Definitely,
I see this as primarily being used in two ways:
1. Reduce false positives by negative weighting larger files....maybe...
2. Stopgap for new viruses until new definitions are released, by checking for file size ranges (assuming a particular virus always sends similar file sizes).
Probably many other provider-specific uses for these kinds of plug-ins...
Darin.
----- Original Message -----
Sent: Tuesday, April 06, 2004 9:04 PM
Subject: Re: [Declude.JunkMail] Test for message size and return codes
Matt
I would definitely be interested in the code.
I suppose you are going to pass a size as a parameter to the script, and have the test pass or fail if the file is smaller/larger than the parameter?
Also, I am curious about the test environment you are using, is this documented somewhere? How to call declude and collect the results to see if they are as expected? Do you set a special test directory with local global.cfg and local logs?
Interested in developing some tests about size and number of "remote recipients" so we can delay large files to low traffic hours (bandwidth too expensive in here).
TIA
----- Original Message -----
Sent: Wednesday, April 07, 2004 12:50 AM
Subject: Re: [Declude.JunkMail] Test for message size and return codes
Thanks everyone for your help here. The CScript method
does in fact work! Looks like I'll probably be able to get some of those
other things taken care of as well now that I understand what was at issue
here, or at least how to work around it.
Darin, I hear you loud and
clear about the utility of having compiled code, and if you are still
interested after I test a bit more, I may ask you for some assistance.
What I'll probably do is grab myself a copy of Visual Studio .Net and have a
friend help me convert the vbscript to a VB.Net (if that's a good
choice). I suppose it wouldn't hurt to start learning VB.Net (ASP.Net)
anyway.
When I get the file size test optimized (meaning figuring out
what sizes are useful to tag), and I get the Sniffer bypasser running, I'll
share the sources here. I'm sure there are a lot of things that can be
done over the long-term.
Thanks,
Matt
Darin Cox wrote:
Hi Matt,
What we're saying is to try this
EXTERNALTEST external 30 "cscript.exe C:\IMail\Declude\test.vbs" 0 0
instead of
EXTERNALTEST external 30 "C:\IMail\Declude\test.vbs" 0 0
Not sure, but you may have to provide a path to cscript.exe. It should be in the %SYSTEMROOT%\system32 directory on your machine.
Darin.
----- Original Message -----
Sent: Tuesday, April 06, 2004 6:30 PM
Subject: Re: [Declude.JunkMail] Test for message size and return codes
Andrew,
Thanks for taking the time to check things
out. I haven't tried calling the script with another script, just
Declude, so there are no cscript calls being made here. I came across
this old post where Scott provided some background though on the
"ExitProcess" method:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg02589.html
I assume that this will work, but this isn't best practices for result codes from vbscript so far as I can tell, it was an old work around that could be used with VB4 when it didn't have the benefit of WScript.Quit. I'll probably give that a try though.
Scott, is there a reason why Declude isn't accepting the result code from WScript.Quit? Here's a sample piece of code that I was using to test:
----- Global.cfg -----
EXTERNALTEST external 30 "C:\IMail\Declude\test.vbs" 0 0
----- test.vbs -----
WScript.Quit(30)
Thanks,
Matt
Colbeck, Andrew wrote:
Putting all of 60 seconds into this, Matt, I've the following I can help with:
Your link works great, so the method of calling it is probably suspect. I haven't tried to check the return code in Declude, but in a mini-script it works fine.
Have you set the cscript host to be the default host?
cscript //H:CScript
Are you calling cscript.exe with command line parameters in your declude config file, e.g.
cscript temp.vbs //B //NoLogo //T:2
Here was my test for your link:
Listing of temp.vbs:
----------------------------
WScript.Quit (1);
// This line of code is never executed.
var i = 0;
Listing of calltemp.cmd:
----------------------------------
cscript temp.vbs //B //NoLogo //T:2
@if errorlevel 10 echo errorlevel is 10
@if errorlevel 1 echo errorlevel is 1
@if errorlevel 0 echo errorlevel is 0
Results of running calltemp.cmd:
------------------------------------------------
C:\temp\>calltemp.cmd
C:\temp\>cscript temp.vbs //B //NoLogo //T:2
errorlevel is 1
errorlevel is 0
which shows that all is right with the world. Hope that helps some.
Andrew
8)
Kevin and Darin,
This is something that would be configured as an external
test in Declude, and it's not calling any other programs so I'm not sure
that cscript is useful here. If I was calling something like
Sniffer, I do understand that the call should be made with cscript
though. I also understand the limitations of scripted code vs
compiled code, but I can do some basic scripting (most of my experience
is in simple database ASP stuff) and test some ideas before finding
someone to code it up as something that can be compiled. For
something as basic as checking just the file size, this should work
plenty fast though, it doesn't even need to open the file.
The real issue that I have though is pumping out a result code from vbscript
to Declude. From my reading of things, the WScript.Quit method
should do this, but it's not working. BTW, there is no
CScript.Quit method. Here's the page on MSDN for
WScript.Quit:
http://msdn.microsoft.com/library/default.asp?url=
I can't find anything else in vbscript that is supposed to be used for
returning a result code except for an old method for ExitProcess that
existed before WScript.Quit came around. Here's an example of
that, but I'm not sure how to use it exactly, or even if that would
work.
http://www.mentalis.org/apilist/ExitProcess.shtml
I'm more concerned that WScript.Quit is sending the exit code back to
Declude in the wrong format, or possibly that you just can't use
vbscript, or at least WScript to return a result code.
This one little script is only one of many little but useful things that could be
done if I can get my hands around this. I came across similar
problems when I was trying to create a handler for Sniffer that would
skip calling Sniffer if the weight was already high enough for my Drop
setting. I thought the problem was related to retrieving the
result code from Sniffer, but it will echo it in testing, however I
can't get it to Declude in proper result code format.
Matt
Darin Cox wrote:
Probably need to use cscript to call the
vbs file like "cscript filesize.vbs d00000....smd"
Also, it would probably be much better to
compile this into a C++ or C#/VB.net console app.
Interpreted code like this runs a lot slower than
compiled. Haven't done tests for this in the past couple of
years, but it used to be an order of magnitude faster for compiled
over interpreted.
Darin.
----- Original Message -----
Sent: Tuesday, April 06, 2004 3:53 PM
Subject: [Declude.JunkMail] Test for message size and return codes
Scott,
I have tried scripting several different
things with vbscript for use as external tests in Declude to no
avail. Here for example is a simple piece of code that can
detect if a message is above or below a certain size:
Dim Args, oFSO, oFile
Set Args = WScript.Arguments
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oFile = oFSO.GetFile(Args(0))
If oFile.size > 102400 Then
    'Return a code of 1
Else
    'Return a code of 0
End If
Set Args = nothing
Set oFile = nothing
Set oFSO = nothing
I have comments in there for the result
codes because I tried the WScript.Quit(1) method and Declude doesn't
pick that up. From everything that I have read, it appears that
this is the preferred method with vbscript (note that I'm not an
expert in this area by any means), and the ExitProcess method
indicated in your manual is an old work around that was appropriate
(the only method) for old VB.
I've searched the Internet
several times for a good example of returning a result code to Declude
and I'm a bit stumped. I was hoping that you or someone else has
some vbscript examples that will work with Declude. A lot could
be done to add little functions like a test for size, which in my
case, could be used to defeat certain filters that are targeted at
zombie spam which are heavy on the BODY searches, such as GIBBERISH,
!YDIRECTED, IPLINKED, and @LINKED (and I'm sure several more at
least).
Thanks,
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
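Added example (not part of the original thread, and not Matt's eventual script): a complete size test along the lines discussed above, meant to be run through cscript.exe as in Darin's EXTERNALTEST line so that the value given to WScript.Quit becomes the process exit code. It assumes the message file path arrives as the last command-line argument and accepts an optional size limit in bytes as the first; both conventions and the name filesize.vbs are assumptions.

```vbscript
' filesize.vbs - added example, not code from the thread.
' Assumptions: the caller passes the message file path as the LAST
' argument; an optional first argument gives the size limit in bytes.
Option Explicit

Const DEFAULT_LIMIT = 102400   ' bytes, the threshold used in Matt's script
Const CODE_SMALL = 0           ' at or below the limit, or size unknown
Const CODE_LARGE = 1           ' above the limit

Dim args, fso, limit, path, code
Set args = WScript.Arguments
code = CODE_SMALL
limit = DEFAULT_LIMIT

If args.Count >= 1 Then
    path = args(args.Count - 1)

    ' Optional numeric first argument overrides the default limit.
    If args.Count >= 2 Then
        If IsNumeric(args(0)) Then limit = CDbl(args(0))
    End If

    Set fso = CreateObject("Scripting.FileSystemObject")

    ' Check that the file exists first: an unhandled runtime error would
    ' end the script before WScript.Quit could set our own code.
    If fso.FileExists(path) Then
        ' Only the directory entry is read; the message is never opened.
        If fso.GetFile(path).Size > limit Then code = CODE_LARGE
    End If

    Set fso = Nothing
End If

Set args = Nothing

' This value becomes the process exit code, which a calling batch file
' can read with "if errorlevel" as in Andrew's calltemp.cmd.
WScript.Quit code
```

A missing or unreadable path falls through to the "small" code, so a lookup failure never adds weight to a message.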