Re: [Declude.JunkMail] CBL:Fw: news

[Nick Hayer]

Try CONTAINS instead of BEGINSWITH Make sure you have at least one crlf [a bunch would not hurt] at the end of the filter file. -Nick Todd wrote: I created a filter with the string   BODY 0 BEGINSWITH <img src="">   The declude.cfg goes like this   GIFINBODYFILTER       filter     d:\imail\declude\filters\gifinbodyfilter.txt    x    150    0   After searching the declude log I dont see where the filter has been triggered a single time in the last day.  There are no errors in the declude log calling the test either.  To check it I took one of the gifs and sent it to myself.  I received it.  Here is the header from the email.  You will see in red where the gif seems to have a " but the original emails did not.   Todd       Received: from backup.progressive.loc [192.168.1.19] by net.smart-mail.net   (SMTPD32-8.15) id A7821E0198; Wed, 07 Dec 2005 13:26:58 -0600 Received: (from office [68.203.154.122])  by backup.progressive.loc (SMSSMTP 4.0.0.59) with SMTP id M2005120713264209805  for <hunter>; Wed, 07 Dec 2005 13:26:42 -0600 Message-ID: <[EMAIL PROTECTED]> From: "Hunter" <hunter> To: "Todd -Progressive.biz" <hunter> Subject: breaking news Date: Wed, 7 Dec 2005 13:26:41 -0600 MIME-Version: 1.0 Content-Type: multipart/related;  type="multipart/alternative";  boundary="----=_NextPart_000_0095_01C5FB31.DC30EB90" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 X-mxGuard-Info: Processed by net.smart-mail.net using mxGuard v1.5.0 X-mxGuard-Spool-ID: 377c001e01984a62 X-mxGuard-Sender: hunter@ X-mxGuard-Spam-Score: 0 X-Note: This message has been scanned for spam and viruses using mxGuard for IMail X-RBL-Warning: IPNOTINMX: X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: -10. X-Declude-Sender: hunter [68.203.154.122] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: IPNOTINMX, SPFUNKNOWN, SPAMCHK, CATCHALLMAILS [-25] X-Note: Total spam weight of this E-mail is -25 . X-Country-Chain: UNITED STATES->destination X-Note: This E-mail was sent from cpe-68-203-154-122.houston.res.rr.com ([68.203.154.122]). X-RCPT-TO: <hunter@> Status: R X-UIDL: 370538202   This is a multi-part message in MIME format.   ------=_NextPart_000_0095_01C5FB31.DC30EB90 Content-Type: multipart/alternative;  boundary="----=_NextPart_001_0096_01C5FB31.DC30EB90"   ------=_NextPart_001_0096_01C5FB31.DC30EB90 Content-Type: text/plain;  charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable     ------=_NextPart_001_0096_01C5FB31.DC30EB90 Content-Type: text/html;  charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><IMG src="" class="moz-txt-link-rfc2396E" href="">"cid:009401c5fb64$26cb5b90$1401a8c0@office"> = </DIV></BODY></HTML>   ------=_NextPart_001_0096_01C5FB31.DC30EB90--   ------=_NextPart_000_0095_01C5FB31.DC30EB90 Content-Type: image/gif;  name="lzj.gif" Content-Transfer-Encoding: base64 Content-ID: <[EMAIL PROTECTED]>                 ----- Original Message ----- From: Scott Fisher To: Declude.JunkMail@declude.com Sent: Tuesday, December 06, 2005 3:51 PM Subject: Re: [Declude.JunkMail] CBL:Fw: news basically it will end the filter if any of the statements are not true.   These stock emails have always met these 4 criteria, so if it doesn't meet them end the filter.   1. contains a gif attachment hence:Content-Type: image/gif 2&3.  contains a header like:  Received: from unknown (HELO randomword [192.168. 4.  Always fails cmdspace You could use mine and Kevin's combined:   BODY  END NOTCONTAINS Content-Type: image/gif HEADERS  END NOTCONTAINS Received: from unknown (HELO HEADERS  END NOTCONTAINS [192.168. TESTSFAILED END NOTCONTAINS CMDSPACE   BODY 15 CONTAINS <img src=""> ----- Original Message ----- From: Todd To: Declude.JunkMail@declude.com Sent: Tuesday, December 06, 2005 3:28 PM Subject: Re: [Declude.JunkMail] CBL:Fw: news Scott,    I am looking through the Declude manual to determine what you are doing.  I don't think I understand NOTCONTAINS. I would think CONTAINS mean it has this string in the body and NOTCCONTAINS means it does not.  So why NOTCONTAINS Content-Type: image/gif    ?   I feel like I am probably missing something painfully obvious here.   Todd     ----- Original Message ----- From: Scott Fisher To: Declude.JunkMail@declude.com Sent: Tuesday, December 06, 2005 1:50 PM Subject: Re: [Declude.JunkMail] CBL:Fw: news I use this filter:   STOPATFIRSTHIT   BODY  END NOTCONTAINS Content-Type: image/gif HEADERS  END NOTCONTAINS Received: from unknown (HELO HEADERS  END NOTCONTAINS [192.168. TESTSFAILED END NOTCONTAINS CMDSPACE   TESTSFAILED 100 CONTAINS HELO-IS-REVDNS TESTSFAILED 100 CONTAINS HELOISIP TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT   HELOISIP and HELO-IS-REVDNS are from external tests that I run. ----- Original Message ----- From: Richard Farris To: Declude.JunkMail@declude.com Sent: Tuesday, December 06, 2005 1:25 PM Subject: [Declude.JunkMail] CBL:Fw: news Does anyone have an answer to filter these type emails? Richard Farris Ethixs Online 1.270.247.5555 Office 1.800.548.3877 Tech Support "Crossroads to a Cleaner Internet" ----- Original Message ----- From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 06, 2005 3:20 AM Subject: news