Page 59 - Mercury Manual.book

P. 59

Content Control 54
Mercury's Content Control Filtering Language

IF HEADER "headername" MATCHES "regular_expression" WEIGHT x
IF EXISTS "headername" WEIGHT x

Wordlist tests - HAS and HASALL There are also some more specialized tests you can use to
test for groups of words in a message - HAS and HASALL:

IF xx HAS "wordlist" WEIGHT x
IF xx HASALL "wordlist" WEIGHT x

(Note that “xx” can be “subject”, “sender”, “recipient”, “header”, “content” or “body”) Both
of these tests accept a list of words separated by commas as their parameter. The HAS test will
succeed if the message contains any of the words in the list, while the HASALL test will suc-
ceed if the message contains all the words in the list, in any order.

Example: to detect a message containing "viagra", "prescription" and "erectile"
IF BODY HASALL "Viagra, prescription, erectile" weight 50
Specialized, or arbitrary tests Mercury has a number of specialized tests that are specifically
designed for detecting spam (unsolicited commercial e-mail); these tests examine special
characteristics of the message that could not otherwise be easily detected using standard reg-
ular expressions. Specialized tests are entered like any other rule in the rule set, and have the
following general form:

IF TEST "Testname-and-parameters" WEIGHT x
The name of the test and any parameters it requires are entered as a single string after the key-
word TEST: if Mercury does not recognize the name of the test, it ignores the rule. Doing
things this way allows tests to be added in future without breaking existing copies of Mercu-
ry/32. Tests are case-insensitive unless specifically noted below.

The following tests are available at present:

Some eCommerce sites LazyHTML This test will trigger if the message is an HTML message that contains an IMG
generate Lazy HTML data link to a remote graphic - apart from being extraordinarily rude and annoying, this type of
in notifications. This is a
bad practice, but you link is a very reliable indicator of spam. Two parameters are available for this test - Tolerant
should be aware that it and Strict; the Tolerant parameter tells Mercury that a message may contain one (and no
may occur and may re-
quire some whitelisting. more than one) Lazy HTML graphic link without triggering, while the Strict parameter tells
Mercury that any Lazy HTML is to cause a trigger.

Example: If Test "LazyHTML Tolerant" weight 51
HasIFrame This test will trigger if the message contains an HTML IFrame tag - this is an
almost 100% certain indication of a virus-generated message containing viral payload de-
signed to take advantage of an infamous activation bug in Microsoft Outlook. There is no im-
aginable justification for a valid e-mail message to contain an IFrame tag. This test takes no
parameters.

Example: If Test "HasIFrame" weight 51
HTMLComments This test allows you to trigger if a message has more than a certain number
This test may catch legiti- of HTML comments. Spam often uses HTML comments to break up keywords that would
mate mail from some us-
ers who have opted to use otherwise be detected as "naughty": because Mercury strips HTML tags before applying con-
Microsoft Word as their tent control testing, this type of trick won't work with it, but the presence of all those com-
mail editor, because it
generates a significant ments is a dead giveaway that the message is spam. The parameter to this test is the number
number of comments. of comments above which Mercury should trigger the test.

54 55 56 57 58 59 60 61 62 63 64