PLEASE add IMAP filtering

Please knock it off.  He's answered you a long time ago and knows you want this.  If you want to do this put it into the wish list forum that's ok since I do not follow that one.

We are getting lots of emails with this in the subject:

To stop ALL email from ABCNews Newsletters

We also get them as above but difference names in the from.. ie: CPA Newsletter.

In content filter I have added:

if body contains "*CPA Newsletter*" ob weight 999
if body contains "*CPA Newsletter*" weight 999
if body contains "*ABCNews Newsletters*" ob weight 999
if body contains "*ABCNews Newsletters*" weight 999

Yet they still get through... What have I missed ??

 Thanks

 
PLEASE add IMAP filtering
 

The CONTAINS directive does not support regular expressions or wildcards. Besides, OB does't want spaces between the keywords. Strip the '*' char's and spaces or use MATCHES instead (without the OB obfuscated text detection then) and the rule should work.

Best regards,

Nico

FWIW spamhalter has got all of these with no input from me. I gave up the CC arms race a long time ago. [:)]

[quote user="dilberts_left_nut"]FWIW spamhalter has got all of these with no input from me. I gave up the CC arms race a long time ago. [:)]

[/quote]

Multi-stage filtering is a good thing. See for example SpamAssassin, probably the most used spamfilter on the planet. SpamAssassin uses by default at least 6 different types of anti-spam tests (among the tests is also Bayesian filtering like SpamHalter does) and one of the tests is still regular expression filtering :)

Best regards,

Nico

No argument from me, multi-stage filtering is a good thing.

Just pointing out that I haven't needed it since I put Spamhalter on the front line.

I have spamhalter installed... and it hasn't got them.

Even when I email it back to our server as 'spam'.. they still keep coming !!

I'll try Nico's idea !! 

I've changed the filtering to:

if body MATCHES "CPA Newsletter" weight 999

if body MATCHES "ABCNews Newsletters" weight 999

Yet I'm still getting the SPAM..[:@]
Any ideas ?

Thanks

PLEASE ADD IMAP FILTERING SUPPORT [Y] 

Read Nico's post again :)

If you use 'contains', the quoted string is a straight comparison of text anywhere in the message. So an asterisk will match a real asterisk.

If you use 'matches', the quoted string is a regular expression, so you must use asterisks to match text before and after your string.

Your tests look for a message body that contains only "CPA Newsletter" and nothing else. Put the '*'s back in.

ah...[:P] Must engage brain first..

Thank You.

PLEASE ADD SUPPORT FOR IMAP FILTERING  

Hi

I've amended my rules to: 

if body MATCHES "*CPA Newsletter*" weight 999
if body MATCHES "*ABCNews Newsletters*" weight 999

And this seems to be working.. Thanks 

The mail headers show:

X-SPAMWALL: Passed through antiSPAM test by SpamHalter 4.4.0 on xxxxx.co.uk (785)
X-SPAMWALL: probability - 0.0%
X-CLAMWALL: Passed through antiviral test by ClamWall 1.3.0.95 on xxxxx.co.uk (79)

Why isn't SpamHalter stopping them ? I keep emailing back to 'spam@xxxxx.co.uk' and mercury is getting the updates..

Strange ! 

I have made these modifications to the spamhalter settings:

bayNoSpamBoost=1
bayUnknownProb=80
baySpamProb=40

The db has been training for a fairly long time and we use Train Always, so it has a very good idea of what our good mail looks like.

Any unknown tokens are very likely to indicate spam (misspelled / obfuscated words etc designed to get around filters [:D]) so I set the probability for these unknown tokens to 80% and dropped the overall trigger weight to 40%

This works extremely well (for us, YMMV) and have had NO spam get through to users for many months.

It does catch 'some' first time newsletters & confirmation mails (2-3 per month), but one correction fixes it, and no mail from a real person has been wrongly classified for ages.

I still have CC rules in place (but now turned off) from before I got spamhalter tooled up right (for us) but nothing has even got to them for a long time.

Why isn't SpamHalter stopping them ? I keep emailing back to 'spam@xxxxx.co.uk' and mercury is getting the updates..

However do the SpamHalter logs show that the messages are being processed properly and the correction applied?  If your system is actually rejecting the updates or seeing no changes then they will never be changed to spam.

This is what the logs show:

D 20081006 090348.750 MG000004 Mercury version >= 4.1
D 20081006 090348.750 MG000004 jobfile: C:\MERCURY\QUEUE\MG000004.QDF
D 20081006 090348.750 MG000004 spamdir: C:\MERCURY\MAIL\Spam
D 20081006 090348.750 MG000004 nospamdir: C:\MERCURY\MAIL\nospam
D 20081006 090348.750 MG000004 IP: 192.168.4.10
D 20081006 090348.750 MG000004 > Match ACL
  20081006 090348.750 MG000004 from: <martin@xxxxx.co.uk>
D 20081006 090348.750 MG000004 > Local sender
D 20081006 090348.750 MG000004 > for Whitelist
_ 20081006 090348.765 MG000004 Correction request saved as: C:\MERCURY\MAIL\Spam\AAEZ6AF9.CNM

SpamHalter is set as:

[SpamHalter]
Queue=
Debug=1
BayDebug=0
CleanTime=20
StatRate=1
SpamAddr=spam
NoSpamAddr=nospam
HoneyPot=
LocalIP=127.0.0.1/8,192.168.4.0/24
DynamicHost=
Password=password
BlockTag=
VirusTag=attach removed
LogVirWall=0
subject=** SPAM **
tagname=X-SPAMWALL
WhitelistText=Whitelisted
BlockText=Blocked SPAM!
DebugText=Debug -
ProbText=probability -
SpamText=SPAM detected!
bayDataDir=C:\MERCURY\spamhalter\
logfile=C:\MERCURY\logs\spamhalter\sh~Y~W.LOG
Enabled=1
SpamTrack=1
TrainAlways=1
ImageParser=1
IgnoreWhite=0

[bayDynamic]
bayForcedWrites=1
bayNoSpamBoost=3
bayClasifyMaxTokens=20
bayUnknownProb=40
baySpamProb=80
bayMaxCorrCnt=50
bayOldDays=30
bayExpire=180
bayWhiteOldDays=60
CustomHeaders=

[bayStatic]
bayMaxLength=8192
bayMinTokenLength=3
bayMaxTokenLength=25

Any ideas ?

Thanks 

That's the message being saved for correction.  Do you later see the correction logged with a 'C' flag?

It looks something like this:

[quote]D 20080908 150329.207 MG000341 > Internet sender
D 20080908 150329.207 MG000341 > Need to test
C 20080908 150329.227 MG000341 corrections to SPAM
C 20080908 150329.227 MG000341 AAAGLSFQ.CNM
A 20080908 150329.237 MG000341 BL+: sharlenecarbonaceouschampagne@washingtonpost.com
C 20080908 150329.237 MG000341 from: sharlenecarbonaceouschampagne@washingtonpost.com
C 20080908 150329.247 MG000341 Rounds: 2
C 20080908 150329.257 MG000341 AAAGLSFV.CNM
A 20080908 150329.267 MG000341 BL+: secure@abbey.co.uk
C 20080908 150329.277 MG000341 from: secure@abbey.co.uk
C 20080908 150329.327 MG000341 Rounds: 21
[/quote]

I've got this which seems to relate to the messages:

C 20081006 092951.109 MG000006 corrections to SPAM
C 20081006 092951.109 MG000006 AA68JAHL.CNM
A 20081006 092951.296 MG000006 BL+: PillFactory23@snyderschwarz.com
C 20081006 092951.312 MG000006 from: bob@xxxxx.co.uk
C 20081006 092951.937 MG000006 Rounds: 21
C 20081006 092951.968 MG000006 AADXCJFH.CNM
A 20081006 092952.140 MG000006 BL+: lupu-snoredec@2dozenroses.com
A 20081006 092952.296 MG000006 BL+: sales@xxxxx.co.uk&token
C 20081006 092952.828 MG000006 from: bob@xxxxx.co.uk
C 20081006 092952.984 MG000006 Rounds: 6
C 20081006 092953.000 MG000006 AAEZ6AF9.CNM
C 20081006 092953.765 MG000006 from: bob@xxxxx.co.uk
C 20081006 092953.781 MG000006 Not needed!

IS that right ? 

Yep, that is your corrections being processed.

AFAIK the "not needed" means the tokens are already in your database.

Change your "noSpamBoost=3" to 2 or 1 as this multiplies the weight of "good" tokens in the SPAM calculation.

Having it at 3 means that a spam that has a small number of good words (tokens) gets passed as not SPAM.

Also have a fiddle with the unknown tokens setting as I think 40 is too low, (see my reasons above).

There is no "correct" setting, you just need to tune it to your particular environment.

Thanks I've amended my ini and will see how it goes over the next few days..

 DAVID - Please Add IMAP Filtering Support