Outlook Rules & Baffling Spam


Tom

Using OL 2003 with Spam Filter set to "high," but I doubt that's
related...

I use a "premium" (that's a joke) Yahoo! POP account w/OL. They actually
have a pretty decent spam filter of their own. Between that, and OL's
built-in spam filter, I rarely, if ever, end-up with one in my inbox out
of about 200 received and identified each day.

The bummer is that Yahoo! forces me to download them all, but they
include a tag, X-YahooFilteredBulk: (ip address) in the header.

So, I simply set-up a rule in OL to check messages when they arrive,
looking for X-YahooFilteredBulk in the header, move the message to the
"Junk mail" folder, and stop processing more rules.

It is the first rule in my list.

Like I said, between that, and the built-in OL filtering, I'm happy.

Until "Bullguard."

Yahoo is properly identifying it as spam (with the above tag in the
header), but OL is falling apart on the ever growing number of messages
from these guys!!!

For some reason, even though "X-YahooFilteredBulk" appears in the header
as it does with all of the other spams, OL is not processing the rule for
it, and OL's junk mail filtering is ignoring it, too, despite the fact
that it's filled with all the "red flags" "free," "save," "act now,"
mismatched originating domain, sender domain, and reply-to domain, etc.,
etc., etc.

These guys are doing something that is causing all of the safeguards in
OL to fail, but (obviously) Yahoo is still able to recognize it as spam.

During this morning's download, I received 147 messages. Two were
legitimate. 145 had "X-YahooFilteredBulk" in the header, and the rule
moved 139 of those to the junk mail folder. 6 (all from "Bullguard") were
completely ignored by the rule, and by OL's junk mail filter.

Of course, I can create a new rule, specifically for these guys, but a)
they're using a different sending address and subject line each time, and b)
if the spammers have discovered a way to defeat OL's filters and rules,
it's a matter of time before they all do it, and we can't write specific
rules for each!?

What have these guys done to "defeat the system?"

Here's the header (with my e-mail addy munged, but everything else
intact)... And remember, searching for "X-YahooFilteredBulk" in the header,
moving the file, and "stop processing more rules" is the FIRST rule in my
list, so that "stock answer" to questions like this doesn't apply...

X-Apparently-To: (e-mail address removed) via web9902.mail.yahoo.com; Fri, 16 Jan
2004 22:37:30 -0800
X-YahooFilteredBulk: 80.160.89.28
Return-Path: <[email protected]>
Received: from tool1.bullguard.com.89.160.80.in-addr.arpa (EHLO
tool1.bullguard.com) (80.160.89.28)
by mta2-vm3.mail.yahoo.com with SMTP; Fri, 16 Jan 2004 22:37:29 -0800
Received: from tool1.bullguard.com.89.160.80.in-addr.arpa
([::ffff:127.0.0.1])
by tool1.bullguard.com with esmtp; Sat, 17 Jan 2004 07:37:22 +0100
Message-ID:
<26294724.1074321442694.JavaMail.newsletter@tool1.bullguard.com.89.160.80
..in-addr.arpa>
Date: Sat, 17 Jan 2004 07:37:22 +0100 (CET)
From: (e-mail address removed)
To: (e-mail address removed)
Subject: BullGuard Newsletter - Viruses spawn $55 billion loss
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=_tool1.bullguard.com-
7564-1074321444-0001-2"

This is a MIME-formatted message. If you see this text it means that
your
E-mail software does not support MIME-formatted messages.

--=_tool1.bullguard.com-7564-1074321444-0001-2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
 
The rule that identifies "X-YahooFilteredBulk," and moves the message to
the junk mail folder also sets the priority to low (it's the only rule I
have that changes priority).

That way, when I look in the junk mail folder, I know which spams were
caught by Yahoo, and which slipped-through, and were caught by OL 2003.

I tell you, today, that rule found the tag as placed by Yahoo in all spam,
except for the ones from Bullguard, which escaped both the rule, and the
built-in junk mail filter completely.
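As an added example (not from the thread), here is Tom's first rule re-implemented as a small rule engine over a parsed RFC 2822 header, so the presence of the X-YahooFilteredBulk tag can be verified independently of Outlook's rules engine. The sample header is constructed from the one posted, with placeholder addresses; the second rule, the folder names and the IP cross-check are assumptions for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed from the header in the post, with placeholder addresses; the
# folded lines are indented as RFC 2822 requires (the post flattened them).
TAGGED = """\
X-Apparently-To: tom@example.invalid via web9902.mail.yahoo.com; Fri, 16 Jan
  2004 22:37:30 -0800
X-YahooFilteredBulk: 80.160.89.28
Return-Path: <newsletter@example.invalid>
Received: from tool1.bullguard.com.89.160.80.in-addr.arpa (EHLO
  tool1.bullguard.com) (80.160.89.28)
  by mta2-vm3.mail.yahoo.com with SMTP; Fri, 16 Jan 2004 22:37:29 -0800
From: newsletter@example.invalid
To: tom@example.invalid
Subject: BullGuard Newsletter - Viruses spawn $55 billion loss

body
"""
# Constructed control message: a newsletter Yahoo did not tag.
UNTAGGED = ("From: list@example.invalid\nTo: tom@example.invalid\n"
            "Subject: Weekly Newsletter\n\nbody\n")

def has_yahoo_bulk_tag(msg):
    """Rule 1 condition: X-YahooFilteredBulk present, whatever its value."""
    return msg["X-YahooFilteredBulk"] is not None

def is_newsletter(msg):
    """Rule 2 condition (hypothetical): the word Newsletter in the subject."""
    return "newsletter" in (msg["Subject"] or "").lower()

# Outlook order: (condition, actions to apply, "stop processing more rules").
RULES = [
    (has_yahoo_bulk_tag, {"folder": "Junk mail", "priority": "low"}, True),
    (is_newsletter, {"folder": "Newsletters"}, False),
]

def apply_rules(raw):
    """Run RULES top to bottom over a parsed message; return the disposition."""
    msg = message_from_string(raw, policy=default)
    state = {"folder": "Inbox", "priority": "normal", "matched": []}
    for cond, actions, stop in RULES:
        if cond(msg):
            state.update(actions)
            state["matched"].append(cond.__name__)
            if stop:
                break
    return state

def tagged_ip_matches_received(raw):
    """Cross-check: Yahoo's tag should name the IP in its own Received line."""
    msg = message_from_string(raw, policy=default)
    tag = msg["X-YahooFilteredBulk"]
    received = (msg.get_all("Received") or [""])[0]   # topmost = Yahoo's MTA
    found = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", str(received))
    return tag is not None and found is not None and found.group(1) == str(tag)
```

Because the header is parsed rather than searched as raw text, the check is unaffected by how the lines were folded in transit, and the Bullguard message lands in Junk mail without ever reaching the second rule.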
 
Hi Tom,

I don't have the same problem, but the overall issue with
Microsoft filters is that the user doesn't have enough
control. I just posted about a problem I'm having with
blocked domains and Outlook slipping through some messages
even though they should be blocked. (I don't need email
from anyone at yahoo.com.hk for example)

Microsoft should look at Pocomail filters and rules. They
are much better, even though Pocomail has its own
problems. (I don't use it anymore, but I sure do love their
filters)

 

This doesn't seem to have anything to do with the spam filtering, but
rather, with the rules engine!

I'm now receiving mail from a number of spammers (the other day, it was
just one) that seem to be "defeating" rules...

Again, my first rule is: If the mail has YahooFilteredBulk in the header,
mark it as low priority, move it to the Junk Mail folder, and stop
processing more rules.

It worked on 100% of the spam detected by Yahoo for quite a while, then
that one company started slipping-through, and today, it was spam from
four different outfits that "slipped" through... As if they've found a
way to get-around the rules processing, not the spam filter itself.

As usual this morning, the rule moved about 95% of the spam identified by
Yahoo, but these got through. The YahooFilteredBulk tag is present in the
"problem" messages, it's just ignored by OL 2003's rules engine.

Any thoughts MVPs?
 