Re: Multiple Responses re. Selective Download Filter Syntax
Joseph N. wrote: * To Ken: You've probably already fixed your situation, but the signal string I was using for selective downloads is the one I posted with my initial query. Maybe I am misreading the Help system, but I thought that Selective Download did not allow TB's 'special syntax' - so I don't understand the prefixes you are using in your list (MainSet:) How does: MainSet: microsoft MainSet: Internet MainSet: critical Differ from: microsoft Internet critical ?? It was only about 65% effective, so I have switched strategies. I am now filtering at the ISP level for all messages over a certain size. Since I only use this address for newsgroups and mailing lists, it should work fine; at least, it has been working so far today Has that method been consistent? I tried this too, and it has worked for the Swen.A messages so far. I set my threshold at 90K. But for some reason, it still allowed a 110K message through. ?? -- Ken Green Using The Bat! v1.62r on Windows 2000 5.0 Build 2195 Service Pack 4 Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Selective Download Filter Syntax
Quoting Thomas Fernandez [EMAIL PROTECTED]: [SNIP] By now I am of the opinion that the ISP should delete Swen server-side. They should have an interest in eradicating it, as it is costing them a lot of bandwidth and therefore money, it annoys the users, and enough users might click on them and spread it further. Two of my ISPs have now started using Interscan VirusWall (I am sure there are other products) and I merely get a message saying: Receiver, InterScan has detected virus(es) in the e-mail attachment. My POP3/smtp provider (not my ISP0 puts email through 3 virus checkers, and I get a similar message. As they are coming through at a rate of over 1 a minute it seems a good idea. But it's a paid option. The impact of this volume on ISPs must be huge. I imagine some are cracking under the strain. [NIP] Doug -- Doug Helen's Dogs: http://www.dougandhelen.com Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Selective Download Filter Syntax
ken green wrote: Also (to Joseph N.) - I am currently dealing with the same virus e-mails you are filtering for. Problem is, every time I think I got a domain and/or subject line variation in my spamkill text file, another variant shows up. A comprehensive list is available here, at least until another variant shows up: http://www.f-secure.com/v-descs/swen.shtml As discussed in the Agent newsgroup, a regular expression filter on these two strings catches 99% of these: Content-Type: multipart/(mixed|alternative); boundary\=([a-z][a-z]*) To catch the rest, you'll need to relax or tweak the boundary expression a bit, as some contain nonalpha characters. -- zParticle Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Selective Download Filter Syntax
zParticle wrote: As discussed in the Agent newsgroup, a regular expression filter on these two strings catches 99% of these: Content-Type: multipart/(mixed|alternative); boundary\=([a-z][a-z]*) Thank you very much for that reference. I need to brush up on regex. Just to be clear: are you talking about using those filters above with Selective Download or regular Incoming filters? AVG steps in before TB processes any Incoming filters. -- Ken Green TheBat! v1.62r, Win2000 SP4 Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Multiple Responses re. Selective Download Filter Syntax
Thanks to all those who replied to my query about selective download filter syntax. Ironically, I received none of the replies, because TBUDL blocked my mail due to excessive bounces from my ISP, which in turn was due to my mailbox constantly becoming full from Swen.A messages. I have now fixed that problem and am back in the flow. So here, a tad late, are a few responses: * To Roelof: Because of the single quotation marks But the TB! help file specifically says to use single quotation marks: ---Begin Text--- ... Pipe character | can be used when the signal string contains two alternatives. For example, string John|Jack means that the filter will search for John OR Jack in the specified location. If either is present, the search is successful. If neither are present, the search fails. ... Any text containing the special characters mentioned above must be enclosed in single quotes ---End Text--- * To Ken: You've probably already fixed your situation, but the signal string I was using for selective downloads is the one I posted with my initial query. It was only about 65% effective, so I have switched strategies. I am now filtering at the ISP level for all messages over a certain size. Since I only use this address for newsgroups and mailing lists, it should work fine; at least, it has been working so far today * To zParticle: Thanks for the helpful cross-ref to the Agent NG. -- JN Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Multiple Responses re. Selective Download Filter Syntax
Hallo Joseph, On Wed, 24 Sep 2003 14:01:54 -0500GMT (24-9-03, 21:01 +0200, where I live), you wrote: Because of the single quotation marks JN But the TB! help file specifically says to use single quotation marks: JN Pipe character | can be used when the signal string contains JN ... JN Any text containing the special characters mentioned above JN must be enclosed in single quotes Thus stating that if you're using single quotation marks, the pipe character will be taken literally and not as a separator between alternatives. -- Groetjes, Roelof Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Multiple Responses re. Selective Download Filter Syntax
On Wednesday, September 24, 2003, Roelof Otten wrote in mid:[EMAIL PROTECTED]: RO Thus stating that if you're using single quotation marks, the pipe RO character will be taken literally and not as a separator between RO alternatives. Roelof, (spoken softly, with slightly sunken head) Oh -- JN Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Selective Download Filter Syntax
Why does the first line of the signal string data below not work? It seems to be constructed according to the help file, but it is ineffective. The following single-word lines are effective, however. MainSet: 'Microsoft|Internet|Critical|Update|Network' MainSet: microsoft MainSet: Internet MainSet: critical MainSet: update MainSet: Inet MainSet: MS MainSet: patch -- JN Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Selective Download Filter Syntax
Hallo Joseph, On Tue, 23 Sep 2003 14:21:13 -0500GMT (23-9-03, 21:21 +0200, where I live), you wrote: JN Why does the first line of the signal string data below not work? JN MainSet: 'Microsoft|Internet|Critical|Update|Network' Because of the single quotation marks. -- Groetjes, Roelof Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Selective Download Filter Syntax
Roelof Otten wrote: JN Why does the first line of the signal string data below not work? JN MainSet: 'Microsoft|Internet|Critical|Update|Network' Because of the single quotation marks. I thought that Selective Download did not allow special syntax (this is the help file wording). I can use pipe characters in selective download?!?! Wow. Also (to Joseph N.) - I am currently dealing with the same virus e-mails you are filtering for. Problem is, every time I think I got a domain and/or subject line variation in my spamkill text file, another variant shows up. This would be simple if I could use a regular filter in Selective Download: these are all coming to only one of my accounts. A simple to not download a message with attachment would work in this case. But the AVG plug-in keeps me from using a regular filter for this. I realize that's a good thing - AVG is jumping in first and finding the virus. But it's getting annoying getting the virus warning message 5-6 times a day. Actually, as I've been updating my kill file, that number is growing smaller. I'm just looking for an easy way to do this with less work. Joseph, would mind sending me your filters/kill file that you're using for the MS Network Security Update messages? I can send you what I have if you want - maybe together we can get all variations. -- Ken Green TheBat! v1.62r, Win2000 SP4 Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Selective Download Filter Syntax
Hello ken, On Tue, 23 Sep 2003, at 17:42:16 [GMT -0500] (which was 23:42 in my TimeZone) you wrote: kg Roelof Otten wrote: JN Why does the first line of the signal string data below not work? JN MainSet: 'Microsoft|Internet|Critical|Update|Network' Because of the single quotation marks. kg I thought that Selective Download did not allow special syntax (this kg is the help file wording). I can use pipe characters in selective kg download?!?! Wow. You can use regular expressions. So | would be an or statement and ^ is line start etc -- Best regards, Michael http://www.thompsonmike.co.uk/ PGP KeyID := 0xA9547E32 Common sense is the collection of prejudices acquired by age eighteen. -- Albert Einstein pgp0.pgp Description: PGP signature Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Selective Download Filter Syntax
Wednesday, September 24, 2003, ken green wrote: Joseph, would mind sending me your filters/kill file that you're using for the MS Network Security Update messages? I can send you what I have if you want - maybe together we can get all variations. For some inspiration/ideas, you could do a deja [1] message posted to alt.usenet.offline-reader.forte-agent by Alex Regh on 23 Sep 2003. The subject is Filters to catch swen?? and the message-id [EMAIL PROTECTED] Footnotes: == [1] I keep forgetting the google-adress, so I use the older http://www.deja.com -- Urban Johann Bach wrote a great many musical compositions and had a large number of children. In between he practiced on an old spinster which he kept up in his attic. Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Selective Download Filter Syntax
Urban wrote: For some inspiration/ideas, you could do a deja [1] message posted to alt.usenet.offline-reader.forte-agent by Alex Regh on 23 Sep 2003. The subject is Filters to catch swen?? and the message-id [EMAIL PROTECTED] Thank you. I found it very quickly. By the way, to use the Google method of searching just click the 'Groups' tab in the Google toolbar. -- Ken Green TheBat! v1.62r, Win2000 SP4 Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Selective Download Filter Syntax
Hello ken, On Tue, 23 Sep 2003 17:42:16 -0500 GMT (24/09/2003, 05:42 +0700 GMT), ken green wrote: I'm just looking for an easy way to do this with less work. By now I am of the opinion that the ISP should delete Swen server-side. They should have an interest in eradicating it, as it is costing them a lot of bandwidth and therefore money, it annoys the users, and enough users might click on them and spread it further. Two of my ISPs have now started using Interscan VirusWall (I am sure there are other products) and I merely get a message saying: Receiver, InterScan has detected virus(es) in the e-mail attachment. Date: Tue, 23 Sep 2003 09:49:49 +0800 Method: Mail From: [EMAIL PROTECTED] To: Inet User [EMAIL PROTECTED] File: fvxry.exe Action: deleted Virus: WORM_SWEN.A I like that. I can also easily filter these messages into trash and mark them read, so I don't even know any more whether Swen is still coming in. -- Cheers, Thomas. Moderator der deutschen The Bat! Beginner Liste. Wednesday, the Ladies Liturgy Society will meet. Mrs. Jones will sing Put me in My Little Bed accompanied by the pastor. Message reply created with The Bat! 2.00.6 under Chinese Windows 98 4.10 Build A using a Pentium P4 1.7 GHz, 128MB RAM Current version is 2.00 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
