I think I found a solution. Global.cfg:
SNIFFER external nonzero "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 4 0 SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 1 0 SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFERREPORT weightrange x x 0 15 NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 NOTSNIFFEDfilter.txt: TESTSFAILED END CONTAINS SNIFFER REMOTEIP 0 CONTAINS . The result will be that the filter will "end", if EITHER sniffer tagged the mail OR if the weightrage is 0-15. So - the only mail that should be tagged as "NOTSNIFFED" are emails that are NOT "sniffed" and that are above 15 in weight. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, May 31, 2004 09:15 PM To: Matt Subject: Re[2]: [Declude.JunkMail] Detect "Test NOT Failed" I'm just curious... Wouldn't the following work for the intended purpose (in this case)... NOTSNIFFED external 0 "....." ... Specifically - an external test that fails on a zero result should work right Scott? _M On Monday, May 31, 2004, 7:01:50 PM, Matt wrote: M> I believe that MINWEIGHT 15 always exits the filter since it M> startswith a score of zero. M> If Andrew's suggestion doesn't work for your purposes, there's likely M> akludge that can be written with multiple filter files that can do M> this. M> Matt M> Andy Schmidt wrote: M> Hi Matt: M> � M> Uh - I see.� We would need a"SKIPIFWEIGHTLESS" option.� Scott? M> � M> But - I still don't understand why I don'tsee lots of entries for M> "NOTSNIFFed".� If anything, now I should seelots of legitimate mail M> "match" that test? M> Best Regards M> Andy Schmidt M> H M Systems Software, Inc. M> 600 East Crescent Avenue, Suite 203 M> Upper Saddle River, NJ 07458-1846 M> Phone:� +1 201 934-3414x20 (Business) M> Fax:��� +1 201 934-9206 M> http://www.HM-Software.com/ M> -----Original Message----- M> M> From:[EMAIL PROTECTED]:Declude.JunkMail-owner M> @declude.com] M> On Behalf Of Matt M> Sent: Monday, May 31, 2004 06:18 PM M> To:[EMAIL PROTECTED] M> Subject: Re: [Declude.JunkMail] Detect "Test NOT Failed" M> Andy, M> That's not how MINWEIGHT works.� MINWEIGHT is used for a filter so M> thatit doesn't subtract any more than the value that you give it, M> generallya negative number unless you get fancy and apply scoring M> tests first. M> The only way to do this currently would be to create an external M> testto run after Sniffer which passes in the %WEIGHT% variable. M> Matt M> Andy Schmidt wrote: M> Hi, M> � M> I'mtrying to detect mails weight >= 15 that did NOT fail "Sniffer". M> � M> Ihave: M> � M> Global.cfg: M> � M> SNIFFER �external M> �nonzero"D:\IMAIL\Sniffer\Win32\????????.exe ?????"�4�0 SNIFFER-SNAKE� M> external M> �052�"D:\IMAIL\Sniffer\Win32\????????.exe?????"�1�0 SNIFFER-SCAMS � M> external M> �053�"D:\IMAIL\Sniffer\Win32\????????.exe?????"�2�0 SNIFFER-PORN� M> external M> �054�"D:\IMAIL\Sniffer\Win32\????????.exe?????"�2�0 SNIFFER-MALWARE� M> external M> �055�"D:\IMAIL\Sniffer\Win32\????????.exe?????"�2�0 SNIFFER-OBFUSC � M> external M> �061�"D:\IMAIL\Sniffer\Win32\????????.exe?????"�2�0 M> � M> NOTSNIFFed�filter��D:\IMail\Declude\NOTSNIFFEDfilter.txt�x�0�0 M> � M> In"NOTSNIFFEDfilter.txt" M> � M> MINWEIGHT�15 M> TESTSFAILED�END�CONTAINS SNIFFER M> REMOTEIP�0�CONTAINS . M> � M> Yet,the log doesn't show "NOTSNIFFed": M> � M> 05/31/2004 17:48:59 Qa83f230c00e4d595SPAMCOP:7 XBL-DYNA:7 M> HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 .� Total weight= 26. 05/31/2004 M> 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith M> weight >=19 (26) and at least 1 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith weight >=14 M> (26) and at least 4 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith weight >=12 M> (26) and at least 6 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to M> [EMAIL PROTECTED] 05/31/2004 17:48:59 Qa83f230c00e4d595 M> From: [EMAIL PROTECTED] M> To: [EMAIL PROTECTED] IP: 61.73.93.27 ID: M> 05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed M> [weight=26]:BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE M> SPAMCOP=WARNNJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE M> HELOBOGUS=WARNIPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN M> NOLEGITCONTENT=IGNOREWEIGHTKILL=DELETE M> 05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from M> [EMAIL PROTECTED] to M> [EMAIL PROTECTED]@alloysinternational.com M> Best Regards M> Andy Schmidt M> H M Systems Software, Inc. M> 600 East Crescent Avenue, Suite 203 M> Upper Saddle River, NJ 07458-1846 M> Phone:� +1 201934-3414 x20 (Business) M> Fax:��� +1 201 934-9206 M> http://www.HM-Software.com/ M> � M> -- M> ===================================================== M> MailPure custom filters for Declude JunkMail M> Pro.http://www.mailpure.com/software/======================================= ============== --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
