John and John, I'm not familiar with SpamReview, but here's the dilemma I see. IP and Domain tests fail a single test of each kind. A given message has a single sender domain name so FROMFILE test logs show a single culprit. Content filters can hit dozens of words/phrases from a single message. Here's an edited sample from this morning:

12/13/2002 01:24:42 Qa75904db00c2e1d0 Triggered filter on etracks.com [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on bring the best that the Internet has to offer [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on one of our marketing partners [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on through one of our marketing partners [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on e-klk.com [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on eluckyday.com [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on bad credit [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on Debt Consolidation [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on Equity loan [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on Tired of paying [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (Message failed FilterC test (1187)). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Subject: Conseco Finance may be able to help lower your monthly payments
12/13/2002 01:24:43 Qa75904db00c2e1d0 From: [EMAIL PROTECTED] To: me

If it can be made to look like this, would SpamReview still work?:

12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (etracks.com). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (bring the best that the Internet has to offer). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (one of our marketing partners). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (through one of our marketing partners). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (e-klk.com). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (eluckyday.com). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (bad credit). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (Debt Consolidation). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (Equity loan). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (Tired of paying). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Subject: Conseco Finance may be able to help lower your monthly payments
12/13/2002 01:24:43 Qa75904db00c2e1d0 From: [EMAIL PROTECTED] To: me

Dan

On Friday, December 13, 2002 14:40, John Shacklett <[EMAIL PROTECTED]> wrote:
>Here's my take on why I endorse John's request. I understand Dan's
>suggestion and agree with its intent, I just don't want to raise my log
>level yet. I'm a MID loglevel person, and happy to be there
>otherwise.
>
>When Declude calls my IPFILE test and nabs a message for failing, the
>logfile line includes the comment from the line in my IPFILE that failed.
>When Declude calls my FROMFILE test and nabs the message for failing, the
>logfile line includes the comment from the line in my FROMFILE that failed.
>My IPFILE has comments which identify the presumed domain of the IP address,
>and my FROMFILE has other comments that are similarly relevant and which
>remind me why I blacklisted them.
>
>When Declude runs one of my filter tests and nabs a message for failing, the
>logfile tells which line in the filter caused the match. [Caused isn't the
>right word, but work with me here.] So then, if I'm curious, I open the
>filter file in Notepad and manually count the lines until I find the one
>that matched, and then I can take corrective action if it's called for. I do
>this frequently, and I'm saddened that John's suggestion never occurred to
>me previously.
>
><rant>
>And before someone chimes in and tells me that I should be using a better
>text editor that contains automatic line counting, let me say THAT'S NOT THE
>POINT. The point is trying to bring Declude's admittedly awesome
>capabilities into balance.
></rant>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Dan Patnode
>Sent: Friday, 13 December 2002 5:19 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [Declude.JunkMail] Comments in filters
>
>
>Put your log level to HIGH and it shows each phrase that caught something.
>While it's not intuitive to see which of multiple tests a given phrase
>belongs to, because a given email can fail multiple tests in the same
>package, you actually get more info.
>
>Dan
>
>
>On Friday, December 13, 2002 12:38, John Tolmachoff
><[EMAIL PROTECTED]> wrote:
>>>>Or, can the headers or log show what the filter was instead of a test line
>>>>number? Say, add a comment after the line.
>>>>
>>>>Example:
>>>>SUBJECT 5 CONTAINS FREE "Subject contains free."
>>>
>>>No, that is not possible.
>>
>>Feature request! :)) That could be useful to see in the logs why it was
>>caught instead of just the line number.
>>
>>John Tolmachoff MCSE, CSSA
>>IT Manager, Network Engineer
>>RelianceSoft, Inc.
>>Fullerton, CA 92835
>>www.reliancesoft.com
>>
>>---
>>[This E-mail was scanned for viruses by Declude Virus
>>(http://www.declude.com)]
>>
>>---
>>This E-mail came from the Declude.JunkMail mailing list. To
>>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>>type "unsubscribe Declude.JunkMail". The archives can be found
>>at http://www.mail-archive.com.
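
The per-message grouping this thread is asking for, as an added example that is not part of the original messages and is not Declude or SpamReview code: it reads HIGH-level log lines in the shape of the sample above and ties each triggered phrase to the test that failed for the same queue ID. The function name, the second queue ID in the sample, and the rule that trigger lines precede their "Msg failed" line are assumptions.

```python
import re
from collections import defaultdict

# Line shapes copied from the HIGH-level log sample in the message above.
LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (\S+) (.*)$")
TRIGGER = re.compile(r"^Triggered filter on (.*) \[weight->(-?\d+)\]\.$")
FAILED = re.compile(r"^Msg failed (\S+) \((.*)\)\. Action=(\w+)\.$")

def summarize(log_text):
    """Group filter hits by queue ID and by the test that failed on them."""
    pending = defaultdict(list)   # queue ID -> phrases not yet tied to a test
    report = defaultdict(lambda: {"subject": None, "tests": {}})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # skip lines that are not in the sampled shape
        _, qid, text = m.groups()
        if (t := TRIGGER.match(text)):
            pending[qid].append(t.group(1))
        elif (f := FAILED.match(text)):
            # Assumption: trigger lines precede the "Msg failed" line of the
            # filter test they belong to, as they do in the sample.
            test, _, action = f.groups()
            report[qid]["tests"][test] = {
                "action": action,
                "phrases": pending.pop(qid, []),
            }
        elif text.startswith("Subject: "):
            report[qid]["subject"] = text[len("Subject: "):]
    return dict(report)

# Constructed sample: the Qa75904db00c2e1d0 lines are taken from the message
# above; the second queue ID is made up to show two interleaved messages.
SAMPLE = """\
12/13/2002 01:24:42 Qa75904db00c2e1d0 Triggered filter on etracks.com [weight->0].
12/13/2002 01:24:43 Qb0000000000000001 Triggered filter on bad credit [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Triggered filter on Debt Consolidation [weight->0].
12/13/2002 01:24:43 Qa75904db00c2e1d0 Msg failed FilterC (Message failed FilterC test (1187)). Action=ROUTETO.
12/13/2002 01:24:43 Qb0000000000000001 Msg failed FilterC (Message failed FilterC test (1187)). Action=ROUTETO.
12/13/2002 01:24:43 Qa75904db00c2e1d0 Subject: Conseco Finance may be able to help lower your monthly payments
"""

if __name__ == "__main__":
    for qid, info in summarize(SAMPLE).items():
        for test, hit in info["tests"].items():
            print(qid, test, hit["action"], "; ".join(hit["phrases"]))
```

Because phrases are held per queue ID until that ID's failure line arrives, interleaved messages do not contaminate each other's phrase lists.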
