[sniffer] increase in missed spam
For the last week or 10 days I have seen an increase in missed spam in Sniffer. Declude seems to be picking it up, but I require more than a single hit to filter. Anyone else seeing this?

Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)789-0966x200 (off hours or if out of office)

This e-mail is confidential and is for the use of the intended recipient(s) only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For more information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] Re: Sniffer Helper App?
Steve;

Declude works well, but any comprehensive set of filters will take some horsepower to run. Declude will do the country filtering I think you wanted.

Herb

Steve Guluk wrote:

On Jul 1, 2008, at 12:25 PM, Rob McEwen wrote:

Steve,

Do you have the ability to add into your current filtering additional RBLs and/or URI blacklists? I have some good suggestions there!

Rob McEwen

Rob,

If I move away from eWall I will be left with just iMail till I find something else (purpose of my email). iMail has URL blacklists. eWall has URI Blacklists but I'm still looking for that perfect client to put in front of my mail server (software based). So you probably have some good suggestions but I still need to get that program that can appreciate them.

Regards,
Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
[sniffer] Re: REVDNS
Yup, same here

X-RBL-Warning: FROMNOMATCH: Env sender ([EMAIL PROTECTED]) From: () mismatch.
X-RBL-Warning: HELOBOGUS: Domain UnknownHost returns a server failure for MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 74.205.4.85 with no reverse DNS entry.

george kulman wrote:

Pete,

Rulebase Update Notifications from BI.Arm1.armresearch.com [74.205.4.85] are failing Declude's REVDNS. Might a PTR be in order? DNSSTUFF doesn't show one.

George
[sniffer] Re: Stock spam
We went from about 40K total messages a day on about 10K good at the beginning of the year, to 60K over summer, 90K in Sept, and about 180K now with about 13K good, with about a 20% increase in mailboxes. Had to upgrade our server a few weeks ago. We also for the first time went to deleting messages that scored 2X the marked as spam level. So we now delete about 120K messages a day with Declude level. We are also having sniffer's point by itself mark as spam, used to take at least one other test to fail.

I don't know what we will do if we see another 5X increase next year, I guess buy another server and move some domains.

Herb

David Waller wrote:

On the sub topic of increased spam rates we've seen a 10x increase from 30-40k per day to 250-450k per day over the last 3 months, none of this due to increased customer count :(

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: 12 December 2006 17:43
To: Message Sniffer Community
Subject: [sniffer] Re: Stock spam
[sniffer] Re: Significant increase in false positives
Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?

Herb

Darin Cox wrote:

Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

Darin.
[sniffer] Re: Significant increase in false positives
Not sure, this is what my declude diags.txt says:

Declude 4.1.0 Diagnostics Compilation Platform: SmarterMail Copyright (c) 2000-2005 Declude, Inc.

Herb

Darin Cox wrote:

We see this occasionally with Declude 1.82. What version are you running?

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?

Herb

Darin Cox wrote:

Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

Darin.
[sniffer] Re: Significant increase in false positives
Since we have almost all business users and they do a lot of intl biz we just mark the subject as "Probable SPAM:" so no email is deleted. Oh well, I am off topic anyway, thanks for the feedback all.

Herb

Robert Grosshandler wrote:

That's been a problem for a long time, but for us, it still treats that e-mail as spam, with the appropriate weight. 100% of the time if Declude does that, the e-mail is beyond our delete weight.

Rob

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Herb Guenther
Sent: Monday, October 16, 2006 4:35 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?

Herb

Darin Cox wrote:

Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

Darin.
[sniffer] Re: Declude header not modified correctly
Me either, I guess I will have to call them in the AM as it seems to be a general problem. As an aside, I am largely happy with the product but this one has been a long term issue and seems from my experience to be getting exploited by spammers.

Andy Schmidt wrote:

What's the magic trick to OPENING a ticket on Declude's site? I logged into the customer area, and see no way to open a ticket. But, if I go to the support page, it specifically instructs me to log into the customer area to open a ticket?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Herb Guenther
Sent: Monday, October 16, 2006 05:58 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Declude header not modified correctly

It is frustrating because sniffer is catching them and they are not getting marked so they still end up in the ol inbox. Have opened some tickets at declude a few times and never got a response. So no one has a magic bullet on this one?

Herb

Kami Razvan wrote:

We see that a lot too.. we run 2.14

Kami

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
Sent: Monday, October 16, 2006 5:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

We see this occasionally with Declude 1.82. What version are you running?

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?

Herb
[sniffer] Re: Help
Don't you have your mail server set to require login to send mail? This is not a sniffer/declude issue but a mail server setup issue.

Herb

Filippo Palmili wrote:

Hello Pete,

my Ipswitch IMail Server is under attack since yesterday. It relays emails coming from an external host. The sender of these mails is a random name @ the ip address of my mail server (for example [EMAIL PROTECTED]) and is automatically whitelisted by the declude server.

Do you know anything about these attacks? Is there a way to stop it? Until now I banned the generating ip address and manually delete the queue, but the generating address changes.

An example of mail:

Received: from ameillpu-7jat6i [200.127.81.225] by odino.logos.it with ESMTP (SMTPD32-8.05) id AB60DC5500D0; Thu, 27 Jul 2006 17:27:28 +0200
From: "bjsytb" [EMAIL PROTECTED]
Subject: =?GB2312?B?usN+zsR+ubJ+yc0=?=
To: [EMAIL PROTECTED]
Content-Type: TEXT/HTML
Date: Thu, 27 Jul 2006 23:27:23 +0800
X-Mailer: AOL 7.0 for Windows US sub 118
Message-Id: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [200.127.81.225]
X-Declude-Spoolname: DDB60DC5500D0D472.SMD
X-Declude-Scan: Score [0] at 17:28:19 on 27 Jul 2006
X-Declude-Tests: Whitelisted

Please let me know.

Filippo
Logos S.p.A.
Re: [sniffer] A lot of Porn Spam getting through.
not here

Herb

Chuck Schick wrote:

Anyone else seeing this?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] How are folks doing with the latest version?
We updated an imail server and it is fine, did not do the postfix mail server update yet.

Herb

Pete McNeil wrote:

Hello Sniffer Folks,

I am curious to know how many folks have been using Version 2-3.1i2. I have not heard any problem reports, so I'm assuming it's going well with you as it is on our systems... or, perhaps, nobody has tried it yet??

I would like to move this interim to the official version. If I can get a show of hands on how many folks are using the new version successfully then I would really appreciate it.

Thanks!
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
[sniffer] spam leakage up
In the last couple days we are seeing quite an increase in the amount of spam leaking past sniffer and declude. Anyone else seeing this?

Herb
Re: [sniffer] spam leakage up
5,766 5,526 5,767 40,275 5,684
Cable/Satellite descramblers 1,250 1,340 1,190 1,384 1,277 1,710 1,554 9,705 867
Norton/McAfee offers 17 61 4 7 11 19 25 144 68
Insurance quotes, etc. 706 493 374 354 526 552 547 3,552 649
Travel/vacation offers 216 135 82 61 87 160 121 862 238
Viruses Detected 649 440 223 201 537 498 493 3,041 344
Virus Vulnerabilities 581 431 365 304 531 518 580 3,310 406

Dan Stratton wrote:

Yes I have seen an increase in spam not tagged by sniffer or in a lot of cases by any other of the declude tests that I am using. I also have noticed quite a large increase in overall spam and attribute at least some of the leakage to this increase. Some days I am seeing 94% spam and 6% legitimate email which I find incredible.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Herb Guenther
Sent: Thursday, June 24, 2004 7:51 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] spam leakage up

In the last couple days we are seeing quite an increase in the amount of spam leaking past sniffer and declude. Anyone else seeing this?

Herb
Re: [sniffer] spam leakage up
I wrote a coldfusion page that parses the logs into a sql database every night, and then the display page you saw. If you have a coldfusion server I would be happy to give you the code.

Herb

Aaron J.Caviglia wrote:

Herb,

How did you generate that SPAM report?

Thanks,
Aaron Caviglia
www.vantech.net

On Jun 24, 2004, at 8:46 AM, Herb Guenther wrote:

wow, that is even worse than we are seeing, we are at about 80%, but should really be at about 85% if all were tagged. Here is our last weeks stats, we did not see an increase in volume, so much as the amount getting thru in the last couple days and continuing today.

Herb

SPAM Report

Statistics are based on the last 6,150,612 email messages received.
You are viewing Server 1 Stats
View Server 2 stats

| Statistic | 06/17 | 06/18 | 06/19 | 06/20 | 06/21 | 06/22 | 06/23 | Weekly Total | Daily Avg. |
|---|---|---|---|---|---|---|---|---|---|
| Delivered Messages | 34,291 | 30,762 | 22,331 | 22,484 | 31,245 | 33,588 | 33,582 | 208,283 | 25,311 |
| Good Messages | 6,493 | 5,101 | 1,595 | 1,721 | 6,209 | 6,772 | 6,170 | 34,061 | 5,221 |
| Spam Messages | 27,798 | 25,661 | 20,736 | 20,763 | 25,036 | 26,816 | 27,412 | 174,222 | 20,090 |
| Spam Percent | 81% | 83% | 92% | 92% | 80% | 79% | 81% | 84% | 79% |
| Mal Formed Headers | 3,845 | 4,277 | 3,193 | 3,555 | 4,094 | 4,286 | 4,459 | 27,709 | 4,949 |
| Spam Headers | 4,544 | 4,081 | 3,665 | 3,367 | 4,800 | 5,712 | 6,129 | 32,298 | 3,308 |
| Spam Routing | 6,351 | 5,697 | 5,200 | 5,613 | 5,718 | 6,072 | 5,616 | 40,267 | 3,375 |
| No Reverse DNS | 6,864 | 7,787 | 6,529 | 6,729 | 7,742 | 6,783 | 5,023 | 47,457 | 2,446 |
| White Listed | 1,157 | 968 | 116 | 162 | 1,237 | 1,245 | 1,229 | 6,114 | 785 |
| General Spam | 1,021 | 958 | 736 | 851 | 1,012 | 1,045 | 1,122 | 6,745 | 1,490 |
| Experimental | 1,543 | 1,190 | 951 | 970 | 1,284 | 1,342 | 1,472 | 8,752 | 900 |
| Obfuscation | 240 | 183 | 158 | 189 | 196 | 336 | 151 | 1,453 | 352 |
| Grey Hosts | 355 | 196 | 29 | 33 | 213 | 343 | 315 | 1,484 | 166 |
| Gambling | 272 | 202 | 263 | 261 | 215 | 303 | 161 | 1,677 | 124 |
| Refinancing/Loans | 2,293 | 2,216 | 1,809 | 1,659 | 2,167 | 2,013 | 1,975 | 14,132 | 1,765 |
| Business opportunities | 1,989 | 1,991 | 1,546 | 1,547 | 1,990 | 2,089 | 2,163 | 13,315 | 1,464 |
| Ink and toner cartridges | 159 | 124 | 41 | 91 | 100 | 89 | 63 | 667 | 121 |
| Pornography | 2,296 | 1,874 | 2,189 | 1,798 | 2,120 | 2,224 | 2,333 | 14,834 | 1,731 |
| Send money scams | 57 | 63 | 66 | 57 | 85 | 84 | 82 | 494 | 65 |
| Online pharmacies | 6,792 | 6,098 | 5,419 | 4,907 | 5,766 | 5,526 | 5,767 | 40,275 | 5,684 |
| Cable/Satellite descramblers | 1,250 | 1,340 | 1,190 | 1,384 | 1,277 | 1,710 | 1,554 | 9,705 | 867 |
| Norton/McAfee offers | 17 | 61 | 4 | 7 | 11 | 19 | 25 | 144 | 68 |
| Insurance quotes, etc. | 706 | 493 | 374 | 354 | 526 | 552 | 547 | 3,552 | 649 |
| Travel/vacation offers | 216 | 135 | 82 | 61 | 87 | 160 | 121 | 862 | 238 |
| Viruses Detected | 649 | 440 | 223 | 201 | 537 | 498 | 493 | 3,041 | 344 |
| Virus Vulnerabilities | 581 | 431 | 365 | 304 | 531 | 518 | 580 | 3,310 | 406 |

Dan Stratton wrote:

Yes I have seen an increase in spam not tagged by sniffer or in a lot of cases by any other of the declude tests that I am using. I also have noticed quite a large increase in overall spam and attribute at least some of the leakage to this increase. Some days I am seeing 94% spam and 6% legitimate email which I find incredible.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Herb Guenther
Sent: Thursday, June 24, 2004 7:51 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] spam leakage up

In the last couple days we are seeing quite
[sniffer] rule idea
At one time we had floated the idea of a rule that would mark any email that was more than 24-48 hrs ahead or behind the actual current time and date as spam. I just got two "You've been invited to a blind date" messages that were dated last summer. 99.9% of these off date messages are spam, and anyone real who has their date that far off should fix it. Would it be hard to add such a rule to sniffer?

Herb
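
The rule proposed in the post above, sketched as an added example (it is not part of the original thread and is not Message Sniffer or Declude code): compare the sender-supplied Date header with the timestamp the receiving server wrote into the topmost Received header, and flag anything outside the window. The 48-hour limit is the upper end of the range in the post; the function names, host names and sample messages are constructed, and the first sample reuses the Received/Date timestamps from the header dump quoted earlier on this page.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(hours=48)  # assumption: upper end of the 24-48 hr window


def _aware(dt):
    # Dates with a "-0000" zone parse as naive datetimes; treat them as UTC
    # so they can be compared with zone-aware values.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def received_time(msg):
    """Time stamped by the receiving server: the text after the last ';'
    of the topmost Received header, which the sender does not control."""
    top = msg.get("Received")
    if not top or ";" not in top:
        return None
    try:
        return _aware(parsedate_to_datetime(top.rsplit(";", 1)[1].strip()))
    except (TypeError, ValueError):
        return None


def date_skew_verdict(raw, max_skew=MAX_SKEW):
    """Return (verdict, skew); verdict is 'ok', 'skewed', 'bad-date'
    or 'no-reference' (no usable Received timestamp to compare against)."""
    msg = message_from_string(raw)
    ref = received_time(msg)
    if ref is None:
        return ("no-reference", None)
    try:
        sent = _aware(parsedate_to_datetime(msg["Date"]))
    except (TypeError, ValueError):
        return ("bad-date", None)  # missing or unparseable Date header
    skew = sent - ref
    return ("skewed" if abs(skew) > max_skew else "ok", skew)


# Constructed samples. The first uses the two timestamps from the header dump
# on this page: +0800 vs +0200 looks six hours apart, but is 5 seconds in UTC.
SAMPLE_ZONES = (
    "Received: from host.example.test by mx.example.test with ESMTP\n"
    "  id CONSTRUCTED1; Thu, 27 Jul 2006 17:27:28 +0200\n"
    "Date: Thu, 27 Jul 2006 23:27:23 +0800\n"
    "Subject: constructed sample\n\nbody\n"
)
SAMPLE_OLD = (
    "Received: from host.example.test by mx.example.test with ESMTP\n"
    "  id CONSTRUCTED2; Tue, 13 Jan 2004 09:15:00 -0600\n"
    "Date: Sat, 12 Jul 2003 10:00:00 -0500\n"
    "Subject: constructed sample dated the previous summer\n\nbody\n"
)
SAMPLE_BAD = (
    "Received: from host.example.test by mx.example.test with ESMTP\n"
    "  id CONSTRUCTED3; Tue, 13 Jan 2004 09:15:00 -0600\n"
    "Date: not a date\n\nbody\n"
)

if __name__ == "__main__":
    for name in ("SAMPLE_ZONES", "SAMPLE_OLD", "SAMPLE_BAD"):
        print(name, date_skew_verdict(globals()[name]))
```

Comparing against the server's own Received time rather than the wall clock keeps the check stable when a queued message is scanned late.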