[sniffer] catch more spam (in response to the current discussion)

2006-09-21 Thread Michiel Prins
Crew,

If I might suggest something that has nothing to do with sniffer directly...

I successfully reduced the number of spams delivered to our server by 25%
by automatically blacklisting the IP addresses which deliver spam. If the
weight of an e-mail goes over the hold weight, I add the IP address to the
list of blocked IP addresses for the next 60 minutes. During that time,
connections from these IPs are denied or dropped (don't really know). After
that, it's automatically removed.

This is something you can do with the MDaemon content filter using the Add
Line To A Text File action (combined with a script that creates tarpit.sem
every minute); I don't know if this can be done with Declude or other systems.

Drawback is that false positives would generate a temporary blacklisting,
but I have not had any problems so far (the rule is in place for two weeks
now).


Michiel

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Wednesday, 20 September 2006 16:43
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer does not catch as much as it used to.

Hello Fox, Thomas,

I might add that for a long while it has been a common recommendation for SNF
to be weighted at 70-80% of your hold weight. Quite often, some result
categories are weighted to hold on their own.

These days blackhats are using a burst-mode delivery tactic that makes it
virtually certain the IPs they are using are previously unknown and
unlisted. As a result, if several IP blacklist hits are required in addition
to SNF then you are much more likely to see leakage than in previous months.

In testing our new GBUdb engine on our spamtrap servers I can see a constant
stream of new IPs sourcing spam and I also see the rate of new IPs spike
significantly when new variants of messages arrive.
These spikes are much higher than previously measured and continue to grow.

Hope this helps,

_M

PS: GBUdb is a real-time collaborative behavior analysis engine that tracks
statistics on good, bad, unknown (ugly), and ignored IPs. The engine will be
part of the next release of SNF due shortly.

Wednesday, September 20, 2006, 10:02:36 AM, you wrote:

 Hi Rick,

 I've found that tuning for spam is a constant process. I am always 
 tweaking settings, changing weights, etc., in response to spam 
 leakage.

 Just yesterday I spent about 2 hours on it. 

 I (very reluctantly) implemented some phrase filtering, using the 
 filter function in Declude. I've been reluctant to do phrase filtering 
 in the past, just because I'm so scared of false positives, but I was 
 able to work with a phrase list I was pretty sure would be safe.

 I also increased the weighting of some of the other Sniffer tests we 
 use, specifically the tests that scan for porn, get rich quick and 
 stuff like that. The weighting isn't so high that any one test will 
 cause the message to fail, but I did set it high enough on a few of 
 the Sniffer result codes so that if it fails that specific Sniffer test 
 and just one other test, it will fail as spam.

 It comes down to, IMHO, how much time you want to spend on it, and how 
 vigilant you want to be. I'd much rather spend a few hours a month 
 tweaking settings, than dealing with lusers calling daily because they 
 got an ad for Viagra. :-)

 I'd be happy to share my config files privately if you think it would 
 help.

 Good luck!
 Tom



 I just signed my annual renewal for Sniffer but it seems that it used 
 to catch lots of the email and now is only catching about 50% of the 
 email. Why, when we are sending in our information, does this continue 
 to happen? We are getting lots of you won, Pharmacy spelled wrong and 
 nonsense emails that sail through both Declude and Sniffer. Between 
 the 2 of them that is over $1000 per year for spam/virus/hijack 
 protection that seems not to be happening like it used to. Any answers 
 as to when we will get relief on these?
 
 Rick Hogue

 ---
 [This E-mail scanned for viruses by Declude Virus]



 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]



-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.







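The rule Michiel describes at the top of this message, as an added example that is not part of the original post and is not MDaemon or Message Sniffer code: a block list with a per-IP expiry, populated from scored deliveries and rendered as the lines of a blocked-IP text file. The hold weight of 100, the exempt relay network 192.0.2.0/24 and the sample deliveries are constructed for the example; the 60-minute window is the post's. The `never_block` exemption is an addition here, the obvious guard against the false-positive drawback the post mentions, and is not something the post describes.

```python
"""Temporary blocking of spam-source IPs, keyed on the message's spam weight.

Added example; not code from the original post, from MDaemon or from
Message Sniffer. It models the rule described in the post: once a
message's weight reaches the hold weight, the delivering IP is put on a
block list for the next 60 minutes and then dropped automatically. The
hold weight of 100, the exempt network and the sample deliveries are
constructed for the example; the 60-minute window is the post's.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

HOLD_WEIGHT = 100                  # constructed; the score at which mail is held
BLOCK_FOR = timedelta(minutes=60)  # the post's 60-minute window


class TempBlocklist:
    def __init__(self, hold_weight=HOLD_WEIGHT, block_for=BLOCK_FOR, never_block=()):
        self.hold_weight = hold_weight
        self.block_for = block_for
        # Networks that are never blocked (own relays, secondary MXs): this
        # bounds what a false positive can cost, the drawback the post names.
        self.never_block = [ip_network(n) for n in never_block]
        self._expires = {}  # ip -> datetime at which the block lapses

    def _exempt(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.never_block)

    def record(self, ip, weight, now):
        """Apply the rule to one scored message. Returns True if a block was (re)set."""
        if weight < self.hold_weight or self._exempt(ip):
            return False
        # A repeat offender gets a fresh 60 minutes from its latest message.
        self._expires[ip] = now + self.block_for
        return True

    def is_blocked(self, ip, now):
        """Connection-time check; an expired entry is removed on the way out."""
        until = self._expires.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._expires[ip]
            return False
        return True

    def file_lines(self, now):
        """Current contents for a blocked-IP text file, one address per line."""
        return sorted(ip for ip, until in self._expires.items() if now < until)


T0 = datetime(2006, 9, 21, 12, 0, 0)

# Constructed scored deliveries: (minutes after T0, delivering IP, spam weight)
DELIVERIES = [
    (0, "203.0.113.10", 140),  # spam well over the hold weight
    (1, "198.51.100.7", 30),   # clean mail
    (2, "192.0.2.5", 250),     # high weight, but from an exempt relay network
]


def build_blocklist():
    bl = TempBlocklist(never_block=["192.0.2.0/24"])
    for minutes, ip, weight in DELIVERIES:
        bl.record(ip, weight, T0 + timedelta(minutes=minutes))
    return bl


def blocked_after(minutes, ip):
    """Would a connection from ip be refused `minutes` after T0?"""
    return build_blocklist().is_blocked(ip, T0 + timedelta(minutes=minutes))


def file_after(minutes):
    return build_blocklist().file_lines(T0 + timedelta(minutes=minutes))


if __name__ == "__main__":
    print(file_after(5))                      # ['203.0.113.10']
    print(blocked_after(59, "203.0.113.10"))  # True
    print(blocked_after(60, "203.0.113.10"))  # False, block has lapsed
```

The expiry is checked at lookup time rather than by a sweeper, so a block can never outlive its window even if the periodic script that rewrites the file stalls; `file_lines` is what such a script would write out each minute.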

[sniffer] Mdaemon plugin 'sleeping'

2006-09-21 Thread Sven De Troch
Dear all,
 
Configuration: MDaemon 9.0.6 / included SpamAssassin (from MDaemon) /
MDaemon plug-in (latest version)
Trial account.

We configured the plugin (scanning of emails and adding 5 extra score points
to MDaemon's SpamAssassin in case of spam) and it's working fine most of
the time, but:
 
The plugin is working fine when we are logged on to the server (Windows
2003 Server). But as soon as we log off, the plugin stops working.
Apparently the plugin falls asleep (the MDaemon plugin tab indicates
no activity during these periods). When we (interactively via RDP) log on
to the server again, the plugin starts working again (without
intervention from us) ... And the 'MDaemon plugin' tab page is showing
activity again.

FYI: The mailserver is receiving thousands of mails/hour, so it's certain
that there was mail coming in at those moments.
Any idea how to solve this problem?

(I just changed the ACLs on the files to everyone/full access and will
check if this changes anything)
 
kind regards,
Sven
 





[sniffer] Re: Mdaemon plugin 'sleeping'

2006-09-21 Thread Peer-to-Peer (Support)
Hi Sven,

My guess is that the plug-in is actually working but just not being logged
when MD is minimized (or Windows logged-off).
Check the MD Log Settings and enable Always log to screen.

Setup|Logging|Options - Enable Always log to screen


--Paul



-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
Behalf Of Sven De Troch
Sent: Thursday, September 21, 2006 6:15 PM
To: Message Sniffer Community
Subject: [sniffer] Mdaemon plugin 'sleeping'


Dear all,

Configuration: MDaemon 9.0.6 / included SpamAssassin (from MDaemon) /
MDaemon plug-in (latest version)
Trial account.

We configured the plugin (scanning of emails and adding 5 extra score points
to MDaemon's SpamAssassin in case of spam) and it's working fine most of
the time, but:

The plugin is working fine when we are logged on to the server (Windows
2003 Server). But as soon as we log off, the plugin stops working.
Apparently the plugin falls asleep (the MDaemon plugin tab indicates
no activity during these periods). When we (interactively via RDP) log on
to the server again, the plugin starts working again (without
intervention from us) ... And the 'MDaemon plugin' tab page is showing
activity again.

FYI: The mailserver is receiving thousands of mails/hour, so it's certain
that there was mail coming in at those moments.
Any idea how to solve this problem?

(I just changed the ACLs on the files to everyone/full access and will
check if this changes anything)

kind regards,
Sven






[sniffer] Re: Mdaemon plugin 'sleeping'

2006-09-21 Thread Sven De Troch
Paul and Pete,

Thanks for the tips, the 'always log to screen' has been enabled now
(was disabled), so this should solve the problem of the logging (just
checked it and logging is OK now).
However (and that was the reason I thought that the plugin went to sleep
mode), some spams that have been found by SNF receive a +5 score and
others not (with the same config).
It seems indeed that SNF is always working now (thanks), that is, always
inserting a header into the mail, but apparently not always passing the
message to MDaemon's SA, since the +5 score is not added to
the header:

The strange thing is that the config has not been changed between the
times that the messages below arrived at the mailserver.
Seems to be an error in the communication between SNF and SA?

My config in SA local.cf rule:
# Match the whole header value against the range 1 to 63 ([1-63] on its own
# would be a character class, i.e. the digits 1-6 and 3, not a range).
header MESSAGE_SNIFFER X-SortMonster-MessageSniffer-Result =~ /^\s*(?:[1-9]|[1-5][0-9]|6[0-3])\s*$/
describe MESSAGE_SNIFFER Flagged by message sniffer (www.sortmonster.com)
score MESSAGE_SNIFFER 5.0

So if I understand it well, all messages with result 1 to 63 should
add a score of 5 to the original headers?


Example of email header:

X-Spam-Status: No, score=0.3 required=6.1 tests=BAYES_00,HTML_MESSAGE,
MESSAGE_SNIFFER autolearn=no version=3.1.3
X-SortMonster-MessageSniffer-Result: 52

-- no +5 score here (however, with a result of 52, +5 should be added)


And an example of a correct flagging and +5 score:
++
X-Spam-Status: Yes, score=16.8 required=6.1
tests=BAYES_99,BLANK_LINES_70_80,
MESSAGE_SNIFFER autolearn=no version=3.1.3
X-Spam-Report: 
*  5.0 MESSAGE_SNIFFER Flagged by message sniffer
*   10 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  1.8 BLANK_LINES_70_80 BODY: Message body has 70-80% blank
lines

-- +5 score correctly inserted



And here is my config of the SNF plugin.cfg
(fairly standard, I removed the comments to keep this mail small
enough):

#CtlFileLog: c:\ctlfile.log
License: xx
Authentication: 
# MaxMessageSize: 128000
Phantom-Received-Header-On
# NoScan: Local
# NoScan: Remote
# NoScan: Lan
# LogFormat: Full
# LogFormat: NoDups
LogFormat: SingleLine
#XHeaderData: X-SortMonster-MessageSniffer-Rules
XHeaderFinal: X-SortMonster-MessageSniffer-Result
#XHeaderMessage: X-SortMonster-MessageSniffer-Message
# XHeaderBlack: X-SNF-Black
# XHeaderBlack: X-Spam-Flag: YES
# XHeaderWhite: X-SNF-White
# XHeaderClean: X-SNF-Clean
# XHeaderNumbered: 63 X-SNF-Group: General-Black-Rules
# XHeaderNumbered: 62 X-SNF-Group: Experimental-Abstract
# XHeaderNumbered: 61 X-SNF-Group: Obfuscation-Techniques
# XHeaderNumbered: 60 X-SNF-Group: Experimental-Received-ip
# XHeaderNumbered: 59 X-SNF-Group: Casinos-Gambling
# XHeaderNumbered: 58 X-SNF-Group: Debt-Credit
# XHeaderNumbered: 57 X-SNF-Group: Get-Rich
# XHeaderNumbered: 56 X-SNF-Group: Ink-Toner
# XHeaderNumbered: 55 X-SNF-Group: Malware
# XHeaderNumbered: 54 X-SNF-Group: Porn-Dating-Adult
# XHeaderNumbered: 53 X-SNF-Group: Scam-Phishing
# XHeaderNumbered: 52 X-SNF-Group: Snake-Oil
# XHeaderNumbered: 51 X-SNF-Group: Spamware
# XHeaderNumbered: 50 X-SNF-Group: Media-Theft
# XHeaderNumbered: 49 X-SNF-Group: AV-Push
# XHeaderNumbered: 48 X-SNF-Group: Insurance
# XHeaderNumbered: 47 X-SNF-Group: Travel
# RulePanic: 10001
# RulePanic: 10002
# RulePanic: 10003
# RulePanic: 10004
# RulePanic: 10005
# RulePanic: 10006
# RulePanic: 10007
# RulePanic: 10008
# RulePanic: 10009
# RulePanic: 10010



Thanks for any assistance!

Kind regards,
Sven


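An added example that is not part of Sven's post and is not SpamAssassin code: a check of what a `header` rule's regex actually fires on when applied to X-SortMonster-MessageSniffer-Result values. SpamAssassin evaluates `header NAME Header =~ /re/` as an unanchored search of the header value, so a pattern of the form `/([1-63])/` reads as a character class (the digits 1 to 6 and 3) rather than the range 1 to 63: it fires on any value containing one of those digits anywhere. It does fire on 52, so a pattern like that would not by itself explain the missing +5 above, but it misses results 7, 8 and 9 and fires on 64, 65 or 100. The header block and result values below are constructed.

```python
"""What a SpamAssassin header rule's regex actually matches.

Added example; not part of the original post and not SpamAssassin code. It
applies a header rule's pattern to X-SortMonster-MessageSniffer-Result values
the way SA does (an unanchored Perl-style search of the header value) and
compares a pattern written as /([1-63])/ with one that spells out the
intended range 1 to 63. The sample header block and result values are
constructed.
"""
import re

# [1-63] is a character class holding the digits 1-6 and 3, so this
# fires on any value that contains a digit from 1 to 6 anywhere.
CHARCLASS = re.compile(r"([1-63])")

# The range 1..63 written out, anchored so the whole header value must be it.
INTENDED = re.compile(r"^\s*(?:[1-9]|[1-5][0-9]|6[0-3])\s*$")


def rule_fires(pattern, header_value):
    """SA's `header NAME Header =~ /re/` is a search, not a full-string match."""
    return pattern.search(header_value) is not None


def result_value(raw_headers):
    """Extract the X-SortMonster-MessageSniffer-Result value from a header block."""
    m = re.search(r"^X-SortMonster-MessageSniffer-Result:[ \t]*(\S+)", raw_headers, re.M)
    return m.group(1) if m else None


def disagreements(values):
    """Values on which the two patterns differ: (value, charclass_fires, intended_fires)."""
    out = []
    for v in values:
        charclass, intended = rule_fires(CHARCLASS, v), rule_fires(INTENDED, v)
        if charclass != intended:
            out.append((v, charclass, intended))
    return out


# Constructed header block modelled on the first example in the post
SAMPLE_HEADERS = (
    "X-Spam-Status: No, score=0.3 required=6.1 tests=BAYES_00,HTML_MESSAGE,\r\n"
    "\tMESSAGE_SNIFFER autolearn=no version=3.1.3\r\n"
    "X-SortMonster-MessageSniffer-Result: 52\r\n"
)

# Constructed result values: clean (0), inside the range, and just outside it
SAMPLE_VALUES = ["0", "7", "9", "52", "63", "64", "65", "100"]


if __name__ == "__main__":
    v = result_value(SAMPLE_HEADERS)
    print(v, rule_fires(CHARCLASS, v), rule_fires(INTENDED, v))  # 52 True True
    for value, charclass, intended in disagreements(SAMPLE_VALUES):
        print(f"{value:>4}: charclass={charclass!s:5} intended={intended!s:5}")
```

Running it lists exactly the values where the two patterns part ways (7, 9, 64, 65, 100), which is the quickest way to see that a result-code rule needs both the range spelled out and anchors, since the header value is searched rather than matched whole.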
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
 Sent: Friday, 22 September 2006 1:03
 To: Message Sniffer Community
 Subject: [sniffer] Re: Mdaemon plugin 'sleeping'
 
 Hi Sven,
 
 My guess is that the plug-in is actually working but just not 
 being logged
 when MD is minimized (or Windows logged-off).
 Check the MD Log Settings and enable Always log to screen.
 
 Setup|Logging|Options - Enable Always log to screen
 
 
 --Paul
 
 
 
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
 Behalf Of Sven De Troch
 Sent: Thursday, September 21, 2006 6:15 PM
 To: Message Sniffer Community
 Subject: [sniffer] Mdaemon plugin 'sleeping'
 
 
 Dear all,
 
 Configuration: MDaemon 9.0.6 / included SpamAssassin (from MDaemon) /
 MDaemon plug-in (latest version)
 Trial account.
 
 We configured the plugin (scanning of emails and adding 5 extra 
 score points to MDaemon's SpamAssassin in case of spam) and it's working 
 fine most of the time, but:
 
 The plugin is working fine when we are logged on to the 
 server (Windows 2003 Server). But as soon as we log off, the plugin 
 stops working. Apparently the plugin falls asleep (the MDaemon plugin 
 tab indicates no activity during these periods). When we (interactively 
 via RDP) log on to the server again, the plugin