RE: Re[2]: [sniffer] Bad Rule - 828931

Don't know about the proper syntax for baregrep, but for the standard UNIX grep for Win32, the following would give you an accurate count:

grep -c Final.*828931 c:\imail\declude\sniffer\logfile.log

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 4:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931

Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M> rule number, and I don't have the tools set up or the knowledge of
M> grep yet to do a piped query of Sniffer's logs to extract the spool file names.

http://www.baremetalsoft.com/ is a great grep'er for windows.

In BSD I always used .* to represent any number of characters, white space or non, but that didn't seem to work with baregrep. That's why I was trying to confirm with anyone on the list my regex of Final\t828931 was an accurate regex to find every message that 'finaled' on that rule. I'm praying that I screwed up the expression and I don't have 22,055 messages held by that rule.

M> BTW, David, it is generally better not to hold or block on one single
M> test, especially one that automates such listings (despite whatever
M> safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to hold on sniffer alone. We have some safeguards in place now and are transitioning our rule methodologies but hadn't gotten to this one yet as this always seems to hit back-burner. This is also why I'd really like to see the content of the rule to see how it made it past our safeguards.

--
Best regards,
David mailto:[EMAIL PROTECTED]

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

---
This message and any included attachments are from Siemens Medical Solutions USA, Inc. and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you received this message in error, or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail with a copy to [EMAIL PROTECTED] Thank you

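An added example (not from the thread, and not Message Sniffer's own tooling) for the question above of counting the messages that finaled on rule 828931 and extracting their spool file names: it runs the two patterns from the thread next to an exact field match. The log lines are constructed, and the tab-separated layout with the spool file name in the third field is an assumption.

```python
import re

# Constructed sample lines, NOT real Message Sniffer output. Assumed layout:
# tab-separated fields, spool file name in the third field, and the result
# type ("Match"/"Final"/"Clean") immediately followed by the rule number.
SAMPLE_LOG = "\n".join([
    "lic\t20060207161201\tD0a1b.SMD\t15\t31\tMatch\t828931\t52",
    "lic\t20060207161201\tD0a1b.SMD\t15\t31\tFinal\t828931\t52",
    "lic\t20060207161305\tD0c2d.SMD\t16\t28\tFinal\t1828931\t60",   # longer rule number
    "lic\t20060207161410\tD0e3f.SMD\t14\t30\tFinal\t700100\t828931",  # digits in a later field
    "lic\t20060207161522\tD0g4h.SMD\t15\t29\tFinal\t828931\t52",
    "lic\t20060207161522\tD0g4h.SMD\t15\t29\tFinal\t828931\t52",    # same message logged twice
    "lic\t20060207161633\tD0i5j.SMD\t15\t27\tClean\t0\t0",
    "lic\t20060207161744\tD0k6l.SMD\t15\t27\tFinal\t8289310\t52",   # rule number with a suffix
])


def count_lines(log, pattern):
    """Count lines matching a regex, the way `grep -c pattern file` does."""
    rx = re.compile(pattern)
    return sum(1 for line in log.splitlines() if rx.search(line))


def finaled_on_rule(log, rule_id, spool_field=2):
    """Unique spool names whose Final record names exactly rule_id."""
    seen, names = set(), []
    for line in log.splitlines():
        fields = line.split("\t")
        for i in range(len(fields) - 1):
            # Compare whole fields, so 1828931 and 8289310 do not match 828931.
            if fields[i] == "Final" and fields[i + 1] == rule_id:
                if spool_field < len(fields) and fields[spool_field] not in seen:
                    seen.add(fields[spool_field])
                    names.append(fields[spool_field])
                break
    return names


if __name__ == "__main__":
    print("Final.*828931  :", count_lines(SAMPLE_LOG, r"Final.*828931"))
    print("Final\\t828931 :", count_lines(SAMPLE_LOG, r"Final\t828931"))
    print("exact, unique  :", finaled_on_rule(SAMPLE_LOG, "828931"))
```

Both regular expressions count lines rather than messages, and neither one stops at the end of the rule number, so the field comparison is the figure to trust when deciding how many held messages need review.
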
RE: Re[2]: [sniffer] Last chance to renew at the old price!

Agree wholeheartedly!

Bill

From: Dean Lawrence [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 27, 2005 2:18 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

You know, I just don't get where all of the doom and gloom comes from. Yes, it is a large percentage increase, but it's still only 2 bucks a day to run the best piece of software on my server. I'm sure that they have taken these comments into consideration and will try to give more advanced notice in the future. But, to start with the "Time to start looking for another solutions" talk is ridiculous. Reading Michael's description of what is going on over there suggests that their business is exploding, not imploding. And to keep on top of it, they need to increase their cash flow, not to buy nicer cars. I think everyone needs to look at how much Sniffer saves you every day instead of griping about how much it costs you.

Just my 2 cents.

Dean

On 12/27/05, Pete McNeil [EMAIL PROTECTED] wrote:

Part of the purpose for additional staff is to reach a goal of FP processing measured in minutes to hours, never days as it is sometimes now. We also have some automated tools on the drawing board that will help to mitigate many FP cases on a self-serve basis. These will be coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote:

DC> Hi Michael,
DC> How about false positive processing? That's our biggest headache, but it would be drastically reduced by faster processing than the 3-5 days we currently see.
DC> Darin.
DC> ----- Original Message -----
DC> From: "Michael Murdoch" [EMAIL PROTECTED]
DC> To: sniffer@SortMonster.com
DC> Cc: "Pete McNeil" [EMAIL PROTECTED]
DC> Sent: Tuesday, December 27, 2005 2:13 PM
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC> Hi Folks,
DC> Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.
DC> The new feature/benefits and more to come are as follows:
DC> * In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.
DC> * We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)
DC> * We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).
DC> * During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more...
DC> It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability.
DC> As a result of this "reliability-first" design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-)
DC> We'd hate to see any of you go, but please do compare us with other services.
DC> I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results.
DC> Please let me know if you have any questions. Thank you for your feedback and business!
DC> Sincerely
DC> Michael Murdoch
DC> The Sniffer Team
DC> ARM Research Labs, LLC
DC> Tel. 850-932-5338 x303
DC> -----Original Message-----
DC> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fox, Thomas
DC> Sent: Tuesday, December 27, 2005 1:03 PM
DC> To: sniffer@SortMonster.com
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC> I said the same thing, and the response was, basically,
DC> "We haven't raised the price in a long time, we need the money, like it or lump it."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf

RE: Re[2]: [sniffer] Last chance to renew at the old price!

Thomas, if your company cannot afford the rather small monetary increase, and you are running that close to the edge, then maybe you should not be in business. I for one am glad to hear the SNF is adding resources and has mapped out a list of future feature enhancements. Please quit your griping or take it off list.

Bill

-----Original Message-----
From: Fox, Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 27, 2005 2:40 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Your interpretation of a bit as being 50+% is disingenuous at best, and thievery at the worst.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 5:34 PM
To: Fox, Thomas
Subject: Re[2]: [sniffer] Last chance to renew at the old price!

On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch

If you don't feel that's the case, then you are free to decide if you think otherwise. Thanks and take care!

FT> EASY FOX TRANSLATION:
FT> Like it, or lump it.

Translated another way...

We could keep things as they are, stand still while spam generation technology advances rapidly, wither away, and die.

OR

We could charge a bit more, accelerate development and make sure that SNF stays out in front and even expands the gap.

I, for one, am not willing to make the first choice, and I doubt that it would be in anyone's best interests - except, perhaps, the blackhats.

_M

---
[This E-mail scanned for viruses by Declude Virus]

RE: [sniffer] Large amounts of spam still getting through

We do exactly this at our Postfix gateways, it's called greylisting. See http://isg.ee.ethz.ch/tools/postgrey/. You may want to consider setting up a gateway in front of your IMail server that supports greylisting.

Bill

-----Original Message-----
From: Mike Nice [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 12:43 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Large amounts of spam still getting through

getting much better at what they do. When a spammer uses Geocities links, hijacks real accounts on major providers to send spam through, and changes their techniques every few hours, it makes it difficult for Sniffer to proactively block them, and the delay between rulebase updates means a delay in catching things that have been tagged.

This brings to mind a technique with optional adaptive delay - enabled by the user. Each mail is assigned a 'triplicate': (To_Email, From_Email, and domain_of_sending_server). Previously unknown triplicates are held for a period of time before being examined for spam. The delay is long enough that SpamCop, Sniffer, and InvURIBL mailtraps see copies of the spam and update the blacklists.

This would be hard to do with the stock IMail, but possibly could be done by Declude with the V3 architecture and a database.

It still doesn't provide a good answer to the problem of spammers hijacking a computer and sending spam through legitimate servers.

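An added example, not code from the thread or from postgrey, of the decision logic behind the delay technique discussed above, keyed on the (To_Email, From_Email, domain_of_sending_server) triplet from the message. It assumes the gateway turns "defer" into a temporary SMTP failure so that the sending server retries; the class name, the addresses and the timing values are illustrative assumptions.

```python
class Greylist:
    """Hold off mail from unknown triplets; accept once the sender retries."""

    def __init__(self, min_delay=300, retry_window=2 * 86400, known_ttl=35 * 86400):
        # All three timings (in seconds) are illustrative assumptions.
        self.min_delay = min_delay        # how long a new triplet is held off
        self.retry_window = retry_window  # a retry later than this starts over
        self.known_ttl = known_ttl        # how long a passed triplet stays known
        self.first_seen = {}              # triplet -> time of first attempt
        self.known = {}                   # triplet -> time of last accepted mail

    @staticmethod
    def triplet(to_email, from_email, server_domain):
        # Key as described in the message: recipient, sender, sending server's domain.
        return (to_email.lower(), from_email.lower(), server_domain.lower())

    def check(self, to_email, from_email, server_domain, now):
        """Return "accept" or "defer" for one delivery attempt at time `now`."""
        key = self.triplet(to_email, from_email, server_domain)

        # A triplet that passed before is accepted at once and its entry refreshed.
        last_ok = self.known.get(key)
        if last_ok is not None and now - last_ok <= self.known_ttl:
            self.known[key] = now
            return "accept"
        self.known.pop(key, None)

        # Unknown triplet, or a retry that came too late: (re)start the clock.
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now
            return "defer"

        # Retry inside the hold period: keep deferring.
        if now - first < self.min_delay:
            return "defer"

        # Retry after the hold period: the triplet becomes known.
        del self.first_seen[key]
        self.known[key] = now
        return "accept"


def demo():
    """Replay constructed delivery attempts and return the decisions."""
    g = Greylist(min_delay=300)
    t0 = 1_000_000
    legit = ("user@example.net", "alice@example.org", "mail.example.org")
    return [
        g.check(*legit, now=t0),         # first contact
        g.check(*legit, now=t0 + 60),    # retry too soon
        g.check(*legit, now=t0 + 900),   # retry after the hold period
        g.check(*legit, now=t0 + 5000),  # later mail, same triplet
        # A sender that changes its From address on every attempt never
        # presents the same triplet twice, so it stays deferred.
        g.check("user@example.net", "x1@spam.example", "bot.example", now=t0),
        g.check("user@example.net", "x2@spam.example", "bot.example", now=t0 + 900),
    ]


if __name__ == "__main__":
    print(demo())
```

Mail relayed through a legitimate server retries like any other legitimate mail and is accepted after the hold period, which is the gap the last paragraph of the quoted message points out; the delay only buys time for blacklists and rulebases to catch up.
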
RE: [sniffer] Auto Sniffer Updates

Have you checked out ImailSnifferUpdateTools.zip? It contains detailed instructions and can be downloaded from http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

Bill

From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 12:43 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Auto Sniffer Updates

I've been doing Sniffer updates via a scheduled task. Am trying to get it working via a Program Alias in response to update notifications. The alias and .cmd file are in place, but it won't activate via the notifications, even when I send a test message to it. I get a copy of the notification (or test message), and I get an emailed report that the update ran, but my .snf file does NOT change. The update DOES work when the .cmd file is executed manually, so the .cmd file apparently is not the problem.

Is there a trick on Program Aliases that I'm missing? Imail 7.15.

G.Z.

RE: [sniffer] Auto Sniffer Updates

Strange, the script does not leave any temp files in my spool directory.

Bill

-----Original Message-----
From: George Kulman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 2:55 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Auto Sniffer Updates

There seemed to be a problem with IMail running a cmd file and since the bat file worked I didn't bother checking further.

I did two other things which might be of interest to you:

I set the Alias that receives the notification email (in my case [EMAIL PROTECTED]) as a standard alias that forwards the email to two addresses. One is my regular email address so that I actually receive a copy of the notification message and the other is [EMAIL PROTECTED] which is the Program Alias that triggers the .bat file.

I also added a line to Bill Landry's script to get rid of the tmp file that IMail leaves behind when the script uses the IMail1 program to generate the script results by email. This goes after the script line which generates the email:

del %IMailDir%\spool\*.tmp

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
Sent: Wednesday, June 15, 2005 5:31 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Auto Sniffer Updates

Well blow me down. That did the trick, least-wise it does for triggering by a test message! I'll know for sure when the next notification arrives.

Thanks!!!

G.Z.

----- Original Message -----
From: George Kulman [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, June 15, 2005 4:06 PM
Subject: RE: [sniffer] Auto Sniffer Updates

You might want to try the following which resolved this problem for me (a while ago)

1. The IMail program alias is: c:\Sniffer\snfupd.bat

2. I created a .bat file which is:

echo off
cd\
cd /d c:\sniffer
snfupd.cmd

All of my Sniffer programs and files are in the c:\sniffer folder (directory) which isn't required but happens to be the way I chose to do it.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad Morgan
Sent: Wednesday, June 15, 2005 4:54 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Auto Sniffer Updates

That is what I'm using. I tried editing the .cmd file to do away with the variables and hard-wire my parameters into it. It works either way (before or after eliminating the variables) when executed manually. It does not work via Program Alias -- my .snf file does not change when an update notification arrives.

Procedure: I send a test message to the update address. I get back a copy of the test message, and a S n i f f e r update notice indicating that an update occurred . . but, in fact, an update does NOT occur, the .snf file is still date/time stamped the same (I'm not using the -N option on WGET at this point, so a download should always occur).

My guess would be either a permissions problem or a path problem. Verify that the account that runs the program alias has permissions to all of the data locations and verify that you are not relying on the PATH environment variable which may be different in each context.

Regards,

Brad Morgan
IT Manager
Horizon Interactive Inc.

RE: [sniffer] Auto Sniffer Updates

Did you happen to comment out or not change either of the following variables in your script to point to the correct drive\directory paths?:

SET SnifferDrive=c:
SET SnifferDir=c:\imail\declude\sniffer

Which causes the calls to these variables later in the script's execution to fail:

%SnifferDrive%
cd %SnifferDir%

If IMail cannot change to the proper script drive\directory location, then that would cause the script's failure to run, and would account for why you would need to execute a second batch file to get to the correct script file location.

Bill

-----Original Message-----
From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 2:31 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Auto Sniffer Updates

Well blow me down. That did the trick, least-wise it does for triggering by a test message! I'll know for sure when the next notification arrives.

Thanks!!!

G.Z.

----- Original Message -----
From: George Kulman [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, June 15, 2005 4:06 PM
Subject: RE: [sniffer] Auto Sniffer Updates

You might want to try the following which resolved this problem for me (a while ago)

1. The IMail program alias is: c:\Sniffer\snfupd.bat

2. I created a .bat file which is:

echo off
cd\
cd /d c:\sniffer
snfupd.cmd

All of my Sniffer programs and files are in the c:\sniffer folder (directory) which isn't required but happens to be the way I chose to do it.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad Morgan
Sent: Wednesday, June 15, 2005 4:54 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Auto Sniffer Updates

That is what I'm using. I tried editing the .cmd file to do away with the variables and hard-wire my parameters into it. It works either way (before or after eliminating the variables) when executed manually. It does not work via Program Alias -- my .snf file does not change when an update notification arrives.

Procedure: I send a test message to the update address. I get back a copy of the test message, and a S n i f f e r update notice indicating that an update occurred . . but, in fact, an update does NOT occur, the .snf file is still date/time stamped the same (I'm not using the -N option on WGET at this point, so a download should always occur).

My guess would be either a permissions problem or a path problem. Verify that the account that runs the program alias has permissions to all of the data locations and verify that you are not relying on the PATH environment variable which may be different in each context.

Regards,

Brad Morgan
IT Manager
Horizon Interactive Inc.

RE: [sniffer] Spam Storm Alert...

My only suggestion for QM is to disable DNS Cache and Failed Domain Skipping, both of these caused problems for me in the early 8.xx versions, so I have just left them off. As far as the thread settings, that really depends on how many messages you process per day. You may find some guidance in the IMail archive and/or the IMail knowledge base.

Bill

-----Original Message-----
From: Glenn Ratliff [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any recommendations for Imail queue manager settings? We are running Sniffer with declude 1.82 under Imail 8.15 and the server seems to bog down sometimes.

Thanks,
Glenn

RE: [sniffer] Spam Storm Alert...

Hmmm, a day and a half later this shows up on the list...???

Bill

-----Original Message-----
From: Landry William
Sent: Saturday, January 29, 2005 6:51 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...

My only suggestion for QM is to disable DNS Cache and Failed Domain Skipping, both of these caused problems for me in the early 8.xx versions, so I have just left them off. As far as the thread settings, that really depends on how many messages you process per day. You may find some guidance in the IMail archive and/or the IMail knowledge base.

Bill

-----Original Message-----
From: Glenn Ratliff [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any recommendations for Imail queue manager settings? We are running Sniffer with declude 1.82 under Imail 8.15 and the server seems to bog down sometimes.

Thanks,
Glenn

RE: [sniffer] Spam Storm Alert...

Well, after a second look (reviewing the headers), it looks like the message got hung-up in the convoluted mess of internal mail gateways that Siemens maintains (which I have no control over). Sorry for the noise...!

Bill

-----Original Message-----
From: Landry William
Sent: Monday, January 31, 2005 9:19 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...

Hmmm, a day and a half later this shows up on the list...???

Bill

-----Original Message-----
From: Landry William
Sent: Saturday, January 29, 2005 6:51 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...

My only suggestion for QM is to disable DNS Cache and Failed Domain Skipping, both of these caused problems for me in the early 8.xx versions, so I have just left them off. As far as the thread settings, that really depends on how many messages you process per day. You may find some guidance in the IMail archive and/or the IMail knowledge base.

Bill

-----Original Message-----
From: Glenn Ratliff [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any recommendations for Imail queue manager settings? We are running Sniffer with declude 1.82 under Imail 8.15 and the server seems to bog down sometimes.

Thanks,
Glenn

RE: [sniffer] Weak rule removal work...

Thanks Pete, these are the kind of proactive notifications I wish some of our other vendors followed.

Bill

-----Original Message-----
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 04, 2005 1:35 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Weak rule removal work...

Hello Sniffer Folks,

I have been doing some work in the database today to make the rule strength analysis and weak rule removal process more efficient.

Along the way I discovered an appreciable number of rules that had somehow been left with high strength numbers even though their recent activity values were zero. I have corrected this code.

I expect that this will reduce the size of the rulebase files, though I am not yet certain how big the change will be. I am hopeful that the change will be large enough to yield a performance increase.

There should be only positive impacts from the changes that I have made, but just in case I will be watching things very closely. Please let me know right away if you sense any drastic changes other than, perhaps, the size of the rulebase files.

I've made arrangements to put everything back the way it was if need be ;-)

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)

RE: Re[2]: [sniffer] RuleBase ktk82hrr
Yep, just checked my rulebase too, went from 17mb to just under 25mb. Things still appear to be functioning okay.

Bill

-----Original Message-----
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 04, 2005 9:49 PM
To: Computer House Support
Subject: Re[2]: [sniffer] RuleBase ktk82hrr

On Wednesday, January 5, 2005, 12:41:34 AM, Computer wrote:

CHS> Correction, make that 23 meg!

Thanks for the heads up --- something is wrong, I'll figure it out. You compiled with 231000 rules!

_M
RE: [sniffer] Hello - New to sniffer
Bennie,

I will send you my updated scripts and a couple of necessary open-source utilities off-list (hopefully you can receive zipped executable files - let me know if you don't receive my off-list message). Also, as Pete mentioned, we have had some discussion on the list the past couple of days about the best approach to managing scripts, so I would appreciate feedback on your experience with implementing these scripts.

Bill

-----Original Message-----
From: Bennie [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 30, 2004 3:17 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Hello - New to sniffer

Hello,

I am new to sniffer and was just wondering. Are there any utilities that do automatic uploads of the log files? Does everyone upload their log files to sortmonster? Is there a way to automatically download the new rule base?

Bennie Culpepper
PepperLink
RE: [sniffer] Triggered rulebase update instructions
There are many ways to skin this cat. For Declude JunkMail Pro users, you could also set up a COPYTO action to notify the program alias. However, the dual alias setup appeared to be the simplest way for the novice mail admin to get this working. More experienced admins will have the ability to tweak the scripts and set up their configurations to meet their own specific needs.

Again, I am attempting to make the process as simple as possible so that anyone using IMail/Declude/Sniffer can set up triggered updates. More experienced users are always going to do things their own way.

Bill

-----Original Message-----
From: Woody G Fussell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 29, 2004 7:57 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions

Bill

This would apply to Imail users. I suggest that rather than creating two aliases that you use only a program alias. Trigger it using an inbound Imail subject rule to send a copy to the alias. Everyone has a unique subject line based on your rule base ID therefore you can create a unique rule to trigger the updates. The uniqueness of the subject may reduce the frequency of spam triggering an update.

Example subject rule
S~abcde123.snf Update:[EMAIL PROTECTED]

This eliminates having to contact sortmonster to change the address where your updates are delivered (also allows flexibility to change your program alias name as necessary without involving sortmonster). You will also continue to receive the notifications wherever you were getting them before.

Woody Fussell
Wilbur Smith Associates

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William
Sent: Tuesday, December 28, 2004 9:08 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions

Attached is an updated instructions file to fix some typos and missed information. I'll send out another update after receiving feedback from others.

Bill
RE: [sniffer] Triggered rulebase update instructions
Documenting and troubleshooting rule creation/configuration I think would only add to the complexity. Also, many admins do not host their corporate domains on IMail. For example, SortMonster was sending my update notifications to my corporate Exchange server, so I had to request a change anyway.

Pete, what are your thoughts on this? Would you rather not get a load of requests to change notification e-mail addresses?

Bill

-----Original Message-----
From: Woody G Fussell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 29, 2004 12:20 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions

I agree on the simplicity, just thought it would be a bonus not to involve sortmonster with the address changes.

Woody

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William
Sent: Wednesday, December 29, 2004 2:37 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions

There are many ways to skin this cat. For Declude JunkMail Pro users, you could also set up a COPYTO action to notify the program alias. However, the dual alias setup appeared to be the simplest way for the novice mail admin to get this working. More experienced admins will have the ability to tweak the scripts and set up their configurations to meet their own specific needs.

Again, I am attempting to make the process as simple as possible so that anyone using IMail/Declude/Sniffer can set up triggered updates. More experienced users are always going to do things their own way.

Bill

-----Original Message-----
From: Woody G Fussell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 29, 2004 7:57 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions

Bill

This would apply to Imail users. I suggest that rather than creating two aliases that you use only a program alias. Trigger it using an inbound Imail subject rule to send a copy to the alias. Everyone has a unique subject line based on your rule base ID therefore you can create a unique rule to trigger the updates. The uniqueness of the subject may reduce the frequency of spam triggering an update.

Example subject rule
S~abcde123.snf Update:[EMAIL PROTECTED]

This eliminates having to contact sortmonster to change the address where your updates are delivered (also allows flexibility to change your program alias name as necessary without involving sortmonster). You will also continue to receive the notifications wherever you were getting them before.

Woody Fussell
Wilbur Smith Associates

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William
Sent: Tuesday, December 28, 2004 9:08 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions

Attached is an updated instructions file to fix some typos and missed information. I'll send out another update after receiving feedback from others.

Bill
RE: [sniffer] Triggered rulebase update instructions
Attached is an updated instructions file to fix some typos and missed information. I'll send out another update after receiving feedback from others.

Bill

== Sniffer triggered rulebase update instructions ==
By [EMAIL PROTECTED]

These are instructions on how to set up triggered downloads of new rulebase files from the Sniffer rulebase update e-mail notifications. Included with this distribution are the open-source wget and gzip files. They are needed to support the download and uncompression of rulebase files.

Step one:
=========
Copy all files from this distribution into your sniffer directory.

Step two:
=========
Edit the snfupd.cmd file (this is the rulebase download script).

1. Open the snfupd.cmd file in your sniffer directory with a text editor like Notepad.
2. Edit all entries labeled EDIT NEXT LINE with your specific configuration information.
3. Save your changes.

Step three:
===========
Create an IMail Program Alias account

1. Open the IMail Administrator
2. Select the domain to create the program alias account under
3. Click on Aliases under the chosen domain
4. Click on the Add Alias... button
5. Type in the Alias ID for this account (something like: snifferupdate), then click Next
6. Select Program as the alias type and click Next
7. Click Browse... and browse to the location of your sniffer directory and select snfupd.cmd, then click Next
8. Click Finish and you're done setting up your Sniffer Program Alias account

Step four (optional):
=====================
Create a Standard Alias account (only necessary if you want to receive a copy of the Sniffer update notifications).

1. Open the IMail Administrator
2. Select the domain to create the standard alias account under
3. Click on Aliases under the chosen domain
4. Click on the Add Alias... button
5. Type in the Alias ID for this account (something like: snfupd), then click Next
6. Select Standard as the alias type and click Next
7. Add the e-mail address that you would like the Sniffer update messages to be forwarded to. Also add the program alias address you created in Step Three above. This will send a copy of the update notification to all listed accounts, including the program alias, which will trigger the new rulebase download.
8. Click Finish and you're done setting up your Sniffer Standard Alias account

Step five:
==========
Test the new program alias account.

1. If you set up a standard alias, as defined in Step four above, send a test message to your standard alias e-mail address. This should trigger a copy of the test message to your e-mail forwarding address and set off the rulebase download.
2. Check to see that you received a copy of the test message to your forwarding address.
3. Check to see that a rulebase download was triggered (check the timestamp of your rulebase file - you can also view the snfupd.txt file to see the complete status of the update). Also, if you opted to receive the update results via e-mail (via the snfupd.cmd download script), check to see that you received the results e-mail.
4. If you skipped Step four above, send a test message to your program alias address and check to see if it triggered a rulebase download.

Step six:
=========
Advise SortMonster of the new e-mail address to send update notifications to.

1. If you created a standard alias account as defined in Step four, send an e-mail to Sniffer Support ([EMAIL PROTECTED]) and ask them to send your rulebase update notifications to your standard alias e-mail address.
2. If you skipped Step four above, ask Sniffer Support to send your rulebase update notifications to your program alias address.
3. Monitor to make sure your rulebase update e-mails are successfully triggering your rulebase downloads.

That's it...
RE: [sniffer] Triggered rulebase update instructions
Thanks for all of the suggestions, Matt. See my comments below:

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 28, 2004 10:17 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Triggered rulebase update instructions

Bill,

I think that this is overwhelmingly much better (the whole thing), but I have a few suggestions to add.

1) The commenting in the CMD file seemed a bit excessive and that made it a little hard to follow. It might be nice to arrange all of the tweakable variables in a single section instead of separating each one out, and then block coding the main program with a standard amount of commenting. I think that would make the script more readable for both programmers as well as beginners.

I agree, it might make sense to move most of the instructional comments out of the script to a separate file that someone could review if they needed additional help.

2) I personally find it to be a bit messy to have everything running from within my Sniffer directory. After all of the other CMD files, old rulebases, service related files, logs, etc., it's not obvious what is needed or not. I would suggest coding this up with a default directory structure of using a subdirectory called "updates". This would require a separation of variables for the updates directory and the destination directory I believe.

What do others think about this? My goal was to keep things as simple as possible for the end user of the script. However, if people think that a separate "updates" directory makes more sense, then I can make this change.

3) I think it would be a good idea to consider a different default directory structure. With Sniffer evolving to support other platforms, IMail effectively abandoning us, and Declude moving to SmarterMail and possibly others, I could very well see Sniffer establishing a non-dependent directory structure. I would suggest that the default recommendation become "C:\Sniffer", which might also necessitate a change in some of Pete's other documentation. Keep in mind that it is confusion and convolution that contributes to the lack of efficient rulebase downloads and not the lack of resources or help. IMO, things would benefit from standardization of this sort, and it should all be done with purpose.

Yes, but this script was focused only on IMail users. Does it make more sense to create different scripts for different platforms, or a single script with a platform specification variable?

4) Since this setup is targeted specifically at IMail, I would recommend that different packages be provided for different platforms, and these should probably be in separate zips so that one doesn't get all sorts of extra stuff. This could be "Rulebase_Updater_IMail.zip", but there should also be a Linux, MDaemon and SmarterMail updater added to the list.

I agree, but then why section 3 above?

5) I'm thinking that including the notification process within this script might be too much. The primary goal is to get people to use the automated system and compressed files, and this adds complexity to the setup. My thought here would be to create a "chaining" option that could be used to kick off any script, not necessarily IMail1.exe. You could then include this separate notification script in the package and have it configured from within that file, leaving only the optional chaining command within the primary script and stripping out the rest of the stuff. I do know that from interface design there is a basic tenet where you don't want to overwhelm the viewer/visitor, otherwise they retain even less than they would with a smaller group of things. Programming is often at odds with this tenet, which is fine for programmers because the functionality necessitates complication, but the issue being addressed here is really ease of use for the lowest common denominator, and the primary goal is just the downloads. You should consider that this whole thing will be used by people with very little administration experience, no programming experience, and in some cases, English will be a second language to them (or only translated by a tool of some sort).

Again, this script is focused only on IMail users. If we follow your suggestion in section 4 above, then why move the e-mail report out of the basic script?

Most of this stuff is somewhat minor taken in isolation from each other, but I believe that it could be a bit tighter in one way or another for a better result. I'll volunteer my own services if you would like for me to provide examples of any one of these things, but I'll wait for your direction before doing so. I think the most important thing would be
RE: [sniffer] Triggered rulebase update instructions
John, since you have not implemented a trigger program alias yet, would you be willing to test the setup instructions and provide feedback?

Bill

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 28, 2004 10:30 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions

Matt, you think too much. ;)

(From one who needs to implement better scripts, including a triggered script for Sniffer.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, December 28, 2004 10:17 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Triggered rulebase update instructions

Bill,

I think that this is overwhelmingly much better (the whole thing), but I have a few suggestions to add.

1) The commenting in the CMD file seemed a bit excessive and that made it a little hard to follow. It might be nice to arrange all of the tweakable variables in a single section instead of separating each one out, and then block coding the main program with a standard amount of commenting. I think that would make the script more readable for both programmers as well as beginners.

2) I personally find it to be a bit messy to have everything running from within my Sniffer directory. After all of the other CMD files, old rulebases, service related files, logs, etc., it's not obvious what is needed or not. I would suggest coding this up with a default directory structure of using a subdirectory called "updates". This would require a separation of variables for the updates directory and the destination directory I believe.

3) I think it would be a good idea to consider a different default directory structure. With Sniffer evolving to support other platforms, IMail effectively abandoning us, and Declude moving to SmarterMail and possibly others, I could very well see Sniffer establishing a non-dependent directory structure. I would suggest that the default recommendation become "C:\Sniffer", which might also necessitate a change in some of Pete's other documentation. Keep in mind that it is confusion and convolution that contributes to the lack of efficient rulebase downloads and not the lack of resources or help. IMO, things would benefit from standardization of this sort, and it should all be done with purpose.

4) Since this setup is targeted specifically at IMail, I would recommend that different packages be provided for different platforms, and these should probably be in separate zips so that one doesn't get all sorts of extra stuff. This could be "Rulebase_Updater_IMail.zip", but there should also be a Linux, MDaemon and SmarterMail updater added to the list.

5) I'm thinking that including the notification process within this script might be too much. The primary goal is to get people to use the automated system and compressed files, and this adds complexity to the setup. My thought here would be to create a "chaining" option that could be used to kick off any script, not necessarily IMail1.exe. You could then include this separate notification script in the package and have it configured from within that file, leaving only the optional chaining command within the primary script and stripping out the rest of the stuff. I do know that from interface design there is a basic tenet where you don't want to overwhelm the viewer/visitor, otherwise they retain even less than they would with a smaller group of things. Programming is often at odds with this tenet, which is fine for programmers because the functionality necessitates complication, but the issue being addressed here is really ease of use for the lowest common denominator, and the primary goal is just the downloads. You should consider that this whole thing will be used by people with very little administration experience, no programming experience, and in some cases, English will be a second language to them (or only translated by a tool of some sort).

Most of this stuff is somewhat minor taken in isolation from each other, but I believe that it could be a bit tighter in one way or another for a better result. I'll volunteer my own services if you would like for me to provide examples of any one of these things, but I'll wait for your direction before doing so. I think the most important thing would be for Pete to provide some guidance for the preferred directory structure (independent of the app), so that this could be used for the default settings in this and other scripts.

Matt

Landry William wrote:

Attached is an updated instructions file to fix some typos and missed information. I'll send out another update after receiving feedback
RE: Re[2]: [sniffer] Sniffer Updates
See http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html for some sample scripts.

Bill

-----Original Message-----
From: Jim Matuska [mailto:[EMAIL PROTECTED]
Sent: Monday, December 27, 2004 10:51 AM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Sniffer Updates

Does anyone have any good instructions on how to modify your update scripts to use gzip?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: Tom Baker | Netsmith Inc
To: sniffer@SortMonster.com
Sent: Monday, December 27, 2004 10:43 AM
Subject: Re: Re[2]: [sniffer] Sniffer Updates

Automate harassment reminders to those of us not using it. :)
I think I'll go enable gzip tonight

-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: Landry William sniffer@SortMonster.com
Sent: Mon Dec 27 12:36:06 2004
Subject: Re[2]: [sniffer] Sniffer Updates

On Monday, December 27, 2004, 12:46:19 PM, Landry wrote:

LW> Are folks taking advantage of the "wget" compression option before downloading their rulebase updates? If the slow download speeds are a bandwidth saturation issue on the Sniffer end, this would certainly cut down on the bandwidth requirements on their end and increase the download times for everyone.

LW> Also, I've got to ask, if the downloads are happening "behind the scenes", by an automated or triggered download, why the concern about speeds, as long as your downloads are successful?

From what I've seen in the logs, only about 5% of folks are taking advantage of gzip right now.

Also, I did some incantations on the log (grep, awk, uniq etc) and came up with just under half of our customers downloading their rulebase between 1200 and 1300 today. That's between 2 and 3 times as many as should have done it ;-) -- so the backlog is explainable.

This kind of thing happens for lots of reasons and there are a lot of ways to mitigate the problem.

A big one on the list - certainly - is using the gzip capability. With only 5% of folks using this and average compression ratios well above 50% there is plenty of room to "make a big dent" in this.

_M
RE: [sniffer] Conditional Sniffer Updates
Curl is an awesome application that we also use for automating downloads. Wget also supports conditional downloads based on time/date stamp when using the -N switch. In either case, please also use the compression support built into each application, the sniffer rulebase files can be compressed down to about 25% of their normal size before the download by using these switches.

Here is an example of how to use wget to check for rulebase updates and if a new file exists, request file compression before the file is downloaded:

wget -N http://www.sortmonster.net/Sniffer/Updates/LicenseID.snf -O LicenseID.new.gz --header=Accept-Encoding:gzip --http-user=sniffer --http-passwd=ki11sp8m

Bill

-----Original Message-----
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Monday, December 27, 2004 11:20 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Conditional Sniffer Updates

Hi,

The one thing I have not seen mentioned is the ability to do CONDITIONAL downloads - which is crucial for timed downloads when most of the time there may not even BE a more current .SNF file.

Just like your browser, the HTTP Request for your latest .SNF file should ALWAYS provide the date/time stamp of your CURRENTLY active .SNF file. This way, the server will compare both dates and a download will occur ONLY, if there is a LATER .SNF file on the server. (This is how your web browser controls, whether it needs to download new pages/images from sites you visited before.)

Here is how CURL is used to do conditional downloads:

curl http://www.sortmonster.net/Sniffer/Updates/[mylicensecode].snf -o [mylicensecode].snf.new -s -S -R -z [mylicensecode].snf -u [mywebuserid]:[mywebpassword]

The -o option defines the output file.
The -R option makes sure that the output file will inherit the timestamp from the Sniffer Server (if one is downloaded at all).
The -z option sends the timestamp of the CURRENT SNF file to the server (in the GET request!)

Since my local .SNF file has the same timestamp as the SERVER, and since every new GET request will allow the server to recognize if/that there may be no LATER .SNF file, I am only downloading when a new file is actually present!

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, December 27, 2004 12:50 PM
To: Russ Uhte
Subject: Re[2]: [sniffer] Sniffer Updates

On Monday, December 27, 2004, 11:45:59 AM, Russ wrote:

RU> Kevin Stanford wrote:
RU> > Our updates seem to be taking a very long time. I am 85% updated and the ETA shows 07:00. Is it me?

RU> I see stuff like this come and go... Our updates are (finally) triggered from the email notifications... Below is a snippet of the last update that shows exactly what speeds we saw, which ran at 10:45 EST this morning... Every once in a while, I will see it slow down to about 8KB/s, but rarely slower than that...

There are going to be random events like this for a while - as long as some folks still download based on a schedule rather than responding to update notifications. What happens is that sometimes a group of systems will agree to all download their rulebase files at the same time - when that happens our bandwidth gets saturated and things go slowly. (We are working on this in a number of ways.)

Most of the time there is plenty of bandwidth, and if everyone always downloaded only when there was an update notification then there would always be plenty (our system paces updates to make sure this is the case as much as possible).

We are in a transitional period where existing connectivity contracts prevent us from moving without incurring a significant cost (a cost we would rather not pass on to our customers). Over the next 6-9 months we will make the transition to a new rulebase format and distribution method and we will also be migrating to new hosting facilities (already running in case we encounter a serious DL problem).

Since rulebase downloads should always be automated in some way, the occasional slow download should not be a problem. We will continue to monitor the situation closely - and we appreciate the reports we get.

The things that you can do to help are:

1. If you haven't already, please upgrade your scripting so that your automated downloads are triggered from our update notifications.

2. If you are not going to use update notifications please be sure to use the staggered schedule we've posted here: http://www.sortmonster.com/MessageSniffer/Help/LogsHelp.html#When

3. AVOID using accelerated download software! This is the kind of software that downloads large files by opening multiple connections to the same server. Almost all of the slowdowns we experience have been associated with someone downloading a rulebase with this
RE: [sniffer] Change in coding policies
-Original Message-
From: Chris Ulrich [mailto:[EMAIL PROTECTED]]

OK, being a new (and very happy) customer ... For example, we will be introducing rules that watch for bounces that contain large numbers of failed addresses - indicating a probable dictionary attack / joe-job ... What is a joe-job? Spam from Billy Bob?

http://catb.org/~esr/jargon/html/J/joe-job.html

Send coffee...
[sniffer] Sniffer rulebase download server down?
Pete,

I am no longer able to download my rulebase files on either of our Sniffer servers. When I execute my download script, I immediately get:

gzip: LicenseID.new.gz: unexpected end of file

Is the rulebase download server down? Thanks for looking into this...

Bill
RE: [sniffer] How are folks doing with the latest version?
So far so good...

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] How are folks doing with the latest version?

Hello Sniffer Folks,

I am curious to know how many folks have been using Version 2-3.1i2. I have not heard any problem reports, so I'm assuming it's going well with you as it is on our systems... or, perhaps, nobody has tried it yet??

I would like to move this interim to the official version. If I can get a show of hands on how many folks are using the new version successfully then I would really appreciate it.

Thanks!
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool
Oh, and yes, net start shows the Sniffer service running and I have a LicenseID.persistent.stat fine on both of my IMail/Declude/Sniffer servers and it is periodically updated (cat or type the file and you will see that the data it contains updates every second, I believe).

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 11:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool

I suspect you typed your application startup parameters into the services control panel window? That's one way to do it - although the SrvAny documentation seemed to imply that these startup parameters (if typed into the Control Panel window) would only apply to manual starts, not automatic starts. Of course, mine is Windows 2000 Server Resource Kit - yours may be different.

And, I assume you have checked your sniffer folder to confirm a presence of the persistent.stat file with the very current time-stamp?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William
Sent: Monday, November 01, 2004 02:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool

Hmmm, that's strange, since I use SrvAny, as well. And it has worked with all Sniffer updates since the first persistent version was released. Also, my Parameters registry entry does not look anything like yours:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]
Application:REG_SZ:m:\imail\declude\tpa\sniffer\LicenseID.exe AuthCode persistent

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool

Hi,

I had set up the previous version of Sniffer in persistent mode using the Win2k Server Resource Kit tool SrvAny (I don't like to install forth party utilities on my production machines, if Microsoft tools are readily available).

In the NEW Sniffer version I noticed that my log files were not rotating. Upon further investigation it became clear that Sniffer was no longer running in persistent mode since the upgrade (thus ignoring the rotate command). The clue was a missing *.persistent.stat file.

After some experimenting I determined that the problem was that (at least on MY machine) Sniffer now requires the explicit specification of an application working directory. Here is my updated SrvAny configuration:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]
Application=D:\\IMAIL\\Sniffer\\Win32\\MyLicenseKey.exe
AppParameters=MyAuthorizationCode persistent
AppDirectory=D:\\IMAIL\\Sniffer\\Win32

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Sunday, October 31, 2004 09:19 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] LogRotate no longer working?

Hi,

After 10/28 the log files have not been rotating. I even logged into the server and executed the send-rotate - but the current log file just continues to grow:

10/24/2004 11:00p 1,324,321 x.log.20041025040052
10/25/2004 05:44a 1,303,683 x.log.20041025104510
10/25/2004 01:37p 1,711,062 x.log.20041025183751
10/25/2004 08:25p 1,403,988 x.log.20041026012528
10/26/2004 03:19a 1,100,582 x.log.20041026082022
10/26/2004 11:17a 2,158,910 x.log.20041026161756
10/26/2004 07:11p 1,999,926 x.log.20041027001129
10/27/2004 01:53a 1,619,614 x.log.20041027065310
10/27/2004 09:52a 1,689,744 x.log.20041027145244
10/27/2004 04:41p 1,591,043 x.log.20041027214159
10/28/2004 01:11a 1,598,140 x.log.20041028061150
10/28/2004 07:22a 1,137,471 x.log.20041028122216
10/28/2004 02:27p 1,518,661 x.log.20041028192727
10/31/2004 09:09p 16,790,875 x.log

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [sniffer] Your Sniffer Setup
See http://support.microsoft.com/default.aspx?scid=kb;en-us;137890 for simplified instructions.

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 6:26 AM
To: 'Keith Johnson'
Subject: RE: [sniffer] Your Sniffer Setup

Hi Keith,

It's pretty straightforward:

A) Download the Windows 2000 Server Resource Kit utilities.

B) Locate the path to srvany.exe.

C) Run:
instsrv Sniffer c:\path-to-resource-kit\srvany.exe
"Sniffer" is just the name that will appear in the services applet later.

D) Start RegEdit and add the following entries to the new Sniffer service you just created:
Add a new Parameters subkey in the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer
Add new subkeys to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters
as follows:
Application: REG_SZ: C:\Your.Path.to.your\sniffer-license-code.exe
AppParameters: REG_SZ: sniffer-license-code.exe your-authorization-code
AppDirectory: REG_SZ: C:\Your.Path.to.sniffer\

E) Start the Service Control Panel application, and START the service. Soon, you should see a *.Persistant.stat file in your sniffer folder. Once that appears, you are running in persistent mode.

F) Change the Service from manual start to automatic start.

Other list-members seem to have different ways to use SRVANY.exe - I followed the instructions from the Resource Kit Tool Help that I was able to find.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 08:54 AM
To: Andy Schmidt
Subject: Your Sniffer Setup

Andy,

I saw your posting on the Sniffer forum and wanted to contact you regarding your Sniffer Persistent setup. We push over 200K emails on 3 servers (Win2K SP4) and are still running Sniffer in the general sense. I noticed you were using SrvAny and the like, do you have any documentation you don't mind sharing on your steps to get sniffer in a persistent mode? Thanks for the aid and time.

---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058
RE: [sniffer] Your Sniffer Setup
Andy, these simplified instructions work just fine with Sniffer, as I can certainly attest.

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Your Sniffer Setup

Hi Landry:

These simplified instructions only apply if the application needs no parameters, as it only covers the application key:

Value Name: Application
Data Type : REG_SZ
String : path\application.ext

If there was a SnifferPersistent.exe that needed no further options, these simplified instructions would work.

For Sniffer however, you (supposedly) do need to pass along the authorization code and the persistent option, which are defined in the AppParameters value in the registry. That's how the previous version worked for me.

Immediately upon upgrading to the latest version, Sniffer would no longer find its directory when executed as a service, so I had to add the AppDirectory key to set the working directory.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William
Sent: Monday, November 01, 2004 11:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [sniffer] Your Sniffer Setup

See http://support.microsoft.com/default.aspx?scid=kb;en-us;137890 for simplified instructions.

Bill
RE: [sniffer] Rulebase download script
Sure, executing the script via the e-mail notification would work fine. However, in that case you will not really need to test that the rulebase file has changed, so you could remove the -N switch from the wget line.

Bill

-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 30, 2004 5:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Rulebase download script

You will need to rename the script file from .txt to .cmd in order to use (used .txt in order to bypass filter rules and virus scanners). You can then schedule the script to run via Scheduled Tasks

Bill,

Can it also be run from the Imail command via email notifications?

Sheldon
RE: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?
Here is what I've been using for several months now, compiled from the original Sniffer autosnf.cmd file and suggestions found on this list:

=
rem First, get the updated rules file from the web site.
wget -N http://www.sortmonster.net/Sniffer/Updates/rulebase.snf -O rulebase.new.gz --header=Accept-Encoding:gzip --http-user=sniffer --http-passwd=ki11sp8m -o snfupd.txt

rem Uncompress the rulebase file.
gzip -d -f rulebase.new.gz

rem If that worked, then there will be a sniffer.new file.
if exist rulebase.new goto Replace

rem If the above test fails, then we skip to the end of the file
rem and take no further action. Everything stays as it is.
goto Done

rem If the test didn't fail we'll replace our file.
:Replace

rem The check utility gets the ID from the name but it ignores the
rem extension so we'll rename it for the test.
rename rulebase.new rulebase.tst

rem Now we need to test the file and check our error level. If the
rem check fails we'll skip to the end
snf2check.exe rulebase.tst license-id
if errorlevel 1 goto Done
echo New File Tested GOOD!

rem If we didn't fail then we can go ahead and make the switch.
if exist rulebase.old del rulebase.old
rename rulebase.snf rulebase.old
rename rulebase.tst rulebase.snf

rem Handle any additional successful system updates here (before Done).

:Done
rem If things went well we're all ok.
rem If something went wrong then we'll do a bit of cleanup.
if exist rulebase.tst del rulebase.tst
=

Copy everything between the equal signs and paste it into your autosnf.cmd file. Rename rulebase everywhere in the script with your Sniffer rulebase name and rename license-id to your actual Sniffer License ID. Then you can set it to check hourly via Task Scheduler and it will only download if the file has changed, and if it has, it will send a request to the Sniffer server to compress the file before downloading.

Also, watch for word-wrapping, the wget line should be one long line. The snfupd.txt file will allow you to check the status of each download attempt, as it is created (overwriting the existing file) with each download attempt.

Bill

-Original Message-
From: Darrell ([EMAIL PROTECTED]) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 6:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?

Does anyone have a little dissertation on how they have this setup.

Darrell
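The decompress, test and swap steps of the update script above, as an added Python example (not the list members' script and not part of Message Sniffer): it rejects a truncated or empty download, the case behind the "gzip: ... unexpected end of file" report elsewhere on this page, and leaves the live rulebase untouched on any failure. The validate callback is a hypothetical stand-in for the snf2check.exe test, and the file names and sample bytes are constructed.

```python
"""Added example: safe install step for a downloaded, gzip-compressed rulebase."""
import gzip
import os
import shutil
import tempfile
import zlib


class RulebaseUpdateError(Exception):
    """The download was rejected; the live rulebase was left untouched."""


def install_rulebase(download_gz, live_path, validate):
    """Decompress download_gz, validate it, then swap it in for live_path.

    validate is a callable that takes the candidate path and returns True when
    the file is acceptable (hypothetical stand-in for the snf2check.exe test).
    Returns the path of the backup copy, or None if there was no previous file.
    """
    candidate = live_path + ".tst"
    try:
        # Step 1: decompress into a scratch file next to the live rulebase.
        # A truncated stream raises EOFError, a non-gzip body raises OSError.
        try:
            with gzip.open(download_gz, "rb") as src, open(candidate, "wb") as dst:
                shutil.copyfileobj(src, dst)
        except (OSError, EOFError, zlib.error) as exc:
            raise RulebaseUpdateError(f"bad download: {exc}") from exc

        # A zero-byte download decompresses to nothing without any error,
        # so it has to be caught explicitly.
        if os.path.getsize(candidate) == 0:
            raise RulebaseUpdateError("bad download: empty file")

        # Step 2: run the integrity test before touching the live file.
        if not validate(candidate):
            raise RulebaseUpdateError("candidate failed validation")

        # Step 3: keep a copy of the previous rulebase, then replace the live
        # file in a single rename so a scanner never finds it missing.
        backup = None
        if os.path.exists(live_path):
            backup = live_path + ".old"
            shutil.copy2(live_path, backup)
        os.replace(candidate, live_path)
        return backup
    finally:
        # Cleanup on every failure path; after a successful swap the scratch
        # file no longer exists under this name.
        if os.path.exists(candidate):
            os.remove(candidate)


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "rulebase.snf")
    with open(live, "wb") as fh:
        fh.write(b"CONSTRUCTED-OLD-RULES")

    # Constructed downloads: one complete, one cut off halfway.
    good = os.path.join(workdir, "rulebase.new.gz")
    with gzip.open(good, "wb") as fh:
        fh.write(b"CONSTRUCTED-NEW-RULES" * 100)
    with open(good, "rb") as fh:
        raw = fh.read()
    truncated = os.path.join(workdir, "truncated.new.gz")
    with open(truncated, "wb") as fh:
        fh.write(raw[: len(raw) // 2])

    def looks_like_rules(path):
        # Constructed check for the demo only, not the real .snf format.
        with open(path, "rb") as fh:
            return fh.read(11) == b"CONSTRUCTED"

    for download in (truncated, good):
        try:
            backup = install_rulebase(download, live, looks_like_rules)
            print(os.path.basename(download), "installed, backup at", backup)
        except RulebaseUpdateError as err:
            print(os.path.basename(download), "rejected:", err)
    shutil.rmtree(workdir)
```
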
RE: Re[5]: [sniffer] Version 2-3.1 Official Release
It should be included in the zip/gzip file you downloaded.

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:28 PM
To: Pete McNeil
Subject: Re[5]: [sniffer] Version 2-3.1 Official Release

Hi,

I have no .cfg in the sniffer directory. Would it be located anywhere else? I'm really behind here...can you get me up to speed as to what the .cfg file does and what changes I would want to make to it if I decide to use it?

Thanks,
Andrew Baldwin
[EMAIL PROTECTED]
http://www.thumpernet.com
315-282-0020

Thursday, October 28, 2004, 5:38:20 PM, you wrote:

On Thursday, October 28, 2004, 5:20:43 PM, Scott wrote:
SF Does the cfg file need to be renamed with your license id also?

Yes, sorry I missed that step. The program identifies all of its important files by the license ID, so yes, the .cfg file must also be named for the license ID as in [licensid.cfg].

Thanks for the catch!
_M
RE: [sniffer] New test version 2-3.0i7
This is from Pete's message of 10/14/2004, announcing Version 2-3.0i5 to the Sniffer list: MDaemon users should see a significant improvement in performance. Please let me know if this is true. The reason is that since most MDaemon system integrate Message Sniffer through the content filter and the content filter in MDaemon is apparently single threaded. The performance tuning features of this version allow the client and persistent server instances to coordinate much more closely with regard to the available computing power in the system so that polling delays _should be_ reduced significantly. _IN THEORY_ the improved signaling between client and persistent server instances will allow polling synchronization such that the highest possible performance for the hardware and load conditions can be achieved. I would guess that this is still true of Version 2-3.0i7 Bill -Original Message- From: Michiel Prins [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 2:20 PM To: [EMAIL PROTECTED] Subject: RE: [sniffer] New test version 2-3.0i7 Does this version have speed improvements over the previous official release, when NOT using the persistent option (with Mdaemon)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: zondag 17 oktober 2004 21:39 To: [EMAIL PROTECTED] Subject: [sniffer] New test version 2-3.0i7 Hello Sniffer Folks, Here is the latest interim/beta version. Everyone who is using an interim version is encouraged strongly to move to this one (2-3.0i7). This version fixes a client recovery bug. The client recovery bug prevented client instances from recovering if something went wrong with the client-server process. Under normal circumstances the client will load the rulebase and process the message itself if it detects a problem with the result it should receive from a server instance. The bug would cause this to fail resulting in a Fail Safe return value - thus causing additional spam to get through. 
Though the problem with the recovery logic is fixed now, the main source of recovery cases is not yet resolved. At random intervals and to varying degrees on different systems, the client instance in a persistent server configuration will be unable to open the job file with its result. The server instance does not report an error. Retrying the open operation after a delay does not result in success. I'm still working on that one. In any case, this version handles those cases.

http://www.sortmonster.com/MessageSniffer/Betas/MessageSniffer2-3.0i7-Distribution.zip

This version also includes new Diagnostics code which will produce a diagnostics file containing all of the major peer-server coordination events. The diagnostics can be turned on/off in the configuration file.

Note that the configuration file has changed in this distribution. The changes are only additions, so your old .cfg file will work if you do not wish to use any of the new features. This version is backward compatible as a drop-in replacement.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
RE: [sniffer] New beta v2-3.0i4
It works for me.

Bill

-Original Message-
From: Frederick Samarelli [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] New beta v2-3.0i4

Link not working

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 11:55 AM
Subject: [sniffer] New beta v2-3.0i4

Hello Sniffer Folks,

I have a new version of Message Sniffer ready for wide beta testing.

* This version has some tighter timing mechanisms for better performance under heavy loads.

* This version has a new feature that will produce a .xhdr file containing X-Header information that Message Sniffer would like to emit into the message. Folks running *nix systems or otherwise customizing sniffer will find this useful. Check the .cfg file for details.

NOTE: If you have sniffer generate a .xhdr file you must delete it when you have finished processing your message.

You can find the beta distribution at:
http://www.sortmonster.com/MessageSniffer/Betas/MessageSniffer2-3.0i4.zip

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
RE: Re[2]: [sniffer] Test ordering/precedence
-----Original Message-----
From: Pete McNeil [mailto:[EMAIL PROTECTED]

I've actually been thinking very strongly of reorganizing the rule group IDs recently. Especially in light of the new changes we've made with robots et al. The accuracy of the Experimental IP group has gone up considerably - and most of the false positives you've discussed should be eliminated over time (bounces especially).

All that said, I think the first step to reordering the groups might be to change the sequence of the 4 highest numbers as follows:

63: Experimental Received [IP]
62: Obfuscation
61: Experimental Abstract
60: General

This order is based on a least to most specific order. It turns out that the majority of General rules are simply specific patterns that don't fit existing rule groups; Experimental Abstract tend to be either abstracted patterns from specific or general patterns - or automatically generated URI candidates; Obfuscation are patterns that detect obfuscation techniques that are not specific to any particular kind of spam, and since Received [IP] rules only identify a source they are the most generalized (whether manually or automatically generated).

According to a recent spam test quality analysis the accuracy and coverage for these groups in this order follows like this:

63: Experimental Received [IP]   SA = 0.81   Coverage = 7.63%
62: Obfuscation                  SA = 1.00   Coverage = 2.58%
61: Experimental Abstract        SA = 0.92   Coverage = 25.82%
60: General                      SA = 0.81   Coverage = 1.82%

How would you feel about this order?

++

I'm not Matt, but I very much like this idea. Please let us know when you plan to make this change so we can adjust our tests accordingly.

Thanks!

Bill
[sniffer] Sniffer misses NIGERIAN type spams
Pete, I am wondering why Sniffer has such a problem detecting the so-called NIGERIAN types of spam. It seems that I have been forwarding several of them daily to the spam@ address for weeks, but Sniffer still consistently misses them. There must be some kind of pattern that Sniffer can trigger on to catch these types of spam.

It hasn't been a real problem for me since SpamAssassin always catches them, but for those that are not running SpamAssassin, they must see lots of these types of spam showing up in their inboxes daily.

Bill
[sniffer] Increase in FPs
I have seen a fairly substantial increase on false positives today. I have submitted several FPs to the false@ address. Has there been a big change in the core rulebase today? I wouldn't think that upgrading to the new code this morning would cause this, would it?

Bill
RE: [sniffer] Increase in FPs
-----Original Message-----
From: Pete McNeil [mailto:[EMAIL PROTECTED]

LW> I have seen a fairly substantial increase on false positives today.
LW> I have submitted several FPs to the false@ address. Has there been
LW> a big change in the core rulebase today? I wouldn't think that
LW> upgrading to the new code this morning would cause this, would it?

No, the upgrade should not have this effect.

It appears that a number of secondary services we reference have had problems recently such as SORBS and SURBL. I've been pushing false processing to mitigate the problems quickly, we are adjusting our tuning parameters for candidate generation, and will continue to monitor conditions closely.

Thanks for the quick updates Pete, I've already received my rulebase updates. As always, your quick support is very much appreciated!

Bill
RE: [sniffer] FIN File
It's an orphan, you can safely delete it.

Bill

-----Original Message-----
From: Keith Johnson [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 29, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] FIN File

I found a .fin file in my sniffer directory and didn't know if anyone knew what it was and how it is produced. It is dated several days ago. Thanks for the aid.

Keith
RE: Re[6]: [sniffer] Effectiveness (lately)
That's strange, our Exchange server does not strip off any of the Declude headers.

Bill

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 29, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: Re[6]: [sniffer] Effectiveness (lately)

Should I continue to forward spam that is not caught then?

A problem I have is on the gatewayed domains, which are running Exchange: Exchange strips out the header that Declude puts in, making it difficult to see what happened and what was caught by which tests.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, July 29, 2004 10:52 AM
To: John Tolmachoff (Lists)
Subject: Re[6]: [sniffer] Effectiveness (lately)

On Thursday, July 29, 2004, 1:23:11 PM, John wrote:

JTL> Would the new attached fall under the same rule?

Yes. It looks like the same domain is involved. I've launched a compile of your rulebase - you should be updated very quickly.

In this case it seems that you started receiving these a few days before we got our first copy.

_M
RE: [sniffer] Spam submissions
-----Original Message-----
From: Pete McNeil [mailto:[EMAIL PROTECTED]

LW> Pete, I put together a little script that modifies the Q*.SMD file
LW> for identified spam messages that were held in my spam directory,
LW> but were not tagged by Sniffer, and can forward a copy of these
LW> messages to your spam@ address. However, the messages will look
LW> like they came from the original sender and will also show the
LW> original recipient on the To line. For example, queue-file
LW> Qff1e0159007addb3.SMD could originally look like (all sender and
LW> recipient domains masked):

<snip/>

LW> This script is not automated so it is not going to be sending you
LW> unconfirmed spam. We will only forward messages that have been
LW> confirmed by one of our staff to be spam and that Sniffer did not
LW> tag. This way I can forward specific messages that end up in my
LW> spam directory to you from a remote command line on the server, and
LW> you will receive the message in its original intended format,
LW> including sender and recipient information. I will not start
LW> forwarding spam to your spam@ address until I hear that this process
LW> would be okay with you.

This sounds great! Thanks!

_M

PS: It is possible to create virtual spam traps on systems that use a sufficient number of additional tests. Essentially, if the message would normally be held or dropped based on the other tests and it still failed Sniffer then it would be reasonable to automatically forward that to spam@ in the way you describe. In many cases this content is clean enough to be processed with the same rules we use for normal spamtraps. We have been considering the creation of a new class of processing for this kind of virtual spamtrap.

=====

Let me look into it a bit to see how I might be able to accomplish this. I'll report back soon...

Bill
RE: [sniffer] Declude configuration
Here is a sample of what I use:

=====
SNIFFER-TRAVEL        external 047 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 05 0
SNIFFER-INSURANCE     external 048 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
SNIFFER-AV-PUSH       external 049 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
SNIFFER-WAREZ         external 050 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
SNIFFER-SPAMWARE      external 051 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
SNIFFER-SNAKEOIL      external 052 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-SCAMS         external 053 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-PORN          external 054 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 15 0
SNIFFER-MALWARE       external 055 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-ADVERTISING   external 056 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
SNIFFER-SCHEMES       external 057 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-CREDIT        external 058 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
SNIFFER-GAMBLING      external 059 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
SNIFFER-GREYMAIL      external 060 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 05 0
SNIFFER-OBFUSCATION   external 061 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-EXPERIMENTAL  external 062 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
SNIFFER-GENERAL       external 063 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
=====

Bill

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Declude configuration

I am new to Sniffer, and have it up and running with the basic line looking for a nonzero return code.

I would now like to start setting different weights for different return codes. Does some one have a example configuration I can use?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [sniffer] Message Sniffer Version 2-3 Official Release!
Pete, am I correct in assuming that the configuration file (snfrv2r3.cfg) should also be renamed for your license ID, as well?

Bill

-----Original Message-----
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Monday, May 10, 2004 2:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

At 12:35 PM 5/9/2004, you wrote:
>Are there step-by-step upgrade instructions posted anywhere? Our
>configuration is Windows 2000 server with Declude. I don't quite
>understand what needs to be done to enable the Persistent Instance option.

Step-by-step instructions will depend on how you intend to run the persistent instance.

The first step in all cases is simply to replace your .exe files with the ones in the new distribution. Be sure to rename (brand) the snfrv2r3.exe file for your license ID of course.

The way I run a persistent instance is using RunSvcExe, others have reported good results with Fire Daemon. Links to these are on the SnifferBasics page along with the basic command line for starting a Message Sniffer instance in persistent mode. Essentially, launch sniffer with the word persistent in place of the usual file name to be scanned.

Here is a link to earlier discussions along with some more detailed information about getting a persistent instance set up. Follow the thread through and you will find more than one example:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg00165.html

Hope this helps,
_M
RE: [sniffer] Message Sniffer Version 2-3 Official Release!
Thanks Pete! One other question. I am now downloading my rulebase files as .gz files (much faster downloads now). Are you prepared to receive our log file uploads either zipped or gzipped?

Bill

-----Original Message-----
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 2:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Message Sniffer Version 2-3 Official Release!

At 05:19 PM 5/9/2004, you wrote:
>Pete, am I correct in assuming that the configuration file (snfrv2r3.cfg)
>should also be renamed for your license ID, as well?
>
>Bill

Yes, that is correct. .cfg files are branded in the same way as the scanner (.exe) file.

_M
RE: [sniffer] Message Sniffer Version 2-3 Official Release!
It seems to be working fine for me. I have it running as a service, per Matt's instructions using the W2K resource kit files, and it has been running fine all day.

Bill

-----Original Message-----
From: Frederick Samarelli [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 5:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

The persistent mode stopped working after installing new program. Revert back to old one and it works???

Start xx.exe x persistent

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 10, 2004 4:59 AM
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

At 11:36 AM 5/9/2004, you wrote:
>Pete. Should we be able to just replace our .exe file with this one

Yes. It will act just like the current version. The persistent server option doesn't take effect until you launch an instance in persistent mode. Until then (or if the persistent server fails) the program will act exactly like version 2-2, except that you can still configure the log format if you wish.

Most importantly the snf2check.exe utility is much improved with this new version.

Hope this helps,
_M
RE: [sniffer] Message Sniffer Version 2-3 Official Release!
Fredrick, I stopped the Sniffer service and tested from the command prompt with:

Start xx.exe x persistent

and this is working fine, as well. These messages have come in since starting sniffer persistence from the command prompt:

LicenseID 20040510024905 Ded96001d093c201a.SMD 40 150 Clean 0 0 03720 60
LicenseID 20040510024908 Ded96003f080c201b.SMD 10 20 Clean 0 0 0 149451
LicenseID 20040510025416 Deecf003708b6201f.SMD 10 190 Match 117330 57 3301331578
LicenseID 20040510025416 Deecf003708b6201f.SMD 10 190 Final 117330 57 0 661178
LicenseID 20040510025417 Deecf003d094e2020.SMD 10 30 Match 117330 57 2478249273
LicenseID 20040510025417 Deecf003d094e2020.SMD 10 30 Final 117330 57 0 264373
LicenseID 20040510025437 Deee7003908b62023.SMD 10 50 Match 118825 52 1560157266
LicenseID 20040510025437 Deee7003908b62023.SMD 10 50 Final 118825 52 0 528566
LicenseID 20040510025445 Deee70041094e2024.SMD 10 20 Match 118825 52 1588160059
LicenseID 20040510025445 Deee70041094e2024.SMD 10 20 Final 118825 52 0 184759
LicenseID 20040510025508 Def05007c04c02027.SMD 10 81 Match 54070 52 884 924 70
LicenseID 20040510025508 Def05007c04c02027.SMD 10 81 Final 54070 52 0 617970
LicenseID 20040510025523 Def05007d04c02029.SMD 10 30 Match 54070 52 1103116862
LicenseID 20040510025523 Def05007d04c02029.SMD 10 30 Final 54070 52 0 274862
LicenseID 20040510025639 Def62008204c0202c.SMD 10 60 Match 40539 62 5135517867
LicenseID 20040510025639 Def62008204c0202c.SMD 10 60 Final 40539 62 0 579167

Bill

-----Original Message-----
From: Frederick Samarelli [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 7:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

I am having problems getting it started from the command prompt.

----- Original Message -----
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 10:30 PM
Subject: RE: [sniffer] Message Sniffer Version 2-3 Official Release!

It seems to be working fine for me. I have it running as a service, per Matt's instructions using the W2K resource kit files, and it has been running fine all day.

Bill

-----Original Message-----
From: Frederick Samarelli [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 5:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

The persistent mode stopped working after installing new program. Revert back to old one and it works???

Start xx.exe x persistent

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 10, 2004 4:59 AM
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

At 11:36 AM 5/9/2004, you wrote:
>Pete. Should we be able to just replace our .exe file with this one

Yes. It will act just like the current version. The persistent server option doesn't take effect until you launch an instance in persistent mode. Until then (or if the persistent server fails) the program will act exactly like version 2-2, except that you can still configure the log format if you wish.

Most importantly the snf2check.exe utility is much improved with this new version.

Hope this helps,
_M
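An added example, not part of the original posts and not code from Message Sniffer or Declude: it joins the Final records of a Sniffer log with Declude external test lines laid out like the sample configuration earlier on this page, so each scanned message can be traced to the test name and weight it receives. The function names, the tab-separated field order, the reading of the second-to-last column as the weight, and all sample rows are assumptions constructed for illustration (the log excerpt above has lost its tabs, so constructed rows are used instead).

```python
"""Join Sniffer 'Final' log records with Declude external-test weights."""
from collections import Counter

# Constructed Declude lines in the layout of the sample configuration on this
# page: test name, "external", result code, command..., weight, second weight.
DECLUDE_CFG = r"""
SNIFFER-SNAKEOIL     external 052 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-SCHEMES      external 057 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-EXPERIMENTAL external 062 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
"""

# Constructed log rows (spool names and trailing numbers are made up).
_ROWS = [
    ("20040510024905", "Dconstructed01.SMD", "40", "150", "Clean", "0", "0", "0", "3720", "60"),
    ("20040510025416", "Dconstructed02.SMD", "10", "190", "Match", "117330", "57", "3301", "3315", "78"),
    ("20040510025416", "Dconstructed02.SMD", "10", "190", "Final", "117330", "57", "0", "6611", "78"),
    ("20040510025437", "Dconstructed03.SMD", "10", "50", "Match", "118825", "52", "1560", "1572", "66"),
    ("20040510025437", "Dconstructed03.SMD", "10", "50", "Final", "118825", "52", "0", "5285", "66"),
    ("20040510025445", "Dconstructed04.SMD", "10", "20", "Final", "118825", "52", "0", "1847", "59"),
    ("20040510025639", "Dconstructed05.SMD", "10", "60", "Final", "40539", "62", "0", "5791", "67"),
    # Result code 60 has no test line in DECLUDE_CFG above: reported unmapped.
    ("20040510025700", "Dconstructed06.SMD", "10", "40", "Final", "900001", "60", "0", "4100", "61"),
]
SNIFFER_LOG = "\n".join("\t".join(("LicenseID",) + row) for row in _ROWS)
SNIFFER_LOG += "\nLicenseID\t20040510030000\ttruncated"  # malformed on purpose

# Assumed column order for the leading fields of a log record.
FIELDS = ("license", "timestamp", "spool_file", "setup_ms", "scan_ms",
          "record", "rule_id", "code")


def parse_declude_tests(cfg_text):
    """Return {result_code: (test_name, weight)} for 'external' test lines."""
    tests = {}
    for line in cfg_text.splitlines():
        parts = line.split()
        # name, type, code, at least one command token, two weights
        if len(parts) < 6 or parts[1].lower() != "external":
            continue
        if not parts[2].isdigit():
            continue  # a catch-all such as "nonzero" names no single code
        try:
            weight = int(parts[-2])
        except ValueError:
            continue
        tests[int(parts[2])] = (parts[0], weight)
    return tests


def parse_log(log_text):
    """Return (records, skipped_count); malformed lines are counted, not raised."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) < len(FIELDS) or not (cols[6].isdigit() and cols[7].isdigit()):
            skipped += 1
            continue
        rec = dict(zip(FIELDS, cols))
        rec["rule_id"] = int(rec["rule_id"])
        rec["code"] = int(rec["code"])
        records.append(rec)
    return records, skipped


def final_verdicts(log_text, cfg_text):
    """One (spool_file, rule_id, test_name, weight) tuple per Final record."""
    tests = parse_declude_tests(cfg_text)
    records, _ = parse_log(log_text)
    verdicts = []
    for rec in records:
        if rec["record"] != "Final":
            continue  # Match rows are candidates; Final is the verdict
        name, weight = tests.get(rec["code"], (None, 0))
        verdicts.append((rec["spool_file"], rec["rule_id"], name, weight))
    return verdicts


def finals_per_rule(log_text):
    """Count Final records per rule ID, to spot one rule holding many messages."""
    records, _ = parse_log(log_text)
    return Counter(r["rule_id"] for r in records if r["record"] == "Final")


def unmapped_codes(log_text, cfg_text):
    """Result codes seen in Final records that no Declude test line handles."""
    tests = parse_declude_tests(cfg_text)
    records, _ = parse_log(log_text)
    return {r["code"] for r in records
            if r["record"] == "Final" and r["code"] not in tests}


if __name__ == "__main__":
    for spool, rule, name, weight in final_verdicts(SNIFFER_LOG, DECLUDE_CFG):
        print(f"{spool}  rule={rule}  test={name or 'UNMAPPED'}  weight={weight}")
    print("finals per rule:", dict(finals_per_rule(SNIFFER_LOG)))
    print("unmapped codes:", sorted(unmapped_codes(SNIFFER_LOG, DECLUDE_CFG)))
```

An unmapped code contributes no weight at all, which is the condition to check for after any renumbering of rule groups like the one proposed earlier on this page.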
RE: [sniffer] Message Sniffer Version 2-3 Official Release!
Same here, but if you check your logs, I think you will find that it is working.

Bill

-----Original Message-----
From: Frederick Samarelli [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 8:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

When I do it the window pop-up is blank

----- Original Message -----
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 10:59 PM
Subject: RE: [sniffer] Message Sniffer Version 2-3 Official Release!

Fredrick, I stopped the Sniffer service and tested from the command prompt with:

Start xx.exe x persistent

and this is working fine, as well. These messages have come in since starting sniffer persistence from the command prompt:

LicenseID 20040510024905 Ded96001d093c201a.SMD 40 150 Clean 0 0 03720 60
LicenseID 20040510024908 Ded96003f080c201b.SMD 10 20 Clean 0 0 0 149451
LicenseID 20040510025416 Deecf003708b6201f.SMD 10 190 Match 117330 57 3301331578
LicenseID 20040510025416 Deecf003708b6201f.SMD 10 190 Final 117330 57 0 661178
LicenseID 20040510025417 Deecf003d094e2020.SMD 10 30 Match 117330 57 2478249273
LicenseID 20040510025417 Deecf003d094e2020.SMD 10 30 Final 117330 57 0 264373
LicenseID 20040510025437 Deee7003908b62023.SMD 10 50 Match 118825 52 1560157266
LicenseID 20040510025437 Deee7003908b62023.SMD 10 50 Final 118825 52 0 528566
LicenseID 20040510025445 Deee70041094e2024.SMD 10 20 Match 118825 52 1588160059
LicenseID 20040510025445 Deee70041094e2024.SMD 10 20 Final 118825 52 0 184759
LicenseID 20040510025508 Def05007c04c02027.SMD 10 81 Match 54070 52 884 924 70
LicenseID 20040510025508 Def05007c04c02027.SMD 10 81 Final 54070 52 0 617970
LicenseID 20040510025523 Def05007d04c02029.SMD 10 30 Match 54070 52 1103116862
LicenseID 20040510025523 Def05007d04c02029.SMD 10 30 Final 54070 52 0 274862
LicenseID 20040510025639 Def62008204c0202c.SMD 10 60 Match 40539 62 5135517867
LicenseID 20040510025639 Def62008204c0202c.SMD 10 60 Final 40539 62 0 579167

Bill
RE: [sniffer] Message Sniffer Version 2-3 Official Release!
Don't know, since I have not been running the persistence feature until today, and I am running it as a service rather than executing it from the command prompt. Pete?

Bill

-----Original Message-----
From: Frederick Samarelli [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 8:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

Is this by design

----- Original Message -----
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 11:08 PM
Subject: RE: [sniffer] Message Sniffer Version 2-3 Official Release!

Same here, but if you check your logs, I think you will find that it is working.

Bill

-----Original Message-----
From: Frederick Samarelli [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 8:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!

When I do it the window pop-up is blank

----- Original Message -----
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 10:59 PM
Subject: RE: [sniffer] Message Sniffer Version 2-3 Official Release!

Fredrick, I stopped the Sniffer service and tested from the command prompt with:

Start xx.exe x persistent

and this is working fine, as well.
These messages have come in since starting sniffer persistence from the command prompt: LicenseID 20040510024905 Ded96001d093c201a.SMD 40 150 Clean 0 0 03720 60 LicenseID 20040510024908 Ded96003f080c201b.SMD 10 20 Clean 0 0 0 149451 LicenseID 20040510025416 Deecf003708b6201f.SMD 10 190 Match 117330 57 3301331578 LicenseID 20040510025416 Deecf003708b6201f.SMD 10 190 Final 117330 57 0 661178 LicenseID 20040510025417 Deecf003d094e2020.SMD 10 30 Match 117330 57 2478249273 LicenseID 20040510025417 Deecf003d094e2020.SMD 10 30 Final 117330 57 0 264373 LicenseID 20040510025437 Deee7003908b62023.SMD 10 50 Match 118825 52 1560157266 LicenseID 20040510025437 Deee7003908b62023.SMD 10 50 Final 118825 52 0 528566 LicenseID 20040510025445 Deee70041094e2024.SMD 10 20 Match 118825 52 1588160059 LicenseID 20040510025445 Deee70041094e2024.SMD 10 20 Final 118825 52 0 184759 LicenseID 20040510025508 Def05007c04c02027.SMD 10 81 Match 54070 52 884 924 70 LicenseID 20040510025508 Def05007c04c02027.SMD 10 81 Final 54070 52 0 617970 LicenseID 20040510025523 Def05007d04c02029.SMD 10 30 Match 54070 52 1103116862 LicenseID 20040510025523 Def05007d04c02029.SMD 10 30 Final 54070 52 0 274862 LicenseID 20040510025639 Def62008204c0202c.SMD 10 60 Match 40539 62 5135517867 LicenseID 20040510025639 Def62008204c0202c.SMD 10 60 Final 40539 62 0 579167 Bill -Original Message- From: Frederick Samarelli [mailto:[EMAIL PROTECTED] Sent: Sunday, May 09, 2004 7:32 PM To: [EMAIL PROTECTED] Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release! I am having problems getting it started from the command prompt. - Original Message - From: Landry William [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, May 09, 2004 10:30 PM Subject: RE: [sniffer] Message Sniffer Version 2-3 Official Release! It seems to be working fine for me. I have it running as a service, per Matt's instructions using the W2K resource kit files, and it has been running fine all day. 
Bill -Original Message- From: Frederick Samarelli [mailto:[EMAIL PROTECTED] Sent: Sunday, May 09, 2004 5:10 PM To: [EMAIL PROTECTED] Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release! The persistent mode stopped working after installing new program. Revert back to old one and it works??? Start xx.exe x persistent - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, May 10, 2004 4:59 AM Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release! At 11:36 AM 5/9/2004, you wrote: Pete. Should we be able to just replace our .exe file with this one Yes. It will act just like the current version. The persistent server option doesn't take effect until you launch an instance in persistent mode. Until then (or if the persistent server fails) the program will act exactly like version 2-2, except that you can still configure the log
RE: [sniffer] F-Prot and netsky
ClamAV works very well, and is lightning fast when run daemonized (clamd). It's also hard to beat the price! I run it along with F-Prot and McAfee's uvscan, and Clam seems to keep up with the commercial scanners as far as virus updates.

Bill

-Original Message-
From: Fred [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] F-Prot and netsky

Does anyone run ClamAV? I've been hearing a lot of good reviews on it..

Frederic Tarasevicius
Internet Information Services, Inc.