Below you’ll find the ORFilter support forum. I’m sorry to tell that the old forum is gone. I’m still trying to salvage the messages, but I don’t have much hope. Sorry for that! To post in the forum, please register first!
 ORFilter for dummies (some questions)
 
 10/26/2006 5:12:40 PM
Achim
4 posts


ORFilter for dummies (some questions)
 (Germany)

Hi all,
I'm new to ORFilter (5.0.2), which has been working fine for some days now - so thanks for the program.
Now I have some questions:

  1. Is it possible to use regular expressions as keywords? Are there any hints? Is it possible to search only in 'subject'?
  2. Are there any new ORDB- or SURBL-Servers I should use? The orconfig-file is dated NOV. 25. 2004?
  3. Are there any sample orconfig-files?
  4. The Config-utility (0.97) is only for version 4.x. Is there a new one for version 5.x?
  5. Does ORFilter write some temporary files, so I should disable virus-scan for these (which?) directories?

Thank you for any help,
Regards

Achim

 9/29/2007 6:57:49 AM
thehelpdesk
5 posts


Re: ORFilter for dummies (some questions)
 (United States)

1. Regular expressions are great for parsing emails and keywords.  I have listed some of my rules, since this was a great help in the previous forum seeing an example of what others use. 

2. They are out there; you have to look for them, but here are some.

    <rule>
      <type>DNS</type>
      <parameter score="140" enabled="true">bl.spamcop.net</parameter>
      <parameter score="200" enabled="true">xbl.spamhaus.org</parameter>
      <parameter score="200" enabled="true">list.dsbl.org</parameter>
      <parameter score="200" enabled="true">dnsbl.ahbl.org</parameter>
      <parameter score="200" enabled="true">cbl.abuseat.org</parameter>
      <parameter score="200" enabled="true">dnsbl.njabl.org</parameter>
    </rule>
    <rule>
      <type>URLDNS</type>
      <parameter score="150" enabled="true">multi.surbl.org</parameter>
      <parameter score="150" enabled="true">black.uribl.com</parameter>
      <parameter score="149" enabled="true">sbl.spamhaus.org</parameter>
    </rule>

3. Here are some example rules.

      <parameter score="300" enabled="true" method="asis" where="header" reason="">(?im:^Subject: Mail server report)</parameter>
      <parameter score="5000" enabled="true" method="asis" where="header" reason="Virus">(?im:^Subject: Microsoft Security Bulletin MS07-0065)</parameter>
      <parameter score="5000" enabled="true" method="asis" where="header" reason="SPAM">(?im:^Subject: You.ve received a (greeting |greeting-)?(ecard|card|postcard) from a (class |class-|school |school- )?(neighbou?r|worshipper|mate|colleague|family member|friend|partner))</parameter>
      <parameter score="5000" enabled="true" method="asis" where="all" reason="SPAM">(?im:(class |class-|school |school- )?(neighbou?r|worshipper|mate|colleague|family member|friend|partner|daughter|brother|sister) (has )?sent you (an? )?(greeting |greeting-|funny|love|animated|musical|birthday|funny)?(ecard|card|postcard))</parameter>
      <parameter score="5000" enabled="true" method="asis" where="all" reason="SPAM">(?im:(class |class-|school |school- )?(neighbou?r|worshipper|mate|colleague|family member|friend|partner|daughter|brother|sister).{9,50} has (created|sent) (greeting |greeting-|animated|musical|love|birthday|funny)?(e-card|ecard|card|postcard) for you at)</parameter>
      <parameter score="5000" enabled="true" method="asis" where="header" reason="SPAM">(?is:From: User [a-zA-Z]{7,11}.{0,60} on behalf of)(?is:.+?http://\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)</parameter>
      <parameter score="5000" enabled="true" method="asis" where="all" reason="SPAM">(?im:To:.{1,50}&lt;(\b\w*\b)@.*(?:morning|hi there|regards|good (day|evening|morning|night)|compliments|greeting(s)?|wa[sz]{2}up|hi|hello|yo yo yo)\s\1)</parameter>
      <parameter score="5000" enabled="true" method="asis" where="body" reason="Romario Virus">(?im:Mario.?Bross)</parameter>
      <parameter score="1500" enabled="true" method="asis" where="all" reason="W32.Sixem.A@mm">(Soccer fans killed five teens|Crazy soccer fans|Please reply me Tomas|My tricks for you|Naked World Cup game set|My sister whores)</parameter>
      <parameter score="1000" enabled="true" method="asis" where="body" reason="SPAM">(?:It seams that your mailserver is used bij others)</parameter>
      <parameter score="250" enabled="true" method="asis" where="header" reason="Spam">(?im:User-Agent: Thunderbird 1.5.0.12)</parameter>
      <parameter score="200" enabled="true" method="asis" where="header" reason="Spam">(?im:^Subject: Unwanted emails)</parameter>
      <parameter score="250" enabled="true" method="asis" where="header" reason="Spam">(?im:The United States National Medical Association)</parameter>
      <parameter score="50" enabled="true" method="asis" where="all" reason="SPAM">\b(rolex|cartier|sw{1,2}is{1,2} w{1,2}atch(e(s|z))?)\b</parameter>
      <parameter score="30" enabled="true" method="asis" where="all" reason="SPAM">\bO.{0,2}T.{0,2}C\b</parameter>
      <parameter score="30" enabled="true" method="asis" where="all" reason="SPAM">\bc.{0,2}o.{0,2}n.{0,2}t.{0,2}a.{0,2}c.{0,2}t.{0,2}y.{0,2}o.{0,2}u.{0,2}r.{0,2}b.{0,2}r.{0,2}o.{0,2}k.{0,2}e.{0,2}r.{0,2}n.{0,2}o.{0,2}w\b</parameter>
      <parameter score="30" enabled="true" method="asis" where="all" reason="SPAM">\bd.{0,2}o.{0,2}n.{0,2}t.{0,2}m.{0,2}i.{0,2}s.{0,2}s.{0,2}t.{0,2}h.{0,2}i.{0,2}s.{0,2}o.{0,2}p.{0,2}p.{0,2}o.{0,2}r.{0,2}t.{0,2}u.{0,2}n.{0,2}i.{0,2}t.{0,2}y\b</parameter>
      <parameter score="9" enabled="true" method="asis" where="all" reason="SPAM">expand.{0,20}your.{0,20}market</parameter>
      <parameter score="30" enabled="true" method="asis" where="all" reason="SPAM">urgent.{0,16}(?:assistance|business|buy|confidential|notice|proposal|reply| request|response)</parameter>
      <parameter score="5" enabled="true" method="asis" where="all" reason="SPAM">on this deal</parameter>
      <parameter score="2" enabled="true" method="asis" where="all" reason="SPAM">internet product</parameter>
      <parameter score="1" enabled="true" method="asis" where="all" reason="SPAM">genuine .{0,10}.?opportunity</parameter>
      <parameter score="16" enabled="true" method="asis" where="all" reason="SPAM">(?:internet|financial) (?:success|opportunit(?:y|ies))</parameter>
      <parameter score="16" enabled="true" method="asis" where="all" reason="SPAM">(?:millions of|mi\|\|i0n)\b</parameter>
      <parameter score="42" enabled="true" method="asis" where="all" reason="SPAM">valuable offers?</parameter>
      <parameter score="8" enabled="true" method="asis" where="all" reason="SPAM">(?:product offerings?|unique business|we offer|business partners?)</parameter>
      <parameter score="17" enabled="true" method="asis" where="all" reason="SPAM">network marketing</parameter>
      <parameter score="18" enabled="true" method="asis" where="all" reason="SPAM">business opportunit(ies|y)</parameter>
      <parameter score="25" enabled="true" method="asis" where="all" reason="SPAM">(?:\$[\s\S]*?){6,}</parameter>
      <parameter score="15" enabled="true" method="asis" where="all" reason="SPAM">(?:\%[\s\S]*?){5,}</parameter>
      <parameter score="50" enabled="true" method="asis" where="all" reason="SPAM">\bopt(ed|)\b\W?\b(in|out)\b</parameter>
      <parameter score="20" enabled="true" method="asis" where="all" reason="SPAM">((weekly|income|guaranteed|earn).{1,50}){3,}</parameter>
      <parameter score="5" enabled="true" method="asis" where="header" reason="SPAM">(?im:^From: "[a-zA-Z]* [a-zA-Z]. [a-zA-Z]*")</parameter>
      <parameter score="250" enabled="true" method="asis" where="header" reason="FRAUD SPAM">(?im:^Subject: Your Online Banking Account Profile Is Locked)</parameter>
      <parameter score="500" enabled="true" method="asis" where="header" reason="FRAUD SPAM">(?im:^From: "Bank of America".{0,2}.?bankofamerica@serv\.com.?)</parameter>
      <parameter score="500" enabled="true" method="asis" where="body" reason="FRAUD SPAM">(?ism: please login and verify your profile.{1,100}click the link below.)</parameter>
      <parameter score="20" enabled="true" method="asis" where="all" reason="FRAUD SPAM">confirm.{1,40}account</parameter>
      <parameter score="35" enabled="true" method="asis" where="all" reason="FRAUD SPAM">confirm.{1,40}(your|now)</parameter>
      <parameter score="10" enabled="true" method="asis" where="all" reason="FRAUD SPAM">your account</parameter>
      <parameter score="100" enabled="true" method="asis" where="all" reason="FRAUD SPAM">(?im:your response is required)</parameter>
      <parameter score="35" enabled="true" method="asis" where="all" reason="FRAUD SPAM">\byour access\b</parameter>
      <parameter score="300" enabled="true" method="asis" where="header" reason="FRAUD SPAM">(?im:^Subject: .{0,20}\b(?:Online User Violation|Important Notification|(Your Email.)?Account (Alert|Limitation|(is )?Suspen(ded|sion)|Will be)|Last Warning|Security measures))</parameter>
      <parameter score="300" enabled="true" method="asis" where="all" reason="FRAUD SPAM">(?:We regret to inform you that your account has been suspended|We attached some important information regarding|The message (contains Unicode characters|cannot be represented)|Mail transaction failed|Here are your banks documents)</parameter>
      <parameter score="100" enabled="true" method="asis" where="all" reason="FRAUD SPAM">\bthis(\s*)procedure(\s*)is(\s*)obligatory(\s*)for(\s*)all(\s*)business(\s*)and(\s*)corporate(\s*)clients</parameter>
      <parameter score="15" enabled="true" method="asis" where="all" reason="SPAM">[ ].{0,5}[a-zA-Z]\~[a-zA-Z].{0,5}[ ]</parameter>
      <parameter score="15" enabled="true" method="asis" where="all" reason="SPAM">[ ].{0,5}[a-zA-Z]\^[a-zA-Z].{0,5}[ ]</parameter>
      <parameter score="20" enabled="true" method="asis" where="all" reason="SPAM">[ ]([~\.\-`\^']|[a-zA-Z]){1,7}_([~\.\-`\^']|[a-zA-Z]){1,7}[ ]</parameter>
      <parameter score="15" enabled="true" method="asis" where="all" reason="SPAM">[ ]([~\.\-`\^_']|[a-zA-Z]){1,7}~([~\.\-`\^_']|[a-zA-Z]){1,7}[ ]</parameter>
      <parameter score="15" enabled="true" method="asis" where="all" reason="SPAM">[ ]([~\.`\^_'-]|[a-zA-Z]){1,7},([~\.\-`\^_']|[a-zA-Z]){1,7}[ ]</parameter>

Hope this helps
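
Added example (not part of thehelpdesk's post and not ORFilter code): a small offline harness for trying rules like the ones above against sample mail before enabling them, so that low-score hits on legitimate messages show up early. It assumes that the scores of all matching rules are summed, that `where` selects the header block, the body, or the whole message, and that Python's `re` is a close enough stand-in for ORFilter's regex engine; the three rules are copied from the post, the messages are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Three rules copied from the post above; the <rule> wrapper is added here.
RULES_XML = r"""<rule>
  <parameter score="250" enabled="true" method="asis" where="header" reason="FRAUD SPAM">(?im:^Subject: Your Online Banking Account Profile Is Locked)</parameter>
  <parameter score="500" enabled="true" method="asis" where="body" reason="FRAUD SPAM">(?ism: please login and verify your profile.{1,100}click the link below.)</parameter>
  <parameter score="20" enabled="true" method="asis" where="all" reason="FRAUD SPAM">confirm.{1,40}account</parameter>
</rule>"""

# Constructed sample messages (not real mail).
PHISH = ('From: "Bank" <support@example.test>\n'
         'Subject: Your Online Banking Account Profile Is Locked\n\n'
         'Dear customer, please login and verify your profile.\n'
         'To continue, click the link below.\nhttp://example.test/login\n')
HAM = ('From: alice@example.test\nSubject: Meeting room booking\n\n'
       'Hi, can you confirm the account manager is joining on Friday?\n')
FORWARD = ('From: bob@example.test\nSubject: FYI\n\nI got this phish today:\n'
           'Subject: Your Online Banking Account Profile Is Locked\n')

def load_rules(xml_text):
    """Return (score, where, reason, compiled regex) for each enabled parameter."""
    rules = []
    for p in ET.fromstring(xml_text).iter("parameter"):
        if p.get("enabled") == "true":
            rules.append((int(p.get("score")), p.get("where"),
                          p.get("reason"), re.compile(p.text)))
    return rules

def score_message(raw, rules):
    """Sum the scores of matching rules (assumed semantics) and list the hits."""
    header, _, body = raw.partition("\n\n")   # header block ends at first blank line
    scope = {"header": header, "body": body, "all": raw}
    hits = [(score, reason, rx.pattern)
            for score, where, reason, rx in rules if rx.search(scope[where])]
    return sum(h[0] for h in hits), hits

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for name, msg in (("phish", PHISH), ("ham", HAM), ("forward", FORWARD)):
        total, hits = score_message(msg, rules)
        print(name, total, [h[2] for h in hits])
```

The legitimate message still collects 20 points from `confirm.{1,40}account`, which is why broad `where="all"` phrases carry small scores in the list above while exact subject lines carry large ones.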

 11/7/2007 8:52:01 AM
scottyman
2 posts


Re: ORFilter for dummies (some questions)
 (N/A)

That's cool - thanks for that, quite useful.

What scoring did you use for your rules?

Cheers

 

Scott

Copyright 2006 by martijnjongen.com