Rule(s) don't seem to work!!

Found a serious/minor bug in PopTray? Tell me about it.

Moderators: KY Dave, jojobear99, Rdsok

Locked
kaajee
First Timer
Posts: 3
Joined: Wed Sep 17, 2003 1:06 am

Rule(s) don't seem to work!!

Post by kaajee » Mon Nov 03, 2003 4:12 pm

Hi,
I created a rule to delete mail form the server directly, because i received a lot of crap from a certain user. I do have his ip address, so i created a filter to look for this ip-address (in the header field) but it does not work. I cannot use the from: field becasue this spammer is using one of my own -email address. I have the folllowing information to identify this spammer:
-
Received: from dslam124-2-166-62.adsl.zonnet.nl (HELO HOME.nl) (62.166.2.124)
by in3.mail.vuurwerk.net with SMTP; 1 Nov 2003 16:04:42 -0000
-
But i tried every field in the rule (header, from, from (name, address) with the contain & wildcard option) but no luck.......
How can i handle these mails ?? Or is it indeed a bug?
Or just not implemented yet.......
(there are no other filters/whitelists active)
thanks
KJ

Vanguard
Enthusiast
Posts: 40
Joined: Tue Oct 21, 2003 10:36 am

Post by Vanguard » Mon Nov 03, 2003 6:33 pm

I found the "header" rule unreliable. I run my clients (e-mail monitor and e-mail client) through SpamPal which will add its "X-SpamPal: SPAM" header onto spam e-mails. I then defined a rule in PopTray to delete e-mails on the server that had this header. Sometimes it worked, sometimes not. I had been using Magic Mail Monitor but then switched to PopTray, and then had to switch back to Magic. I needed an e-mail monitor with rules that could reliably detect the header so it would then delete that spam from the server. I didn't want to get notified of the new e-mail which was really spam nor did I want to waste time downloading it into my e-mail client (to use a rule there that would detect SpamPal's header to delete the spam locally). I think it was Vitoco who remarked in another topic by me that he noticed PT had problems with header rules.

I didn't see (or missed it) where RFC 2822, "Internet Message Format", mentions what delimits the headers from the body. My guess is that it is the first blank line (i.e., consists of just the CR LF characters). Maybe the substring search terminates prematurely at a CRLF at the end of a header line rather than at this separator line. My rules.ini file for my SpamPal rule looks like:

[Rule4]
Name=SpamPal Trap
Enabled=1
New=0
Account=0
Area=Header
Func=Contains
Text=X-SpamPal: SPAM
Wav=
Delete=1
Ignore=0
EXE=
Important=0
Spam=0
Protect=0
Log=1

Hmm, I wonder if I'm expected to add double quotes to delimit the search string shown as the Text value. I haven't had to do so for string search within the Subject header. I only got a quick check of the source code before getting interrupted. In umain.pas, I saw a CheckRule() function which called AnsiContainsText(area,text) for a "contains" rule (since my rule has Func=Contains). I didn't in any .pas file included in the source code .zip a definition of AnsiContainsText() so maybe it is an embedded function in Delphi or from a 3rd party library. It might not be something Renier can fix unless converting all CRLF sequences in non-blank lines into, say, a space in "area" would fix the problem.

kaajee
First Timer
Posts: 3
Joined: Wed Sep 17, 2003 1:06 am

indeed a bug!

Post by kaajee » Tue Nov 04, 2003 12:16 am

Indeed, now i know for sure that it is a bug, and that my posting was at the right place. (No offence Renier)
I tried Magic Mail Monitor as well, and he/she did the job perfectly!
Only i thought MMM was/is a lot slower then PopTray, and besides that: Reinier promised me for his next release that a 'date filter' is being added (delete mail older then x days), (this one is not included in MMM either). So i hope he is going to look into this 'bug' as well and fix it in the next release (together with my date/days filter :D )

good luck
KJ

User avatar
Renier
Site Admin
Posts: 1957
Joined: Mon Oct 15, 2001 12:54 pm
Location: Cape Town, South-Africa
Contact:

Re: indeed a bug!

Post by Renier » Tue Nov 04, 2003 11:19 am

kaajee wrote:Reinier promised me for his next release that a 'date filter' is being added
Putting something on my TODO list is not the same as a "promise".

voks
Still here
Posts: 8
Joined: Mon Mar 01, 2004 10:33 pm
Location: Kaiserslautern - Germany
Contact:

Post by voks » Sat Jan 15, 2005 9:11 pm

Vanguard wrote:I found the "header" rule unreliable. I run my clients (e-mail monitor and e-mail client) through SpamPal which will add its "X-SpamPal: SPAM" header onto spam e-mails. I then defined a rule in PopTray to delete e-mails on the server that had this header. Sometimes it worked, sometimes not.
Same here (as I described in another thread). Please fix it!
PopTray 3.2
NOD32 2.5 antivirus system
Microsoft Windows XP Home Edition (SP2), version 5.1.2600

User avatar
lemming
Groupie
Posts: 55
Joined: Sun Jan 09, 2005 3:51 am
Location: Malaysia

Re: Rule(s) don't seem to work!!

Post by lemming » Mon Jan 24, 2005 7:43 pm

Heh, looks like a classic spammer tactic. The address you listed is almost certainly a home adsl IP address.

So if you're filtering by specific addresses it won't work because for home adsl, the IP address will change every time they log on.

Based on the example you provided, dslam124-2-166-62.adsl.zonnet.nl, it looks like the addresses follow this pattern:

dslam followed by the IP address in reverse followed by adsl.zonnet.nl

You can easily match it by using this regular expression:

dslam(\d{1,3}\-){3}\d{1,3}\.adsl\.zonnet

this would match:

dslam1-2-3-4.adsl.zonnet.nl
dslam11-22-33-44.adsl.zonnet.nl
dslam222-222-444-333.adsl.zonnet.nl
dslam1-222-33-4.adsl.zonnet.nl

and all other number combinations. I left out the .nl section in the regex because the search is unique enough.

-Lemming 8)
kaajee wrote:Hi,
I created a rule to delete mail form the server directly, because i received a lot of crap from a certain user. I do have his ip address, so i created a filter to look for this ip-address (in the header field) but it does not work. I cannot use the from: field becasue this spammer is using one of my own -email address. I have the folllowing information to identify this spammer:
-
Received: from dslam124-2-166-62.adsl.zonnet.nl (HELO HOME.nl) (62.166.2.124)
by in3.mail.vuurwerk.net with SMTP; 1 Nov 2003 16:04:42 -0000
-
But i tried every field in the rule (header, from, from (name, address) with the contain & wildcard option) but no luck.......
...
KJ

Locked

Who is online

Users browsing this forum: No registered users and 5 guests