Here are some notes for filtering that I have compiled: Data Types to Search:
ALLRECIPS searches the recipients of the e-mail message. It was broken in the earlier 1.79 versions and was fixed with 1.79i7. ALLRECIPS with IS test: It needs to be "<[EMAIL PROTECTED]>, < [EMAIL PROTECTED] (where the first "[EMAIL PROTECTED]" is the name entered by the user, and the second one is the one that IMail uses). http://www.mail-archive.com/[EMAIL PROTECTED]/msg18392.html ANYWHERE searches the header and the body. ANYWHERE was introduced in the 1.76 version. BODY searches the body which includes any attachments. COUNTRY is used for searching the last country in the country chain. COUNTRY requires the all_list.dat file.. See the end of the document for a link to this file. COUNTRY was introduced in the 1.62. COUNTRIES is used for searching all countries in the country chain. COUNTRIES requires the all_list.dat file. See the end of the document for a link COUNTRIES was introduced in the 1.62 version. HEADERS searches the headers. Remember this includes the subject. HELO searches the HELO given by the sending server. MAILFROM searches the Declude mailfrom. REMOTEIP searches the sending IP address. If you want a filter that should always be true, use REMOTEIP 0 CONTAINS . REVDNS seaches the Reverse DNS of the sending server. This is preferred over MAILFROM. You may also search REVDNS for timeout or No Reverse DNS. SUBJECT As of 1.78, the subject will be decoded for use in the filters. Subject and decoded subject wrapping bug fixed in 1.79i6. TESTSFAILED Introduced in the 1.78 series. A list of all tests failed up to this point. Filters get processed in the order they appear in the global.cfg, so be sure your filter testing TESTSFAILED is below the filter you are testing. If you want to use "combination tests" where additional points are added if more than one test fails, there are two ways to accomplish this. If you are not using the NOTCONTAINS test, you must make sure that the tests fail one after another in order for both of them to be in order within the TESTSFAILED so that the CONTAINS filter works. Without using a NOTCONTAINS here is a "combination test" example where you would give 10 more weight points to those that fail SBL and SPAMCOP: SBL ip4r sbl-xbl.spamhaus.org 127.0.0.2 10 0 SPAMCOP ip4r bl.spamcop.net 127.0.0.2 8 0 COMBO-SBL filter d:\combo-sbl.txt x 0 0 COMBO-SPAMCOP filter d:\combo-spamcop.txt x 0 0 COMBO-SBL-SPAMCOP filter d:\combo-sbl-spamcop.txt x 0 0 Combo-sbl.txt: TESTSFAILED 0 CONTAINS SBL Combo-Spamcop.txt TESTSFAILED 0 CONTAINS SPAMCOP Combo-SBL-SPAMCOP: TESTSFAILED 10 CONTAINS COMBO-SBL COMBO-SPAMCOP (Mailpure has a good example of the Combo tests in their beta area). When using a NOTCONTAINS test, it is more straight-forward: SBL ip4r sbl-xbl.spamhaus.org 127.0.0.2 10 0 SPAMCOP ip4r bl.spamcop.net 127.0.0.2 8 0 COMBO-SBL-SPAMCOP filter d:\combo-sbl-spamcop.txt x0 0 Combo-SBL-SPAMCOP: TESTFAILED END NOTCONTAINS SBL TESTSFAILED 10 CONTAINS SPAMCOP Actions and Weights: END Ends the filter at this point on a match. END will end with the current score. END can be used in the beginning or middle of a filter. MAILFROM END ENDSWITH @DECLUDE.COM 0 A score of 0 is still a match. The test will "fail" and be logged in the TESTSFAILED line even with a score of zero. Useful for "combination tests" in which multiple tests must fail, yet you don't want to increase the score without the multiple failure. 10 A positive number adds weight. -10 A negative number subtracts weight. Comparison Types: BEGINSWITH CIDR Introduced in 1.78. Example: REMOTEIP 0 CIDR 192.0.2.0/24 CONTAINS ENDSWITH Good match with REVDNS and MAILFROM. IS ISBLANK NOTCONTAINS was introduced in 1.79i7. NOTENDSWITH was introduced in 1.78. Bug with country filters fixed 1.79i6. Great match with MAILFROM and REVDNS. Other: MAXWEGHT stops processing when this weight has been achieved for this filter. Thus, it is the maximum weight of a filter. MAXWEIGHT was introduced in version 1.77i7. A well used MAXWEIGHT can stop a filter after one hit. MAXWEIGHT can be reset with another MAXWEIGHT line. For example Freemail.txt: MAXWEIGHT 1 MAILFROM 1 ENDSWITH HOTMAIL.COM MAXWEIGHT 3 MAILFROM 3 ENDSWITH OUTBLAZE.COM MINWEIGHT stops processing when this weight has been achieved for this filter. Used when subtracting weight. See MailPure's Foreign TLD filters for an example of using this. The filter is assigned 3 points and up to three points can be deducted for valid entries. MINWEIGHT was introduced in version 1.77i7. MINWEIGHT can be reset with another MINWEIGHT line. SKIPIFWEIGHT will exit the filter if the current weight of the e-mail is equal to or greater than the weight indicated. SKIPIFWEIGHT was introduced in version 1.77i7. This can dramatically reduce CPU utilization. # A line starting with a pound sign is a comment. I find it useful to comment out filters that just didn't work, so I'll remember not to put them in again. Trailing spaces. Make sure each filter line ends with a CR/LF, unless you want to search for a word with a space after it. This is useful for shorter words in body filters. Such as BODY 10 CONTAINS HGH(space). A good way to check for trailing spaces is to open your filter in Word and show formatting marks. If I use a trailing space, I'll document it with a comment line, so I will remember why it was there. CR/LF in Body: Declude JunkMail should translate the CRLF (linefeed) into a space. Final CR/LF. Make sure the final line has a CR/LF at it's end. Otherwise the final line may not get processed. Leading spaces. You cannot search for leading space. I.E. you cannot search for (space)cialis. The SPAMCHK add-on can perform this. Filter Resources: Declude all_list.dat fro COUNTRY and COUNTRIES filter: http://www.declude.com/release/179/all_list.dat Declude Junkmail Manual: http://www.declude.com/junkmail/manual.htm Declude Release Notes: http://www.declude.com/Articles.asp?ID=122 Declude Junkmail Mailing List: http://www.mail-archive.com/[EMAIL PROTECTED]/ Mailpure's filters: http://www.mailpure.com/software/decludefilters/ MailPure's Beta Filters (the good stuff) for version 1.78 or higher: http://www.mailpure.com/software/decludefilters/beta/ SpamChk: http://www.spamchk.com/ SURBL filter script: http://www.botany.gu.se/download/decludescript/SURBL_filter.zip Scott Fisher Director of IT Farm Progress Companies --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
