[sniffer] Re: How to incorporate a white list?
I do not think that anyone was asking the F001 bot to be disabled. Are you doing this for upgrading purposes or because there appeared to be an error with it? A single false positive as described, in my opinion, is no cause for alarm. Any time something changes, there is a potential for error, so please be careful in any attempts to implement suggestions from the community without evaluating all of the possibilities. Personally, I like the way the system is working. However, if it is possible to decrease FPs while maintaining the high level of accuracy in blocking spam, that is always welcome.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Wednesday, April 04, 2007 10:26 AM
Subject: [sniffer] Re: How to incorporate a white list?

The F001 bot will be disabled until further notice.

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Files in Sniffer Directory
Would it be a good idea in a future version to delete files that are older than a certain date automatically? For example, if the file date is older than the current date minus [Insert Number of Days Here] days, it could automatically remove it.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Thursday, March 08, 2007 12:24 PM
Subject: [sniffer] Re: Files in Sniffer Directory

Hello Keith Johnson,

Thursday, March 8, 2007, 10:55:27 AM, you wrote:

Periodically I will check the Sniffer directory for misc. files that may be there and remove them. These files include .FIN .ERR .WRK, etc. I only remove those that have older time stamps on them. Yesterday when I logged in, I had well over 150 of .AMT files. Does anyone know what these files are and what causes them? By them being present as well as old .FIN, etc., would it have an impact on Sniffer's processing performance? Thanks for the aid on this.

.AMT ?? Could you mean .ABT ?

If so - then .ABT indicates a job that was aborted by a client instance of SNF. The extensions to SNF job files change to represent the status of the job.

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.Peer-Server#What_file_extensions_that_are_used_for_the_various_temporary_files_that_are_created_in_the_Sniffer_folder.3F

explanation about=where these files come from and how cellular peer-server technology works

When an SNF instance is launched it looks to see if there are any instances currently acting as servers. If there is a server present then it will submit its job to be processed (.QUE) -- it has become a client instance. It takes a look around to see how busy the system is by checking the number of job files present and the information in the .stat file (if present). Based on what it sees it sets an alarm clock and goes to sleep - expecting to find its job has been completed when it wakes up.

If it wakes up and the job is not done - it will give it another try, maybe a few,... but if it decides it's waited too long then it gives up-- (ABT). An aborting SNF instance will try to take out the server instance that failed to respond by changing that server's job file from .SVR to .ERR -- this prevents other instances from seeing that server instance and trying to use it; and it lets the server instance know that it's got a problem (if it is still alive).

Next, the client instance will load the rulebase itself and scan its own message. After that - it _SHOULD_ remove its job file. HOWEVER -- if something kills off the instance before it has a chance to finish then the .ABT file will be left behind (if it's gotten to this stage). (In some cases, Windows will fail to delete the file at all even though it will tell the client instance it has deleted the file!)

When a system gets too busy to handle the load it may start to kill off SNF instances before they are finished - this leaves orphaned job files in the workspace.

/explanation

Deleting old job files that have been left behind is a good thing. It shouldn't be necessary on most systems. However, as long as you only delete older files that are not active you will not get into any trouble.

If you leave orphaned job files to build up in the SNF workspace then SNF client instances will sleep longer than they should because they will see the extra files as evidence of a heavy traffic load. This can affect performance by increasing the number of active processes on the system. Also, the extra files slow down directory scanning and this can also reduce performance and bring the system closer to having a problem.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
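Added example, not part of the original thread and not Message Sniffer code: a Python sweep for the cleanup discussed above, which removes only job files older than a cutoff and leaves `.SVR` and `.stat` files alone. The one-hour default, the extension set and the function names are assumptions; each file is re-checked after deletion because the thread notes that Windows can report a delete that did not happen.

```python
"""Sweep orphaned SNF job files by age (added example, assumptions labelled)."""
import os
import time
from pathlib import Path

# Job-file extensions named in the thread. .SVR (a server instance's job file)
# and .stat are deliberately left out so a working server is never disturbed.
ORPHAN_EXTENSIONS = {".abt", ".err", ".fin", ".wrk", ".que"}


def find_orphans(workspace, min_age_seconds, now=None):
    """Return job files last modified at least min_age_seconds ago."""
    now = time.time() if now is None else now
    orphans = []
    for entry in os.scandir(workspace):
        if not entry.is_file(follow_symlinks=False):
            continue
        if Path(entry.name).suffix.lower() not in ORPHAN_EXTENSIONS:
            continue
        try:
            age = now - entry.stat(follow_symlinks=False).st_mtime
        except FileNotFoundError:
            continue  # an SNF instance finished and removed it mid-scan
        if age >= min_age_seconds:
            orphans.append(Path(entry.path))
    return sorted(orphans)


def sweep(workspace, min_age_seconds=3600, dry_run=True, now=None):
    """Delete orphans and return (removed, stuck) lists of paths.

    In dry-run mode 'removed' lists what would be deleted and nothing is
    touched. 'stuck' holds files that are locked or still present after
    the delete call returned.
    """
    removed, stuck = [], []
    for path in find_orphans(workspace, min_age_seconds, now):
        if dry_run:
            removed.append(path)
            continue
        try:
            path.unlink()
        except FileNotFoundError:
            continue  # already gone: the owning instance cleaned up
        except PermissionError:
            stuck.append(path)  # still held open, so treat it as active
            continue
        # Verify rather than trust the return of the delete call.
        (stuck if path.exists() else removed).append(path)
    return removed, stuck


if __name__ == "__main__":
    import sys
    gone, held = sweep(sys.argv[1], dry_run="--delete" not in sys.argv)
    print(f"{len(gone)} orphaned job files selected, {len(held)} stuck")
```

Run it against the SNF workspace path first without `--delete` to review the selection; a growing `stuck` list is itself a sign the system is overloaded.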
[sniffer] Re: New web server
http://www.armresearch.com./

If you put a . at the end, it comes up with your Resin Default Home Page. You should specify the default IP address to redirect to the site as well in case someone uses an odd host header.

- Original Message -
From: Karen Perry
To: Message Sniffer Community
Sent: Tuesday, November 14, 2006 3:24 PM
Subject: [sniffer] New web server

Sniffer Folks,

On Friday, we upgraded the web server that hosts www.armresearch.com. We think we have everything ported to the new site correctly, but just in case - please keep an eye out and let us know if you see any problems. For example, if you have any trouble finding a page (such as a 404), first check the file extension of the page (pages should all now be .jsp) and please let us know so we can fix it.

Thanks!

k
[sniffer] Yahoo! Is Retarded
Now, my word choice of 'Retarded' is merely to illuminate the slowness of Yahoo! in regards to this issue and the severity of their decision and not to indicate that they are mentally handicapped which is an accusation for which I have no basis. However, as evidence of this, please review the following URLs:

http://ca.answers.yahoo.com/question/index?qid=20061024160658AAAh0QY
http://answers.yahoo.com/question/index?qid=20061024080547AAf54ah

Jonathan Hickman
Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Because a small amount of weight is added, it is still sufficient for tilting the scales on more occurrences than other image types.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

Hello Jonathan,

I urge caution from experience... png images are not entirely rare, and the cid: tag format in the regex is also common. I'd love to be wrong - but I recall false positives with similar attempts in the past. Is there more to this than the two elements I just described - something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

Nick, very good method. I have added that to my configuration as well now.

- Original Message -
From: Nick Hayer [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:05 AM
Subject: Re: [sniffer]Numeric spam topic change to png stock spam

Hi Markus -

Markus Gufler wrote:

There is also another type of spam (stock spam now with attached png image) this morning passing our filters.

I am catching these fairly easily - a combo filter -

#combo-stockspammer-png.txt
SKIPIFWEIGHT 26
TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
BODY 5 CONTAINS Content-Type: image/png;

# The body regex is this:
src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
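Added example, not part of the original thread: a Python model of the combo filter above, run over constructed messages, to show which of its two conditions does the discriminating and where a false positive of the kind raised in the thread would come from. The reading of the three filter lines (skip at weight 26 or more, stop unless the body regex fired, then add 5 when a PNG part is present) is an assumption, the regex is used exactly as printed in the post, and every sample message and Content-ID value is constructed.

```python
import re

# Body regex exactly as printed in the post (EXTERNAL.REGEX.STOCKSPAMMER.BODY).
CID_LAYOUT = re.compile(r"src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@")
PNG_PART = "Content-Type: image/png;"  # BODY 5 CONTAINS ...
SKIP_AT = 26                           # SKIPIFWEIGHT 26
ADDED = 5                              # weight on the BODY line


def combo_weight(raw, weight_so_far):
    """Weight the combo filter adds to one message (assumed semantics)."""
    if weight_so_far >= SKIP_AT:
        return 0  # message is already heavy enough, filter is skipped
    if not CID_LAYOUT.search(raw):
        return 0  # regex test did not fire, filter ends here
    return ADDED if PNG_PART in raw else 0


def sample(cid, image_type):
    """Build a constructed HTML part plus one inline image part."""
    return (
        "Content-Type: text/html\n\n"
        f"<html><body><img src=cid:{cid}></body></html>\n"
        f"--boundary\nContent-Type: image/{image_type};\n"
        f"Content-ID: <{cid}>\n"
    )


# Constructed samples. The last one stands for a legitimate sender whose mail
# client happens to build Content-IDs in the same hex$hex$hex layout.
SAMPLES = {
    "stock_spam_png": sample("000c01c6895a$1a2b3c4d$6401a8c0@host", "png"),
    "png_with_other_cid": sample("logo.png@example.invalid", "png"),
    "same_layout_gif": sample("000c01c6895a$1a2b3c4d$6401a8c0@host", "gif"),
    "legit_same_layout_png": sample("000501c68960$9f8e7d6c$0a00a8c0@desk", "png"),
}


def score_all(weight_so_far=10):
    """Return the added weight per sample name."""
    return {name: combo_weight(raw, weight_so_far) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, added in score_all().items():
        print(f"{name:24} +{added}")
```

A PNG with an ordinary `cid:` reference scores nothing, so the filter keys on the Content-ID layout rather than on "png plus cid"; any legitimate sender sharing that layout is scored the same as the spam, which is why the added weight is kept small.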
Re: [sniffer] New Web Site!
A wiki is a site that is publicly editable. Anyone can add to the site as long as they have a valid account.

- Original Message -
From: Harry Vanderzand [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Friday, March 17, 2006 11:15 AM
Subject: RE: [sniffer] New Web Site!

What is a wiki?

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, March 17, 2006 11:07 AM
To: sniffer@sortmonster.com
Subject: [sniffer] New Web Site!

Hello Sniffer Folks,

Today we are making a major transition. The old Message Sniffer web site will be torn down and replaced with a new WIKI:

http://kb.armresearch.com/index.php?title=Message_Sniffer

The top Message Sniffer page will retain its index for a while but instead of sending you to the original pages the links will take you to appropriate pages in the new WIKI. Also - if you try to go directly to an old page you will be redirected automatically to the appropriate new page.

The WIKI requires that you create an account and log-in before making any changes. We know there are blackhats out there so we will be watching very closely... If we find there is abuse, we will disable the ability to create accounts and you will need to contact us at support@ if you want the ability to post -- let's hope it doesn't come to that.

We will continue to update, improve, and correct the wiki - it will, in fact, be under constant development.

Have fun!

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] Last chance to renew at the old price!
I believe a new topic is in order. Quick, someone ask a newbie question!

- Original Message -
From: John W. Enyart
To: sniffer@SortMonster.com
Sent: Thursday, December 29, 2005 11:27 AM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Amen. Keep this professional, or take me off the list. My mailbox is filling up with this garbage.

- John W. Enyart
EAI, Inc.
3259 Blackberry Lane
Malvern, PA 19355-9670
610/935/3085
FAX 610.935.3086
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Thursday, December 29, 2005 11:23 AM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

What the heck is going on with people posting to this list lately? People seem to be jumping all over each other, jumping to a lot of conclusions and getting all riled up. It's the Holiday Season for goodness sake! It's supposed to be a time of good will to others. We can agree or disagree about the amount of the price hike; but is all the other escalating banter really necessary?

Wolf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 9:33 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Joe, you are correct. I searched for and got out my agreement and it states Minimum Advertised Price. Memory does not always work so well. It is no ECC you know.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but it is illegal in the United States for the agreement to determine a minimum selling price. Any such stipulation in an agreement would put both of you in violation of federal price-fixing laws.

-Joe

- Original Message -
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of Message Sniffer, I can not charge that low of a price. As such, Pete or someone at Sniffer would need to notify me that I had permission to sell at such a low price. What I mean is, be careful.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
Re: [sniffer] Last chance to renew at the old price!
[ROTFL]

- Original Message -
From: Fox, Thomas [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, December 27, 2005 4:14 PM
Subject: RE: [sniffer] Last chance to renew at the old price!

Might I suggest a visit to: http://www.lexus.com/cpo/ and a graduated price increase over the next two years? A one or two year old Lexus is just as nice as a brand new one, and would be a lot easier on our already strained IT budgets.

Thanks,
--tlf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
Sent: Tuesday, December 27, 2005 3:57 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

1) The monthly rate is going to $ 45.00.

2) It would be a one year extension to your current subscription and then your next renewal would be at the new price. For example, if your license expires 02/08/2006, your next renewal would be on 02/08/2007. This offer is completely optional and is available to all existing customers.

Thanks,
MM

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 27, 2005 2:47 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Last chance to renew at the old price!

1) what will the monthly rate be after 2005?

2) If we were to renew at the current rate, how long will that rate be good for? As you mentioned grandfathered - is this forever or just one year.

--- [This E-mail scanned for viruses by Declude Virus]
Re: Re[6]: [sniffer] POP3 Account Question
I would agree that the dictionary method may be a good idea; however, I am the type of person that will commonly guess at addresses such as sales, support, webmaster, etc. so you may want to exclude those types of addresses as Pete suggested. Addresses such as csmith, rjones, etc. are commonly used in brute force methods, though, and would be useful.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: William Van Hefner sniffer@SortMonster.com
Sent: Tuesday, December 06, 2005 3:25 PM
Subject: Re[6]: [sniffer] POP3 Account Question

On Tuesday, December 6, 2005, 2:13:43 PM, William wrote:

WVH Pete,
WVH How about just creating some accounts that are commonly targeted by
WVH dictionary attacks, but that were never actually valid accounts on our
WVH server? I could redirect all of them to a common mailbox. There are also a
WVH few other common (non-role) addresses that we do not use, which always get
WVH targeted by spammers. I am thinking of sales@, info@, etc. I have
WVH accumulated quite a list of common dictionary attack names from my logs. I
WVH wouldn't have to seed the addresses anywhere. They get hit just by virtue of
WVH how common they are.

That is definitely another good strategy -- more limited and better structured than using a nobody account.

The only caveat is making sure that nobody on the outside would ever have reason to expect an info@ or sales@ address existed... sometimes folks will guess. If this happens, it's usually not a fatal problem, but it's worth thinking about on a case-by-case basis.

Do you have a histogram for your list? That would be interesting to see.

Thanks,

_M
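Added example, not part of the original thread: a Python sketch of the histogram asked for above, counting rejected recipients in an SMTP log and shortlisting spamtrap candidates while excluding guessable role addresses and anything that was ever a real account. The log layout, the sample lines, the thresholds and all function names are assumptions constructed for illustration; a real mail server log needs its own line pattern.

```python
import re
from collections import Counter, defaultdict

# Assumed log layout: "<date> <time> <client-ip> RCPT <address> <smtp-code>"
RCPT_LINE = re.compile(
    r"^\S+ \S+ (?P<ip>\S+) RCPT (?P<local>[^@\s]+)@(?P<domain>\S+) (?P<code>\d{3})$"
)
# Addresses an outsider might honestly guess; the thread suggests excluding them.
GUESSABLE_ROLES = {"sales", "support", "webmaster", "info"}

# Constructed sample log (documentation-range IPs, example.com recipients).
SAMPLE_LOG = """
2005-12-06 14:01:02 192.0.2.10 RCPT csmith@example.com 550
2005-12-06 14:01:03 192.0.2.10 RCPT rjones@example.com 550
2005-12-06 14:01:04 192.0.2.10 RCPT sales@example.com 550
2005-12-06 14:02:10 198.51.100.7 RCPT csmith@example.com 550
2005-12-06 14:02:11 198.51.100.7 RCPT sales@example.com 550
2005-12-06 14:02:12 198.51.100.7 RCPT alice@example.com 250
2005-12-06 14:03:30 203.0.113.5 RCPT csmith@example.com 550
2005-12-06 14:03:31 203.0.113.5 RCPT rjones@example.com 550
2005-12-06 14:03:32 203.0.113.5 RCPT sales@example.com 550
2005-12-06 14:04:00 203.0.113.5 RCPT rjones@example.com 550
2005-12-06 14:05:00 192.0.2.10 RCPT bob@example.com 550
2005-12-06 14:05:01 192.0.2.10 RCPT bob@example.com 550
2005-12-06 14:05:02 192.0.2.10 RCPT bob@example.com 550
"""


def rejected_histogram(lines):
    """Count 550 (no such user) rejections and distinct sources per local part."""
    hits, sources = Counter(), defaultdict(set)
    for line in lines:
        m = RCPT_LINE.match(line.strip())
        if not m or m["code"] != "550":
            continue
        local = m["local"].lower()
        hits[local] += 1
        sources[local].add(m["ip"])
    return hits, sources


def trap_candidates(lines, ever_valid, min_hits=3, min_sources=2):
    """Return (local part, hits, distinct sources), most-hit first.

    ever_valid lists every account that has existed, so mail for a former
    user is never treated as spamtrap traffic.
    """
    hits, sources = rejected_histogram(lines)
    excluded = GUESSABLE_ROLES | {u.lower() for u in ever_valid}
    rows = [
        (local, count, len(sources[local]))
        for local, count in hits.items()
        if local not in excluded
        and count >= min_hits
        and len(sources[local]) >= min_sources
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for row in trap_candidates(SAMPLE_LOG.splitlines(), {"alice", "bob"}):
        print("%-10s hits=%d sources=%d" % row)
```

Requiring several distinct sources keeps one correspondent with a mistyped address from turning that address into a trap.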
RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
I had the exact same problem. I increased the process threads for Declude, and it fixed the problem. I set it to 100 for the number of threads.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 1:46 PM
To: Declude.JunkMail@declude.com
Cc: sniffer@SortMonster.com
Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues

I have got it down to 15 and tried to set sniffer back to persistent mode again.

However I find that with sniffer in persistent mode as David suggested, the proc directory starts back logging, which means the system is not keeping up with the flow of mail. Within 20 minutes I had 1400 files in the proc directory.

I stopped the sniffer service and now it is gradually catching up.

Any more suggestions as to what can get tuned?

I appreciate the assistance.

Thank you

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, October 04, 2005 1:06 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

Trial and error is best. Set it to something like 20 and watch what happens.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 9:27 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

thank you

I was under the understanding given me by David from Declude that it was appropriate given the amount of power my hardware has.

What would you recommend for my hardware?

Thanks John, I always appreciate your active involvement in the list

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, October 04, 2005 12:11 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

Your threads is way too high, and I suspect that there are time outs occurring and not all scanning is being done.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 6:17 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] 3.05.5 issues

I find that since being on the new version that more spam is slipping through.

We have imail v8.05, declude and sniffer on win 2000 server dual xeon 3.4Ghz with 2Gb ram.

Threads are set to 50 with no other setting in declude.cfg

Any advice you can give me to tighten it to where we had it before? I have had several clients complaining.

Other than changing from V2.06.16 to 3.05 nothing else has changed on the server

thank you

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222
RE: Re[2]: [sniffer] reporting spam in bulk
I would be interested in the script if you are willing to share.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, January 05, 2005 7:50 PM
To: Matt
Subject: Re[2]: [sniffer] reporting spam in bulk

On Wednesday, January 5, 2005, 7:16:50 PM, Matt wrote:

M Pete,
M I've been meaning to add a link to a script from within Killer
M WebMail that will allow me to report things to you with a single
M click. If I do this, am I correct in assuming that I should just use
M something like CDONTS to construct a mail and place the original
M source as the body? If not, what would be the preferred method?

I think that should work fine for reporting spam.

M Note that I have original D*.SMD files for everything in the range of
M E-mails that I would consider reporting (using Declude's COPYFILE).
M Generally speaking, this would be a customized setup, although
M achievable by anyone with IMail and Declude. The hack to KWM is just
M some JavaScript to extract the spool data file name from my message
M headers that I insert (full headers must be turned on in Web mail),
M and this links to an ASP script on my server that handles everything
M else.

This all sounds like a good idea. There are likely to be a few IMail/WebMail folks around for a while. This sounds like it's not for the technically timid though.

Thanks,

_M
RE: Re[4]: [sniffer] Surprising missed spam
How does a user go about modifying the custom sniffer rules? Must Sort Monster be contacted or is it possible to do this with some other system (such as a web based interface)?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, September 14, 2004 3:28 PM
To: Landry William
Subject: Re[4]: [sniffer] Surprising missed spam

On Tuesday, September 14, 2004, 1:05:29 PM, Landry wrote:

LW Pete, I started running the new code this morning, and so far, so
LW good. I'll let you know if I see anything strange.

Thanks.

_M