Brute force works well for this particular virus, because it has so few possibilities and doesn't use common enough attachment names for me to consider it any risk for false positives:
#Jul-20-2004 AC broken BAGLE.AH and so forth BODY 0 CONTAINS filename="cat. BODY 0 CONTAINS filename="Cool_MP3. BODY 0 CONTAINS filename="Dog. BODY 0 CONTAINS filename="Doll. BODY 0 CONTAINS filename="Fish. BODY 0 CONTAINS filename="Garry. BODY 0 CONTAINS filename="MP3. BODY 0 CONTAINS filename="Music_MP3. BODY 0 CONTAINS filename="New_MP3_Player. I put this in a JunkMail Pro filter file with a HOLD action. Andrew 8) -----Original Message----- From: Scott Fisher [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 20, 2004 8:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Njabl test? Here are my NJABL results for June: Test Count Delete SPAM Held SPAM Poss SPAM Not SPAM CATCHALLMAILS 273983 84.0% 3.2% 0.4% 12.3% NJABL-DUL 12668 98.9% 1.1% 0.0% 0.0% NJABL-DYNABLOCK 88903 98.9% 1.0% 0.1% 0.0% NJABL-FORMMAIL-ALL 10 60.0% 0.0% 0.0% 40.0% NJABL-FORMMAIL-LAST 10 60.0% 0.0% 0.0% 40.0% NJABL-HELO-DYNABLOCK 83 96.4% 3.6% 0.0% 0.0% NJABL-PROXIES-ALL 42501 99.7% 0.2% 0.0% 0.1% NJABL-PROXIES-LAST 42064 99.9% 0.1% 0.0% 0.0% NJABL-RELAYS-ALL 353 87.3% 2.5% 1.4% 8.8% NJABL-RELAYS-LAST 349 86.8% 2.6% 1.7% 8.9% NJABL-SOURCES 6371 99.0% 0.7% 0.1% 0.2% NJABL-SOURCES-ALL 1285 99.5% 0.4% 0.0% 0.1% NJABL-SOURCES-LAST 1281 99.6% 0.3% 0.0% 0.1% Scott Fisher Director of IT Farm Progress Companies >>> [EMAIL PROTECTED] 07/20/04 09:54AM >>> I notice the njabl test is not a "standard" test in the sample Declude JunkMail config file: # The following tests are commented out by default because they are not commonly used # NJABL ip4r dnsbl.njabl.org 127.0.0.2 5 0 Is this test worth the machine time doing the lookup? [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
