Hi Dave (just in case this got overlooked - or I missed the answer),

 

>> Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. <<

I know that all 18 "SNF" rule lines only require one invocation of Sniffer -
which is then evaluated 18 different ways. Fair enough.

I also know that the 3 "SNFIP" rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the "SNFIPREP" rule.

 

So I need to clarify this in my head. Will all 22 "SNF." rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREP) a separate entity that requires additional overhead?

Since there is some possible overhead between:

SNFIPREP (which evaluates the GDUdb) and SNFIP (which also evaluates the
GDUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GDUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already have exit codes 20 and 63) will reduce the
Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See, for external it is the 1st
variable, whereas for the internal it is the 2nd variable, and the NONZERO does
not work for that.

 

SNIFFER          external   nonzero   "C:\Smartermail\Declude\Sniffer\xxxxxxx.exe xxxabc123xxxx"   12   0

SNIFFER-TRAVEL   SNF        x         47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION    SNFIPREP " and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK      SNFIP       the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION    SNFIP  please update this to IPREPUTATION    SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1----- 0 ----- 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log   1842    04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.000000

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log   7351    04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log   11926   04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10 points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10 points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for -5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for -5 points.

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for -5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for -5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for -5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for -5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.       I'm confused about the Sniffer integration sample:

 

SNFIPBLACK      SNFIP           x               5               10      0

IPREPUTATION    SNFIP           x               5               10      -5


It seems to me as if BOTH lines test the SAME Sniffer return code of "5" -
but one line adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add "20" when found? Why use TWO lines to accomplish that?

 

2.       In the past I could simply configure:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the "SNF" test have some way to configure ONE line for "nonzero" to
create a baseline weight, and then just add "SNF" tests for specific return
codes if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

