It would be best to either whitelist that IP, or add to the file another END statement for this IP (REMOTEIP).
John's suggestion will work, however it could produce unintended results because Declude will act as if there is no IP address. If IMail is generating the message, I see no reason why you shouldn't whitelist it.
I'm also a bit surprised that IMail will send these notifications through Declude instead of bypassing it like they do with many of their other system notifications.
The next time Ipswitch asks you for money to upgrade their AV solution, send the check to Scott instead :)
Matt
Kami Razvan wrote:
Matt:
I am curious about this since we recently ran into this issue.
It seems like now IMail (with version 8.x) sends the virus notices to Declude with IP: 127.0.0.1 and no reverse DNS.
What that has done in our system is the virus alerts were being caught as spam with high weight. I exchanged some email with Scott and he was the one that pointed these out.
Before we had our own REVDNS whitelisted but now we had to add some of the signatures of Declude virus to our negative file to compensate for the filters.
Some of your words in the filter will cause issues with the new behavior of IMail 8.
Any thoughts?
Kami
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 29, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] ANTI-AV for forged virus bounces
Here's a quickie (not really) filter that was cobbled together from my own system as well as a good deal of input from Andrew and some from Kami and Nick as well (thanks).
This filter is coded for JunkMail Pro v1.77i7+; if you are running an earlier version, you can remove the MAXWEIGHT, SKIPIFWEIGHT and END lines that appear in the file and it should work fine. Note that this file is scored for a system that holds on a 10 and deletes on a 25 (or equivalents of spamliness). It will detect many different mail server AV products, as well as some desktop ones, that send notifications out to the perceived sender as well as ones that attempt to clean the infected file. The goal is to turn this stuff off without breaking legitimate notifications. This filter does not attempt to block banned extensions notifications, though I'll probably code a different filter for that eventually so that it can be turned on (HOLD action) during times of need.
ANTI-AV v1.0.0
http://www.mailpure.com/software/decludefilters/anti-av/Anti-AV_v1-0-0.zip
Matt
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
