RE: [Declude.JunkMail] Custom Filter Diagnosis Help
It can be a good idea to take into account the IPNOTINMX and NOLEGITCONTENT which can bring down the weight under the threshold because this is a total of -8 I set the SKIPIFWEIGHT 8 points higher. Eg. I mark on WEIGHT15 SUBJECT so I use SKIPIFWEIGHT 23 David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, May 13, 2005 12:11 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Custom Filter Diagnosis Help Kim, Keep in mind "SKIPIFWEIGHT" is a very good thing as it saves resources by not processing the filter file if the weight is at or above the line. I would leave it, but just set it at a weight where you know the message is SPAM and do not want to expend the resources on the filter file. Darrell --- DLAnalyzer - FREE reporting for Declude Junkmail and Virus - http://www.invariantsystems.com Kim Premuda writes: >>Are you using anything like "SKIPIFWEIGHT" options in the filter or "ENDS" >>clauses. > > > Yes, this particular custom filter has the following two lines at the beginning of the filter definition: > > TESTSFAILED END CONTAINS BYPASS > > SKIPIFWEIGHT 16 > > BYPASS never shows up in the line of filter tests, so SKIPIFWEIGHT may be the culprit. I'll comment out the SKIPIFWEIGHT line and see what happens (most likely, my misunderstanding of how SKIPIFWEIGHT works). > > Thanks for the help! > > > -- > Kim W. Premuda > FastWave Internet Services > San Diego, CA > > -- > --- > [This E-mail scanned for viruses by Declude Virus] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. __ NOD32 1.1094 (20050512) Information __ This message was checked by NOD32 antivirus system. http://www.nod32.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
Kim, Keep in mind "SKIPIFWEIGHT" is a very good thing as it saves resources by not processing the filter file if the weight is at or above the line. I would leave it, but just set it at a weight where you know the message is SPAM and do not want to expend the resources on the filter file. Darrell --- DLAnalyzer - FREE reporting for Declude Junkmail and Virus - http://www.invariantsystems.com Kim Premuda writes: Are you using anything like "SKIPIFWEIGHT" options in the filter or "ENDS" clauses. Yes, this particular custom filter has the following two lines at the beginning of the filter definition: TESTSFAILED END CONTAINS BYPASS SKIPIFWEIGHT 16 BYPASS never shows up in the line of filter tests, so SKIPIFWEIGHT may be the culprit. I'll comment out the SKIPIFWEIGHT line and see what happens (most likely, my misunderstanding of how SKIPIFWEIGHT works). Thanks for the help! -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
>Are you using anything like "SKIPIFWEIGHT" options in the filter or "ENDS" >clauses. Yes, this particular custom filter has the following two lines at the beginning of the filter definition: TESTSFAILED END CONTAINS BYPASS SKIPIFWEIGHT 16 BYPASS never shows up in the line of filter tests, so SKIPIFWEIGHT may be the culprit. I'll comment out the SKIPIFWEIGHT line and see what happens (most likely, my misunderstanding of how SKIPIFWEIGHT works). Thanks for the help! -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
Are you using anything like "SKIPIFWEIGHT" options in the filter or "ENDS" clauses. Darrell Kim Premuda writes: Also, one thing that can affect the filter files that I have seen in the past is spammers will put fake html tags in the middle of the URI to get it past filters Example: americaspharm.com - the email client will normally interpret this correctly and display americaspharm.com (i.e. not rendering the fake tag). My original post that contained the offending message was in plain-text format showing no embedded HTML tags in the domain name. I did save the 'D*.SMD' file...here is how the URL shows in plain-text: http://americaspharma.com/ I suspect that the test is not being run at all, and that something (another test, perhaps?) is preventing this...but, I have no idea what to look for. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
>Also, one thing that can affect the filter files that I have seen in the >past is spammers will put fake html tags in the middle of the URI to get it >past filters > >Example: americaspharm.com - the email client will normally >interpret this correctly and display americaspharm.com (i.e. not rendering >the fake tag). My original post that contained the offending message was in plain-text format showing no embedded HTML tags in the domain name. I did save the 'D*.SMD' file...here is how the URL shows in plain-text: http://americaspharma.com/ I suspect that the test is not being run at all, and that something (another test, perhaps?) is preventing this...but, I have no idea what to look for. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
Kim, Also, one thing that can affect the filter files that I have seen in the past is spammers will put fake html tags in the middle of the URI to get it past filters Example: americaspharm.com - the email client will normally interpret this correctly and display americaspharm.com (i.e. not rendering the fake tag). If you still have the original d*.smd file this may shed some light... Darrell --- DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. Try it today - http://www.invariantsystems.com - Original Message - From: "Kim Premuda" <[EMAIL PROTECTED]> To: Sent: Wednesday, May 11, 2005 5:34 PM Subject: Re: [Declude.JunkMail] Custom Filter Diagnosis Help > >Couple of gotha's we usually see > >[1] Make sure there are no hidden or extra spaces after the name. > >[2} If it is the last item in the filter do an extra "return" so that your > >line is not the last line in the filter. > > > >Darrell > Hi, Darrel. > > Thanks for responding! > > There is no space character after 'americaspharma.com', and it is not the last item in the filter (there are over 100 lines after this one). > > Also, I should have mentioned that we are using JM 1.82. > > Another point of interest... > > When I sent my original message to the list, it was trapped by JM on the filter line containing 'americaspharma.com'. > > Kim > > --- > [This E-mail scanned for viruses by Declude Virus] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
>Couple of gotha's we usually see >[1] Make sure there are no hidden or extra spaces after the name. >[2} If it is the last item in the filter do an extra "return" so that your >line is not the last line in the filter. > >Darrell Hi, Darrel. Thanks for responding! There is no space character after 'americaspharma.com', and it is not the last item in the filter (there are over 100 lines after this one). Also, I should have mentioned that we are using JM 1.82. Another point of interest... When I sent my original message to the list, it was trapped by JM on the filter line containing 'americaspharma.com'. Kim --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
Kim, Couple of gotha's we usually see [1] Make sure there are no hidden or extra spaces after the name. [2} If it is the last item in the filter do an extra "return" so that your line is not the last line in the filter. Darrell -- invURIBL - Intelligent URI Filtering Plug-In For Declude. Stops 85%+ of SPAM with the default configuration. Try it out - http://www.invariantsystems.com Kim Premuda writes: I created a custom filter to help trap drug related spam called DRUGS-MEDICATIONS.TXT. This filter contains the following line: BODY 12 CONTAINS americaspharma.com Yet, spam containing 'americaspharma.com' does not get flagged by Declude JunkMail (see sample message below). Note that DRUGS-MEDICATIONS does not show up in the 'X-Spam-Tests-Failed:' line of the message header, nor does it show in the Declude log for this message. The 'global.config' file contains the following entry: DRUGS-MEDICATIONS filter C:\IMail\Declude\Filters\Drugs-Medications.txt x 0 0 and the '$default$.junkmail' contains the following entry: DRUGS-MEDICATIONS WARN I looking for recommendations as how to find the cause of failure for this filter. Any suggestions would be appreciated. Thanks! Kim Premuda FastWave Internet Services San Diego, CA --- Declude log file content --- 05/11/2005 10:44:29 Q44790a54022a0e51 Tests failed [weight=12]: HELOBOGUS=WARN IPNOTINMX=IGNORE MAILFROM=WARN WEIGHT10=HOLD CATCHALLMAILS=IGNORE TLD-TRUSTED-REVDNS=WARN --- Q44790a54022a0e51.SMD file contents --- QC:\IMail\spool\D44790a54022a0e51.SMD Hns3.fastwave.net WC:\IMail E0, S<[EMAIL PROTECTED]> NRCPT To:<[EMAIL PROTECTED]> R<[EMAIL PROTECTED]> --- D44790a54022a0e51.SMD file contents --- Received: from un2 [64.214.203.155] by ns3.fastwave.net with ESMTP (SMTPD32-8.05) id A479A54022A; Wed, 11 May 2005 10:44:25 -0700 Received: from localhost.localdomain (un2 [127.0.0.1]) by un2 (8.12.11/8.12.11) with ESMTP id j4BHgdMu025798 for <[EMAIL PROTECTED]>; Wed, 11 May 2005 12:42:39 -0500 Received: (from [EMAIL PROTECTED]) by localhost.localdomain (8.12.11/8.12.11/Submit) id j4BHgcTc025797; Wed, 11 May 2005 12:42:38 -0500 Date: Wed, 11 May 2005 12:42:38 -0500 Message-Id: <[EMAIL PROTECTED]> From: "O&S" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Info MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-RBL-Warning: HELOBOGUS: Domain un2 has no MX or A records [0301]. X-RBL-Warning: MAILFROM: Domain localhost.localdomain has no MX or A records [0301]. X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test (line 37, weight 0) X-Declude-Sender: [EMAIL PROTECTED] [64.214.203.155] X-Declude-Spoolname: D44790a54022a0e51.SMD X-Note: X-Note: Scanned by Declude JunkMail, Version 1.82 X-Spam-Tests-Failed: HELOBOGUS [5], MAILFROM [12], WEIGHT10 [10], TLD-TRUSTED-REVDNS [0] TOTAL [12] X-Note: This E-mail was sent from host-64-214-203-155.optynex.com ([64.214.203.155]). X-Note: Get your rx without leaving home. We ship throughout the United States (except AZ,FL,MN,RI,PR & ND) http://americaspharma.com/ We ship FDA approved products only. Thanks. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.