RE: [Declude.JunkMail] Help in creating a Filter
Scott, I agree, unfortunately I do not have that information at present, I have requested this information from the engineers and will post it a soon as this is available. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 5:30 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I don't have the order... But I believe filters are done last after External comments. If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 3:44 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Re: [Declude.JunkMail] Help in creating a Filter
Thanks David. It's good to have you monitoring the list. - Original Message - From: David Barker [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, September 19, 2005 10:26 AM Subject: RE: [Declude.JunkMail] Help in creating a Filter Scott, I agree, unfortunately I do not have that information at present, I have requested this information from the engineers and will post it a soon as this is available. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 5:30 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I don't have the order... But I believe filters are done last after External comments. If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 3:44 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail
RE: [Declude.JunkMail] Help in creating a Filter
Erik, I have also asked the engineers to look into this for us, ie. A directive to force tests to run in a specific order. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sent: Saturday, September 17, 2005 5:34 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Help in creating a Filter It would be nice if there was a directive that forced the tests to run as they are in the order of which the appear in the CONFIG file. I know this may/would be a performance decrease but it would give end users control of external tests. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Saturday, September 17, 2005 3:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Erik wrote: If Declude could confirm the order of how/which tests are run, it would be nice to know. I agree. The archives may help but as I recall Scott [former of Declude] was nebulous in what the order is. The only thing for sure was filters ran last in the order listed in global.cfg listing - generally :) Running in debug mode does confirm this. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Help in creating a Filter
Wow, that would be great! :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, September 19, 2005 9:38 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Help in creating a Filter Erik, I have also asked the engineers to look into this for us, ie. A directive to force tests to run in a specific order. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sent: Saturday, September 17, 2005 5:34 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Help in creating a Filter It would be nice if there was a directive that forced the tests to run as they are in the order of which the appear in the CONFIG file. I know this may/would be a performance decrease but it would give end users control of external tests. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Saturday, September 17, 2005 3:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Erik wrote: If Declude could confirm the order of how/which tests are run, it would be nice to know. I agree. The archives may help but as I recall Scott [former of Declude] was nebulous in what the order is. The only thing for sure was filters ran last in the order listed in global.cfg listing - generally :) Running in debug mode does confirm this. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Help in creating a Filter
Title: Message Thanks Matt. The variable %COUNTRIES% does not pass to a parm line; nor does %COUNTRY%. But, I've noticed in our config file, we do not have a country test; but I thought this was internal to Declude? Is this what I need to add to my config? At one point we did have this in our config as we still have the ALL_LIST.DAT file. http://support.declude.com/Customer/KBArticle.aspx?articleid=6KBSearchID=1012 I want to be able to detect multiple countries and pass that to our external program. But as Scott mentioned, externals are ran before filters. Erik -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Saturday, September 17, 2005 4:10 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Help in creating a FilterErik,Flexibility is a nice thing, but this isn't really practical to do for Declude without a major, major rewrite.The better approach would be to actually introduce the ability to use operators and variables in custom filters so that the exact order didn't matter. That would also be a rather involved new feature, but it would seem more practical and would have a greater overall utility. I'm sure if time wasn't an issue and there weren't more pressing things, they would have leaped to provide this a long time ago.As far as your specific need, some of this could be written in _vbscript_ as an external test in Declude. Note that %COUNTRIES% is definitely preferable to %COUNTRYCHAIN% as the data used for %COUNTRIES% is updated more often if I am not mistaken. The two letter country codes in standardized format are also preferable for filtering. You can then combo a single test with the others and probably have no concern about the order of tests that you can't easily overcome.MattErik wrote: It would be nice if there was a directive that forced the tests to run as they are in the order of which the appear in the CONFIG file. I know this may/would be a performance decrease but it would give end users control of external tests. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Saturday, September 17, 2005 3:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Erik wrote: If Declude could confirm the order of how/which tests are run, it would be nice to know. I agree. The archives may help but as I recall Scott [former of Declude] was nebulous in what the order is. The only thing for sure was filters ran last in the order listed in global.cfg listing - generally :) Running in debug mode does confirm this. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help in creating a Filter
Title: Message Erik, The all_list.dat file is required for testing COUNTRIES in a filter file. If you have determined that %COUNTRIES% is not passed to external tests and you have an all_list.dat, that would indicate that Declude doesn't populate that value or expose it to external tests. Not all such variables are available when external tests run, and I am not aware of a list of what is and isn't, but I know that things like %REVDNS%, %REMOTEIP%, %HELO%, %MAILFROM% and %WEIGHT% are. In the case of %WEIGHT% this is something that was enabled after it was asked for, and I would imagine that the %COUNTRIES% variable could also be populated before running external tests. As far as test order goes, I would too like to run external tests sometimes after custom filters, but I also desire to run them before as well, so if Declude does allow for changing the order, maybe they could just simply add an after-filter external program call so you could have them both. It would seem that almost all of the utility in running tests in a customized order would be to have some external tests run after custom filters, and instead of allowing us to rearrange things, it would make sense to just allow us to run external tests before and after custom filters and call it a day. The utility that I see in running tests after everything else would be to create specific external tests that could handle messages in different ways. One way for instance would be to run a test last and if the message was good and looked like personal E-mail, the external test could log the IP and Mail From somewhere and you could use that information for crediting weight on future messages from the same person. You could do the same thing with bad E-mail and build a blacklist. I personally would definitely make use of that functionality, but I wouldn't want to run all external tests last since some of them are deeply important for adding on points and most spam reaches my delete weight before custom filters are run and that saves on processing power when using SKIPIFWEIGHT or STOPALLTESTS. Matt Erik wrote: Thanks Matt. The variable %COUNTRIES% does not pass to a parm line; nor does %COUNTRY%. But, I've noticed in our config file, we do not have a country test; but I thought this was internal to Declude? Is this what I need to add to my config? At one point we did have this in our config as we still have the ALL_LIST.DAT file. http://support.declude.com/Customer/KBArticle.aspx?articleid=6KBSearchID=1012 I want to be able to detect multiple countries and pass that to our external program. But as Scott mentioned, externals are ran before filters. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Saturday, September 17, 2005 4:10 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Erik, Flexibility is a nice thing, but this isn't really practical to do for Declude without a major, major rewrite. The better approach would be to actually introduce the ability to use operators and variables in custom filters so that the exact order didn't matter. That would also be a rather involved new feature, but it would seem more practical and would have a greater overall utility. I'm sure if time wasn't an issue and there weren't more pressing things, they would have leaped to provide this a long time ago. As far as your specific need, some of this could be written in _vbscript_ as an external test in Declude. Note that %COUNTRIES% is definitely preferable to %COUNTRYCHAIN% as the data used for %COUNTRIES% is updated more often if I am not mistaken. The two letter country codes in standardized format are also preferable for filtering. You can then combo a single test with the others and probably have no concern about the order of tests that you can't easily overcome. Matt Erik wrote: It would be nice if there was a directive that forced the tests to run as they are in the order of which the appear in the CONFIG file. I know this may/would be a performance decrease but it would give end users control of external tests. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Saturday, September 17, 2005 3:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Erik wrote: If Declude could confirm the order of how/which tests are run, it would be nice to know. I agree. The archives may help but as I recall Scott [former of Declude] was nebulous in what the order is. The only thing for sure was filters ran last in the order listed in global.cfg listing - generally :) Running in debug mode does confirm this. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail
RE: [Declude.JunkMail] Help in creating a Filter
From our testing of our new external program, you are right. The external program is being called before our combo filter is being triggered. And the %COUNTRYCHAIN% variable is blank. So this variable is probably being created after Declude is done processing all tests. Now, using %COUNTRY% or %COUNTRIES% returns [UNKNOWN VAR]. It would be nice if an external can be called AFTER all other tests; ordering by how it is in the config file. There is nothing in the manual about %COUNTRYCHAIN% or COUNTRY or COUNTRIES. The only mention of this is in the release notes posted; which was added in version 1.62 in November 2002. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 3:30 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I don't have the order... But I believe filters are done last after External comments. If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 3:44 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Re: [Declude.JunkMail] Help in creating a Filter
I believe the order is: IP4R RHSBL, Declude Internal, spamdomains, Extermal, Fromfile, IPFile, Filter Within the filters type the filters are run in the order listed in the global.cfg - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, September 17, 2005 2:05 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter From our testing of our new external program, you are right. The external program is being called before our combo filter is being triggered. And the %COUNTRYCHAIN% variable is blank. So this variable is probably being created after Declude is done processing all tests. Now, using %COUNTRY% or %COUNTRIES% returns [UNKNOWN VAR]. It would be nice if an external can be called AFTER all other tests; ordering by how it is in the config file. There is nothing in the manual about %COUNTRYCHAIN% or COUNTRY or COUNTRIES. The only mention of this is in the release notes posted; which was added in version 1.62 in November 2002. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 3:30 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I don't have the order... But I believe filters are done last after External comments. If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 3:44 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail
RE: [Declude.JunkMail] Help in creating a Filter
If Declude could confirm the order of how/which tests are run, it would be nice to know. As far as reading our combo filter of failed tests (%TESTSFAILED%), we can read/code that from our combo filter file (same file that declude is reading) and do our own tests failed combo (since Declude isn't doing this at the point our external program is called; as per our order in the Config file). But, we still need to know the country chain; of which is not passed to our external program... %COUNTRYCHAIN% passes a NULL value. Without knowing the country chain, this program will not work. Upon looking at our CONFIG file for Declude, we do not use any COUNTRY or COUNTRIES test (in the past I believe we did). Do you know if this needs to be in the default config file or is it internal to Declude? Thanks Scott for the thread. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Saturday, September 17, 2005 2:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I believe the order is: IP4R RHSBL, Declude Internal, spamdomains, Extermal, Fromfile, IPFile, Filter Within the filters type the filters are run in the order listed in the global.cfg - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, September 17, 2005 2:05 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter From our testing of our new external program, you are right. The external program is being called before our combo filter is being triggered. And the %COUNTRYCHAIN% variable is blank. So this variable is probably being created after Declude is done processing all tests. Now, using %COUNTRY% or %COUNTRIES% returns [UNKNOWN VAR]. It would be nice if an external can be called AFTER all other tests; ordering by how it is in the config file. There is nothing in the manual about %COUNTRYCHAIN% or COUNTRY or COUNTRIES. The only mention of this is in the release notes posted; which was added in version 1.62 in November 2002. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 3:30 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I don't have the order... But I believe filters are done last after External comments. If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 3:44 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe
Re: [Declude.JunkMail] Help in creating a Filter
Erik wrote: If Declude could confirm the order of how/which tests are run, it would be nice to know. I agree. The archives may help but as I recall Scott [former of Declude] was nebulous in what the order is. The only thing for sure was filters ran last in the order listed in global.cfg listing - generally :) Running in debug mode does confirm this. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Help in creating a Filter
It would be nice if there was a directive that forced the tests to run as they are in the order of which the appear in the CONFIG file. I know this may/would be a performance decrease but it would give end users control of external tests. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Saturday, September 17, 2005 3:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Erik wrote: If Declude could confirm the order of how/which tests are run, it would be nice to know. I agree. The archives may help but as I recall Scott [former of Declude] was nebulous in what the order is. The only thing for sure was filters ran last in the order listed in global.cfg listing - generally :) Running in debug mode does confirm this. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help in creating a Filter
Erik, Flexibility is a nice thing, but this isn't really practical to do for Declude without a major, major rewrite. The better approach would be to actually introduce the ability to use operators and variables in custom filters so that the exact order didn't matter. That would also be a rather involved new feature, but it would seem more practical and would have a greater overall utility. I'm sure if time wasn't an issue and there weren't more pressing things, they would have leaped to provide this a long time ago. As far as your specific need, some of this could be written in _vbscript_ as an external test in Declude. Note that %COUNTRIES% is definitely preferable to %COUNTRYCHAIN% as the data used for %COUNTRIES% is updated more often if I am not mistaken. The two letter country codes in standardized format are also preferable for filtering. You can then combo a single test with the others and probably have no concern about the order of tests that you can't easily overcome. Matt Erik wrote: It would be nice if there was a directive that forced the tests to run as they are in the order of which the appear in the CONFIG file. I know this may/would be a performance decrease but it would give end users control of external tests. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Saturday, September 17, 2005 3:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Erik wrote: If Declude could confirm the order of how/which tests are run, it would be nice to know. I agree. The archives may help but as I recall Scott [former of Declude] was nebulous in what the order is. The only thing for sure was filters ran last in the order listed in global.cfg listing - generally :) Running in debug mode does confirm this. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help in creating a Filter
One more comment. The country processing won't occur unless you have the all_list.dat file in the declude folder. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, September 17, 2005 3:42 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter If Declude could confirm the order of how/which tests are run, it would be nice to know. As far as reading our combo filter of failed tests (%TESTSFAILED%), we can read/code that from our combo filter file (same file that declude is reading) and do our own tests failed combo (since Declude isn't doing this at the point our external program is called; as per our order in the Config file). But, we still need to know the country chain; of which is not passed to our external program... %COUNTRYCHAIN% passes a NULL value. Without knowing the country chain, this program will not work. Upon looking at our CONFIG file for Declude, we do not use any COUNTRY or COUNTRIES test (in the past I believe we did). Do you know if this needs to be in the default config file or is it internal to Declude? Thanks Scott for the thread. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Saturday, September 17, 2005 2:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I believe the order is: IP4R RHSBL, Declude Internal, spamdomains, Extermal, Fromfile, IPFile, Filter Within the filters type the filters are run in the order listed in the global.cfg - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, September 17, 2005 2:05 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter From our testing of our new external program, you are right. The external program is being called before our combo filter is being triggered. And the %COUNTRYCHAIN% variable is blank. So this variable is probably being created after Declude is done processing all tests. Now, using %COUNTRY% or %COUNTRIES% returns [UNKNOWN VAR]. It would be nice if an external can be called AFTER all other tests; ordering by how it is in the config file. There is nothing in the manual about %COUNTRYCHAIN% or COUNTRY or COUNTRIES. The only mention of this is in the release notes posted; which was added in version 1.62 in November 2002. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 3:30 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I don't have the order... But I believe filters are done last after External comments. If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 3:44 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas
RE: [Declude.JunkMail] Help in creating a Filter
That we do have. ;-) But it appears the %COUNTRYCHAIN% doesn't register with Declude until all other tests have been run (filters and external calls). Declude does not pass this to a command line. We've re-coded our external program to read the combo filter; since declude doesn't read it before hand (per our ordering of tests in the config file). But the problem remains of determining of how the email was received based on bounces from countries. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Saturday, September 17, 2005 10:08 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter One more comment. The country processing won't occur unless you have the all_list.dat file in the declude folder. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, September 17, 2005 3:42 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter If Declude could confirm the order of how/which tests are run, it would be nice to know. As far as reading our combo filter of failed tests (%TESTSFAILED%), we can read/code that from our combo filter file (same file that declude is reading) and do our own tests failed combo (since Declude isn't doing this at the point our external program is called; as per our order in the Config file). But, we still need to know the country chain; of which is not passed to our external program... %COUNTRYCHAIN% passes a NULL value. Without knowing the country chain, this program will not work. Upon looking at our CONFIG file for Declude, we do not use any COUNTRY or COUNTRIES test (in the past I believe we did). Do you know if this needs to be in the default config file or is it internal to Declude? Thanks Scott for the thread. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Saturday, September 17, 2005 2:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I believe the order is: IP4R RHSBL, Declude Internal, spamdomains, Extermal, Fromfile, IPFile, Filter Within the filters type the filters are run in the order listed in the global.cfg - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, September 17, 2005 2:05 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter From our testing of our new external program, you are right. The external program is being called before our combo filter is being triggered. And the %COUNTRYCHAIN% variable is blank. So this variable is probably being created after Declude is done processing all tests. Now, using %COUNTRY% or %COUNTRIES% returns [UNKNOWN VAR]. It would be nice if an external can be called AFTER all other tests; ordering by how it is in the config file. There is nothing in the manual about %COUNTRYCHAIN% or COUNTRY or COUNTRIES. The only mention of this is in the release notes posted; which was added in version 1.62 in November 2002. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 3:30 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I don't have the order... But I believe filters are done last after External comments. If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 3:44 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's
Re: [Declude.JunkMail] Help in creating a Filter
I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Help in creating a Filter
Can the %COUNTRYCHAIN% variable be used instead of %COUNTRIES%? Right about be careful... But the MN-COMBO is a mix of 3 to 5 TESTSFAILED combos already. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 12:57 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help in creating a Filter
I don't believe so. I think you have COUNTRY and COUNTRIES. COUNTRY is the last counry in the country chain. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 2:07 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter Can the %COUNTRYCHAIN% variable be used instead of %COUNTRIES%? Right about be careful... But the MN-COMBO is a mix of 3 to 5 TESTSFAILED combos already. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, September 16, 2005 12:57 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help in creating a Filter
Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Help in creating a Filter
We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help in creating a Filter
Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. It should be - at this point any variable I have messed with has been passable to an external test. Darrell --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help in creating a Filter
I don't have the order... But I believe filters are done last after External comments. If David's monitoring the list, I think a list of what order the tests run in would be a great addition to the Junkmail manual. - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 3:44 PM Subject: RE: [Declude.JunkMail] Help in creating a Filter We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months. Most are failing INV-URIBL and SNIFFER; but some only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE. We've noticed that all the emails that we've monitored with the MN-COMBO that are spam; have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA. Does anyone know (Darrell); if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested. TIA, Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 16, 2005 2:31 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Help in creating a Filter Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in oversea's countries. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Scott Fisher writes: I think this would do it in two filters: filter 1: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO COUNTRIES 100 NOTCONTAINS US filter 2: SKIPIFWEIGHT 100 TESTSFAILED END NOTCONTAINS MN-COMBO TESTSFAILED END CONTAINS filter1 COUNTRIES END STARTSWITH US COUNTRIES 100 CONTAINS US I'd be careful. Lots of US subsidaries are owned by a foreign company and have their mail server overseas. Also watch out for these special country codes: (which can belong to valid servers): # # Special Codes # *1 Multi-Regional *2 Europe *3 North America *4 Central/South America *5 Pacific Rim *A ARIN Unlisted (North America/South Africa) *B Public Data Network *E RIPE Unlisted (Europe, North Africa, Middle East) *I Private IP *L Loopback *M Multicast *P APNIC Unlisted (Asia Pacific) *R IANA Reserved *U Unknown - Original Message - From: Erik [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, September 16, 2005 12:45 PM Subject: [Declude.JunkMail] Help in creating a Filter Could someone help me in creating a filter? I need something to this effect. Can this be done in one filter? If WEIGHT = 100 or Higher then END If TESTFAILED CONTAINS MN-COMBO Then If CountryChain NOTCONTAINS UNITED STATES Then Then DELETE (triggers the filter - return 100 as weight) End If If CountryChain CONTAINS UNITED STATES-destination Then 'Email is probably good (return zero) Else DELETE (triggers the filter - return 100 as weight) End If End If Thanks! Erik --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
