[Declude.JunkMail] Filter question

2007-08-17 Thread Michael Hoyt
I am attempting to create a filter that contains conditions that will cause
a HOLD on the emails that it matches.  My HOLD weight is 100 but I also use
some reverse weighting so I was thinking that adding 500 points should do
it.  

In my global.cfg I have :
BLACKFILTER filter D:\IMAIL\Declude\Filters\BlackFilter.txt x 500 0

In my $default$junkmail I have :
BLACKFILTERWARN

As 500 points is enough to HOLD the email I want the processing of this
email to stop as soon as it matches something in this filter.  If my
BlackFilter.txt file is composed of lines like:

SUBJECT STOPALLTESTS CONTAINS China Business Directory
BODY STOPALLTESTS CONTAINS Evil Spammer

will the test return 500 points on the first match and HOLD the email
without further processing of filters or other tests?  I understand the
filters are processed in the order they are listed in the $default$junkmail
so this will be the first Filter listed but there are FROMFILE's listed
earlier in the $default$junkmail.  If I put the filters earlier in the
$default$junkmail than the FROMFILE's will they also trigger earlier?  In
this scenario will I need a SKIPIFWEIGHT line in any subsequent filters to
suppress their running?

Thanks in advance,

-- 
Michael Hoyt
Communication Arts
110 Constitution Drive
Menlo Park, CA  94025
(650) 326-6040  fax:(650) 326-1648

e-mail: [EMAIL PROTECTED]
Web Site: http://www.commarts.com





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Filter question

2007-08-17 Thread Linda Pagillo
Hi Michael. To answer your questions...

> If my BlackFilter.txt file is composed of lines like:
>
> SUBJECT STOPALLTESTS CONTAINS China Business Directory
> BODY STOPALLTESTS CONTAINS Evil Spammer
>
> will the test return 500 points on a match and HOLD the email without
> further processing of filters or other tests.

Yes, this is correct.

> I understand the filters are processed in the order they occur in the
> $default$junkmail so this will be the first Filter listed but there are
> FROMFILE's listed earlier in the $default$junkmail. In this scenario will I
> need a SKIPIFWEIGHT line in any subsequent filters to suppress their
> running?

Actually, filters are not processed in the order that they occur in the
$default$.junkmail file, so no, you do not need to add a SKIPIFWEIGHT
directive to your filters. The STOPALLTESTS directive in your BLACKFILTER
will accomplish what you need.

If you have any further questions, please do not hesitate to contact me
either by email or call Toll free 1-866-332-5833  Ext.7008

Linda Pagillo
Technical Support Engineer | Declude

Your Email Security is our business

Office: 978.499.2933  x7008
Toll Free: 1-866.332.5833 x7008
Fax: 978.334.0700
Email: [EMAIL PROTECTED]



[Declude.JunkMail] Filter question

2006-05-14 Thread John Doyle
I've just started using Sniffer and am wondering if I can create a test for
the following condition and take an action.

Say: if the declude score is greater than 20 and Sniffer has not been
triggered, copy the message to a spam account.

So something like header contains WEIGHT20 and doesn't contain SNIFFER would
trigger a COPYTO. But do it with a declude test, not an Imail Domain incoming
rule.

I'd like to get all spam not caught by Sniffer and forward the messages back
to Sniffer. 

Thanks 
John



[Declude.JunkMail] Filter question

2006-02-14 Thread John T (Lists)

I need to create a filter for a client that I am gatewaying their Exchange
server.

I have their server listed in the Global.cfg for whitelisting. (WHITELIST IP
yaddayaddayadda)

Now there is a need to create a filter file so that if the e-mail is from a
broadcast address and to an address on the list, to route to back to the sales
manager.

--
MAILFROM END NOTCONTAINS [EMAIL PROTECTED]
ALLRECIPS 0 CONTAINS e-mailaddresslisted
--

On Failure, route to [EMAIL PROTECTED]

Is there a way to override a whitelist?

John T
eServices For You

Seek, and ye shall find!

Re: [Declude.JunkMail] Filter question

2006-02-14 Thread Matt




Move the whitelist setting to a custom filter and place an END on the
filter for the condition that you want to track elsewhere:

MAILFROM END IS [EMAIL PROTECTED]
REMOTEIP WHITELIST IS 12.34.56.78

Have a good evening,

Matt







RE: [Declude.JunkMail] Filter question

2006-02-14 Thread John T (Lists)

Thanks Matt.

John T
eServices For You

Seek, and ye shall find!








[Declude.JunkMail] Filter question

2005-02-24 Thread John Carter
The following header lines are the basis of my question.  The from domain
(mine) does not match the from [IP] address (not mine.)

Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP
  (SMTPD32-8.15) id AB4F105B014E; Wed, 23 Feb 2005 17:01:35 -0600
From: Returned mail [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

This may have been discussed before and I just didn't use the right search
words, but ...  has anyone worked on a filter/external program/whatever that
could check for match/mismatch of the from address and the from IP in the
Received: line.  Example: One could specify the domains and IP's that must
match each other.  If they don't, boost the score by whatever makes one
happy.

My logic: whether it is an uncaught virus (like MyDoom.BE) or junk mail, it
doesn't matter. If your users see email supposedly from you, they are going
to be more likely to open it and suffer the results. Is this worth working
on?  Has someone done something on this?

Thanks,
John


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



RE: [Declude.JunkMail] Filter question

2005-02-24 Thread Marc Catuogno
I have my own domain in the spamdomains test and then I have Whitelist Auth
so almost anytime something appears to me from [EMAIL PROTECTED] if it isn't
whitelisted because of authentication it adds quite a bit of weight.  The
major down side is that when people send e-mail from websites that have you
fill in the from address.  Since these don't authenticate they often get
caught as well.



Re: [Declude.JunkMail] Filter question

2005-02-24 Thread Darin Cox
What about SPF?  One of the benefits of having SPF records is that you can
easily add weight to email with your domain in the FROM address that does
not originate from designated sources (i.e. your servers).

Darin.
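
The check John describes in this thread (listed domains must arrive from listed IPs, otherwise add weight), sketched as an added example; it is not code from any poster or from Declude. The policy table, the 192.0.2.0/24 network, the weight of 10 and the From address are constructed assumptions, and the Received line is the one quoted in the thread.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy table: From domain -> networks allowed to send as it.
# 192.0.2.0/24 is a documentation range standing in for the site's own servers.
ALLOWED_SOURCES = {
    "jcjc.edu": [ipaddress.ip_network("192.0.2.0/24")],
}
MISMATCH_WEIGHT = 10  # constructed value; tune against the local HOLD weight

# IMail-style stamp as quoted in the thread:
#   Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP
# The name after "from" is the HELO the client claimed (sender controlled);
# the bracketed address is what the receiving server observed.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """Return the IP stamped by our own server (topmost Received header only)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    unfolded = " ".join(received[0].split())  # undo header folding
    match = RECEIVED_RE.search(unfolded)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(2))
    except ValueError:  # e.g. an octet above 255
        return None


def from_domain(msg):
    """Return the lower-cased domain of the From: header, or None."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower()


def mismatch_weight(raw):
    """Weight to add when a protected domain arrives from an unlisted IP."""
    msg = message_from_string(raw)
    networks = ALLOWED_SOURCES.get(from_domain(msg))
    if networks is None:
        return 0  # not a domain this table protects
    ip = connecting_ip(msg)
    if ip is None:
        return MISMATCH_WEIGHT  # protected domain, unverifiable source
    return 0 if any(ip in net for net in networks) else MISMATCH_WEIGHT


# Constructed sample: the thread's Received line plus a made-up From address
# (the real one is redacted on the page).
SPOOFED = (
    "Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP\n"
    "  (SMTPD32-8.15) id AB4F105B014E; Wed, 23 Feb 2005 17:01:35 -0600\n"
    "From: Returned mail <postmaster@jcjc.edu>\n"
    "To: user@jcjc.edu\n"
    "\n"
    "body\n"
)
LEGIT = SPOOFED.replace("65.240.76.232", "192.0.2.25")
OTHER = SPOOFED.replace("postmaster@jcjc.edu", "someone@example.org")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("other", OTHER)):
        print(name, mismatch_weight(raw))
```

Only the topmost Received header is trusted because lower ones are written by upstream hosts and can be forged; web forms that send with the local domain in From, as Marc notes, will fail this check unless their hosts are listed.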




[Declude.JunkMail] Filter question

2004-09-30 Thread John Carter
Scott:

I set up a filter of MAILFROM 0 STARTSWITH [EMAIL PROTECTED]  I am only holding
right now.

The following was caught. Notice the coups@ is in the Received: line, not
the From: line. Should this one have been caught or skipped?

BTW, in 24 hours have caught around 600 msgs with this and similar sender@
filter with zero false positives. Your mileage will vary. :)

Thanks,
John

Received: from pmk77.productsmarket.com [206.71.59.77] by bobcat.jcjc.edu with ESMTP
  (SMTPD32-8.12) id A13216CF00C4; Thu, 30 Sep 2004 13:32:18 -0500
Received: by pmk77.productsmarket.com (PowerMTA(TM) v1.5); Thu, 30 Sep 2004 04:34:21 -0700
  (envelope-from [EMAIL PROTECTED])
Subject: Smile Day Wishes and Poetry contest
From:
[EMAIL PROTECTED][EMAIL PROTECTED]
et.com



Re: [Declude.JunkMail] Filter question

2004-09-30 Thread R. Scott Perry

> I set up a filter of MAILFROM 0 STARTSWITH [EMAIL PROTECTED]  I am only holding
> right now.
> The following was caught. Notice the coups@ is in the Received: line, not
> the From: line. Should this one have been caught or skipped?

It should have been caught.  That's because the sender was actually 
[EMAIL PROTECTED] (if you look at the X-Declude-Sender: header, or 
the MAIL FROM: line in the IMail SMTP log file, you'll see it).  Declude 
JunkMail filters on the actual sender, which may be different from the 
E-mail addresses in the From:, Reply-To:, or other headers.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Filter question

2003-12-17 Thread Markus Gufler

Hi Doug,

If you look for something like this, maybe give a try to SpamChk, an external
test for Declude Junkmail. 

SpamChk will accumulate the weight for every instance of a certain keyword.
You can define also a max. number of how many instances should be counted,
and the weight for keywords can be dynamically reduced for large messages.

Markus







[Declude.JunkMail] Filter question

2003-12-16 Thread Doug Anderson



This may sound stupid, but if I create a filter searching for a string in
an email...
BODY 2 CONTAINS xyz
and the email contains 4 instances of that string
now is the xyx time for all xyz good men xyz to come to the aid xyz of
their country
does the filter return an internal value of 8 or 2?



Re: [Declude.JunkMail] Filter question

2003-12-16 Thread Bill Landry



It will return a weight of 2. The filter will only flag the first
occurrence that it finds, then ignores the rest.

Bill

  


Re: [Declude.JunkMail] Filter question

2003-12-16 Thread R. Scott Perry

> This may sound stupid, but if I create a filter searching for a string in 
> an email...
> BODY 2 CONTAINS xyz
> and the email contains 4 instances of that string
> now is the xyx time for all xyz good men xyz to come to the aid xyz of 
> their country
> does the filter return an internal value of 8 or 2?

The filter would add 2 to the weight of the E-mail.  The filters will only 
look at the first match.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



[Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt
Good morning,

For the spam that doesn't contain a URL that I can block in my URL filter,
I have taken to trying to find phrases that I can block in my BODY filter.

My question is

Should I be blocking these phrases using the text in the email that I can
see, or should I be blocking phrases that appear when you look at the source?

This filter isn't working very well at all so I'm sure I'm doing something
wrong. My URL filter works GREAT.

Thanks,

Sharyn





Re: [Declude.JunkMail] Filter question

2003-10-16 Thread R. Scott Perry

> For the spam that doesn't contain a URL that I can block in my URL filter, 
> I have taken to trying to find phrases that I can block in my BODY filter.
>
> My question is
>
> Should I be blocking these phrases using the text in the email that I can 
> see, or should I be blocking phrases that appear when you look at the source.

That depends.  If there is a difference between what you see and what is in 
the source of the E-mail, you'll need to determine what the difference 
is.  If the E-mail is HTML with comments or HTML codes used to bypass 
filters, the latest release of Declude JunkMail (1.75) will be able to 
filter the text.

   -Scott


[Declude.JunkMail] Filter question On Short Keywords

2003-10-16 Thread Darrell LaRock
We make extensive use of filters based on keywords.  With short keywords
like S_e_x we sometimes run into problems with keyword being triggered
based on base64 encoding of an attachment.

Example:
10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER
on sex [weight-2; SExQlAnjsABzk

My Questions:
1.) Is it possible to have a test created that detects attachments?
2.) Is there some kind of general text that is inserted into the headers or
body that indicates that an attachment is present?

Thanks
Darrell
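
Two body-filter problems raised on this page (Darrell's short keyword firing inside a base64 attachment, and Scott's note about HTML comments or codes hiding a phrase from the filter) come down to matching on raw source instead of decoded text. The following is an added example, not code from any poster or from Declude: it uses Python's `email` package as a stand-in parser, and both sample messages are constructed (the base64 line is the fragment from Darrell's log, padded to a valid length).

```python
import re
from email import message_from_string

PHRASE = "Bachelors and other higher education available in your fields"


def naive_hit(raw, needle):
    """Substring search over the raw source: base64 and markup included."""
    return needle.lower() in raw.lower()


def visible_text(raw):
    """Decoded text of non-attachment text/* parts, with HTML comments and
    tags removed and whitespace runs collapsed to single spaces."""
    msg = message_from_string(raw)
    chunks = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() != "text":
            continue  # binary parts: never keyword-scan their encoding
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label
            text = payload.decode("latin-1")
        if part.get_content_subtype() == "html":
            # Delete comments and tags outright so a word split by markup
            # is rejoined (adjacent block elements may run together).
            text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
            text = re.sub(r"<[^>]*>", "", text)
        chunks.append(text)
    return re.sub(r"\s+", " ", " ".join(chunks)).strip()


def filtered_hit(raw, needle):
    """Substring search over what the recipient would actually read."""
    return needle.lower() in visible_text(raw).lower()


# Constructed sample 1: harmless text plus a binary attachment whose base64
# happens to start with the letters S, E, x.
ATTACHMENT_MSG = (
    "From: a@example.com\n"
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Quarterly report attached.\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="report.bin"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="report.bin"\n'
    "\n"
    "SExQlAnjsABzkA==\n"
    "--b1--\n"
)

# Constructed sample 2: the phrase from Sharyn's filter, broken up in the
# source by an HTML comment, a tag, extra spaces and a line break.
HTML_MSG = (
    "From: b@example.com\n"
    "Subject: degree\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body>Bach<!-- k3 -->elors and   other <b>higher</b> education\n"
    "available in your fields</body></html>\n"
)

if __name__ == "__main__":
    print("attachment:", naive_hit(ATTACHMENT_MSG, "sex"),
          filtered_hit(ATTACHMENT_MSG, "sex"))
    print("html:", naive_hit(HTML_MSG, PHRASE), filtered_hit(HTML_MSG, PHRASE))
```

The raw search gives a false positive on the attachment and a miss on the HTML message; the decoded search reverses both results.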



RE: [Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt
I'm using the latest release.

In this last example that everyone's filter probably caught, the
original email came through unflagged, but when I forwarded it to the
list, the filter caught it.

I have double checked the per user configs to ensure both my personal
email account (where the forwarded spam was caught) and the original
account it was sent to, (where it wasn't caught) have the same action
for that filter. They do.

So why would it get caught on one account, when forwarded, and not on
the other, when received originally?

Sharyn



We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged Best in the World at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread R. Scott Perry

> In this last example that everyone's filter probably caught, the
> original email came through unflagged, but when I forwarded it to the
> list, the filter caught it.

Remember that failing a test and flagging (or any other action) are very 
different.  In this case, the original question made it seem as though the 
E-mail wasn't failing the test, whereas it may be that the E-mail did fail 
the test but an action other than the one you wanted was used.

Does the X-Spam-Tests-Failed: header show the name of the filter test?  If 
so, the E-mail is failing the test (the next step would be to determine 
which configuration file was used for the outgoing actions).  If not, then 
the E-mail did not fail the test (posting the source and the filter 
string would be helpful to determine what happened there -- for example, 
the spammer may have used 2 spaces instead of one between some words).

   -Scott


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt

> Remember that failing a test and flagging (or any other action) are very
> different.  In this case, the original question made it seem as though
> the E-mail wasn't failing the test, whereas it may be that the E-mail did
> fail the test but an action other than the one you wanted was used.

The email wasn't failing the test. I'm sorry to be so confusing. The only
action I have on this body filter is attach, no weights have been
applied. The particular email in question should've failed this test and
been attached, automatically as that's what the action is.

Here are the message headers:

Received: from 200-140-164-090.bsace7024.dsl.brasiltelecom.net.br
[200.140.164.90] by todhunter.com
  (SMTPD32-7.15) id A5EE223500DE; Thu, 16 Oct 2003 08:58:22 -0400
Received: from [244.16.159.174] by
200-140-164-090.bsace7024.dsl.brasiltelecom.net.br with ESMTP id
009310-63652; Thu, 16 Oct 2003 13:06:30 -0100
Message-ID: [EMAIL PROTECTED]
From: Nelson Hurt [EMAIL PROTECTED]
Reply-To: Nelson Hurt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: 7 How  about obtaining a fully recognized University degree at
home!!?
Date: Thu, 16 Oct 2003 13:06:30 -0100
X-Mailer: QUALCOMM Windows Eudora Version 5.1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=FF_E90E7._.F0E265C
X-Priority: 3
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner
consistent with spam [210f].
X-Declude-Sender: [EMAIL PROTECTED] [200.140.164.90]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
for spam.
X-Spam-Tests-Failed: ROUTING
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 366043108

Here is the line for the filter in my global.cfg

InBodyFilter Filter D:\Imail\Declude\inBody.txt x 0 0


Here are the lines in the user junkmail file that the failed email was
addressed to:

INBODYFILTERATTACH


Here is the line in the filter itself:

BODY 0 CONTAINS Bachelors and other higher education available in your
fields


And here is the line, copied and pasted directly from the spam email
that should've triggered the filter and didn't:

Bachelors and other higher education available in your fields

Thanks,
Sharyn









RE: [Declude.JunkMail] Filter question

2003-10-16 Thread R. Scott Perry

> Here are the message headers:
>
> X-Spam-Tests-Failed: ROUTING

OK, it did not fail the INBODYFILTER test.

> Here is the line in the filter itself:
>
> BODY 0 CONTAINS Bachelors and other higher education available in your
> fields
> And here is the line, copied and pasted directly from the spam email
> that should've triggered the filter and didn't:
> Bachelors and other higher education available in your fields

Those do look the same.  Did you cut and paste it from what you were 
viewing in the E-mail, or from the source?

   -Scott


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt

> Those do look the same.  Did you cut and paste it from what you were 
> viewing in the E-mail, or from the source?

I cut and pasted it from what I was viewing in the email, NOT from the
source, hence my original question. I did go back and run the -diag and
I am definitely running JM 1.75

Sharyn






RE: [Declude.JunkMail] Filter question

2003-10-16 Thread R. Scott Perry

> I cut and pasted it from what I was viewing in the email, NOT from the
> source, hence my original question. I did go back and run the -diag and
> I am definitely running JM 1.75

So now I would ask what the source of the E-mail shows?

   -Scott


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt

> So now I would ask what the source of the E-mail shows?


This particular one came in plain text, I just realized. That is
probably why I didn't use the source to begin with.

When I right click on it, view source is greyed out.

I would be happy to forward the email to the list but I did that earlier
and I'm thinking everyone's filter blocked it but mine.

Sharyn






[Declude.JunkMail] Filter question

2003-08-27 Thread Kevin Bilbee
I have set up a filter to forward all email that seems to be from the sobig
virus to a special mail box.

Global.CFG
SOBIGFILTER filter  D:\IMail\Declude\SOBIG.txt  x   0   0

sobig.txt
REMOTEIP 0 IS 206.111.17.194
REMOTEIP 0 IS 66.185.39.38
REMOTEIP 0 IS 66.123.247.98
REMOTEIP 0 IS 69.37.1.22
SUBJECT 0 IS Re: Details
SUBJECT 0 IS Re: Approved
SUBJECT 0 IS Re: Re: My details
SUBJECT 0 IS Re: Thank you!
SUBJECT 0 IS Re: That movie
SUBJECT 0 IS Re: Wicked screensaver
SUBJECT 0 IS Re: Your application
SUBJECT 0 IS Thank you!
SUBJECT 0 IS Your details

$default$.junkmail
SOBIGFILTER ROUTETO [EMAIL PROTECTED]

I have sent an email with the subject line of Re: Wicked screensaver to test

declude does not seem to be running the test
We are running Declude v1.75i1

Where did I go wrong in setting this up?


Kevin Bilbee



RE: [Declude.JunkMail] Filter question

2003-08-27 Thread Kevin Bilbee
I checked my logs and the REMOTEIP lines are catching the mail but the
subject lines with RE:  are not catching the mail. The subject lines
without the RE:  are catching the emails.

I have changed the IS in SUBJECT lines to CONTAINS and I get the same
results.

I want these emails because I have been successful at tracking down the
machine sending out the messages and getting the user to clean the virus.


Kevin Bilbee



RE: [Declude.JunkMail] Filter question

2003-08-27 Thread R. Scott Perry

> I checked my logs and the REMOTEIP lines are catching the mail but the
> subject lines with RE:  are not catching the mail. The subject lines
> without the RE:  are catching the emails.

That is odd.  Could there be spaces/tabs at the end of the lines that 
aren't working?

If that doesn't explain it, you can use LOGLEVEL DEBUG temporarily and 
send an E-mail through that should be caught by the filter -- you can then 
E-mail me the results, and I can take a look to see what went wrong.

   -Scott


RE: [Declude.JunkMail] Filter question

2003-08-27 Thread Kevin Bilbee
Well Scott, you are correct again. I had a cut and paste error in the filter
file: all of the lines ended with an extra space except the last two lines.

Kevin Bilbee




[Declude.JunkMail] Filter Question

2003-08-04 Thread Hirthe, Alexander
Hello,

what am I doing wrong? 
I have an IP Filter called BAD-IP, a textfile with ip addresses and a test
for the user. 
But still the mails get through.

global.cfg:
[...]
BAD-IP  ipfile C:\IMail\Declude\BAD-IP.txt  x   5   0
[...]

c:\imail\declude\bad-ip.txt (yes, it's really there ;-)
[...]
217.173.135.114
[...]

default.junkmail
[...]
BAD-IP  BOUNCE
[...]

Header:
--
 Exchange Internet Mail Service Version 5.5.2653.13)
   id JPW838YW; Fri, 27 Jun 2003 09:28:21 +0200
 Received: from mail3.cytainment.de [217.173.135.114] by 
 siller.de with ESMTP
   (SMTPD32-7.13) id A139395700DA; Fri, 27 Jun 2003 09:24:41 +0200
 Received: from mail3.cytainment.de (localhost [127.0.0.1])
   by mail3.cytainment.de (8.12.3/8.12.3/Debian-6.3) with 
 ESMTP id h5R7O0Fg027452
   for [EMAIL PROTECTED]; Fri, 27 Jun 2003 09:24:00 +0200
 Received: (from [EMAIL PROTECTED])
   by mail3.cytainment.de (8.12.3/8.12.3/Debian-6.3) id 
 h5R7O0er027438
   for [EMAIL PROTECTED]; Fri, 27 Jun 2003 09:24:00 +0200
 From: [EMAIL PROTECTED]
--



Alex 



Re: [Declude.JunkMail] Filter Question

2003-08-04 Thread R. Scott Perry

> global.cfg:
> [...]
> BAD-IP  ipfile C:\IMail\Declude\BAD-IP.txt  x   5   0
> [...]
> c:\imail\declude\bad-ip.txt (yes, it's really there ;-)
> [...]
> 217.173.135.114
> [...]

This looks good.

> Header:
> --
>  Received: from mail3.cytainment.de [217.173.135.114] by siller.de with ESMTP
>    (SMTPD32-7.13) id A139395700DA; Fri, 27 Jun 2003 09:24:41 +0200

Do you have the full headers?  That will normally show what tests the 
E-mail failed (to determine if the E-mail did fail your test or not), as 
well as the IP address of the remote mailserver (in case 
HOP/HOPHIGH/IPBYPASS lines are interfering).

   -Scott


[Declude.JunkMail] Filter Question

2003-02-02 Thread George Kulman
Hi Scott,

Nothing like a quiet Sunday morning to get the questions going.

I have a filter question and will use the following header to explain.  The
e-mail is being handled correctly by JunkMail according to the GLOBAL.CFG
settings

I would like to be able to filter on the domain names of mailservers in the
chain. In this case I would like to have an entry such as 

WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter screening
criteria for the mailservers in the chain).  I know I can use HEADER for
this but is there a parameter I've missed that would let me have these
checked as JunkMail is parsing to do its thing on each of the hops.  I have
HOPHIGH 6 in my GLOBAL.CFG.

I realize that this particular piece of SPAM has been identified as such by
many other tests, but that's not the question here.

As always, thanks for the time.

George Kulman
Partner
Ridge Systems, L.L.C.

Example Header follows:
***

Received: from mtiwmhc14.worldnet.att.net [204.127.131.114] by
mail.ridge-systems.com with ESMTP
  (SMTPD32-7.13) id A1E0250252; Sun, 02 Feb 2003 09:57:36 -0500
Received: from mtiwmhc14.worldnet.att.net ([127.0.0.1])
  by mtiwmhc14.worldnet.att.net
  (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP
  id
[EMAIL PROTECTED]
net
  for [EMAIL PROTECTED]; Sun, 2 Feb 2003 14:56:07 +
Received: from data.aebolts.com ([216.171.211.31])
  by mtiwmhc14.worldnet.att.net (mtiwmhc14) with ESMTP
  id 2003020214560611400kmvlje; Sun, 2 Feb 2003 14:56:06 +
Received: from data.aebolts.com (data.aebolts.com [216.171.211.31] (may be
forged))
by data.aebolts.com (8.12.6/8.12.6) with ESMTP id h12FSook018111
for [EMAIL PROTECTED]; Sun, 2 Feb 2003 07:28:50 -0800
Received: (from root@localhost)
by data.aebolts.com (8.12.6/8.12.6/Submit) id h12FSo64018109;
Sun, 2 Feb 2003 07:28:50 -0800
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
From: Rick Wagner [EMAIL PROTECTED]
Subject: 
Date: Sun Feb  2 01:05:00 PST 2003
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-RBL-Warning: SPAMCOP: Blocked - see
http://spamcop.net/bl.shtml?216.171.211.31
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[801e].
X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1]
X-Declude-Spoolname: D31e0002502523542.SMD
X-Spam-Tests-Failed: 15 SPAMCOP, BADHEADERS, IPNOTINMX, WEIGHT10
X-Note: This E-mail was sent from (Private IP) ([127.0.0.1]).
X-Country-Chain: UNITED STATES-destination
X-ALLRECIPS: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 341851603




Re: [Declude.JunkMail] Filter Question

2003-02-02 Thread R. Scott Perry


> I would like to be able to filter on the domain names of mailservers in the
> chain. In this case I would like to have an entry such as
>
> WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter screening
> criteria for the mailservers in the chain).  I know I can use HEADER for
> this but is there a parameter I've missed that would let me have these
> checked as JunkMail is parsing to do its thing on each of the hops.  I have
> HOPHIGH 6 in my GLOBAL.CFG.

No, there isn't any other parameter aside from HEADERS that you could 
filter on in this case.  Although Declude JunkMail does look at the server 
names, the only one it cares about is one corresponding to the remote 
mailserver (the HELO parameter in filtering).

In this case, I would recommend using something like:

HEADERS  5  CONTAINS  .aebolts.com (

Adding the "(" there should prevent virtually all other headers from 
triggering the filter (for example, you could have "Subject: We have to do 
something about these .aebolts.com E-mails!" that wouldn't get 
caught).  It's not quite as accurate as it would be if there was a 
parameter that just searched the server names, but it's pretty close.
-Scott



RE: [Declude.JunkMail] Filter Question

2003-02-02 Thread George Kulman
Scott,

OK.  I'll leave you alone for the rest of today <G>.

BTW, HiJack has trapped over 500 pieces of SPAM this weekend for 2 domains
whose Primary MX's have been up and running the entire time.  JunkMail got
another 400+ for 1 of those domains.  Just shows how the spammers are going
after the secondary MX's.

George




[Declude.JunkMail] Filter question

2002-11-22 Thread John Tolmachoff
If I have a line in a filter, say:

MAILFROM  -8  CONTAINS  @domain.com

The test is defined in the Global.cfg like this:

MYFILTER  filter  c:\imail\declude\filter.txt  x  -10  0

That would give any message from @domain.com a negative weight of 18,
correct?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






[Declude.JunkMail] filter question

2002-11-21 Thread Mike K
Can Junkmail pro filters (for msg body) use wildcards? Is there a reference?

I want to create a filter (to hold) msgs that have embedded urls with IP
addresses in them.

I can do this in my IMGate machine but want to see what I catch first.

Mike





Re: [Declude.JunkMail] filter question

2002-11-21 Thread R. Scott Perry


> Can Junkmail pro filters (for msg body) use wildcards?

No.

> Is there a reference?

The Filtering section of the manual covers the filtering.  We do plan to 
add a reference section to the manual like for the whitelisting/blacklisting.

> I want to create a filter (to hold) msgs that have embedded urls with IP
> addresses in them.

The best you could do with Declude JunkMail would be to search for 
"http://%".  However, with IMail's filters, you should be able to be more 
accurate.
-Scott



[Declude.JunkMail] Filter Question...

2002-09-30 Thread Mark Smith

One question about filters...

You assign the rule in the Global.cfg file a weight.
You also assign each filter a weight.

Are these two weights added to get the final weight for the message?

For example, if you have:

MYFILTER filter c:\iMail\Declude\myfilter.txt   x   5   0

And in \myfilter.txt you have:

HELO 8 CONTAINS $domain


Would a hit on this rule have a total weight of 8+5=13?

Thanks!




Re: [Declude.JunkMail] Filter Question...

2002-09-30 Thread R. Scott Perry


> One question about filters...
>
> You assign the rule in the Global.cfg file a weight.
> You also assign each filter a weight.
>
> Are these two weights added to get the final weight for the message?
>
> For example, if you have:
>
> MYFILTER filter c:\iMail\Declude\myfilter.txt   x   5   0
>
> And in \myfilter.txt you have:
>
> HELO 8 CONTAINS $domain
>
> Would a hit on this rule have a total weight of 8+5=13?

Yes, in this case, the total weight would be 13.

Note that multiple hits would result in an even higher weight -- so if you 
had another line "HELO 4 CONTAINS dom", another 4 would get added to the 
weight, bringing it up to 17.
   -Scott
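
Two behaviours reported in these threads can be reproduced in a small model: filter lines that silently stop matching because they end in whitespace (the 2003-08-27 SOBIG filter), and the Global.cfg weight being added to the weight of every matching filter line. This is an added example, not Declude's code: `parse_filter`, `lint`, `strip_trailing` and `score` are hypothetical names, the sample filter text is constructed, and exact, untrimmed matching is an assumption of the model.

```python
"""Toy model of a Declude-style filter file (added example, not Declude's code).

Line format as shown in the thread:  FIELD  WEIGHT  IS|CONTAINS  VALUE
Assumptions of this model: the value runs verbatim to the end of the line,
comparison is exact, and the Global.cfg weight is added once when any line hits.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    lineno: int
    field: str
    weight: int
    op: str
    value: str  # kept verbatim, so trailing spaces/tabs are part of the pattern


def parse_filter(text):
    """Parse filter text into rules without trimming the value."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(None, 3)  # the 4th element keeps trailing whitespace
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected FIELD WEIGHT OP VALUE")
        field, weight, op, value = parts
        if op.upper() not in ("IS", "CONTAINS"):
            raise ValueError(f"line {lineno}: unsupported operator {op!r}")
        rules.append(Rule(lineno, field.upper(), int(weight), op.upper(), value))
    return rules


def lint(rules):
    """Line numbers whose value ends in a space or tab (the bug found in the thread)."""
    return [r.lineno for r in rules if r.value != r.value.rstrip(" \t")]


def strip_trailing(text):
    """Return the filter text with trailing spaces and tabs removed from every line."""
    return "\n".join(line.rstrip(" \t") for line in text.splitlines())


def score(base_weight, rules, message):
    """Return (total weight, matching line numbers) for a message dict."""
    matched = []
    for r in rules:
        actual = message.get(r.field, "")
        hit = actual == r.value if r.op == "IS" else r.value in actual
        if hit:
            matched.append(r)
    if not matched:
        return 0, []
    return base_weight + sum(r.weight for r in matched), [r.lineno for r in matched]


# Constructed sample: the first two lines end in a space, the last two do not.
SOBIG_TXT = "\n".join([
    "SUBJECT 0 IS Re: Details ",
    "SUBJECT 0 IS Re: Wicked screensaver ",
    "SUBJECT 0 IS Thank you!",
    "SUBJECT 0 IS Your details",
])
# Constructed sample mirroring the 5 + 8 + 4 arithmetic; the values are made up.
WEIGHT_TXT = "HELO 8 CONTAINS example.test\nHELO 4 CONTAINS exam"
MESSAGE = {"SUBJECT": "Re: Wicked screensaver", "HELO": "mail.example.test"}

if __name__ == "__main__":
    dirty = parse_filter(SOBIG_TXT)
    print("lines with trailing whitespace:", lint(dirty))
    print("before cleanup:", score(0, dirty, MESSAGE))
    print("after cleanup: ", score(0, parse_filter(strip_trailing(SOBIG_TXT)), MESSAGE))
    print("weighted filter:", score(5, parse_filter(WEIGHT_TXT), MESSAGE))
```

Running `lint` over a filter file after every cut-and-paste edit catches the failure before a test message has to be sent through the server.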




[Declude.JunkMail] Filter question

2002-08-01 Thread Bill Landry

Scott, I guess I could test this, but I'm sure you can tell me off the top
of your head.  When using the BODY search in the filter file, does Declude
search just the actual body of the e-mail message or does it search all
attachments, as well?  I'm guessing it's just the actual body of the
message, or maybe I'm just hoping that's the case.

Thanks,

Bill



Re: [Declude.JunkMail] Filter question

2002-08-01 Thread R. Scott Perry


> Scott, I guess I could test this, but I'm sure you can tell me off the top
> of your head.  When using the BODY search in the filter file, does Declude
> search just the actual body of the e-mail message or does it search all
> attachments, as well?

It searches the entire body of the E-mail, which includes the attachments.
-Scott




[Declude.JunkMail] Filter question

2002-06-20 Thread Rick Davidson

How would I go about filtering for this in the header? Is it possible?

To: Undisclosed Recipients

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900
-

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .



Re: [Declude.JunkMail] Filter question

2002-06-20 Thread R. Scott Perry


> How would I go about filtering for this in the header? Is it possible?
>
> To: Undisclosed Recipients

It isn't currently possible in Declude JunkMail.  It most likely will be 
possible in an upcoming release, though.

However, you should note that Undisclosed Recipients is used by many 
legitimate mailing lists, so it might be best to use it only as part of a 
weighting system.
-Scott
