It seems that this setup should be working. Can you send me
[email protected] JunkMail DEBUG log entries for a specific
message to have a look at? 

 

From: [email protected] [mailto:[email protected]]
On Behalf Of John Doyle
Sent: Wednesday, February 26, 2014 1:32 PM
To: [email protected]
Subject: [MBF]Re: MBF releases new build of Declude 4.12.05

 

David
Years ago I set up a system to forward uncaught sniffer email with a weight
of 18 or greater to an account used by ARM.
Since we use different weights for various tests, we have 18 various tests.
I then use a filter file to flag as SNIFFERNOCATCH those not caught.
In the past the problem was that Declude did not attach a weight until the
very end, so there was no way to only flag mail with a weight of 18 or
greater.
So we copyto all mail that is caught by SNIFFERNOCATCH to the account and
delete if the weight is less than 18.

I hoped that the new NOHIT test would use our test SNIFFERCATCH and look at
the total weight and only trigger on those whose weight is greater than 18.

I do know that the SNIFFERNOCATCH does grab mail not caught by sniffer, 
and that SNIFFERCATCH correctly flags those caught.

=========================================================================
Here is our test for mail not caught by sniffer
SNIFFERCATCH          filter  D:\Imail\Declude\Filters\SNIFFERCATCH.txt       x       0       0

=========================================================
Here is our SNIFFERCATCH.txt

TESTSFAILED   0     CONTAINS SNIFFER-SURE
TESTSFAILED   0     CONTAINS SNIFFER-AV-PUSH
TESTSFAILED   0     CONTAINS SNIFFER-WAREZ
TESTSFAILED   0     CONTAINS SNIFFER-SPAMWARE
TESTSFAILED   0     CONTAINS SNIFFER-SNAKEOIL
TESTSFAILED   0     CONTAINS SNIFFER-SCAMS
TESTSFAILED   0     CONTAINS SNIFFER-PORN
TESTSFAILED   0     CONTAINS SNIFFER-MALWARE
TESTSFAILED   0     CONTAINS SNIFFER-ADVERTISING
TESTSFAILED   0     CONTAINS SNIFFER-SCHEME
TESTSFAILED   0     CONTAINS SNIFFER-CREDIT
TESTSFAILED   0     CONTAINS SNIFFER-GAMBLING
TESTSFAILED   0     CONTAINS SNIFFER-EXPERIMENTAL
TESTSFAILED   0     CONTAINS SNIFFER-OBFUSCATION
TESTSFAILED   0     CONTAINS SNIFFER-IP-RULES
TESTSFAILED   0     CONTAINS SNIFFER-INSURANCE

TESTSFAILED   0    CONTAINS SNIFFER-SUSPECT
TESTSFAILED   0    CONTAINS SNIFFER-TRAVEL
TESTSFAILED   0    CONTAINS SNIFFER-GREYMAIL

==========================================================================


SNIFFERMOVE             NOHIT         SNIFFERCATCH                WEIGHT 18      0      0


BTW I just flew in to LA from Portugal and am lacking some sleep so I hope
I'm doing this correctly

John




---- Original Message ----
From: "David Barker" <[email protected]>
Sent: 2/26/2014 9:33:46 AM
To: [email protected]
Subject: [MBF]Re: MBF releases new build of Declude 4.12.05

Do you have a test called SNIFFERCATCH? Can you post the line in your
global.cfg?

 

From: [email protected] [mailto:[email protected]]
On Behalf Of John Doyle
Sent: Wednesday, February 26, 2014 11:37 AM
To: [email protected]
Subject: [MBF]Re: MBF releases new build of Declude 4.12.05

 

David
I updated Declude to 4.12.05 this morning and added the NOHIT test.
It works, with the exception of the fact that the weight does not seem to work:
it catches anything not caught by sniffer, but even with a weight lower than
the set value.
i.e.:
I set the weight at 18 and it seems to catch everything
SNIFFERMOVE             NOHIT         SNIFFERCATCH                WEIGHT 18      0      0
Do you see anything wrong with my setup?
Thanks
John


---- Original Message ----
From: "David Barker" <[email protected]>
Sent: 2/24/2014 8:41:58 AM
To: [email protected]
Subject: [MBF]MBF releases new build of Declude 4.12.05

New files available from http://mailsbestfriend.com/downloads/

 

4.12.05  FIX - Removed Key check for Declude, no need to hack the Host file.
Declude no longer requires a key to run.

4.12.04  ADD - Created new test NOHIT

4.12.03  ADD - Improved Hijack by monitoring the Authenticated user rather
than the mailfrom address

                

The NOHIT test is used to determine which tests did NOT trigger. The main
purpose of this implementation was to create a feedback system to Message
Sniffer ARM research to improve spam catch rates on new spam. The new test
syntax is below and is located in the global.cfg

 

TEST-NAME1             NOHIT          TEST-NAME2     WEIGHT          0       0

 

TEST-NAME1      Your given name of the test
NOHIT           Test Type
TEST-NAME2      The name of the test you are tracking that did NOT trigger
WEIGHT          The weight => when you would like this test to trigger

 

Example of use (This test will trigger if SNIFFER is NOT triggered for
emails over 30 points):

 

SNF-FEEDBACK           NOHIT          SNIFFER         30      0       0

 

Using this test we can identify messages that scored more than 30 points and
did NOT trigger sniffer. We then use either a COPYTO or ROUTETO Action in
the $default$.junkmail file to have these messages go to a specific inbox
where ARM research periodically retrieves these messages and writes new
rules to distribute to other Message Sniffer users. 

 

The entry in the $default$.junkmail would be:

 

SNF-FEEDBACK   ROUTETO    [email protected]

 

Where xxxx is your license key for Message Sniffer.  Be sure to set up an
email user with [email protected] on your server
and provide ARM research [email protected] with the POP account
details to access the account to retrieve messages.

 

I am sure there are other great ways the NOHIT test can be used. Let us know
if you have some ideas.

David Barker
Mail's Best Friend

Email     : [email protected]
Web      : www.mailsbestfriend.com <http://www.mailsbestfriend.com/> 
Office    : 866.919.2075
Mobile  : 978.518.6461
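
The NOHIT behaviour described in the announcement, modelled in Python as an added example that is not part of the thread and is not Declude code. It assumes "WEIGHT =>" means total weight >= threshold and that CONTAINS is a substring match; the function names, the SPAMCOP and BADHEADERS test names and the message weights are constructed for illustration, and the rule line is written in the six-column form of the announcement's example.

```python
# Added illustration, not Declude code.
# Assumption: "WEIGHT =>" means total weight >= threshold.


def parse_nohit(line):
    """Parse a six-column global.cfg line: NAME NOHIT TRACKED THRESHOLD 0 0."""
    fields = line.split()
    if len(fields) != 6 or fields[1] != "NOHIT" or not fields[3].isdigit():
        raise ValueError("not a six-column NOHIT line: %r" % line)
    return {"name": fields[0], "tracked": fields[2], "threshold": int(fields[3])}


def parse_filter(text):
    """Collect the test names from 'TESTSFAILED 0 CONTAINS <name>' filter lines."""
    names = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 4 and parts[0] == "TESTSFAILED" and parts[2] == "CONTAINS":
            names.append(parts[3])
    return names


def filter_fires(names, tests_failed):
    """Assumption: CONTAINS is a substring match against the failed-test list."""
    joined = " ".join(tests_failed)
    return any(n in joined for n in names)


def nohit_fires(rule, fired_tests, total_weight):
    """Fire when the tracked test did NOT fire and the weight reaches the threshold."""
    return rule["tracked"] not in fired_tests and total_weight >= rule["threshold"]


def evaluate(rule, filter_name, filter_names, tests_failed, total_weight):
    """Run the filter first, then the NOHIT test that tracks it."""
    fired = set(tests_failed)
    if filter_fires(filter_names, tests_failed):
        fired.add(filter_name)
    return nohit_fires(rule, fired, total_weight)


# Constructed inputs: one rule, a two-line filter file, three sample messages.
RULE = parse_nohit("SNIFFERMOVE   NOHIT   SNIFFERCATCH   18   0   0")
CATCH = parse_filter("TESTSFAILED 0 CONTAINS SNIFFER-SURE\nTESTSFAILED 0 CONTAINS SNIFFER-PORN\n")
MESSAGES = [
    (["SNIFFER-PORN", "SPAMCOP"], 25),  # caught by sniffer, heavy
    (["SPAMCOP", "BADHEADERS"], 22),    # missed by sniffer, heavy
    (["BADHEADERS"], 6),                # missed by sniffer, light
]
RESULTS = [evaluate(RULE, "SNIFFERCATCH", CATCH, t, w) for t, w in MESSAGES]
```

Only the second message, missed by sniffer and at or above the threshold, would be routed to the feedback account under this model.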
