I am not getting consistent behavior on one of the filters I am using. The filter test does not seem to catch anything from some addresses even though I have not set any whitelists on my server. I have attached a txt file of the headers from the messages, the entries from the Declude log file, and the related entries from my cfg file. The example emails are two that I sent with the same subject line, one from my gmail account and one from my hotmail account. The one from hotmail is caught, and one from gmail is not. I'm not sure what I am missing here. Any suggestions or ideas would be greatly appreciated.

Jeffrey

Jeffrey Di Gregorio MCSE CCNP
Systems Administrator
Pacific School of Religion
510-849-8283

test
PHISHINGFILTER filter D:\IMail\Declude\Filters\phishing.txt x 0 0
****************************************************************************
Action
PHISHINGFILTER ROUTETO [EMAIL PROTECTED]
****************************************************************************
entry in the filter
SUBJECT 0 CONTAINS Your Account Will Be Suspended
*****************************************************************************
this message got through, did not trip the filter...

02/24/2005 14:59:50 Q5c641c9803d4c707 R1 Message OK
02/24/2005 14:59:50 Q5c641c9803d4c707 Subject: your account will be suspended
02/24/2005 14:59:50 Q5c641c9803d4c707 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 64.233.170.204 ID: b11so443721rne
02/24/2005 14:59:50 Q5c641c9803d4c707 Tests failed [weight=0]: IPNOTINMX=WARN NOLEGITCONTENT=WARN CATCHALLMAILS=IGNORE
02/24/2005 14:59:50 Q5c641c9803d4c707 Last action = IGNORE.

message header

Microsoft Mail Internet Headers Version 2.0
Received: from mecca.psr.edu ([209.76.204.2]) by psr-exch01.psr.edu with Microsoft SMTPSVC(6.0.3790.211); Thu, 24 Feb 2005 15:02:47 -0800
Received: from rproxy.gmail.com [64.233.170.204] by mecca.psr.edu with ESMTP (SMTPD32-8.11) id AC641C9803D4; Thu, 24 Feb 2005 14:59:48 -0800
Received: by rproxy.gmail.com with SMTP id b11so443721rne for <[EMAIL PROTECTED]>; Thu, 24 Feb 2005 14:59:30 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=VHGNr9rLCK5DNvyNzfvPeLYT/xbQmeMt9cEPolvkrAuTqONgxBfFxdFHgDGNu90jWaRDW5YkhDSq1RCh4ZyOWibwd7m9Xuuikl6tXFJsc1ganKPm0SvNO0wkhShHCybe++7ZOPfxmyrHxgvmuZliMAPSQdJn/8piZLXb0JC1Ku8=
Received: by 10.38.22.69 with SMTP id 69mr192034rnv; Thu, 24 Feb 2005 14:59:30 -0800 (PST)
Received: by 10.38.98.27 with HTTP; Thu, 24 Feb 2005 14:59:30 -0800 (PST)
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 24 Feb 2005 14:59:30 -0800
From: jeffrey Di Gregorio <[EMAIL PROTECTED]>
Reply-To: jeffrey Di Gregorio <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: your account will be suspended
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-Declude-Sender: [EMAIL PROTECTED] [64.233.170.204]
X-Spam-Tests-Failed: None
X-Country-Chain: UNITED STATES->destination
X-Note: Reverse DNS: rproxy.gmail.com
X-Note-Out: The total spam weight is 0
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 24 Feb 2005 23:02:47.0947 (UTC) FILETIME=[F53105B0:01C51AC4]
************************************************************************************
This message was caught by the filter and the ROUTETO action was used...

02/24/2005 14:58:24 Q5c0f18fd03ccc6f4 nNOLEGITCONTENT:-40 . Total weight = -40.
02/24/2005 14:58:24 Q5c0f18fd03ccc6f4 R1 Message OK
02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 Subject: your account will be suspended
02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 64.4.56.33 ID:
02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 Tests failed [weight=-40]: NOPOSTMASTER=IGNORE IPNOTINMX=WARN PHISHINGFILTER=ROUTETO CATCHALLMAILS=IGNORE
02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 Last action = IGNORE.

message header

Microsoft Mail Internet Headers Version 2.0
Received: from mecca.psr.edu ([209.76.204.2]) by psr-exch01.psr.edu with Microsoft SMTPSVC(6.0.3790.211); Thu, 24 Feb 2005 15:01:22 -0800
Received: from hotmail.com [64.4.56.33] by mecca.psr.edu with ESMTP (SMTPD32-8.11) id AC0F18FD03CC; Thu, 24 Feb 2005 14:58:23 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 24 Feb 2005 14:58:04 -0800
Message-ID: <[EMAIL PROTECTED]>
Received: from 64.162.197.45 by by101fd.bay101.hotmail.msn.com with HTTP; Thu, 24 Feb 2005 22:57:15 GMT
X-Originating-IP: [64.162.197.45]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
From: "jeffree 13" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Bcc:
Subject: your account will be suspended
Date: Thu, 24 Feb 2005 22:57:15 +0000
Mime-Version: 1.0
Content-Type: text/html; format=flowed
X-OriginalArrivalTime: 24 Feb 2005 22:58:04.0529 (UTC) FILETIME=[4C42DE10:01C51AC4]
X-RBL-Warning: IPNOTINMX:
X-Declude-Sender: [EMAIL PROTECTED] [64.4.56.33]
X-Spam-Tests-Failed: NOPOSTMASTER [0], PHISHINGFILTER [0]
X-Country-Chain: UNITED STATES->destination
X-Note: Reverse DNS: bay101-f23.bay101.hotmail.com
X-Note-Out: The total spam weight is -40
Return-Path: [EMAIL PROTECTED]
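
An added triage example, not part of the original post or of Declude: it groups log lines like the ones above by queue ID and reports messages where a named test did not fire although another message with the same subject did. It assumes only the line layout visible in the post (date, time, queue ID, text); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (addresses were already redacted there).
LOG = """\
02/24/2005 14:59:50 Q5c641c9803d4c707 R1 Message OK
02/24/2005 14:59:50 Q5c641c9803d4c707 Subject: your account will be suspended
02/24/2005 14:59:50 Q5c641c9803d4c707 Tests failed [weight=0]: IPNOTINMX=WARN NOLEGITCONTENT=WARN CATCHALLMAILS=IGNORE
02/24/2005 14:58:24 Q5c0f18fd03ccc6f4 R1 Message OK
02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 Subject: your account will be suspended
02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 Tests failed [weight=-40]: NOPOSTMASTER=IGNORE IPNOTINMX=WARN PHISHINGFILTER=ROUTETO CATCHALLMAILS=IGNORE
"""

LINE = re.compile(r"^\S+ \S+ (Q\w+) (.*)$")          # date, time, queue ID, text
TESTS = re.compile(r"^Tests failed \[weight=(-?\d+)\]: (.*)$")

def parse(log):
    """Return {queue_id: {"subject", "weight", "tests": {name: action}}}."""
    msgs = defaultdict(lambda: {"subject": None, "weight": None, "tests": {}})
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                  # not a per-message line
        qid, rest = m.groups()
        rec = msgs[qid]
        if rest.startswith("Subject: "):
            rec["subject"] = rest[len("Subject: "):]
        t = TESTS.match(rest)
        if t:
            rec["weight"] = int(t.group(1))
            rec["tests"] = dict(p.split("=", 1) for p in t.group(2).split())
    return dict(msgs)

def missed(log, test_name):
    """Queue IDs where test_name is absent but a same-subject message has it."""
    msgs = parse(log)
    by_subject = defaultdict(list)
    for qid, rec in msgs.items():
        by_subject[(rec["subject"] or "").lower()].append(qid)
    out = []
    for qids in by_subject.values():
        if any(test_name in msgs[q]["tests"] for q in qids):
            out += [q for q in qids if test_name not in msgs[q]["tests"]]
    return out
```
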