
MOST EFFECTIVE SPAM SEARCH TERMS IN MY RECENT SPAM AND FRIENDLY EMAIL

This is a recent list of the Eudora filter search terms I use to identify the most spam with the fewest false positive hits on my email collection. This list of terms identifies 94% of spam and only 2.1% of friendly emails in my sample collection. I've made a few more changes to the filters since making this page and currently I'm getting a 97% hit on spam and less than 2% false positives. The full text of the filters.pce file for these terms is included at the bottom of this page. To download the most recent Filters.pce file of these filters click here.

Notes* 
1) All spam was received in January-February 2003; "friendly" email dates back to January 2000.
2) Your spam and friendly email may be very different from mine, so your results may vary.
3) Replace "cecilw" with your login name and "pullman.com" with your email (ISP) domain name in the search terms as needed.
4) Search terms are not case sensitive.
5) ALL terms are understood as regular expressions (case insensitive) and search the BODY of the email unless stated otherwise.

SAMPLE SIZE: 2176 SPAM, 2176 FRIENDLY EMAILS

Columns: #, SEARCH TERM, SPAM hits, SPAM %, FRIENDLY EMAIL hits, FRIENDLY EMAIL %, MULTIPLIER

1 (HTTP|MAILTO).{1,50}REMOV 581 26.7% 1 0.05% 581.0
2 to be (excluded|removed)  280 12.9% 0 0.00% 280.0
3 Subject: Contains "CECILW" (my username) 252 11.6% 0 0.00% 252.0
3A Subject: contains "Free" 163 7.5% 1 0.00% 163.0
4 BODY: [-A-Z0-9]{60}  unless body contains -{60} or "WARNING:" 162 7.4% 1 0.05% 162.0
5 OPT.?(IN|OUT) 314 14.4% 2 0.09% 157.0
5A Subject: CONTAINS "$" (a dollar sign) 150 6.9% 0 0.00% 150.0
6 Subject: ^ADV  (Starts with "ADV") 149 6.8% 0 0.00% 149.0
7 REMOV.{1,50}(HTTP|MAILTO) 293 13.5% 2 0.09% 146.5
8 Any recipient:(PULLMAN\.COM.*){4} 134 6.2% 0 0.00% 134.0
9 SIZE="[13-5]" 533 24.5% 4 0.18% 133.3
10 HTTP.{1,100}(SEX|ADULT) 131 6.0% 1 0.05% 131.0
11 penis 123 5.7% 0 0.00% 123.0
12 LOSE WEIGHT 120 5.5% 0 0.00% 120.0
13 CASINO 119 5.5% 0 0.00% 119.0
14 OFFER(!|:) 108 5.0% 0 0.00% 108.0
15 //[0-9]  unless body contains "photo" or "card" 211 9.7% 2 0.09% 105.5
16 HGH 104 4.8% 0 0.00% 104.0
17 #(3333|666666) 200 9.2% 2 0.09% 100.0
18 mortgage.*(rates|free) 98 4.5% 0 0.00% 98.0
19 <!--  unless body contains "xml" 368 16.9% 4 0.18% 92.0
20 refinance 87 4.0% 0 0.00% 87.0
21 From: AOL and header "Message-ID" Doesn't Contain "AOL.COM" 80 3.7% 1 0.05% 80.0
22 Subject: [ ]{4}   (subject contains 4 contiguous spaces) 318 14.6% 4 0.18% 79.5
23 From: HOTMAIL and header "X-Originating-IP" Doesn't appear 208 9.6% 3 0.14% 69.3
24 N[O0]RT[O0]N.*\$ 125 5.7% 2 0.09% 62.5
25 (SPECIAL|THIS) OFFER 240 11.0% 4 0.18% 60.0
26 IMG.*SRC=.?.?.?HTTP  unless "/TSMILEYS/|graphics.hotmail|images/paypal" 715 32.9% 12 0.55% 59.6
27 SCRIPTS/REDIR 52 2.4% 0 0.00% 52.0
28 VIAGRA 96 4.4% 2 0.09% 48.0
29 ([A-Z] ){5}       (5 letters separated by  s p a c e s) 60 2.8% 2 .10% 30.0
30 ANY HEADER: 0-[1234]POOL 30 1.4% 0 0.00% 30.0
31 From: @.*\(.*@ 20 0.9% 0 0.00% 20.0
32 GO[[:space:]]{2}HERE 19 0.9% 0 0.00% 19.0
33 ANY HEADER: NEXTPART_[^0] 18 0.8% 0 0.00% 18.0
33A Free!! 15 0.7% 1 0.05% 15.0
34 banned CD 13 0.6% 0 0.00% 13.0
35 SCRAMBLER 7 0.3% 0 0.00% 7.0
36 Nigeria 10 0.5% 2 0.09% 5.0
37 ( CONGO ) 5 0.2% 0 0.00% 5.0
38 ( Lagos) 2 0.1% 0 0.00% 2.0
39 LOLITAS 2 0.1% 0 0.00% 2.0
40 SIERRA-LEON 1 0.0% 0 0.00% 1
             
  Filters - Totals 2039 93.7% 46 2.1% 44.3


The following text is the entire "Filters.pce" file for the
above listed set of filter terms. You may copy and paste
all or part of this text into your filters.pce file if you wish, or you may
download the latest version of this file.
The filters in the download file have been combined to compact them
into about 20 spam filters, plus several whitelist filters.

 3
rule «Body»(HTTP|MAILTO).{1,50}REMOV
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value (HTTP|MAILTO).{1,50}REMOV
conjunction ignore
header
verb contains
value
rule «Body»to be (excluded|removed)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value to be (excluded|removed)
conjunction ignore
header
verb contains
value
rule Subject:CECILW
transfer Spam.mbx
stop
incoming
manual
header Subject:
verb contains
value CECILW
conjunction unless
header Subject:
verb contains
value cecilw.com
rule Subject:FREE
transfer SPAM.mbx
stop
incoming
manual
header Subject:
verb contains
value FREE
conjunction ignore
header
verb contains
value
rule «Body»[-A-Z0-9]{70}
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value [-A-Z0-9]{70}
conjunction unless
header «Body»
verb regex_icase
value -{70}|WARNING:
rule «Body»OPT.?(IN|OUT)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value OPT.?(IN|OUT)
conjunction ignore
header
verb contains
value
rule Subject:$
transfer SPAM.mbx
stop
incoming
manual
header Subject:
verb contains
value $
conjunction ignore
header
verb contains
value
rule Subject:^ADV
transfer Spam.mbx
stop
incoming
manual
header Subject:
verb regex_icase
value ^ADV
conjunction ignore
header
verb contains
value
rule «Body»REMOV.{1,50}(HTTP|MAILTO)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value REMOV.{1,50}(HTTP|MAILTO)
conjunction ignore
header
verb contains
value
rule «Any Recipient»(PULLMAN\.COM.*){4}
transfer Spam.mbx
stop
incoming
manual
header «Any Recipient»
verb regex_icase
value (PULLMAN\.COM.*){4}
conjunction ignore
header
verb contains
value
rule «Body»SIZE="[13-5]"
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value SIZE="[13-5]"
conjunction ignore
header
verb contains
value
rule «Body»HTTP.{1,100}(SEX|ADULT)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value HTTP.{1,100}(SEX|ADULT)
conjunction ignore
header
verb contains
value
rule «Body»PENIS
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value PENIS
conjunction ignore
header
verb contains
value
rule «Body»LOSE WEIGHT
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value LOSE WEIGHT
conjunction ignore
header
verb contains
value
rule «Body»CASINO
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value CASINO
conjunction ignore
header
verb contains
value
rule «Body»OFFER(!|:)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value OFFER(!|:)
conjunction ignore
header
verb contains
value
rule «Body»//[0-9]
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value //[0-9]
conjunction unless
header «Body»
verb regex_icase
value photo|card
rule «Body»HGH
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value HGH
conjunction ignore
header
verb contains
value
rule «Body»#(3333|666666)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value #(3333|666666)
conjunction ignore
header
verb contains
value
rule «Body»mortgage.*(rates|free)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value mortgage.*(rates|free)
conjunction ignore
header
verb contains
value
rule «Body»<!--
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value <!--
conjunction unless
header «Body»
verb contains
value xml
rule «Body»refinance
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value refinance
conjunction ignore
header
verb contains
value
rule From:AOL
transfer Spam.mbx
stop
incoming
manual
header From:
verb contains
value AOL
conjunction and
header Message-ID
verb !contains
value AOL.COM
rule Subject:[ ]{4}
transfer Spam.mbx
stop
incoming
manual
header Subject:
verb regex_icase
value [ ]{4}
conjunction ignore
header
verb contains
value
rule From:HOTMAIL
transfer Spam.mbx
stop
incoming
manual
header From:
verb contains
value HOTMAIL
conjunction and
header X-Originating-IP
verb !appears
value
rule «Body»N[O0]RT[O0]N.*\$
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value N[O0]RT[O0]N.*\$
conjunction ignore
header
verb contains
value
rule «Body»(SPECIAL|THIS) OFFER
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value (SPECIAL|THIS) OFFER
conjunction ignore
header
verb contains
value
rule «Body»(IMG.*SRC=.?.?.?HTTP)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value (IMG.*SRC=.?.?.?HTTP)
conjunction unless
header «Body»
verb regex_icase
value /TSMILEYS/|graphics.hotmail|images/paypal
rule «Body»SCRIPTS/REDIR
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value SCRIPTS/REDIR
conjunction ignore
header
verb contains
value
rule «Body»VIAGRA
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value VIAGRA
conjunction ignore
header
verb contains
value
rule «Body»([A-Z] ){5}
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value ([A-Z] ){5}
conjunction ignore
header
verb contains
value
rule «Any Header»0-[1234]POOL
transfer Spam.mbx
stop
incoming
manual
header «Any Header»
verb regex_icase
value 0-[1234]POOL
conjunction ignore
header
verb contains
value
rule From:@.*\(.*@
transfer Spam.mbx
stop
incoming
manual
header From:
verb regex_icase
value @.*\(.*@
conjunction ignore
header
verb contains
value
rule «Body»GO[[:space:]]{2}HERE
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value GO[[:space:]]{2}HERE
conjunction ignore
header
verb contains
value
rule «Any Header»NEXTPART_[^0]
transfer Spam.mbx
stop
incoming
manual
header «Any Header»
verb regex_icase
value NEXTPART_[^0]
conjunction ignore
header
verb contains
value
rule «Body»FREE!!
transfer SPAM.mbx
stop
incoming
manual
header «Body»
verb contains
value FREE!!
conjunction ignore
header
verb contains
value
rule «Body»banned CD
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value banned CD
conjunction ignore
header
verb contains
value
rule «Body»SCRAMBLER
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value SCRAMBLER
conjunction ignore
header
verb contains
value
rule «Body»Nigeria
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value Nigeria
conjunction ignore
header
verb contains
value
rule «Body»( CONGO )
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value ( CONGO )
conjunction ignore
header
verb contains
value
rule «Body»( Lagos)
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb regex_icase
value ( Lagos)
conjunction ignore
header
verb contains
value
rule «Body»LOLITAS
transfer Spam.mbx
stop
incoming
manual
header «Body»
verb contains
value LOLITAS
conjunction ignore
header
verb contains
value
rule «Body»Sierra-Leon
transfer Spam.mbx
stop
incoming
header «Body»
verb contains
value Sierra-Leon
conjunction ignore
header
verb contains
value
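
Added example, not part of the original page or of Eudora: a small Python evaluator for the rule/header/verb/value/conjunction layout of the Filters.pce text above, for replaying rules over a saved mail sample to count spam hits and false positives before enabling a filter. It assumes every rule has exactly two terms, handles only «Body» and named headers, and reads `ignore`, `and` and `unless` the way the table above describes them; all function and key names are this example's own.

```python
import re

# Constructed input: two rules copied from the Filters.pce text on this page.
PCE = "\n".join([
    "rule «Body»//[0-9]", "transfer Spam.mbx", "stop", "incoming", "manual",
    "header «Body»", "verb regex_icase", "value //[0-9]", "conjunction unless",
    "header «Body»", "verb regex_icase", "value photo|card",
    "rule From:HOTMAIL", "transfer Spam.mbx", "stop", "incoming", "manual",
    "header From:", "verb contains", "value HOTMAIL", "conjunction and",
    "header X-Originating-IP", "verb !appears", "value"])

def parse_rules(text):
    """Split Filters.pce text into rules holding two header/verb/value terms."""
    rules = []
    for line in text.splitlines():
        key, _, val = line.partition(" ")
        if key == "rule":
            rules.append({"name": val, "terms": []})
        elif key == "header":
            rules[-1]["terms"].append({"header": val, "verb": "", "value": ""})
        elif key in ("verb", "value"):
            rules[-1]["terms"][-1][key] = val
        elif key in ("conjunction", "transfer"):
            rules[-1][key] = val
    return rules

def term_hits(term, msg):
    """Evaluate one term; msg is {'headers': {lowercase name: value}, 'body': str}."""
    fields = {**msg["headers"], "«body»": msg["body"]}
    text = fields.get(term["header"].rstrip(":").lower())
    verb = term["verb"].lstrip("!")
    if verb == "appears":
        hit = text is not None
    elif verb == "regex_icase":
        # Python's re lacks POSIX classes, so map the one this page uses.
        pattern = term["value"].replace("[[:space:]]", r"\s")
        hit = re.search(pattern, text or "", re.I) is not None
    else:  # "contains"; the page notes that terms are not case sensitive
        hit = term["value"].lower() in (text or "").lower()
    return hit != term["verb"].startswith("!")  # a leading "!" negates the verb

def classify(rules, msg):
    """Return the transfer mailbox of the first rule that fires, else None."""
    for rule in rules:
        a, b = (term_hits(t, msg) for t in rule["terms"])
        fired = {"ignore": a, "and": a and b, "unless": a and not b}
        if fired[rule["conjunction"]]:
            return rule.get("transfer")
    return None
```

Calling `classify(parse_rules(PCE), msg)` on each message of a labelled sample gives the per-rule spam and friendly counts that the table above reports.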