Here's what works for me: Matt's (Mailpure) ANTI-AV filter works pretty well for me.
Then this was discussed last weekend on the list. It involved punishing those that fail the anti-av filter and have a null mail.

I have a postmaster-mail filter:

MAILFROM 0 IS <>
MAILFROM 0 CONTAINS administrator@
MAILFROM 0 CONTAINS Antigen@
MAILFROM 0 CONTAINS Antigen_
MAILFROM 0 CONTAINS DLWC-virus-scanner@
MAILFROM 0 CONTAINS e500admin@
MAILFROM 0 STARTSWITH NAV@
MAILFROM 0 CONTAINS NAVMSE-
MAILFROM 0 CONTAINS NAVMSE_
MAILFROM 0 CONTAINS NAVMSE@
MAILFROM 0 CONTAINS POSTMASTER@
MAILFROM 0 STARTSWITH root@
MAILFROM 0 CONTAINS Symantec_AntiVirus_for_SMTP_Gateways@
MAILFROM 0 CONTAINS Virus_Alert@
MAILFROM 0 CONTAINS Virus-Alert@
MAILFROM 0 CONTAINS Virus-Alert.
MAILFROM 0 CONTAINS viruschecker@
MAILFROM 0 CONTAINS virus-scanner@
MAILFROM 0 CONTAINS virusmanager@
MAILFROM 0 CONTAINS Virus-Monitor@
MAILFROM 0 CONTAINS virusscan@

Then I have a combo filter for the anti-av (called MP-ANTI-AV) and the Postmaster-mail, giving 10 more points.

TESTSFAILED 10 CONTAINS MP-ANTI-AV POSTMASTER-MAIL

Note, I'm lazy and have the postmaster-mail filter immediately after the mp-anti-av filter in my cfg file. This way I can avoid a couple of other Testfailed filters. If you move the postmaster-mail filter to a different location, you'll need to add testfailed to look for each individual filter and then combo testfailed on those.

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 05/06/04 09:10AM >>>
Help me out please. Why are we looking for the beginning of an IP address? Also my understanding of these filters is to eliminate sending emails to users that were not the original senders because of a forged virus. Is that correct??? If so wouldn't adding the Virus name to the declude forged tag solve that?? I am asking here so please do not assume I know much <G>...
>>bracketfl - returned messages should have the original headers so I'm looking for the
>>beginning of an IP address

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of System Administrator
Sent: Thursday, May 06, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] blocking auto reply messages

on 4/30/04 12:41 PM, Jeffrey Di Gregorio wrote:

> Does anyone have a suggestion on what to do about the growing number
> of auto reply messages being received by clients because of the
> current amount of forging viruses. I am getting daily complaints from
> clients who say they never sent anything to someone but are receiving
> multiple auto response messages (user unknown, mailbox full, virus
> warnings, etc.) I am at a loss on what to do about this.

I was having the same problem as you and I came up with these filters that seem to work for me.

UNKNOWNUSERF filter e:\imail\declude\unknownuserf.txt x 0 0
BRACKETFL filter e:\imail\declude\bracketfl.txt x 0 0
BRACKETFR filter e:\imail\declude\bracketfr.txt x 0 0
ACSMAILF filter e:\imail\declude\acsmailf.txt x 0 0
NEVERSENTF filter e:\imail\declude\neversentf.txt x 0 0

unknownuserf -

SKIPIFWEIGHT 50
BODY 0 CONTAINS unknown user
BODY 0 CONTAINS user unknown

bracketfl - returned messages should have the original headers so I'm looking for the beginning of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS [1
BODY 0 CONTAINS [2
BODY 0 CONTAINS [3
BODY 0 CONTAINS [4
BODY 0 CONTAINS [5
BODY 0 CONTAINS [6
BODY 0 CONTAINS [7
BODY 0 CONTAINS [8
BODY 0 CONTAINS [9

bracketfr - looking for the end of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS 0]
BODY 0 CONTAINS 1]
BODY 0 CONTAINS 2]
BODY 0 CONTAINS 3]
BODY 0 CONTAINS 4]
BODY 0 CONTAINS 5]
BODY 0 CONTAINS 6]
BODY 0 CONTAINS 7]
BODY 0 CONTAINS 8]
BODY 0 CONTAINS 9]

acsmailf - contains the IP and name of my outgoing mail server (obviously substitute yours), if the message contains one of these values it is possible the message did originate here.

SKIPIFWEIGHT 50
BODY 0 CONTAINS 12.4.184.4
BODY 0 CONTAINS mail.acsworld.com

neversentf - if the message was about an "unknown user" and had header records, but they were not from my mail server, then it didn't come from my mail server so we add 40 to the weight. We delete on 40 weight.

SKIPIFWEIGHT 50
TESTSFAILED END CONTAINS acsmailf
TESTSFAILED 40 CONTAINS unknownuserf bracketfl bracketfr

If anyone is interested, our newest nigerian filter is available for download at http://www.acsworld.net/declude/nigerianf.zip . It's a work in progress but it seems to catch some scam messages everyday.

Later,
Greg

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
