RE: [Declude.JunkMail] Detect "Test NOT Failed"
Title: Message Thank's Matt - smart work-around. I incorporated the key concept and it seems to work! Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Monday, May 31, 2004 11:08 PMTo: [EMAIL PROTECTED]Subject: Re: [Declude.JunkMail] Detect "Test NOT Failed"Andy,I'm a big proponent of a skip if less than or more than setup, however I would like to see this in the Global.cfg so that the filter files don't even need to be opened and read if the proper weights have been tripped, thus saving a bunch of processing. This could be done with two columns added to the definitions of each custom filter, the first number being less than or equal to and the second number being greater than or equal to resulting in a skip.Regarding this filter, just modify your approach a little. This requires 1.79i7 for NOTCONTAINS functionality. First test for the weight in a single filter.- WeightTest.txt -SKIPIFWEIGHT 15REMOTEIP 0 CONTAINS .Then check for both Sniffer plus the WEIGHTTEST filter:- NotSniffed.txt -TESTSFAILED END CONTAINS WEIGHTTESTTESTSFAILED 0 NOTCONTAINS SNIFFERNOTSNIFFED will only trip on E-mail that scores >=15 and doesn't fail any tests containing the string SNIFFER.MattAndy Schmidt wrote: That's the way to do it << Nope - it was a failure. The "WEIGHTRANGE" doesn't get processed by Declude until the end. So when the FITLER is running, the WEIGHTRANGE hasn't been set yet - apparently. So, Scott... We're back to needing "SKIPIFWEIGHTLESS"! Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] Detect "Test NOT Failed"
Andy, I'm a big proponent of a skip if less than or more than setup, however I would like to see this in the Global.cfg so that the filter files don't even need to be opened and read if the proper weights have been tripped, thus saving a bunch of processing. This could be done with two columns added to the definitions of each custom filter, the first number being less than or equal to and the second number being greater than or equal to resulting in a skip. Regarding this filter, just modify your approach a little. This requires 1.79i7 for NOTCONTAINS functionality. First test for the weight in a single filter. - WeightTest.txt - SKIPIFWEIGHT 15 REMOTEIP 0 CONTAINS . Then check for both Sniffer plus the WEIGHTTEST filter: - NotSniffed.txt - TESTSFAILED END CONTAINS WEIGHTTEST TESTSFAILED 0 NOTCONTAINS SNIFFER NOTSNIFFED will only trip on E-mail that scores >=15 and doesn't fail any tests containing the string SNIFFER. Matt Andy Schmidt wrote: That's the way to do it << Nope - it was a failure. The "WEIGHTRANGE" doesn't get processed by Declude until the end. So when the FITLER is running, the WEIGHTRANGE hasn't been set yet - apparently. So, Scott... We're back to needing "SKIPIFWEIGHTLESS"! Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] Detect "Test NOT Failed"
>> That's the way to do it << Nope - it was a failure. The "WEIGHTRANGE" doesn't get processed by Declude until the end. So when the FITLER is running, the WEIGHTRANGE hasn't been set yet - apparently. So, Scott... We're back to needing "SKIPIFWEIGHTLESS"! Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Detect "Test NOT Failed"
That's the way to do it :) Matt Andy Schmidt wrote: I think I found a solution. Global.cfg: SNIFFER externalnonzero "D:\IMAIL\Sniffer\Win32\.EXE " 4 0 SNIFFER-SNAKE external052 "D:\IMAIL\Sniffer\Win32\.EXE " 1 0 SNIFFER-SCAMS external053 "D:\IMAIL\Sniffer\Win32\.EXE " 2 0 SNIFFER-PORNexternal054 "D:\IMAIL\Sniffer\Win32\.EXE " 2 0 SNIFFER-MALWARE external055 "D:\IMAIL\Sniffer\Win32\.EXE " 2 0 SNIFFER-OBFUSC external061 "D:\IMAIL\Sniffer\Win32\.EXE " 2 0 SNIFFERREPORT weightrange x x 0 15 NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 NOTSNIFFEDfilter.txt: TESTSFAILED END CONTAINS SNIFFER REMOTEIP0 CONTAINS . The result will be that the filter will "end", if EITHER sniffer tagged the mail OR if the weightrage is 0-15. So - the only mail that should be tagged as "NOTSNIFFED" are emails that are NOT "sniffed" and that are above 15 in weight. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, May 31, 2004 09:15 PM To: Matt Subject: Re[2]: [Declude.JunkMail] Detect "Test NOT Failed" I'm just curious... Wouldn't the following work for the intended purpose (in this case)... NOTSNIFFED external 0 "." ... Specifically - an external test that fails on a zero result should work right Scott? _M On Monday, May 31, 2004, 7:01:50 PM, Matt wrote: M> I believe that MINWEIGHT 15 always exits the filter since it M> startswith a score of zero. M> If Andrew's suggestion doesn't work for your purposes, there's likely M> akludge that can be written with multiple filter files that can do M> this. M> Matt M> Andy Schmidt wrote: M> Hi Matt: M> M> Uh - I see. We would need a"SKIPIFWEIGHTLESS" option. Scott? M> M> But - I still don't understand why I don'tsee lots of entries for M> "NOTSNIFFed". If anything, now I should seelots of legitimate mail M> "match" that test? M> Best Regards M> Andy Schmidt M> H M Systems Software, Inc. M> 600 East Crescent Avenue, Suite 203 M> Upper Saddle River, NJ 07458-1846 M> Phone: +1 201 934-3414x20 (Business) M> Fax:+1 201 934-9206 M> http://www.HM-Software.com/ M> -Original Message- M> M> From:[EMAIL PROTECTED]:Declude.JunkMail-owner M> @declude.com] M> On Behalf Of Matt M> Sent: Monday, May 31, 2004 06:18 PM M> To:[EMAIL PROTECTED] M> Subject: Re: [Declude.JunkMail] Detect "Test NOT Failed" M> Andy, M> That's not how MINWEIGHT works. MINWEIGHT is used for a filter so M> thatit doesn't subtract any more than the value that you give it, M> generallya negative number unless you get fancy and apply scoring M> tests first. M> The only way to do this currently would be to create an external M> testto run after Sniffer which passes in the %WEIGHT% variable. M> Matt M> Andy Schmidt wrote: M> Hi, M> M> I'mtrying to detect mails weight >= 15 that did NOT fail "Sniffer". M> M> Ihave: M> M> Global.cfg: M> M> SNIFFER external M> nonzero"D:\IMAIL\Sniffer\Win32\.exe ?" 4 0 SNIFFER-SNAKE M> external M> 052 "D:\IMAIL\Sniffer\Win32\.exe?" 1 0 SNIFFER-SCAMS M> external M> 053 "D:\IMAIL\Sniffer\Win32\.exe?" 2 0 SNIFFER-PORN M> external M> 054 "D:\IMAIL\Sniffer\Win32\.exe?" 2 0 SNIFFER-MALWARE M> external M> 055 "D:\IMAIL\Sniffer\Win32\.exe?" 2 0 SNIFFER-OBFUSC M> external M> 061 "D:\IMAIL\Sniffer\Win32\.exe?" 2 0 M> M> NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 M> M> In"NOTSNIFFEDfilter.txt" M> M> MINWEIGHT 15 M> TESTSFAILED END CONTAINS SNIFFER M> REMOTEIP 0 CONTAINS . M> M> Yet,the log doesn't show "NOTSNIFFed": M> M> 05/31/2004 17:48:59 Qa83f230c00e4d595SPAMCOP:7 XBL-DYNA:7 M> HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight= 26. 05/31/2004 M> 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith M> weight >=19 (26) and at least 1 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Bypassing whit
RE: [Declude.JunkMail] Detect "Test NOT Failed"
Title: Message Hi Andrew, cool. Unfortunately, my goal was to route the messages not just "count". Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Monday, May 31, 2004 06:32 PMTo: '[EMAIL PROTECTED]'Subject: RE: [Declude.JunkMail] Detect "Test NOT Failed" fgrep "Total weight = " dec0531.log | fgrep -v "SNIFFER" | gawk "$NF >=20" >result.txt sample contents of result.txt: 05/31/2004 00:01:44 Qd84b1ec600561d03 IPNOTINMX:2 HELOBOGUS:6 MAILFROM:9 REVDNS:4 CMDSPACE:5 COUNTRY:10 DSBL:6 SPAMCOP:3 SPAMCOP-DYNA:7 FIVETENSRC:2 FIVETENSRC-DYNA:3 . Total weight = 57.05/31/2004 00:04:13 Qd8d21ede005628b1 IPNOTINMX:2 BADHEADERS:6 CMDSPACE:5 SPAMDOMAINS:6 NOABUSE:3 NOPOSTMASTER:3 NJABL-DYNABLOCK:6 FIVETENSRC:2 FIVETENSRC-DYNA:3 SORBS-DYNA:7 DYNAMIC:4 TELUS-DYNA:1 . Total weight = 48. Andrew 8) -Original Message-From: Andy Schmidt [mailto:[EMAIL PROTECTED] Sent: Monday, May 31, 2004 3:03 PMTo: [EMAIL PROTECTED]Subject: [Declude.JunkMail] Detect "Test NOT Failed" Hi, I'm trying to detect mails weight >= 15 that did NOT fail "Sniffer". I have: Global.cfg: SNIFFER external nonzero "D:\IMAIL\Sniffer\Win32\.exe ?" 4 0SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\.exe ?" 1 0SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0 NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 In "NOTSNIFFEDfilter.txt" MINWEIGHT 15 TESTSFAILED END CONTAINS SNIFFERREMOTEIP 0 CONTAINS . Yet, the log doesn't show "NOTSNIFFed": 05/31/2004 17:48:59 Qa83f230c00e4d595 SPAMCOP:7 XBL-DYNA:7 HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight = 26.05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=19 (26) and at least 1 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=14 (26) and at least 4 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=12 (26) and at least 6 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] 05/31/2004 17:48:59 Qa83f230c00e4d595 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 61.73.93.27 ID: 05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed [weight=26]: BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE SPAMCOP=WARN NJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE HELOBOGUS=WARN IPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN NOLEGITCONTENT=IGNORE WEIGHTKILL=DELETE 05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] [EMAIL PROTECTED] Best RegardsAndy SchmidtH&M Systems Software, Inc.600 East Crescent Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206http://www.HM-Software.com/
Re: [Declude.JunkMail] Detect "Test NOT Failed"
I believe that MINWEIGHT 15 always exits the filter since it starts
with a score of zero.
If Andrew's suggestion doesn't work for your purposes, there's likely a
kludge that can be written with multiple filter files that can do this.
Matt
Andy Schmidt wrote:
Message
Hi Matt:
Uh - I see. We would need a
"SKIPIFWEIGHTLESS" option. Scott?
But - I still don't understand why I don't
see lots of entries for "NOTSNIFFed". If anything, now I should see
lots of legitimate mail "match" that test?
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414
x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, May 31, 2004 06:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Detect "Test NOT Failed"
Andy,
That's not how MINWEIGHT works. MINWEIGHT is used for a filter so that
it doesn't subtract any more than the value that you give it, generally
a negative number unless you get fancy and apply scoring tests first.
The only way to do this currently would be to create an external test
to run after Sniffer which passes in the %WEIGHT% variable.
Matt
Andy Schmidt wrote:
Hi,
I'm
trying to detect mails weight >= 15 that did NOT fail "Sniffer".
I
have:
Global.cfg:
SNIFFER external nonzero
"D:\IMAIL\Sniffer\Win32\.exe ?" 4 0
SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\.exe
?" 1 0
SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\.exe
?" 2 0
SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\.exe
?" 2 0
SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\.exe
?" 2 0
SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\.exe
?" 2 0
NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0
In
"NOTSNIFFEDfilter.txt"
MINWEIGHT 15
TESTSFAILED END CONTAINS SNIFFER
REMOTEIP 0 CONTAINS .
Yet,
the log doesn't show "NOTSNIFFed":
05/31/2004 17:48:59 Qa83f230c00e4d595
SPAMCOP:7 XBL-DYNA:7 HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight
= 26.
05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail
with weight >=19 (26) and at least 1 recipients (7).
05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail
with weight >=14 (26) and at least 4 recipients (7).
05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail
with weight >=12 (26) and at least 6 recipients (7).
05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED]
05/31/2004 17:48:59 Qa83f230c00e4d595 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 61.73.93.27 ID:
05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed [weight=26]:
BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE SPAMCOP=WARN
NJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE HELOBOGUS=WARN
IPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN NOLEGITCONTENT=IGNORE
WEIGHTKILL=DELETE
05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] [EMAIL PROTECTED]
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201
934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.JunkMail] Detect "Test NOT Failed"
Title: Message Hi Matt: Uh - I see. We would need a "SKIPIFWEIGHTLESS" option. Scott? But - I still don't understand why I don't see lots of entries for "NOTSNIFFed". If anything, now I should see lots of legitimate mail "match" that test? Best RegardsAndy SchmidtH&M Systems Software, Inc.600 East Crescent Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206http://www.HM-Software.com/ -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Monday, May 31, 2004 06:18 PMTo: [EMAIL PROTECTED]Subject: Re: [Declude.JunkMail] Detect "Test NOT Failed"Andy,That's not how MINWEIGHT works. MINWEIGHT is used for a filter so that it doesn't subtract any more than the value that you give it, generally a negative number unless you get fancy and apply scoring tests first.The only way to do this currently would be to create an external test to run after Sniffer which passes in the %WEIGHT% variable.MattAndy Schmidt wrote: Hi, I'm trying to detect mails weight >= 15 that did NOT fail "Sniffer". I have: Global.cfg: SNIFFER external nonzero "D:\IMAIL\Sniffer\Win32\.exe ?" 4 0SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\.exe ?" 1 0SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0 NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 In "NOTSNIFFEDfilter.txt" MINWEIGHT 15 TESTSFAILED END CONTAINS SNIFFERREMOTEIP 0 CONTAINS . Yet, the log doesn't show "NOTSNIFFed": 05/31/2004 17:48:59 Qa83f230c00e4d595 SPAMCOP:7 XBL-DYNA:7 HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight = 26.05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=19 (26) and at least 1 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=14 (26) and at least 4 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=12 (26) and at least 6 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] 05/31/2004 17:48:59 Qa83f230c00e4d595 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 61.73.93.27 ID: 05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed [weight=26]: BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE SPAMCOP=WARN NJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE HELOBOGUS=WARN IPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN NOLEGITCONTENT=IGNORE WEIGHTKILL=DELETE 05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] [EMAIL PROTECTED] Best RegardsAndy SchmidtH&M Systems Software, Inc.600 East Crescent Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206http://www.HM-Software.com/ -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] Detect "Test NOT Failed"
Title: Message fgrep "Total weight = " dec0531.log | fgrep -v "SNIFFER" | gawk "$NF >=20" >result.txt sample contents of result.txt: 05/31/2004 00:01:44 Qd84b1ec600561d03 IPNOTINMX:2 HELOBOGUS:6 MAILFROM:9 REVDNS:4 CMDSPACE:5 COUNTRY:10 DSBL:6 SPAMCOP:3 SPAMCOP-DYNA:7 FIVETENSRC:2 FIVETENSRC-DYNA:3 . Total weight = 57.05/31/2004 00:04:13 Qd8d21ede005628b1 IPNOTINMX:2 BADHEADERS:6 CMDSPACE:5 SPAMDOMAINS:6 NOABUSE:3 NOPOSTMASTER:3 NJABL-DYNABLOCK:6 FIVETENSRC:2 FIVETENSRC-DYNA:3 SORBS-DYNA:7 DYNAMIC:4 TELUS-DYNA:1 . Total weight = 48. Andrew 8) -Original Message-From: Andy Schmidt [mailto:[EMAIL PROTECTED] Sent: Monday, May 31, 2004 3:03 PMTo: [EMAIL PROTECTED]Subject: [Declude.JunkMail] Detect "Test NOT Failed" Hi, I'm trying to detect mails weight >= 15 that did NOT fail "Sniffer". I have: Global.cfg: SNIFFER external nonzero "D:\IMAIL\Sniffer\Win32\.exe ?" 4 0SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\.exe ?" 1 0SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0 NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 In "NOTSNIFFEDfilter.txt" MINWEIGHT 15 TESTSFAILED END CONTAINS SNIFFERREMOTEIP 0 CONTAINS . Yet, the log doesn't show "NOTSNIFFed": 05/31/2004 17:48:59 Qa83f230c00e4d595 SPAMCOP:7 XBL-DYNA:7 HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight = 26.05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=19 (26) and at least 1 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=14 (26) and at least 4 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=12 (26) and at least 6 recipients (7).05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] 05/31/2004 17:48:59 Qa83f230c00e4d595 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 61.73.93.27 ID: 05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed [weight=26]: BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE SPAMCOP=WARN NJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE HELOBOGUS=WARN IPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN NOLEGITCONTENT=IGNORE WEIGHTKILL=DELETE 05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] [EMAIL PROTECTED] Best RegardsAndy SchmidtH&M Systems Software, Inc.600 East Crescent Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206http://www.HM-Software.com/
Re: [Declude.JunkMail] Detect "Test NOT Failed"
I'm trying to detect mails weight >= 15 that did NOT fail "Sniffer". In "NOTSNIFFEDfilter.txt" MINWEIGHT 15 TESTSFAILED END CONTAINS SNIFFER REMOTEIP 0 CONTAINS . The problem here is that the MINWEIGHT option in a filter determines a minimum weight at which filter processing will stop. This is a rarely used option. SKIPIFWEIGHT could be used for <=15 (by replacing the "MINWEIGHT 15" line with "SKIPIFWEIGHT 15"), but there is currently no option that works the opposite way (>= 15). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Detect "Test NOT Failed"
Andy, That's not how MINWEIGHT works. MINWEIGHT is used for a filter so that it doesn't subtract any more than the value that you give it, generally a negative number unless you get fancy and apply scoring tests first. The only way to do this currently would be to create an external test to run after Sniffer which passes in the %WEIGHT% variable. Matt Andy Schmidt wrote: Message Hi, I'm trying to detect mails weight >= 15 that did NOT fail "Sniffer". I have: Global.cfg: SNIFFER external nonzero "D:\IMAIL\Sniffer\Win32\.exe ?" 4 0 SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\.exe ?" 1 0 SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0 SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0 SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0 SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\.exe ?" 2 0 NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 In "NOTSNIFFEDfilter.txt" MINWEIGHT 15 TESTSFAILED END CONTAINS SNIFFER REMOTEIP 0 CONTAINS . Yet, the log doesn't show "NOTSNIFFed": 05/31/2004 17:48:59 Qa83f230c00e4d595 SPAMCOP:7 XBL-DYNA:7 HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight = 26. 05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=19 (26) and at least 1 recipients (7). 05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=14 (26) and at least 4 recipients (7). 05/31/2004 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mail with weight >=12 (26) and at least 6 recipients (7). 05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] 05/31/2004 17:48:59 Qa83f230c00e4d595 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 61.73.93.27 ID: 05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed [weight=26]: BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE SPAMCOP=WARN NJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE HELOBOGUS=WARN IPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN NOLEGITCONTENT=IGNORE WEIGHTKILL=DELETE 05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED] [EMAIL PROTECTED] Best Regards Andy Schmidt H&M Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/ -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
