I just thought I would send an update about this filter.
Given Declude's ability to detect zero-byte attachments as vulnerabilities in recent interim releases, much of the potential that would otherwise exist for this filter doesn't. I upped the max file size for the test to 5K and found that its catch rate was only about 1 in 10,000 messages, and it would trip on attachments that were formerly viruses but were stripped by virus scanners, which replaced the attachments with text messages but left indications of the original virus' name. All of these messages would have otherwise passed, and although they weren't dangerous, they were unwanted. I also found one message that was a false positive, where there was a string of attached messages and the header code in one just so happened to hit all of the required strings and didn't trip the exception found when there is a base64 attachment. I believe that this can be properly resolved by requiring the string "base64"; however, this would also cause most of the good catches to not be caught, since the base64 attachments were replaced by plain text.
Due to the very low hit rate and the possibility of somewhat random false positives without additional exceptions, which in turn would limit the hit rate even further, I believe that this filter isn't worth the processing and I'm going to retire it. For the good catches that it made, I feel that these are best targeted with more specific filters such as ANTI-AV.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--- This E-mail came from the Declude.JunkMail mailing list.
