Wizcrafts Custom MailWasher Pro Filters discussed here

Whether you're a MailWasher veteran or complete newbie, all users are welcome to get together. Discussions include usage and possible problems.
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Tue Feb 23, 2010 11:46 am

As promised, I have put some brain power into my (huge) Nigerian 419 Scam filter and have decided to split it into several separate filters. This will make detection of 419 scams faster and with less drain on your CPU! I have placed Subject AND filters first in the list, followed by Subject OR, then Body AND, followed by Body OR rules. Hopefully, this arrangement will work faster than the single huge filter did.

I have left the original 419 filter in the online filters, but set it to disabled. Do as you want with these filters.

The following filters are set to manual deletion, for your safety. I have all of mine set to Judge Dredd - Murder/Death/Kill Auto deletion! :twisted:

Code:

[enabled],"Nigerian 419 Scam #1 [S]","419 Scam",16711680,AND,Delete,Subject,contains,URGENT,Subject,contains,AND,Subject,contains,CONFIDENTIAL
[enabled],"Nigerian 419 Scam #2 [S]","419 Scam",16711680,AND,Delete,Subject,containsRE,(?-i)^URGENT|CONFIDENTIAL,Subject,contains,BUSINESS,Subject,containsRE,(?-i)PROPOSAL|RELATIONSHIP
[enabled],"Nigerian 419 Scam #3 [S, F, R]","419 Scam",16711680,OR,Delete,From,containsRE,BARRISTER|TRANSFER,EntireHeader,containsRE,^Reply-To:\s.+<.+@yahoo.com\.hk>$,Subject,is,BUSINESS,Subject,is,"URGENT BUSINESS",Subject,containsRE,"(?-i)(^CONTACT\ (\w*\s)?(COURIER\ COMPANY|ATM\ DEPARTMENT))",Subject,containsRE,"(?-i)TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)|(EMINENTLY|STRICTLY|URGENTLY)\ CONFIDENTIAL",Subject,containsRE,"UNITEDN\ NATION|Director,\ United\ Nations",Subject,containsRE,"^Dear\ Friend$|Urgent\ Proposal|Business\ letter\ from"
[enabled],"Nigerian 419 Scam #4 [B]","419 Scam",16711680,AND,Delete,Body,containsRE,^(Kind\s)?Atte?n:|ATTENTION|Hello,Body,containsRE,"Beneficiary|(My\ )?Dear\ (GOOD\s)?(Beloved|Friend)"
[enabled],"Nigerian 419 Scam #5 [B]","419 Scam",16711680,OR,Delete,Body,contains,"contacting you based on Trust",Body,containsRE,"^Hello,\ I.{0,2}m\ Sgt\.",Body,containsRE,"^(?-i)\*?(Dear\ (Sir/Madam|Friend)|Complement\ of\ the\ day)",Body,contains,"I need your urgent assistance in transferring",Body,contains,"Waiting to hear from you soonest",Body,containsRE,"unclaimed\ (benefits|funds)",Body,containsRE,"(I\ am|My\ name\ is)\ Barrister|^Barrister.+ESQ$",Body,containsRE,^Best\sregards.?\r\nBarr\..?[A-Z],Body,containsRE,"^Mr\.\ \w{3,}\ \w{3,}\ \(Barrister\)"
[enabled],"Nigerian 419 Scam #6 [B]","419 Scam",16711680,OR,Delete,Body,containsRE,"Business\ proposal\ valued\ at|(?-i)(CONFIDENTIAL\s)?(MUTUAL\s)?BUSINESS\ (PROPOSAL|RELATIONSHIP?)|URGENT\ AND\ CONFIDENTIAL",Body,containsRE,"Bank\ (of\ )?(Nigeria|Benin|(South\s)?Africa)|Benin\ Republic|Republic\ of\ Benin|Director,\ United\ Nations|REPUBLIC\ OF\ NIGERIA",Body,containsRE,"beneficiary|no\ Beneficiaries|demurrage|dumourage|duemorrage|Clearance\ Certificate\ (\r\n)?Fee|keeping\ fees|(?-i)IMMEDIATE\ RELEASE\ OF\ YOUR\ PAYMENT",Body,containsRE,"\{[a-z]{3,8}\sMillion\s[a-z-]{3,6}\sHundred\sThousand\sDollars}"


A good followup filter for these would be my African Sender filter:

Code:

[enabled],"African Sender (419)","African Sender (419)",16711680,OR,Blacklist,Delete,EntireHeader,containsRE,"Received:\sfrom\s.*[\[\(]41\.\d{1,3}\.\d{1,3}\.\d{1,3}[\[\]\)]",EntireHeader,containsRE,"Received:\sfrom\s.*[\[\(]196\.\d{1,3}\.\d{1,3}\.\d{1,3}[\[\]\)]",EntireHeader,containsRE,"Received:\sfrom\s.*[\[\(]81\.199\.\d{1,3}\.\d{1,3}[\[\]\)]",EntireHeader,containsRE,"^Received:\ from\ .+41\.\d{1,3}\.\d{1,3}\.\d{1,3}"


BTW: I just analyzed an incoming "KIA Motors International Promotion" scam and obtained three IP CIDRs to possibly add to my .htaccess Nigerian Blocklist. :ninja
Submitted respectfully by Wiz.
Member of the MailWasher Beta Tester Team
Fighting spam by writing, updating and publishing MailWasher Pro custom filters.
See www.wizcrafts.net/mwp-filters.html
Bicuspid
It begins with a single step
Posts: 1
Joined: Wed Jul 01, 2009 1:10 pm

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Bicuspid, Mon May 10, 2010 12:57 pm

How do I set a default to 'Disable Reporting' globally?
Which flag in the filters list sets this option?
I otherwise have to edit each filter rule to set the 'Disable' flag.
I get so much spam that the uploading of reporting is slowing my system.
Thanks.
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Wed May 12, 2010 10:48 am

Bicuspid wrote: How do I set a default to 'Disable Reporting' globally?
Which flag in the filters list sets this option?
I otherwise have to edit each filter rule to set the 'Disable' flag.
I get so much spam that the uploading of reporting is slowing my system.
Thanks.

Open your MWP settings, click on the FirstAlert link and uncheck "Use FirstAlert! database of spam." Then, click on the SpamCop link and disable reporting there. That will remove the Reporting tab from your view and you won't have to disable reporting in individual filters.
iwaddo
Travelling Tuatara
Posts: 47
Joined: Fri May 21, 2010 2:39 am

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by iwaddo, Fri May 21, 2010 2:55 am

Hi, hopefully this is the right place to post a question about performance of the filters...

I installed the custom set and my Mailwasher Pro, latest version, takes forever (machine appears to have stopped for a long time) to process the emails. Where is the best place to look
    could I have installed them incorrectly
    will it be the number of email accounts I am downloading
    will it be parallel or sequential processing
Any initial guidance appreciated.

Regards
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Fri May 21, 2010 4:50 am

iwaddo wrote: Hi, hopefully this is the right place to post a question about performance of the filters...

I installed the custom set and my Mailwasher Pro, latest version, takes forever (machine appears to have stopped for a long time) to process the emails. Where is the best place to look
    could I have installed them incorrectly
    will it be the number of email accounts I am downloading
    will it be parallel or sequential processing
Any initial guidance appreciated.

Regards

Many of my filters use Regular Expressions that parse body text for a match. This takes some time to complete. The more filters you use, the more drain there can be on your CPU and RAM. If your PC is not very new and has less than, say, 4 GB of DDR RAM, it can bog down during processing of incoming email.

You can minimize the load on your PC by changing to sequential checking for multiple accounts, or by using filter set #1 or #2. Set 1 uses automatic deletion, while set #2 uses manual deletion. Aside from that they are the same rules.

You can manually rearrange your filters so that the ones detecting the most spam are near the top of the list. These include filters for Viagra (4), Pharmaceuticals (2), Canadian Pharmacy (2), counterfeit Watches and Nigerian 419 scams (6). Since, for some unimaginable reason, I am currently seeing a lot of misdirected Russian language spam, I would move the Russian Sender filter up the list as well. It sucks when one can't even read the junk they are reporting to SpamCop!

If my filters contain rules you do not need, close the program, open the filters file and Cut the unwanted filters out, saving them to a backup file for future use.

I do not recommend using Filters1.txt, as it goes way back with many outdated rules.

I hope this helps.
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Sat May 22, 2010 10:12 am

I have been getting a lot of mis-directed Russian language spam lately, perhaps from a badly configured botnet spam template. If you are also receiving unreadable spam, or spam with Cyrillic characters and wish to delete it upon arrival, use my Russian Sender filter and keep it up high in the list.

Code:

[enabled],"Russian Sender","Russian Sender",16711680,OR,Delete,TakesPrecedence,EntireHeader,containsRE,"^Received:\ from\ .*85\.140\.\d{1,3}\.\d{1,3}",EntireHeader,containsRE,"^Received:\ from\ .*80\.85\.1(7[6-9]|8[0-9]|9[01])\.\d{1,3}(\]\))?",EntireHeader,contains,"charset=""koi8-r"";",EntireHeader,contains,"Subject: =?koi8-r",Body,contains,charset=3Dkoi8-r,EntireHeader,containsRE,Message-ID:\s<.+@.+\.ru>,EntireHeader,containsRE,"\(envelope-from\ <.+@.+\.ru>\)",EntireHeader,containsRE,HELO\s.+\.ru,EntireHeader,contains,"From: =?koi8-r"

I personally have mine set to automatically delete all Russian garbage, so add "Automatically," after "Delete," to do the same. I also block tons of these with a blacklist rule to delete all email claiming to come from any .RU domain. Here's the Blacklist rule: +@+.ru - and set it to Automatic to never see their garbage at all.

UPDATE May 31, 2010:
The flood of Russian language spam has increased, just like the oil leak in the Gulf. My MailWasher Blacklist rule that blocks .ru senders is now blocking about 1/3 of today's spam. Eventually, the spammers behind the Russian spam bots will realize that most Western Hemisphere recipients don't normally read Cyrillic!

Update #2, June 3:
Added TakesPrecedence, after Delete, as the From domain may include gmail, or another whitelisted source.

If you do receive legitimate email from Russia, do not apply the filter or Blacklist rule.
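To try a filter line such as the Russian Sender one above against a message offline, here is an added example (my own code, not Wizcrafts' filters or anything from MailWasher) that parses the MailWasher 6 filter format as it appears in this thread and evaluates its rules. It assumes the column layout visible in the posted lines (option tokens such as TakesPrecedence sit between the AND/OR column and the first field name), that containsRE is case-insensitive unless the pattern opens with (?-i), and it uses the Received range class written as 8[0-9]; both messages are constructed.

```python
import csv
import re
from io import StringIO

# Column layout assumed from the posted lines: [enabled], name, category, colour,
# AND/OR, option tokens up to the first field name, then field,operator,value triples.
FIELDS = {"Subject", "Body", "From", "EntireHeader"}

def parse_filter(line):
    """Return (name, mode, [(field, operator, value), ...]) for one filter line."""
    cols = next(csv.reader(StringIO(line)))
    name, mode = cols[1], cols[4]
    i = 5
    while cols[i] not in FIELDS:  # skip Delete / Blacklist / TakesPrecedence ...
        i += 1
    rules = [tuple(cols[j:j + 3]) for j in range(i, len(cols), 3)]
    return name, mode, rules

def header_value(header, name):
    m = re.search(r"^%s:[ \t]*(.*?)\r?$" % re.escape(name), header, re.M | re.I)
    return m.group(1) if m else ""

def rule_matches(rule, raw):
    field, op, value = rule
    header, _, body = raw.partition("\r\n\r\n")
    text = {"Subject": header_value(header, "Subject"),
            "From": header_value(header, "From"),
            "Body": body, "EntireHeader": header}[field]
    if op == "is":
        return text.strip().lower() == value.lower()
    if op == "contains":
        return value.lower() in text.lower()
    if op == "containsRE":
        # Case-insensitive unless (?-i) leads; Python lacks a global (?-i), so strip it.
        flags = re.M
        if value.startswith("(?-i)"):
            value = value[5:]
        else:
            flags |= re.I
        return re.search(value, text, flags) is not None
    raise ValueError("unsupported operator: " + op)

def filter_matches(line, raw):
    """True if the filter fires: every rule for AND, any rule for OR."""
    _, mode, rules = parse_filter(line)
    hits = [rule_matches(r, raw) for r in rules]
    return all(hits) if mode == "AND" else any(hits)

# The Russian Sender line from the post, with the character class [8[0-9]
# written as 8[0-9] so that 80.85.176-191 matches as intended.
RUSSIAN_SENDER = r'''[enabled],"Russian Sender","Russian Sender",16711680,OR,Delete,TakesPrecedence,EntireHeader,containsRE,"^Received:\ from\ .*85\.140\.\d{1,3}\.\d{1,3}",EntireHeader,containsRE,"^Received:\ from\ .*80\.85\.1(7[6-9]|8[0-9]|9[01])\.\d{1,3}(\]\))?",EntireHeader,contains,"charset=""koi8-r"";",EntireHeader,contains,"Subject: =?koi8-r",Body,contains,charset=3Dkoi8-r,EntireHeader,containsRE,Message-ID:\s<.+@.+\.ru>,EntireHeader,containsRE,"\(envelope-from\ <.+@.+\.ru>\)",EntireHeader,containsRE,HELO\s.+\.ru,EntireHeader,contains,"From: =?koi8-r"'''

# Constructed messages, not real mail: one the filter should catch, one clean.
SPAM = ("Received: from mx.example.net ([80.85.180.5])\r\n"
        "Message-ID: <20100522.1@example.ru>\r\n"
        "Subject: =?koi8-r?B?8NLJ18XU?=\r\n"
        "Content-Type: text/plain; charset=\"koi8-r\";\r\n"
        "\r\n(Cyrillic text here)\r\n")
HAM = ("Received: from mx.example.com ([192.0.2.10])\r\n"
       "Message-ID: <20100522.2@example.com>\r\n"
       "Subject: Lunch on Friday?\r\n"
       "Content-Type: text/plain; charset=utf-8\r\n"
       "\r\nSee you at noon.\r\n")
```

filter_matches(RUSSIAN_SENDER, SPAM) is True (four of the nine OR rules hit: the 80.85.180.x Received line, the koi8-r charset, the koi8-r Subject and the .ru Message-ID), while the clean message matches none of them.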
davews
Travelling Tuatara
Posts: 74
Joined: Thu Sep 11, 2008 7:30 pm

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by davews, Thu Sep 16, 2010 6:04 pm

Oh dear, looks like the spammers are everywhere on this forum now...
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Thu Sep 16, 2010 6:10 pm

I reported it as spam, but the mods are probably sleeping right now. The spam post will be deleted tomorrow.
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Mon Jul 25, 2011 5:54 am

I just reported a new user: jamespeter1121, for spamming my topic with an advertisement for his personal services. They have nothing to do with MailWasher Pro, or my spam filters. Do NOT click on any links posted by this soon to be non-member.

If anybody would like to actually discuss my work on custom MailWasher filters, this is the place to do so. But, be forewarned, I am notified of all replies to this topic and will get rid of spammers as quickly as humanly possible. Email spammers get the same treatment from me.

For those members who aren't aware of my work, my custom MailWasher spam filters are detailed on my website, in the page titled Wizcrafts' MailWasher Pro - Spam Detection Filters. The filters are now published for both the old and new versions and formats of MailWasher Pro.
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

A new filter to detect new exploit links

Post by Wizcrafts, Thu Dec 15, 2011 5:24 pm

There is a new spam template making the rounds, with links leading to a Russian server, where malicious exploit attacks are launched against your browser and its plug-ins. The link contains a file ending in .htm, followed by a huge query string, separated into groups by = signs.

Here is my initial filter to match the query strings appended to .HTM or .HTML file types.

Here is the MailWasher version 6.x filter:

Code:

[enabled],"Fake Query String In Link (Dangerous!)","Exploit Link",255,OR,Delete,Body,containsRE,"""http://.+\.[a-z]{2,4}/.+\.html?\?.+"""

Here is the MailWasher 2012 version:

Code:

  <Filter Name="Fake Query String In Link (Dangerous Link!)" Enabled="True">
    <Description>Exploit Link</Description>
    <MatchAll>False</MatchAll>
    <Rating>-200</Rating>
    <Colour>#FFCC0098</Colour>
    <TextColour>White</TextColour>
    <AutoDelete>False</AutoDelete>
    <HideEmail>False</HideEmail>
    <HideEmailOption>All</HideEmailOption>
    <Rule>
      <Field>Body</Field>
      <Operator>Contains</Operator>
      <Type>RegEx</Type>
      <Expression>"http://.+\.[a-z]{2,4}/.+\.html?\?.+"</Expression>
    </Rule>
  </Filter>


I will update it as necessary. As of now, it is being used by Russian criminals to drive traffic to the Blackhole Exploit Kit, via a JavaScript array, vertically stacked and Eval'd.

This filter has just been added to both the old and new versions of my Custom MailWasher Spam Filters.
TrustFire
βeta Tester
Posts: 12693
Joined: Fri Jul 30, 2010 11:04 pm
Location: 127.0.0.1

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by TrustFire, Thu Dec 15, 2011 5:34 pm

Wonderful job you're doing on this thread, Wizcrafts - simply amazing. :thumbsup
MWP 7 disabled from the cloud (ßeta) | Windows 8.1 Pro (x64) | The Bat! Professional (ßeta) | Windows Firewall Control (WFC) | NOD32 EAV (ßeta) | Intel® HD Graphics 3000 | Internet Connection Speed (D=50 Mb/s U=3.5 Mb/s) | .NET Framework (4.7.1)
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Fri Dec 16, 2011 6:05 am

I have updated my filter rule for the fake query strings in .htm files, leading to Russian exploit kits. Add a second rule to the existing one, with this RegExpr for the Body:

Code:

"http://.+\.[a-z]{2,4}/.+\.html?\?[A-Za-z0-9=&]+=


Note:
This code could replace the original, but we'll see...

This blocks fake Facebook Friend Requests (in subject), with the same obfuscated invalid link codes appended to a .htm file on a compromised server.
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Fri Dec 16, 2011 7:56 am

I have refined my Octopus Ink filter several times today. If anybody has applied the first incarnation, please remove it and install and test this version. Please let me know about any false positives, caused or fixed by this filter.

For Version 6.5.4:

Code:

[enabled],"Fake Query String In Link (Dangerous!)","Exploit Link",255,OR,Delete,Body,containsRE,"http://[a-z0-9]+\.[a-z]{2,4}/.+\.html?\?.+",Body,containsRE,"(?-i)""http://.+\.[a-z]{2,4}/.+\.html?\?[A-Z0-9=&]+="

For version 201x:

Code:

  <Filter Name="Fake Query String In Link (Dangerous!)" Enabled="True">
    <Description>Exploit Link</Description>
    <MatchAll>False</MatchAll>
    <Rating>-200</Rating>
    <Colour>#FFCC0098</Colour>
    <TextColour>White</TextColour>
    <AutoDelete>False</AutoDelete>
    <HideEmail>False</HideEmail>
    <HideEmailOption>All</HideEmailOption>
    <Rule>
      <Field>Body</Field>
      <Operator>Contains</Operator>
      <Type>RegEx</Type>
      <Expression>(?-i)http://[a-z0-9]+\.[a-z]{2,4}/.+\.html?\?[A-Z0-9=&amp;]+=</Expression>
    </Rule>
    <Rule>
      <Field>Body</Field>
      <Operator>Contains</Operator>
      <Type>RegEx</Type>
      <Expression>(?-i)http://[a-z0-9]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.html?\?[A-Z0-9=&amp;]+=</Expression>
    </Rule>
  </Filter>


This incarnation only checks for capital letters in the query string. I'm sure I will have to expand that to mixed case later on, once the Ruskies alter their scam templates.
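As an added example (my own code, not part of the post or of MailWasher), the two Body rules of the version 6.5.4 filter above run in Python over constructed HTML snippets, which makes the uppercase-only limitation just described visible; since Python has no global (?-i), the second rule is simply compiled without re.IGNORECASE.

```python
import re

# The two Body rules of the 6.5.4 filter. MailWasher's containsRE is
# case-insensitive unless the pattern opens with (?-i); Python has no global
# (?-i), so the second rule is compiled without re.IGNORECASE instead.
RULE_ANY_CASE = re.compile(r'http://[a-z0-9]+\.[a-z]{2,4}/.+\.html?\?.+', re.I)
RULE_UPPER_QS = re.compile(r'"http://.+\.[a-z]{2,4}/.+\.html?\?[A-Z0-9=&]+=')

def exploit_link_filter(body):
    """Names of the rules that fire; the filter is OR, so any hit marks the mail."""
    hits = []
    if RULE_ANY_CASE.search(body):
        hits.append("any-case")
    if RULE_UPPER_QS.search(body):
        hits.append("upper-qs")
    return hits

# Constructed HTML snippets, not real spam.
UPPER = '<a href="http://news.example.net/story.htm?AB12CD34=EF56GH78=">read</a>'
MIXED = '<a href="http://news.example.net/story.htm?Ab12cD34=eF56gH78=">read</a>'
BARE = 'see http://example.net/page.html?id=42 for details'
CLEAN = '<a href="http://www.example.net/docs/manual.html">manual</a>'
```

UPPER fires only the second rule (its host has three labels, which the first rule's `[a-z0-9]+\.[a-z]{2,4}/` does not accept), MIXED fires neither, which is the mixed-case gap noted above, and BARE fires the first rule alone, so that broad rule is where false positives on ordinary `.html?` links would come from.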
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Tue Feb 14, 2012 6:16 am

I just discovered a whoopty-doo in one of my recently changed filters. It is the filter named .RU or .UA Domain Link. I recently expanded the filter to include .SU domains now being used by Russian Botnets and top level spammers. However, my code was short-sighted and today it deleted a perfectly good email that contained a link to www.survermonkey.com.

Updated twice today!

Here is the latest corrected code for the first line of the .RU .SU or .UA filter:

Code:

http://(www\.)?(.+\.r[uo]/|.+\.r[uo]\b|.+\.ua)|.+\.su(/|\b)


I have already uploaded the changed filters in both old and new formats. You can either copy and paste the new code to replace the first line in that filter, or download the entire updated filters file and install it.

I apologize for any inconvenience this may have caused.
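An added example (my own code, not the filter file's) showing why the trailing boundary matters: the corrected line above next to an assumed earlier shape of it without (/|\b) after .su, run over constructed links including a survermonkey one.

```python
import re

# Corrected first line of the ".RU .SU or .UA Domain Link" filter, as posted,
# next to an assumed earlier shape in which ".su" had no trailing boundary.
FIXED = r"http://(www\.)?(.+\.r[uo]/|.+\.r[uo]\b|.+\.ua)|.+\.su(/|\b)"
NAIVE = r"http://(www\.)?(.+\.r[uo]/|.+\.r[uo]\b|.+\.ua)|.+\.su"  # assumption

def flagged_links(pattern, body):
    """Return the links in body that the pattern flags (containsRE rules are
    case-insensitive, hence re.I)."""
    links = re.findall(r"https?://\S+", body)
    return [u for u in links if re.search(pattern, u, re.I)]

# Constructed body, not real mail: one legitimate survey link, a .ru link,
# a .su link and an ordinary .com link.
BODY = "\n".join([
    "Please fill in http://www.survermonkey.com/s/ABC123 by Friday.",
    "Special offer at http://pharma.example.ru/buy today only.",
    "Mirror: http://example.su",
    "Docs: http://www.example.com/manual.html",
])
```

NAIVE flags the survey link because `.+\.su` is satisfied by the `.su` inside `.survermonkey`, whereas FIXED needs a `/` or a word boundary after it and so skips that link while still catching the `.ru` and `.su` hosts. The `.ua` alternative still has no such boundary, so it could produce the same kind of false positive.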
Wizcrafts
Guardian Gecko
Posts: 275
Joined: Wed Sep 17, 2008 5:37 am
Location: Flint, Michigan, USA

Re: Wizcrafts Custom MailWasher Pro Filters discussed here

Post by Wizcrafts, Sun Jul 08, 2012 6:44 am

Check out my newest filter which detects a new type of pharmaceutical Russian domain spam containing multiple long lines of nothing but uppercase alphanumeric characters.

First, MailWasher version 6.x:

Code:

[enabled],"Spam link with multiple long lines of characters",Pharmaceuticals,16711680,AND,Delete,EntireHeader,contains,"Content-Type: text/plain; charset=utf-8",EntireHeader,contains,"Content-Transfer-Encoding: 7bit",Body,containsRE,"^(?i)([A-Z0-9]{22,}\r?\n|\n?)[A-Z].+http://.+\.\w{2}/(\??[A-Z0-9]{22,})?(\r?\n){2,3}([A-Z0-9]{22,}\r?\n){3,}$"


Here is the same filter in XML format, for use in MailWasher 2012.

Code:

  <Filter Name="Spam link with multiple long lines of characters" Enabled="True">
    <Description>Pharmaceuticals</Description>
    <MatchAll>True</MatchAll>
    <Rating>-200</Rating>
    <Colour>#FFCC0098</Colour>
    <TextColour>White</TextColour>
    <AutoDelete>False</AutoDelete>
    <HideEmail>False</HideEmail>
    <HideEmailOption>All</HideEmailOption>
    <Rule>
      <Field>Header</Field>
      <Operator>Contains</Operator>
      <Type>PlainText</Type>
      <Expression>Content-Type: text/plain; charset=utf-8</Expression>
    </Rule>
    <Rule>
      <Field>Header</Field>
      <Operator>Contains</Operator>
      <Type>PlainText</Type>
      <Expression>Content-Transfer-Encoding: 7bit</Expression>
    </Rule>
    <Rule>
      <Field>Body</Field>
      <Operator>Contains</Operator>
      <Type>RegEx</Type>
      <Expression>^\n?(?i)[A-Z].+http://.+\.\w{2}/\r\n\r\n([A-Z0-9]{22,}\r\n){3,}$</Expression>
    </Rule>
  </Filter>


Here is an example of the type of spam this detects and which can be manually or automatically deleted by MWP.

Code:

Keep your health in balance. Buy meds from us http://www.EXAMPLE.ru/

3CEF6736C6B97161F68E15C62BF1D75F
460A223061DA1362A19A9BD4D6396B05B1
A238D11C7E046A6C2D4607E3198D09DCEC