I think I found a solution. Global.cfg:
SNIFFER external nonzero "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 4 0 SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 1 0 SNIFFER-SCAMS external 053 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-PORN external 054 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-MALWARE external 055 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFER-OBFUSC external 061 "D:\IMAIL\Sniffer\Win32\????????.EXE ????????????????" 2 0 SNIFFERREPORT weightrange x x 0 15 NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 NOTSNIFFEDfilter.txt: TESTSFAILED END CONTAINS SNIFFER REMOTEIP 0 CONTAINS . The result will be that the filter will "end", if EITHER sniffer tagged the mail OR if the weightrage is 0-15. So - the only mail that should be tagged as "NOTSNIFFED" are emails that are NOT "sniffed" and that are above 15 in weight. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, May 31, 2004 09:15 PM To: Matt Subject: Re[2]: [Declude.JunkMail] Detect "Test NOT Failed" I'm just curious... Wouldn't the following work for the intended purpose (in this case)... NOTSNIFFED external 0 "....." ... Specifically - an external test that fails on a zero result should work right Scott? _M On Monday, May 31, 2004, 7:01:50 PM, Matt wrote: M> I believe that MINWEIGHT 15 always exits the filter since it M> startswith a score of zero. M> If Andrew's suggestion doesn't work for your purposes, there's likely M> akludge that can be written with multiple filter files that can do M> this. M> Matt M> Andy Schmidt wrote: M> Hi Matt: M> M> Uh - I see. We would need a"SKIPIFWEIGHTLESS" option. Scott? M> M> But - I still don't understand why I don'tsee lots of entries for M> "NOTSNIFFed". If anything, now I should seelots of legitimate mail M> "match" that test? M> Best Regards M> Andy Schmidt M> H M Systems Software, Inc. M> 600 East Crescent Avenue, Suite 203 M> Upper Saddle River, NJ 07458-1846 M> Phone: +1 201 934-3414x20 (Business) M> Fax: +1 201 934-9206 M> http://www.HM-Software.com/ M> -----Original Message----- M> M> From:[EMAIL PROTECTED]:Declude.JunkMail-owner M> @declude.com] M> On Behalf Of Matt M> Sent: Monday, May 31, 2004 06:18 PM M> To:[EMAIL PROTECTED] M> Subject: Re: [Declude.JunkMail] Detect "Test NOT Failed" M> Andy, M> That's not how MINWEIGHT works. MINWEIGHT is used for a filter so M> thatit doesn't subtract any more than the value that you give it, M> generallya negative number unless you get fancy and apply scoring M> tests first. M> The only way to do this currently would be to create an external M> testto run after Sniffer which passes in the %WEIGHT% variable. M> Matt M> Andy Schmidt wrote: M> Hi, M> M> I'mtrying to detect mails weight >= 15 that did NOT fail "Sniffer". M> M> Ihave: M> M> Global.cfg: M> M> SNIFFER external M> nonzero"D:\IMAIL\Sniffer\Win32\????????.exe ?????" 4 0 SNIFFER-SNAKE M> external M> 052 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 1 0 SNIFFER-SCAMS M> external M> 053 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 2 0 SNIFFER-PORN M> external M> 054 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 2 0 SNIFFER-MALWARE M> external M> 055 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 2 0 SNIFFER-OBFUSC M> external M> 061 "D:\IMAIL\Sniffer\Win32\????????.exe?????" 2 0 M> M> NOTSNIFFed filter D:\IMail\Declude\NOTSNIFFEDfilter.txt x 0 0 M> M> In"NOTSNIFFEDfilter.txt" M> M> MINWEIGHT 15 M> TESTSFAILED END CONTAINS SNIFFER M> REMOTEIP 0 CONTAINS . M> M> Yet,the log doesn't show "NOTSNIFFed": M> M> 05/31/2004 17:48:59 Qa83f230c00e4d595SPAMCOP:7 XBL-DYNA:7 M> HELOBOGUS:3 REVDNS:5 SPAMROUTING:4 . Total weight= 26. 05/31/2004 M> 17:48:59 Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith M> weight >=19 (26) and at least 1 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith weight >=14 M> (26) and at least 4 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Bypassing whitelisting of E-mailwith weight >=12 M> (26) and at least 6 recipients (7). 05/31/2004 17:48:59 M> Qa83f230c00e4d595 Deleting spam from [EMAIL PROTECTED] to M> [EMAIL PROTECTED] 05/31/2004 17:48:59 Qa83f230c00e4d595 M> From: [EMAIL PROTECTED] M> To: [EMAIL PROTECTED] IP: 61.73.93.27 ID: M> 05/31/2004 17:48:59 Qa83f230c00e4d595 Tests failed M> [weight=26]:BYPASS19=IGNORE BYPASS14=IGNORE BYPASS12=IGNORE M> SPAMCOP=WARNNJABLDYNA=LOG SORBS=WARN SORBS-DUHL=LOG XBL-DYNA=IGNORE M> HELOBOGUS=WARNIPNOTINMX=IGNORE REVDNS=ALERT SPAMROUTING=WARN M> NOLEGITCONTENT=IGNOREWEIGHTKILL=DELETE M> 05/31/2004 17:48:59 Qa83f230c00e4d595 Deleting spam from M> [EMAIL PROTECTED] to M> [EMAIL PROTECTED]@alloysinternational.com M> Best Regards M> Andy Schmidt M> H M Systems Software, Inc. M> 600 East Crescent Avenue, Suite 203 M> Upper Saddle River, NJ 07458-1846 M> Phone: +1 201934-3414 x20 (Business) M> Fax: +1 201 934-9206 M> http://www.HM-Software.com/ M> M> -- M> ===================================================== M> MailPure custom filters for Declude JunkMail M> Pro.http://www.mailpure.com/software/======================================= ============== --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
