Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Usenet filter won't work during updating headers, needs to be run manually

10 views
Skip to first unread message

Matilda

unread,
Nov 6, 2009, 2:04:02 PM11/6/09
to
I'm trying to filter out mass malware postings that all have the same
line lengths -- in this case 2732 lines. In the Add Usenet Filter
window, in the filter expression field, I put [2732,2732]. The other
options include Kill action: delete, Scope: Global, Apply filters
immediately.

When I click OK the filter works fine. But a few hours later, when I
update the headers, new malware posts with the same line length show
up as if there was no filter. I have to right-click on the folder and
select "Apply filters to folder" to get the filter to work.

Why doesn't Agent do this during the header retrieval? Why do I have
to do this manually?

I'm using Agent 5, but had the same problem before with other
versions.

Matilda

Message has been deleted

Matilda

unread,
Nov 6, 2009, 6:01:20 PM11/6/09
to
On Fri, 06 Nov 2009 16:49:50 -0600, Spender <Spe...@Mars.org> wrote:

>On Fri, 06 Nov 2009 12:04:02 -0700, Matilda <Mat...@fakeaddress.com>
>wrote:


>
>>I'm trying to filter out mass malware postings that all have the same
>>line lengths -- in this case 2732 lines. In the Add Usenet Filter
>>window, in the filter expression field, I put [2732,2732]. The other
>>options include Kill action: delete, Scope: Global, Apply filters
>>immediately.
>>
>>When I click OK the filter works fine. But a few hours later, when I
>>update the headers, new malware posts with the same line length show
>>up as if there was no filter. I have to right-click on the folder and
>>select "Apply filters to folder" to get the filter to work.
>

>Have you tried increasing the priority of the filter?

Yes, no difference.

pyotr filipivich

unread,
Nov 7, 2009, 1:26:58 AM11/7/09
to
Let the Record show that Matilda <Mat...@fakeaddress.com> on or about
Fri, 06 Nov 2009 16:01:20 -0700 did write/type or cause to appear in
alt.usenet.offline-reader.forte-agent the following:

Is the filter set to run? I know I've had some problems when I
create a filter "for future use" and disable "Apply Filter
immediately" - and get odd results.
-
pyotr filipivich.
Just about the time you finally see light at the end of the tunnel,
you find out it's a Government Project to build more tunnel.

Matilda

unread,
Nov 7, 2009, 1:17:38 PM11/7/09
to

The filter is not disabled.

I made another filter for the same messages, but based on a string in
the subject line. That one works as it should. I can't see any
difference in the two filters except that one has [2732,2732] in the
filter expression field and the other has Subject: /3494. (The string
I'm filtering on is "/3494").

Maybe there is a bug in Agent where filtering on the number of lines
does not work automatically, only manually.

Matilda

pyotr filipivich

unread,
Nov 7, 2009, 5:35:46 PM11/7/09
to
Let the Record show that Matilda <Mat...@fakeaddress.com> on or about
Sat, 07 Nov 2009 11:17:38 -0700 did write/type or cause to appear in

alt.usenet.offline-reader.forte-agent the following:
>On Fri, 06 Nov 2009 22:26:58 -0800, pyotr filipivich
><ph...@mindspring.com> wrote:
>
>>Let the Record show that Matilda <Mat...@fakeaddress.com> on or about
>>Fri, 06 Nov 2009 16:01:20 -0700 did write/type or cause to appear in
>>alt.usenet.offline-reader.forte-agent the following:
>>>On Fri, 06 Nov 2009 16:49:50 -0600, Spender <Spe...@Mars.org> wrote:
>>>
>>>>On Fri, 06 Nov 2009 12:04:02 -0700, Matilda <Mat...@fakeaddress.com>
>>>>wrote:
>>>>
>>>>>I'm trying to filter out mass malware postings that all have the same
>>>>>line lengths -- in this case 2732 lines. In the Add Usenet Filter
>>>>>window, in the filter expression field, I put [2732,2732]. The other
>>>>>options include Kill action: delete, Scope: Global, Apply filters
>>>>>immediately.
>>>>>
>>>>>When I click OK the filter works fine. But a few hours later, when I
>>>>>update the headers, new malware posts with the same line length show
>>>>>up as if there was no filter. I have to right-click on the folder and
>>>>>select "Apply filters to folder" to get the filter to work.
>>>>
>>>>Have you tried increasing the priority of the filter?
>>>
>>>Yes, no difference.
>>
>> Is the filter set to run? I know I've had some problems when I
>>create a filter "for future use" and disable "Apply Filter
>>immediately" - and get odd results.
>
>The filter is not disabled.
>
>I made another filter for the same messages, but based on a string in
>the subject line. That one works as it should. I can't see any
>difference in the two filters except that one has [2732,2732] in the
>filter expression field and the other has Subject: /3494. (The string
>I'm filtering on is "/3494").

Ah, hmmm, no ... It struck me that [1234,1234] isn't a "range"
except in the very narrowest sense. Opening the range to [1233,1234]
or [1234,1235] would give it a range.
Yes that might catch the occasional file which is in that range,
but it does work.
I had to check, I knew I had something in there like that. Only
that was a specific filter [2000,*]


>
>Maybe there is a bug in Agent where filtering on the number of lines
>does not work automatically, only manually.

Matilda

unread,
Nov 7, 2009, 9:42:58 PM11/7/09
to
On Sat, 07 Nov 2009 14:35:46 -0800, pyotr filipivich
<ph...@mindspring.com> wrote:

My filter works manually, it just doesn't work automatically when
retrieving new headers. So it's not a syntax error.

pyotr filipivich

unread,
Nov 8, 2009, 3:48:05 AM11/8/09
to
Let the Record show that Matilda <Mat...@fakeaddress.com> on or about
Sat, 07 Nov 2009 19:42:58 -0700 did write/type or cause to appear in

Hmmm, I'm stumped completely. Which I'm pretty sure you realized
as well.

Nick Spalding

unread,
Nov 8, 2009, 4:08:19 AM11/8/09
to
Matilda wrote, in <evbcf5lodnhl8rndj...@4ax.com>
on Sat, 07 Nov 2009 19:42:58 -0700:

Are you automatically getting bodies for that group? It so it is
possible that the message headers as originally received have a zero
line count and what you see is generated by Agent when it gets the
bodies. The filtering works on the original headers.
--
Nick Spalding
Agent 5.0/32.1171 IE8
Vista Home Premium SP2, Intel Viiv dual core E6300 (1.86Ghz, 1066MHz FSB),
2GB RAM, 320GB NTFS HD, Video Nvidia GeForce 7900GS LCD 1024x768x75Hz

Matilda

unread,
Nov 8, 2009, 11:34:28 AM11/8/09
to
On Sun, 08 Nov 2009 09:08:19 +0000, Nick Spalding <spal...@iol.ie>
wrote:

Nope, not retrieving any bodies. Those posts are malware!

Don Kirkman

unread,
Nov 8, 2009, 1:15:45 PM11/8/09
to
It seems to me I heard somewhere that Matilda wrote in article
<uksdf5p511tpr896j...@4ax.com>:

>On Sun, 08 Nov 2009 09:08:19 +0000, Nick Spalding <spal...@iol.ie>
>wrote:

>>Matilda wrote, in <evbcf5lodnhl8rndj...@4ax.com>
>> on Sat, 07 Nov 2009 19:42:58 -0700:

>>> On Sat, 07 Nov 2009 14:35:46 -0800, pyotr filipivich
>>> <ph...@mindspring.com> wrote:

[Snip history or problem]

>>> My filter works manually, it just doesn't work automatically when
>>> retrieving new headers. So it's not a syntax error.

>>Are you automatically getting bodies for that group? It so it is
>>possible that the message headers as originally received have a zero
>>line count and what you see is generated by Agent when it gets the
>>bodies. The filtering works on the original headers.

>Nope, not retrieving any bodies. Those posts are malware!

Are you able to copy/cut and paste the full headers here without
endangering your system? If so maybe someone will have sharp enough
eyes (or brains) to see the problem.
--
Don Kirkman
don...@charter.net

Nick Spalding

unread,
Nov 8, 2009, 4:09:16 PM11/8/09
to
Don Kirkman wrote, in <4n0ef5pqq1nu3gkg2...@4ax.com>
on Sun, 08 Nov 2009 10:15:45 -0800:

Matilda (nice name) won't have the full headers without the bodies and
it is the partial headers that the on-the-fly filtering works on.

Matilda

unread,
Nov 8, 2009, 11:13:34 PM11/8/09
to
On Sun, 08 Nov 2009 21:09:16 +0000, Nick Spalding <spal...@iol.ie>
wrote:

>Don Kirkman wrote, in <4n0ef5pqq1nu3gkg2...@4ax.com>


> on Sun, 08 Nov 2009 10:15:45 -0800:
>>

>> Are you able to copy/cut and paste the full headers here without
>> endangering your system? If so maybe someone will have sharp enough
>> eyes (or brains) to see the problem.
>
>Matilda (nice name) won't have the full headers without the bodies and
>it is the partial headers that the on-the-fly filtering works on.

These malware posts are being posted pretty well daily to some of the
binary NGs... for instance, a.b.warez. ... hundreds of posts all with
the same line count but with different subjects, ostensibly useful
apps but actually malware.

They often can't be filtered on author because they use generic names.
The best way should be to filter on line count but that doesn't seem
to work right....

I can't easily post the header info now because my filters just
deleted them all (I switched to filtering on Subject). Maybe in a day
or two when a new batch gets posted...

Matilda

Don Kirkman

unread,
Nov 9, 2009, 2:07:56 AM11/9/09
to
It seems to me I heard somewhere that Matilda wrote in article
<2u4ff5l74ve8roupd...@4ax.com>:

>On Sun, 08 Nov 2009 21:09:16 +0000, Nick Spalding <spal...@iol.ie>
>wrote:

>>Don Kirkman wrote, in <4n0ef5pqq1nu3gkg2...@4ax.com>
>> on Sun, 08 Nov 2009 10:15:45 -0800:

>>> Are you able to copy/cut and paste the full headers here without
>>> endangering your system? If so maybe someone will have sharp enough
>>> eyes (or brains) to see the problem.

>>Matilda (nice name) won't have the full headers without the bodies and
>>it is the partial headers that the on-the-fly filtering works on.

Thanks, Nick. You young whippersnappers always save my bacon. :-)

>These malware posts are being posted pretty well daily to some of the
>binary NGs... for instance, a.b.warez. ... hundreds of posts all with
>the same line count but with different subjects, ostensibly useful
>apps but actually malware.

>They often can't be filtered on author because they use generic names.
>The best way should be to filter on line count but that doesn't seem
>to work right....
>
>I can't easily post the header info now because my filters just
>deleted them all (I switched to filtering on Subject). Maybe in a day
>or two when a new batch gets posted...

Nick points out that you may not be able to unless you're actually
downloading at least a sample of them. My brain on idle again. :-{
--
Don Kirkman
don...@charter.net

Ralph Fox

unread,
Nov 9, 2009, 2:48:34 AM11/9/09
to
On Fri, 06 Nov 2009 12:04:02 -0700, in message <a8s8f5d7oig1hn4qo...@4ax.com>,
Matilda wrote:

> I'm trying to filter out mass malware postings that all have the same
> line lengths -- in this case 2732 lines. In the Add Usenet Filter
> window, in the filter expression field, I put [2732,2732]. The other
> options include Kill action: delete, Scope: Global, Apply filters
> immediately.
>
> When I click OK the filter works fine.

This does a manual "Apply Filters" to the folder.


> But a few hours later, when I
> update the headers, new malware posts with the same line length show
> up as if there was no filter. I have to right-click on the folder and
> select "Apply filters to folder" to get the filter to work.

So it appears that a manual "Apply Filters" works, but automatic filtering
when retrieving new headers does not.


> Why doesn't Agent do this during the header retrieval? Why do I have
> to do this manually?

One of the things which can cause this is that you have a check-mark
in at least one of the following boxes

A. (*select folder*) � Folder � Properties � Receiving Messages � Usenet Filters
[x] Disable filtering for this folder

B. Folder � Property Schemes � (*select scheme*) � Edit � Receiving Messages � Usenet Filters
[x] Disable filtering for this folder

C. Folder � Default Properties � Receiving Messages � Usenet Filters
[x] Disable filtering for all folders

When filtering is disabled via one of these check-boxes, it stops automatic
filtering when messages are downloaded -- but it does not stop a manual
"Apply Filters" from working.


> I'm using Agent 5, but had the same problem before with other
> versions.

Disabling filtering works the same way in previous versions.


> Matilda

--
Regards
Ralph

Matilda

unread,
Nov 9, 2009, 1:37:40 PM11/9/09
to
On Mon, 09 Nov 2009 20:48:34 +1300, Ralph Fox <-rf-nz-@-.invalid>
wrote:

>One of the things which can cause this is that you have a check-mark
>in at least one of the following boxes
>
>A. (*select folder*) � Folder � Properties � Receiving Messages � Usenet Filters
> [x] Disable filtering for this folder
>
>B. Folder � Property Schemes � (*select scheme*) � Edit � Receiving Messages � Usenet Filters
> [x] Disable filtering for this folder
>
>C. Folder � Default Properties � Receiving Messages � Usenet Filters
> [x] Disable filtering for all folders

I checked carefully and none of those Disable boxes are checked.
Anyway, filters that act on Subject: work fine. It's just the
[1234,1234] ones that don't work when retrieving headers.

Thanks for your post.

Matilda

Ralph Fox

unread,
Nov 9, 2009, 4:09:20 PM11/9/09
to
On Mon, 09 Nov 2009 11:37:40 -0700, in message <i4ogf553stdanek1g...@4ax.com>,
Matilda wrote:

> I checked carefully and none of those Disable boxes are checked.
> Anyway, filters that act on Subject: work fine. It's just the
> [1234,1234] ones that don't work when retrieving headers.
>
> Thanks for your post.

Other replies have already covered off and eliminated most other possible
causes. I suspect someone else would need direct access to your own news
server to analyze what was going on.

--
Cheers
Ralph

0 new messages