That's the way to do it :)
Matt
Andy Schmidt wrote:
I think I found a solution.
Global.cfg:
SNIFFER external nonzero "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 4 0 SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 1 0 SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0
SNIFFERREPORT weightrange x x 0 15 NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0
NOTSNIFFEDfilter.txt:
TESTSFAILED END CONTAINS SNIFFER REMOTEIP 0 CONTAINS .
The result will be that the filter will "end", if EITHER sniffer tagged the mail OR if the weightrage is 0-15. So - the only mail that should be tagged as "NOTSNIFFED" are emails that are NOT "sniffed" and that are above 15 in weight.
Best Regards Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, May 31, 2004 09:15 PM To: Matt Subject: Re[2]: [Declude.JunkMail] Detect "Test NOT Failed"
I'm just curious... Wouldn't the following work for the intended purpose (in this case)...
NOTSNIFFED external 0 "....." ...
Specifically - an external test that fails on a zero result should work right Scott?
_M
On Monday, May 31, 2004, 7:01:50 PM, Matt wrote:
M> I believe that MINWEIGHT 15 always exits the filter since it M> startswith a score of zero.
M> If Andrew's suggestion doesn't work for your purposes, there's likely M> akludge that can be written with multiple filter files that can do M> this.
M> Matt
M> Andy Schmidt wrote:
M> Hi Matt:
M> M> Uh - I see. We would need a"SKIPIFWEIGHTLESS" option. Scott?
M> M> But - I still don't understand why I don'tsee lots of entries for M> "NOTSNIFFed". If anything, now I should seelots of legitimate mail M> "match" that test?
M> Best Regards
M> Andy Schmidt
M> H M Systems Software, Inc.
M> 600 East Crescent Avenue, Suite 203
M> Upper Saddle River, NJ 07458-1846
M> Phone: +1 201 934-3414x20 (Business)
M> Fax: +1 201 934-9206
M> http://www.HM-Software.com/
M> -----Original Message-----
M> M> From:[EMAIL PROTECTED]:Declude.JunkMail-owner
M> @declude.com]
M> On Behalf Of Matt
M> Sent: Monday, May 31, 2004 06:18 PM
M> To:[EMAIL PROTECTED]
M> Subject: Re: [Declude.JunkMail] Detect "Test NOT Failed"
M> Andy,
M> That's not how MINWEIGHT works. MINWEIGHT is used for a filter so M> thatit doesn't subtract any more than the value that you give it, M> generallya negative number unless you get fancy and apply scoring M> tests first.
M> The only way to do this currently would be to create an external M> testto run after Sniffer which passes in the %WEIGHT% variable.
M> Matt
M> Andy Schmidt wrote:
M> Hi,
M> M> I'mtrying to detect mails weight >= 15 that did NOT fail "Sniffer".
M> M> Ihave:
M> M> Global.cfg:
M> M> SNIFFER external
M> nonzero"D:\IMAIL\Sniffer\Win32\????????.exe ?????" 4 0 SNIFFER-SNAKE M> external
M> 052 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 1 0 SNIFFER-SCAMS M> external
M> 053 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 2 0 SNIFFER-PORN M> external
M> 054 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 2 0 SNIFFER-MALWARE M> external
M> 055 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 2 0 SNIFFER-OBFUSC M> external
M> 061 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 2 0
M> M> NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0
M> M> In"NOTSNIFFEDfilter.txt"
M> M> MINWEIGHT 15
M> TESTSFAILED END CONTAINS SNIFFER
M> REMOTEIP 0 CONTAINS .
M> M> Yet,the log doesn't show "NOTSNIFFed":
M> M> 05/31/2004 17:48:59 Qa83f230c00e4d595SPAMCOP:7 XBL-DYNA:7 M> HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight= 26. 05/31/2004 M> 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith M> weight >=19 (26) and at least 1 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith weight >=14 M> (26) and at least 4 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith weight >=12 M> (26) and at least 6 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to M> [EMAIL PROTECTED] 05/31/2004 17:48:59 Qa83f230c00e4d595 M> From: [EMAIL PROTECTED]
M> To: [EMAIL PROTECTED] IP: 61.73.93.27 ID:
M> 05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed
M> [weight=26]:BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE
M> SPAMCOP=WARNNJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE
M> HELOBOGUS=WARNIPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN
M> NOLEGITCONTENT=IGNOREWEIGHTKILL=DELETE M> 05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from
M> [EMAIL PROTECTED] to
M> [EMAIL PROTECTED]@alloysinternational.com
M> Best Regards
M> Andy Schmidt
M> H M Systems Software, Inc.
M> 600 East Crescent Avenue, Suite 203
M> Upper Saddle River, NJ 07458-1846
M> Phone: +1 201934-3414 x20 (Business)
M> Fax: +1 201 934-9206
M> http://www.HM-Software.com/
M> M> --
M> =====================================================
M> MailPure custom filters for Declude JunkMail
M>
Pro.http://www.mailpure.com/software/=======================================
==============
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
