I believe that MINWEIGHT 15 always exits the filter since it starts
with a score of zero.
If Andrew's suggestion doesn't work for your purposes, there's likely a
kludge that can be written with multiple filter files that can do this.
Matt
Andy Schmidt wrote:
Message
Hi Matt:
Uh - I see. We would need a
"SKIPIFWEIGHTLESS" option. Scott?
But - I still don't understand why I don't
see lots of entries for "NOTSNIFFed". If anything, now I should see
lots of legitimate mail "match" that test?
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414
x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
Andy,
That's not how MINWEIGHT works. MINWEIGHT is used for a filter so that
it doesn't subtract any more than the value that you give it, generally
a negative number unless you get fancy and apply scoring tests first.
The only way to do this currently would be to create an external test
to run after Sniffer which passes in the %WEIGHT% variable.
Matt
Andy Schmidt wrote:
Hi,
I'm
trying to detect mails weight >= 15 that did NOT fail "Sniffer".
I
have:
Global.cfg:
SNIFFER external nonzero
"D:\IMAIL\Sniffer\Win32\????????.exe ?????" 4 0
SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\????????.exe
?????" 1 0
SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\????????.exe
?????" 2 0
SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\????????.exe
?????" 2 0
SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\????????.exe
?????" 2 0
SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\????????.exe
?????" 2 0
NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0
In
"NOTSNIFFEDfilter.txt"
MINWEIGHT 15
TESTSFAILED END CONTAINS SNIFFER
REMOTEIP 0 CONTAINS .
Yet,
the log doesn't show "NOTSNIFFed":
05/31/2004 17:48:59 Qa83f230c00e4d595
SPAMCOP:7 XBL-DYNA:7 HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight
= 26.
05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail
with weight >=19 (26) and at least 1 recipients (7).
05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail
with weight >=14 (26) and at least 4 recipients (7).
05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail
with weight >=12 (26) and at least 6 recipients (7).
05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED]
05/31/2004 17:48:59 Qa83f230c00e4d595 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 61.73.93.27 ID:
05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed [weight=26]:
BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE SPAMCOP=WARN
NJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE HELOBOGUS=WARN
IPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN NOLEGITCONTENT=IGNORE
WEIGHTKILL=DELETE
05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] [EMAIL PROTECTED]
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201
934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|