Using CONTAINS will trap a lot of real email if that is the only line in your filter.
Could try this and set up the $default$.junkmail to HOLD so you can monitor the filter for false positives: SKIPIFWEIGHT 125 <--your delete weight MAXWEIGHT 70 <--your hold weight BODY END NOTCONTAINS Content-Type: image/gif HEADERS END NOTCONTAINS Received: from unknown (HELO HEADERS END NOTCONTAINS [192.168. BODY 20 CONTAINS <img src=cid: SUBJECT 50 STARTSWITH breaking news SUBJECT 50 STARTSWITH OTC News SUBJECT 50 STARTSWITH press release SUBJECT 50 STARTSWITH news SUBJECT 50 STARTSWITH top news SUBJECT 50 STARTSWITH headline news -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Wednesday, December 07, 2005 1:16 PM To: [email protected] Subject: Re: [Declude.JunkMail] CBL:Fw: news Try CONTAINS instead of BEGINSWITH Make sure you have at least one crlf [a bunch would not hurt] at the end of the filter file. -Nick Todd wrote: I created a filter with the string BODY 0 BEGINSWITH <img src=3Dcid: The declude.cfg goes like this GIFINBODYFILTER filter d:\imail\declude\filters\gifinbodyfilter.txt x 150 0 After searching the declude log I dont see where the filter has been triggered a single time in the last day. There are no errors in the declude log calling the test either. To check it I took one of the gifs and sent it to myself. I received it. Here is the header from the email. You will see in red where the gif seems to have a " but the original emails did not. Todd Received: from backup.progressive.loc [192.168.1.19] by net.smart-mail.net (SMTPD32-8.15) id A7821E0198; Wed, 07 Dec 2005 13:26:58 -0600 Received: (from office [68.203.154.122]) by backup.progressive.loc (SMSSMTP 4.0.0.59) with SMTP id M2005120713264209805 for <hunter>; Wed, 07 Dec 2005 13:26:42 -0600 Message-ID: <[EMAIL PROTECTED]> From: "Hunter" <hunter> To: "Todd -Progressive.biz" <hunter> Subject: breaking news Date: Wed, 7 Dec 2005 13:26:41 -0600 MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0095_01C5FB31.DC30EB90" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 X-mxGuard-Info: Processed by net.smart-mail.net using mxGuard v1.5.0 X-mxGuard-Spool-ID: 377c001e01984a62 X-mxGuard-Sender: hunter@ X-mxGuard-Spam-Score: 0 X-Note: This message has been scanned for spam and viruses using mxGuard for IMail X-RBL-Warning: IPNOTINMX: X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: -10. X-Declude-Sender: hunter [68.203.154.122] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: IPNOTINMX, SPFUNKNOWN, SPAMCHK, CATCHALLMAILS [-25] X-Note: Total spam weight of this E-mail is -25 . X-Country-Chain: UNITED STATES->destination X-Note: This E-mail was sent from cpe-68-203-154-122.houston.res.rr.com ([68.203.154.122]). X-RCPT-TO: <hunter@> Status: R X-UIDL: 370538202 This is a multi-part message in MIME format. ------=_NextPart_000_0095_01C5FB31.DC30EB90 Content-Type: multipart/alternative; boundary="----=_NextPart_001_0096_01C5FB31.DC30EB90" ------=_NextPart_001_0096_01C5FB31.DC30EB90 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable ------=_NextPart_001_0096_01C5FB31.DC30EB90 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><IMG src=3D"cid:009401c5fb64$26cb5b90$1401a8c0@office"> = </DIV></BODY></HTML> ------=_NextPart_001_0096_01C5FB31.DC30EB90-- ------=_NextPart_000_0095_01C5FB31.DC30EB90 Content-Type: image/gif; name="lzj.gif" Content-Transfer-Encoding: base64 Content-ID: <[EMAIL PROTECTED]> ----- Original Message ----- From: Scott Fisher To: [email protected] Sent: Tuesday, December 06, 2005 3:51 PM Subject: Re: [Declude.JunkMail] CBL:Fw: news basically it will end the filter if any of the statements are not true. These stock emails have always met these 4 criteria, so if it doesn't meet them end the filter. 1. contains a gif attachment hence:Content-Type: image/gif 2&3. contains a header like: Received: from unknown (HELO randomword [192.168. 4. Always fails cmdspace You could use mine and Kevin's combined: BODY END NOTCONTAINS Content-Type: image/gif HEADERS END NOTCONTAINS Received: from unknown (HELO HEADERS END NOTCONTAINS [192.168. TESTSFAILED END NOTCONTAINS CMDSPACE BODY 15 CONTAINS <img src=3Dcid ----- Original Message ----- From: Todd To: [email protected] Sent: Tuesday, December 06, 2005 3:28 PM Subject: Re: [Declude.JunkMail] CBL:Fw: news Scott, I am looking through the Declude manual to determine what you are doing. I don't think I understand NOTCONTAINS. I would think CONTAINS mean it has this string in the body and NOTCCONTAINS means it does not. So why NOTCONTAINS Content-Type: image/gif ? I feel like I am probably missing something painfully obvious here. Todd ----- Original Message ----- From: Scott Fisher To: [email protected] Sent: Tuesday, December 06, 2005 1:50 PM Subject: Re: [Declude.JunkMail] CBL:Fw: news I use this filter: STOPATFIRSTHIT BODY END NOTCONTAINS Content-Type: image/gif HEADERS END NOTCONTAINS Received: from unknown (HELO HEADERS END NOTCONTAINS [192.168. TESTSFAILED END NOTCONTAINS CMDSPACE TESTSFAILED 100 CONTAINS HELO-IS-REVDNS TESTSFAILED 100 CONTAINS HELOISIP TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT HELOISIP and HELO-IS-REVDNS are from external tests that I run. ----- Original Message ----- From: Richard Farris To: [email protected] Sent: Tuesday, December 06, 2005 1:25 PM Subject: [Declude.JunkMail] CBL:Fw: news Does anyone have an answer to filter these type emails? Richard Farris Ethixs Online 1.270.247.5555 Office 1.800.548.3877 Tech Support "Crossroads to a Cleaner Internet" ----- Original Message ----- From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 06, 2005 3:20 AM Subject: news --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
