I have implemented these changes Michael, and it seems to work. I will
inform as they are in place for a while. The one thing that I am struggling
with is that when I have a message caught in the filter that shouldn't be, I
have to try to figure out which rule rejected the message. I was given an
ima file by Chris Hunt that is working pretty well, but I am having some
mail trapped that shouldn't be. Is there an easy way to track which rule
rejected the message when it is forwarded to the spam email box short of
100's of fwd files and sub mail boxes? What about using external files for
the rules to at least narrow down the area to which rules rejected the
message? Has anyone used some kind of tool that can take a message sent by
an administrator to add or subtract a rule to the ima files? I could then
add to the rules remotely by sending an email that is then added to the
rule.ima file. I could then have a scheduled event copy the updated rules
and stop and restart the smtp server once or twice a day.
I seem to be having to manage the server much more than in the past. While
I expect some level of extra work, I really don't want this taking up so
much of my time. Thanks for all the help!!
Scott R. Morgan
[EMAIL PROTECTED]
SUPERIOR RESTAURANT MANAGEMENT SERVICES
(512) 443-3979
(512) 416-9621 (Fax)
USPA A-29450
Only a skydiver knows why the birds sing....
They don't have to repack a parachute every time they land!!!
-----Original Message-----
From: Michael Ernst [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 09, 2001 3:12 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Rule Filters
Scott, as you may have discovered, the first rule (for MIME-encoded
attachments) was missing the double quote (") following the file extension,
causing it to filter more attachments than just the virus-laden ones it is
intended to intercept, including some html attachments and zips.
The IMAIL Knowledgebase article was rewritten on Wed., 3/7/01 to correct
this error.
http://support.ipswitch.com/kb/IM-19980116-DD08.htm
Also, your rules seem to be missing the * for "repeated any number of
times".
Yours (ignore the !):
> B~(name=".\.vb!s|name=".\.sh!s|name=".\.sc!r):virus
> B~(Begin 6.\.vb!s|Begin 6.\.sh!s|Begin 6.\.sc!r):virus
Should read:
> B~(name=".*\.vb!s"|name=".*\.sh!s"|name=".*\.sc!r"):virus
> B~(Begin 6.*\.vb!s|Begin 6.*\.sh!s|Begin 6.*\.sc!r):virus
NOTES:
All MIME attachments are prefaced by the string
name="filename.ext"
(while Uuencoded attachments start with
begin 6nn - where nn is variable)
Thus, to filter all MIME attachments with the extension ".ggg", we would use
the rule:
B~name=".*\.ggg":virus
where the rule components are defined as follows:
B - Body of the message
~ - containing
name=" - the first part of the literal we're seeking
.* - followed by any characters (.) repeated any number of times (*)
\. - followed by a period
ggg" - followed by ggg"
:virus - send to the virus folder
Rules only filter the first 32K of any message.
Michael
--
Michael Ernst
Computer Systems Administrator
The Woods Hole Research Center
http://www.whrc.org
> ----------------------------------------------------------------------
>
> From: "Scott R. Morgan" <[EMAIL PROTECTED]>
> Subject: [IMail Forum] Rule Filters
> Date: Wed, 7 Mar 2001 22:33:34 -0600
> Reply-To: [EMAIL PROTECTED]
>
> I am filtering for ex!e, sc!r and vb!s files. I seem to be catching other
> files though in this filter. I am trapping zip files for one. (Obviously,
> all references here and following with ! marks need to be removed)
>
> Here is the rule as I have it set up:
> B~(name=".\.vb!s|name=".\.sh!s|name=".\.sc!r):virus
> B~(Begin 6.\.vb!s|Begin 6.\.sh!s|Begin 6.\.sc!r):virus
> B~name=".\.ex!e":virus
>
> The first question is why am I catching the zip files?
>
> Thanks for the help in advance.
>
> Scott R. Morgan
> [EMAIL PROTECTED]
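
Added example, not part of the original thread or of IMail: a small offline tester that reports which rule line fires on a message body and on what text, applied to the three rule variants discussed above. It assumes Python's `re` behaves like IMail's rule engine for the `.`, `*`, `\.` and `|` constructs, handles only the `B~pattern:folder` form, writes the extensions without the `!` placeholders, and uses constructed sample headers; `parse_rule` and `explain` are hypothetical names.

```python
import re

SCAN_LIMIT = 32 * 1024  # per the thread: rules only filter the first 32K

# Rule lines in the B~<regex>:<folder> form quoted above ("!" placeholders dropped).
RULES = [
    r'B~(name=".\.vbs|name=".\.shs|name=".\.scr):virus',        # no *, no closing quote
    r'B~(name=".*\.vbs|name=".*\.shs|name=".*\.scr):virus',     # * added, no closing quote
    r'B~(name=".*\.vbs"|name=".*\.shs"|name=".*\.scr"):virus',  # corrected form
]

# Constructed MIME part headers, not taken from real mail.
ZIP_PART = 'Content-Type: application/zip;\n\tname="holiday.scrapbook.zip"\n'
VBS_PART = 'Content-Type: application/octet-stream;\n\tname="invoice.txt.vbs"\n'


def parse_rule(line):
    """Split a body-contains rule into (compiled regex, folder)."""
    if not line.startswith("B~") or ":" not in line:
        raise ValueError(f"unsupported rule: {line!r}")
    pattern, _, folder = line[2:].rpartition(":")
    return re.compile(pattern), folder


def explain(rules, body):
    """List (rule number, folder, matched text) for each rule that fires."""
    window = body[:SCAN_LIMIT]  # characters stand in for bytes here
    hits = []
    for number, line in enumerate(rules, start=1):
        regex, folder = parse_rule(line)
        match = regex.search(window)
        if match:
            hits.append((number, folder, match.group(0)))
    return hits


if __name__ == "__main__":
    for label, body in [("zip", ZIP_PART), ("vbs", VBS_PART),
                        ("vbs past 32K", "A" * SCAN_LIMIT + VBS_PART)]:
        print(label, explain(RULES, body))
```

The matched text in each hit shows where the pattern stopped: without the closing quote the second rule stops inside the zip's filename, and a header that starts past the 32K window is never seen by any rule.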