First, do IPNOTINMX and NOLEGITCONTENT still get processed (weight adjustments, and triggers for TESTSFAILED) after custom filters? I've been setting SKIPIFWEIGHT to a value equal to those tests because the points would be deducted afterwards. This is also important if we possibly write a custom filter that includes the TESTSFAILED action for these.
Actually, both IPNOTINMX and NOLEGITCONTENT should be run before the filters.
Secondly, I noted the NOTENDSWITH action was added as per John's previous request. If you could add NOT functionality to all of the filter types, this would greatly enhance filtering capabilities. I've come across this need many times in the past and have been limited by the absence of such functionality.
That is something that we are planning.
For everyone else, if you haven't figured it out yet, you can now create a simple filter for something like all DUL tests by setting the test scores to zero in the global.cfg, and then creating a DUL custom filter that is scored at one value. This way you don't have a huge range of scores based on how many such tests get hit. i.e.
----- Global.cfg -----
AHBL-DUL    ip4r    dnsbl.ahbl.org       127.0.0.9   0  0
NJABL-DUL   ip4r    dnsbl.njabl.org      127.0.0.3   0  0
NJABL-DYNA  ip4r    dynablock.njabl.org  127.0.0.3   0  0
SORBS-DUL   ip4r    dnsbl.sorbs.net      127.0.0.10  0  0
DUL         filter  C:\IMail\Declude\Filters\DUL.txt  x  8  0

----- DUL.txt ----
TESTSFAILED  0  CONTAINS  AHBL-DUL
TESTSFAILED  0  CONTAINS  NJABL-DUL
TESTSFAILED  0  CONTAINS  NJABL-DYNA
TESTSFAILED  0  CONTAINS  SORBS-DUL
That's a good thing to have I think. It should help protect from false positives while also not severely weakening the system. I may even combine this with my DYNAMIC filter for one scoring hit.
That is a very good idea. :)
-Scott
---
This E-mail came from the Declude.JunkMail mailing list. The archives can be found at http://www.mail-archive.com.
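The effect of the zero-weight DUL tests plus a single scored filter, as an added Python sketch that is not part of the original message and not Declude's code. It assumes the fifth column of each Global.cfg line is the weight added on failure, that the DUL filter adds its weight once when any of its lines matches, and it uses a constructed per-test weight of 4 for the "before" comparison.

```python
# Simplified scoring model (an assumption for illustration, not Declude's code).
GLOBAL_CFG = r"""
AHBL-DUL    ip4r    dnsbl.ahbl.org       127.0.0.9   0  0
NJABL-DUL   ip4r    dnsbl.njabl.org      127.0.0.3   0  0
NJABL-DYNA  ip4r    dynablock.njabl.org  127.0.0.3   0  0
SORBS-DUL   ip4r    dnsbl.sorbs.net      127.0.0.10  0  0
DUL         filter  C:\IMail\Declude\Filters\DUL.txt  x  8  0
"""
DUL_TXT = """
TESTSFAILED  0  CONTAINS  AHBL-DUL
TESTSFAILED  0  CONTAINS  NJABL-DUL
TESTSFAILED  0  CONTAINS  NJABL-DYNA
TESTSFAILED  0  CONTAINS  SORBS-DUL
"""
CONSTRUCTED_OLD_WEIGHT = 4  # constructed value: per-test weight before the change

def parse_global(text):
    """Map test name -> (test type, weight on failure)."""
    tests = {}
    for line in text.strip().splitlines():
        name, kind, _source, _match, fail_w, _pass_w = line.split()
        tests[name] = (kind, int(fail_w))
    return tests

def parse_filter(text):
    """Return the test names matched by TESTSFAILED ... CONTAINS lines."""
    names = []
    for line in text.strip().splitlines():
        field, _weight, op, value = line.split()
        if field == "TESTSFAILED" and op == "CONTAINS":
            names.append(value)
    return names

TESTS = parse_global(GLOBAL_CFG)
FILTER_NAMES = parse_filter(DUL_TXT)

def flat_score(failed):
    """Score with the page's config: DNSBL tests weigh 0, the filter counts once."""
    failed_str = " ".join(sorted(failed))
    total = sum(TESTS[name][1] for name in failed)
    if any(name in failed_str for name in FILTER_NAMES):
        total += TESTS["DUL"][1]
    return total

def additive_score(failed):
    """Score if every DUL test carried its own (constructed) weight."""
    return CONSTRUCTED_OLD_WEIGHT * len(failed)

if __name__ == "__main__":
    for hits in (set(), {"SORBS-DUL"}, {"AHBL-DUL", "NJABL-DUL", "NJABL-DYNA", "SORBS-DUL"}):
        print(sorted(hits), "additive:", additive_score(hits), "flat:", flat_score(hits))
```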
