Re: [sniffer] Rules Question

2004-03-03 Thread Madscientist
At 04:55 PM 3/3/2004, you wrote:

I am using Declude and have indiv. Sniffer Tests and let's say the
following gets tripped in an email

SNIFFER-WHTLIST result code 000
SNIFFER-PORN result code 054

Which would take precedence over the other, as far as which would be the
final code passed to Declude?

There is some confusion about this.

A zero result from Message Sniffer as seen by Declude could mean that a 
white rule has fired, or it could mean that no rules matched at all.

In the first case - where an actual white rule has fired, the Message 
Sniffer log will show a White entry and the Final result will reflect 
that white rule. In this case, the white rule takes precedence. Declude 
will see a 0 result code.

In the second case - where no rules matched, the Message Sniffer log will 
show a Clean entry and Declude will see a zero result.

So, from Declude's perspective it will see a zero result in both the 
Clean and the White case. As a result, your SNIFFER-WHTLIST result code 
000 test will fire.

In a case where a white rule is present and a black rule is present the 
white rule will always win. So, if Sniffer saw both rules match a message 
it would return a zero result.

SNIFFER-WHTLIST is a misnomer. It's probably not a good idea to name the 
zero result test this way because most of the time a zero result doesn't 
mean White but instead means Clean.

If you wish to have the white rules in your rulebase separated out then we 
could code those to a 1 result and then you would be able to legitimately 
create a SNIFFER-WHTLIST test checking for a result of 1.

I will point out here that this has been tried once or twice and in both 
cases the user switched back almost immediately because the results were 
confusing.

In Sniffer we use white rules to force a non result more than we ever use 
them to indicate a true white result.

Hope this helps,
_M


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Rules Question

2004-03-03 Thread Keith Johnson
Thanks for the aid.  One last question, you mentioned:
 
In a case where a white rule is present and a black rule is present the
white rule will always win
 
So if the White Rule fired 000, it would override a Porn Rule of 54?  If so, how are 
these White Rules entered?  
 
Thanks,
 
Keith


RE: [sniffer] Rules Question

2004-03-03 Thread Madscientist
White rules are entered either upon request or in response to a false 
positive report with your permission. In some cases we will enter a white 
rule based on our own research or in response to a false positive report if 
we feel a core white rule would be more appropriate. We add core white 
rules without permission. We add local rules of any type only with 
permission or by request.

Hope this helps,
_M