[sniffer] Re: I got a strong attack today
3) then be able to create a temporary rule to help block messages - must be viable until SNF has an updated ruleset to start clearing out the attack - I don't think Declude (what I use w/SNF) has rule expirations (but it would be a nice feature).

What I do when I create a temp rule is to call it T_date_A and then B and then C and so forth. I then keep a rule_readme.txt file in the spool\declude directory that I update.

John T

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Excessive amounts of spam
I have not noticed any increase in FPs on the one server that is running it.

John T

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Thursday, December 20, 2007 1:29 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Excessive amounts of spam

I've heard comments that it has a higher catch rate... how about FP rate? Higher, the same, or lower?

Darin.

----- Original Message -----
From: Pi-Web - Frank Jensen [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Thursday, December 20, 2007 4:17 PM
Subject: [sniffer] Re: Excessive amounts of spam

We have been running it for - I guess - 2 months now without any trouble.

> How stable is the beta version?
>
> Regards
> David Moore
> [EMAIL PROTECTED]
> J.P. MCP, MCSE, MCSE + INTERNET, CNE.
> www.adsldirect.com.au for ADSL and Internet
> www.romtech.com.au for PC sales
> Office Phone: (+612) 9453 1990  Fax Phone: (+612) 9453 1880  Mobile Phone: +614 18 282 648  Skype Phone: ADSLDIRECT
> POSTAL ADDRESS: PO BOX 190 BELROSE NSW 2085 AUSTRALIA.
>
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
> Sent: Friday, 21 December 2007 8:10 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Excessive amounts of spam
>
> Hello David,
>
> Thursday, December 20, 2007, 3:25:45 PM, you wrote:
>
> >> If you are not yet running the latest beta then that might help quite a bit since the GBUdb (IP reputation system) does a good job capturing new spam from old bots even before rules are coded.
> >
> > Please clarify: are you saying it would help if we had the beta installed?
>
> Yes. The new GBUdb engine reduces leakage quite a bit. As more systems adopt the new version this will improve even more.
>
> Most new spam campaigns are started with some large fraction of existing bots. Messages from bots that have already been identified will be blocked even before new content rules can be generated (if needed).
>
> _M
>
> --
> Pete McNeil
> Chief Scientist, Arm Research Labs, LLC.

--
Best regards,
Frank Jensen
[EMAIL PROTECTED]
www.pi.dk
Impressive, fascinating and huge posters, e.g. 149 x 149 = 629 kr. We can also make a poster from your digital photo: www.plakatkunst.dk
[sniffer] Re: Imail Upgrade
Yes, there is a difference. Webmail is different. Additional features in the SMTP service. Vulnerabilities fixed. Bugs fixed.

There is indeed a patch for version 8; it is called 8.22 + HF2.

John T

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Greg
Sent: Saturday, November 03, 2007 5:31 PM
To: Message Sniffer Community
Subject: [sniffer] Imail Upgrade

I'm running an older version of Imail (8.05) and considering an upgrade. Is there much of a difference? The only issue I'm currently having is there is an exploit that some yahoo is using to crash the server a couple of times a month. Imail won't patch it so I either have to upgrade or move to another platform. I know this isn't Sniffer related but I'm looking for some advice from someone running Imail.

Thanks
[sniffer] Reporting False Positives
To clarify something that came up in another post a couple of weeks ago: is it necessary to send false positive reports from the specified email address, or can they come from any address as long as they include the proper information, such as the license in the subject line?

John T
[sniffer] Re: Beta
Thanks as always Pete for a great explanation.

John T

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Wednesday, October 17, 2007 5:35 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Beta

Hello John,

Wednesday, October 17, 2007, 1:41:18 AM, you wrote:

>> Our SYNC server software rejects connections by default. If an SNF node follows the expected connection protocols and authenticates properly and consistently then it will be allowed to communicate with the system. If it fails to do any of these things or looks suspicious in any way then it will be automatically black listed for increasingly extended periods and potentially null routed by our fire-walls. The security mechanisms are fully automatic and constantly monitored.
>
> If something goes wrong on my server, either by a mistake I make in a configuration file or a bug or whatever, and my server in connecting to the SYNC server should be rejected and subsequently black listed, is there a notification that takes place that someone will review to see if that sniffer license is otherwise valid and otherwise no known problems are seen, so that I will then be notified saying "hey, there is a problem, contact us" so that the problem can be resolved?

Yes. The system is completely automated and reliable. There is nothing to be concerned about. Quite simply, nothing can go wrong, go wrong, go wrong... go..

Seriously though-- In order to be black-listed by our system you would have to be abusing the SNF software or using some alternative software to attempt to gain access or deny access to the SYNC servers. Otherwise the most you could do would be to lose contact for some time.

That said, if any system does something to become black-listed then you can be sure it will have our attention.

It is basically impossible for you to cause a properly functioning SNF node to become black-listed by altering the configuration file. It is far more likely that your SNF node would simply fail to connect. Chances are that if you were making an adjustment that could cause this you would also be watching to make sure that things were working correctly when you finished.

In case you did cause the system to lose its connection with us, the system is designed so that SNF nodes will remain reliable and effective for extended periods even if they are unable to contact the SYNC server. It is also designed to recover gracefully when the problem is corrected.

The GBUdb system is highly effective even when it does not share its information with the other SNF nodes. Each GBUdb node learns first about its local traffic. As long as your SNF rulebase file is up to date - or even close to being up to date - your system is likely to be very effective at filtering spam. If your SNF/GBUdb node becomes detached from the main system for an extended period, it will degrade in its performance. Once the problem is corrected it should recover in a very short time.

In the event we detect any IPs being black listed or acting suspiciously we will be watching closely so that we can analyze any potential threats and take appropriate actions. If we can identify a customer involved in such a case we will contact them to investigate and correct the problem.

Locally, your status reports indicate when the last sync event occurred. This is one of the ways you can check the status of your system. Consider this example from recent telemetry:

<timers>
  <run started="20070928174736" elapsed="1620714"/>
  <sync latest="20071017115919" elapsed="11"/>
  <save latest="20071017111334" elapsed="2756"/>
  <condense latest="20071017081746" elapsed="13304"/>
</timers>

You can see when the last sync event occurred (about 11 seconds ago in this case):

<sync latest="20071017115919" elapsed="11"/>

We plan to encourage the development of third party tools for monitoring and analyzing SNF system data. In addition we plan to build monitoring and analysis services of our own to include features that will notify system administrators when something doesn't look quite right.

If you (anyone) develop something nice for displaying and/or monitoring SNF status data then please share it with the SNF community.

In the mean time - we have done extensive testing and monitoring throughout the development process. High availability is (has always been) a design requirement and we're confident SNF can deliver that.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
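A small monitor for the sync timer Pete describes, as an added example that is not part of the original thread and not SNF's own tooling. It assumes the status report carries a <timers> element with run/sync/save/condense children exactly as in the telemetry quoted above (attribute names and the YYYYMMDDhhmmss timestamp form come from that quote); that the timestamps are UTC and the elapsed values are seconds is assumed, and the warning and critical thresholds are invented defaults.

```python
"""Check an SNF status report's <timers> block for SYNC staleness.

Added example, not SNF's own code. Assumed status shape (from the
telemetry quoted in the thread):

    <timers>
      <run started="20070928174736" elapsed="1620714"/>
      <sync latest="20071017115919" elapsed="11"/>
      <save latest="20071017111334" elapsed="2756"/>
      <condense latest="20071017081746" elapsed="13304"/>
    </timers>

Timestamps are assumed to be UTC YYYYMMDDhhmmss; elapsed is assumed seconds.
"""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

STAMP = "%Y%m%d%H%M%S"

# Constructed sample: the block quoted in the message above.
SAMPLE_STATUS = """<timers>
  <run started="20070928174736" elapsed="1620714"/>
  <sync latest="20071017115919" elapsed="11"/>
  <save latest="20071017111334" elapsed="2756"/>
  <condense latest="20071017081746" elapsed="13304"/>
</timers>"""


def parse_timers(xml_text):
    """Return {timer name: {attribute: value}} for every child of <timers>.

    Accepts either a bare <timers> element or a larger report containing one.
    """
    root = ET.fromstring(xml_text)
    timers = root if root.tag == "timers" else root.find(".//timers")
    if timers is None:
        raise ValueError("no <timers> element in status report")
    return {child.tag: dict(child.attrib) for child in timers}


def sync_age(timers, now=None):
    """Seconds since the node's last SYNC event.

    Uses the node's own elapsed counter when present. Otherwise derives the
    age from 'latest' against 'now', a YYYYMMDDhhmmss string (UTC assumed)
    that defaults to the current time.
    """
    sync = timers.get("sync")
    if sync is None:
        raise ValueError("no <sync> timer: the node has never synced")
    if "elapsed" in sync:
        return int(sync["elapsed"])
    if now is None:
        now = datetime.now(timezone.utc).strftime(STAMP)
    latest = datetime.strptime(sync["latest"], STAMP)
    return int((datetime.strptime(now, STAMP) - latest).total_seconds())


def check_sync(xml_text, warn_after=600, crit_after=3600, now=None):
    """Nagios-style (exit code, message); thresholds are invented defaults."""
    try:
        age = sync_age(parse_timers(xml_text), now)
    except (ET.ParseError, ValueError) as exc:
        return 3, f"UNKNOWN: {exc}"
    if age >= crit_after:
        return 2, f"CRITICAL: last SYNC {age}s ago"
    if age >= warn_after:
        return 1, f"WARNING: last SYNC {age}s ago"
    return 0, f"OK: last SYNC {age}s ago"


if __name__ == "__main__":
    # Pipe a status report in, or run without input to check the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    code, message = check_sync(text)
    print(message)
    sys.exit(code)
```

The exit code follows the usual monitoring convention (0 OK, 1 warning, 2 critical, 3 unknown), so the script can be dropped into a scheduler or a Nagios-style check; a report that fails to parse, or that carries no <sync> timer at all, is reported as UNKNOWN rather than silently treated as healthy.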
[sniffer] Re: Beta
> Our SYNC server software rejects connections by default. If an SNF node follows the expected connection protocols and authenticates properly and consistently then it will be allowed to communicate with the system. If it fails to do any of these things or looks suspicious in any way then it will be automatically black listed for increasingly extended periods and potentially null routed by our fire-walls. The security mechanisms are fully automatic and constantly monitored.

If something goes wrong on my server, either by a mistake I make in a configuration file or a bug or whatever, and my server in connecting to the SYNC server should be rejected and subsequently black listed, is there a notification that takes place that someone will review to see if that sniffer license is otherwise valid and otherwise no known problems are seen, so that I will then be notified saying "hey, there is a problem, contact us" so that the problem can be resolved?

John T
[sniffer] Re: New Server/Client configuration
3) The logs are rotating according to UTC time. How can that be configured to rotate in local time?

John T

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of John T (lists)
Sent: Thursday, October 11, 2007 11:05 AM
To: Message Sniffer Community
Subject: [sniffer] New Server/Client configuration

A couple of notes I have noticed:

1) When SNFServer starts and creates the file id_snf_engine_cfg.log, would it be a good idea to list the version of the SNFServer?

2) In your announcement about the version 1.4 beta, you said to upgrade the snf_engine.xml as well. Why? Since there are many configuration options in the snf_engine.xml, I would not want to take a chance replacing it and forgetting a setting that had been made/changed.

John Tolmachoff
eServices For You
[EMAIL PROTECTED]
(626) 737-6003
Fax (626) 737-6004
[sniffer] New Server/Client configuration
A couple of notes I have noticed:

1) When SNFServer starts and creates the file id_snf_engine_cfg.log, would it be a good idea to list the version of the SNFServer?

2) In your announcement about the version 1.4 beta, you said to upgrade the snf_engine.xml as well. Why? Since there are many configuration options in the snf_engine.xml, I would not want to take a chance replacing it and forgetting a setting that had been made/changed.

John Tolmachoff
eServices For You
[EMAIL PROTECTED]
(626) 737-6003
Fax (626) 737-6004
[sniffer] Re: Updates to log rotation scripts
I think he was asking about the log rotate script that also FTPs a copy up to sniffer. Do we still need to FTP a log to Sniffer?

John T

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Tuesday, October 09, 2007 9:28 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Updates to log rotation scripts

Hello tfox,

Tuesday, October 9, 2007, 10:23:46 PM, you wrote:

> What updates/file name changes would be necessary for the log rotation scripts?

It is possible to generate old style log files from the new version if you wish. Your current scripts can be used as-is in that case.

Hopefully you will be able to make the switch to the new XML based logs. Both log types can be rotated daily by the new engine. Specifically, today's date can be prepended to the log file names.

> How can we monitor the status of SNF in real time, via the XML pages?

The first answer is that the new engine produces a number of status reports - every second, every minute, or every hour. These status reports and logs, though formatted as XML, have been designed to be relatively easy to see in a simple text editor. It does take a little bit of getting used to - but not too much.

> Is there such a thing as an XML reader?

Yep. Your web browser. Just about every web browser can read and translate XML data these days. The trick is -- translate how?

You may want to use an XSLT utility, or more likely the XSLT capabilities in your web server environment or even in your web browser alone.

For example, you could take one of the status files and copy it to a new file. Add a few lines of text - specifically to add a style-sheet definition and document type so that the XML is complete. Then you should be able to open the resulting file in your favorite browser. (You will have to create an XSL file (style sheet) to translate the XML file into what you want to see.)

[[ This is the approach I used to create the rate chart shown in nowSimplePrescale.png, then I moved the whole thing to our web server to make it more automatic. ]]

Another way you might go is to import the XML from the log or status report into a database. (Here again you may want/need to prepend a line or two of text to make the XML completely compatible with your environment.) Then you would be able to extract reports from your database in the usual way.

We're hopeful that folks who are savvy about XML and XSL will create and share useful translations and tools for SNF users. We look forward to supporting that effort.

Internally we've done a few quick things to watch the telemetry we get from SNF nodes and our own servers. The approach we've taken is to use the inherent XSLT capabilities of our web/jsp servers and the basic capabilities in IE and Firefox.

Attached are some screen shots of live data I am looking at right now. This telemetry comes from one of our spamtrap pre-filters.

nowSimplePrescale.png uses a simple XSL file that took me about 20 minutes to throw together while thumbing through a text book.

nowNodeDashbaord.png took a bit more work and leverages a flash based live gauge tool that periodically pulls xml data from our internal servers (so it's animated). The flash gadget came from here: http://www.maani.us/gauge/

We will also be creating some monitoring tools and services on our web site to take advantage of the live data provided by the new SNF engine and some of our new back-end tools.

If anyone creates any useful XSL, tools, etc. then please let us know and we will be happy to post them on our site and create appropriate reciprocal links.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
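The two approaches Pete describes, completing a status fragment so a browser can render it through a stylesheet and importing the XML into a database, as one added example that is not part of the thread and not SNF's own tooling. It assumes a status log is a file of <timers> snapshots appended one after another (the element shape is the one quoted earlier in the thread; the snapshot values here are constructed), so that the raw log has several root elements and needs one enclosing element before any XML parser or browser will accept it; the stylesheet file name snf-status.xsl and the root element name snf-log are invented.

```python
"""Make an SNF status log a complete XML document and load it into SQLite.

Added example, not SNF's own code. Assumptions: the raw log is a series of
<timers> elements (shape as quoted in the thread) appended one after another,
so it is not well-formed on its own; snf-status.xsl and <snf-log> are invented.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample log: three snapshots taken a minute apart.
RAW_LOG = """<timers>
  <run started="20070928174736" elapsed="1620714"/>
  <sync latest="20071017115919" elapsed="11"/>
  <save latest="20071017111334" elapsed="2756"/>
  <condense latest="20071017081746" elapsed="13304"/>
</timers>
<timers>
  <run started="20070928174736" elapsed="1620774"/>
  <sync latest="20071017120019" elapsed="11"/>
  <save latest="20071017111334" elapsed="2816"/>
  <condense latest="20071017081746" elapsed="13364"/>
</timers>
<timers>
  <run started="20070928174736" elapsed="1620834"/>
  <sync latest="20071017120019" elapsed="71"/>
  <save latest="20071017120130" elapsed="0"/>
  <condense latest="20071017081746" elapsed="13424"/>
</timers>
"""

XSL_HREF = "snf-status.xsl"  # hypothetical stylesheet file name

# Minimal XSLT 1.0 sheet: one table row per snapshot. Browsers apply it when
# the document below is opened from the same directory as the .xsl file.
STYLESHEET = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/snf-log">
    <html><body><table border="1">
      <tr><th>sync latest</th><th>sync elapsed</th>
          <th>save elapsed</th><th>condense elapsed</th></tr>
      <xsl:for-each select="timers">
        <tr><td><xsl:value-of select="sync/@latest"/></td>
            <td><xsl:value-of select="sync/@elapsed"/></td>
            <td><xsl:value-of select="save/@elapsed"/></td>
            <td><xsl:value-of select="condense/@elapsed"/></td></tr>
      </xsl:for-each>
    </table></body></html>
  </xsl:template>
</xsl:stylesheet>
"""


def wrap_log(raw, href=XSL_HREF):
    """Prepend the XML declaration and stylesheet instruction and enclose the
    fragments in a single root so the result is one well-formed document."""
    return ('<?xml version="1.0"?>\n'
            f'<?xml-stylesheet type="text/xsl" href="{href}"?>\n'
            f"<snf-log>\n{raw}</snf-log>\n")


def snapshots(raw):
    """Yield one {timer name: {attribute: value}} dict per <timers> snapshot."""
    root = ET.fromstring(wrap_log(raw))
    for timers in root.findall("timers"):
        yield {child.tag: dict(child.attrib) for child in timers}


def load_sqlite(raw, conn):
    """Flatten the snapshots into a table; returns the number of rows added."""
    conn.execute("""CREATE TABLE IF NOT EXISTS snf_timers (
        run_elapsed INTEGER, sync_latest TEXT, sync_elapsed INTEGER,
        save_elapsed INTEGER, condense_elapsed INTEGER)""")
    rows = [(int(s["run"]["elapsed"]), s["sync"]["latest"],
             int(s["sync"]["elapsed"]), int(s["save"]["elapsed"]),
             int(s["condense"]["elapsed"])) for s in snapshots(raw)]
    conn.executemany("INSERT INTO snf_timers VALUES (?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def worst_sync_gap(conn):
    """Longest interval the node went without a SYNC in the loaded data."""
    return conn.execute("SELECT MAX(sync_elapsed) FROM snf_timers").fetchone()[0]


def report(raw):
    """Load a raw log into a throwaway database: (rows loaded, worst gap)."""
    db = sqlite3.connect(":memory:")
    return load_sqlite(raw, db), worst_sync_gap(db)


if __name__ == "__main__":
    with open("snf-status.xml", "w") as f:  # open this file in a browser
        f.write(wrap_log(RAW_LOG))
    with open(XSL_HREF, "w") as f:
        f.write(STYLESHEET)
    rows, gap = report(RAW_LOG)
    print(f"{rows} snapshots loaded; worst gap between SYNC events: {gap}s")
```

The wrapping step is the part that matters in practice: a log that is appended to every second is a sequence of documents, not a document, and both a browser and an XML-aware database loader will reject it until it has exactly one root. Once in SQLite the usual queries apply; the worst_sync_gap query is the same check a live monitor would make, run over history instead of the latest snapshot.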
[sniffer] Re: All about GBUdb
OK, a couple of questions. If an IP is found to be BAD, the website states a non-zero code will be returned. Well, I know that those of us using Declude and using listed return codes other than non-zero will have a problem with this. Can this be set to a specific return code that we can then use with Declude?

Same question on the UGLY: can it be set to return a specific return code so that we can use that with Declude?

John T

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Saturday, October 06, 2007 6:06 PM
To: Message Sniffer Community
Subject: [sniffer] All about GBUdb

Hello Sniffer Folks,

At your convenience please review the following:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.GBUdb

This page describes one of the key features of the new SNF engine (currently in wide beta testing).

GBUdb is an IP reputation system built on a collaborative learning engine. Each SNF node equipped with GBUdb learns the behavior of the message sources it encounters and shares that information with other SNF/GBUdb nodes in the cloud. This learning and sharing process happens in near real-time (zero-minute) and allows the new SNF engine to improve both filtering accuracy and system efficiency (with a little help from its friends).

Let us know if you have any questions or comments.

Thanks!

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Address
> Some of the spammers are apparently using my email address as the sender. Any way to defeat that or capitalize on it? I get several bounces a week from all over the world.

Ah, the American spirit at work. If you can't stop it, make money on it. ;-)

(And yes, I know that is not what you meant. At least I hope not.)

John T
[sniffer] Category idea
I have been asked by a client to help find a way to catch headhunters and such that attempt to recruit current employees. I have yet to spend time on this as it seems creating a filter in Declude for this while maintaining low/no false positives would be somewhat difficult. While this is outside of what normally would be considered SPAM, I was wondering if Message Sniffer ever considered a category for such things.

John T
[sniffer] Re: Appriver issue
Inserting my 2 cents here since that is all that it is worth.

In backing up what Matt said, let me relate a similar example of a problem that occurred a year and a half ago to a major IT security products vendor:

At about 6:15 AM PT on a weekday in the middle of a normal busy week, their content filtering servers began to become unresponsive. At first, it was intermittent and hard to pinpoint. But within about 45 minutes, they stopped responding completely. Well, their appliances did what they were designed to do by default configuration: fail safe. Block all access if the content filtering server does not respond. All one had to do though was to log onto the appliance and change the failsafe block to allow. But this is where the fun (not) began. There are hundreds or more of libraries, both public and private, as well as schools, that are using those appliances and that content filtering service. Guess what? They are bound by law to have content filtering in place, meaning they could not turn the fail safe off. Companies and schools and libraries started screaming bloody murder and demanded a resolution an hour ago.

The content filtering service was finally restored about 2:30 PM if I recall correctly.

So, what happened? I mean this is a big company and it should have things in place to prevent this. Right? They did. As much as someone would expect them to. They had 4 servers. The servers were fine, they were still running. There were no software changes, and in fact their tests showed the servers were still responding. They were located at a location with multiple internet connections, and all tests showed the internet connections were all up and working. Power was flowing fine and all UPSs as well as the generator were all fine.

Finally, after about 2 hours, the problem was found: My understanding is that a single module in an enterprise router failed, but in a way that was hard to find. Once found, the hardware vendor sent a replacement part by courier to replace. My understanding is that it cost them well over 10 grand to eliminate that one single point of failure. And that was just for the hardware.

Just goes to prove once again that in IT, 80% of the result is 20% of the cost. That remaining 20% of result is what costs the 80%.

John T

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, May 18, 2007 9:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Appriver issue

I have something that I would also like to clear up. When I indicated that AppRiver had removed its contact page, it likely just wasn't operating at the time that I was attempting to access it. Considering their issues, it would not be a surprise to see other issues like this caused, but it seemed suspicious since their home page was working and not their contact page. I did note that it was working by the time that it was pointed out that it was up.

In no way did I ever believe that Pete or Sniffer had any direct involvement in the system that created these problems, and in no way should this reflect badly on Pete or Sniffer as far as I am concerned.

I was slightly miffed after getting off the phone with them where their reaction quite clearly indicated that they were aware of the issue. I suggested that they take their servers off-line due to the issues that were being caused, but I was probably barking up the wrong tree. The servers weren't taken off line for another hour or so, or maybe this is when the delivery servers caught up with the queued E-mail destined for my client. I'm not sure why they didn't act on this sooner. When you have a loop, it is important to stop it, and their multi-homing made it difficult for others to block. One user received about 500 copies of the same message (and also called them), and there were other examples that we saw which were much more limited.

I do hope that they didn't choose to introduce new software at 11 a.m. ET on the busiest E-mail day of the week, and that this was only when the problems surfaced...

Everyone that deals with significant volumes of E-mail has issues from time to time, and I wouldn't draw conclusions about AppRiver based on just this one circumstance. I would imagine that it is hard to plan for how to deal with a broad scale looping issue, and I'm sure this was a learning experience for them.

Matt
[sniffer] Re: Sniffer as passthrough filter
Yes, it is called email gateway service and many of us do that. It is fairly straightforward to set up, but there are a number of steps.

John T

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of K Mitchell
Sent: Thursday, March 08, 2007 6:16 PM
To: Message Sniffer Community
Subject: [sniffer] Sniffer as passthrough filter

I've been running Message Sniffer here with IMail and mxGuard for a number of the domains we service. I have another customer that runs their own Exchange server, and wishes to continue doing so, but inquired as to the possibility of us doing pass-through filtering for them. Is this possible with the setup I have?

Thanks,

--
Kirk Mitchell - General Manager
[EMAIL PROTECTED]
Keystone Connect
Unlock Your World
Altoona, PA
814-941-5000
http://www.keyconn.net
[sniffer] Re: Blocking emails with Cyrillic characters
As someone who speaks Russian, it would be more productive for you to forward those spams to Sniffer for processing rather than create a rule based on normal common language characters.

Besides, that is not what I expect from Sniffer. My understanding of the premise of Message Sniffer is to create rules that search for a pattern in spam messages that can be reliably duplicated. Having a rule solely based on inclusion of common language characters would undermine the trust we have in Message Sniffer.

John T
eServices For You
Life is a succession of lessons which must be lived to be understood. Ralph Waldo Emerson (1802-1882)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Guluk
Sent: Wednesday, December 13, 2006 12:43 PM
To: Message Sniffer Community
Subject: [sniffer] Blocking emails with Cyrillic characters

Hello Comrades,

Could we get a rule that looks for various common Russian words (or Cyrillic characters) and then gives them a spam value? Do you sell much Sniffer product to Russia? If not, rules that focus on common Russian words would be great for blocking much of the spam that makes its way past Sniffer. You could always create a way for people that want Russian emails to exclude this rule. No?

Not that I know all the details of how you guys create your rules, but a rule looking for common Cyrillic characters could catch all spam formatted in Russian as well as other languages that use similar characters. Otherwise you should hire some coders that understand these languages, as I get a heap of spam that passes Sniffer by using what looks like Russian or Cyrillic characters.

I run iMail 8.22, so if anyone has any other ideas that could block these please post your suggestions. I guess we could create a phrase list from some of the Cyrillic spams..?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
[sniffer] Re: Yahoo! Is Retarded
;)

John T
eServices For You
Life is a succession of lessons which must be lived to be understood. Ralph Waldo Emerson (1802-1882)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Thursday, October 26, 2006 8:48 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Yahoo! Is Retarded

I like your new sig, John. How's this for an addendum?

Experience is that which you acquire, just after you needed it.

Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Thursday, October 26, 2006 8:13 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Yahoo! Is Retarded

You're preaching to the choir.

John T
eServices For You
Life is a succession of lessons which must be lived to be understood. Ralph Waldo Emerson (1802-1882)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan Hickman
Sent: Thursday, October 26, 2006 7:24 AM
To: Message Sniffer Community
Subject: [sniffer] Yahoo! Is Retarded

Now, my word choice of 'Retarded' is merely to illuminate the slowness of Yahoo! in regards to this issue and the severity of their decision, and not to indicate that they are mentally handicapped, which is an accusation for which I have no basis. However, as evidence of this, please review the following URLs:

http://ca.answers.yahoo.com/question/index?qid=20061024160658AAAh0QY
http://answers.yahoo.com/question/index?qid=20061024080547AAf54ah

Jonathan Hickman
[sniffer] Re: Declude header not modified correctly
Declude is not ignoring the problem. David Barker is aware of it and has responded to discussion concerning this problem on the Declude Junkmail list.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Herb Guenther
Sent: Tuesday, October 24, 2006 4:11 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Declude header not modified correctly

Just as a follow up, I have not had any email returned from Declude in the last 4 business days. So, they are just ignoring the problem even though the tools are all doing their part to identify the messages as spam; the header mod is useless so it goes right through the filters. So their answer was to have me update to the latest version, which did not solve the problem, and then I did not hear back from them after any email and a call.

Herb

Kami Razvan wrote:
> We see that a lot too.. we run 2.14
>
> Kami
>
> From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
> Sent: Monday, October 16, 2006 5:44 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Significant increase in false positives
>
> We see this occasionally with Declude 1.82. What version are you running?
>
> Darin.
>
> ----- Original Message -----
> From: Herb Guenther
> To: Message Sniffer Community
> Sent: Monday, October 16, 2006 5:35 PM
> Subject: [sniffer] Re: Significant increase in false positives
>
> Hi Darin;
>
> Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because Declude is not modifying the header correctly. It is adding a header stub to the bottom of the message, so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?
>
> Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262) 789-0966 x102 Office
(262) 780-0424 Direct
[sniffer] Re: Declude header not modified correctly
http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Integration

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Tuesday, October 24, 2006 4:17 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Declude header not modified correctly

I have this problem as well, but I'm running an older version of Declude. As far as I know there's no way to fix the problem other than supposedly the newest version fixes the issue. I'm not going to spend another penny on Declude so I'm stuck with the problem unless I switch mail servers.

Declude went down hill when the new owners took over. They have a group of worshipers on their list that attacks anyone critical of management which makes it impossible to give critical information on the product.

I love Sniffer. I wish all products worked as good as Sniffer does. I just wish it didn't run underneath a third party plug in (Declude) to run on Imail or Smartermail.

Does anyone know of a different mail server that's EASY to use that offers the features of Imail and doesn't require Declude to run Sniffer?

Thanks,
-Joe

----- Original Message -----
From: Herb Guenther
To: Message Sniffer Community
Sent: Tuesday, October 24, 2006 6:11 PM
Subject: [sniffer] Re: Declude header not modified correctly

Just as a follow up, I have not had any email returned from Declude in the last 4 business days. So, they are just ignoring the problem even tho the tools are all doing their part to identify the messages are spam; the header mod is useless so it goes right thru the filters. So their answer was to have me update to the latest version, which did not solve the problem, and then I did not hear back from them after any email and a call.

Herb

Kami Razvan wrote:

We see that a lot too.. we run 2.14

Kami

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
Sent: Monday, October 16, 2006 5:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

We see this occasionally with Declude 1.82. What version are you running?

Darin.

----- Original Message -----
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?

Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct

This e-mail is confidential and is for the use of the intended recipient(s) only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.
[sniffer] Re: FW: Retest (KMM38446283V14479L0KM)
HA HA HO HO ROFLOL

Do you really think Yahoo and the other big ego head companies care about us? It would take a mass amount of paid Yahoo users to make some thing happen.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Tech Support
Sent: Wednesday, October 18, 2006 6:58 PM
To: Message Sniffer Community
Subject: [sniffer] Re: FW: Retest (KMM38446283V14479L0KM)

The time and resources spent dealing with this add up to serious cash. I'm thinking class action lawsuit :)

----- Original Message -----
From: Matrosity Hosting [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, October 18, 2006 8:36 PM
Subject: [sniffer] FW: Retest (KMM38446283V14479L0KM)

Whatever, yahoo. You can't just admit your system was hosed and actually still is.

Bill Foresman
Matrosity Hosting
www.matrosity.com
850.656.2644

-----Original Message-----
From: Yahoo! Customer Support [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 18, 2006 7:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Retest (KMM38446283V14479L0KM)

Hello,

Thank you for contacting Yahoo! Customer Care. We have investigated the issue described in your report and believe the problem has been resolved. We apologize for any inconvenience.

Emails from the mail server(s) you are using have recently become deprioritized due to potential issues with its mailings. These deprioritizations were temporary but may be re-triggered if the sending IP profile continues to be poor. Typically, deprioritizations are triggered by bad individual sender or MAIL FROM profiles.

To continue to receive prioritized delivery or if your servers are being delivered to Yahoo! Mail's Bulk Mail folder, please visit the following URL's for more information:

http://help.yahoo.com/help/us/mail/spam/spam-18.html
http://help.yahoo.com/help/us/mail/bulk/bulk-01.html

If you are not the administrator for the mail server(s) affected, we encourage you to contact the administrator so they can address the possible issues regarding mailings from the mail server.

If you notice any further difficulties with delivering to Yahoo! Mail accounts after this time, please let us know by replying to this email. Please provide the text of any error messages you may have received and a copy of the email (with the full headers). Also, by providing the specific IP address of the mail server that experienced the delivery issue, it will help us to troubleshoot the issue efficiently.

Thank you again for contacting Yahoo! Customer Care.

Regards,

Raoul
Yahoo! Customer Care
http://www.yahoo.com/

27129662

Original Message Follows:
-
Mail-Id: 1161088172-2180
Name: Bill Foresman
IPs in the form 255.255.255.255 (separate multiple IP submissions by new lines): 69.8.234.8
Indicate the error message(s) you have received.

10:17 00:24 SMTP-(373302740f62) Trying yahoo.com (0)
10:17 00:24 SMTP-(278301774a27) Trying yahoo.com (0)
10:17 00:24 SMTP-(3b5b01fb0583) Trying yahoo.com (0)
10:17 00:24 SMTP-(31dc0257057c) Trying yahoo.com (0)
10:17 00:24 SMTP-(306301c6026c) Trying yahoo.com (0)
10:17 00:24 SMTP-(27c101704a84) Trying yahoo.com (0)
10:17 00:24 SMTP-(370f01ce0f1b) Trying yahoo.com (0)
10:17 00:24 SMTP-(367c02540dfe) Trying yahoo.com (0)
10:17 00:24 SMTP-(3215025705df) Trying yahoo.com (0)
10:17 00:24 SMTP-(37f301fe10c1) Trying yahoo.com (0)
10:17 00:24 SMTP-(2d3e016f53e1) Trying yahoo.com (0)
10:17 00:24 SMTP-(37e5027410aa) Trying yahoo.com (0)
10:17 00:24 SMTP-(39ad01de02b3) Trying yahoo.com (0)
10:17 00:24 SMTP-(2ea30212569a) Trying yahoo.com (0)
10:17 00:24 SMTP-(373302740f62) 451 Message temporarily deferred - 4.16.50

Optionally, add a comment to your submission.

No clue why this is happening to us! I've checked multiple open relay tests and all come back negative.

While Viewing: http://help.yahoo.com/help/us/mail/defer/defer-02.html
Form Name: http://add2.dir.scd.yahoo.com/fast/help/us/mail/cgi_retest
---
[sniffer] Re: email
I have seen reports that Network Non-Solutions is having DNS Server issues today.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, October 17, 2006 2:29 PM
To: Message Sniffer Community
Subject: [sniffer] Re: email

Hello Computer,

Tuesday, October 17, 2006, 3:20:18 PM, you wrote:

> Dear Pete, I sent an E-mail to the Sniffer Community over an hour ago, and it has not yet been received by anyone. I noticed that 2pm was the last sniffer mail I got. Are these being held up for some reason?

I don't think so - at least not on purpose. There have been a lot of odd DNS based things going on today. I will look into it, but at the moment things seem to be working.

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Thanks Sniffer
I have noticed in the last couple of weeks a greatly improved response time in reports of false positives. Just want to say thanks.

John T
eServices For You
Seek, and ye shall find!
[sniffer] Re: Experimental Abstract
I concur, Pete, in that I have been thinking about upping the weight for the EXP tests. I recently changed ABST from 20 to 25. I attach at 25, hold at 30 and delete at 35.

SNIFFER-TRAVEL 47 20
SNIFFER-INSURANCE 48 20
SNIFFER-AV-PUSH 49 20
SNIFFER-WAREZ 50 30
SNIFFER-SPAMWARE 51 40
SNIFFER-SNAKEOIL 52 40
SNIFFER-SCAMS 53 40
SNIFFER-PORN 54 40
SNIFFER-MALWARE 55 25
SNIFFER-INKPRINTING 56 20
SNIFFER-SCHEMES 57 30
SNIFFER-CREDIT 58 30
SNIFFER-GAMBLING 59 30
SNIFFER-GENERAL 60 25
SNIFFER-EXP-ABST 61 25
SNIFFER-OBFUSCATION 62 25
SNIFFER-EXP-IP 63 20

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, October 09, 2006 3:15 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Experimental Abstract

Hello Alberto,

In earlier times we had a philosophy that no single test should trap a message. The idea was that by combining tests the accuracy of the filter system would always (qualified) be improved.

The blackhats have become extremely aggressive about burning IPs and generating image spam and/or other abstracted, short lived, and narrowly targeted campaigns. As a result of these changes, it is often the case that our abstract rules are the only thing that will fire on a message.

The bad news is that holding on any single test will probably lead to more false positives. The good news is that SNF:Experimental/Abstract has a very low false positive rate.

It may be time to alter our philosophy w/ regard to the experimental/abstract rules group and recommend that wherever practical, messages should probably be held (not deleted) based on a hit in this rule group.

Hope this helps,

_M

Monday, October 9, 2006, 5:59:44 PM, you wrote:

> Hello
> I'm getting storms of spam and Sniffer sets them as (Experimental Abstract)
> Can someone explain how I have to treat them?
> Many thanks in advance
> Alberto

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: [Fwd: keep up with the jones']
???/

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Kim W. Premuda
Sent: Tuesday, October 03, 2006 6:00 PM
To: Message Sniffer Community
Subject: [sniffer] [Fwd: keep up with the jones']

-------- Original Message --------
Subject: keep up with the jones'
Date: Tue, 03 Oct 2006 17:52:39 -0800
From: Larry Swinton [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

tips to live by...

2: And he said, Behold now, I am old, I know not the day of my death: 31: And the plenty shall not be known in the land by reason of that famine following; for it shall be very grievous. 7: And the sons of Jacob came out of the field when they heard it: and the men were grieved, and they were very wroth, because he had wrought folly in Israel in lying with Jacob's daughter; which thing ought not to be done. 4: Unstable as water, thou shalt not excel; because thou wentest up to thy father's bed; then defiledst thou it: he went up to my couch. 24: And God said, Let the earth bring forth the living creature after his kind, cattle, and creeping thing, and beast of the earth after his kind: and it was so. 31: And the plenty shall not be known in the land by reason of that famine following; for it shall be very grievous. 5: And in the fourteenth year came Chedorlaomer, and the kings that were with him, and smote the Rephaims in Ashteroth Karnaim, and the Zuzims in Ham, and the Emims in Shaveh Kiriathaim, 32: And the man came into the house: and he ungirded his camels, and gave straw and provender for the camels, and water to wash his feet, and the men's feet that were with him. 5: And Abraham said unto his young men, Abide ye here with the ass; and I and the lad will go yonder and worship, and come again to you, 17: And these are the sons of Reuel Esau's son; duke Nahath, duke Zerah, duke Shammah, duke Mizzah: these are the dukes that came of Reuel in the land of Edom; these are the sons of Bashemath Esau's wife. 30: And Joseph made haste; for his bowels did yearn upon his brother: and he sought where to weep; and he entered into his chamber, and wept there.
[sniffer] Re: Sharon Daniels is out of the office.
Bleeping wonderful. We have to put up with this for a week? I guess a nice little Outlook rule is called for.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 07, 2006 10:02 AM
To: Message Sniffer Community
Subject: [sniffer] Sharon Daniels is out of the office.

I will be out of the office starting 07/08/2006 and will not return until 15/08/2006.

I will respond to your message when I return. If your request is urgent please resend your message to [EMAIL PROTECTED] or call 623-5700.

Have a great day!

Sharon
[sniffer] Re: Fwd: Re: ------------------------------------------------
As Pete has said before, do not send spam reports to the list. There is a separate appropriate email address for that.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Thursday, August 03, 2006 2:08 AM
To: Message Sniffer Community
Subject: [sniffer] Fwd: Re: Prima esperienza di striptease e poi sesso anale trovi qui

Hello,
please include in rules this SPAM.

regards
Filippo
[sniffer] Re: Help
Stop using the silly WHITELIST TODOMAIN for one thing. What is the IP address they are coming from? Could be a compromised client?

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Thursday, July 27, 2006 9:11 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Help

These:

#= WHITELISTS ===
#WHITELIST HABEAS
PREWHITELIST ON
WHITELIST AUTH
#WHITELIST LOCAL
#(PRO version only) enables addresses in the web address book to automatically be white listed.
#AUTOWHITELIST ON
# - Domain Example -
WHITELIST FROM @declude.com
# - User Example -
WHITELIST FROM [EMAIL PROTECTED]
# - IP Example -
#WHITELIST IP 63.246.13.90
# - TO Example -
#WHITELIST TO postmaster@
#WHITELIST TO abuse@
WHITELIST TO [EMAIL PROTECTED]
WHITELIST TO [EMAIL PROTECTED]
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain

Filippo

At 18:06 27/07/2006, you wrote:

*** My mail server have the relay activated only for certain IP address and networks. Filippo ***

Sorry, I didn't read your message close enough. What whitelist settings do you have in global.cfg?

Paul Navarre
[sniffer] Re: My rulebase download and log upload script
Reading through the updated script, I notice you are uploading the log file whenever the script runs. I currently upload the log file once per day. Pete, what is the preferred timing for uploading the log file?

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, July 07, 2006 6:24 PM
To: Message Sniffer Community
Subject: [sniffer] My rulebase download and log upload script

The last thing before I leave for the weekend...

I finally got around to updating my download/upload script so that I can upload compressed logs.

In the course of doing that, I found that my upgraded version of wget has changed its behaviour; as of the 1.10.x series, if you specify -O to specify the target filename, various options are ignored including the -N for download only if server side is newer. Therefore, ever since I upgraded my wget, I've been downloading a compressed rulebase file on *each* run.

Some of this script is antique and some of it is new. I just downloaded the standard download script that Bill Landry ushered into this world, and my script was certainly informed by the discussions of that on this list. (I'm not trying to replace that script, I'm just giving credit where credit is due.)

My .cmd file script is attached as a .txt file; as I mentioned a while back, I use both the IMail external script mailbox method to launch this file when SortMonster/ARM sends me my notification, and I also run it on a schedule with the AT command so that one of them will work to get timely updates.

Andrew 8)
Re: [sniffer]Sniffer updates down?
Well, I figured out what the problem is, sort of. This last Monday I finally reconfigured the network at my Data Center for using 2 Internet connections. For some reason, DNS queries going out the secondary connection are timing out. Fun Fun Fun.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, June 02, 2006 3:57 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Sniffer updates down?

Hi John,

I got my Sniffer update at 5:03 pm no problem from Toronto

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, June 02, 2006 5:23 PM
To: Message Sniffer Community
Subject: [sniffer]Sniffer updates down?

I am getting errors since late last night that host can not be found.

John T
eServices For You
Seek, and ye shall find!
Re: [sniffer]Possible Paypal Phishing
Disregard my last post.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, May 24, 2006 9:38 AM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in PayPal.com (ok, that does set off alarm bells when it's someone else's netblock) matches the forward lookup of the resulting address at PayPal. Therefore, PayPal is deliberately allowing that reverse IP in someone else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, May 24, 2006 9:31 AM
To: Message Sniffer Community
Subject: [sniffer]Possible Paypal Phishing

Attached are the headers to an e-mail I am suspecting as a clever phishing that has me worried. It looks like a legit message sent on behalf of Paypal, however, it is sent from an IP address not owned by Paypal BUT which has a REVDNS that ends in paypal.com. The message is full of links to images.postdirect.com but does have legit links to paypal.com.

John T
eServices For You
Seek, and ye shall find!
Re: [sniffer]Possible Paypal Phishing
That is what has me worried.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Wednesday, May 24, 2006 9:51 AM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

The owner of a domain need not authorize a reverse DNS PTR record in any way, shape or form. If the netblock was owned, or the netblock owner had delegated rDNS to a malicious customer, they could easily set rDNS to whatever they wanted. Aol.com, paypal.com, ebay.com, chase.com ...

-Jay

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, May 24, 2006 12:38 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in PayPal.com (ok, that does set off alarm bells when it's someone else's netblock) matches the forward lookup of the resulting address at PayPal. Therefore, PayPal is deliberately allowing that reverse IP in someone else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, May 24, 2006 9:31 AM
To: Message Sniffer Community
Subject: [sniffer]Possible Paypal Phishing

Attached are the headers to an e-mail I am suspecting as a clever phishing that has me worried. It looks like a legit message sent on behalf of Paypal, however, it is sent from an IP address not owned by Paypal BUT which has a REVDNS that ends in paypal.com. The message is full of links to images.postdirect.com but does have legit links to paypal.com.

John T
eServices For You
Seek, and ye shall find!
Re: [sniffer]Possible Paypal Phishing
But how is PayPal's DNS involved in this, as at what point are the Paypal DNS servers queried?

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, May 24, 2006 9:38 AM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in PayPal.com (ok, that does set off alarm bells when it's someone else's netblock) matches the forward lookup of the resulting address at PayPal. Therefore, PayPal is deliberately allowing that reverse IP in someone else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, May 24, 2006 9:31 AM
To: Message Sniffer Community
Subject: [sniffer]Possible Paypal Phishing

Attached are the headers to an e-mail I am suspecting as a clever phishing that has me worried. It looks like a legit message sent on behalf of Paypal, however, it is sent from an IP address not owned by Paypal BUT which has a REVDNS that ends in paypal.com. The message is full of links to images.postdirect.com but does have legit links to paypal.com.

John T
eServices For You
Seek, and ye shall find!
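The check this thread is circling, as an added example that is not Sniffer, Declude or PayPal code: forward-confirmed reverse DNS. A PTR record is written by whoever controls the netblock, so its suffix alone proves nothing (Jay's point); the forward lookup of the PTR name is answered by that name's own zone, which is where PayPal's DNS servers get queried (John's question), so only a PTR whose name resolves back to the sending IP shows the domain owner vouching for it (Andrew's reasoning). The DNS records below are constructed stand-ins; the default lookups use the system resolver for a live address.

```python
# Added example, not Sniffer/Declude/PayPal code: forward-confirmed reverse
# DNS (FCrDNS), with the unsafe "PTR suffix only" check shown for contrast.
import ipaddress
import socket

# Constructed records, not real DNS.  192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges; "paypal.example" is a placeholder domain.
SAMPLE_PTR = {
    "192.0.2.10": "bounce1.mailer.paypal.example",  # PTR set by netblock owner
    "192.0.2.11": "mx.paypal.example",              # PTR set by netblock owner
}
SAMPLE_A = {
    "bounce1.mailer.paypal.example": ["192.0.2.10"],  # zone points back: vouched
    "mx.paypal.example": ["198.51.100.5"],            # zone does not point back
}


def system_ptr(ip):
    """PTR lookup through the OS resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """All addresses the OS resolver returns for name; [] on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (status, ptr_name); status is 'no-ptr', 'mismatch' or 'confirmed'."""
    addr = ipaddress.ip_address(ip)
    name = ptr_lookup(str(addr))
    if not name:
        return "no-ptr", None
    name = name.rstrip(".").lower()
    forward = set()
    for a in forward_lookup(name):
        try:
            forward.add(ipaddress.ip_address(a.split("%")[0]))  # drop v6 scope id
        except ValueError:
            continue  # resolver returned something that is not an address
    return ("confirmed" if addr in forward else "mismatch"), name


def vouched_by(ip, domain, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """True only when FCrDNS passes and the confirmed name sits under domain."""
    status, name = fcrdns(ip, ptr_lookup, forward_lookup)
    if status != "confirmed":
        return False
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def ptr_suffix_only(ip, domain, ptr_lookup=system_ptr):
    """The unsafe check: trust the PTR suffix without the forward lookup."""
    name = (ptr_lookup(str(ipaddress.ip_address(ip))) or "").rstrip(".").lower()
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


if __name__ == "__main__":
    lookups = dict(ptr_lookup=SAMPLE_PTR.get,
                   forward_lookup=lambda n: SAMPLE_A.get(n, []))
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, fcrdns(ip, **lookups),
              "vouched" if vouched_by(ip, "paypal.example", **lookups) else "not vouched",
              "suffix-only says:", ptr_suffix_only(ip, "paypal.example", SAMPLE_PTR.get))
```

192.0.2.11 is the case Jay describes: the suffix-only check accepts it, FCrDNS rejects it.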
RE: [sniffer] Test
Pong

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: sniffer@sortmonster.com [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, May 15, 2006 10:12 PM
To: sniffer@sortmonster.com
Subject: Test

Hello sniffer,

Just testing.

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....
Well, I am at the point that I could care less about geocities false positives. If GeoCities is going to allow this much spam junk then I could care less about allowing them.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, May 05, 2006 9:09 AM
To: John T (Lists)
Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer

We've had that rule before and had to pull it for false positives.

_M

On Friday, May 5, 2006, 11:41:50 AM, John wrote:

JTL> FYI, I created a Declude Filter:
JTL> Subject END NOTCONTAINS news
JTL> BODY 25 CONTAINS http://geocities.com/
JTL> Been catching every one like that.
JTL> John T
JTL> eServices For You
JTL> Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bayerdorffer
Sent: Friday, May 05, 2006 7:38 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer

Here too.

--
Daniel Bayerdorffer
[EMAIL PROTECTED]
Numberall Stamp Tool Co., Inc.
PO Box 187
Sangerville, ME 04479 USA
TEL 207-876-3541
FAX 207-876-3566
www.numberall.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Friday, May 05, 2006 10:34 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Lot of Drugs Spam getting through sniffer

The last few days tons of Drugs spam is coming in and sniffer is catching none of it.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
RE: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....
Just when you think we won the battle, they move the targets and change the rules. This is why we need people like Pete and Darrell to help us fight this ever-changing war. A big thanks.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, May 05, 2006 11:37 AM
To: John T (Lists)
Subject: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer

On Friday, May 5, 2006, 1:08:14 PM, John wrote:

JTL> Well, I am at the point that I could care less about geocities false
JTL> positives. If GeoCities is going to allow this much spam junk then I could
JTL> care less about allowing them.

That's fine. There are probably a number of systems that feel that way. I only meant to say that we've tried a block-first strategy w/ geocities before and had to remove it. YMMV.

You should also know (may remember) that the blackhats experimented a while ago with using several other hosting sites, including msn, and seeding them in round-robin fashion so that they all appeared in each campaign. Since this experiment stopped abruptly I doubt that it has been abandoned - rather, it was put on the shelf for a while. At the time it was clearly effective for them. I think it likely they will do that again (don't know when) since they are putting some new effort into this path. I don't have any evidence of it yet.

I discovered that on 20060503 the blackhats made some significant changes to their use of geocities links and their transmission patterns. I've re-tuned the F002 bot to compensate and it is currently reviewing a handful of new geocities links every minute and adding approximately 1.2 new rules per minute.

I suspect that the lull we observed may have had something to do with their tooling up for this set of campaigns.

_M
[sniffer] Updates slow
It seems today that updates have been slow to retrieve, the last one averaging 54 Kbps. Updates are triggered on the e-mail update notice.

John T
eServices For You
Seek, and ye shall find!
RE: [sniffer] New Web Site!
What is the purpose of using a WIKI site?

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, March 17, 2006 8:07 AM
To: sniffer@sortmonster.com
Subject: [sniffer] New Web Site!

Hello Sniffer Folks,

Today we are making a major transition. The old Message Sniffer web site will be torn down and replaced with a new WIKI: http://kb.armresearch.com/index.php?title=Message_Sniffer

The top Message Sniffer page will retain its index for a while but instead of sending you to the original pages the links will take you to appropriate pages in the new WIKI. Also - if you try to go directly to an old page you will be redirected automatically to the appropriate new page.

The WIKI requires that you create an account and log-in before making any changes. We know there are blackhats out there so we will be watching very closely... If we find there is abuse, we will disable the ability to create accounts and you will need to contact us at support@ if you want the ability to post -- let's hope it doesn't come to that.

We will continue to update, improve, and correct the wiki - it will, in fact, be under constant development.

Have fun!

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
[sniffer] New ad campaign
I am seeing a lot of spam with a subject line of fw: or re: followed by the username portion of the recipient. Any way to create a rule for this?

John T
eServices For You
Seek, and ye shall find!
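The two rule ideas in this thread, the Declude geocities filter quoted in the "Lot of Drugs Spam" message (subject does not contain "news" and body contains a geocities.com link) and the "re:/fw: + recipient local part" subject pattern asked about above, written out as plain Python checks. This is an added example, not Declude's filter engine or syntax and not code from the list; the sample messages and rule names are constructed for illustration.

```python
import email
import re
from email.message import Message
from email.utils import getaddresses

# Constructed re-implementation of two rules discussed on this list.  These
# are plain Python checks, not Declude's own filter engine or syntax.

# Rule 1 (the geocities filter): subject does NOT contain "news" and the body
# contains a geocities.com link.
GEOCITIES_LINK = "http://geocities.com/"

# Rule 2 (the pattern asked about): subject is "re:" or "fw:" followed by
# nothing but the local part of a recipient address, e.g. "Re: jsmith".
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:\s*(?P<rest>.*?)\s*$", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Decoded text of every text/* part, joined; non-text parts are ignored."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def geocities_rule(msg: Message) -> bool:
    """Subject must not mention news; body must carry a geocities.com link."""
    if "news" in msg.get("Subject", "").lower():
        return False
    return GEOCITIES_LINK in body_text(msg).lower()


def reply_spoof_rule(msg: Message) -> bool:
    """Subject is just 're:'/'fw:' plus the local part of one of the recipients."""
    m = REPLY_PREFIX.match(msg.get("Subject", ""))
    if not m or not m.group("rest"):
        return False
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    local_parts = {addr.split("@")[0].lower() for _, addr in getaddresses(recipients) if addr}
    return m.group("rest").lower() in local_parts


def classify(raw: str) -> list:
    """Return the names of the rules a raw RFC 822 message triggers."""
    msg = email.message_from_string(raw)
    hits = []
    if geocities_rule(msg):
        hits.append("GEOCITIES_LINK")
    if reply_spoof_rule(msg):
        hits.append("REPLY_TO_LOCALPART")
    return hits


# Constructed sample messages (not real mail from the list).
SPAM_GEOCITIES = """From: promo@example.org
To: John Smith <jsmith@example.net>
Subject: Cheap meds
Content-Type: text/plain; charset=utf-8

Order now at http://geocities.com/example-page/
"""

SPAM_REPLY = """From: promo@example.org
To: John Smith <jsmith@example.net>, sales@example.net
Subject: re: jsmith
Content-Type: text/plain; charset=utf-8

Hi, thought you might like this.
"""

LEGIT = """From: editor@example.org
To: jsmith@example.net
Subject: Re: Newsletter draft
Content-Type: text/plain; charset=utf-8

Old copy is still at http://geocities.com/example-page/ for reference.
"""

if __name__ == "__main__":
    for name, raw in (("SPAM_GEOCITIES", SPAM_GEOCITIES), ("SPAM_REPLY", SPAM_REPLY), ("LEGIT", LEGIT)):
        print(name, classify(raw))
```

The subject rule compares the whole remainder of the subject against the recipient local parts, so a genuine reply such as "Re: Newsletter draft" does not match; the geocities rule keeps the same "news" exception the quoted Declude filter used, which is why the legitimate sample with a geocities link passes.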
RE: Re[2]: [sniffer] Last chance to renew at the old price!
1. What is YOUR motive for taking such a tone?

2. I never made an outright solicitation. It was done for the benefit of others. I am a small business and to my bottom line, every dollar or 5 dollars or 10 dollars count. I clearly said I am not in the business of selling software or hardware. I have turned away requests before from people that have contacted me off list about software. It is extremely rare that I will sell to other than my clients.

3. How do you respond to the posting on this very list by Pete just a bit ago that the seller selling at such a low rate is a valid reseller?

4. How do you respond to the posting on this very list by Michael Murdock that yes you can renew with Declude at a lower cost?

Your responses are injecting that I am taking advantage of something or trying to take away something from SortMonster. That is not true at all. Your comment about competing is very unusual, in that in essence many of us are natural competitors to one another, yet day after day we help each other, in essence helping our competitor.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 6:01 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

You certainly crossed a line of ethical integrity at the very least.

Pete: If you don't already have a 'non-compete' agreement in your reseller agreement it's time. I would never have believed someone would actually try to sell your reseller rates to your customer base. It's simply appalling. And should be grounds for termination.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:46 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Absolutely not.

In fact, if you read my post after this, I am questioning whether or not it can be sold for a lower price. I am not here to undermine any one, as after all where do you think the license that I sell comes from? After all, we are all here to help one another.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

John T: Did you just solicit the ENTIRE sniffer community with pricing that will undermine Pete? Never bite the hand that feeds you my friend.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I normally only sell hardware and software to clients as part of my services. However, if any one is interested in a price, contact me off list.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller PM'd me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:
> Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Joe, you are correct. I searched for and got out my agreement and it states Minimum Advertised Price. Memory does not always work so well. It is no ECC you know.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but it is illegal in the United States for the agreement to determine a minimum selling price. Any such stipulation in an agreement would put both of you in violation of federal price-fixing laws.

-Joe

----- Original Message -----
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of Message Sniffer, I can not charge that low of a price. As such, Pete or some one at Sniffer would need to notify me that I had permission to sell at such a low price. What I mean is, be careful.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller PM'd me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:
> Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: Re[2]: [sniffer] Last chance to renew at the old price!
The only problem with that, and one which I do not know how large of a problem it is, is if you have always provided a single product, and suddenly divide it into 2 levels, you end up with twice the amount of critics: those that pay less but expect more, and those that pay more and then expect even more.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Robeson
Sent: Tuesday, December 27, 2005 2:54 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

The thought does occur to me of how other companies have dealt with similar issues. That issue being how to address a market requiring internal expansion (i.e. expanded reinvestment) while not alienating an existing satisfied customer base.

Many companies simply split their product line into 'basic' and 'premium' services. If the need is as great as Michael says, and the new revisions will result in vastly improved service, then most of their existing customers should want to move forward. However, giving people the option to 'stand still' is viable, good marketing, and good strategy.

At this point, you have a certain catch 22. Everyone that pays now (for next year) is still paying you at the same rate (meaning no expanded funds), but is now wondering if they're doing the right thing. Almost seems like the only way to make the current strategy pay off would have been to demand the increased fees from all clients and not give the grace period for renewing at the old rate. At least that way, you'd have gotten something in return for any perceived customer dissatisfaction.

Consider expanding to a two-tier service option. It really can work well, especially when in the future you might want to charge even more, but not alienate 'new' customers who need a lower buy-in.

Rick Robeson
getlocalnews.com
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fox, Thomas
Sent: Tuesday, December 27, 2005 2:40 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Your interpretation of a bit as being 50+% is disingenuous at best, and thievery at the worst.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 5:34 PM
To: Fox, Thomas
Subject: Re[2]: [sniffer] Last chance to renew at the old price!

On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:

FT> -----Original Message-----
FT> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch

FT> If you don't feel that's the case, then you are free to decide if you think otherwise. Thanks and take care!

FT> EASY FOX TRANSLATION:
FT> Like it, or lump it.

Translated another way...

We could keep things as they are, stand still while spam generation technology advances rapidly, wither away, and die.

OR

We could charge a bit more, accelerate development and make sure that SNF stays out in front and even expands the gap.

I, for one, am not willing to make the first choice, and I doubt that it would be in anyone's best interests - except, perhaps, the blackhats.

_M
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Pete, I am both a Sniffer reseller and user, and I was blind-sided by this announcement.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 2:11 PM
To: Darin Cox
Subject: Re[2]: [sniffer] Last chance to renew at the old price!

I'm sorry that it wasn't more visible. We have been talking about this for several months and have made a few announcements. It has also been on the web site for several months. My announcement today was just to make sure that anyone who had not heard didn't get blind-sided. Sorry it didn't turn out that way. We will be working on some better out-reach problems to help avoid this in the future.

_M

On Tuesday, December 27, 2005, 4:02:15 PM, Darin wrote:

DC> Wow... last minute notice. It's difficult to budget for these things with
DC> so little notice. Please consider a couple months' notice the next time.

DC> Darin.

DC> ----- Original Message -----
DC> From: Pete McNeil [EMAIL PROTECTED]
DC> To: sniffer@sortmonster.com
DC> Sent: Tuesday, December 27, 2005 12:42 PM
DC> Subject: [sniffer] Last chance to renew at the old price!

DC> Hello Sniffer folks,

DC> This is just a friendly reminder that prices will be going up January 1.

DC> You can add a year to your SNF subscription at the current price if you renew before January 1.

DC> Details are here:
DC> https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

DC> Thanks,
DC> _M

DC> Pete McNeil (Madscientist)
DC> President, MicroNeil Research Corporation
DC> Chief SortMonster (www.sortmonster.com)
DC> Chief Scientist (www.armresearch.com)
RE: [sniffer] Joe Jobs...
Because the vendors are so lame as to have that enabled by default.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stanford
Sent: Thursday, December 15, 2005 10:11 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Joe Jobs...

That brings a question up... why do some/many/most postmasters feel that it is so important to notify senders of a virus to a spoofed email address? Also, I have yet to see a legitimate email that contained a virus.. so why not turn the notification off altogether? Just curious...

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, December 15, 2005 11:30 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Joe Jobs...

Hello Sniffer Folks,

Please be aware that there are several spam and possibly virus (other malware?) campaigns being transmitted with my madscientist address and possibly other addresses from our company in the From: headers and SMTP envelope.

Though this has happened in the past at low levels, I have noted recently a very high level of bounces and warnings returning to me (erroneously) from systems that claim they have received viruses and spam from my address. I suspect that this might have been triggered by recent press activity, - especially a Washington Post article which included my email address without modification.

If you receive any of these messages, please treat them as the spam/malware that they are and ignore the source. I have verified that we are not sending any such messages (unintentionally) from any of our systems.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
RE: [sniffer] Large amounts of spam still getting through
5 minutes would hardly be noticed. Discussions I was having with others involved delays of an hour or two. I do not see how greylisting a message for 5 minutes would help except when fighting harvesting or dictionary type spam attacks.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Van Hefner
Sent: Saturday, October 15, 2005 12:22 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Large amounts of spam still getting through

John,

I have no clue what the legal implications would be, as long as both my customers know that I'm using it and the sender is notified appropriately via SMTP. I use greylisting via IMGate/Postfix and it works like a charm. It takes a good couple of weeks to build up a decent whitelist (both manual whitelisting and automated whitelisting are recommended), but after that it is pretty much smooth sailing. I've yet to have a single complaint from my users over greylisting, other than the fact that it delayed their e-mails by around 5 minutes for the first couple of weeks. If I had planned it better, even those delays would largely not have occurred. I know of no way to implement greylisting on a Windows box. See greylisting.org for more info.

William Van Hefner
Network Administrator
Vantek Communications, Inc.
555 H Street, Ste. C
Eureka, CA 95501
707.476.0833 ph

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, October 14, 2005 12:55 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Large amounts of spam still getting through

There has been a good amount of discussion about temporarily grey listing an e-mail message and there are many questions surrounding it, one of which is legal.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Nice
Sent: Friday, October 14, 2005 12:43 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Large amounts of spam still getting through

getting much better at what they do. When a spammer uses Geocities links, hijacks real accounts on major providers to send spam through, and changes their techniques every few hours, it makes it difficult for Sniffer to proactively block them, and the delay between rulebase updates means a delay in catching things that have been tagged.

This brings to mind a technique with optional adaptive delay - enabled by the user. Each mail is assigned a 'triplicate': (To_Email, From_Email, and domain_of_sending_server). Previously unknown triplicates are held for a period of time before being examined for spam. The delay is long enough that SpamCop, Sniffer, and InvURIBL mailtraps see copies of the spam and update the blacklists. This would be hard to do with the stock IMail, but possibly could be done by Declude with the V3 architecture and a database. It still doesn't provide a good answer to the problem of spammers hijacking a computer and sending spam through legitimate servers.
RE: [sniffer] Large amounts of spam still getting through
On a very off topic note, why are we still both up?

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Van Hefner
Sent: Saturday, October 15, 2005 1:01 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Large amounts of spam still getting through

John,

This may be slightly OT. Hope Pete doesn't mind. :-)

The default in greylisting that comes with Postfix is 300 seconds, although you can change that value to whatever you want. The first reason that greylisting was implemented was because almost no spamware ever tried resending messages at the time the idea was originally brought about. Now, I would say that about 85% of spamware and zombies never retry. It is the BIG spamhauses that always retry, and Sniffer is an excellent companion for catching those. It is currently best suited for stopping zombie spamware, and the majority of small spammers that never retry sending messages.

As far as the delay timing goes, that is really up to each individual admin and should be fine tuned depending upon what kind of traffic patterns you are dealing with. I could certainly see the need for some admins to crank the delay up to 15-20 minutes, while I have other hosting customers that are whitelisted entirely (you can whitelist individual domains or just users using greylisting). The best use may be to whitelist some user addresses, and leave others with significant delays. I always believe that users should use a personal e-mail address, and another one that is strictly for mailing lists, online ordering, and stuff like that.

There is a lot of tweaking that can be done with greylisting, but it is only one part of the overall antispam picture. One of its biggest advantages is the bandwidth and CPU processing it can save you, as it rejects a substantial amount of spam with very little bandwidth consumption. There are also technically no false positives, as all mail (even spam) will eventually be passed through. Obviously, it only works best for SOME spam though, and other things like Sniffer solve different parts of the puzzle. Between the different methods I am using, which don't even include Bayesian at the moment, I am seeing far better than a 99% success (rejecting or deleting spam) rate, with very few false positives.

William Van Hefner
Network Administrator
Vantek Communications, Inc.
555 H Street, Ste. C
Eureka, CA 95501

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Saturday, October 15, 2005 12:41 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Large amounts of spam still getting through

5 minutes would hardly be noticed. Discussions I was having with others involved delays of an hour or two. I do not see how greylisting a message for 5 minutes would help except when fighting harvesting or dictionary type spam attacks.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Van Hefner
Sent: Saturday, October 15, 2005 12:22 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Large amounts of spam still getting through

John,

I have no clue what the legal implications would be, as long as both my customers know that I'm using it and the sender is notified appropriately via SMTP. I use greylisting via IMGate/Postfix and it works like a charm. It takes a good couple of weeks to build up a decent whitelist (both manual whitelisting and automated whitelisting are recommended), but after that it is pretty much smooth sailing. I've yet to have a single complaint from my users over greylisting, other than the fact that it delayed their e-mails by around 5 minutes for the first couple of weeks. If I had planned it better, even those delays would largely not have occurred. I know of no way to implement greylisting on a Windows box. See greylisting.org for more info.

William Van Hefner
Network Administrator
Vantek Communications, Inc.
555 H Street, Ste. C
Eureka, CA 95501
707.476.0833 ph

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, October 14, 2005 12:55 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Large amounts of spam still getting through

There has been a good amount of discussion about temporarily grey listing an e-mail message and there are many questions surrounding it, one of which is legal.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Nice
Sent: Friday, October 14, 2005 12:43 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer
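The greylisting mechanism William describes (a new sender/recipient triplet gets a temporary SMTP failure, a retry after the delay is accepted, whitelisted domains or users skip the delay, and triplets that never retry are simply forgotten), together with Mike Nice's "triplicate" keyed on the sending server's domain, as an added in-memory model. This is example code written for this page, not Postfix's or IMGate's greylisting implementation; the 300-second default is the one quoted in the thread, and the hosts, addresses and timings are constructed.

```python
import time
from dataclasses import dataclass, field

# SMTP replies the MTA would send back; a 4xx code is a temporary failure that
# a well-behaved sender retries, which is what greylisting relies on.
DEFER = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Entry:
    first_seen: float        # time the triplet was first offered
    attempts: int = 1        # delivery attempts seen for this triplet
    passed: bool = False     # True once a retry arrived after the delay


@dataclass
class Greylist:
    delay: float = 300.0               # seconds a new triplet must wait (Postfix default quoted on the list)
    retry_window: float = 4 * 3600.0   # forget triplets that never retry within this many seconds
    whitelist: set = field(default_factory=set)   # client hosts, sender domains or recipients that bypass greylisting
    entries: dict = field(default_factory=dict)   # triplet -> Entry (in-memory here; a real MTA persists this)

    @staticmethod
    def triplet(client: str, sender: str, recipient: str) -> tuple:
        # The key is the triplet both posts describe: who is connecting (host or
        # sending domain), the envelope sender, and the recipient.
        return (client.lower(), sender.lower(), recipient.lower())

    def is_whitelisted(self, client: str, sender: str, recipient: str) -> bool:
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        return any(x.lower() in self.whitelist for x in (client, sender_domain, recipient))

    def check(self, client: str, sender: str, recipient: str, now: float = None) -> str:
        """Decide the SMTP reply for one RCPT TO, updating the greylist state."""
        now = time.time() if now is None else now
        if self.is_whitelisted(client, sender, recipient):
            return ACCEPT
        key = self.triplet(client, sender, recipient)
        entry = self.entries.get(key)
        if entry is None:
            # First time we see this triplet: remember it and ask for a retry.
            self.entries[key] = Entry(first_seen=now)
            return DEFER
        entry.attempts += 1
        if entry.passed or now - entry.first_seen >= self.delay:
            # A genuine retry after the delay: let it through from now on.
            entry.passed = True
            return ACCEPT
        # Retried too early: keep deferring until the delay has elapsed.
        return DEFER

    def prune(self, now: float) -> int:
        """Drop triplets that never retried; returns how many were forgotten."""
        stale = [k for k, e in self.entries.items()
                 if not e.passed and now - e.first_seen > self.retry_window]
        for k in stale:
            del self.entries[k]
        return len(stale)


def demo() -> list:
    """Constructed scenario: a legitimate MTA that retries, a zombie that never
    comes back, and a whitelisted customer domain."""
    gl = Greylist(whitelist={"customer.example"})
    t0 = 1_000_000.0
    out = []
    # Legitimate MTA: deferred at first, deferred on an early retry, accepted after the delay.
    out.append(gl.check("mail.example.net", "alice@example.net", "bob@example.com", t0))
    out.append(gl.check("mail.example.net", "alice@example.net", "bob@example.com", t0 + 60))
    out.append(gl.check("mail.example.net", "alice@example.net", "bob@example.com", t0 + 300))
    # A later message on the same triplet passes immediately (the automated whitelist effect).
    out.append(gl.check("mail.example.net", "alice@example.net", "bob@example.com", t0 + 3600))
    # Zombie: one attempt, never retries, so its mail is never accepted.
    out.append(gl.check("203.0.113.9", "junk@spammer.example", "bob@example.com", t0))
    # Whitelisted sender domain skips the delay entirely.
    out.append(gl.check("198.51.100.7", "carol@customer.example", "bob@example.com", t0))
    # After the retry window only the zombie's triplet is stale.
    out.append(gl.prune(t0 + 5 * 3600))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The state lives in a dictionary here; in a real deployment it must survive MTA restarts and be shared across front-end hosts, otherwise every legitimate sender is re-greylisted after each restart, which is the "first couple of weeks" cost William mentions.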
RE: [sniffer] New virus...
No need to block zips, with Declude just add BANZIPEXTSON to your virus.cfg file since the payload is an exe within the zip and since we are all already banning executable files, correct?

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, October 05, 2005 8:41 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New virus...
Importance: High

Hello sniffer,

Hello folks... watch out for a new virus email with an attachment named pword _ change . zip - extra spaces added to skip filters ;-)

We're adding some SNF rules to catch it. No word about it on virus lists or scanner services yet (that I can see).

You may want to temporarily block .zip files - or at least this particular zip file until the new rules can be pushed out and the virus scanners catch up.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
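The check John T is relying on (a zip whose members include an extension you already ban is treated like the banned file itself, rather than blocking all zips) written out as an added Python example. This is not Declude's BANZIPEXTSON code; it only lists the archive's central directory, so nothing is decompressed, and a corrupt file that merely claims to be a zip is reported rather than passed. The attachment names and contents are constructed.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions we already refuse as bare attachments; a zip carrying one of them
# inside is treated the same way.  Constructed list for the example.
BANNED_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def extension(name: str) -> str:
    """Lower-cased final extension, with spaces stripped so that padding such
    as 'pword _ change . zip' does not hide it."""
    name = name.replace(" ", "").lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def banned_in_zip(data: bytes) -> list:
    """Member names whose extension is banned.  Only the central directory is
    read (namelist), so nothing is decompressed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if extension(n) in BANNED_EXTS]
    except zipfile.BadZipFile:
        # An archive we cannot read cannot be vetted: report it, do not pass it.
        return ["<unreadable zip>"]


def scan_message(msg: EmailMessage) -> dict:
    """Map attachment filename -> list of reasons it would be banned."""
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = extension(fname)
        if ext in BANNED_EXTS:
            findings[fname] = ["<banned extension>"]
        elif ext == "zip":
            hits = banned_in_zip(part.get_payload(decode=True) or b"")
            if hits:
                findings[fname] = hits
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_message(attachment: bytes, filename: str) -> EmailMessage:
    """Constructed sample mail with one attachment that claims to be a zip."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Password change"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg


def demo() -> dict:
    """Three constructed cases: an executable inside a zip, a harmless zip,
    and a corrupt file that merely claims to be a zip."""
    return {
        "malware": scan_message(make_message(
            make_zip({"pword_change.EXE": b"MZ" + b"\0" * 16}), "pword_change.zip")),
        "clean": scan_message(make_message(
            make_zip({"report.txt": b"quarterly numbers"}), "report.zip")),
        "corrupt": scan_message(make_message(b"not really a zip", "broken.zip")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Nested archives are not opened here; a filter that needs to see a zip inside a zip would apply `banned_in_zip` recursively with a depth limit so that an attacker cannot make the scanner unpack without bound.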