[MBF] Re: Gauntlet addition suggestion
Hi David,

Any competing product for Message Sniffer? I need to renew it.

Thanks,
Stephan

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: 15 August 2015 21:38
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion

Based on the header you provided the following should work fine unless you have another variation?

HEADERS 0 PCRE(?im:X-GBUdb-Analysis.+Source New)

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 6:39 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion

Here are the lines added by SNIFFER:

X-MessageSniffer-Identifier: C:\Interceptor\Alligate\spool\proc\work\002343458.dta
X-GBUdb-Analysis: 0, 157.7.188.124, Ugly c=0 p=0 Source New
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2087-c

The email in question is indeed SPAM and/or malicious, with the body being an http link to a website.

-Original Message-
From: "David Barker" <david.bar...@mailsbestfriend.com>
Sent: Wednesday, August 12, 2015 2:01pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion

If SNF has already triggered and scored the message there is no real reason to move it to the GAUNTLET as it has already been identified; however, you could use a filter as you suggest below. Can you provide an actual line from a header line you want to trigger on so I can validate the PCRE?
David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 4:33 PM
To: community@mailsbestfriend.com
Subject: [MBF] Gauntlet addition suggestion

With SNIFFER running before GAUNTLET, I had an idea of using the X-GBUdb-Analysis line with "Source New" as a catch for GAUNTLET. Any thoughts? What would the line in the GAUNTLET file be for that?

HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))

John T
eServices For You

#
This message is sent to you because you are subscribed to the mailing list <community@mailsbestfriend.com>.
To unsubscribe, E-mail to: <community-...@mailsbestfriend.com>
To switch to the DIGEST mode, E-mail to <community-dig...@mailsbestfriend.com>
To switch to the INDEX mode, E-mail to <community-in...@mailsbestfriend.com>
Send administrative queries to <community-requ...@mailsbestfriend.com>
[MBF] Re: Gauntlet addition suggestion
In trying to capture DOC attachments, someone provided the following line a while back:

BODY 0 PCRE (?i:filename=[a-z0-9-_ ]\.doc)

That was not working. After my fumbling around and testing, the correct line is as follows:

BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc)

Note the quotation marks, which are there in the email, as well as the number of characters possibly present.
[MBF] Re: Gauntlet addition suggestion
Thanks David.

A question: why is the following line in GAUNTLET? I realize it can have a high hit rate, but with the proliferation of malicious emails that are playing with the encoding, shouldn't this line be removed?

BODYEND PCRE(?i:Content-Transfer-Encoding: base64)
[MBF] Re: Gauntlet addition suggestion
Based on the header you provided the following should work fine unless you have another variation?

HEADERS 0 PCRE(?im:X-GBUdb-Analysis.+Source New)

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 6:39 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion

Here are the lines added by SNIFFER:

X-MessageSniffer-Identifier: C:\Interceptor\Alligate\spool\proc\work\002343458.dta
X-GBUdb-Analysis: 0, 157.7.188.124, Ugly c=0 p=0 Source New
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2087-c

The email in question is indeed SPAM and/or malicious, with the body being an http link to a website.

-Original Message-
From: David Barker <david.bar...@mailsbestfriend.com>
Sent: Wednesday, August 12, 2015 2:01pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion

If SNF has already triggered and scored the message there is no real reason to move it to the GAUNTLET as it has already been identified; however, you could use a filter as you suggest below. Can you provide an actual line from a header line you want to trigger on so I can validate the PCRE?

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 4:33 PM
To: community@mailsbestfriend.com
Subject: [MBF] Gauntlet addition suggestion

With SNIFFER running before GAUNTLET, I had an idea of using the X-GBUdb-Analysis line with "Source New" as a catch for GAUNTLET. Any thoughts? What would the line in the GAUNTLET file be for that?

HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))

John T
eServices For You
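An added check, written for this page and not taken from the thread or from the Gauntlet product, that runs the two header rules discussed above (John's first attempt and David's reply) and the two attachment rules from the DOC-attachment post against the SNIFFER headers John posted plus a constructed MIME part header. Python's re module accepts the same (?i:...) and (?im:...) inline-flag syntax as PCRE, so it serves as an offline rule tester; the DOC_PART sample is an assumption, not data from the list.

```python
import re

# SNIFFER header block exactly as John Tolmachoff posted it in the thread.
SNIFFER_HEADERS = (
    "X-MessageSniffer-Identifier: C:\\Interceptor\\Alligate\\spool\\proc\\work\\002343458.dta\n"
    "X-GBUdb-Analysis: 0, 157.7.188.124, Ugly c=0 p=0 Source New\n"
    "X-MessageSniffer-Scan-Result: 0\n"
    "X-MessageSniffer-Rules: 0-0-0-2087-c\n"
)

# David's header rule: scoped (?im:...) flags, and ".+" spans the IP,
# verdict and counters between the header name and "Source New".
HEADER_RULE_OK = r"(?im:X-GBUdb-Analysis.+Source New)"

# John's first attempt: "(?i(" is not inline-flag syntax (it needs "(?i:" or
# "(?i)"), and the unquantified character class would match only one character.
HEADER_RULE_BROKEN = r"(?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))"

# Attachment rules from the DOC-attachment post. Without a quantifier the
# class matches a single character, so a real filename never fits; the
# {1,100} form allows up to 100 name characters before ".doc".
BODY_RULE_BROKEN = r"(?i:filename=[a-z0-9-_ ]\.doc)"
BODY_RULE_OK = r"(?i:filename=[a-z0-9-_ ]{1,100}\.doc)"

# Constructed MIME part header (assumption, not from the thread).
DOC_PART = "Content-Disposition: attachment; filename=Invoice 2015-08.doc\n"


def compiles(pattern: str) -> bool:
    """True if the PCRE-style pattern is accepted by Python's re module."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def rule_hits(pattern: str, text: str) -> bool:
    """True when a GAUNTLET-style PCRE rule would fire on the given text."""
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    print("broken header rule compiles:", compiles(HEADER_RULE_BROKEN))          # False
    print("header rule fires:", rule_hits(HEADER_RULE_OK, SNIFFER_HEADERS))       # True
    print("single-char body rule fires:", rule_hits(BODY_RULE_BROKEN, DOC_PART))  # False
    print("quantified body rule fires:", rule_hits(BODY_RULE_OK, DOC_PART))       # True
```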
[MBF] Re: Gauntlet addition suggestion
If SNF has already triggered and scored the message there is no real reason to move it to the GAUNTLET as it has already been identified; however, you could use a filter as you suggest below. Can you provide an actual line from a header line you want to trigger on so I can validate the PCRE?

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 4:33 PM
To: community@mailsbestfriend.com
Subject: [MBF] Gauntlet addition suggestion

With SNIFFER running before GAUNTLET, I had an idea of using the X-GBUdb-Analysis line with "Source New" as a catch for GAUNTLET. Any thoughts? What would the line in the GAUNTLET file be for that?

HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))

John T
eServices For You
[MBF] Re: Gauntlet addition suggestion
Here are the lines added by SNIFFER:

X-MessageSniffer-Identifier: C:\Interceptor\Alligate\spool\proc\work\002343458.dta
X-GBUdb-Analysis: 0, 157.7.188.124, Ugly c=0 p=0 Source New
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2087-c

The email in question is indeed SPAM and/or malicious, with the body being an http link to a website.

-Original Message-
From: David Barker <david.bar...@mailsbestfriend.com>
Sent: Wednesday, August 12, 2015 2:01pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion

If SNF has already triggered and scored the message there is no real reason to move it to the GAUNTLET as it has already been identified; however, you could use a filter as you suggest below. Can you provide an actual line from a header line you want to trigger on so I can validate the PCRE?

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 4:33 PM
To: community@mailsbestfriend.com
Subject: [MBF] Gauntlet addition suggestion

With SNIFFER running before GAUNTLET, I had an idea of using the X-GBUdb-Analysis line with "Source New" as a catch for GAUNTLET. Any thoughts? What would the line in the GAUNTLET file be for that?

HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))

John T
eServices For You