I am using Declude and have indiv. Sniffer Tests and lets say the following gets tripped in an email
SNIFFER-WHTLIST result code 000 SNIFFER-PORN result code 054
Which would take precedence over the other, as far as which would be the final code passed to Declude?
There is some confusion about this.
A zero result from Message Sniffer as seen by Declude could mean that a white rule has fired, or it could mean that no rules matched at all.
In the first case - where an actual white rule has fired, the Message Sniffer log will show a "White" entry and the "Final" result will reflect that white rule. In this case, the white rule takes precedence. Declude will see a 0 result code.
In the second case - where no rules matched, the Message Sniffer log will show a "Clean" entry and Declude will see a zero result.
So, from Declude's perspective it will see a zero result in both the "Clean" and the "White" case. As a result, your SNIFFER-WHTLIST result code 000 test will fire.
In a case where a white rule is present and a black rule is present the white rule will always win. So, if Sniffer saw both rules match a message it would return a zero result.
SNIFFER-WHTLIST is a misnomer. It's probably not a good idea to name the zero result test this way because most of the time a zero result doesn't mean "White" but instead means "Clean".
If you wish to have the white rules in your rulebase separated out then we could code those to a 1 result and then you would be able to legitimately create a SNIFFER-WHTLIST test checking for a result of 1.
I will point out here that this has been tried once or twice and in both cases the user switched back almost immediately because the results were confusing.
In Sniffer we use white rules to force a "non result" more than we ever use them to indicate a true "white" result.
Hope this helps, _M
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
