David
 Years ago I set up a system to forward uncaught sniffer email with a weight 
of 18 or greater to an account used by ARM.
 Since we use different weights for various tests, we have 18 various tests.
 I then use a filter file to flag as SNIFFERNOCATCH those not caught.
 In the past the problem was that Declude did not attach a weight until the 
very end, so there was no way to only flag mail with a weight of 18 or greater. 
 So we copyto all mail that is caught by SNIFFERNOCATCH to the account and 
delete if the weight is less than 18.

 I hoped that the new NOHIT test would use our test SNIFFERCATCH and look at 
the total weight and only trigger on those whose weight is greater than 18.

 I do know that the SNIFFERNOCATCH does grab mail not caught by sniffer, 
 and that SNIFFERCATCH correctly flags those caught.

 =========================================================================
 Here is our test for mail not caught by sniffer
 SNIFFERCATCH          filter  D:\Imail\Declude\Filters\SNIFFERCATCH.txt        x       0       0

 =========================================================
 Here is our SNIFFERCATCH.txt 

 TESTSFAILED   0     CONTAINS SNIFFER-SURE
 TESTSFAILED   0     CONTAINS SNIFFER-AV-PUSH
 TESTSFAILED   0     CONTAINS SNIFFER-WAREZ
 TESTSFAILED   0     CONTAINS SNIFFER-SPAMWARE
 TESTSFAILED   0     CONTAINS SNIFFER-SNAKEOIL
 TESTSFAILED   0     CONTAINS SNIFFER-SCAMS
 TESTSFAILED   0     CONTAINS SNIFFER-PORN
 TESTSFAILED   0     CONTAINS SNIFFER-MALWARE
 TESTSFAILED   0     CONTAINS SNIFFER-ADVERTISING
 TESTSFAILED   0     CONTAINS SNIFFER-SCHEME
 TESTSFAILED   0     CONTAINS SNIFFER-CREDIT
 TESTSFAILED   0     CONTAINS SNIFFER-GAMBLING
 TESTSFAILED   0     CONTAINS SNIFFER-EXPERIMENTAL
 TESTSFAILED   0     CONTAINS SNIFFER-OBFUSCATION
 TESTSFAILED   0     CONTAINS SNIFFER-IP-RULES
 TESTSFAILED   0     CONTAINS SNIFFER-INSURANCE

 TESTSFAILED   0    CONTAINS SNIFFER-SUSPECT
 TESTSFAILED   0    CONTAINS SNIFFER-TRAVEL
 TESTSFAILED   0    CONTAINS SNIFFER-GREYMAIL

 ==========================================================================

 
 SNIFFERMOVE             NOHIT         SNIFFERCATCH                WEIGHT            18      0      0

 
 BTW I just flew in to LA from Portugal and am lacking some sleep so I hope I'm 
doing this correctly

 John

 

 
 ---- Original Message ----
 From: "David Barker" [email protected]
 Sent: 2/26/2014 9:33:46 AM
 To: [email protected]
 Subject: [MBF]Re: MBF releases new build of Declude 4.12.05

    



Do you have a test called SNIFFERCATCH? Can you post the line in your 
global.cfg? 







From: [email protected] [mailto:[email protected]] On 
Behalf Of John Doyle
 Sent: Wednesday, February 26, 2014 11:37 AM
 To: [email protected]
 Subject: [MBF]Re: MBF releases new build of Declude 4.12.05   



David
 I updated Declude to 4.12.05 this morning and added the NOHIT test.
 It works, with the exception of the fact that the weight does not seem to work:
 it catches anything not caught by sniffer, but even with a weight lower than 
the set value.
 i.e.:
 I set the weight at 18 and it seems to catch everything.
 SNIFFERMOVE             NOHIT         SNIFFERCATCH                WEIGHT            18      0      0
 Do you see anything wrong with my setup?
 Thanks
 John

 
 ---- Original Message ----
 From: "David Barker" [email protected]
 Sent: 2/24/2014 8:41:58 AM
 To: [email protected]
 Subject: [MBF]MBF releases new build of Declude 4.12.05 

New files available from http://mailsbestfriend.com/downloads/ 



4.12.05  FIX - Removed Key check for Declude, no need to hack the Host file. 
Declude no longer requires a key to run. 

4.12.04  ADD - Created new test NOHIT 

4.12.03  ADD - Improved Hijack by monitoring the Authenticated user rather  
than the mailfrom address 



The NOHIT test is used to determine which tests did NOT trigger. The main 
purpose of this implementation was to create a feedback system to Message 
Sniffer ARM research to improve spam catch rates on new spam. The new test 
syntax is below and is located in the global.cfg 

  TEST-NAME1             NOHIT          TEST-NAME2     WEIGHT          0       0 

  TEST-NAME1      Your given name of the test
  NOHIT           Test Type
  TEST-NAME2      The name of the test you are tracking that did NOT trigger
  WEIGHT          The weight = when you would like this test to trigger



Example of use (This test will trigger if SNIFFER is NOT triggered for emails 
over 30 points): 



SNF-FEEDBACK           NOHIT          SNIFFER         30      0       0 



Using this test we can identify messages that scored more than 30 points and 
did NOT trigger sniffer. We then use either a COPYTO or ROUTETO Action in the 
$default$.junkmail file to have these messages go to a specific inbox where ARM 
research periodically retrieves these messages and writes new rules to 
distribute to other Message Sniffer users.  



The entry in the $default$.junkmail would be: 



SNF-FEEDBACK   ROUTETO   [email protected] 



Where xxxx is your license key for Message Sniffer.  Be sure to set up an email 
user with [email protected] on your server and provide ARM research 
[email protected] with the POP account details to access the account to 
retrieve messages. 



I am sure there are other great ways the NOHIT test can be used. Let us know if 
you have some ideas. 

David Barker
 Mails Best Friend 

Email     : [email protected]
 Web      : www.mailsbestfriend.com
 Office    : 866.919.2075
 Mobile  : 978.518.6461 
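
Added example, not part of the original thread and not Declude's own code: a small Python check that parses NOHIT lines against the six-field layout of the announcement's SNF-FEEDBACK example and models when such a test should fire. The function names and the strict "over the weight" comparison are assumptions; the two sample lines are copied from the messages above.

```python
import re
from typing import NamedTuple

class NoHit(NamedTuple):
    name: str      # TEST-NAME1: your name for the test
    tracked: str   # TEST-NAME2: the test that must NOT have triggered
    weight: int    # total message weight above which the test fires

def parse_nohit(line: str) -> NoHit:
    """Parse a NOHIT line laid out like the announcement's example:
    NAME NOHIT TRACKED-TEST <number> 0 0 (six whitespace-separated fields)."""
    fields = line.split()
    if len(fields) < 2 or fields[1].upper() != "NOHIT":
        raise ValueError("not a NOHIT test line")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, found {len(fields)}")
    if not re.fullmatch(r"\d+", fields[3]):
        raise ValueError(f"field 4 should be the weight, found {fields[3]!r}")
    return NoHit(fields[0], fields[2], int(fields[3]))

def lint(cfg_text: str) -> dict:
    """Map each NOHIT test name to its parsed definition or to an error string."""
    report = {}
    for line in cfg_text.splitlines():
        fields = line.split()
        if len(fields) > 1 and fields[1].upper() == "NOHIT":
            try:
                report[fields[0]] = parse_nohit(line)
            except ValueError as exc:
                report[fields[0]] = f"error: {exc}"
    return report

def should_fire(test: NoHit, total_weight: int, tests_failed: set) -> bool:
    """Assumed semantics, following the announcement's wording: fire when the
    tracked test did not trigger and the message scored over the weight."""
    return test.tracked not in tests_failed and total_weight > test.weight

# Both lines are copied from the thread; the second keeps the word WEIGHT
# from the syntax template in front of the number, giving seven fields.
SAMPLE_CFG = """\
SNF-FEEDBACK   NOHIT   SNIFFER        30   0   0
SNIFFERMOVE    NOHIT   SNIFFERCATCH   WEIGHT   18   0   0
"""

if __name__ == "__main__":
    for name, result in lint(SAMPLE_CFG).items():
        print(name, "->", result)
```

The thread does not say how Declude itself reads a line with a non-numeric fourth field, so the lint result only shows that the line differs from the documented layout.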

  
