Wizcrafts Computer Services
Specializing in Computer Security | Spam Reduction | Website Security | Webmaster Services
Email Security and Spam Reduction using MailWasher Pro Filters
Wizcrafts' MailWasher Pro Custom Spam Filter Rules
With many reports showing that spam email now accounts for between 80% and 90% of all of the email received, and because of the security and malware threats contained in many of those unwanted messages, a lot of people who use a stand-alone email "client" (program), like Outlook, Outlook Express, Windows Mail (Vista), Thunderbird, Eudora, etc., are turning to desktop anti-spam solutions like MailWasher Pro to screen and filter out spam and infected attachments before they are downloaded to their email client (program).
MailWasher Pro is an email screening program that automatically detects spam by scanning the headers, subject and body text, consulting online databases of known spam, checking against a BlackList the user has created and analyzing incoming raw source code with both Bayesian learning and user-configurable filters, which include positive and negative conditions and Regular Expressions filters.
When properly configured, MailWasher Pro also detects and deletes viruses embedded in or attached to incoming email. With the click of a button you can view the source code of an email message, in safe, plain text, to see if it contains suspicious codes, spam tricks, or obfuscated links to phishing websites.
Learn more about how MailWasher Pro works to keep your inbox free of spam. MailWasher Pro is free to try out for 30 days, and costs only $39.95 US for a permanent license, with a 6 month money back and lifetime upgrade guarantee! Download MailWasher Pro here.
This page contains the custom filter rules developed for use with MailWasher Pro, by Wiz Feinberg, owner of Wizcrafts Computer Services. You can use them to replace the tiny default filter set created by the program itself, if you haven't modified it yet. The rules have been refined over several years of constant use. Not all of these rules are required for every user, especially if you have created your own custom spam rules, and spam techniques change over time. I recommend that you review them and only copy the ones that filter out the types of spam that you are getting personally. An overly large filter list will slow down the parsing of incoming messages. I have done everything possible to streamline these rules for the best parsing speed, while still being effective against the threats they match. This is especially so in the case of the image spam filters, which have taken a lot of refining to get them to process email quickly and accurately.
I strongly recommend that you occasionally click the "Process Mail" button, even if there is nothing marked for deletion. For always-on connections and people who check multiple email accounts frequently, MailWasher can build up a lot of temporary data that is held in memory and can slow it down, or even cause it to hang. Clicking the "Process Mail" button will free up some RAM that MailWasher consumes, clear temporary data, delete "hidden" spam messages, and can help improve the processing speed of the filters on incoming email and the general performance of the program. "Processing Mail" at least once per hour is a good idea.
The filter rules are inside the iframe below and are updated frequently to respond to changing spam techniques. You can download the entire set here, by right-clicking on the link and choosing "Save As" > "filters.txt" (without quotes), to your MailWasher Pro Application Data folder, or to your desktop for editing and later use. Alternately, copy individual rules by placing your pointer inside the iframe, highlighting the desired line(s), then right-clicking and choosing "Copy." Close MailWasher Pro, then navigate to its application data folder and open the existing filters.txt in Notepad, or your default .txt editor, then paste the copied rules into the file and save it. When you restart the program the new rules will be applied to all incoming messages. Note that your "Friends list" takes precedence over filter rules, unless you check the box in the rule to override the Friends list.
You can locate and open the data folder where the filters.txt lives by clicking on "Help" (with MailWasher Pro open), then "About," then click on the link to your application data files, at the bottom of the "About" box.
You absolutely must close the MailWasher Pro application before editing the filters.txt, or the blacklist.txt files, or your changes will be overwritten when it does close. Do not allow spaces after the last character on a rule line, or in between rules. Read the instructions in my filters.txt (below), before using them.
I have had reports about corruption when copying and pasting my filters into existing filters.txt files. Most of the time this happens because the text editor you are using allows a mixture of Unicode and ASCII entries to be copied. If you experience MailWasher wiping out the pasted-in filters after you re-open it (assuming it was not running at all when you saved the changes), do this: when copying and pasting some or all of these filters into your own "filters.txt," if you are using a text editor that is Unicode-aware, you should not just SAVE the file. Rather, you should use the "Save As" feature to save the file as either all ASCII or all Unicode. MailWasher will accept either, but can only deal with one at a time.
Beginning with the December 2007 updates I have begun to merge various pharmaceutical spam rules into fewer filters and separate them by spam in the message Subject [S], or Body [B]. Watch for more changes and merging of other drug related and organ enhancement spam into Subject or Body rules. Hopefully, this will speed up the processing of incoming spam messages, because filters that check just the subject work faster than the ones that (also) examine the message body. I also added what are known as regular expression "anchors" (^) to the beginning of certain rules, which speeds up their processing time.
MailWasher Pro tries to match filters from the top down and processing stops when the first match occurs. That's why I sometimes change the position of certain filters, to make them more efficient at catching their designated type of spam. Particular filters can be moved up the list to respond to changes in the type of spam you are receiving. Moving current spam detection rules up reduces the load on your CPU, which can get pretty intense with the Regular Expressions used in many of my rules.
One good thing about classifying messages as spam is that it helps to train the built-in learning filter about what you consider to be spam. Eventually, you may be able to rely upon just the learning filter for spam detection, which is a lot easier on your CPU and much faster than my filters.
Another very useful feature of MailWasher Pro is the senders BlackList, which is based on the "From" address. By adding repeat spammers to the BlackList you can have any messages from them automatically deleted, before the filters are processed. Two years ago I used to blacklist most senders, because the spammers used domains under their control. All of that has changed since late 2006, when various botnets began sending spam, as ordered by the botmasters. The computers in the botnets are personal Windows PCs of residential, business and Internet cafe customers. The senders' email addresses are now 100% forged and fictitious accounts. While there may be the occasional duplication of a forged address, it is rare. If one were to add every one of the spam senders to the BlackList, MailWasher would crumble trying to process this data.
Since the MailWasher BlackList is processed before the Filters, it makes sense to keep it as small as possible, while optimizing its usefulness. You can do this by only adding wildcard entries or entire unwanted domains to the BlackList. The BlackList used in MailWasher Pro allows you to specify a limited number of wildcard descriptors, comprised of the following:
- ? means any one unspecified character
- * means zero or more unspecified characters
- + means one or more unspecified characters
You can combine those limited wildcard modifiers in a creative fashion to match and block a large assortment of forged sender addresses. For example, the latest botnet arrival in early 2008 is using underscores or hyphens at the beginning of the forged sender account, like this example: _fdjghf@udhf.com, or like this one: -gjdf@kjfd.com. Other forged senders match a specific repetitive pattern, where the first 2 or 3 letters and the final ones before the @ sign are always the same, with the domain name on both sides of the @ sign. Examples of those are: LINexampleMET@example.de and DWexampleM@example.com. The following simple BlackList rules will block all of these forged senders:
- _+@+.+
- -+@+.+
- lin+met@+.de
- dw+m@+.+
- NEW blacklist addition: (3/20/08) +@bestdebtrepair.net
- NEW blacklist addition: (3/27/08) +@freenet.de
If you are going to use the last two BlackList rules, be sure you have gone over your list of approved senders and added them to your WhiteList. False positives could possibly occur from those fairly broad wildcard expression matches. I have a filter rule that does a better job of matching the actual use of the domain name on both sides of @ than these two BlackList rules. That rule is in the three filters.txt lists that can be loaded into the iframe below, and is named "XdomainY@domain.tld."
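To see what the wildcard rules above will and will not catch before adding them to a BlackList, the following added example (not part of MailWasher Pro or of Wizcrafts' filters) translates the three wildcards into regular expressions and runs them over constructed sender addresses. Case-insensitive, whole-address matching is an assumption inferred from the examples on this page, and `domain_echoed` is a hypothetical stricter check, not the author's "XdomainY@domain.tld" filter.

```python
import re

# BlackList wildcards as described on this page:
#   ?  any one character, *  zero or more, +  one or more.
WILDCARDS = {"?": ".", "*": ".*", "+": ".+"}

def compile_rule(rule):
    """Translate one BlackList entry into a regex; all other characters are literal.
    Case-insensitive matching is an assumption based on the page's examples."""
    body = "".join(WILDCARDS.get(ch, re.escape(ch)) for ch in rule)
    return re.compile(body, re.IGNORECASE | re.DOTALL)

# The six rules listed on this page, in page order.
RULES = ["_+@+.+", "-+@+.+", "lin+met@+.de", "dw+m@+.+",
         "+@bestdebtrepair.net", "+@freenet.de"]
COMPILED = [(rule, compile_rule(rule)) for rule in RULES]

def first_match(sender):
    """Return the first rule that matches the whole address, or None."""
    for rule, rx in COMPILED:
        if rx.fullmatch(sender):
            return rule
    return None

def domain_echoed(sender):
    """Hypothetical stricter test: the first domain label must appear inside
    the local part with at least one character on each side of it."""
    local, _, domain = sender.lower().partition("@")
    label = domain.split(".")[0]
    pos = local.find(label) if label else -1
    return pos > 0 and pos + len(label) < len(local)

# Constructed sample senders: the page's four forged examples, plus
# ordinary-looking addresses that the broad rules may also hit.
SAMPLES = ["_fdjghf@udhf.com", "-gjdf@kjfd.com", "LINexampleMET@example.de",
           "DWexampleM@example.com", "dwilliam@example.org",
           "friend@freenet.de", "alice@example.org"]

if __name__ == "__main__":
    for sender in SAMPLES:
        rule = first_match(sender)
        print(f"{sender:28} rule={rule!s:22} domain_echoed={domain_echoed(sender)}")
```

The constructed address dwilliam@example.org is caught by `dw+m@+.+` even though its domain does not appear in the local part, which is the kind of false positive the WhiteList review is meant to prevent.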
One final thought before you check out my filters; if you get spam with my domain listed as the sender, please believe me when I promise you that I didn't send it! I get spam sent to me - claiming to be from me also! It is forged and is known in the spam-fighting business as a "Joe-Job." If you are getting a lot of Joe-job spam messages I can create a custom rule for you, on a paid basis. Contact me via my Webmaster Services form.
Load Wiz's current (reduced) filter set into the iframe, or right-click on the link and save as "filters.txt"
Load the full set of filter rules into the iframe, or right-click on the link and save as "filters.txt"
Load Wiz's current auto-delete and hidden matches filter set into the iframe, or right-click on the link and save as "filters.txt". Warning! This Judge Dread set has murder-death-kill rules! Use set #3 at your own risk!

