I checked my logs and the REMOTEIP lines are catching the mail but the subject lines with "RE: " are not catching the mail. the subject lines without the "RE: " are catching the emails.
I have changed the IS in SUBJECT lines to CONTAINS and I get the same results. I want these emails because I have been successful at tracking down the machine sending out the messages and getting the user to clean the virus. Kevin Bilbee > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee > Sent: Tuesday, August 26, 2003 5:42 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Filter question > > > I have setup a filter to froward all email that seems to be from the sobig > virus to a specian mail box. > > Global.CFG > SOBIGFILTER filter D:\IMail\Declude\SOBIG.txt > x 0 0 > > sobig.txt > REMOTEIP 0 IS 206.111.17.194 > REMOTEIP 0 IS 66.185.39.38 > REMOTEIP 0 IS 66.123.247.98 > REMOTEIP 0 IS 69.37.1.22 > SUBJECT 0 IS Re: Details > SUBJECT 0 IS Re: Approved > SUBJECT 0 IS Re: Re: My details > SUBJECT 0 IS Re: Thank you! > SUBJECT 0 IS Re: That movie > SUBJECT 0 IS Re: Wicked screensaver > SUBJECT 0 IS Re: Your application > SUBJECT 0 IS Thank you! > SUBJECT 0 IS Your details > > $default$.junkmail > SOBIGFILTER ROUTETO [EMAIL PROTECTED] > > I have sent an email with the subject line of Re: Wicked > screensaver to test > > declude does not seem to be running the test > We are running Declude v1.75i1 > > Where did I go wrong in setting this up? > > > Kevin Bilbee > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
