Re: [Declude.JunkMail] CBL:Fw: news

Wed, 07 Dec 2005 12:50:23 -0800 


Erik wrote:


Using CONTAINS will trap a lot of real email if that is the only line in
your filter.

 


There best way is with combo filters but that was not his question  :)

-Nick



Could try this and set up the $default$.junkmail to HOLD so you can monitor
the filter for false positives:



SKIPIFWEIGHT 125 <--your delete weight
MAXWEIGHT 70 <--your hold weight

BODY END NOTCONTAINS Content-Type: image/gif
HEADERS END NOTCONTAINS Received: from unknown (HELO
HEADERS END NOTCONTAINS [192.168.

BODY 20 CONTAINS <img src=cid:

SUBJECT 50 STARTSWITH breaking news
SUBJECT 50 STARTSWITH OTC News
SUBJECT 50 STARTSWITH press release

SUBJECT 50 STARTSWITH news 
SUBJECT 50 STARTSWITH top news

SUBJECT 50 STARTSWITH headline news




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Wednesday, December 07, 2005 1:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] CBL:Fw: news


Try CONTAINS instead of BEGINSWITH
Make sure you have at least one crlf [a bunch would not hurt] at the end of
the filter file.

-Nick


Todd wrote: 
I created a filter with the string


BODY 0 BEGINSWITH <img src=3Dcid:

The declude.cfg goes like this

GIFINBODYFILTER       filter
d:\imail\declude\filters\gifinbodyfilter.txt    x    150    0

After searching the declude log I dont see where the filter has been
triggered a single time in the last day.  There are no errors in the declude
log calling the test either.  To check it I took one of the gifs and sent it
to myself.  I received it.  Here is the header from the email.  You will see
in red where the gif seems to have a " but the original emails did not.

Todd



Received: from backup.progressive.loc [192.168.1.19] by net.smart-mail.net
 (SMTPD32-8.15) id A7821E0198; Wed, 07 Dec 2005 13:26:58 -0600
Received: (from office [68.203.154.122])
by backup.progressive.loc (SMSSMTP 4.0.0.59) with SMTP id
M2005120713264209805
for <hunter>; Wed, 07 Dec 2005 13:26:42 -0600
Message-ID: <[EMAIL PROTECTED]>
From: "Hunter" <hunter>
To: "Todd -Progressive.biz" <hunter>
Subject: breaking news
Date: Wed, 7 Dec 2005 13:26:41 -0600
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0095_01C5FB31.DC30EB90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-mxGuard-Info: Processed by net.smart-mail.net using mxGuard v1.5.0
X-mxGuard-Spool-ID: 377c001e01984a62
X-mxGuard-Sender: hunter@
X-mxGuard-Spam-Score: 0
X-Note: This message has been scanned for spam and viruses using mxGuard for
IMail

X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.

X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: -10.
X-Declude-Sender: hunter [68.203.154.122]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: IPNOTINMX, SPFUNKNOWN, SPAMCHK, CATCHALLMAILS [-25]
X-Note: Total spam weight of this E-mail is -25 .
X-Country-Chain: UNITED STATES->destination
X-Note: This E-mail was sent from cpe-68-203-154-122.houston.res.rr.com
([68.203.154.122]).
X-RCPT-TO: <hunter@>
Status: R
X-UIDL: 370538202

This is a multi-part message in MIME format.

------=_NextPart_000_0095_01C5FB31.DC30EB90
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0096_01C5FB31.DC30EB90"


------=_NextPart_001_0096_01C5FB31.DC30EB90
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_001_0096_01C5FB31.DC30EB90
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><IMG src=3D"cid:009401c5fb64$26cb5b90$1401a8c0@office"> =
</DIV></BODY></HTML>

------=_NextPart_001_0096_01C5FB31.DC30EB90--

------=_NextPart_000_0095_01C5FB31.DC30EB90
Content-Type: image/gif;
name="lzj.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>










----- Original Message ----- 
From: Scott Fisher 
To: Declude.JunkMail@declude.com 
Sent: Tuesday, December 06, 2005 3:51 PM

Subject: Re: [Declude.JunkMail] CBL:Fw: news


basically it will end the filter if any of the statements are not true.

These stock emails have always met these 4 criteria, so if it doesn't meet
them end the filter.

1. contains a gif attachment hence:Content-Type: image/gif
2&3.  contains a header like:  Received: from unknown (HELO randomword
[192.168.
4.  Always fails cmdspace

You could use mine and Kevin's combined:

BODY  END NOTCONTAINS Content-Type: image/gif
HEADERS  END NOTCONTAINS Received: from unknown (HELO
HEADERS  END NOTCONTAINS [192.168.
TESTSFAILED END NOTCONTAINS CMDSPACE

BODY 15 CONTAINS <img src=3Dcid

----- Original Message ----- 
From: Todd 
To: Declude.JunkMail@declude.com 
Sent: Tuesday, December 06, 2005 3:28 PM

Subject: Re: [Declude.JunkMail] CBL:Fw: news



Scott,  


I am looking through the Declude manual to determine what you are doing.  I
don't think I understand NOTCONTAINS. I would think CONTAINS mean it has
this string in the body and NOTCCONTAINS means it does not.  So why
NOTCONTAINS Content-Type: image/gif    ?

I feel like I am probably missing something painfully obvious here.

Todd



----- Original Message ----- 
From: Scott Fisher 
To: Declude.JunkMail@declude.com 
Sent: Tuesday, December 06, 2005 1:50 PM

Subject: Re: [Declude.JunkMail] CBL:Fw: news


I use this filter:

STOPATFIRSTHIT

BODY  END NOTCONTAINS Content-Type: image/gif
HEADERS  END NOTCONTAINS Received: from unknown (HELO
HEADERS  END NOTCONTAINS [192.168.
TESTSFAILED END NOTCONTAINS CMDSPACE

TESTSFAILED 100 CONTAINS HELO-IS-REVDNS
TESTSFAILED 100 CONTAINS HELOISIP
TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT

HELOISIP and HELO-IS-REVDNS are from external tests that I run.

----- Original Message ----- 
From: Richard Farris 
To: Declude.JunkMail@declude.com 
Sent: Tuesday, December 06, 2005 1:25 PM

Subject: [Declude.JunkMail] CBL:Fw: news


Does anyone have an answer to filter these type emails?

Richard Farris
Ethixs Online
1.270.247.5555 Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"


----- Original Message ----- 
From: [EMAIL PROTECTED] 
To: [EMAIL PROTECTED] 
Sent: Tuesday, December 06, 2005 3:20 AM

Subject: news




---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



 


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.






















					Reply via email to