Spam",16711680,OR,Delete,Subject,is,Software,Subject,containsRE,"\$oftware|software\ price\$",Subject,containsRE,"(best|cheap(est)?|downloadable|oem|office|quality).*s[o0]ft(wares?)?|Soft(ware)?\ in\ many\ languages|software\ at\ (amazingly|surprisingly)\ low\ prices|perfectly\ working\ software|software\ immediately\ after\ purchase|ado6e|Vista\ Microsoft\ SP1\ and\ XP\ Cracked|Office\ (Enterprise\ 200[789]|200[789]\ Enterprise)|(?-i)(Access|Communicator|PowerPoint)\ 200[789]|Auto([cC]ad|desk)\ 200[789]",Body,contains,"Click this link and download most popular software",Body,contains,"Click this link and downloaded newest software",Body,contains,"you can download them right after pur",Body,contains,"The best software products at the best prices.",Body,containsRE,"EURO\ SOFT(WARE)?|European\ languages|Fully\ localized\ versions",Body,containsRE,"^Retail Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}\r\n^Our Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}",Body,containsRE,"Operational\ systems|newsoft|softwares|Cheap.*soft(ware)?|oem\ssoftware|software\ (you\s)?needs?",Body,containsRE,"SSoftwarr?e|down.?lo.?ad(d?able)?\ (legal\ )?s?so.?ft(ware)?|(Best|cheapest|lowest)\ software\ prices",Body,containsRE,http://.*software.*\.(com|cn|net|org|php|html?),Body,containsRE,^(type|vis[il]t)\s'?.+soft.*\s\.\scom'?\sin\syour\s.nternet\sExplorer,Body,containsRE,"(?-i)Office\ (Enterprise\ 200[789]|200[789]\ Enterprise)|(Access|Communicator|PowerPoint)\ 200[789]|Auto([cC]ad|desk)\ 200[789]"
Let's not forget about the scammers in Nigeria either:
[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Blacklist,Delete,Subject,is,"URGENT AND CONFIDENTIAL",Subject,containsRE,"(?-i)(CONFIDENTIAL\s)?(MUTUAL\s)?BUSINESS\ PROPOSAL|UNITEDN\ NATION|CONTACT\ ATM\ DEPARTMENT|Director,\ United\ Nations",Subject,containsRE,"(?-i)^CONTACT\ .+\ (COURIER\ COMPANY|ATM\ DEPARTMENT)",Subject,containsRE,"(?-i)TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)|(EMINENTLY|STRICTLY|URGENTLY)\ CONFIDENTIAL",Body,containsRE,"^(?-i)\*?Dear\ (Sir/Madam|Friend),\*?(<br>)?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,containsRE,"Bank\ of\ (Nigeria|Benin|(South\s)?Africa)|Benin\ Republic|Republic\ of\ Benin|Director,\ United\ Nations|REPUBLIC\ OF\ NIGERIA",Body,containsRE,"unclaimed\ (benefits|funds)",Body,contains,"contacting you based on Trust",Body,containsRE,"(Kind\s)?Attn:\s?Beneficiary|^(Hello\s)?(MY\s)?(DEAR\s)?(GOOD\s)?FRIEND[,.]|^Atte?n:Dear\ Friend,|^(Attn,\s)?My Dear\ (Beloved|Friend)[,.]$|^ATTENTION\s?:\s?BENEFICIARY.?$|(?-i)<STRONG>Kind\ Attn:\s?</STRONG>|(?-i)<STRONG>Beneficiary|BENEFICIARY,",Body,containsRE,"demurrage|dumourage|Clearance\ Certificate\ (\r\n)?Fee|keeping\ fees|(?-i)IMMEDIATE\ RELEASE\ OF\ YOUR\ PAYMENT|(I\ am|My\ name\ is)\ Barrister"
[enabled],"Subject All Caps","Subject All Caps",33023,AND,Delete,Subject,doesn'tContainRE,(?-i)[a-z],Subject,containsRE,.
[enabled],"Lottery Scam","Lottery Scam",16711680,OR,Blacklist,Delete,Automatic,Subject,containsRE,"^WINNING\ (Notification|NUMBER:)",Subject,contains,"Microsoft Lottery",Subject,contains,"GO FOR CLAIM VERIFICATION FORM",From,contains,LOTTERY,From,contains,"Department of National Lotteries",Body,contains,"Attn: Lucky Winner",Body,contains,"DEAR WINNER",Body,contains,"YOUR E-MAIL ADDRESS WON ",Body,contains,"please contact your fudiciary agent",Body,contains,"International Program Online Co-ordinator",Body,containsRE,"(?-i)WINNING\ NUMBER:|LOTTERY|RE:\ LOTTO|Lottery\ Coordinator",Body,containsRE,"(jackpot|International|Microsoft|National)\ Lottery|fiduciary|The\ Kings\ Charity|weekly\ sweepstakes",Body,containsRE,"You\ are\ advised\ to\ keep\ this\ winning\ (.+\s)?confidential"
[enabled],"Money Transfer Scam","$ Xfer Scam",16711680,OR,Delete,Automatic,Subject,contains,"TRANSFER ASSISTANCE",Subject,contains,"SWIFT CREDIT CARD",Body,contains,"SWIFT CREDIT CARD",Body,contains,AWARD/INHERITANCE/CONTRACT,Body,contains,"Promptitude in sending the payment",Body,contains,"We redirect the client's payment to you",Body,contains,"after you'll keep our(and yours) earnings, ",Body,contains,"it is your obligation to transfer the rest",Body,contains,"Basic knowledge in Acconting and payment transactions.",Body,containsRE,"^My\ dear\ friend,$|Dear\ good\ friend\s?,|modalities|money\ transfer\ system|I\ will\ give\ you\ \d\d%\ for\ your\ kind\ assistance to me",Body,contains,CONTRACT/INHERITANCE
IMPORTANT!
All of the filter rules in this post must each start on a new line, with no blank lines between rules, and each must begin at the left margin of filters.txt (no tabs). There should be no extra spaces at the end of any filter, but the final filter in filters.txt may have a linefeed. Filters.txt is created by MailWasher Pro, but is user modifiable, as long as MWP is closed before you edit the file. If the program is open and you make additions to filters.txt, those changes will be lost the next time it closes!
Filters.txt is located in the %AppData%\MailWasherPro folder of your logged-in identity.
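A small checker for the layout rules above, added here as an example (it is not part of MailWasher Pro or of the original post). It assumes every rule line starts with "[" and carries an even number of double quotes, as all the rules in this post do; the sample input is constructed.

```python
import sys

def lint_filters(text):
    """Return (line_number, problem) pairs for the content of a filters.txt."""
    problems = []
    lines = text.split("\n")
    # The final filter may end with a linefeed: ignore the one empty
    # string that a trailing linefeed leaves behind after the split.
    if lines and lines[-1] == "":
        lines.pop()
    for n, raw in enumerate(lines, 1):
        line = raw[:-1] if raw.endswith("\r") else raw  # tolerate CRLF
        if line.strip() == "":
            problems.append((n, "blank line"))
            continue
        if line[0] in " \t":
            problems.append((n, "does not begin at the left margin"))
        if line[-1] in " \t":
            problems.append((n, "extra space at end of filter"))
        # Assumption: rules start with "[" like the "[enabled]" rules here,
        # so anything else is probably a rule wrapped by copy and paste.
        if not line.lstrip().startswith("["):
            problems.append((n, "does not start with '[' (wrapped rule?)"))
        # Quoted fields double embedded quotes, so a whole rule has an even count.
        if line.count('"') % 2:
            problems.append((n, "unbalanced double quotes (truncated rule?)"))
    return problems

# Constructed sample: one valid rule, then the same rule damaged in typical ways.
RULE = '[enabled],"Demo","Demo",16711680,OR,Delete,Automatic,Subject,contains,"luxury replica"'
SAMPLE = "\r\n".join([
    RULE,          # 1: fine
    "",            # 2: blank line between rules
    "\t" + RULE,   # 3: indented with a tab
    RULE + " ",    # 4: trailing space
    RULE[:-12],    # 5: rule cut in the middle of a quoted field
    RULE[-12:],    # 6: the remainder, now on its own line
]) + "\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to filters.txt; close MWP before editing it
        with open(sys.argv[1], encoding="utf-8", errors="replace", newline="") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    for number, problem in lint_filters(content):
        print(f"line {number}: {problem}")
```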
These updated filters, along with my previously posted Canadian Pharmacy filters, will either flag as spam or auto delete 99% of the current spam for pharmaceuticals, enhancement pills, pirated software, counterfeit watches and Nigerian scams.