Re: [Declude.JunkMail] Filter question

2007-08-17 Thread Linda Pagillo
Hi Michael. To answer your questions...

If my BlackFilter.txt file is composed of lines like:

SUBJECT STOPALLTESTS CONTAINS China Business Directory
BODY STOPALLTESTS CONTAINS Evil Spammer

will the test return 500 points on a match and HOLD the email without
further processing of filters or other tests.

Yes, this is correct.

I understand the filters are processed in the order they occur in the
$default$junkmail so this will be the first Filter listed but there are
FROMFILE's listed earlier in the $default$junkmail. In this scenario will I
need a SKIPIFWEIGHT line in any subsequent filters to suppress their
running?

Actually, filters are not processed in the order that they occur in the
$default$.junkmail file, so no, you do not need to add a SKIPIFWEIGHT
directive to your filters. The STOPALLTESTS directive in your BLACKFILTER
will accomplish what you need.

If you have any further questions, please do not hesitate to contact me
either by email or call Toll free 1-866-332-5833  Ext.7008

Linda Pagillo
Technical Support Engineer | Declude

Your Email Security is our business

Office: 978.499.2933  x7008
Toll Free: 1-866.332.5833 x7008
Fax: 978.334.0700
Email: [EMAIL PROTECTED]
- Original Message - 
From: "Michael Hoyt" <[EMAIL PROTECTED]>
To: "Declude JunkMail @declude.com" 
Sent: Friday, August 17, 2007 10:32 AM
Subject: [Declude.JunkMail] Filter question


> I am attempting to create a filter that contains conditions that will cause
> a HOLD on the emails that it matches.  My HOLD weight is 100 but I also use
> some reverse weighting so I was thinking that adding 500 points should do
> it.
>
> In my global.cfg I have :
> BLACKFILTER filter D:\IMAIL\Declude\Filters\BlackFilter.txt x 500 0
>
> In my $default$junkmail I have :
> BLACKFILTERWARN
>
> As 500 points is enough to HOLD the email I want the processing of this
> email to stop as soon as it matches something in this filter.  If my
> BlackFilter.txt file is composed of lines like:
>
> SUBJECT STOPALLTESTS CONTAINS China Business Directory
> BODY STOPALLTESTS CONTAINS Evil Spammer
>
> will the test return 500 points on the first match and HOLD the email
> without further processing of filters or other tests.  I understand the
> filters are processed in the order they are listed in the $default$junkmail
> so this will be the first Filter listed but there are FROMFILE's listed
> earlier in the $default$junkmail.  If I put the filters earlier in the
> $default$junkmail than the FROMFILE's will they also trigger earlier?  In
> this scenario will I need a SKIPIFWEIGHT line in any subsequent filters to
> suppress their running?
>
> Thanks in advance,
>
> -- 
> Michael Hoyt
> Communication Arts
> 110 Constitution Drive
> Menlo Park, CA  94025
> (650) 326-6040  fax:(650) 326-1648
>
> e-mail: [EMAIL PROTECTED]
> Web Site: http://www.commarts.com
>
>
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.






RE: [Declude.JunkMail] Filter question

2006-02-14 Thread John T \(Lists\)









Thanks Matt.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, February 14, 2006 3:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Filter question

Move the whitelist setting to a custom filter and place an END on the
filter for the condition that you want to track elsewhere:

MAILFROM   END   IS   [EMAIL PROTECTED]
REMOTEIP   WHITELIST   IS   12.34.56.78

Have a good evening,

Matt


John T (Lists) wrote: 

I need to create a filter for a client that I am gatewaying their Exchange
server.

I have their server listed in the Global.cfg for whitelisting. (WHITELIST IP
yaddayaddayadda)

Now there is a need to create a filter file so that if the e-mail is from a
broadcast address and to an address on the list, to route to back to the
sales manager.

--
MAILFROM END NOTCONTAINS [EMAIL PROTECTED]
ALLRECIPS 0 CONTAINS e-mailaddresslisted
--

On Failure, route to [EMAIL PROTECTED]

Is there a way to override a whitelist?

John T
eServices For You

"Seek, and ye shall find!"


Re: [Declude.JunkMail] Filter question

2006-02-14 Thread Matt




Move the whitelist setting to a custom filter and place an END on the
filter for the condition that you want to track elsewhere:

MAILFROM   END   IS   [EMAIL PROTECTED]
REMOTEIP   WHITELIST   IS   12.34.56.78

Have a good evening,

Matt


John T (Lists) wrote:

  
  
  
  
  
  I need to create a filter for a client that I am gatewaying their
  Exchange server.

  I have their server listed in the Global.cfg for whitelisting. (WHITELIST
  IP yaddayaddayadda)

  Now there is a need to create a filter file so that if the e-mail is from a
  broadcast address and to an address on the list, to route to back to
  the sales manager.

  --
  MAILFROM END NOTCONTAINS [EMAIL PROTECTED]
  ALLRECIPS 0 CONTAINS e-mailaddresslisted
  --

  On Failure, route to [EMAIL PROTECTED]

  Is there a way to override a whitelist?

  John T
  eServices For You

  "Seek, and ye shall find!"





Re: [Declude.JunkMail] Filter question

2005-02-24 Thread Darin Cox
What about SPF?  One of the benefits of having SPF records is that you can
easily add weight to email with your domain in the FROM address that does
not originate from designated sources (i.e. your servers).

Darin.


- Original Message - 
From: "Marc Catuogno" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, February 24, 2005 9:54 AM
Subject: RE: [Declude.JunkMail] Filter question


I have my own domain in the spamdomains test and then I have Whitelist Auth
so almost anytime something appears to me from [EMAIL PROTECTED] if it isn't
whitelisted because of authentication it adds quite a bit of weight.  The
major down side is that when people send e-mail from websites that have you
fill in the from address.  Since these don't authenticate they often get
caught as well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Thursday, February 24, 2005 8:58 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Filter question

The following header lines are the basis of my question.  The "from" domain
(mine) does not match the "from" [IP] address (not mine.)

Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP
  (SMTPD32-8.15) id AB4F105B014E; Wed, 23 Feb 2005 17:01:35 -0600
From: "Returned mail" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

This may have been discussed before and I just didn't use the right search
words, but ...  has anyone worked on a filter/external program/whatever that
could check for match/mismatch of the from address and the from IP in the
"Received:" line.  Example: One could specify the domains and IP's that must
match each other.  If they don't, boost the score by whatever makes one
happy.

My logic: whether it is an uncaught virus (like MyDoom.BE) or junk mail, it
doesn't matter. If your users see email supposedly from you, they are going
to be more likely to open it and suffer the results. Is this worth working
on?  Has someone done something on this?

Thanks,
John


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]



RE: [Declude.JunkMail] Filter question

2005-02-24 Thread Marc Catuogno
I have my own domain in the spamdomains test and then I have Whitelist Auth
so almost anytime something appears to me from [EMAIL PROTECTED] if it isn't
whitelisted because of authentication it adds quite a bit of weight.  The
major down side is that when people send e-mail from websites that have you
fill in the from address.  Since these don't authenticate they often get
caught as well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Thursday, February 24, 2005 8:58 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Filter question

The following header lines are the basis of my question.  The "from" domain
(mine) does not match the "from" [IP] address (not mine.)

Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP
  (SMTPD32-8.15) id AB4F105B014E; Wed, 23 Feb 2005 17:01:35 -0600
From: "Returned mail" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

This may have been discussed before and I just didn't use the right search
words, but ...  has anyone worked on a filter/external program/whatever that
could check for match/mismatch of the from address and the from IP in the
"Received:" line.  Example: One could specify the domains and IP's that must
match each other.  If they don't, boost the score by whatever makes one
happy.

My logic: whether it is an uncaught virus (like MyDoom.BE) or junk mail, it
doesn't matter. If your users see email supposedly from you, they are going
to be more likely to open it and suffer the results. Is this worth working
on?  Has someone done something on this?

Thanks,
John




Re: [Declude.JunkMail] Filter question

2004-09-30 Thread R. Scott Perry

I set up a filter of MAILFROM 0 STARTSWITH [EMAIL PROTECTED]  I am only holding right
now.
The following was caught. Notice the "coups@" is in the Received: line, not
the From: line. Should this one have been caught or skipped?
It should have been caught.  That's because the sender was actually 
"[EMAIL PROTECTED]" (if you look at the X-Declude-Sender: header, or 
the "MAIL FROM:" line in the IMail SMTP log file, you'll see it).  Declude 
JunkMail filters on the actual sender, which may be different from the 
E-mail addresses in the From:, Reply-To:, or other headers.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Filter question

2003-12-17 Thread Markus Gufler

Hi Doug,

If you look for something like this, maybe give a try to SpamChk, an external
test for Declude Junkmail.

SpamChk will accumulate the weight for every instance of a certain keyword.
You can define also a max. number of how many instances should be counted,
and the weight for keywords can be dynamically reduced for large messages.

Markus





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson
Sent: Tuesday, December 16, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Filter question


This may sound stupid, but if I create a filter searching for a
string in an email...
BODY 2 CONTAINS xyz
and the email contains 4 instances of that string
now is the xyx time for all xyz good men xyz to come to the aid xyz
of their country
does the filter return an internal value of 8 or 2?




Re: [Declude.JunkMail] Filter question

2003-12-16 Thread R. Scott Perry

This may sound stupid, but if I create a filter searching for a string in 
an email...
BODY 2 CONTAINS xyz
and the email contains 4 instances of that string
now is the xyx time for all xyz good men xyz to come to the aid xyz of 
their country
does the filter return an internal value of 8 or 2?
The filter would add 2 to the weight of the E-mail.  The filters will only 
look at the first match.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Filter question

2003-12-16 Thread Bill Landry



It will return a weight of 2.  The filter will only flag the first
occurrence that it finds, then ignores the rest.

Bill

  - Original Message -
  From: Doug Anderson
  To: [EMAIL PROTECTED]
  Sent: Tuesday, December 16, 2003 7:32 AM
  Subject: [Declude.JunkMail] Filter question

  This may sound stupid, but if I create a filter searching for a
  string in an email...
  BODY 2 CONTAINS xyz
  and the email contains 4 instances of that string
  now is the xyx time for all xyz good men xyz to come to the aid xyz
  of their country
  does the filter return an internal value of 8 or 2?
   


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt

So now I would ask what the source of the E-mail shows?


This particular one, came in plain text, I just realized. That is
probably why I didn't use the source to begin with.

When I right click on it, view source is greyed out.

I would be happy to forward the email to the list but I did that earlier
and I'm thinking everyone's filter blocked it but mine.

Sharyn




We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged "Best in the World" at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread R. Scott Perry

I cut and pasted it from what I was viewing in the email, NOT from the
source, hence my original question. I did go back and run the -diag and
I am definitely running JM 1.75
So now I would ask what the source of the E-mail shows?

   -Scott


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt

Those do look the same.  Did you cut and paste it from what you were 
viewing in the E-mail, or from the source?

I cut and pasted it from what I was viewing in the email, NOT from the
source, hence my original question. I did go back and run the -diag and
I am definitely running JM 1.75

Sharyn






RE: [Declude.JunkMail] Filter question

2003-10-16 Thread R. Scott Perry

Here are the message headers:

X-Spam-Tests-Failed: ROUTING
OK, it did not fail the INBODYFILTER test.

Here is the line in the filter itself:

BODY 0 CONTAINS Bachelors and other higher education available in your
fields
And here is the line, copied and pasted directly from the spam email
that should've triggered the filter and didn't:
Bachelors and other higher education available in your fields
Those do look the same.  Did you cut and paste it from what you were 
viewing in the E-mail, or from the source?

   -Scott


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt

Remember that failing a test and flagging (or any other action) are very
different.  In this case, the original question made it seem as though the
E-mail wasn't failing the test, whereas it may be that the E-mail did fail
the test but an action other than the one you wanted was used.


The email wasn't failing the test. I'm sorry to be so confusing. The only
action I have on this body filter is attach, no weights have been
applied. The particular email in question should've failed this test and
been attached, automatically as that's what the action is.

Here are the message headers:

Received: from 200-140-164-090.bsace7024.dsl.brasiltelecom.net.br
  [200.140.164.90] by todhunter.com
  (SMTPD32-7.15) id A5EE223500DE; Thu, 16 Oct 2003 08:58:22 -0400
Received: from [244.16.159.174] by
  200-140-164-090.bsace7024.dsl.brasiltelecom.net.br with ESMTP id
  <009310-63652>; Thu, 16 Oct 2003 13:06:30 -0100
Message-ID: <[EMAIL PROTECTED]>
From: "Nelson Hurt" <[EMAIL PROTECTED]>
Reply-To: "Nelson Hurt" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: 7 How  about obtaining a fully recognized University degree at
  home!!?
Date: Thu, 16 Oct 2003 13:06:30 -0100
X-Mailer: QUALCOMM Windows Eudora Version 5.1
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="FF_E90E7._.F0E265C"
X-Priority: 3
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner
  consistent with spam [210f].
X-Declude-Sender: [EMAIL PROTECTED] [200.140.164.90]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
  for spam.
X-Spam-Tests-Failed: ROUTING
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 366043108

Here is the line for the filter in my global.cfg

InBodyFilter Filter D:\Imail\Declude\inBody.txt x 0 0


Here are the lines in the user junkmail file that the failed email was
addressed to:

INBODYFILTERATTACH


Here is the line in the filter itself:

BODY 0 CONTAINS Bachelors and other higher education available in your
fields


And here is the line, copied and pasted directly from the spam email
that should've triggered the filter and didn't:

Bachelors and other higher education available in your fields

Thanks,
Sharyn









RE: [Declude.JunkMail] Filter question

2003-10-16 Thread R. Scott Perry

In this last example that everyone's filter probably caught, the
original email came through unflagged, but when I forwarded it to the
list, the filter caught it.
Remember that failing a test and flagging (or any other action) are very 
different.  In this case, the original question made it seem as though the 
E-mail wasn't failing the test, whereas it may be that the E-mail did fail 
the test but an action other than the one you wanted was used.

Does the X-Spam-Tests-Failed: header show the name of the filter test?  If 
so, the E-mail is failing the test (the next step would be to determine 
which configuration file was used for the outgoing actions).  If not, then 
the E-mail did not fail the test (posting the source and the filter 
string would be helpful to determine what happened there -- for example, 
the spammer may have used 2 spaces instead of one between some words).

   -Scott


RE: [Declude.JunkMail] Filter question

2003-10-16 Thread Sharyn Schmidt
I'm using the latest release.

In this last example that everyone's filter probably caught, the
original email came through unflagged, but when I forwarded it to the
list, the filter caught it.

I have double checked the per user configs to ensure both my personal
email account (where the forwarded spam was caught) and the original
account it was sent to, (where it wasn't caught) have the same action
for that filter. They do.

So why would it get caught on one account, when forwarded, and not on
the other, when received originally?

Sharyn

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, October 16, 2003 10:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filter question



>For the spam that doesn't contain a URL that I can block in my URL filter,
>I have taken to trying to find phrases that I can block in my BODY filter.
>
>My question is...
>
>Should I be blocking these phrases using the text in the email that I can
>see, or should I be blocking phrases that appear when you look at the source.

That depends.  If there is a difference between what you see and what is in
the source of the E-mail, you'll need to determine what the difference
is.  If the E-mail is HTML with comments or HTML codes used to bypass
filters, the latest release of Declude JunkMail (1.75) will be able to
filter the text.

-Scott


Re: [Declude.JunkMail] Filter question

2003-10-16 Thread R. Scott Perry

For the spam that doesn't contain a URL that I can block in my URL filter, 
I have taken to trying to find phrases that I can block in my BODY filter.

My question is...

Should I be blocking these phrases using the text in the email that I can 
see, or should I be blocking phrases that appear when you look at the source.
That depends.  If there is a difference between what you see and what is in 
the source of the E-mail, you'll need to determine what the difference 
is.  If the E-mail is HTML with comments or HTML codes used to bypass 
filters, the latest release of Declude JunkMail (1.75) will be able to 
filter the text.

   -Scott


RE: [Declude.JunkMail] Filter question

2003-08-27 Thread Kevin Bilbee
Well Scott, you are correct again. I had a cut and paste error in the filter
file: all of the lines ended with an extra space except the last two lines.

Kevin Bilbee


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Wednesday, August 27, 2003 5:45 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Filter question
>
>
>
> >I checked my logs and the REMOTEIP lines are catching the mail but the
> >subject lines with "RE: " are not catching the mail. the subject lines
> >without the "RE: " are catching the emails.
>
> That is odd.  Could there be spaces/tabs at the end of the lines that
> aren't working?
>
> If that doesn't explain it, you can use "LOGLEVEL DEBUG" temporarily and
> send an E-mail through that should be caught by the filter -- you
> can then
> E-mail me the results, and I can take a look to see what went wrong.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you have been missing: Ask for a free 30-day evaluation.
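
Two whitespace pitfalls come up in this archive: trailing spaces or tabs on filter lines (the SOBIG.txt case above) and a phrase whose spacing in the message source differs from what the mail client displays (the 2003-10-16 INBODYFILTER messages). The following Python check for both is an added example, not Declude code and not something posted by a list member. It assumes the four-column filter-line layout seen in the quoted filters, `#` comment lines, and literal character-for-character comparison; the function names and sample data are constructed for illustration.

```python
import re

# Layout assumed from the filter lines quoted in this thread:
#   FIELD  WEIGHT-or-directive  COMPARISON  text-to-match
RULE_RE = re.compile(r"^(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(.*)$")


def parse_rule(line):
    """Split one filter line, keeping the match text exactly as written."""
    m = RULE_RE.match(line.rstrip("\r\n").lstrip(" \t"))
    if m is None:
        return None
    field, weight, comparison, text = m.groups()
    return {"field": field.upper(), "weight": weight,
            "comparison": comparison.upper(), "text": text}


def lint_filter(filter_text):
    """Return (line_number, field, problem) for whitespace that is easy to miss."""
    findings = []
    for number, line in enumerate(filter_text.splitlines(), 1):
        # Blank lines and '#' comments are skipped (comment syntax is an assumption).
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((number, "?", "unparsed line"))
            continue
        text = rule["text"]
        if text != text.rstrip(" \t"):
            findings.append((number, rule["field"], "trailing whitespace"))
        if re.search(r"[ \t]{2,}|\t", text.strip(" \t")):
            findings.append((number, rule["field"],
                             "tab or repeated space inside match text"))
    return findings


def literal_match(rule_line, candidate):
    """Model a literal IS / CONTAINS comparison (assumed semantics, not Declude's code)."""
    rule = parse_rule(rule_line)
    if rule is None:
        return False
    if rule["comparison"] == "IS":
        return rule["text"] == candidate
    if rule["comparison"] == "CONTAINS":
        return rule["text"] in candidate
    return False


def diagnose_phrase(phrase, source):
    """Classify how a filter phrase relates to the raw message source."""
    if phrase in source:
        return "exact"
    words = [re.escape(w) for w in phrase.split()]
    # Same words in the same order, but separated by different whitespace
    # (extra spaces, tabs, or a line break inserted by wrapping).
    if words and re.search(r"\s+".join(words), source):
        return "whitespace differs"
    return "absent"


# Constructed sample: a few SOBIG.txt lines from the thread, with trailing
# spaces placed as the poster described (every line except the last two).
SOBIG_TXT = (
    "REMOTEIP 0 IS 206.111.17.194 \n"
    "SUBJECT 0 IS Re: Details \n"
    "SUBJECT 0 IS Re: Wicked screensaver \n"
    "SUBJECT 0 IS Thank you!\n"
    "SUBJECT 0 IS Your details\n"
)

# Constructed sample: the phrase from the INBODYFILTER question, and a raw
# body in which it carries a doubled space and a hard line wrap.
PHRASE = "Bachelors and other higher education available in your fields"
SOURCE = "Bachelors and other  higher education available in your\r\nfields"

if __name__ == "__main__":
    for finding in lint_filter(SOBIG_TXT):
        print(finding)
    print(literal_match("SUBJECT 0 IS Re: Wicked screensaver ",
                        "Re: Wicked screensaver"))
    print(diagnose_phrase(PHRASE, SOURCE))
```
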


RE: [Declude.JunkMail] Filter question

2003-08-27 Thread R. Scott Perry

I checked my logs and the REMOTEIP lines are catching the mail but the
subject lines with "RE: " are not catching the mail. the subject lines
without the "RE: " are catching the emails.
That is odd.  Could there be spaces/tabs at the end of the lines that 
aren't working?

If that doesn't explain it, you can use "LOGLEVEL DEBUG" temporarily and 
send an E-mail through that should be caught by the filter -- you can then 
E-mail me the results, and I can take a look to see what went wrong.

   -Scott


RE: [Declude.JunkMail] Filter question

2003-08-27 Thread Kevin Bilbee
I checked my logs and the REMOTEIP lines are catching the mail but the
subject lines with "RE: " are not catching the mail. the subject lines
without the "RE: " are catching the emails.

I have changed the IS in SUBJECT lines to CONTAINS and I get the same
results.

I want these emails because I have been successful at tracking down the
machine sending out the messages and getting the user to clean the virus.


Kevin Bilbee

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee
> Sent: Tuesday, August 26, 2003 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Filter question
>
>
> I have setup a filter to forward all email that seems to be from the sobig
> virus to a special mail box.
>
> Global.CFG
> SOBIGFILTER   filter  D:\IMail\Declude\SOBIG.txt
> x 0   0
>
> sobig.txt
> REMOTEIP 0 IS 206.111.17.194
> REMOTEIP 0 IS 66.185.39.38
> REMOTEIP 0 IS 66.123.247.98
> REMOTEIP 0 IS 69.37.1.22
> SUBJECT 0 IS Re: Details
> SUBJECT 0 IS Re: Approved
> SUBJECT 0 IS Re: Re: My details
> SUBJECT 0 IS Re: Thank you!
> SUBJECT 0 IS Re: That movie
> SUBJECT 0 IS Re: Wicked screensaver
> SUBJECT 0 IS Re: Your application
> SUBJECT 0 IS Thank you!
> SUBJECT 0 IS Your details
>
> $default$.junkmail
> SOBIGFILTER   ROUTETO [EMAIL PROTECTED]
>
> I have sent an email with the subject line of Re: Wicked
> screensaver to test
>
> declude does not seem to be running the test
> We are running Declude v1.75i1
>
> Where did I go wrong in setting this up?
>
>
> Kevin Bilbee
>


Re: [Declude.JunkMail] Filter Question

2003-08-04 Thread R. Scott Perry

> global.cfg:
> [...]
> BAD-IP  ipfile C:\IMail\Declude\BAD-IP.txt  x   5   0
> [...]
> c:\imail\declude\bad-ip.txt (yes, it's really there ;-)
> [...]
> 217.173.135.114
> [...]

This looks good.

> Header:
> --
> Received: from mail3.cytainment.de [217.173.135.114] by siller.de with ESMTP
>   (SMTPD32-7.13) id A139395700DA; Fri, 27 Jun 2003 09:24:41 +0200

Do you have the full headers?  That will normally show what tests the 
E-mail failed (to determine if the E-mail did fail your test or not), as 
well as the IP address of the remote mailserver (in case 
HOP/HOPHIGH/IPBYPASS lines are interfering).

   -Scott


RE: [Declude.JunkMail] Filter Question

2003-02-02 Thread George Kulman
Scott,

OK.  I'll leave you alone for the rest of today.

BTW, HiJack has trapped over 500 pieces of SPAM this weekend for 2 domains
whose Primary MX's have been up and running the entire time.  JunkMail got
another 400+ for 1 of those domains.  Just shows how the spammers are going
after the secondary MX's.

George

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, February 02, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filter Question



>I would like to be able to filter on the domain names of mailservers in 
>the chain. In this case I would like to have an entry such as
>
>WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter 
>screening criteria for the mailservers in the chain).  I know I can use 
>HEADER for this but is there a parameter I've missed that would let me 
>have these checked as JunkMail is parsing to do its thing on each of 
>the hops.  I have HOPHIGH 6 in my GLOBAL.CFG.

No, there isn't any other parameter aside from HEADERS that you could 
filter on in this case.  Although Declude JunkMail does look at the server 
names, the only one it cares about is one corresponding to the remote 
mailserver (the HELO parameter in filtering).

In this case, I would recommend using something like:

 HEADERS  5  CONTAINS  .aebolts.com (

Adding the "(" there should prevent virtually all other headers from 
triggering the filter (for example, you could have "Subject: We have to do 
something about these .aebolts.com E-mails!" that wouldn't get 
caught).  It's not quite as accurate as it would be if there was a 
parameter that just searched the server names, but it's pretty close.
 -Scott




Re: [Declude.JunkMail] Filter Question

2003-02-02 Thread R. Scott Perry


> I would like to be able to filter on the domain names of mailservers in the
> chain. In this case I would like to have an entry such as
>
> WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter screening
> criteria for the mailservers in the chain).  I know I can use HEADER for
> this but is there a parameter I've missed that would let me have these
> checked as JunkMail is parsing to do its thing on each of the hops.  I have
> HOPHIGH 6 in my GLOBAL.CFG.


No, there isn't any other parameter aside from HEADERS that you could 
filter on in this case.  Although Declude JunkMail does look at the server 
names, the only one it cares about is one corresponding to the remote 
mailserver (the HELO parameter in filtering).

In this case, I would recommend using something like:

HEADERS  5  CONTAINS  .aebolts.com (

Adding the "(" there should prevent virtually all other headers from 
triggering the filter (for example, you could have "Subject: We have to do 
something about these .aebolts.com E-mails!" that wouldn't get 
caught).  It's not quite as accurate as it would be if there was a 
parameter that just searched the server names, but it's pretty close.
-Scott



Re: [Declude.JunkMail] Filter question

2002-11-22 Thread R. Scott Perry


> If I have a line in a filter, say:
>
> MAILFROM  -8  CONTAINS  @domain.com
>
> The test is defined in the Global.cfg like this:
>
> MYFILTER  filter  c:\imail\declude\filter.txt  x  -10  0
>
> That would give any message from @domain.com a negative weight of 18,
> correct?


That is correct.
   -Scott




Re: [Declude.JunkMail] filter question

2002-11-21 Thread R. Scott Perry


> Can Junkmail pro filters (for msg body) use wildcards?

No.

> Is there a reference?

The "Filtering" section of the manual covers the filtering.  We do plan to 
add a "reference" section to the manual like for the whitelisting/blacklisting.

> I want to create a filter (to hold) msgs that have embedded urls with IP
> addresses in them.

The best you could do with Declude JunkMail would be to search for 
"http://%".  However, with IMail's filters, you should be able to be more 
accurate.
-Scott



Re: [Declude.JunkMail] Filter Question...

2002-09-30 Thread R. Scott Perry


>One question about filters...
>
>You assign the rule in the Global.cfg file a weight.
>You also assign each filter a weight.
>
>Are these two weights added to get the final weight for the message?
>
>For example, if you have:
>
>MYFILTER filter c:\iMail\Declude\myfilter.txt   x   5   0
>
>And in \myfilter.txt you have:
>
>HELO 8 CONTAINS $domain
>
>
>Would a "hit" on this rule have a total weight of 8+5=13?

Yes, in this case, the total weight would be 13.

Note that multiple hits would result in an even higher weight -- so if you 
had another line "HELO 4 CONTAINS dom", another 4 would get added to the 
weight, bringing it up to 17.
   -Scott
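
The weighting arithmetic from the replies above (13, 17 and -18) and the `.aebolts.com (` header trick, modelled as an added example; this is not Declude's code and not part of the original messages. Case-insensitive matching, the message-as-dict layout, the test weight of 0 for the header rule and the sample headers are assumptions.

```python
# Added illustration: simplified model of the filter weighting described above.
# Not Declude's code; matching details are assumptions.
from dataclasses import dataclass


@dataclass
class Rule:
    field: str    # HELO, MAILFROM, HEADERS, ...
    weight: int   # per-line weight from the filter file
    op: str       # CONTAINS or IS
    value: str    # rest of the line, internal spaces kept


def parse_filter(text):
    """Parse 'FIELD WEIGHT OP VALUE' lines; blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2].upper() not in ("CONTAINS", "IS"):
            raise ValueError(f"unsupported filter line: {raw!r}")
        rules.append(Rule(parts[0].upper(), int(parts[1]),
                          parts[2].upper(), parts[3]))
    return rules


def hits(rules, message):
    """Return matching rules. Case-insensitive matching is an assumption."""
    matched = []
    for rule in rules:
        haystack = message.get(rule.field, "").lower()
        needle = rule.value.lower()
        if (rule.op == "IS" and haystack == needle) or \
           (rule.op == "CONTAINS" and needle in haystack):
            matched.append(rule)
    return matched


def total_weight(test_weight, rules, message):
    """Test weight from global.cfg plus the weight of every matching line."""
    matched = hits(rules, message)
    return test_weight + sum(r.weight for r in matched) if matched else 0


# Constructed sample headers (hostnames and addresses are made up).
RELAYED = ("Received: from mx1.aebolts.com (mx1.aebolts.com [192.0.2.10]) "
           "by mail.example.net\nSubject: hello")
MENTION = ("Received: from mail.example.org (mail.example.org [192.0.2.20]) "
           "by mail.example.net\n"
           "Subject: We have to do something about these .aebolts.com E-mails!")
HEADER_RULES = parse_filter("HEADERS  5  CONTAINS  .aebolts.com (")
```
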




Re: [Declude.JunkMail] Filter question

2002-08-01 Thread R. Scott Perry


>Scott, I guess I could test this, but I'm sure you can tell me off the top
>of your head.  When using the "BODY" search in the filter file, does Declude
>search just the actual body of the e-mail message or does it search all
>attachments, as well?

It searches the entire body of the E-mail, which includes the attachments.
-Scott




Re: [Declude.JunkMail] Filter question

2002-06-20 Thread R. Scott Perry


>How would I go about filtering for this in the header? Is it possible?
>
>To: 

It isn't currently possible in Declude JunkMail.  It most likely will be 
possible in an upcoming release, though.

However, you should note that "" is used by many 
legitimate mailing lists, so it might be best to use it only as part of a 
weighting system.
-Scott
