SpamVault is our new and more powerful tool to help you block incoming spam - "unsolicited commercial email." In
addition to blocking specific words or phrases, SpamVault also
allows you to block using details from the spam email
header information. Headers contain important details about the origin of mail, but the details can be faked or obscured - make sure you understand exactly what you're blocking!
Understanding Email Header Information:
Every email sent has a section called
the 'header'. This section includes commonly known data such as who
the email is being sent from and who it is being sent to along with
some other information that will help you manage your spam. The
header is not usually viewable in the default settings of your
email program. You may need to read the documentation on your
email program to find out how to view the header.
An email header can be
broken down into some basic parts. Each part is identified by a title
such as "From:". Rather than getting into too much detail about
all the sections, we'll just focus on the ones SpamVault uses to filter
out spam. We've highlighted the data that we'll be focusing on in red.
SAMPLE EMAIL HEADER:
---------------------
X-POP3-Rcpt: you@your-mailaddress.com
Received: from welove.spamnet.com (spammers_isp.com [209.90.160.156]) by youremailserver.com (8.10.2/8.10.2) with SMTP id g05HX0N10982 for <me@youremailaddress.com>; Sat, 5 Jan 2002 12:33:04 -0500
Message-Id: <200201051733.g05HX0N10982@spammers_isp.com>
Content-Type: text/html; charset=US-ASCII
Date: Sat, 5 Jan 2002 09:33:13 -0800
To: you@your-mailaddress.com
From: Bob Spammer <bob@phonyaddress.com>
X-Mailer: Version 5.0
Subject: You may have already won $10,000!!!
Organization:
---------------------
The "To:" Section. Info in this section shows where the email was delivered to. Often, this is a weak place to put a block because spammers take advantage of catch-all email boxes. They send it to Anybody@yourdomain.com and whoever has the catch-all email box will get it. So you might set up a block on anything sent to Anybody@yourdomain.com. Tomorrow they'll use NoBody@yourdomain.com and get by the block on "Anybody@yourdomain.com" that you'd set up. One thing this section is good for is to stop mail from going to someone who's left the company.
The "From" Section.
In short, this is easily forged
and can be changed as easily as the "To:" address. This is
good to block out those annoying friends who keep sending you chain
letters.
The "Subject:" Section. Now we're getting some power.
Want to stop the emails with XXX or SEX or Work At Home in the
subject line? This is the place to do that. Just use the snippet of
the subject that you know will be offensive. If the subject reads,
"XXX Pictures of Warm blooded carbon based life forms, " you may
just want to block "XXX" or you might block out your son's biology
assignments.
The "Received:" Section.
Info in this section is blocked using the R (Received) trigger in SpamVault. This is one of the most powerful and most overlooked areas for blocking because you can block an entire network in one fell swoop. There are some services that are friendly to spammers and even encourage it - they profit from spamming on their network. Often, you'll get many different-looking spams from one network and not realize it because the return addresses are phony. Before we decide what to block, remember to block as little as possible. Casting too wide a net or making a lot of unnecessary entries just makes the server work harder for no reason. So, looking at the Received: section, here are the things I would consider candidates for blocking, in order of preference:
1) spamnet.com
2) spammers_isp.com (but be careful: if the guy's on America Online, you've just blocked everyone on AOL).
On a number of spammer emails you will notice more than one "Received:" line - the bottom one is the originator. If you want to block by Received, make sure you use this one and not the top one, as that could be your local mail server.
Spammers and Their Tricks:
SpamVault is not the end of all spam, but it will give
you better control over your mail. Spammers are always
devising tricks to work around every anti-spam program and we're constantly trying
to prevent them from doing so. One way they will get around SpamVault
is to trick you into blocking the wrong section of
the email header. Technically speaking, it's easy to fake all but the
"Received" section of an email. You might block everything coming
from one email address and all they have to do is fake using another email
address. Using this trick it can look like they're sending from a
hotmail.com address today and tomorrow you'll get the same spam from
yet another address. Here is where the power of the 'Received'
section comes in and why it's important to review the header of your
email rather than the default to and from sections.
A spammer will typically not be able to change the information in the 'Received' section of the header. So, using that as a filter can be the strongest method of blocking email. Please do not just paste the entire 'Received' section into SpamVault. You need to review the header for a specific server name and sometimes an IP number (but these change regularly, so it is not recommended). In the example above, the network that the spam is coming from is welove.spamnet.com. We would recommend that you only use the last and second-from-last sections of the network name: spamnet.com.
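To make the two Received: rules above concrete (pick the bottom Received: line, then keep only the last two labels of the relay name), here is an added Python example. It is not part of the original page and not SpamVault's code. The sample header is the page's own header with one extra, constructed Received: line from a local server placed on top of it, so the bottom-line rule has something to choose between; the 192.0.2.10 address and the LOCAL001 id are made up for the example.

```python
import email
import re

# Constructed sample: the page's header plus a second, local Received: line
# on top of it. 192.0.2.10 is a documentation address, LOCAL001 a made-up id.
SAMPLE_HEADER = """\
X-POP3-Rcpt: you@your-mailaddress.com
Received: from youremailserver.com (youremailserver.com [192.0.2.10])
\tby mailstore.youremailserver.com with ESMTP id LOCAL001;
\tSat, 5 Jan 2002 12:33:05 -0500
Received: from welove.spamnet.com (spammers_isp.com [209.90.160.156])
\tby youremailserver.com (8.10.2/8.10.2) with SMTP id g05HX0N10982
\tfor <me@youremailaddress.com>; Sat, 5 Jan 2002 12:33:04 -0500
Message-Id: <200201051733.g05HX0N10982@spammers_isp.com>
To: you@your-mailaddress.com
From: Bob Spammer <bob@phonyaddress.com>
Subject: You may have already won $10,000!!!

"""

# "from <announced-name> (<reverse-dns> [<ip>])": the announced name is chosen
# by the sending machine; the bracketed part was recorded by the receiving server.
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def received_lines(raw_message: str) -> list:
    """Return every Received: header value, top to bottom, with folding undone."""
    msg = email.message_from_string(raw_message)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def originating_relay(raw_message: str):
    """Parse the bottom Received: line, which the page identifies as the originator."""
    lines = received_lines(raw_message)
    if not lines:
        return None
    match = RECEIVED_FROM.match(lines[-1])
    return match.groupdict() if match else None


def block_candidate(hostname: str) -> str:
    """Keep only the last two labels of a host name, as the page recommends."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


if __name__ == "__main__":
    relay = originating_relay(SAMPLE_HEADER)
    print("announced name:", relay["helo"])
    print("seen by server:", relay["rdns"], relay["ip"])
    print("SpamVault entry:", block_candidate(relay["helo"]))
```

Two things to check before turning the output into an entry. The name right after "from" is whatever the sending machine announced and is as easy to choose as the From: address; the bracketed reverse-DNS name and IP were written in by your own server, so they are the trustworthy part of that line, and only for lines added by servers you trust. And the two-label rule is a rule of thumb: for some country domains it would leave something like "co.uk", which blocks far more than one network, the same problem as the AOL case above.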
Spammers are using HTML
based email more and more lately. Unfortunately for them, while it's
often easy to fake parts of the headers, when it comes to the body
of the email with links to their sites, it's especially hard to hide
the references to their domains and IP addresses in the links of the
source code. The trick is to view the source code of the email
(usually by right clicking) and then search for the text
"<href=". There is usually more than one of these. Following this
is a reference to the server that the page links to. Grab just the
domain name and block that. SpamVault will read that in the source
code of the email as it passes through and block those emails in the
future.
Many companies get duped by professional spamming companies into
thinking that there's some money to be made in
massive emailings. The one common theme in this type
of email is that the advertisers' links will probably always
change in the body of the email but the "unsubscribe" link is
probably directed right at the spam provider since they're the ones doing
the spamming. When given a choice, I'd block the unsubscribe link domain
name over the one in the body of the letter.
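The link-harvesting step described in the last two paragraphs (read the HTML source, take only the domain name behind each link, prefer the unsubscribe link's domain) can be done with a small parser instead of by hand. The following is an added Python example, not SpamVault's code and not from the original page; the HTML body, the example.com/example.net hosts and the 192.0.2.5 address are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body (not from the page): an advertiser link, an IP-literal
# link, and an "Unsubscribe" link whose text is split by an HTML comment.
SAMPLE_HTML = """\
<html><body>
<p>You may have already won!</p>
<p><a href="http://deals.example.com/buy?ref=77"><b>Click here</b> to claim</a></p>
<p><a href="http://192.0.2.5/go">Or here</a></p>
<p><a href="http://lists.example.net/unsub?id=1234">Unsub<!--hide-->scribe</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text] of the <a> currently open

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._open = [href, ""]

    def handle_data(self, data):
        # Comments never reach handle_data, so "Unsub<!--hide-->scribe"
        # arrives here as the word a browser would display.
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, text = self._open
            self.links.append((href, " ".join(text.split())))
            self._open = None


def link_hosts(html: str) -> list:
    """Host (domain or IP literal) and link text of each link, in document order."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    result = []
    for href, text in parser.links:
        host = urlsplit(href).hostname  # drops scheme, path and query: just the host
        if host:
            result.append((host, text))
    return result


def unsubscribe_host(html: str):
    """The host behind the unsubscribe link, which the page prefers to block."""
    for host, text in link_hosts(html):
        if "unsub" in text.lower():
            return host
    return None


if __name__ == "__main__":
    for host, text in link_hosts(SAMPLE_HTML):
        print(f"{host:22} {text!r}")
    print("block:", unsubscribe_host(SAMPLE_HTML))
```

The host list is what you would review before adding an entry; an IP literal such as 192.0.2.5 is a candidate too, with the caveat given earlier that IP numbers change often.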
Warnings and Cautions:
When someone uses the term 'powerful program,'
this is code for 'you can really mess things up with this program if
you're not careful.' SpamVault is a powerful program and
therefore you should be very selective in the entries you make.
Adding an entry that only contains the letters '.com' in it will
block all email coming from any email address that has '.com' in
it. If all of a sudden your email doesn't work, check your
entries in SpamVault before you contact support.
Illegal Characters. Only use the
following characters in your entries as other characters such as a
bracket "[" will cause very predictable results (all bad). You can
use the following characters: A - Z, a - z, 0 - 9, period (.), dash
(-), Underscore (_), and the At symbol (@).
Only if you are one of the very few people in the world who understand "Procmail" escape characters can you use backslash (\), forward slash (/), dollar sign ($), exclamation point (!), quotes (" or '), and the question mark (?).
Advanced features of SpamVault
This section is a special tutorial for
advanced SpamVault users. The features shown here may not be
supported by our tech support staff and therefore you are
using them at your own risk. The reason for this is that
any mistakes in this document or in your email entries can cause you
to block all of the email going to your account. Now that you've entered all the dirty words in your vocabulary and are still getting spam, here are some tips.
New entry filters
SpamVault works by integrating itself
with the email software (called Procmail) on the server. It is
Procmail that actually blocks the email and SpamVault that tells
Procmail what to block. The procmail syntax has some special
characters that when used in an entry take on special meaning.
SpamVault checks each new entry for illegal and sensitive characters
in an effort to prevent novice users from unintentionally blocking
email. This document will show you some tips on blocking emails
using some of the special characters.
When you use special characters, such
as those that are not "A-Z", "a-z" and "0-9" you may get a warning
that notifies you that there might be a problem with some of the
characters in your entry. For instance, an entry with a % sign will
trigger such a warning even though your entry is accepted. If you
use characters that have special meanings for procmail your entry
will be rejected outright.
To enable you to work with these characters, you have to edit an existing entry. Existing entries are not screened for illegal characters. For example, enter "Save 50%" (quoted items are to be entered without the quotes unless noted otherwise) and you'll get a warning. Once entered, you won't get the warning again on this entry.
Feel the power...
Here are just
a few tricks that you can use to screen out even more spam.
Here's a trick. Let's say you want to
save space by putting several entries into one line. For instance:
dog, cat and mouse. Just enter "dog|cat|mouse" (without quotes but
with the pipe symbol) into one entry. This will work on the
other options as well for instance the from address of more than one
person: "@junkmail.com|@spamco.com|@hatemail.com". Note: entries are taken as a whole when SpamVault looks for a duplicate and sorts them. Therefore, in the above example, if you added "dog" as a new entry, it would not be considered a duplicate and would fall just before this one in the order.
Using the example above of "Save 50%",
what if you get another email that reads, "Save 70%" or "Save 79%".
Instead of making 100 entries to cover most of the possibilities,
you would edit the "Save 50%" to read "Save .*%". The period-asterisk combination means "any character or characters". Therefore this entry now blocks any entry with the letters "Save" + <space> + <any character or characters> + "%". From now on, if I use <brackets> it means the meaning of the word in the brackets, not the literal words. For instance, <space> means a space: you press that long horizontal key at the bottom of your keyboard. Be warned, this is a good filter for the subject line but not the body of the email, because the body (or even the header) might contain "I thought this would save money but I'm just not 100% satisfied". Note that the entries are not case sensitive, and this client who needs immediate attention may get lost in the shuffle.
SpamVault uses periods as a wildcard
character. Meaning the period can stand for any character.
Therefore, to avoid the mishap of the above item you might wish to
use "Save ..%" which means "Save" + "<a space>" + <any
character> + <any character> + "%".
One of the tricks used by spammers is
to send HTML formatted email with links and pictures and other goodies.
And one work around they've used to block filtering is the use
of HTML <!-- comments
--> that break up words like this. "To Unsub<!--comment-->scribe just cli<!--comment-->ck
here!". When viewed in the browser the comments disappear and
the sentence looks like this, "To Unsubscribe just click here!". Now
when someone screens for the word "Unsubscribe" or "Click Here" the search
fails. So why not search for comments? Just make an entry like
this "<!--" and any email with hidden comments will be gone. However,
if your friends send email with hidden comments then SpamVault will eliminate
it.
Note: if the spammer uses a graphic
button that reads, "click here" rather than an HTML text or input
button, SpamVault will not read the graphic.
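The comment trick above, as an added Python example (not from the original page, and not how SpamVault itself matches). It shows why a literal entry for "Unsubscribe" misses the page's split-up sentence, why an entry for "<!--" catches it, and why that entry also catches an ordinary message from a friend whose mail client leaves a comment behind. It then strips the comments first, so the text is matched the way the recipient's browser displays it. The friend's message and the "SomeMailClient" name are constructed.

```python
import re

# The split-up sentence is the page's own example; the second body is a
# constructed message whose only hidden comment was left by a mail client.
SPAM_BODY = "To Unsub<!--comment-->scribe just cli<!--comment-->ck here!"
FRIEND_BODY = "<!-- generated by SomeMailClient 3.1 -->Lunch on Friday?"


def entry_matches(entry: str, text: str) -> bool:
    """A plain SpamVault-style entry: substring match, not case sensitive."""
    return entry.lower() in text.lower()


# An unterminated "<!--" runs to the end of the text, which is how a browser
# treats it, so the stripped form matches what is actually displayed.
COMMENT = re.compile(r"<!--.*?(?:-->|$)", re.DOTALL)


def as_displayed(html: str) -> str:
    """Drop HTML comments so the text reads as the recipient sees it."""
    return COMMENT.sub("", html)


def verdicts(entry: str) -> dict:
    """How one entry fares against both bodies, raw and after comment removal."""
    return {
        "spam_raw": entry_matches(entry, SPAM_BODY),
        "spam_displayed": entry_matches(entry, as_displayed(SPAM_BODY)),
        "friend_raw": entry_matches(entry, FRIEND_BODY),
        "friend_displayed": entry_matches(entry, as_displayed(FRIEND_BODY)),
    }


if __name__ == "__main__":
    for entry in ("Unsubscribe", "click here", "<!--"):
        print(f"{entry!r:14} {verdicts(entry)}")
```

Matching the displayed text keeps the "Unsubscribe" entry useful without the false positive on every message that merely contains a comment; the "<!--" entry remains the blunt option the page describes.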
Similarly, how many of your friends send you HTML forms to fill out via email? To make sure you never see one of these again, just filter for this: "<FORM " (in this case, you actually type in the less-than symbol).
Another strong item to search for is
the domain name within the source code of the email. Search for
<href in the source code of the email and it will be followed by
the domain name. Just use the "domainname.com" and not all the other
stuff around it. Many spammers use IP addresses as well.
You can enter more than one filter in
an entry by tagging a "|" (pipe symbol) followed by the new entry
onto an existing entry. For instance, "Viagra|porno". Keep in mind
this will be sorted as literal text so this will end up in with all
the other V listings.
Spammers kind enough to use the term "ADV" in the subject of their emails make it a little difficult to block this specific term, because SpamVault would also block emails with words like "Adventure" in the subject. To block a specific whole word, the syntax is "()<ADV>" or "\<ADV>". Block this in the subject, and you'll block all emails that have the word "ADV" in them. At this point, you might be asking yourself, "What in the world was the author of SpamVault thinking when he made up this syntax?" Alas, I cannot take credit for the syntax. The server uses procmail and I had to adhere to their syntax.
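The entry features described in this section (the "|" alternation, the ".*" and ".." wildcards from the "Save 50%" discussion, and the whole-word "ADV" syntax just above) behave differently against the same subject lines, and it is easy to see how by running them. The block below is an added Python example, not SpamVault's code and not the procmail engine the page says does the real matching: it translates an entry into a Python regular expression using only the meanings the page gives those characters, and it models procmail's "\<" and "\>" word anchors with Python's "\b", which is an approximation. The subject lines are constructed except for the "save money" sentence, which is the page's own.

```python
import re

# Constructed subject lines (the "save money" one is from the page).
SUBJECTS = [
    "Save 50% on everything!",
    "Save 79% today only",
    "I thought this would save money but I'm just not 100% satisfied",
    "ADV: cheap stuff",
    "Our Adventure newsletter",
    "Dog training tips",
]


def entry_to_regex(entry: str) -> str:
    """Translate a SpamVault-style entry into a Python regex.

    Assumptions (illustration only, not SpamVault's own translation):
      '|' separates alternatives, '.' matches any one character and '.*'
      any run of characters, as the page describes; procmail's '\\<' and
      '\\>' word anchors are modelled with Python's '\\b'. Everything else
      is matched literally.
    """
    out = []
    i = 0
    while i < len(entry):
        if entry.startswith("\\<", i) or entry.startswith("\\>", i):
            out.append(r"\b")
            i += 2
            continue
        ch = entry[i]
        out.append(ch if ch in "|.*" else re.escape(ch))
        i += 1
    return "".join(out)


def entry_matches(entry: str, text: str) -> bool:
    """Entries are not case sensitive, as the page states."""
    return re.search(entry_to_regex(entry), text, re.IGNORECASE) is not None


def blocked_by(entry: str, subjects=SUBJECTS) -> list:
    """Which of the sample subjects a single entry would block."""
    return [s for s in subjects if entry_matches(entry, s)]


if __name__ == "__main__":
    for entry in ("Save 50%", "Save .*%", "Save ..%", "ADV", "\\<ADV\\>", "dog|cat|mouse"):
        print(f"{entry!r:14} -> {blocked_by(entry)}")
```

Running it shows the trade-off the page warns about: "Save .*%" also catches the customer's "save money ... 100% satisfied" line, "Save ..%" does not, plain "ADV" catches "Adventure", and the word-anchored form catches only "ADV:". Procmail's regular-expression dialect is not Python's, so treat the translation as a way to reason about an entry before adding it, not as a guarantee of what the server will do.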
And how about those emails that have "something silly for sale      ie8383"? Let's use the above example to block a bunch of spaces followed by at least three characters. Use this: "< ...>"
Credits: Copyright
2001-2002 by Thomas Leo. All rights reserved.