Many thanks to Rick Leske for posting his rules.ima file
and allowing all of us to share his hard work.
I downloaded the files and took a look at the rules.ima
file. Given the number of domains I manage (not all that
many) and that I enjoy the punishment, I decided to
experiment and test the new rules.ima file. I wanted
to know what messages would be trapped and how many
trapped messages were messages I did not want trapped.
I updated the rules.ima file to redirect the trapped
messages to a folder (spambox not NUL) and placed the
file in my personal mail directory.
I found that over 10 percent of the messages
were messages from opt-in mailing lists. These were
subscriptions in various industry mailing lists I track.
PC Week, Ziff-Davis, cNet, etc...
After looking at the messages, the pattern suggested
one rule was responsible for about 99 percent of these
false positive hits. The messages were all delivered
as HTML and the offending data was an e-mail address.
The Imail rule and data information in the message
header pointed to a mailto hypertext link where the
e-mail address was in a dot com domain and a single
space followed the quoted e-mail address.
The specific rule was looking at the body and appeared to
be looking for a file name equal to whatever and
ending with a dot com, a quote and a space.
Here is the rule:
B~(name=".*\.bat"\s|name=".*\.com"\s|name=".*\.exe"\s|name=".*\.lnk"\s|name=".*\.pif"\s):spambox
And the data from the header inserted by Imail:
.comQuote class="topnav"> HotSpots
Replace Quote with "
(otherwise Rick might not see this message).
The actual HTML never showed "name=".
Just curious.
db
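
An added example, not part of the original post: the posted rule body run under Python's re module, which is an assumption and may not behave the same as IMail's own rule matcher. The sample lines and the tightened pattern are constructed for illustration.

```python
import re

# Rule body as posted (the part between "B~" and ":spambox").
POSTED = (r'(name=".*\.bat"\s|name=".*\.com"\s|name=".*\.exe"\s'
          r'|name=".*\.lnk"\s|name=".*\.pif"\s)')

# Tightened variant (an assumption, not from the post): the file name may
# not contain a quote, so a match cannot run past the end of name="...".
TIGHT = r'name="[^"]*\.(bat|com|exe|lnk|pif)"\s'

# Constructed sample lines, one per case of interest.
SAMPLES = {
    # MIME attachment header: the case the rule is meant to catch.
    "attachment":
        'Content-Type: application/octet-stream; name="update.exe" \n',
    # Newsletter mailto link with no name= anywhere on the line.
    "mailto_only":
        '<a href="mailto:news@example.com" class="topnav"> HotSpots</a>\n',
    # Same link, preceded on the same line by an HTML named anchor.
    "anchor_then_mailto":
        '<a name="top"></a>'
        '<a href="mailto:news@example.com" class="topnav"> HotSpots</a>\n',
}


def hits(pattern, text):
    """Return the matched substring, or None if the pattern does not match."""
    m = re.search(pattern, text)
    return m.group(0) if m else None


def classify(pattern):
    """Map each sample label to True/False: would the rule trap that line?"""
    return {label: hits(pattern, line) is not None
            for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:20} posted={hits(POSTED, line)!r}")
        print(f"{'':20} tight ={hits(TIGHT, line)!r}")
```

Under these semantics the greedy ".*" lets any earlier name=" on a line pair up with a later .com" followed by a space, which is one way an HTML link can trip a rule written for attachment file names.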