We've been monitoring the MN-COMBO test (multiple tests failed) for the past 2 months.
Most are failing INV-URIBL and SNIFFER, but some are only failing one of them (either SNIFFER or INV-URIBL) but will fail DSBL/CBL/ROUTING/MXRATE.

We've noticed that all the emails that we've monitored with the MN-COMBO that are spam have multiple country hops. This is what we want to catch. Deleting based just on MN-COMBO will delete some false positives. But detecting our MN-COMBO test and then filtering the country hops will eliminate the false positives, as they all originate outside of USA and/or start in USA then bounce to another country, then back to USA.

Does anyone know (Darrell) if the %COUNTRYCHAIN% can be passed to an external program? I've thought of developing an EXE that does this final scan after MN-COMBO is tested.

TIA,
Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, September 16, 2005 2:31 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Help in creating a Filter

Just to second this - I have seen a large amount of customers also farm out filtering to companies like big fish which scan the mail in overseas countries.

Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Scott Fisher writes:

> I think this would do it in two filters:
> filter 1:
> SKIPIFWEIGHT 100
> TESTSFAILED END NOTCONTAINS MN-COMBO
> COUNTRIES 100 NOTCONTAINS US
>
> filter 2:
> SKIPIFWEIGHT 100
> TESTSFAILED END NOTCONTAINS MN-COMBO
> TESTSFAILED END CONTAINS filter1
> COUNTRIES END STARTSWITH US
> COUNTRIES 100 CONTAINS US
>
> I'd be careful. Lots of US subsidiaries are owned by a foreign company and
> have their mail server overseas.
> Also watch out for these special country codes: (which can belong to valid
> servers):
> #
> # Special Codes
> #
> *1 Multi-Regional
> *2 Europe
> *3 North America
> *4 Central/South America
> *5 Pacific Rim
> *A ARIN Unlisted (North America/South Africa)
> *B Public Data Network
> *E RIPE Unlisted (Europe, North Africa, Middle East)
> *I Private IP
> *L Loopback
> *M Multicast
> *P APNIC Unlisted (Asia Pacific)
> *R IANA Reserved
> *U Unknown
>
> ----- Original Message -----
> From: "Erik" <[EMAIL PROTECTED]>
> To: <Declude.JunkMail@declude.com>
> Sent: Friday, September 16, 2005 12:45 PM
> Subject: [Declude.JunkMail] Help in creating a Filter
>
>> Could someone help me in creating a filter?
>>
>> I need something to this effect. Can this be done in one filter?
>>
>> If WEIGHT = 100 or Higher then END
>>
>> If TESTFAILED CONTAINS "MN-COMBO" Then
>>    If CountryChain NOTCONTAINS "UNITED STATES" Then
>>       Then DELETE (triggers the filter - return 100 as weight)
>>    End If
>>
>>    If CountryChain CONTAINS "UNITED STATES->destination" Then
>>       'Email is probably good (return zero)
>>    Else
>>       DELETE (triggers the filter - return 100 as weight)
>>    End If
>>
>> End If
>>
>> Thanks!
>> Erik
>>
>> ---
>> This E-mail came from the Declude.JunkMail mailing list. To
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
>> "unsubscribe Declude.JunkMail". The archives can be found at
>> http://www.mail-archive.com.
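
Added example, not part of any message in this thread and not Declude code: a sketch of the final country-hop scan described in the top message, written as the decision logic an external program could apply after MN-COMBO. It assumes the chain arrives as country codes joined by "->" with the origin first and the failed tests as a space-separated list; whether %COUNTRYCHAIN% can be passed to an external program is the open question in the thread, and all function names are hypothetical.

```python
# Added example. Assumptions (not from Declude documentation): the chain is
# country codes joined by "->", origin first; inputs below are constructed.
HOME = "US"

def parse_chain(chain, sep="->"):
    """Split the chain into hops; drop empties and the special '*x' codes
    (Private IP, Loopback, Unknown, ...) since they name no country."""
    hops = (h.strip().upper() for h in chain.split(sep))
    return [h for h in hops if h and not h.startswith("*")]

def classify(chain, home=HOME):
    """Label a chain: no-data, domestic, foreign-origin, bounce or outbound."""
    hops = parse_chain(chain)
    if not hops:
        return "no-data"            # only special codes: no evidence either way
    if all(h == home for h in hops):
        return "domestic"
    if hops[0] != home:
        return "foreign-origin"     # originates outside the home country
    # Starts at home and leaves it: did it come back afterwards?
    first_foreign = next(i for i, h in enumerate(hops) if h != home)
    return "bounce" if home in hops[first_foreign:] else "outbound"

def extra_weight(tests_failed, chain, weight=0, hit=100):
    """Weight to add for one message, mirroring SKIPIFWEIGHT 100 and the
    MN-COMBO gate used by the filters in the thread."""
    if weight >= 100:               # already at the limit, nothing to add
        return 0
    if "MN-COMBO" not in tests_failed.split():
        return 0
    # Only the two patterns named in the top message are scored.
    return hit if classify(chain) in ("foreign-origin", "bounce") else 0

if __name__ == "__main__":
    samples = [  # constructed: (tests failed, chain, weight so far)
        ("MN-COMBO SNIFFER INV-URIBL", "CN->KR->US", 40),
        ("MN-COMBO SNIFFER", "US->BR->US", 35),
        ("MN-COMBO DSBL", "*I->US->US", 30),
        ("SNIFFER", "RU->US", 20),
        ("MN-COMBO CBL", "*U->*I", 30),
    ]
    for tests, chain, w in samples:
        print(f"{chain:12} {classify(chain):15} +{extra_weight(tests, chain, w)}")
```

A chain that starts in the home country and ends abroad ("outbound") is left unscored here because the thread does not say how to treat it.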