Make up your own spamfilter rules

Hi malware fighters,

Using a spam filter, these were found to be good rules. This is a first survey. Here are the spam filter rules to be used, which work fine:

  1. Mail server connections:

Always check the incoming IP address against bl.spamcop.net and relays.ordb.org (free blacklist servers).

  2. FROM-field checks:

2a. Certainly NO spam:

paypal.com
*.be?
*.nl?
*.de?
*.pl

2b. Spamdomains to be denied:


2c. Deny mails with four or five digits just in front of the ‘@’ sign:

[0-9][0-9][0-9][0-9]@
[0-9][0-9][0-9][0-9][0-9]@

  3. TO-field checks

3a. Delete all mail with the following terms in the TO-field:


3b. Refuse the following IP addresses (known IP address blocks that
are used by spammers):


  4. SUBJECT-field checks:

4a. Delete mails whose subject ends in several spaces followed by three to
five digits:

  • [0-9][0-9][0-9]
  • [0-9][0-9][0-9][0-9]
  • [0-9][0-9][0-9][0-9][0-9]

4b. Suspicious subjects denoting spam:

dave’s test phrase
information you requested
response to your request
check it out
adult
penis
biggertool*
v?agra
Re:Viagra
prescription
sexual
now!
addinches*
women
womanhappy*
shehappy*
please her
photosingle*
weight loss
looseweight*
loseweight*
looselbs*
loselbs*
loosepound*
losepound*
income
deserve
introducprice*
virgin
free quote
urgentassistance*
confidential
shady past
refinanc
offshoreaccount
earnrespect*
money
debt
mortgage
health
prescri
medication
rock bottom
big savings
sales
did you see
knowabout*
needchange*
directmarketing*
breastenhancement*
quitsmoking*
letmeet*
getdate*
hascrush*

4c. These terms are not necessarily spam related:

results
ebay

  5. OTHER FIELDS

5a. These fields denote spam whenever found:

X-Spam-Black-List*
Friend@public.com
To:friend@*
X-Mailer: Mail Bomber
X-LYRIS-M*
X-Mailer: PowerTCP Mail 2.0.37.0
X-Mailer: Dynamic Opt-In Emailer*
Octeth Email Manager Pro

5b. If you consider all HTML mail as spam,
you should use this check:

Content-Type: text/html

5c. And if you find these terms, you should be warned:

Content-Type: application/x-msdownload
Content-Transfer-Encoding: base64

  6. MESSAGE CHECKS:

6a. These extension types are to be DENIED:

Content-Type:.scr*
Content-Type:.bat*
Content-Type:.lnk*
Content-Type:.cmd*
Content-Type:.pif*
Content-Type:.ceo*
Content-Type:.vbs*

6b. Optionally, deny attachments with .com and .exe as well:

Content-Type:.exe*
Content-Type:.com*

6c. If the following search terms are found in the message text,
the mail is highly likely to be spam:

emoval instructions
S.1618-SECTION 301
Bill s. 1618 TITLE III*
Bill HR 1910
message is sent in compliance
EC Email opt?out directive
loanhunter
genericviagra*
viagraprice*
viagracost*
viagraexpensive*
viagracheaper*
getviagra*
via<>gra*
vi<>gra*
inches limitedoffer*
introductoffer*
cheapestsupplier*
clickhere*
pushhere*
enterhere*
removehere*
remove me now
remove now
stophere*
call now
click now
visit now
learn more
call 24
check this out
mortgage
real estate
specialoffer*
promotionpric*
milliondollar*
moneymaking*
moneyearn*
earnmoney*
makemoney*
thousandsloan*
weight loss
looseweight*
loseweight*
paydebt*
debtpay*
lowinterest*
offshoreaccount
dietingexercise*
exercisedieting*
bigpenis*
largepenis*
penisgrow*
increasepenis*
enlargeinches*
getfor free*
try itnow*
prescription
100%guarantee
money back
free shipping
percent off
withdrawalsymptom

get a date
xcellentresults
milliondollar*
health.biz*
medical.biz*
edificagrowth
optmailsystem
81.180.94
*color=FF0000
*http://click
http://optout
http://opt?out
http://.biz

img src="http://
http-equiv="refresh"content=
<BODYonLoad

<IFRAME

polonus
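A small rule evaluator, added here as an illustration and not part of the post or of Mailwasher: it applies the post's wildcard syntax (`*`, `?`, `[0-9]`) as substring matches for the From, Subject, other-header and attachment checks, reads rule 4a as trailing whitespace plus three to five digits, and builds the reversed-octet name that a DNSBL lookup against a zone such as bl.spamcop.net resolves (rule 1). The rule lists are short excerpts of the post's lists; the IP prefix and the sample message are constructed.

```python
import re
from email import message_from_string

# Rule excerpts in the post's wildcard syntax ('*', '?', '[0-9]'), substring-matched; IP prefix is constructed.
FROM_ALLOW = ["paypal.com"]                                          # 2a
FROM_DENY = ["sexyfun", "howtomakemoney", "[0-9][0-9][0-9][0-9]@"]   # 2b, 2c
SUBJECT_DENY = ["v?agra", "biggertool*", "weight loss", "free quote"]  # 4b
HEADER_DENY = ["X-Mailer: Mail Bomber", "X-LYRIS-M*"]               # 5a
ATTACH_DENY = (".scr", ".bat", ".lnk", ".cmd", ".pif", ".vbs")       # 6a
IP_DENY_PREFIXES = ["192.0.2."]                                     # 3b, constructed TEST-NET
TRAILING_DIGITS = re.compile(r"\s{2,}[0-9]{3,5}$")                  # 4a, my reading of the rule

def glob_to_regex(pattern):
    # '*' -> '.*', '?' -> '.', a [..] class is kept verbatim, everything else literal
    tokens = re.findall(r"\[[^\]]*\]|.", pattern)
    rx = "".join(".*" if t == "*" else "." if t == "?" else
                 t if t.startswith("[") else re.escape(t) for t in tokens)
    return re.compile(rx, re.IGNORECASE)

def any_match(rules, text):
    return [r for r in rules if glob_to_regex(r).search(text)]  # rules hit anywhere in text

def dnsbl_query_name(ip, zone):
    """Name a DNSBL check resolves (rule 1): octets reversed under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(raw_message, peer_ip):
    """Apply the rule groups in the post's order; return (verdict, reasons)."""
    reasons = [f"ip-block {p}" for p in IP_DENY_PREFIXES if peer_ip.startswith(p)]
    msg = message_from_string(raw_message)
    sender, subject = msg.get("From", ""), msg.get("Subject", "")
    if any_match(FROM_ALLOW, sender):      # bare substring, so a forged From passes
        return "allow", ["from-allowlist"]
    reasons += [f"from {r}" for r in any_match(FROM_DENY, sender)]
    reasons += [f"subject {r}" for r in any_match(SUBJECT_DENY, subject)]
    if TRAILING_DIGITS.search(subject):
        reasons.append("subject trailing digits")
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    reasons += [f"header {r}" for r in any_match(HEADER_DENY, headers)]
    for part in msg.walk():                # 6a: extension of any attachment name
        name = (part.get_filename() or "").lower()
        if name.endswith(ATTACH_DENY):
            reasons.append(f"attachment {name}")
    return ("deny" if reasons else "allow"), reasons

SAMPLE = ("From: offers@sexyfun.example\nSubject: Free quote for you   4711\n"
          "X-Mailer: Mail Bomber\n\nconstructed body text\n")   # constructed sample, not from the post

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.7", "bl.spamcop.net"), classify(SAMPLE, "192.0.2.7"))
```

The 2a allowlist is a bare substring match exactly as the post states it, so any From header containing the allowed string is let through; an allowlist is only safe when tied to an authenticated sender result (SPF/DKIM/DMARC). relays.ordb.org has since gone out of service, and a retired DNSBL zone can start answering positively for every query, so the list zones in rule 1 need periodic review.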

1. Mail server connections:

Always check the incoming IP address against bl.spamcop.net and relays.ordb.org (free blacklist servers).

I would add to this sbl-xbl.spamhaus.org, which is a combination of two blacklists from spamhaus.org, one of the best blacklists. This one, sbl-xbl.spamhaus.org, catches more than spamcop.net and relays.ordb.org combined, so much so that I stopped using relays.ordb.org as it so infrequently detected anything. I also get a number of false positives from spamcop.net.

Hi DavidR,

Yes, and there are some more blacklists to be added.
All the mentioned rules and blacklists can be added to the good Mailwasher tool. Works like a beauty. Maybe some others would like to mention their filtering secrets as well, and we can surely reckon on an interesting thread evolving.

Enjoy filtering,

polonus

pardon the newbie questions

  1. but where in avast home edition do I place these settings?
  2. if my host is using SpamAssassin (bluehost), should I do this at the host level or the avast level?

tx

These aren’t avast options; it isn’t a spam filter.

If SpamAssassin has the option to add a blacklist database, then this one is good: sbl-xbl.spamhaus.org.