Community Discussions and Support
POP3 mail filtering

[quote user="denniss"]X-MailScanner-SpamCheck: LEVEL= *************************

I believe this is a spam flag set by my ISP mail server. I used this as an expression filter rule in my POP3 filter set. Things seem to have simmered down for the past few hours at least. Sometimes I feel like I'm trying to hit a very fast moving target![/quote]

It would probably be a good idea to verify who is adding the spam level header based on what criteria and what the "cut-off level" (at which to delete messages with a neglectable chance of getting false positives) should be.

			Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C
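
An added example, not part of the thread and not code from the mail client: a sketch of applying a "cut-off level" to the star-count header quoted above instead of deleting on any match. It only treats the score as grounds for deletion when exactly one such header is present. The cut-off value and the sample headers are constructed assumptions; the header name and `LEVEL=` format are taken from the post.

```python
import re
from email.parser import HeaderParser

HEADER = "X-MailScanner-SpamCheck"          # header name as quoted in the thread
LEVEL_RE = re.compile(r"LEVEL=\s*(\*+)")    # value format as quoted in the thread
CUTOFF = 15  # assumed value; tune it against your own false-positive rate

def spam_levels(raw_headers):
    """Return the star count of every spam-check header, top to bottom."""
    msg = HeaderParser().parsestr(raw_headers)
    levels = []
    for value in msg.get_all(HEADER, []):
        m = LEVEL_RE.search(value)
        if m:
            levels.append(len(m.group(1)))
    return levels

def decide(raw_headers, cutoff=CUTOFF):
    """Return 'delete', 'download' or 'review' for one message's headers."""
    levels = spam_levels(raw_headers)
    if not levels:
        return "download"   # no score present: nothing to act on
    if len(levels) > 1:
        return "review"     # several copies: unclear which scanner added which
    return "delete" if levels[0] >= cutoff else "download"

# Constructed sample headers (not real mail).
def sample(*stars):
    lines = ["Received: from a.example by mx.isp.example; "
             "Mon, 1 Jan 2024 00:00:00 +0000"]
    lines += [f"{HEADER}: LEVEL= {'*' * n}" for n in stars]
    lines += ["Subject: constructed sample", "", ""]
    return "\n".join(lines)

HIGH = sample(25)        # same star count as the header quoted in the post
LOW = sample(6)          # scored, but below the assumed cut-off
DOUBLE = sample(25, 2)   # two spam-check headers in one message
PLAIN = sample()         # no spam-check header at all

if __name__ == "__main__":
    for name, raw in [("HIGH", HIGH), ("LOW", LOW),
                      ("DOUBLE", DOUBLE), ("PLAIN", PLAIN)]:
        print(name, spam_levels(raw), decide(raw))
```
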

Having read through previous posts on the subject I believe I have a pretty good understanding of how POP3 mail filtering works. Still have a couple quick questions, though.

Does entering an IP address work as well for an expression filter? E.g. Expression=*[xxx.xxx.xx.xxx]* then DeleteOnServer. Do I run the risk of further exposure by opening a spam message to examine the header in RAW view? My thought is, perhaps mistakenly, if I identify the trash coming from a specific site and filter it thus, perhaps it would avoid setting up numerous filter rules to catch a broader spectrum of messages.

 In the POP3 download control dialog there's an option to "Download only unread mail". Since I have Download Control set to delete all mail on the server once retrieved, does this option have any significance? I'm on dial up with an average of 31+KbS connect speed so anything I can do to limit the time it takes to wade through what had become an avalanche of garbage is a real plus.

Lastly, on the advice of others here (many thanks, BTW) I attempted to implement Spamhaus and a couple other blacklist services on site. None of them appear to offer an option to delete the spam messages, only move them to a designated folder. Their webmail application in turn doesn't offer any sort of auto-purge such that I'm obligated to log onto my webmail account periodically and purge the Trash folder.

Win4.51[Win32]

Thanks!!!

 


[quote user="denniss"]Does entering an IP address work as well for an expression filter? E.g. Expression=*[xxx.xxx.xx.xxx]* then DeleteOnServer. Do I run the risk of further exposure by opening a spam message to examine the header in RAW view? My thought is, perhaps mistakenly, if I identify the trash coming from a specific site and filter it thus, perhaps it would avoid setting up numerous filter rules to catch a broader spectrum of messages.[/quote]

You can filter on anything the headers provide, but the crucial question is which of the data to trust since almost anything can be forged. IOW: You need to know exactly what you're doing, just remember that most spam these days is distributed via "zombie" computers controlled by "stealth" command servers, so you'll hardly ever see the same sender twice. And, BTW, opening an email as raw (unformatted) data cannot do any harm at all unless your email application has a "vulnerability" (most likely a buffer overflow) already known to the bad guys ("zero day exploit") - but then they still need to execute some code on your local machine for causing anything else than simple crashes. Processing HTML is a different issue, though, but this won't happen for just reading headers ...

[quote user="denniss"]In the POP3 download control dialog there's an option to "Download only unread mail". Since I have Download Control set to delete all mail on the server once retrieved, does this option have any significance?[/quote]

In this case, no.

[quote user="denniss"]Lastly, on the advice of others here (many thanks, BTW) I attempted to implement Spamhaus and a couple other blacklist services on site. None of them appear to offer an option to delete the spam messages, only move them to a designated folder. Their webmail application in turn doesn't offer any sort of auto-purge such that I'm obligated to log onto my webmail account periodically and purge the Trash folder.[/quote]

Of course not, no automatic system can be as accurate as you in determining the difference between spam and non-spam: Only at the risk of more or less (and varying degrees) of false positives you can have such a system permanently delete your messages. I guess it's simply a matter of financial and judicial resources whether an organization or company dares to offer such a risky option ...

			Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

Thank you very much, Michael, for the concise info.

I guess it was rather naive of me to imagine I could identify a select few sources for junkmail. Indeed, I've looked through several headers lately and no single IP address seems to be repeated. I did find one interesting entry in one of the headers:

X-MailScanner-SpamCheck: LEVEL= *************************

I believe this is a spam flag set by my ISP mail server. I used this as an expression filter rule in my POP3 filter set. Things seem to have simmered down for the past few hours at least. Sometimes I feel like I'm trying to hit a very fast moving target!

 

 
