Help me out please. Why are we looking for the beginning of an IP address? Also my understanding of these filters is to eliminate sending emails to users that were not the original senders because of a forged virus. Is that correct??? If so wouldn't adding the Virus name to the declude forged tag solve that??
I am asking here so please do not assume I know much <G>... >>bracketfl - returned messages should have the original headers so I'm looking for the >>beginning of an IP address -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of System Administrator Sent: Thursday, May 06, 2004 8:46 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] blocking auto reply messages on 4/30/04 12:41 PM, Jeffrey Di Gregorio wrote: > Does anyone have a suggestion on what to do about the growing number > of auto reply messages being received by clients because of the > current amount of forging viruses. I am getting daily complaints from > clients who say they never sent anything to someone but are receiving > multiple auto response messages (user unknown, mailbox full, virus > warnings, etc.) I am at a loss on what to do about this. I was having the same problem as you and I came up with these filters that seem to work for me. UNKNOWNUSERF filter e:\imail\declude\unknownuserf.txt x 0 0 BRACKETFL filter e:\imail\declude\bracketfl.txt x 0 0 BRACKETFR filter e:\imail\declude\bracketfr.txt x 0 0 ACSMAILF filter e:\imail\declude\acsmailf.txt x 0 0 NEVERSENTF filter e:\imail\declude\neversentf.txt x 0 0 unknownuserf - SKIPIFWEIGHT 50 BODY 0 CONTAINS unknown user BODY 0 CONTAINS user unknown bracketfl - returned messages should have the original headers so I'm looking for the beginning of an IP address SKIPIFWEIGHT 50 BODY 0 CONTAINS [1 BODY 0 CONTAINS [2 BODY 0 CONTAINS [3 BODY 0 CONTAINS [4 BODY 0 CONTAINS [5 BODY 0 CONTAINS [6 BODY 0 CONTAINS [7 BODY 0 CONTAINS [8 BODY 0 CONTAINS [9 bracketfr - looking for the end of an IP address SKIPIFWEIGHT 50 BODY 0 CONTAINS 0] BODY 0 CONTAINS 1] BODY 0 CONTAINS 2] BODY 0 CONTAINS 3] BODY 0 CONTAINS 4] BODY 0 CONTAINS 5] BODY 0 CONTAINS 6] BODY 0 CONTAINS 7] BODY 0 CONTAINS 8] BODY 0 CONTAINS 9] acsmailf - contains the IP and name of my outgoing mail server (obviously substitute yours), if the message contains one of these values it is possible the message did originate here. SKIPIFWEIGHT 50 BODY 0 CONTAINS 12.4.184.4 BODY 0 CONTAINS mail.acsworld.com neversentf - if the message was about an "unknown user" and had header records, but they were not from my mail server, then it didn't come from my mail server so we add 40 to the weight. We delete on 40 weight. SKIPIFWEIGHT 50 TESTSFAILED END CONTAINS acsmailf TESTSFAILED 40 CONTAINS unknownuserf bracketfl bracketfr If anyone is interested, our newest nigerian filter is available for download at http://www.acsworld.net/declude/nigerianf.zip . It's a work in progress but it seems to catch some scam messages everyday. Later, Greg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.