Thank you.

Ah, well, it was worth a try.

The reason I am trying to do this is because we use MessageLabs for two of our three domains, and as I mentioned here http://community.pmail.com/forums/thread/24407.aspx we are having problems with undesirable mail (spam-bots) using the lowest MX record to deliver mail directly to our IP address.

I know I can remove the last MX record, but I wanted to avoid doing this if possible. 

Hi, folks 

We use MessageLabs to filter mail from two of three domains. Filtered messages have a text banner appended.

I want to create a filter that checks for the text banner in incoming mail from two of the domains and if it is not present to move the messages to a local user account.

I guess the rules would have to take the form:

IF To:*domain1 OR domain2 is present in the message headers AND *text to look for* IS NOT present in the message body MOVE the message to user1

I don't quite understand how I can accomplish this and I don't want to experiment because I can't afford to get it wrong.

I've looked at the help but don't know how to set this up. For example, when I select the logical AND option when creating a rule, nothing happens.

Can anyone offer any advice, please?

Thanks

I'm not sure where your text banner is so I used Subject in the example below.

 I think you'll need to create this as a global rule so it will need segragating from any other global rules you have set up, but I think you should first check if the mail is from domain1 or domain2. If it is go on to the next rule otherwise quit processing.

Then check if the text DOES exist. If it does quit processing, otherwise move the mail to the local user.

Here's the rule I created as above:

If header "F" contains "domain1.com" Goto "next_step"
If header "F" contains "domain2.com" Goto "next_step"
Always Goto "last_step"
Label "next_step"
If header "S" contains "the text I want to check on" Goto "last_step"
Always Move "user1"
Label "last_step"
Always Exit ""

Good luck,

Dave.

Hi, Dave

Many thanks for helping me with this.

Crikey - that's pretty simple.

I have the following which I have amended. Can you see anything wrong with this:

Always - copy to another user [this is our catchall account for archiving]

Headers: If T contains domain1 goto Label1
Headers: If T contains domain2 goto Label1
Always: goto Label2
Label: Label1
Expression: If *banner text* exists in the body move to user1 [NOT]
Label: Label2
Followed by other Header rules that forward mail to other users.

If I include the Always: Exit will that disregard all subsequent filtering rules? I used 'T' because I want to filter incoming mail addressed to the two domains.

Thanks again for your help, I appreciate it!

Your code looks fine, I don't think I've ever used 'NOT' but including it make the code a bit shorter which can only be better.

You're right in thinking to include the Always Exit will disregard subsequent rules.

Happy to help any time.

Dave.

Thanks, Dave

I was off work last week and implemented the rules this morning.

One thing that I had not taken into consideration is that we use Mercury/32's mailing lists feature to send email to all users in the office. The mailing lists require full username@domain-name.com entries for the addresses. This means that messages sent to the mailing list destined for local users are moved to the holding account. This also means that where a local user's address occurs in a mailing list that includes external addresses, the message is not delivered to anyone.

So, although the rules are working as they should, my attempt at sorting this out has been stymied.

Does anyone know if there is a way to exclude mail that originates locally from filtering, please?

Sorted it, I think:

Headers: If T contains domain1 goto Label1

Headers: If T contains domain2 goto Label1

Always: goto Label2

Label: Label1

Headers: If F contains domain1.com goto Label2

Headers: If F contains domain2.com goto Label2

Expression [NOT]: If *banner text* exists in the body move to user1

Label: Label2

Followed by other Header rules that forward mail to other users. 

Seems to work so far. 

OK, here's something that the devs can hopefully answer for me.

The rules are working fine. But, I have just seen a message moved to the holding account that has the banner text.

When I look at the message in raw view, the banner text is not there. In fact the entire body is missing, replaced by garbage.

Here's the message:

http://img138.imageshack.us/img138/8745/filter1l.jpg

And here's the Raw view:

http://img227.imageshack.us/img227/2818/filter2.jpg

I don't know what I can do about this. Anyone know why the body text is not appearing in the raw view, please? 

I don't know what I can do about this. Anyone know why the body text is not appearing in the raw view, please?

The whole body is being encoded Base64 and so that what you see in the raw view.  The message view decodes the enclosed Base64 since the MIME type transfer -encoding tells the program it's encoded.

You really can't do anything about this one since the filter does not decode this Base64.

Well, it says that the text in the raw view is base64 encoded, so it will presumably be more readable if you decode it.

/Rolf

Thanks to both of you for your replies.

@Rolf

Is there a way to decode this and pass the decoded data to the filter for checking?

Also, presumably, the banner text begins with the fX19 so could I configure a filter to check for part of the data contained within the two sets of fX19's? I'm wondering if this will be presented the same way in each message that uses Base64 encoding. I don't really know if this is a valid approach.

Any thoughts, please?

Thanks 

Is there a way to decode this and pass the decoded data to the filter for checking?

Nope, as I said before the filters do not decode.

Also,

presumably, the banner text begins with the fX19 so could I configure a

filter to check for part of the data contained within the two sets of

fX19's? I'm wondering if this will be presented the same way in each

message that uses Base64 encoding. I don't really know if this is a

valid approach.

Any thoughts, please?

You can pass the file to a program using an "Always" filter with the "Run a program" action and have the program decode the file and then add an X-header to the file if the decoded text contains the desired string.  This program would decode the base64 data to a text file, parse the text file for the string and then pass the file back with the added header.  A real pain in the rear to get right and it does take a lot of CPU cycles.

Thanks for replying. 

I can't use an expression to check for a string between the two groups of fX19's? That's what I was wondering - is the banner text always represented the same way in raw view? Is the raw view what the filter sees?

[quote user="Greenman"]That's what I was wondering - is the banner text always represented the same way in raw view? Is the raw view what the filter sees?[/quote]

Not always. In base64, 3 input (8-bit) characters are converted into 4 output (6-bit) characters. (That's the reason attachments are usually a third bigger than the raw files.)   Since the banner is at the end of some variable text, there are 3 possible starting positions for it within the 3 char group, and so there can be 3 representations of the encoded banner.

I've never tried to filter on encoded text, so I don't know how successful it will be.