Mailwasher problem


tlshell

Hi, I'm trying to use Mailwasher and having all kinds of problems
logging in, plus I have to convert a filter from Agent for it to use
to delete the Swen virus. Can someone please convert the following for
me (and anyone else can use it too); bonus: I'll also be able to
create one for the fake bounce messages of the same virus once I
understand Mailwasher's language.

Agent filter (to delete)

subject: (current|last|latest|net|new|newest| *) and
(internet|microsoft|net|network| *) and (critical|security| *) and
(pack|patch|update|upgrade)

Mailwasher equivalent?--Please reply in the group so you can save
anybody's accounts that are being flooded.

Thx a million!!!
 
Hi, I'm trying to use Mailwasher and having all kinds of problems
logging in, plus I have to convert a filter from Agent for it to use
to delete the Swen virus. Can someone please convert the following for
me (and anyone else can use it too); bonus: I'll also be able to
create one for the fake bounce messages of the same virus once I
understand Mailwasher's language.
Agent filter (to delete)
subject: (current|last|latest|net|new|newest| *) and
(internet|microsoft|net|network| *) and (critical|security| *) and
(pack|patch|update|upgrade)

All of those ANDs might be a little too specific. Granted, this is
only a small sampling, but of the 14 of these that I saved, before I
started killing them on the server and then making my filter to do
that without anything from me, only 4 contain four words. The rest
are two- and three-word permutations of the kind of keywords you're
going for. In fact, with my little sampling, your first two sets of
ORs alone would be triggered by 13 of the 14 Subjects. (The one that
that wouldn't catch is, simply, "Newest Pack".)[1]
Mailwasher equivalent?--Please reply in the group so you can save
anybody's accounts that are being flooded.

I don't speak Mailwasher (my mail client itself is doing the autokilling
on the server), but maybe the above will be of some assistance. Good
luck with the battle.

[1]This was an interesting little exercise -- I'm not killing on Subject,
so I hadn't taken a close look at those headers.
 
Hi, I'm trying to use Mailwasher and having all kinds of problems
logging in, plus I have to convert a filter from Agent for it to use
to delete the Swen virus. Can someone please convert the following for
me (and anyone else can use it too); bonus: I'll also be able to
create one for the fake bounce messages of the same virus once I
understand Mailwasher's language.

Bouncing is often not a good idea. In this case it is even worse. The
"from" address is just about 100% NOT where things originated. So why
bounce ?
Agent filter (to delete)
subject: (current|last|latest|net|new|newest| *) and
(internet|microsoft|net|network| *) and (critical|security| *) and
(pack|patch|update|upgrade)
Mailwasher equivalent?--Please reply in the group so you can save
anybody's accounts that are being flooded.

Something like :

subject: current|last|latest|net|new|newest
subject: internet|microsoft|net|network
subject: critical|security
subject: pack|patch|update|upgrade

would come close. In your example you would need to make sure you
selected "all rules to be satisfied". You would also probably need to
select Contains RegExpr rather than contains.

If you are going to say "and" then you could consider putting all of
the above on one line. I am not sure what the character limit is but
some of my filters are pretty long.

Lastly, IMO you will NOT get many "hits" with the above. You MUST
get FOUR words in the subject to succeed with your list. Quite a lot
of mine only have three words.

Changing some "ands" to "ors" would probably be better. I also hide
emails that are addressed to me and display only items with
attachments.

Regards, John.

--
****************************************************
,-._|\ (A.C.F FAQ) http://clients.net2000.com.au/~johnf/faq.html
/ Oz \ John Fitzsimons - Melbourne, Australia.
\_,--.x/ http://www.aspects.org.au/index.htm
v http://clients.net2000.com.au/~johnf/
 
»Q« said:
For anyone trying to construct a comprehensive filter, Sophos has
listed the things that might appear in the From, To, and Subject
headers, at <http://sophos.com/virusinfo/analyses/w32gibef.html>.

With so many Subject permutations (and it's not unusual for someone
to email me with "Microsoft" in the subject header), I went a
different route. Simplified and pseudocode:

To: not [any address keywords like "shark"]
AND
Size: [140kb-161kb]

In reality, that's only one negated set of 4 or-strings and a size
range.

So far, the only thing that's sneaked through is an aberration like
the 12kb one I got, yesterday. I can live with that.

Only false kills (these are auto kills on the server, by my mail
client) would be legit distro lists that didn't use my address in To and
happened to be in that size range -- a risk I'll take.
 
Bouncing is often not a good idea. In this case it is even worse. The
"from" address is just about 100% NOT where things originated. So why
bounce ?




Something like :

subject: current|last|latest|net|new|newest
subject: internet|microsoft|net|network
subject: critical|security
subject: pack|patch|update|upgrade

would come close. In your example you would need to make sure you
selected "all rules to be satisfied". You would also probably need to
select Contains RegExpr rather than contains.

If you are going to say "and" then you could consider putting all of
the above on one line. I am not sure what the character limit is but
some of my filters are pretty long.

Lastly, IMO you will NOT get many "hits" with the above. You MUST
get FOUR words in the subject to succeed with your list. Quite a lot
of mine only have three words.

Yeah, I'm noticing that. In Agent, the [space]* at the end indicates
an empty choice. I don't see an equivalent for that in Mailwasher as
it's ignoring this part. As for the "and" that is simply done by
choosing one rule for each set in parentheses, deleting the word
"and."

So what I've got now is:

Subject: (current|last|latest|net|new|newest| *)
Subject: (internet|microsoft|net|network| *)
Subject: (critical|security| *)
Subject: (pack|patch|update|upgrade)

I'm still waiting to see if someone can come up with a better
translation.
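
An added example, not part of any post in this thread: the three translations discussed above, compared under Python's `re` semantics (an assumption; Mailwasher's own regex dialect is not verified here). It shows that four required rules miss short subjects, that keeping `| *` turns the first three rules into always-true matches, and that one anchored pattern with optional leading groups avoids both problems. The names `all_rules`, `classify` and the three variant names are hypothetical.

```python
import re

# The four keyword groups from the Agent filter quoted in this thread.
GROUPS = [
    "current|last|latest|net|new|newest",
    "internet|microsoft|net|network",
    "critical|security",
    "pack|patch|update|upgrade",
]

def all_rules(subject, patterns):
    """Emulate 'all rules to be satisfied': each pattern must match somewhere."""
    return all(re.search(p, subject, re.IGNORECASE) for p in patterns)

# Variant A: four required rules (every group must appear in the subject).
STRICT = ["(%s)" % g for g in GROUPS]

# Variant B: groups 1-3 keep Agent's '| *' empty choice. As a regex, ' *'
# matches the empty string, so those three rules match every subject and
# only the fourth rule decides the outcome.
WITH_EMPTY = ["(%s| *)" % g for g in GROUPS[:3]] + ["(%s)" % GROUPS[3]]

# Variant C (assumption: the subject consists only of these words, in order):
# groups 1-3 optional, group 4 required, anchored to the whole subject.
ORDERED = re.compile(
    r"^\s*(?:(?:%s)\s+)?(?:(?:%s)\s+)?(?:(?:%s)\s+)?(?:%s)\s*$" % tuple(GROUPS),
    re.IGNORECASE,
)

def classify(subject):
    """Return which variants would flag this subject for deletion."""
    return {
        "strict": all_rules(subject, STRICT),
        "with_empty": all_rules(subject, WITH_EMPTY),
        "ordered": ORDERED.match(subject) is not None,
    }

# "Newest Pack" is quoted in the thread; the other subjects are constructed.
SAMPLES = [
    "Newest Pack",
    "Latest Internet Security Patch",
    "Microsoft Security Update",
    "Weekly project update",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, classify(s))
```

Variant C trades recall for precision: it only fires when the whole subject is built from the listed words, so a legitimate "Weekly project update" survives while "Newest Pack" is still caught.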
 
Try setting up a filter:

If the To field doesn't contain "(e-mail address removed)" then mark the
message as mail to be deleted.

Then set up filters at a higher priority to handle any list-server
mailing lists that you are on, e.g.

If the To field contains "@yahoogroups.com" then don't display the
email in the messages list and mark the message as from a legitimate
source.

Note that to be a "higher" priority, it must be above the lower
priority filters in the filter list.
 
With so many Subject permutations (and it's not unusual for
someone to email me with "Microsoft" in the subject header), I
went a different route. Simplified and pseudocode:

To: not [any address keywords like "shark"]
AND
Size: [140kb-161kb]

In reality, that's only one negated set of 4 or-strings and a size
range.

Thanks. I keep meaning to add a size criterion to avoid false
positives, and you have just reminded me to do it.
So far, the only thing that's sneaked through is an aberration
like the 12kb one I got, yesterday. I can live with that.

Me too. I get 2000-3000 Swens per day; if they were broken ones
only 12K, I'd be so much happier. As it is, I have to stay connected
pretty much all day just to have Hamster delete them from the server
so my mailbox does not fill up.
Only false kills (these are auto kills on the server, by my mail
client) would be legit distro lists that didn't use my address in
To and happened to be in that size range -- a risk I'll take.

Pretty small likelihood of list mails of that size, but to be sure,
you could whitelist them. But I reckon you knew that. ;)
 
»Q« said:
With so many Subject permutations (and it's not unusual for someone
to email me with "Microsoft" in the subject header), I went a
different route. Simplified and pseudocode:
To: not [any address keywords like "shark"] AND Size: [140kb-161kb]
In reality, that's only one negated set of 4 or-strings and a size
range.
Thanks. I keep meaning to add a size criterion to avoid false
positives, and you have just reminded me to do it.

I exist but to serve! :)
Me too. I get 2000-3000 Swens per day; if they were broken ones only
Woo!

12K, I'd be so much happier. As it is, I have to stay connected
pretty much all day just to have Hamster delete them from the server
so my mailbox does not fill up.
Pretty small likelihood of list mails of that size, but to be sure,
you could whitelist them. But I reckon you knew that. ;)

True. I don't do any interactive lists (the ones that are, like,
discussion groups but email). Anything distribution lists I might be on
that wouldn't be showing one of my addresses would be stuff like Norton
AV bulletins and airline price heads-ups from Expedia; and I don't care
enough about any of those to care if they get munched or not.
 