[Declude.JunkMail] Testsfailed
Hi; Is this a valid test? TESTSFAILEDWHITELISTCONTAINS[WHITELIST. I have this as a group combo-filter but it seems not to be working.. a lot of email is passing through as whitelisted failing this line. Regards, Kami
RE: [Declude.JunkMail] TESTSFAILED Detection
Hi; I think it would be a great feature to be able to uniquely identify a test by its name as well as with CONTAIN. If one can do this it would be very easy to categorically define tests and then create action tests based on combination of various tests. I have the following test as a final check before delivering email. If an email in this case has failed 4 categories of IP4R tests and yet is not deleted then it goes through this filter. === SKIPIFWEIGHT 40 MINWEIGHTTOFAIL 2 MAXWEIGHT 2 TESTSFAILED END CONTAINSWHITELIST- TESTSFAILED END NOTCONTAINS MULTIPLE-COMBO-4 TESTSFAILED 1 CONTAINSHEUR TESTSFAILED 1 CONTAINSNOLEGITCONTENT TESTSFAILED 1 CONTAINSREVDNS TESTSFAILED 1 CONTAINSCOMBO-IP If I can search the tests failed with exact name or partial name then I can easily write various tests to detect a spam. It could also be nice to be able to ask.. Of all the tests failed does one STARTWITH or does one ENDSWITH a certain word(s). This way one can easily create subroutines :) - sort of. It could be a good feature to consider. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, November 26, 2004 8:06 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] TESTSFAILED Detection My ansewer has been to have the tests need to be unique (not subsets of another test) for this to work. I've been burned by the testfailed with the same substring in two different tests... Here's a case where a search for a preceding space would be nice (although then the test would be first...) Perhaps you should use: Spamhaus-SBL-IP4R Spamhaus-SBL-COMBO I would imagine all of the other options do work with testsfailed (ENDSWITH, etc,) They just they aren't very useful . -- Original Message -- From: Kami Razvan [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 26 Nov 2004 12:04:38 -0500 Hi; I don't think with the current TESTSFAILED option one can uniquely identify a single test or can we? Example: I have broken down all tests into combination filters with a naming convention. IP4R-something COMBO-IP4r-something Now I can write combo filters that are: TESTSFAILEDENDCONTAINSCOMBO- Or TESTSFAILEDENDCONTAINSCOMBO-IP4R But I can not say TESTSFAILEDENDis the exact name of one of the failed test IP4R-something without triggering the COMBO-IP4R-something I guess the question is one can not detect a failed test by its exact name. In the manual the only option for TESTSFAILED is either CONTAINS or NOTCONTAINS. Can one find out if a TEST's name is among the tests that have failed but as the exact name of the test? Regards, Kami --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] TESTSFAILED Detection
Hi; I don't think with the current TESTSFAILED option one can uniquely identify a single test or can we? Example: I have broken down all tests into combination filters with a naming convention. IP4R-something COMBO-IP4r-something Now I can write combo filters that are: TESTSFAILED END CONTAINS COMBO- Or TESTSFAILED END CONTAINS COMBO-IP4R But I can not say TESTSFAILED END is the exact name ofone of thefailed test IP4R-something without triggering the COMBO-IP4R-something I guess the question is one can not detect a failed test by its exact name. In the manual the only option for TESTSFAILED is either CONTAINS or NOTCONTAINS. Can one find out if a TEST's name is among the tests that have failed but as the exact name of the test? Regards, Kami
Re: [Declude.JunkMail] TESTSFAILED option ???
Sounds like you have a pretty good handle on this. I would suggest using NOTCONTAINS with an END for this purpose. Make sure that the string is unique to that one filter so that it doesn't trip on others. Matt David wrote: Hello All, I am currently using the TESTFAILED option in my filters to save some CPU. Currently it is being used in the top of the filters like TESTSFAILED END CONTAINS DontScan. So the filter with this line in it wont run if the DontScan filter fires. I am wondering if there is an opposite command where I could build a filter DoScan and if the filter fires then the associated filter would run. I only want a couple filters to run if a pivotal filter runs. Example: only run filter 1b 1c if 1a fired. Any ideas? David Bryden -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] TESTSFAILED END Question
Correct format. It should show up at high level logs. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 06/17/04 05:12PM I seen this post below and wanted to implement the TESTSFAILED to exit out of one of my body filters based on if another test was already triggered. Is the below line correct (assuming REVERSEDNSFILTER is one of my filters that occurs before the filter I put the below line in)? TESTSFAILED END CONTAINS REVERSEDNSFILTER [2] When that line is matched does it show in the logs? Darrell - Check out http://www.invariantsystems.com for utilities for Declude and Imail. Scott Fisher writes: I haven't found any easy way to tell. The information is in the logs at high level. But I can chime in that SKIPIFWEIGHT bypasses about 80% of my e-mail that is obviously spam. TESTSFAILED ENDS for friendly domains/revdns drop off about 8% of e-mail that is most likely not spam, leaving about 12% of the e-mail that I run body filters on. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 06/17/04 12:03PM Matt- My body filters only catch about 4% of messages, but I don't know how often they are run. Is htere a convenient way to tell? -d - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 17, 2004 12:40 PM Subject: Re: [Declude.JunkMail] Declude and attachments Scott, I've got a lot more BODY filters than Dave has, though I don't feel that they are excessive. I probably have about 1,500 BODY searches, but with SKIPIFWEIGHT they only run about 25% of the time. If Dave is using Declude Virus, I would also look there for the issue. Anything besides F-Prot and ClamAV in daemon mode will chug a server on a large attachment and it will use up far more processing than Declude JunkMail, but it will keep the Declude instance alive for longer. On about 65,000 messages a day currently, we generally see from 2 to 10 Declude processes running at one time with both F-Prot and AVG enabled (much less with just F-Prot). Disabling AVG results in our average processor utilization dropping by 1/3 to 1/2 on heavy load hours. Matt R. Scott Perry wrote: One instance of Declude, then two, then three, all in the 25%+ range. As soon as it dropped to two Decludes, Queue Manager came right in at 30-40%, then the cycles dropped as QueueManager dropped down. It does sound like it is the large files that are causing the problem. One option would be to temporarily disable the BODY filter with the 200 lines in it, to see if that prevents the problem with the high CPU usage in Declude JunkMail. That could indeed be causing the problem. The other would be to use the debug mode (LOGLEVEL DEBUG in the \IMail\Declude\global.cfg file) and waiting for one of these files to be sent. We can look at the debug log file entries to get a better idea of where the high CPU usage is occurring. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came
[Declude.JunkMail] TESTSFAILED END Question
I seen this post below and wanted to implement the TESTSFAILED to exit out of one of my body filters based on if another test was already triggered. Is the below line correct (assuming REVERSEDNSFILTER is one of my filters that occurs before the filter I put the below line in)? TESTSFAILED END CONTAINS REVERSEDNSFILTER [2] When that line is matched does it show in the logs? Darrell - Check out http://www.invariantsystems.com for utilities for Declude and Imail. Scott Fisher writes: I haven't found any easy way to tell. The information is in the logs at high level. But I can chime in that SKIPIFWEIGHT bypasses about 80% of my e-mail that is obviously spam. TESTSFAILED ENDS for friendly domains/revdns drop off about 8% of e-mail that is most likely not spam, leaving about 12% of the e-mail that I run body filters on. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 06/17/04 12:03PM Matt- My body filters only catch about 4% of messages, but I don't know how often they are run. Is htere a convenient way to tell? -d - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 17, 2004 12:40 PM Subject: Re: [Declude.JunkMail] Declude and attachments Scott, I've got a lot more BODY filters than Dave has, though I don't feel that they are excessive. I probably have about 1,500 BODY searches, but with SKIPIFWEIGHT they only run about 25% of the time. If Dave is using Declude Virus, I would also look there for the issue. Anything besides F-Prot and ClamAV in daemon mode will chug a server on a large attachment and it will use up far more processing than Declude JunkMail, but it will keep the Declude instance alive for longer. On about 65,000 messages a day currently, we generally see from 2 to 10 Declude processes running at one time with both F-Prot and AVG enabled (much less with just F-Prot). Disabling AVG results in our average processor utilization dropping by 1/3 to 1/2 on heavy load hours. Matt R. Scott Perry wrote: One instance of Declude, then two, then three, all in the 25%+ range. As soon as it dropped to two Decludes, Queue Manager came right in at 30-40%, then the cycles dropped as QueueManager dropped down. It does sound like it is the large files that are causing the problem. One option would be to temporarily disable the BODY filter with the 200 lines in it, to see if that prevents the problem with the high CPU usage in Declude JunkMail. That could indeed be causing the problem. The other would be to use the debug mode (LOGLEVEL DEBUG in the \IMail\Declude\global.cfg file) and waiting for one of these files to be sent. We can look at the debug log file entries to get a better idea of where the high CPU usage is occurring. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] TESTSFAILED END Question
I seen this post below and wanted to implement the TESTSFAILED to exit out of one of my body filters based on if another test was already triggered. Is the below line correct (assuming REVERSEDNSFILTER is one of my filters that occurs before the filter I put the below line in)? TESTSFAILED END CONTAINS REVERSEDNSFILTER That should work fine. [2] When that line is matched does it show in the logs? No, it does not. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] TESTSFAILED and NOT questions :)
Scott, This is obviously a very big advance to Declude because it now allows us to do combination tests. I have a few brief questions though. First, does IPNOTINMX and NOLEGITCONTENT still get processed (weight adjustments, and triggers for TESTSFAILED) after custom filters? I've been setting SKIPIFWEIGHT to a value equal to those tests because the points would be deducted afterwards. This is also important if we possibly write a custom filter that includes the TESTSFAILED action for these. Secondly, I noted the NOTENDSWITH action was added as per John's previous request. If you could add NOT functionality to all of the filter types, this would greatly enhance filtering capabilities. I've come across this need many times in the past and have been limited by the absence of such functionality. For everyone else, if you haven't figured it out yet, you can now create a simple filter for something like all DUL tests by setting the test scores to zero in the global.cfg, and then creating a DUL custom filter that is scored at one value. This way you don't have a huge range of scores based on how many such tests get hit. i.e. - Global.cfg - AHBL-DULip4r dnsbl.ahbl.org 127.0.0.90 0 NJABL-DUL ip4r dnsbl.njabl.org127.0.0.30 0 NJABL-DYNA ip4r dynablock.njabl.org 127.0.0.30 0 SORBS-DUL ip4r dnsbl.sorbs.net127.0.0.10 0 0 DULfilter C:\IMail\Declude\Filters\DUL.txtx 8 0 - DUL.txt TESTSFAILED 0 CONTAINS AHBL-DUL TESTSFAILED 0 CONTAINS NJABL-DUL TESTSFAILED 0 CONTAINS NJABL-DYNA TESTSFAILED 0 CONTAINS SORBS-DUL That's a good thing to have I think. It should help protect from false positives while also not severely weakening the system. I may even combine this with my DYNAMIC filter for one scoring hit. Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] TESTSFAILED and NOT questions :)
First, does IPNOTINMX and NOLEGITCONTENT still get processed (weight adjustments, and triggers for TESTSFAILED) after custom filters? I've been setting SKIPIFWEIGHT to a value equal to those tests because the points would be deducted afterwards. This is also important if we possibly write a custom filter that includes the TESTSFAILED action for these. Actually, both IPNOTINMX and NOLEGITCONTENT should be run before the filters. Secondly, I noted the NOTENDSWITH action was added as per John's previous request. If you could add NOT functionality to all of the filter types, this would greatly enhance filtering capabilities. I've come across this need many times in the past and have been limited by the absence of such functionality. That is something that we are planning. For everyone else, if you haven't figured it out yet, you can now create a simple filter for something like all DUL tests by setting the test scores to zero in the global.cfg, and then creating a DUL custom filter that is scored at one value. This way you don't have a huge range of scores based on how many such tests get hit. i.e. - Global.cfg - AHBL-DULip4r dnsbl.ahbl.org 127.0.0.90 0 NJABL-DUL ip4r dnsbl.njabl.org127.0.0.30 0 NJABL-DYNA ip4r dynablock.njabl.org 127.0.0.30 0 SORBS-DUL ip4r dnsbl.sorbs.net127.0.0.10 0 0 DULfilter C:\IMail\Declude\Filters\DUL.txtx 8 0 - DUL.txt TESTSFAILED 0 CONTAINS AHBL-DUL TESTSFAILED 0 CONTAINS NJABL-DUL TESTSFAILED 0 CONTAINS NJABL-DYNA TESTSFAILED 0 CONTAINS SORBS-DUL That's a good thing to have I think. It should help protect from false positives while also not severely weakening the system. I may even combine this with my DYNAMIC filter for one scoring hit. That is a very good idea. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] TESTSFAILED and NOT questions :)
R. Scott Perry wrote: Actually, both IPNOTINMX and NOLEGITCONTENT should be run before the filters. Was this changed??? Back on 12/20/2003 in a thread started by Bill on Weight processing, several of us stated that we had seen issues related to these being deducted only after the custom filters were processed, and your response was that it was by design and that you couldn't guarantee the order of which things were processed (sorry, I couldn't find it in the archives). I have since added the points from these tests to my intended SKIPIFWEIGHT values, i.e. 25 + 1 + 2 = 28. Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] TESTSFAILED and NOT questions :)
Actually, both IPNOTINMX and NOLEGITCONTENT should be run before the filters. Was this changed??? No. Back on 12/20/2003 in a thread started by Bill on Weight processing, several of us stated that we had seen issues related to these being deducted only after the custom filters were processed, and your response was that it was by design and that you couldn't guarantee the order of which things were processed (sorry, I couldn't find it in the archives). That is correct. However, the IPNOTINMX and NOLEGITCONTENT tests run before the filters. In most cases, the filters should be the last tests run (although there may be some exceptions, such as the weight tests, such as WEIGHT10). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
i just want an easy way (%variable%) to put in the header that will show all tests that contributed to the total weight, and their individual contribution that mean if a mail passes ipnotinmx, then ipnotinmx (-3) should show in the above %variable% The next release will allow for this. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
Would anyone care to post an example so I can see the math? I still don't get how to use IPNOTINMX properly. Thanks, andy - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 28, 2003 1:24 AM Subject: RE: [Declude.JunkMail] %TESTSFAILED% In the case of IPNOTINMX and NOLEGITCONTENT, it works just the opposite. If the messages fails, no weight is added or subtracted. If the test passes, the negative weight is subtracted. Therefore, if one of those tests is listed under %TESTSFAILED%, it means nothing was done. Likewise, the actions for those tests should be INGNORE or LOG only, as again if the tests failed means nothing. Only if the messages passes the test is weight subtracted. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of serge Sent: Thursday, November 27, 2003 7:57 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] %TESTSFAILED% Scott I do not think it is a good idea to hide tests like ipnotinmx, because we wont know their weight contribution we need a hidetest when weight =0, but that will show the negative value when passed test something like %weightnot0test% variable with all tests that contributed to the total weight (negative, positive, passed, or failed) this will show ipnotinmx and nonlegitcontent type tests whey they pass Hope you understand what i'm trying to say - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 19, 2003 7:01 PM Subject: Re: [Declude.JunkMail] %TESTSFAILED% Any progress/word on when certain tests can be excluded from this variable? This will be in the next release. :) The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %TESTSFAILED%
From the JunkMail Manual: This test should NOT be used to detect spam! It will be triggered when an E-mail is sent from an IP address that is not in its MX record. Although this test will catch a lot of spam (perhaps 80%), it will also catch a lot of legitimate mail (as quite a few larger mailers will send their mail through a different mailserver than they use to receive mail). What this test is good for is helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an E-mail does not fail this test (which is very different from the way a spam test normally works). John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of andyb Sent: Friday, November 28, 2003 5:16 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] %TESTSFAILED% Would anyone care to post an example so I can see the math? I still don't get how to use IPNOTINMX properly. Thanks, andy - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 28, 2003 1:24 AM Subject: RE: [Declude.JunkMail] %TESTSFAILED% In the case of IPNOTINMX and NOLEGITCONTENT, it works just the opposite. If the messages fails, no weight is added or subtracted. If the test passes, the negative weight is subtracted. Therefore, if one of those tests is listed under %TESTSFAILED%, it means nothing was done. Likewise, the actions for those tests should be INGNORE or LOG only, as again if the tests failed means nothing. Only if the messages passes the test is weight subtracted. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of serge Sent: Thursday, November 27, 2003 7:57 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] %TESTSFAILED% Scott I do not think it is a good idea to hide tests like ipnotinmx, because we wont know their weight contribution we need a hidetest when weight =0, but that will show the negative value when passed test something like %weightnot0test% variable with all tests that contributed to the total weight (negative, positive, passed, or failed) this will show ipnotinmx and nonlegitcontent type tests whey they pass Hope you understand what i'm trying to say - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 19, 2003 7:01 PM Subject: Re: [Declude.JunkMail] %TESTSFAILED% Any progress/word on when certain tests can be excluded from this variable? This will be in the next release. :) The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
John I understand how the ipnotinmx works i just want an easy way (%variable%) to put in the header that will show all tests that contributed to the total weight, and their individual contribution that mean if a mail passes ipnotinmx, then ipnotinmx (-3) should show in the above %variable% This can be a failed test, a passed test, a negative weight, or a positive weight, in summary, any test with a non zero weight added or substracted It will save us going to the logs every time to see how the weight was calculated the above is even more important with the new option that will hide ipnotinmx, since now, when we do not see ipnotinmx in testfailed, we know that we have a -3 but if we hide ipnotinmx, we will not know if it was passed or failed, and wont know if it contributed to total weight. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 28, 2003 6:24 AM Subject: RE: [Declude.JunkMail] %TESTSFAILED% In the case of IPNOTINMX and NOLEGITCONTENT, it works just the opposite. If the messages fails, no weight is added or subtracted. If the test passes, the negative weight is subtracted. Therefore, if one of those tests is listed under %TESTSFAILED%, it means nothing was done. Likewise, the actions for those tests should be INGNORE or LOG only, as again if the tests failed means nothing. Only if the messages passes the test is weight subtracted. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of serge Sent: Thursday, November 27, 2003 7:57 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] %TESTSFAILED% Scott I do not think it is a good idea to hide tests like ipnotinmx, because we wont know their weight contribution we need a hidetest when weight =0, but that will show the negative value when passed test something like %weightnot0test% variable with all tests that contributed to the total weight (negative, positive, passed, or failed) this will show ipnotinmx and nonlegitcontent type tests whey they pass Hope you understand what i'm trying to say - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 19, 2003 7:01 PM Subject: Re: [Declude.JunkMail] %TESTSFAILED% Any progress/word on when certain tests can be excluded from this variable? This will be in the next release. :) The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
Scott I do not think it is a good idea to hide tests like ipnotinmx, because we wont know their weight contribution we need a hidetest when weight =0, but that will show the negative value when passed test something like %weightnot0test% variable with all tests that contributed to the total weight (negative, positive, passed, or failed) this will show ipnotinmx and nonlegitcontent type tests whey they pass Hope you understand what i'm trying to say - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 19, 2003 7:01 PM Subject: Re: [Declude.JunkMail] %TESTSFAILED% Any progress/word on when certain tests can be excluded from this variable? This will be in the next release. :) The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %TESTSFAILED%
In the case of IPNOTINMX and NOLEGITCONTENT, it works just the opposite. If the messages fails, no weight is added or subtracted. If the test passes, the negative weight is subtracted. Therefore, if one of those tests is listed under %TESTSFAILED%, it means nothing was done. Likewise, the actions for those tests should be INGNORE or LOG only, as again if the tests failed means nothing. Only if the messages passes the test is weight subtracted. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of serge Sent: Thursday, November 27, 2003 7:57 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] %TESTSFAILED% Scott I do not think it is a good idea to hide tests like ipnotinmx, because we wont know their weight contribution we need a hidetest when weight =0, but that will show the negative value when passed test something like %weightnot0test% variable with all tests that contributed to the total weight (negative, positive, passed, or failed) this will show ipnotinmx and nonlegitcontent type tests whey they pass Hope you understand what i'm trying to say - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 19, 2003 7:01 PM Subject: Re: [Declude.JunkMail] %TESTSFAILED% Any progress/word on when certain tests can be excluded from this variable? This will be in the next release. :) The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] %TESTSFAILED%
Any progress/word on when certain tests can be excluded from this variable? By default, any test with WEIGHT in the name should be excluded, plus something like this in the Global.Cfg file: EXCLUDETESTSFAILED FILTER1 EXCLUDETESTSFAILED FILTER2 John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
You know, I was thinking that something similar would be very beneficial to go along with the new filtering functionality. When a test scores zero points because of an END or otherwise, it would be nice to have that test excluded from the WARN action, %TESTSFAILED% and log level low. My logs are also filled with this type of stuff already (ANTI-files and soon zero scoring files) along with a bunch of different weight tests. The only problem is that the Declude tests for REVDNS, IPNOTINMX and NOLEGITCONTENT won't show up when they credit points, only when they don't credit points, and something would need to be done with that for this to work and not be totally confusing (maybe just don't include this functionality for them, or rather show them only when they credit points instead of when they don't credit points). Similar to what you indicated, it would be nice if weight tests only show up in logs when an action is set for them. I have three levels of weights and 4 different potential actions for each level (meaning 4 tests defined for each level), which means I have 12 different weight tests plus a delete level, so on a message that scores from 16 to 29 points currently, there will be 12 lines added to my logs for that message instead of the 3 or so that I typically define an action for in the Default.junkmail files. So maybe instead of excluding all weights, it might be better to exclude weights for which there are no actions explicitly defined? This isn't a huge issue for me right now, but both things would be nice to have if only to make things a bit more tidy. I don't want to press my luck though considering my good fortune last week :) I would though put Kami's additional suggestion much higher on my wishlist though, where he asked about a cutoff weight in the Global.cfg similar to what was discussed in the custom filters. I've heard that one discussed before and I am definitely starting to appreciate the idea a bunch more since it could save some serious processing power, probably more than 70% on systems that extensively use custom filters, by stopping the processing as soon as a particular score was reached. So if you process the DNS based stuff first, for many E-mails you won't even have to load any custom filters because the message will have already reached a deletion weight (defined in the Global.cfg). All in due time I'm sure. Matt John Tolmachoff (Lists) wrote: Any progress/word on when certain tests can be excluded from this variable? By default, any test with WEIGHT in the name should be excluded, plus something like this in the Global.Cfg file: EXCLUDETESTSFAILED FILTER1 EXCLUDETESTSFAILED FILTER2 John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
Any progress/word on when certain tests can be excluded from this variable? This will be in the next release. :) The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
I would though put Kami's additional suggestion much higher on my wishlist though, where he asked about a cutoff weight in the Global.cfg similar to what was discussed in the custom filters. I've heard that one discussed before and I am definitely starting to appreciate the idea a bunch more since it could save some serious processing power, probably more than 70% on systems that extensively use custom filters, by stopping the processing as soon as a particular score was reached. So if you process the DNS based stuff first, for many E-mails you won't even have to load any custom filters because the message will have already reached a deletion weight (defined in the Global.cfg). This, too, will be added for the next release. For the next release, an option SKIPIFWEIGHT can be used in the filter files, to automatically bypass them if a certain weight has already been reached. The warning with this one is that it will work with the weight of the E-mail at the time the filter is processed, so negative weights may or may not have already been taken into account. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %TESTSFAILED%
Scott: Great news indeed... Question: Will a test stop if a certain weight is reached? Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, November 19, 2003 2:05 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] %TESTSFAILED% I would though put Kami's additional suggestion much higher on my wishlist though, where he asked about a cutoff weight in the Global.cfg similar to what was discussed in the custom filters. I've heard that one discussed before and I am definitely starting to appreciate the idea a bunch more since it could save some serious processing power, probably more than 70% on systems that extensively use custom filters, by stopping the processing as soon as a particular score was reached. So if you process the DNS based stuff first, for many E-mails you won't even have to load any custom filters because the message will have already reached a deletion weight (defined in the Global.cfg). This, too, will be added for the next release. For the next release, an option SKIPIFWEIGHT can be used in the filter files, to automatically bypass them if a certain weight has already been reached. The warning with this one is that it will work with the weight of the E-mail at the time the filter is processed, so negative weights may or may not have already been taken into account. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %TESTSFAILED%
This will be in the next release. :) :)) The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header. Will we have to list each test exactly, or a partial name match? E.g. will have to list WEIGHTRANGE10-14 WEIGHTRANGE15-19 and so forth, or can we just list WEIGHT and it will hide any test with the word weight in the name? John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %TESTSFAILED%
The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header. Will we have to list each test exactly, or a partial name match? E.g. will have to list WEIGHTRANGE10-14 WEIGHTRANGE15-19 and so forth, or can we just list WEIGHT and it will hide any test with the word weight in the name? They will need to be exact. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %TESTSFAILED%
Question: Will a test stop if a certain weight is reached? With the MAXWEIGHT line in a filter file (also in the next release), the test will stop once the maximum weight is reached. So you could have something like: SKIPIFWEIGHT40 MAXWEIGHT 20 In this case, the filter test would not be run if the total weight of the E-mail was 40 so far (when the SKIPIFWEIGHT line is processed). Then, if at any point during the processing of the filter, the weight (for the filter test only) reached or exceeded 20, processing of the filter would stop (and a weight of 20 would be used). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %TESTSFAILED%
Now that we are on the subject.. Any chance that this can be defined with the test definition? This way we can just change or pose the constraints when defining the test rather than in the filters. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, November 19, 2003 2:48 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] %TESTSFAILED% Question: Will a test stop if a certain weight is reached? With the MAXWEIGHT line in a filter file (also in the next release), the test will stop once the maximum weight is reached. So you could have something like: SKIPIFWEIGHT40 MAXWEIGHT 20 In this case, the filter test would not be run if the total weight of the E-mail was 40 so far (when the SKIPIFWEIGHT line is processed). Then, if at any point during the processing of the filter, the weight (for the filter test only) reached or exceeded 20, processing of the filter would stop (and a weight of 20 would be used). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
This might be more of a question of what could be stopped in reality. It appears that the DNS-type tests pretty much go concurrently, but then there are external apps and custom filters. This will be great for custom filtering, but it would be nice to stop the external apps if possible as well. Putting the setting in the Global.cfg would be the only way to do this. And heck, if you could stop some DNS-type tests from executing once you reach a certain weight, all the better. As it stands though, still a massive improvement!!! Thanks Scott! Matt Kami Razvan wrote: Now that we are on the subject.. Any chance that this can be defined with the test definition? This way we can just change or pose the constraints when defining the test rather than in the filters. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, November 19, 2003 2:48 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] %TESTSFAILED% Question: Will a test stop if a certain weight is reached? With the MAXWEIGHT line in a filter file (also in the next release), the test will stop once the maximum weight is reached. So you could have something like: SKIPIFWEIGHT40 MAXWEIGHT 20 In this case, the filter test would not be run if the total weight of the E-mail was 40 so far (when the SKIPIFWEIGHT line is processed). Then, if at any point during the processing of the filter, the weight (for the filter test only) reached or exceeded 20, processing of the filter would stop (and a weight of 20 would be used). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] %TESTSFAILED%
Is there a way to not show the WEIGHT and WEIGHTRANGE tests in the %TESTFAILED% report? The weight tests are there to do accumulation. Say a message fails RVDNS, NOPOSTMASTER and SNIFFER and has a weight of 17. You have a test WEIGHTRANGE14-19, so it gets caught. %TESTSFAILED% will show RVDNS, NOPOSTMASTER, SNIFFER, WEIGHTRANGE14-19. But why show the weight test when the important information is why did it get caught, because it did not get caught because of the weight test, but because it failed the other 3 tests. It seems like redundancy. John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
Say a message fails RVDNS, NOPOSTMASTER and SNIFFER and has a weight of 17. You have a test WEIGHTRANGE14-19, so it gets caught. %TESTSFAILED% will show RVDNS, NOPOSTMASTER, SNIFFER, WEIGHTRANGE14-19. But why show the weight test when the important information is why did it get caught, because it did not get caught because of the weight test, but because it failed the other 3 tests. But it may have been caught solely on the weight test. For example, if you use the WARN action on REVDNS, NOPOSTMASTER, and SNIFFER, but use the HOLD action on WEIGHTRANGE14-19, then it was the WEIGHTRANGE14-19 test that caused the E-mail to get caught. If we remove the weight tests from the list of tests that failed, we're almost certainly going to receive lots of support questions of The E-mail only failed REVDNS, NOPOSTMASTER, and SNIFFER, which are all set to WARN, but the E-mail was held!. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %TESTSFAILED%
But it may have been caught solely on the weight test. For example, if you use the WARN action on REVDNS, NOPOSTMASTER, and SNIFFER, but use the HOLD action on WEIGHTRANGE14-19, then it was the WEIGHTRANGE14-19 test that caused the E-mail to get caught. Yes and no, the reason it got caught by the weight test is because it failed the others. The point is that it will never fail the weight test only. It has to fail other tests, which then cause it to trigger the weight test. If we remove the weight tests from the list of tests that failed, we're almost certainly going to receive lots of support questions of The E-mail only failed REVDNS, NOPOSTMASTER, and SNIFFER, which are all set to WARN, but the E-mail was held!. Support questions from who, the admins that set the weight tests up? They should already know by the list of tests it failed that the weight test then got triggered. I am asking because I am thinking of using something like the following: WEIGHTRANGE15-19SUBJECT This failed SPAM tests %TESTFAILED% Having a WEIGHTRANGE15-19 will add additional unneeded length to the subject line. John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] %TESTSFAILED% variable
Does the %TESTSFAILED% variable work with the Subject action? Steve --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] %TESTSFAILED% variable
Does the %TESTSFAILED% variable work with the Subject action? Variables in the SUBJECT action were added to v1.35, but there is a glitch that may prevent them from working until the next release. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] %TESTSFAILED% variable
Ok thats fine. Is there also a small bug in the custom blacklists? I am pretty sure I have it set up right but mail is not being caught if it doesn't come from the exact domain, ie: I thought if I put azoogle.com in my blacklists.txt file that it would catch childdomain.azoogle.com as well. Has anyone else mentioned this, or must I have something set up wrong? Thanks, Steve -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 05, 2002 2:57 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] %TESTSFAILED% variable Does the %TESTSFAILED% variable work with the Subject action? Variables in the SUBJECT action were added to v1.35, but there is a glitch that may prevent them from working until the next release. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . *** [ This E-mail is scanned for viruses by 270net Technologies (http://www.270net.com) ] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] %TESTSFAILED% variable
Ok thats fine. Is there also a small bug in the custom blacklists? I am pretty sure I have it set up right but mail is not being caught if it doesn't come from the exact domain, ie: I thought if I put azoogle.com in my blacklists.txt file that it would catch childdomain.azoogle.com as well. That's a known issue. The next release will correct that. It affects any entries in the blacklist that do not have an @ in them. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
