RE: [Declude.JunkMail] Help in creating a Filter
From our testing of our new external program, you are right. The external program is being called before our combo filter is being triggered. And the %COUNTRYCHAIN% variable is blank. So this variable is probably being created after Declude is done processing all tests. Now, using %COUNTRY% or %COUNTRIES% returns [UNKNOWN VAR].

It would be nice if an external can be called AFTER all other tests; ordering by how it is in the config file.

There is nothing in the manual about %COUNTRYCHAIN% or COUNTRY or COUNTRIES. The only mention of this is in the release notes posted; which was added in version 1.62 in November 2002.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Friday, September 16, 2005 3:30 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Help in creating a Filter

I don't have the order... But I believe filters are done last after External comments.

If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual.

- Original Message -
From: Erik [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, September 16, 2005 3:44 PM
Subject: RE: [Declude.JunkMail] Help in creating a Filter

We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE.

We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA.

Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested.

TIA,
Erik

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, September 16, 2005 2:31 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Help in creating a Filter

Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in overseas countries.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Scott Fisher writes:

I think this would do it in two filters:

filter 1:
SKIPIFWEIGHT 100
TESTSFAILED END NOTCONTAINS MN-COMBO
COUNTRIES 100 NOTCONTAINS US

filter 2:
SKIPIFWEIGHT 100
TESTSFAILED END NOTCONTAINS MN-COMBO
TESTSFAILED END CONTAINS filter1
COUNTRIES END STARTSWITH US
COUNTRIES 100 CONTAINS US

I'd be careful. Lots of US subsidiaries are owned by a foreign company and have their mail server overseas.

Also watch out for these special country codes: (which can belong to valid servers):

#
# Special Codes
#
*1 Multi-Regional
*2 Europe
*3 North America
*4 Central/South America
*5 Pacific Rim
*A ARIN Unlisted (North America/South Africa)
*B Public Data Network
*E RIPE Unlisted (Europe, North Africa, Middle East)
*I Private IP
*L Loopback
*M Multicast
*P APNIC Unlisted (Asia Pacific)
*R IANA Reserved
*U Unknown

- Original Message -
From: Erik [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, September 16, 2005 12:45 PM
Subject: [Declude.JunkMail] Help in creating a Filter

Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter?

If WEIGHT = 100 or Higher then END
If TESTFAILED CONTAINS MN-COMBO Then
    If CountryChain NOTCONTAINS UNITED STATES Then
        DELETE (triggers the filter - return 100 as weight)
    End If
    If CountryChain CONTAINS UNITED STATES-destination Then
        'Email is probably good (return zero)
    Else
        DELETE (triggers the filter - return 100 as weight)
    End If
End If

Thanks!
Erik

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help in creating a Filter
I believe the order is: IP4R RHSBL, Declude Internal, spamdomains, External, Fromfile, IPFile, Filter

Within the filters type the filters are run in the order listed in the global.cfg
RE: [Declude.JunkMail] Help in creating a Filter
If Declude could confirm the order of how/which tests are run, it would be nice to know.

As far as reading our combo filter of failed tests (%TESTSFAILED%), we can read/code that from our combo filter file (same file that declude is reading) and do our own tests failed combo (since Declude isn't doing this at the point our external program is called; as per our order in the Config file).

But, we still need to know the country chain; of which is not passed to our external program... %COUNTRYCHAIN% passes a NULL value. Without knowing the country chain, this program will not work.

Upon looking at our CONFIG file for Declude, we do not use any COUNTRY or COUNTRIES test (in the past I believe we did). Do you know if this needs to be in the default config file or is it internal to Declude?

Thanks Scott for the thread.

Erik
Re: [Declude.JunkMail] Help in creating a Filter
Erik wrote:

> If Declude could confirm the order of how/which tests are run, it would be nice to know.

I agree. The archives may help but as I recall Scott [former of Declude] was nebulous in what the order is. The only thing for sure was filters ran last in the order listed in global.cfg listing - generally :)

Running in debug mode does confirm this.

-Nick
RE: [Declude.JunkMail] Help in creating a Filter
It would be nice if there was a directive that forced the tests to run as they are in the order of which they appear in the CONFIG file. I know this may/would be a performance decrease but it would give end users control of external tests.

Erik
RE: [Declude.JunkMail] Beta 3.0.4
Hi, John.

Just curious... What method did you use to determine that those 4 messages were causing the 'decludeproc.exe' service to unexpectedly stop? I would like to be able to send Declude the messages in our 'proc' folder that are causing the same problem here.

Regards,
Kim

-- Original Message --
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

The problem appears to be caused/centered/triggered/co-incidental to 4 spam messages. Also, a large Dr Watson log file and dmp were created when this happened.

After isolating these messages, stopping the Imail SMTP, QueueManager services, disabling and stopping the decludeproc service, clearing both the proc and proc\work directories of everything, then reenabling the decludeproc service and restarting the SMTP and QueueManager services, the server is running as expected.

--
Kim W. Premuda
FastWave Internet Services
San Diego, CA
Re: [Declude.JunkMail] Help in creating a Filter
Erik,

Flexibility is a nice thing, but this isn't really practical to do for Declude without a major, major rewrite. The better approach would be to actually introduce the ability to use operators and variables in custom filters so that the exact order didn't matter. That would also be a rather involved new feature, but it would seem more practical and would have a greater overall utility. I'm sure if time wasn't an issue and there weren't more pressing things, they would have leaped to provide this a long time ago.

As far as your specific need, some of this could be written in VBScript as an external test in Declude. Note that %COUNTRIES% is definitely preferable to %COUNTRYCHAIN% as the data used for %COUNTRIES% is updated more often if I am not mistaken. The two letter country codes in standardized format are also preferable for filtering. You can then combo a single test with the others and probably have no concern about the order of tests that you can't easily overcome.

Matt
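The decision expressed by the two filters Scott Fisher posted earlier in the thread, combined into one function, as an added example that is not part of any message here and is not Declude code. It assumes the country data arrives as an already-split list of codes in the order STARTSWITH would see them (the thread does not show how %COUNTRIES% is formatted); treating the special codes and blank data as neutral is a choice made for this example.

```python
"""Country-hop check modelled on the two filters posted in the thread.

Added example, not Declude code. The list-of-codes input format is an
assumption; the thread does not show the layout of %COUNTRIES%.
"""

# Special codes from the list quoted in the thread. They can belong to valid
# servers, so the neutral mode below leaves them out of the decision.
SPECIAL_CODES = frozenset("*1 *2 *3 *4 *5 *A *B *E *I *L *M *P *R *U".split())

HOME = "US"
COMBO_TEST = "MN-COMBO"
SKIP_WEIGHT = 100   # SKIPIFWEIGHT 100
FIRE_WEIGHT = 100   # weight returned when a filter line fires


def normalise(countries, drop_special):
    """Upper-case the codes, drop blanks and, optionally, special codes."""
    hops = [c.strip().upper() for c in countries if c and c.strip()]
    if drop_special:
        hops = [c for c in hops if c not in SPECIAL_CODES]
    return hops


def country_hop_weight(weight, tests_failed, countries, drop_special=True):
    """Return (weight_to_add, reason) for one message."""
    if weight >= SKIP_WEIGHT:
        return 0, "skip: weight already at threshold"
    if COMBO_TEST not in tests_failed:
        return 0, "skip: MN-COMBO did not fail"

    hops = normalise(countries, drop_special)
    if drop_special and not hops:
        # Blank country data (as reported for %COUNTRYCHAIN%) proves nothing.
        return 0, "skip: no usable country data"

    if HOME not in hops:            # filter 1: COUNTRIES 100 NOTCONTAINS US
        return FIRE_WEIGHT, "no US hop"
    if hops[0] == HOME:             # filter 2: COUNTRIES END STARTSWITH US
        return 0, "chain starts in US"
    # filter 2: COUNTRIES 100 CONTAINS US
    return FIRE_WEIGHT, "US hop, but chain starts elsewhere"


# Constructed sample chains, not taken from real mail.
SAMPLES = {
    "foreign only": ["CN", "BR"],
    "all US": ["US", "US"],
    "foreign then US": ["KR", "US"],
    # Not flagged in either mode: END STARTSWITH US stops filter 2.
    "US, abroad, back to US": ["US", "CN", "US"],
    "private IP then US": ["*I", "US"],
    "unknown only": ["*U"],
    "blank": [],
}


def compare(samples=SAMPLES):
    """Weight per sample as (codes taken literally, special codes neutral)."""
    failed = [COMBO_TEST, "SNIFFER"]
    return {
        name: (
            country_hop_weight(40, failed, chain, drop_special=False)[0],
            country_hop_weight(40, failed, chain, drop_special=True)[0],
        )
        for name, chain in samples.items()
    }


if __name__ == "__main__":
    for name, (literal, neutral) in compare().items():
        print(f"{name:26} literal={literal:3} neutral={neutral:3}")
```

The samples where the two modes differ (a private-IP first hop, unknown-only data, blank data) are the cases the special-codes caution in the thread is about.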
RE: [Declude.JunkMail] Beta 3.0.4
Stopped Imail SMTP and QueueManager services.
Removed all files in the proc folder to a temp folder.
Restarted the DecludeProc service.
Moved 1 set of files in at a time and watched what happened.
All good ones were processed. The problem ones just sat there.

John T
eServices For You
Re: [Declude.JunkMail] Help in creating a Filter
One more comment.

The country processing won't occur unless you have the all_list.dat file in the declude folder.
RE: [Declude.JunkMail] Help in creating a Filter
That we do have. ;-)

But it appears the %COUNTRYCHAIN% doesn't register with Declude until all other tests have been run (filters and external calls). Declude does not pass this to a command line.

We've re-coded our external program to read the combo filter; since declude doesn't read it before hand (per our ordering of tests in the config file). But the problem remains of determining of how the email was received based on bounces from countries.