[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
Hello Pete,

Thursday, June 8, 2006, 9:41:55 AM, you wrote:


 It does look a little weird. Sometimes it's normal though. I'll see if
 I can identify anything odd in the settings.

 _M

 I've changed the settings. I hope this response works ok.

 _M

Testing. Sorry for the extra traffic - only way to debug it.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
Hello Pete,

Thursday, June 8, 2006, 9:42:42 AM, you wrote:

 Hello Pete,

 Thursday, June 8, 2006, 9:41:55 AM, you wrote:


 It does look a little weird. Sometimes it's normal though. I'll see if
 I can identify anything odd in the settings.

 _M

 I've changed the settings. I hope this response works ok.

 _M

 Testing. Sorry for the extra traffic - only way to debug it.

 _M

This seems to be working ok, Thanks for your patience.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Matt




Pete,

My understanding was that Declude treats different arguments to an
executable as just being other forms of that executable so it only
processes it once. I'm not positive one way or another. It's worth
testing though.

Matt



Pete McNeil wrote:

  Hello Matt,

Wednesday, June 7, 2006, 11:52:56 PM, you wrote:

  
  
Pete,

Just two more cents for the masses...

  
  
  
  
If people use this for two different external tests in Declude, they 
need to create two differently named executables because Declude will 
assume the calling executable to be part of the same test and only run
it once (or possibly create an error depending on one's configuration).
This may not be necessary if you have different test types defined, i.e.
nonzero, weight, external, and bitmask, but better safe than sorry.

  
  
I think this might not be correct. IIRC, the design spec for that
feature was that if the command line was different in the test then it
would be executed again and if the command line was identical it would
not.

This was to allow for calling the same program with different
parameters.

I'm pretty sure that's how it works --- it might be worth a few tests
if you're sure it's not that way, but I strongly suspect that if one
of the parameters are different in the test line (inside the quotes)
then it will be executed again as a different test.

  
  
Also, I noted that the Subjects on this list are being repeated.  I saw
that you changed to a new server, but I also noted that there is no 
space after "[sniffer]" in the Subject and thought that maybe this is 
what is throwing things off.  Maybe adding that space will correct the
issue???

  
  
It does look a little weird. Sometimes it's normal though. I'll see if
I can identify anything odd in the settings.

_M

  





[sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 7:31:29 AM, you wrote:

   
  
 The one issue with this I have is

 1) Forward full original source to Sniffer with license code.

 If we could do it without the license code, it would be much
 easier to automate on our end. I already have a process in place
 to copy and reroute false positives by rewriting the Q file. I'm
 hesitant to alter the message itself to add the license code. If we
 could authenticate the FP report via some other means it would help
 greatly. How about connecting IP instead?

At the moment that is how it's done: a combination of email address
and source IP are matched with the license ID.

The reason we ask for the license ID is because folks submitting false
positives occasionally forget that we authenticate on their registered
email address and use some other address.

-- The rule is that if the system can't match the email address it
should/may drop the message rather than evaluating it. We get a lot of
spam and attempts to game the system at our false@ address... so when
it's heavy we do drop messages that can't be properly identified.

However, in an effort to provide the best service possible, if the
license ID is present and we have the time we will look to see if it
could be a legit FP submission by researching the source and domain -
and if we think it is likely to be legitimate we will process the FP
and respond with an additional code reminding the submitter that they
must use their registered email address or an authorized alias.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Hi Pete,

Can I interpret this as email address and matching source IP are sufficient
if the correct email address is used to submit?

If not, do you have any suggestions on how you would like to see us
inserting the license ID in the D file?

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 8:25 AM
Subject: [sniffer]Re[2]: [sniffer]FP suggestions


Hello Darin,

Wednesday, June 7, 2006, 7:31:29 AM, you wrote:



 The one issue with this I have is

 1) Forward full original source to Sniffer with license code.

 If we could do it without the license code, it would be much
 easier to automate on our end. I already have a process in place
 to copy and reroute false positives by rewriting the Q file. I'm
 hesitant to alter the message itself to add the license code. If we
 could authenticate the FP report via some other means it would help
 greatly. How about connecting IP instead?

At the moment that is how it's done: a combination of email address
and source IP are matched with the license ID.

The reason we ask for the license ID is because folks submitting false
positives occasionally forget that we authenticate on their registered
email address and use some other address.

-- The rule is that if the system can't match the email address it
should/may drop the message rather than evaluating it. We get a lot of
spam and attempts to game the system at our false@ address... so when
it's heavy we do drop messages that can't be properly identified.

However, in an effort to provide the best service possible, if the
license ID is present and we have the time we will look to see if it
could be a legit FP submission by researching the source and domain -
and if we think it is likely to be legitimate we will process the FP
and respond with an additional code reminding the submitter that they
must use their registered email address or an authorized alias.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 8:44:26 AM, you wrote:

 Hi Pete,

 Can I interpret this as email address and matching source IP are sufficient
 if the correct email address is used to submit?

Yes.

 If not, do you have any suggestions on how you would like to see us
 inserting the license ID in the D file?

To clarify, nothing should be inserted in the D file. The original
message should be attached as an RFC 822 attachment in as close to the
original form as possible.

The license id, if included at all, should be in the subject line of
the submission message.

Remember also, we WILL be responding to the submission message so that
we can record a dialogue with you about the false positive in
question.

Hope this helps,

Thanks,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Scott,

Wednesday, June 7, 2006, 10:08:58 AM, you wrote:

   
  
 For me the pain of false positives submissions is the research
 that happens when I get a no rule found return.

 I then need to find the queue-id of the original message and then
 find the appropriate Sniffer log and pull out the log lines from
 there and then submit it. Almost always in these cases, a rule is removed.

 If this process could be improved that would really be a time saver.

This depends on the email system you are using. On some systems
(MDaemon, and postfix, for example) X- headers from SNF can be emitted
into the message. When we see these we can identify the rules directly
without asking for the extra research.

It would be nice if Declude would offer a mechanism to pick up the
optional .xhdr file SNF can generate and include it in the X headers
that it already adds to the message.

I know this begs the question, why not have SNF add the headers for
SmarterMail and IMail platforms, and the reason is that it would
require writing an additional copy of the message to disk. Since these
systems tend to be io bound already (Declude/IMail anyhow) the
performance penalty would be prohibitive. If Declude picks up .xhdr
from SNF directly then it can be included in the ONE rewrite Declude
makes anyway.

I've asked them about this and other improved integration
opportunities for a while now (many months), and I get favorable
responses, but no action so far. I guess we will see :-)

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Matt




Pete,

An X-Header would be very, very nice to have. I understand the issues
related to waiting to see if something comes through, and because of
that, I would maybe suggest moving on your own.

Sniffer doesn't need to be run on every single message in a Declude
system. Through weight based skipping, many administrators (especially
the ones that could make the most use of this) could skip processing
Sniffer once a certain weight is reached, and in turn that would save
enough load that it should easily make up for needing to re-write the
message to the disk with the modified headers. On external tests that
allow for weight skipping on my system, I was skipping around 50% of
messages before lightening the load with pre-scanning.

Sniffer could do weight skipping with Declude by accepting the %WEIGHT%
variable in the command line.

SNIFFER-IP  external 063 "C:\IMail\Declude\Sniffer\customer-code.exe license-code WH=26 WL=-5 CW=%WEIGHT%" 5 0
...etc.

The WH setting says don't run if equal to or greater than, the WL says
don't run if equal to or less than, and the CW passes in the weight
from Declude at the time of calling Sniffer. It still launches
Sniffer, but it could be stopped immediately before any heavy lifting
is done.

The best solution of course would be for Declude to allow for
weight-based skipping in the config without calling the executable, but
I started asking about that back in the Scott days and I am not holding
out hope for that happening soon considering. The most realistic
option would seem to then have Sniffer do the heavy lifting of
rewriting itself, and save some CPU and disk I/O by improving
efficiencies with something as simple as weight-based skipping. I'm
pretty sure the net result would be less CPU and disk I/O overall if
both were done.

Another alternative may be to create a separate executable (with
weight-based skipping) that would only deal with adding headers from
the text file that Sniffer drops in the directory. There would be less
benefit overall to keeping this all in one app, but it would target the
primary need. This could easily be written by one of us in VBScript as
a proof of concept. I have considered doing this before, but it isn't
at the top of my priorities.

BTW, you could maybe even encode links in the headers for FP reporting
through a Web interface, completely removing the forwarding mechanism
from the mix, though you wouldn't have the opportunity to see the
messages which may not be good as a whole.

Matt





Pete McNeil wrote:

  Hello Scott,

Wednesday, June 7, 2006, 10:08:58 AM, you wrote:

  
  
  
 
For me the pain of false positives submissions is the research
that happens when I get a "no rule found" return.

I then need to find the queue-id of the original message and then
find the appropriate Sniffer log and pull out the log lines from
there and then submit it. Almost always in these cases, a rule is removed.

If this process could be improved that would really be a time saver.

  
  
This depends on the email system you are using. On some systems
(MDaemon, and postfix, for example) X- headers from SNF can be emitted
into the message. When we see these we can identify the rules directly
without asking for the extra research.

It would be nice if Declude would offer a mechanism to pick up the
optional .xhdr file SNF can generate and include it in the X headers
that it already adds to the message.

I know this begs the question, why not have SNF add the headers for
SmarterMail and IMail platforms, and the reason is that it would
require writing an additional copy of the message to disk. Since these
systems tend to be io bound already (Declude/IMail anyhow) the
performance penalty would be prohibitive. If Declude picks up .xhdr
from SNF directly then it can be included in the ONE rewrite Declude
makes anyway.

I've asked them about this and other improved integration
opportunities for a while now (many months), and I get favorable
responses, but no action so far. I guess we will see :-)

_M

  





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Matt,

Wednesday, June 7, 2006, 3:37:36 PM, you wrote:


  Pete,
  
  An X-Header would be very, very nice to have.  I understand the
 issues related to waiting to see if something comes through, and
 because of that, I would maybe suggest moving on your own.

I've got it on the list to have a message rewriting option... it's
just not as high as some others. I hadn't thought about the weight
gating utility - though that seems like something that would be useful
in general for external tests...

weightgate -5 %WEIGHT% 20 command line to run 5 0

command line to run is executed if %WEIGHT% is in the range [-5,20]
and the exit code of command line to run is returned.

That seems like a pretty simple utility to knock out - perhaps I will
;-)

Also, on the FP reporting links idea, that would break the process -
it's important for us to see the message for many reasons, and it's
important for the FP resolution process to be interactive.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:


  Pete,
  
  Since the %WEIGHT% variable is added by Declude, it might make
 sense to have a qualifier instead of making the values space
 delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

   Errors in Declude could cause values to not be inserted,
 and not everyone will want to skip at a low weight.  I haven't seen
 any bugs with %WEIGHT% since shortly after it was introduced, but
 you never know.  I have seen some issues with other Declude inserted 
 variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the program not found error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  One other thing that I came across with the way that Declude calls
 external apps...you can't delimit the data with things like quotes. 
 There is no mechanism for escaping a functional quote from a quote
 that should appear in the data that you pass to it...so don't use
 quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe called ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and its alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
  low = a number representing the lowest weight to run progra.
  weight = a number representing the actual weight to evaluate.
  high = a number representing the highest weight to run program.
  program = the program to be activated if weight is in range.
  arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run
program and pass all of arg 1, arg 2,... arg n to it. Then
WeightGate will collect the exit code of program and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high)
then WeightGate will NOT launch program and will return FAIL_SAFE
(zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:

arg[0] me = WeightGate

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
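
The gate described in the message above (and the WH/WL/CW idea from earlier in the thread) can be written out as follows. This is an added example in Python, not the WeightGate.exe source: the strict integer check on low/weight/high and the choice to return zero when the launch itself fails are assumptions made for this example, and the function names and sample command lines are constructed.

```python
import re
import subprocess
import sys

FAIL_SAFE = 0  # exit code returned whenever the gated program is not launched
_INTEGER = re.compile(r"-?[0-9]+")


def parse_int(token):
    """Strict parse: '30' and '-50' pass; '', '%WEIGHT%' and file paths do not."""
    return int(token) if _INTEGER.fullmatch(token) else None


def decide(args):
    """Interpret argv[1:] laid out as: low weight high program [arg ...].

    Returns (command, reason). command is the argument list to execute,
    or None when the program must not be launched.
    """
    if len(args) < 4:
        return None, "wrong number of parameters"
    low, weight, high = (parse_int(a) for a in args[:3])
    if low is None or weight is None or high is None:
        # Usual cause: the caller did not substitute %WEIGHT%, so either the
        # literal token is still present or every later argument moved one
        # position to the left and a path landed in the 'high' slot.
        return None, "low, weight and high must all be integers"
    if low > high:
        return None, "low is greater than high"
    if not low <= weight <= high:
        return None, "weight is outside [low, high]"
    return args[3:], "weight is inside [low, high]"


def gate(args):
    """Run the gated program if allowed and hand back its exit code."""
    command, reason = decide(args)
    if command is None:
        print("gate: not launching:", reason, file=sys.stderr)
        return FAIL_SAFE
    try:
        # List form with no shell: each argument reaches the program as-is,
        # so nothing in the command line is re-parsed or re-quoted.
        return subprocess.call(command)
    except OSError as exc:
        # Assumption of this example: a failed launch also fails safe, so a
        # 'nonzero' style test is not tripped by a missing executable.
        print("gate: launch failed:", exc, file=sys.stderr)
        return FAIL_SAFE


def demo():
    """Exit codes for constructed command lines.

    The stand-in for the scanner is this Python interpreter exiting with 7.
    """
    child = [sys.executable, "-c", "import sys; sys.exit(7)"]
    cases = {
        "in_range": ["-50", "12", "30"] + child,
        "at_low_bound": ["-50", "-50", "30"] + child,
        "at_high_bound": ["-50", "30", "30"] + child,
        "too_high": ["-50", "45", "30"] + child,
        "too_low": ["-50", "-51", "30"] + child,
        "weight_dropped": ["-50", "30"] + child,          # arguments shifted left
        "weight_literal": ["-50", "%WEIGHT%", "30"] + child,
        "program_missing": ["-50", "12", "30", "constructed-no-such-program"],
        "no_arguments": [],
    }
    return {name: gate(args) for name, args in cases.items()}


if __name__ == "__main__":
    sys.exit(gate(sys.argv[1:]))
```
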





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 5:05:28 PM, you wrote:

<snip/>

 Uh, but the D file contains mime segments corresponding to attachments.

That's ok. SNF looks inside those, and w/ the FP scanning software
inside the rfc822 attachment also.

It's not perfect, but the majority of the time it does pick out the
rules that match and having the original helps us put those into
context.

The license id, if included at all, should be in the subject line of
the submission message.

 Good.  Subject line is easier and more reliable to parse out.  Not that it's
 needed per the original question.

:-)

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 5:09:27 PM, you wrote:

<snip/>

That would be a bad idea, sorry. After 30 days (heck, after 2) spam is
usually long-since filtered, or dead. As a result, looking at 30 day
old spam would have a cost, but little benefit.

 You misinterpreted what I was saying.  I was not at all suggesting sending
 old spam.  What I was talking about was copying spam@ with spam that does
 not fail sniffer _as it comes in_, or _during same day/next day reviews_

Sorry, I did misinterpret then. _as it comes in_ is good, provided the
weights are high enough to prevent a lot of FPs. We're all trained
pretty well on how to skip those - but the more we see, the more
likely we are to slip up ;-)

What we do use from time to time are virtual spamtraps. In a virtual
spamtrap scenario, you can submit spam that reached a very high (very
low false positive) score but did not fail SNF. Generally this is done
by copying the message to a pop3 account that can be polled by our
bots.

 That is exactly what I was suggesting.  We'll put it on our list to write a
 filter to do so when time permits.  Just trying to help.

Thanks very much!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew



(sniff) Aw, cut it out, Matt.

You're making me all weepy.

p.s. Pete, that's pretty darned amazing!

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 07, 2006 3:58 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

Pete,

I think that you just broke Scott's record with his two hour feature request with your own two hour program :)

Anyone remember those days???

Thanks,

Matt

Pete McNeil wrote:

Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:

  
   
 Pete,
 
 Since the %WEIGHT% variable is added by Declude, it might make
sense to have a qualifier instead of making the values space
delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

  
 Errors in Declude could cause values to not be inserted,
and not everyone will want to skip at a low weight. I haven't seen
any bugs with %WEIGHT% since shortly after it was introduced, but
you never know. I have seen some issues with other Declude inserted variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the "program not found" error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  
 One other thing that I came across with the way that Declude calls
external apps...you can't delimit the data with things like quotes.
There is no mechanism for escaping a functional quote from a quote
that should appear in the data that you pass to it...so don't use
quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe called ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and its alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
  low = a number representing the lowest weight to run progra.
  weight = a number representing the actual weight to evaluate.
  high = a number representing the highest weight to run program.
  program = the program to be activated if weight is in range.
  arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run
program and pass all of arg 1, arg 2,... arg n to it. Then
WeightGate will collect the exit code of program and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high)
then WeightGate will NOT 

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Awesome.  Great job, Pete.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 6:49 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP
suggestions


Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:


  Pete,

  Since the %WEIGHT% variable is added by Declude, it might make
 sense to have a qualifier instead of making the values space
 delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

 Errors in Declude could cause values to not be inserted,
 and not everyone will want to skip at a low weight. I haven't seen
 any bugs with %WEIGHT% since shortly after it was introduced, but
 you never know. I have seen some issues with other Declude inserted
variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the program not found error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  One other thing that I came across with the way that Declude calls
 external apps...you can't delimit the data with things like quotes.
 There is no mechanism for escaping a functional quote from a quote
 that should appear in the data that you pass to it...so don't use
 quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero c:\tool\WeightGate.exe -50 %WEIGHT% 30
c:\SNF\sniffer.exe authenticationxx 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe called ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe
authenticationxx 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and its alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
  low = a number representing the lowest weight to run progra.
  weight = a number representing the actual weight to evaluate.
  high = a number representing the highest weight to run program.
  program = the program to be activated if weight is in range.
  arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run
program and pass all of arg 1, arg 2,... arg n to it. Then
WeightGate will collect the exit code of program and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high)
then WeightGate will NOT launch program and will return FAIL_SAFE
(zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:

arg[0] me = WeightGate

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
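
The gating behaviour described in the usage text above, as an added Python sketch; it is not the WeightGate.exe source and not code from this thread. The function names are hypothetical and the argument lists are constructed from the Declude line in the message. Treating non-numeric bounds and an unlaunchable program as FAIL_SAFE is a choice of this sketch, made to cover the empty %WEIGHT% case Matt raises.

```python
import subprocess
import sys

FAIL_SAFE = 0  # the usage text's exit code for "program was not run"


def parse_int(token):
    """Strict integer parse; None for anything else (integer weights assumed)."""
    try:
        return int(token)
    except ValueError:
        return None


def plan(argv):
    """Decide what to do with 'low weight high program arg...'.

    Returns ("run", [program, arg, ...]) or ("skip", reason).
    """
    if len(argv) < 4:
        return ("skip", "wrong number of parameters")
    low, weight, high = (parse_int(tok) for tok in argv[:3])
    if None in (low, weight, high):
        # An empty %WEIGHT% removes one token, so every later argument slides
        # left and the program path lands in the 'high' slot. Do not guess.
        return ("skip", "non-numeric low/weight/high, arguments may have shifted")
    if low > high:
        return ("skip", "low is greater than high")
    if weight < low or weight > high:
        return ("skip", "weight %d outside [%d,%d]" % (weight, low, high))
    return ("run", list(argv[3:]))


def weight_gate(argv, runner=subprocess.call):
    """Run the gated program and hand back its exit code, else FAIL_SAFE."""
    action, detail = plan(argv)
    if action == "skip":
        print("gate: program not run: " + detail, file=sys.stderr)
        return FAIL_SAFE
    try:
        # The command is passed as a list with no shell, so no quoting or
        # escaping of the arguments is involved.
        return runner(detail)
    except OSError as err:
        # Sketch's choice: an unlaunchable program must not look like a
        # nonzero (spam) result to the caller.
        print("gate: could not launch program: %s" % err, file=sys.stderr)
        return FAIL_SAFE


# Constructed argument lists, modelled on the Declude line in the message.
NORMAL = ["-50", "12", "30", r"c:\SNF\sniffer.exe", "authenticationxx", "10", "0"]
# The same line when %WEIGHT% expands to nothing: one token is missing.
SHIFTED = ["-50", "30", r"c:\SNF\sniffer.exe", "authenticationxx", "10", "0"]

if __name__ == "__main__":
    for name, args in (("normal", NORMAL), ("shifted", SHIFTED)):
        print(name, plan(args))
```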



Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Unfortunately, by the time the message gets to us it is sometimes just
different enough that the original pattern cannot be found. There are
some folks who consistently have success, and some who occasionally
have problems, and a few who always have a problem.

Different in what way?  Is the mail client encoding differently in the
forwarding process?  If so, do you know what clients are altering the
messages and how?  If there's one that's better for this, we could always
use it for forwarding since we currently send it to ourselves first, then
forward.

If we rewrite the Q file and queue directly from IMail, encoding shouldn't
change, correct?  If that avoids this issue, we could do that instead.

The best solution is to include the headers during the scan since they
will travel with the message.

What do you mean?  The XHDR?  We would love that for more several reasons,
but Declude is not the same company anymore.

The next best is to automate matching
the log entries with the message so they can be included with the
submission (some do this to prevent the second trip).

Yeah, we'd have to automate it.  I can't imagine taking the time to manually
match for each occurrence of no rule found.  Another item for the
automation list.






[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 7:26:48 PM, you wrote:

Unfortunately, by the time the message gets to us it is sometimes just
different enough that the original pattern cannot be found. There are
some folks who consistently have success, and some who occasionally
have problems, and a few who always have a problem.

 Different in what way?  Is the mail client encoding differently in the
 forwarding process?  If so, do you know what clients are altering the
 messages and how?  If there's one that's better for this, we could always
 use it for forwarding since we currently send it to ourselves first, then
 forward.

It is unclear - we receive FPs that have traveled through all sorts of
clients, quarantine systems, changed hands various numbers of times,
or not (to all of those)... Right now I don't want to make that
research project a high priority.

 If we rewrite the Q file and queue directly from IMail, encoding shouldn't
 change, correct?  If that avoids this issue, we could do that instead.

That's true it wouldn't change, but submitting the message directly
would not be correct - the dialogue is with you, and in any case,
additional trips through the mail server also modify parts of the
header and sometimes parts of the message (tag lines, disclaimers,
etc)...

The best solution is to include the headers during the scan since they
will travel with the message.

 What do you mean?  The XHDR?  We would love that for more several reasons,
 but Declude is not the same company anymore.

At some point perhaps they will include the SNF engine in DLL form and
all of these issues will become simpler. For now there's no definitive
answer on that possibility so we will have to find other solutions. I
don't like the idea of rewriting the message file more often than
absolutely necessary, but that is a feature that is on the todo list
and so it may make it into the next heavy update (work in progress).

The next best is to automate matching
the log entries with the message so they can be included with the
submission (some do this to prevent the second trip).

 Yeah, we'd have to automate it.  I can't imagine taking the time to manually
 match for each occurrence of no rule found.  Another item for the
 automation list.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Pete McNeil
Hello Peer-to-Peer,

That's a good point.

Any kind, perhaps by category.

I was originally thinking of just RBLs of various types.

Thanks,

_M

Tuesday, June 6, 2006, 9:46:01 AM, you wrote:

 Hi _M,

 Do you mean like reverse PTR records, or HELO lookups, etc..?

 --Paul R.


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
 Behalf Of Pete McNeil
 Sent: Tuesday, June 06, 2006 9:26 AM
 To: Message Sniffer Community
 Subject: [sniffer]A design question - how many DNS based tests?


 Hello Sniffer Folks,

 I have a design question for you...

 How many DNS based tests do you use in your filter system?

 How many of them really matter?

 Thanks!

 _M




-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Nick,

What is your false positive rate with that pattern?

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

 Hi Markus -

 Markus Gufler wrote:

There is also another type of spam (stock spam now with attached png image)
this morning passing our filters.

 I am catching these fairly easily -
 a combo filter -
 #combo-stockspammer-png.txt
 SKIPIFWEIGHT 26
 TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
 BODY 5 CONTAINS Content-Type: image/png;
 #
 The body regex is this:
 src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

 -Nick

  






-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Jonathan,

I urge caution from experience... png images are not entirely rare,
and the cid: tag format in the regex is also common.

I'd love to be wrong - but I recall false positives with similar
attempts in the past.

Is there more to this than the two elements I just described -
something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

 Nick, very good method.  I have added that to my configuration as well now.

 - Original Message - 
 From: Nick Hayer [EMAIL PROTECTED]
 To: Message Sniffer Community sniffer@sortmonster.com
 Sent: Tuesday, June 06, 2006 10:05 AM
 Subject: Re: [sniffer]Numeric spam topic change to png stock spam


 Hi Markus -

 Markus Gufler wrote:

 There is also another type of spam (stock spam now with attached png
 image)
 this morning passing our filters.
 
 I am catching these fairly easily -
 a combo filter -
 #combo-stockspammer-png.txt
 SKIPIFWEIGHT 26
 TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
 BODY 5 CONTAINS Content-Type: image/png;
 #
 The body regex is this:
 src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

 -Nick

 
 










-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Nick Hayer




Pete McNeil wrote:

  Hello Nick,

What is your false positive rate with that pattern?

Hmm let's go to the MDLP for yesterday :)

                  SS   HH  HS  SH  SA        SQ
REGEX.STOCK.BODY  331  0   0   66  0.667506  0.445565
COMBO.STOCK_PNG   16   0   0   1   0.882353  0.778547

The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]
The png combo I just did it last night when I first saw the spam. So
far I have not seen any fp. [ I combo it (the regex) with other tests as
well - which makes it much more reliable.]

-Nick

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

Hi Markus -

Markus Gufler wrote:

There is also another type of spam (stock spam now with attached png image)
this morning passing our filters.

I am catching these fairly easily -
a combo filter -
#combo-stockspammer-png.txt
SKIPIFWEIGHT 26
TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
BODY 5 CONTAINS Content-Type: image/png;
#
The body regex is this:
src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick
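
The combo filter and the MDLP figures from this exchange, as an added Python example; it is not part of Nick's post or of Declude. The reading of each filter line, the optional quote in the regex, the sample bodies (all constructed) and the SA/SQ formulas are assumptions; the formulas are inferred only because they reproduce the table's numbers.

```python
import re

# Nick's body regex as posted. The optional quote after src= is an assumption:
# the archive appears to have dropped quote characters from the message.
STOCK_CID = re.compile(r'src="?cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@')
REGEX_TEST = "EXTERNAL.REGEX.STOCKSPAMMER.BODY"
PNG_MARKER = "Content-Type: image/png;"


def regex_hit(body):
    return STOCK_CID.search(body) is not None


def combo_weight(body, failed_tests, weight_so_far):
    """Weight the combo filter adds, one filter line per step (assumed reading)."""
    if weight_so_far >= 26:              # SKIPIFWEIGHT 26
        return 0
    if REGEX_TEST not in failed_tests:   # TESTSFAILED END NOTCONTAINS ...
        return 0
    return 5 if PNG_MARKER in body else 0  # BODY 5 CONTAINS Content-Type: image/png;


def score(body, weight_so_far=0):
    """Return (regex test hit, weight added by the combo filter)."""
    hit = regex_hit(body)
    failed = {REGEX_TEST} if hit else set()
    return hit, combo_weight(body, failed, weight_so_far)


def agreement(ss, hh, hs, sh):
    """SA and SQ as they appear to be derived in the table (inferred)."""
    total = ss + hh + hs + sh
    sa = (ss + hh - hs - sh) / total
    return round(sa, 6), round(sa * sa, 6)


# Constructed message bodies. The last two are legitimate mail that happens to
# carry an inline image with the same style of Content-ID.
SAMPLES = {
    "stock_png_spam": (
        'Content-Type: image/png;\n name="chart.png"\n\n'
        '<img src="cid:000c01c68971$1a2b3c4d$0100007f@desk">'
    ),
    "plain_text": "Content-Type: text/plain;\n\nSee you at lunch.",
    "newsletter_jpeg": (
        'Content-Type: image/jpeg;\n name="logo.jpg"\n\n'
        '<img src="cid:000901c6896f$5e6f7a8b$6401a8c0@office">'
    ),
    "screenshot_png": (
        'Content-Type: image/png;\n name="screen.png"\n\n'
        '<img src="cid:000301c68a02$9c8d7e6f$0a00000a@laptop">'
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print("%-16s regex=%s combo=+%d" % ((name,) + score(body)))
    print("REGEX.STOCK.BODY", agreement(331, 0, 0, 66))
    print("COMBO.STOCK_PNG ", agreement(16, 0, 0, 1))
```

The constructed `screenshot_png` body trips both the regex and the combo, which is the case Pete's caution about png images and the cid: format is about; the combo only narrows the regex, it does not make the pair specific to spam.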

  
  
  
  

   

  

  
  

  
  



[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Nick,

Thanks.

That's all good then :-)

_M

Tuesday, June 6, 2006, 10:46:55 AM, you wrote:


  Pete McNeil wrote:

 Hello Nick,

 What is your false positive rate with that pattern?

  Hmm let's go to the MDLP for yesterday  :)

                     SS   HH  HS  SH  SA        SQ
  REGEX.STOCK.BODY   331  0   0   66  0.667506  0.445565
  COMBO.STOCK_PNG    16   0   0   1   0.882353  0.778547

  The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]
  The png combo I just did it last night when I first saw the spam.
 So far I have not seen any fp. [ I combo it (the regex) with other
 tests as well - which makes it much more reliable.]

  -Nick

 _M

 Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

 Hi Markus -

 Markus Gufler wrote:

 There is also another type of spam (stock spam now with attached png image)
 this morning passing our filters.

 I am catching these fairly easily -
 a combo filter -
 #combo-stockspammer-png.txt
 SKIPIFWEIGHT 26
 TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
 BODY 5 CONTAINS Content-Type: image/png;
 #
 The body regex is this:
 src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

 -Nick



-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Andrew,

Tuesday, June 6, 2006, 11:44:46 AM, you wrote:

 David,

 Are you using the free version of sniffer? Or did you deliberately
 change your .exe name in your posting to sniffer.exe to hide your licence 
 number?

 I certainly expect that the rulebase lag with the free version will
 result in lower Message Sniffer hit rates.

Actually, since we've been offering production ready 30 day trials,
what once was the free version (as you put it) has been reduced to a
technology demonstrator. It is only useful for proving your system
configuration and barely catches spam at all ;-)

I believe the sniffer.snf rulebase has not been maintained in some
time.

 I've seen the free version with hit rates as low as 10% on the
 remaining messages that have been already filtered by a gateway,
 which I thought was still decent because these were the messages
 that had already evaded the blacklist tests.  And free is good.

 On the same system, I noted that this made Sniffer about half as
 effective as fresh SURBL/URIBL testing, but I had no way to compare their 
 overlap.

Interesting.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Jonathan Hickman
Because a small amount of weight is added, it is still sufficient for
tilting the scales on more occurrences than other image types.

- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock
spam


 Hello Jonathan,

 I urge caution from experience... png images are not entirely rare,
 and the cid: tag format in the regex is also common.

 I'd love to be wrong - but I recall false positives with similar
 attempts in the past.

 Is there more to this than the two elements I just described -
 something I'm not seeing?

 _M

 Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

  Nick, very good method.  I have added that to my configuration as well
now.

  - Original Message - 
  From: Nick Hayer [EMAIL PROTECTED]
  To: Message Sniffer Community sniffer@sortmonster.com
  Sent: Tuesday, June 06, 2006 10:05 AM
  Subject: Re: [sniffer]Numeric spam topic change to png stock spam


  Hi Markus -
 
  Markus Gufler wrote:
 
  There is also another type of spam (stock spam now with attached png
  image)
  this morning passing our filters.
  
  I am catching these fairly easily -
  a combo filter -
  #combo-stockspammer-png.txt
  SKIPIFWEIGHT 26
  TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
  BODY 5 CONTAINS Content-Type: image/png;
  #
  The body regex is this:
  src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
 
  -Nick
 
  
  
 
 
 







 -- 
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.










[sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Pete McNeil
Hello Matt,

Tuesday, June 6, 2006, 12:37:56 PM, you wrote:

<snip/>

 appropriately and tend to hit less often, but the FP issues with
 Sniffer have grown due to cross checking automated rules with other
 lists that I use, causing two hits on a single piece of data.  For
 instance, if SURBL has an FP on a domain, it is possible that
 Sniffer will pick that up too based on an automated cross reference,
 and it doesn't take but one  additional minor test to push something
 into Hold on my system.

Please note. It has been quite some time now that the cross-reference
style rule-bots have been removed from our system. In fact, at the
present time we have no automated systems that add new domain rules.

Another observation I might point out is that many RBLs will register
a hit on the same IP - weighting systems using RBLs actually depend on
this. An IP rule hit in SNF should be treated similarly to other RBL
type tests. This is one of the reasons that we code IP rules to group
63 - so that they are trumped by a rule hit in any other group and
therefore are easily isolated from the other rules.

<snip/>

 handling false positive reports with Sniffer is cumbersome for both
 me and Sniffer.

The current process has a number of important goals:

* Capture as much information as possible about any false positive so
that we can improve our rule coding processes.

* Preserve the relationship with the customer and ensure that each
case reaches a well-informed conclusion with the customer's full
knowledge.

* Protect the integrity of the rulebase.

This link provides a good description of our false positive handling
process:

http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives

Can you recommend an alternate process, or changes to the existing
process that would be an improvement and would continue to achieve
these goals? We are always looking for ways to improve.

 I would hope that any changes
 seek to increase accuracy above all else.  Sniffer does a very good
 job of keeping up with spam, and its main issues with leakage are
 caused by  not being real-time, but that's ok with me.  At the same
 time Sniffer is the test most often a part of false positives, being
 a contributing  factor in about half of them.

Log data shows that SNF tags on average more than 74% of all email
traffic and a significantly higher percentage of spam typically.

It would seem that it is likely that SNF would also represent highly
in the percentage of false positives (relative to other tests with
lower capture rates) for any given system since it is represented
highly in email traffic as a whole.

You've also indicated that you weight SNF differently than your other
tests - presumably giving it more weight (this is frequently the case
on many systems).

How much do you feel these factors contribute to your findings?

   About 3/4 of all FP's (things that are  blocked by my system) are
 some form of automated or bulk E-mail.  That's not to say that other
 tests are more accurate; they are just scored more appropriately and
 tend to hit less often, but the FP issues with Sniffer have grown
 due to cross checking automated rules with other lists that I use,
 causing two hits on a single piece of data,

W/regard causing two hits on a single piece of data: SNF employs a
wide variety of techniques to classify messages so it is likely that a
match in SNF will coincide with a match in some other tests. In fact,
as I pointed out earlier, filtering systems that apply weights to
tests depend on this very fact to some extent.

What makes weighting systems powerful is that when more than one test
does trigger on a piece of data, such as an IP or URI fragment, that
the events leading up to that match were distinct for each of the
matching test. This is the critical component to reducing errors
through a voting process.

Test A uses process A to reach conclusion Z.

Test B uses process B to reach conclusion Z.

Process A is different from process B and so the inherent errors in
process A are different than the errors in process B and so we presume
it is unlikely that an error in Test A will occur under the same
conditions as the errors in Test B.

If a valid test result is the signal we want, and an erroneous test
result is noise on top of that signal then it follows:

By combining the results of Test A and Test B we have the opportunity
to increase the signal to noise ratio to the extent our assumptions
about errors are true. In fact, if no error occurs in both A and B
under the same circumstances, then defining a new test C as (A+B/2)
will produce a signal that is twice as clear as test A or B on its
own.

If I follow what you have said about false positives and SNF matching
other tests, then you are describing a situation where the process for
SNF and the alternate tests are the same - or put another way, that
SNF somehow represents a copy of the other test and so will also
contain the same errors. If that's the case then the 
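
The voting argument in this message, worked as an exact calculation in an added Python example that is not from the thread. The test names, weights, false-positive rates and hold threshold are constructed; independent errors are the assumption Pete states, and the "mirrors" option models the case where one test copies another's result and therefore its errors.

```python
from itertools import product


def hold_probability(tests, threshold, mirrors=None):
    """Exact probability that a legitimate message reaches `threshold`.

    tests:   {name: (weight, false_positive_rate)}
    mirrors: {copy: source}; the copy repeats the source's result, so it
             contributes weight but no independent evidence.
    Tests not listed in `mirrors` err independently of one another.
    """
    mirrors = mirrors or {}
    free = [name for name in tests if name not in mirrors]
    total = 0.0
    # Enumerate every hit/miss combination of the independent tests.
    for outcome in product((0, 1), repeat=len(free)):
        hit = dict(zip(free, outcome))
        prob = 1.0
        for name in free:
            rate = tests[name][1]
            prob *= rate if hit[name] else 1.0 - rate
        for copy, source in mirrors.items():
            hit[copy] = hit[source]
        weight = sum(tests[name][0] for name in tests if hit[name])
        if weight >= threshold:
            total += prob
    return total


def copy_penalty(tests, threshold, mirrors):
    """How many times more often a good message is held once a test is a copy."""
    return hold_probability(tests, threshold, mirrors) / hold_probability(tests, threshold)


# Constructed weighting: two tests that can both fire on one piece of data
# (a URI list and a rule derived from the same data) plus one minor test.
# No two of them reach the hold threshold; all three together do.
TESTS = {
    "uri_list": (4, 0.01),
    "cross_ref_rule": (4, 0.01),
    "minor_test": (3, 0.05),
}
HOLD = 10

if __name__ == "__main__":
    independent = hold_probability(TESTS, HOLD)
    copied = hold_probability(TESTS, HOLD, mirrors={"cross_ref_rule": "uri_list"})
    print("independent errors: %.6f" % independent)  # 0.000005
    print("rule copies list:   %.6f" % copied)       # 0.000500
    print("penalty: %.0fx" % copy_penalty(TESTS, HOLD, {"cross_ref_rule": "uri_list"}))
```

With independent errors all three tests must be wrong at once before a good message is held; when the rule merely repeats the list, one list error plus the minor test is enough, which is the situation Matt describes.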

[sniffer]Re[2]: [sniffer]Ebay Phishing Emails getting through

2006-05-18 Thread Pete McNeil
Hello Andrew,

Wednesday, May 17, 2006, 5:35:36 PM, you wrote:

 Certainly, submitting samples to spam@ (or preferably your 
 local spam submission point polled by our bots) will put 
 these messages in front of us if we have not already created 
 rules for them.

 I've just manually submitted the ~35 messages that my filters triggered
 on for phishing that didn't trigger Message Sniffer today but ended up
 in my HOLD folder anyway due to their total spamminess.

 Most of them are against eBay and came from Germany.

If your overall false positive rate is low enough then it would be
great if you could automate that process to create a synthetic
spamtrap. Somehow, take the most spammy of the messages that get past
SNF and send them to a special account on your system from which our
robots could pull the messages. Since we code rules 24x7x365 we
would be able to respond to these quickly and (from your perspective)
automatically.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Pete McNeil
Hello Daniel,

Wednesday, May 17, 2006, 3:07:38 PM, you wrote:

 I've gotten one myself.

 The pharmacy ones, are still coming through too for that matter.

Here is what the latest wave has looked like from here (attached
image).

You can see, starting about 24 hours ago a jagged, but fairly regular
climbing series of spikes. Each is a new wave of variants on the
current campaigns. Most notably, the medications drug spam,
chatty drugs, russian porn, phishing (especially localized versions),
and stuff-for-free* surveys.

Of course a variety of the usual players is well mixed in.

During the previous 24 hours things were _relatively_ quiet.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

getchart.jsp.png
Description: PNG image



Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Pete McNeil
On Friday, May 5, 2006, 11:02:00 AM, Darin wrote:

DC Not just drugs, but some others too have been slipping through the past
DC couple of days.  We've reported a little under 40 in the past couple of
DC days.

We saw a bit of a lull, then a rash of new campaigns bunched together
with some new obfuscation techniques. We're getting a handle on it
now. Looks like the burst started about 30 hours ago and is tailing
off now.

Attached image - new arrival rates last 2 days.



getchart.jsp.png
Description: PNG image


Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Pete McNeil
We've had that rule before and had to pull it for false positives.

_M


On Friday, May 5, 2006, 11:41:50 AM, John wrote:

JTL FYI, I created a Declude Filter:

JTL Subject END NOTCONTAINS news
JTL BODY 25 CONTAINS http://geocities.com/

JTL Been catching every one like that.

JTL John T
JTL eServices For You

JTL Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
JTL On
 Behalf Of Daniel Bayerdorffer
 Sent: Friday, May 05, 2006 7:38 AM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer
 
 Here too.
 
 --
 Daniel Bayerdorffer  [EMAIL PROTECTED]
 Numberall Stamp  Tool Co., Inc.
 PO Box 187 Sangerville, ME 04479 USA
 TEL 207-876-3541  FAX 207-876-3566
 www.numberall.com
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
  Sent: Friday, May 05, 2006 10:34 AM
  To: sniffer@sortmonster.com
  Subject: [sniffer] Lot of Drugs Spam getting through sniffer
 
  The last few days tons of Drugs spam is coming in and sniffer
  is catching
  none of it.
 
  Chuck Schick
  Warp 8, Inc.
  (303)-421-5140
  www.warp8.com
 
 
 
  This E-Mail came from the Message Sniffer mailing list. For
  information and (un)subscription instructions go to
  http://www.sortmonster.com/MessageSniffer/Help/Help.html
 
 
 
 
 


RE: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John T (Lists)
Well, I am at the point that I could care less about geocities false
positives. If GeoCities is going to allow this much spam junk then I could
care less about allowing them.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Friday, May 05, 2006 9:09 AM
 To: John T (Lists)
 Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer
 
 We've had that rule before and had to pull it for false positives.
 
 _M
 
 
 On Friday, May 5, 2006, 11:41:50 AM, John wrote:
 
 JTL FYI, I created a Declude Filter:
 
 JTL Subject END NOTCONTAINS news
 JTL BODY 25 CONTAINS http://geocities.com/
 
 JTL Been catching every one like that.
 
 JTL John T
 JTL eServices For You
 
 JTL Seek, and ye shall find!
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 JTL On
  Behalf Of Daniel Bayerdorffer
  Sent: Friday, May 05, 2006 7:38 AM
  To: sniffer@SortMonster.com
  Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer
 
  Here too.
 
  --
  Daniel Bayerdorffer  [EMAIL PROTECTED]
  Numberall Stamp  Tool Co., Inc.
  PO Box 187 Sangerville, ME 04479 USA
  TEL 207-876-3541  FAX 207-876-3566
  www.numberall.com
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
   Sent: Friday, May 05, 2006 10:34 AM
   To: sniffer@sortmonster.com
   Subject: [sniffer] Lot of Drugs Spam getting through sniffer
  
   The last few days tons of Drugs spam is coming in and sniffer is catching
   none of it.
  
   Chuck Schick
   Warp 8, Inc.
   (303)-421-5140
   www.warp8.com
  
  
  


Re[2]: [sniffer] Message loop

2006-04-20 Thread Pete McNeil
Yes, I'm sorry. I'm still working on that with the back-end server
guys over there. I am getting your messages though. Please ignore the
jsmith bounces for now. I will keep on them.

Thanks!

_M

On Thursday, April 20, 2006, 12:11:25 PM, Scott wrote:

SF Still happening when I reply to false positive messages from you:

SF Failed to deliver to '[EMAIL PROTECTED]'
SF mail loop: too many hops (too many 'Received:' header fields)

SF - Original Message - 
SF From: Pete McNeil [EMAIL PROTECTED]
SF To: Matt sniffer@SortMonster.com
SF Sent: Wednesday, April 19, 2006 7:03 PM
SF Subject: Re: [sniffer] Message loop


 On Wednesday, April 19, 2006, 7:20:01 PM, Matt wrote:

 M Pete,
 M
 M I tried replying to some FP reports and I received back some loop
 M reports from your gateway:
 M
 M Failed to deliver to '[EMAIL PROTECTED]'
 M mail loop: too many hops (too many 'Received:' header fields)

 I'm aware of the problem. It's actually a problem on our partners'
 servers. They are making a transition and the destination server is
 unhappy about the number of hops required to get there through our
 forwarding chain.

 I believe they have adjusted these settings this afternoon to
 compensate.

 Thanks!

 _M





Re[2]: [sniffer] False positive processing

2006-03-21 Thread Pete McNeil
On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote:

DC Nope.  None of them.

DC I haven't heard back from the replies to a couple of false positives on the
DC 10th, and we haven't heard anything from our submissions on the 16th (6) and
DC 17th (2).  I don't remember if we've heard anything from those on the 15th
DC (4).

Right now I'm preparing to process FPs. I have a total of 24. 15 from
you. I don't show any others pending. When I'm done I'll go back and
look at the 10th, 16th, and 17th to see if I received and responded.

_M





Re[2]: [sniffer] New Web Site!

2006-03-17 Thread Pete McNeil
On Friday, March 17, 2006, 11:53:58 AM, John wrote:

JTL What is the purpose of using a WIKI site?

A few things really -

* It's fast and easy to create, update, and correct the content.
Things happen quickly here and in the messaging security business in
general. It makes sense to use tools that can adapt just as quickly
and with as little friction as possible.

* Some of our user community contribute software and technical
knowledge on a regular basis. A wiki makes that process easier. This
is particularly useful where SNF overlaps with other software - The
folks who use, develop, or maintain that software can now participate
openly in developing documentation for that work.

* We've always maintained a collaborative relationship with our
customers and this helps to enforce that point.

* One of the things we've always encouraged is the sharing of
information related to, but not necessarily about SNF. For example, it
is not uncommon for a discussion about integrating SNF with a mail
server to branch off into a wide range of loosely related topics from
DNS, to server and network performance, to handy tools and tricks.

We have a lot of experts in our community. Quite often, difficult-to-find
solutions lurk in the context of the discussions on and off our
list. Now those solutions can be captured here in the natural context
in which they came up so that they will be easy to find.

--

Consider this approach part of fostering a strong user community and
providing a resource that goes beyond our own products and services.

At the end of the day we are working shoulder to shoulder with the
developers, managers, administrators, and users of all kinds of
systems. We want this wiki to be a valuable resource for anybody who
uses SNF, and lots of folks who don't (yet).

_M







Re: Re[2]: [sniffer] New RuleBot F002 Online

2006-03-13 Thread Darin Cox
Hi Pete,

Don't worry about customizing our local rulebase for this.  Just take this
as a simple suggestion for future segregation to make it easy for new
rulesets to be addressed differently in weighting schemes.

Thanks for all of your efforts!

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Monday, March 13, 2006 10:23 AM
Subject: Re[2]: [sniffer] New RuleBot F002 Online


On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:

DC Totally agree.  I'd like to see some separation between rules created by
DC newer rulebots and preexisting rules.  That way if there becomes an issue
DC with a bot, we can turn off one group quickly and easily.

There is no way to do this without completely reorganizing the result
codes or defeating the competitive ranking mechanisms.

If you feel strongly about it I can move these rule groups to lower
numbers on your local rulebase or make some other numbering scheme -
but I don't recommend it. Moving these rule groups to lower numbers
would cause them to win competitions with other rules where they would
normally not win.

At some point in the future we might renumber the rule groups again,
but I like to avoid this since there are so many folks that just don't
get the message (no matter what we do to publish it) when we make
changes like this and so any large scale changes tend to cause
confusion for very long periods.

For example: I still, on occasion, have questions about the
gray-hosting group which has not existed for quite a long time.

So far there has not been one FP reported on bot F002 and extremely
few on F001 - the vast majority of those associated with the very
first group of listings prior to the last two upgrades for the bot.

_M





Re[2]: [sniffer] F001 Rule Bot Change

2006-03-09 Thread Pete McNeil
On Thursday, March 9, 2006, 8:48:43 AM, Nick wrote:

NH Hi Pete -

NH Pete McNeil wrote:

Hello Sniffer Folks,

  The F001 Rule Bot has been adjusted. 

NH Is it possible for you to recommend a percentage of accuracy or maybe 
NH better stated a percentage of delete weight for each rule?  I  am 
NH wondering which rules you feel are the weakest and which are the 
NH strongest.  I am well aware 'mileage may vary' but just your thoughts on
NH reliability would be insightful.  Currently the rules I trust the most
NH are at 90% of my hold weight which overall is less than 50% of my delete
NH weight. Rules that I trust the least like general and experimental are
NH at ~ 40% of my hold weight.

It's a bit too early to know about the reliability of F001. So far the
number of false positives has fallen quite sharply and continues to
fall from what I can see. In addition, the new constraints on F001
will cause it to be much more reliable still (w/ regard to FPs).

I would say that the most conservative weight for symbol 63 would be
to weight it at the same weight as your average IP based blacklist.

A more moderate position might have the lowest rated SNF tests at
about 70% of your hold weight (this seems to be fairly common).

Hope this helps,

_M


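The weighting advice in the reply above, as an added example that is not part of the original thread and is not Declude or Message Sniffer code: a small model of weight-based scoring that shows how the weight chosen for SNF symbol 63 trades held legitimate mail against missed spam. The thresholds, the blacklist weight, the test names and the sample traffic are all assumed values.

```python
# Added illustration: a minimal model of weight-based spam scoring.
# Every threshold, weight and message below is constructed for the example.

HOLD = 100          # assumed hold threshold
DELETE = 250        # assumed delete threshold (hold is under 50% of delete)
IP_BLACKLIST = 35   # assumed weight of an average IP-based blacklist
HELO_BOGUS = 15     # assumed weight of a minor, hypothetical test

# Weight given to SNF symbol 63 under each scheme discussed in the thread.
SCHEMES = {
    "same-as-ip-blacklist": IP_BLACKLIST,  # most conservative suggestion
    "70%-of-hold": HOLD * 70 // 100,       # moderate suggestion
    "90%-of-hold": HOLD * 90 // 100,       # weight used for most-trusted rules
    "hold-on-any-hit": HOLD,               # one SNF hit alone holds the message
}

# (description, is_spam, tests the message failed): constructed sample traffic
MESSAGES = [
    ("legit, hit only by symbol 63", False, ["SNF63"]),
    ("legit, symbol 63 + one IP blacklist", False, ["SNF63", "IPBL_A"]),
    ("spam, symbol 63 only", True, ["SNF63"]),
    ("spam, symbol 63 + two IP blacklists", True, ["SNF63", "IPBL_A", "IPBL_B"]),
    ("spam, two IP blacklists, no SNF hit", True, ["IPBL_A", "IPBL_B"]),
    ("spam, symbol 63 + bogus HELO", True, ["SNF63", "HELO_BOGUS"]),
]


def weights_for(snf63_weight):
    """Full weight table for one scheme; only the SNF63 weight varies."""
    return {
        "SNF63": snf63_weight,
        "IPBL_A": IP_BLACKLIST,
        "IPBL_B": IP_BLACKLIST,
        "HELO_BOGUS": HELO_BOGUS,
    }


def action(failed, weights):
    """Sum the weights of the failed tests and map the total to an action."""
    total = sum(weights[test] for test in failed)
    if total >= DELETE:
        return "DELETE"
    if total >= HOLD:
        return "HOLD"
    return "DELIVER"


def evaluate(snf63_weight, messages=MESSAGES):
    """Count legitimate mail that gets stopped and spam that gets delivered."""
    weights = weights_for(snf63_weight)
    false_holds = missed_spam = 0
    for _description, is_spam, failed in messages:
        stopped = action(failed, weights) != "DELIVER"
        if stopped and not is_spam:
            false_holds += 1
        if not stopped and is_spam:
            missed_spam += 1
    return {"false_holds": false_holds, "missed_spam": missed_spam}


def corroboration_needed(snf63_weight):
    """IP blacklist hits needed on top of one symbol-63 hit to reach HOLD."""
    shortfall = max(0, HOLD - snf63_weight)
    return -(-shortfall // IP_BLACKLIST)  # ceiling division


def compare():
    """Evaluate every scheme against the same sample traffic."""
    return {
        name: dict(evaluate(w), corroboration=corroboration_needed(w))
        for name, w in SCHEMES.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:22} {result}")
```

The lower the weight, the more independent tests must agree before a false listing on symbol 63 can hold a legitimate message.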


RE: Re[2]: [sniffer] New Rulebot F001

2006-03-08 Thread Support Traction IT

I also have got a lot of false positives with code 063 which are HOLD now.
I know it's not very nice to set email on HOLD when failing sniffer but
I've got a major problem with spam and until a few days ago this was going
well, at least a few false positives in a week. 


03/07/2006 20:12:44.628 qdb2402d03b56.smd Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
l6l0ow6m20060307191244  Ddb2402d03b56.smd   31  31  Match   672578  63  142 176 65
l6l0ow6m20060307191244  Ddb2402d03b56.smd   31  31  Final   672578  63  0   281965


Could this please stop, sniffer was pretty reliable for us, but not at the
moment.


Regards,

Marcel Sangers
Traction IT



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: dinsdag 7 maart 2006 0:18
To: Darin Cox
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC We just reviewed this morning's logs and had a few false positives.  
DC Not sure if these are due to the new rulebot, but it's more than 
DC we've had for the entire day for the past month.

DC Rules
DC --
DC 873261
DC 866398
DC 856734
DC 284831
DC 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227


I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M







RE: Re[2]: [sniffer] declude tests

2006-03-07 Thread Harry Vanderzand
Thanks so much Pete

I got it all sorted out

Phew

It's humming along just fine with each individual test.

I look forward to the day that there are more GUIs in products like this.

That way I can choose what I want done but the software does the configuring
for me and thus eliminates syntax errors and other misunderstandings.

Both declude and sniffer would benefit greatly from that.

A future wish

Thanks again



Harry Vanderzand 
inTown Internet  Computer Services 
519-741-1222


 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, March 07, 2006 6:28 PM
 To: Harry Vanderzand
 Subject: Re[2]: [sniffer] declude tests
 
 On Tuesday, March 7, 2006, 6:20:04 PM, Harry wrote:
 
 HV I guess I am not understanding something here after all this time
 
 HV So as I understand I leave the persistent word out of the declude 
 HV config and just run the service?
 
 YES. :-)
 
 The instances launched by Declude will recognize that the 
 service is running and will elect to be peer-client instances 
 automatically.
 
 Also, if the service fails for any reason then they will 
 automatically adopt peer-server mode.
 
 (In Peer-Server mode, instances take turns acting as a 
 service for short periods to improve performance.)
 
 Hope this helps,
 
 _M
 
 
 


Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Pete McNeil

On Monday, March 6, 2006, 3:13:53 PM, Jay wrote:

JSHNL There's been at least one FP ;)

JSHNL --
JSHNL Rule - 861038
JSHNL Name            F001 for Message 2888327: [216.239.56.131]
JSHNL Created         2006-03-02
JSHNL Source          216.239.56.131
JSHNL Hidden          false
JSHNL Blocked         false
JSHNL Origin          Automated-SpamTrap
JSHNL Type            ReceivedIP
JSHNL Created By      [EMAIL PROTECTED]
JSHNL Owner           [EMAIL PROTECTED]
JSHNL Strength        2.08287379496965
JSHNL False Reports   0

Yes, sorry about the confusion. The original announcement happened
about 3 days before that FP. The note was a resend this afternoon so
that Karen (Tink) could update the web site with recent news.

In fact, both of those notes were resends... The originals didn't make
it because I transposed the s and n near the t in sortmonster.

Sorry again for the confusion.

_M





Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Pete McNeil
On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC We just reviewed this morning's logs and had a few false positives.  Not
DC sure if these are due to the new rulebot, but it's more than we've had for
DC the entire day for the past month.

DC Rules
DC --
DC 873261
DC 866398
DC 856734
DC 284831
DC 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227


I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M







RE: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Colbeck, Andrew
Pete,

One of these was EarthLink [207.217.120.227], and one of these was
Google Mail [64.233.166.182].

SpamBag lists the EarthLink address as a source of bogus bounces, and I
posit that this would be the source of the mail to the spamtraps that
would trigger the F001 bot.

I would like to state that I don't need Message Sniffer to identify
servers that send bogus postmaster notifications.  This would be
entirely due to false positives such as the three examples above.

Given that spammers clearly recycle their email database as a
fake-mailfrom database, any spamtrap address will get bogus bounces and
therefore, the spamtraps will flag legitimate senders' IP addresses in
Rule 63.

I don't expect nor want you to discuss the details of the spamtraps as
the point of one class of your spamtraps is that their methods are
secret.  However, Matt has described a subset of the filters various
Decluders have used to filter out postmaster bounces and other reflected
noise, and I can certainly chip in on that conversation offline.

Andrew.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Monday, March 06, 2006 3:18 PM
 To: Darin Cox
 Subject: Re[2]: [sniffer] New Rulebot F001
 
 On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:
 
 DC We just reviewed this morning's logs and had a few false positives.
 DC Not sure if these are due to the new rulebot, but it's more than
 DC we've had for the entire day for the past month.
 
 DC Rules
 DC --
 DC 873261
 DC 866398
 DC 856734
 DC 284831
 DC 865663
 
 Three of these are from F001 and have been removed.
 
 865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
  http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182
 
 856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
  http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200
 
 873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
  http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227
 
 
 I haven't yet processed the fps, only looked up the rules.
 
 There are currently 32820 rules authored by the F001 bot.
 
 Hope this helps,
 
 _M
 
 
 
 
 
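The bogus-bounce problem described in the post above, as an added example that is not part of the original thread and is not how Message Sniffer's spamtraps or the F001 bot work: an intake check for a spamtrap feed that recognizes delivery status notifications and auto-replies and declines to list the relaying server's IP. The function names, the header heuristics and both sample messages (which use documentation address ranges) are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Local parts commonly used by mail systems for bounces (assumed heuristic list).
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster"}
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a delivery status notification reflected to a trap address.
SAMPLE_DSN = """\
Received: from mx.example.net (mx.example.net [192.0.2.25])
 by trap.example.org with ESMTP; Mon, 6 Mar 2006 15:00:00 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON@example.net>
To: trap@example.org
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1--
"""

# Constructed sample: mail delivered straight to the trap by its sender.
SAMPLE_DIRECT = """\
Received: from host.bulk.example (unknown [198.51.100.77])
 by trap.example.org with SMTP; Mon, 6 Mar 2006 15:01:00 -0500
From: Offers <offers@bulk.example>
To: trap@example.org
Subject: Special offer
Content-Type: text/plain

Buy now.
"""


def is_reflected(msg, envelope_from):
    """True when the message looks like a bounce or other automatic reply."""
    sender = envelope_from.strip().strip("<>").lower()
    # Bounces are sent with the null reverse-path "<>" (RFC 5321).
    if sender == "":
        return True
    # Delivery status notifications use multipart/report (RFC 3462/3464).
    if msg.get_content_type() == "multipart/report":
        if str(msg.get_param("report-type") or "").lower() == "delivery-status":
            return True
    # Automatic responders label their mail with Auto-Submitted (RFC 3834).
    auto = str(msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return True
    # Fallback for systems that bounce from a named mailbox.
    return sender.split("@")[0] in BOUNCE_LOCALPARTS


def connecting_ip(msg):
    """IP recorded by the trap's own MTA in the topmost Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = BRACKETED_IPV4.search(str(received[0]))
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:  # e.g. an octet above 255
        return None


def trap_decision(raw_message, envelope_from):
    """Return (action, ip, reason) for one message received by a spamtrap."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ip = connecting_ip(msg)
    if ip is None:
        return ("skip", None, "no usable connecting IP")
    if is_reflected(msg, envelope_from):
        return ("skip", ip, "bounce or auto-reply: relay is a reflector")
    return ("list", ip, "direct delivery to spamtrap")


if __name__ == "__main__":
    print(trap_decision(SAMPLE_DSN, "<>"))
    print(trap_decision(SAMPLE_DIRECT, "<offers@bulk.example>"))
```

A null sender is trivial to forge, so "skip" here means only "do not auto-list this IP"; the message content can still be scanned by other rules.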


Re: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Darin Cox
Thanks, Pete.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Monday, March 06, 2006 6:17 PM
Subject: Re[2]: [sniffer] New Rulebot F001


On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC We just reviewed this morning's logs and had a few false positives.  Not
DC sure if these are due to the new rulebot, but it's more than we've had for
DC the entire day for the past month.

DC Rules
DC --
DC 873261
DC 866398
DC 856734
DC 284831
DC 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227


I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M







Re[2]: [sniffer] New rulebase compilers online.

2006-03-06 Thread Pete McNeil
On Monday, March 6, 2006, 6:09:43 PM, Matt wrote:

M Pete,

M Does this mean that you are somehow supporting incremental rule base 
M updates, or is it that the compiler is just much faster so we will get
M the same number of updates, but generally get them 40-120 minutes 
M earlier in relation to the data that generated them?

The latter. Incremental updates are coming with the V3 engine. We will
have real time reporting and tuning before that.

The new behavior for the compiler bots is to seek out any eligible
rulebases that match the profile of the previously compiled rulebase
and to use the cached data to build the new rulebase provided it is
discovered within a short enough period (a matter of seconds). This is
called replication. Replication happens in seconds. Compiling a
rulebase takes between 5 and 35 minutes depending on the complexity.

While I have seen occasional spikes, I generally now see unfinished,
eligible rulebase counts in the low teens and estimated lag in the
single digits.

M Either way, definitely an improvement.  The closer to real-time we can
M get, the better.

:-)

_M




Re[2]: [sniffer] Sniffer, MDLP, and invURIBL?

2006-02-25 Thread Pete McNeil
On Saturday, February 25, 2006, 1:38:53 PM, Joe wrote:

JW I would actually prefer that MDLP autotune the weight for
JW invURIBL, but since the weights are managed by invURIBL and not
JW Declude I don't know how this will work.

I'm not familiar enough with invURIBL to know how it is configured.
However, as long as its maximum and minimum weights are in a
reasonable range, then if you exclude it from MDLP you should be ok.

MDLP's AI tries to optimize the weights of the tests it can manipulate
so that the most accurate total scores are provided. If there are
tests it cannot adjust then it is forced to work around those with the
other tests.

The results are not predictable (the task is far too dynamic and
contains far too many variables) but they should be sane and correct.

_M





Re[2]: [sniffer] Running sniffer as a service

2006-02-24 Thread Pete McNeil
On Friday, February 24, 2006, 7:13:47 AM, Jeff wrote:

JP Do I need to modify anything in my Declude configuration file where it calls
JP the SNIFFER test in order for this to function ??

No. You set up a persistent instance outside of Declude and the other
SNF instances adapt automatically.

_M






Re[2]: [sniffer] When to go persistent

2006-02-23 Thread Pete McNeil
On Thursday, February 23, 2006, 11:53:51 AM, LLC wrote:

JISL I'm investigating the persistent mode and read the info on the web site.
JISL Can't make heads or tails of it.

JISL How do I enable persistent mode on a Windows 2003 Server?  The web site speaks
JISL hypothetically, but the information is not practical.

JISL From the message at
JISL http://www.mail-archive.com/sniffer@sortmonster.com/msg00165.html it would
JISL seem that you need an external utility to run Sniffer in persistent mode,
JISL but the link to
JISL http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html
JISL is no longer valid.

JISL What exact steps are needed to run in persistent mode on Windows 2003
JISL Server?

Sorry about that... the Judoscript site comes and goes lately. (Maybe
permanently gone this time).

To run in persistent mode, simply launch an instance of SNF from the
command line with the word persistent in place of the file to scan.

licenseid.exe authentication persistent

The persistent instance will be recognized by all of the other
instances (those are launched by your email server usually - one per
message).

When a persistent instance is present it will keep the rulebase loaded
in memory and the other instances will coordinate with it to get their
messages scanned. This eliminates the work of reloading the rulebase
and can help to optimize the timing of the message scans to improve
throughput.

If the persistent instance fails or is stopped for any reason then the
SNF software returns to its native peer-server mode.

There are a number of utilities out there (some free) that allow you
to run an executable as a service. RunExeSvc is the one I used. Many
have recommended FireDaemon:

http://www.firedaemon.com/

There is also a windows toolkit that will let you run programs as
services - it requires some hacking in the registry as I recall.

I can't provide specifics for these approaches at this time, but I
believe the windows toolkit method was described well in the sniffer@
list archives, and Firedaemon will have its own process that is
likely to be simpler.

Hope this helps,

_M





RE: Re[2]: [sniffer] When to go persistent

2006-02-23 Thread Goran Jovanovic
Pete,

 To run in persistent mode, simply launch an instance of SNF from the
 command line with the word persistent in place of the file to scan.
 
 licenseid.exe authentication persistent
 

I am calling Sniffer from Declude. Could I just alter my statement in my
config file to include persistent? That way the first time it is called
that instance will go persistent and all the rest will end up talking to
it?

Regardless of how the persistent instance is started should I have the
persistent keyword on the line that is called from Declude?

Goran Jovanovic





Re[2]: [sniffer] False Positive - no reaction?

2006-02-21 Thread Pete McNeil
On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS Sorry - didn't mean to be pushy. I just thought that false positives are
AS worse than missed spam, so I had assumed that they would always be at the
AS top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not
being pushy. The current goal is to respond in less than 24 hours and
if possible to review twice per day. Yesterday a number of urgent
tasks toppled that schedule. The first review happened (at around
0600) but there were no FPs at that time. I'm working to increase the
review cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding
to FPs is important, and we have been much better about it over the
recent past. I expect that service aspect to improve moving forward
along with other things.

AS I can wait (PS - would have calmed my nerves, if there had been some
AS automatic ticket number response that reassured me that my email was
AS received. The web site makes it sound as if there's a million reasons why a
AS false positive might not be accepted - so an automatic confirmation might be
AS a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the
false processing bot. We're getting a lot of spam lately at our false@
address and I would want to make sure that there was no outscatter.

I can tell the bot to only respond to validated senders, but then
there is the issue of email reliability in the response... what if you
don't get the response I mean. ... There are still folks that
occasionally (some frequently) send false reports from unauthorized
addresses --- those would not get a response... I'm overthinking this
now %^b

When I get to the false processing bot I will add a response
mechanism.

Thanks!

_M






RE: Re[2]: [sniffer] False Positive - no reaction?

2006-02-21 Thread Andy Schmidt
Hi Pete,

I agree that the email notification is tricky - because you might respond to
spam - and, you may NOT respond to someone who did not use an authorized
address.

On the other hand, if I KNEW there was an auto-response and I did NOT get a
response, it would be an indication to me, the user, that I must have done
something wrong. So - in a sense - no response is also a message I can
act on.

The only other suggestion I have is to create a 24 hour 'queue' display on
the web site. All you need to show is a column of the sender domain names of
the email (not the entire sender email address).  If I submit a false
positive I can confirm that it made it into your queue by checking the web
page.  This way, you don't need to send automated emails.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, February 21, 2006 11:04 AM
To: Andy Schmidt
Subject: Re[2]: [sniffer] False Positive - no reaction?

On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS Sorry - didn't mean to be pushy. I just thought that false 
AS positives are worse than missed spam, so I had assumed that they 
AS would always be at the top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not being
pushy. The current goal is to respond in less than 24 hours and if possible
to review twice per day. Yesterday a number of urgent tasks toppled that
schedule. The first review happened (at around
0600) but there were no FPs at that time. I'm working to increase the review
cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding to FPs
is important, and we have been much better about it over the recent past. I
expect that service aspect to improve moving forward along with other
things.

AS I can wait (PS - would have calmed my nerves, if there had been some 
AS automatic ticket number response that reassured me that my email 
AS was received. The web site makes it sound as if there's a million 
AS reasons why a false positive might not be accepted - so an automatic 
AS confirmation might be a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false
processing bot. We're getting a lot of spam lately at our false@ address and
I would want to make sure that there was no outscatter.

I can tell the bot to only respond to validated senders, but then there is
the issue of email reliability in the response... what if you don't get the
response I mean. ... There are still folks that occasionally (some
frequently) send false reports from unauthorized addresses --- those would
not get a response... I'm overthinking this now %^b

When I get to the false processing bot I will add a response mechanism.

Thanks!

_M






Re: Re[2]: [sniffer] False Positive - no reaction?

2006-02-21 Thread Scott Fisher
I like this idea more than the email notification. I really don't need more 
emails.


- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]

To: sniffer@SortMonster.com
Sent: Tuesday, February 21, 2006 10:16 AM
Subject: RE: Re[2]: [sniffer] False Positive - no reaction?



Hi Pete,

I agree that the email notification is tricky - because you might respond to
spam - and, you may NOT respond to someone who did not use an authorized
address.

On the other hand, if I KNEW there was an auto-response and I did NOT get a
response, it would be an indication to me, the user, that I must have done
something wrong. So - in a sense - no response is also a message I can
act on.

The only other suggestion I have is to create a 24 hour 'queue' display on
the web site. All you need to show is a column of the sender domain names of
the email (not the entire sender email address).  If I submit a false
positive I can confirm that it made it into your queue by checking the web
page.  This way, you don't need to send automated emails.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, February 21, 2006 11:04 AM
To: Andy Schmidt
Subject: Re[2]: [sniffer] False Positive - no reaction?

On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS Sorry - didn't mean to be pushy. I just thought that false
AS positives are worse than missed spam, so I had assumed that they
AS would always be at the top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not being
pushy. The current goal is to respond in less than 24 hours and if possible
to review twice per day. Yesterday a number of urgent tasks toppled that
schedule. The first review happened (at around 0600) but there were no FPs
at that time. I'm working to increase the review cycle... there are just a
lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding to FPs
is important, and we have been much better about it over the recent past. I
expect that service aspect to improve moving forward along with other
things.

AS I can wait (PS - would have calmed my nerves, if there had been some
AS automatic ticket number response that reassured me that my email
AS was received. The web site makes it sound as if there's a million
AS reasons why a false positive might not be accepted - so an automatic
AS confirmation might be a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false
processing bot. We're getting a lot of spam lately at our false@ address and
I would want to make sure that there was no outscatter.

I can tell the bot to only respond to validated senders, but then there is
the issue of email reliability in the response... what if you don't get the
response I mean. ... There are still folks that occasionally (some
frequently) send false reports from unauthorized addresses --- those would
not get a response... I'm overthinking this now %^b

When I get to the false processing bot I will add a response mechanism.

Thanks!

_M






Re: Re[2]: [sniffer] False Positive - no reaction?

2006-02-21 Thread Darin Cox
That queue concept would be wonderful!  Hopefully it would have some simple
info extracted to show recipient, sender, subject, header info, and info on
the rule(s) it failed.  One of my ongoing challenges is matching responses
to reports and following up to see what additional actions are required.

Darin.


- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, February 21, 2006 11:16 AM
Subject: RE: Re[2]: [sniffer] False Positive - no reaction?


Hi Pete,

I agree that the email notification is tricky - because you might respond to
spam - and, you may NOT respond to someone who did not use an authorized
address.

On the other hand, if I KNEW there was an auto-response and I did NOT get a
response, it would be an indication to me, the user, that I must have done
something wrong. So - in a sense - no response is also a message I can
act on.

The only other suggestion I have is to create a 24 hour 'queue' display on
the web site. All you need to show is a column of the sender domain names of
the email (not the entire sender email address).  If I submit a false
positive I can confirm that it made it into your queue by checking the web
page.  This way, you don't need to send automated emails.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, February 21, 2006 11:04 AM
To: Andy Schmidt
Subject: Re[2]: [sniffer] False Positive - no reaction?

On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS Sorry - didn't mean to be pushy. I just thought that false
AS positives are worse than missed spam, so I had assumed that they
AS would always be at the top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not being
pushy. The current goal is to respond in less than 24 hours and if possible
to review twice per day. Yesterday a number of urgent tasks toppled that
schedule. The first review happened (at around
0600) but there were no FPs at that time. I'm working to increase the review
cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding to FPs
is important, and we have been much better about it over the recent past. I
expect that service aspect to improve moving forward along with other
things.

AS I can wait (PS - would have calmed my nerves, if there had been some
AS automatic ticket number response that reassured me that my email
AS was received. The web site makes it sound as if there's a million
AS reasons why a false positive might not be accepted - so an automatic
AS confirmation might be a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false
processing bot. We're getting a lot of spam lately at our false@ address and
I would want to make sure that there was no outscatter.

I can tell the bot to only respond to validated senders, but then there is
the issue of email reliability in the response... what if you don't get the
response I mean. ... There are still folks that occasionally (some
frequently) send false reports from unauthorized addresses --- those would
not get a response... I'm overthinking this now %^b

When I get to the false processing bot I will add a response mechanism.

Thanks!

_M






Re[2]: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 11:02:11 AM, Bonno wrote:

BB Hi Pete,

BB []
 If you wish, it is possible to create a local black rule for any
 geocities link. On many ISP systems this would cause false positives,
 but on more private systems it may be a reasonable solution.


BB I think I could use such a black rule without getting too many FPs, but in
BB which categories would that rule then go? I score the several Sniffer
BB results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
BB would put it several points below my hold weight. An extra hit would be
BB needed to get it held.

Normally when we make custom black rules we code them to a special
rule group (generally with a group symbol 5 by convention). Since 5 is
a lower number than all other rule groups (except for white rules = 0)
any message matching a local black rule will be distinct.

Hope this helps,

_M





Re[2]: [sniffer] False Positives

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 4:32:14 PM, Robert wrote:

RG The X-SNF header. Sounds like a good idea.  Is there a cheat sheet someplace
RG for making that happen, if possible, in a Declude / Imail environment?

RG Thanks ahead of time,

In the distribution the option is described in the .cfg file. However,
in the Declude environment I don't know of any easy way to make use of
it. What would be best is if Declude could be persuaded to pick up the
.xhdr file SNF produces and add it to the headers it is already adding
to the message. This way, the message would only need to be
altered once (less I/O) for all of the headers.

MDaemon systems using the plugin have the SNF headers by default.

Most *nix systems also use the .xhdr option and then allow the
programs that follow to respond to the headers planted by SNF.

A number of custom-built systems are also using it.

_M





Re[2]: [sniffer] False Positives

2006-02-15 Thread Pete McNeil
Jim,

Not at this time. The two processes are entirely different. The False
Positives process is highly interactive. The standardized responses
were implemented to allow for some automation on both sides.

Spam submissions are always treated as anonymous for security reasons
and also because of the volume. At one point today we were processing
5000 spam per hour. At those rates it is not practical to respond to
each submission.

Advanced features near V4 (some time in the future) will allow us to
handle some spam submissions specifically for a particular license ID
--- so there are some plans for this later on. However, for the short
and medium term all spam submissions will remain anonymous.

If you have a chronic spam for which you would like a local black rule
added then you should send a zip'd copy to support@ along with your
requests. We will help you adjust your rulebase accordingly. For
example, some relatively closed systems are able to use broad rules
for certain character sets, file attachment types, or other features
to eliminate messages they simply will never see in practice.

_M

On Wednesday, February 15, 2006, 4:40:50 PM, Jim wrote:

JMJ Pete,
JMJ Is there any way to get an automatic response similar to the one listed below
JMJ for the FP address, but for submissions to your spam@ address?  It would be
JMJ nice to get some feedback when submitting spam.

JMJ Jim Matuska Jr.
JMJ Computer Tech2, CCNA
JMJ Nez Perce Tribe
JMJ Information Systems
JMJ [EMAIL PROTECTED]

JMJ  


JMJ -Original Message-
JMJ From: [EMAIL PROTECTED]
JMJ [mailto:[EMAIL PROTECTED]
JMJ On Behalf Of Pete McNeil
JMJ Sent: Wednesday, February 15, 2006 1:28 PM
JMJ To: Kevin Rogers
JMJ Subject: Re: [sniffer] False Positives

JMJ On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR My users have been getting a lot of FPs by Sniffer lately.  They send me
KR the email with the FULL HEADERS displayed and I forward this email on to
KR SortMonster.  The program they use to analyze incoming submissions check
KR MY email headers, determine that SNIFFER was not at fault and sends me
KR back an email saying it didn't find any flags.

JMJ Just to clarify a bit, here is the standard response you're probably
JMJ talking about:

JMJ [FPR:0]

JMJ The message did not match any active black rules as submitted. The rules
JMJ may have been modified or removed. If you provide matching log entries
JMJ from your system then we can research this further.

JMJ Note that sometimes our false processing system may not identify the
JMJ rules that matched this message on your system due to changes in the
JMJ submitted content that might occur during the forwarding process.

JMJ Please also be sure you are running the latest version, that your
JMJ rulebase file is up to date, and that you do not have any unresolved
JMJ errors in your Sniffer log file. Bug fixes in newer versions may resolve
JMJ false positive issues or reduce the risk of false positives through
JMJ enhanced features and new technologies. Certain errors in your log file
JMJ may indicate a corrupted rulebase.

JMJ ---

JMJ The software we use to scan false positive submissions is a version of
JMJ SNF that includes every rule we have in our system. If the message
JMJ does not match any of these rules, MOST of the time it means that the
JMJ rule has been removed already.

JMJ If that is not the case, then the next step is to provide matching log
JMJ entries. On some systems this is not necessary because the headers may
JMJ already contain SNF x-header data that shows the rules involved.

JMJ This process is not intended to make things difficult, but to save
JMJ time. The majority of the time, our local scanner will identify the
JMJ rule or rules in question and we will respond accordingly.

JMJ When that is not the case we simply need more data to move forward
JMJ with the investigation.

JMJ Usually, when a rule is still in the system and it does not match a
JMJ false positive submission it is because the original message was
JMJ altered during the forwarding process or that some condition of being
JMJ attached has prevented the scanner on this end from reproducing the
JMJ result you had on your system.

JMJ Hope this helps,

JMJ _M





Re[2]: [sniffer] False Positives

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 4:48:43 PM, Computer wrote:

CHS I second the motion.  We have been submitting spam for over a year and I
CHS don't know if a single one was received.

In general, if you've not received an error during delivery, we most
certainly got your message... it may have even made it to the queue
(if it wasn't already filtered by new rules).

One way to be sure we receive your spam is to create a pop3 box on
your system for your spam submissions and provide us with the login
data (email address (as login), password, FQDN of the pop3 server).

This way, if the mail in that box gets deleted you know one of our
bots has pulled it in and added it to our queues.

_M







Re[2]: [sniffer] problems!!!!

2006-02-08 Thread Pete McNeil
On Wednesday, February 8, 2006, 10:59:09 AM, Darin wrote:

DC I have an idea.  These problems seem to stem  mostly from changes
DC in the methods of handling rulebase updates.

snip/

DC Would it be feasible to announce in advance when such changes
DC are to be implemented?  With advance notice of a date and time
DC for the switch we could choose to freeze our rulebases just before
DC that for a day to make sure the kinks were worked out before
DC updating.  A few spam messages that slip through are better than
DC a slough of false positives that require review and are delayed in
DC reaching the customer.

That's a good idea, and we do, in fact, follow that procedure.
Whenever we make any large scale changes we always announce them here
on this list,... we usually also put them on our web site.

There is an error in your comment however... the previous event (with
the rule-bots) was completely unforeseeable. There was no way to
announce that known good software would suddenly fail so spectacularly
when no changes within our control were made.

Thankfully, that kind of event is extremely unlikely also.

It is unfortunate that these two events would happen so closely
together.

_M





Re: Re[2]: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox
There was no error in my comment.  I completely understand that some issues
will not be foreseeable... I did say mostly, not entirely.  The switch to
the automated bots caused a rash of false positives in our system.  I'm not
pointing fingers, but instead want to make sure I have the ability to decide
what risks to take on my end.  While mistakes are always possible... we are
human after all... the more controls we have available to minimize possible
impact, the better.

What I would be looking for is an announcement of a specific date/time for a
cutover so we could freeze just before that, and unfreeze once it was clear
that no glut of false positives would result.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Wednesday, February 08, 2006 11:13 AM
Subject: Re[2]: [sniffer] problems


On Wednesday, February 8, 2006, 10:59:09 AM, Darin wrote:

DC I have an idea. These problems seem to stem  mostly from changes
DC in the methods of handling rulebase updates.

snip/

DC Would it be feasible to announce in advance when such changes
DC are to be implemented? With advance notice of a date and time
DC for the switch we could choose to freeze our rulebases just before
DC that for a day to make sure the kinks were worked out before
DC updating. A few spam messages that slip through are better than
DC a slough of false positives that require review and are delayed in
DC reaching the customer.

That's a good idea, and we do, in fact, follow that procedure.
Whenever we make any large scale changes we always announce them here
on this list,... we usually also put them on our web site.

There is an error in your comment however... the previous event (with
the rule-bots) was completely unforeseeable. There was no way to
announce that known good software would suddenly fail so spectacularly
when no changes within our control were made.

Thankfully, that kind of event is extremely unlikely also.

It is unfortunate that these two events would happen so closely
together.

_M





Re: Re[2]: [sniffer] problems!!!!

2006-02-08 Thread Filippo Palmili


What is the correct Sniffer string in Declude Global.cfg file?

SNIFFER external nonzero d:\imail\declude\sniffer\sniffer.exe code12 0

or

SNIFFER external nonzero d:\imail\declude\sniffer\sniffer.exe code10 0

Thanks
Filippo



Re[2]: [sniffer] problems!!!!

2006-02-08 Thread Pete McNeil
On Wednesday, February 8, 2006, 11:06:07 AM, Markus wrote:

MG If an experimental rule showed to be reliable they move them in
MG the appropriate category (rich, fraud,...)

MG I'm not sure about this but I think it's so and so it shouldn't
MG be necessary to do something like manually block updates.

This is not how it works.

Experimental rule groups contain abstract rules that may not
classify a particular type of message. Indeed, even rules that are
coded to more specific groups will likely match messages that are
outside of those categories because the blackhats frequently re-use
domains and other features in many different campaigns.

For example, the current chatty drugs, chatty loans, and chatty
watches campaigns all tend to share the same domains in their links.

Along the lines of delaying implementation of new rules, we can
configure rulebases and rule groups within them to only accept rules
with a specific minimum age in days. We might have to charge for this
kind of custom modification, and it would by its nature increase spam
leakage.

_M





Re[2]: [sniffer] question on xhdr files

2006-02-08 Thread Pete McNeil
On Wednesday, February 8, 2006, 1:32:05 PM, David wrote:

 The .xhdr files are created by SNF and can be turned off in SNF's .cfg
 file. They contain text that could be added to the headers of the
 message to help debug false positives and/or to trigger other
 filtering systems.


DP Well I see this in the config file:
DP 
DP # XHeader File Output - When set to On the engine will create a new file with
DP # each message scanned with the name scanfilename.xhdr that contains x-header
DP # information that should be added to the message.

DP XHeaderData: X-MessageSniffer-Rules
DP XHeaderFinal: X-MessageSniffer-Result
DP 

DP I don't see the specific line to turn this off. Do I simply comment out the
DP XHeaderData and XHeaderFinal lines? If I do that will it still insert the
DP information in the header?

I'm sorry that's misleading.

Yes, comment out the two lines:

# XHeaderData: X-MessageSniffer-Rules
# XHeaderFinal: X-MessageSniffer-Result

That should prevent SNF from creating the .xhdr files.

According to what I see, the headers created in your messages are
actually generated by the script, so the .xhdr info generated by SNF
is largely redundant.

Best,

_M





Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Pete McNeil
I do most humbly apologize,

It was my intention to do it immediately, however I became embroiled
in related support issues and was delayed.

I don't expect more of these, but I will make announcing their
discovery the next event after removing them from the system.

Thanks,

_M

On Tuesday, February 7, 2006, 4:19:24 PM, Computer wrote:

CHS Dear Pete,

CHS In the future, please let us know immediately when you become aware of this.
CHS As it is, I will spend the next 3 hours picking out the false positives from
CHS the mailbox and forwarding them to the clients.  If I could have put the
CHS rulepanic in place an hour ago it would have saved me a lot of work and
CHS confused customers.


CHS Thank you,

CHS Michael Stein
CHS Computer House


CHS - Original Message - 
CHS From: Pete McNeil [EMAIL PROTECTED]
CHS To: sniffer@sortmonster.com
CHS Sent: Tuesday, February 07, 2006 4:07 PM
CHS Subject: [sniffer] Bad Rule - 828931


CHS Hello Sniffer folks,

CHS   I'm sorry to report that another bad rule got past us today. The
CHS   rule has been removed (was in from about 1200-1500), but it may be
CHS   in some of your rulebases.

CHS   To avoid a problem with this rule you can enter a rule-panic entry
CHS   in your .cfg file for rule id: 828931

CHS   If it is not already, the rule will be gone from your rulebase after
CHS   your next update.

CHS Thanks,
CHS _M

CHS Pete McNeil (Madscientist)
CHS President, MicroNeil Research Corporation
CHS Chief SortMonster (www.sortmonster.com)
CHS Chief Scientist (www.armresearch.com)




Re: Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Computer House Support
Dear Pete,

Please excuse my previous E-mail if it seemed a bit harsh.  I guess I am so 
used to your great service, that on the rare occasion when this happens, I 
panic.

Thanks for being there to walk me through the procedure.


Sincerely,

Michael Stein
Computer House



- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Computer House Support sniffer@SortMonster.com
Sent: Tuesday, February 07, 2006 4:24 PM
Subject: Re[2]: [sniffer] Bad Rule - 828931


I do most humbly apologize,

It was my intention to do it immediately, however I became embroiled
in related support issues and was delayed.

I don't expect more of these, but I will make announcing their
discovery the next event after removing them from the system.

Thanks,

_M

On Tuesday, February 7, 2006, 4:19:24 PM, Computer wrote:

CHS Dear Pete,

CHS In the future, please let us know immediately when you become aware of this.
CHS As it is, I will spend the next 3 hours picking out the false positives from
CHS the mailbox and forwarding them to the clients.  If I could have put the
CHS rulepanic in place an hour ago it would have saved me a lot of work and
CHS confused customers.


CHS Thank you,

CHS Michael Stein
CHS Computer House


CHS - Original Message - 
CHS From: Pete McNeil [EMAIL PROTECTED]
CHS To: sniffer@sortmonster.com
CHS Sent: Tuesday, February 07, 2006 4:07 PM
CHS Subject: [sniffer] Bad Rule - 828931


CHS Hello Sniffer folks,

CHS   I'm sorry to report that another bad rule got past us today. The
CHS   rule has been removed (was in from about 1200-1500), but it may be
CHS   in some of your rulebases.

CHS   To avoid a problem with this rule you can enter a rule-panic entry
CHS   in your .cfg file for rule id: 828931

CHS   If it is not already, the rule will be gone from your rulebase after
CHS   your next update.

CHS Thanks,
CHS _M

CHS Pete McNeil (Madscientist)
CHS President, MicroNeil Research Corporation
CHS Chief SortMonster (www.sortmonster.com)
CHS Chief Scientist (www.armresearch.com)




Re[2]: [sniffer] Downloads are slow.

2006-02-07 Thread David Sullivan
Somebody please tell me I'm doing something wrong here. I use this
expression in Baregrep Final\t828931 and it yields 22,055 matching
lines across 3 of my 4 license's log files.

Since this is set to my hold weight, I'm assuming that means I've had
22,055 holds on this rule?

-- 
Best regards,
 David mailto:[EMAIL PROTECTED]





Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread David Sullivan
Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M rule number, and I don't have the tools set up or the knowledge of grep
M yet to do a piped query of Sniffer's logs to extract the spool file names.

http://www.baremetalsoft.com/ is a great grep'er for windows. In BSD I
always used .* to represent any number of characters, white space or
non, but that didn't seem to work with baregrep. That's why I was
trying to confirm with anyone on the list my regex of Final\t828931
was an accurate regex to find every message that 'finaled' on that
rule. I'm praying that I screwed up the expression and I don't have
22,055 messages held by that rule.

M BTW, David, it is generally better not to hold or block on one single
M test, especially one that automates such listings (despite whatever
M safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be
able to hold on sniffer alone. We have some safeguards in place now
and are transitioning our rule methodologies but hadn't gotten to this
one yet as this always seems to hit back-burner.

This is also why I'd really like to see the content of the rule to see
how it made it past our safeguards.

-- 
Best regards,
 David mailto:[EMAIL PROTECTED]





RE: Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Landry, William (MED US)

Don't know about the proper syntax for baregrep, but for the standard UNIX
grep for Win32, the following would give you an accurate count:

grep -c Final.*828931 c:\imail\declude\sniffer\logfile.log

Bill 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 4:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931

Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M rule number, and I don't have the tools set up or the knowledge of
M grep yet to do a piped query of Sniffer's logs to extract the spool file
M names.

http://www.baremetalsoft.com/ is a great grep'er for windows. In BSD I
always used .* to represent any number of characters, white space or non,
but that didn't seem to work with baregrep. That's why I was trying to
confirm with anyone on the list my regex of Final\t828931
was an accurate regex to find every message that 'finaled' on that rule. I'm
praying that I screwed up the expression and I don't have
22,055 messages held by that rule.

M BTW, David, it is generally better not to hold or block on one single 
M test, especially one that automates such listings (despite whatever 
M safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to
hold on sniffer alone. We have some safeguards in place now and are
transitioning our rule methodologies but hadn't gotten to this one yet as
this always seems to hit back-burner.

This is also why I'd really like to see the content of the rule to see how
it made it past our safeguards.

--
Best regards,
 David mailto:[EMAIL PROTECTED]





RE: Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread John Carter
Final\t828931 and Final.*828931 both found 850 entries in my current log
using Baregrep. 

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 6:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931

Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M rule number, and I don't have the tools set up or the knowledge of
M grep yet to do a piped query of Sniffer's logs to extract the spool file
M names.

http://www.baremetalsoft.com/ is a great grep'er for windows. In BSD I
always used .* to represent any number of characters, white space or non,
but that didn't seem to work with baregrep. That's why I was trying to
confirm with anyone on the list my regex of Final\t828931
was an accurate regex to find every message that 'finaled' on that rule. I'm
praying that I screwed up the expression and I don't have
22,055 messages held by that rule.

M BTW, David, it is generally better not to hold or block on one single 
M test, especially one that automates such listings (despite whatever 
M safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to
hold on sniffer alone. We have some safeguards in place now and are
transitioning our rule methodologies but hadn't gotten to this one yet as
this always seems to hit back-burner.

This is also why I'd really like to see the content of the rule to see how
it made it past our safeguards.

--
Best regards,
 David  mailto:[EMAIL PROTECTED]



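The two expressions compared in this thread, Final\t828931 and Final.*828931, gave the same count on John's log but are not equivalent. The following is an added example, not part of the original posts: it runs both, plus a field-exact parse that also pulls out the spool file names, over constructed log lines. The tab-separated column layout and all sample values are assumptions.

```python
import re

# Constructed sample lines, not taken from a real server. Assumed layout
# (tab-separated): license, timestamp, spool file, setup ms, scan ms,
# result, rule id, group, index, endex, depth.
SAMPLE_LOG = "\n".join([
    "lic01\t20060207231501\tD1a2b.SMD\t10\t31\tMatch\t828931\t52\t120\t180\t44",
    "lic01\t20060207231501\tD1a2b.SMD\t10\t31\tFinal\t828931\t52\t0\t2048\t44",
    "lic01\t20060207231502\tD1a2c.SMD\t10\t16\tFinal\t1828931\t60\t0\t900\t39",
    "lic01\t20060207231503\tD1a2d.SMD\t10\t15\tFinal\t8289310\t61\t0\t700\t41",
    "lic01\t20060207231504\tD1a2e.SMD\t0\t15\tClean\t0\t0\t0\t512\t30",
    "lic01\t20060207231505\tD1a2f.SMD\t10\t47\tFinal\t828931\t52\t0\t4096\t44",
])

LOOSE = r"Final.*828931"       # anything may sit between "Final" and the digits
TABBED = r"Final\t828931"      # anchored by the tab on the left, open on the right
EXACT = r"\tFinal\t828931\t"   # whole-field match on both columns


def grep_count(pattern, log):
    """Count lines containing a match, the way a line-oriented grep does."""
    rx = re.compile(pattern)
    return sum(1 for line in log.splitlines() if rx.search(line))


def finaled_spool_files(log, rule_id):
    """Return the spool files whose Final record names exactly rule_id."""
    files = []
    for line in log.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # truncated or malformed record
        spool, result, rule = fields[2], fields[5], fields[6]
        if result == "Final" and rule == str(rule_id):
            files.append(spool)
    return files


if __name__ == "__main__":
    # LOOSE also counts rule 1828931; LOOSE and TABBED both count 8289310.
    for name, pattern in (("loose", LOOSE), ("tabbed", TABBED), ("exact", EXACT)):
        print(name, grep_count(pattern, SAMPLE_LOG))
    print(finaled_spool_files(SAMPLE_LOG, 828931))
```

When the loose, tabbed and exact counts agree, as they did at 850 in John's log, no other rule id in that log collides with 828931.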


Re[2]: [sniffer] Downloads are slow.

2006-02-07 Thread Pete McNeil
I've had an internal note that our colo provider is working on a
networking problem. That's probably what you're seeing. Apparently it
doesn't affect all paths to the 'net equally and/or it may be solved
by now.

_M

On Tuesday, February 7, 2006, 5:53:35 PM, John wrote:

JC Agreed, my last report showed pretty slow times.  All today were slower now
JC that I look at them.  I normally see up to 1.3M with overall times around
JC 800-900K. 

JC John C


JC 15:52:29 (12.45 KB/s) - `.new.gz' saved [2646653] 

JC -Original Message-
JC From: [EMAIL PROTECTED]
JC [mailto:[EMAIL PROTECTED]
JC On Behalf Of Pete McNeil
JC Sent: Tuesday, February 07, 2006 4:46 PM
JC To: Chuck Schick
JC Subject: Re: [sniffer] Downloads are slow.

JC I'm not showing this from my location and the server looks ok.

JC I just downloaded a few rulebases, each in under 3 seconds.

JC Please provide a traceroute -- that should show us where the issue 

Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread David Sullivan
Hello Pete,

Tuesday, February 7, 2006, 7:43:52 PM, you wrote:

PM The rule would match the intended spam (and there was a lot of it, so
PM 22,055 most likely includes mostly spam).

On spot check I'm seeing about 30-40% of the messages are valid.

PM Unfortunately it would also match messages containing the listed
PM capital letters in that order throughout the message. Essentially, if
PM the text is long enough then it will probably match. A greater chance
PM of FP match if the text of the message is in all caps. Also if there
PM is a badly coded base64 segment and file attachment (badly coded
PM base64 might not be decoded... raw base64 will contain many of these
PM letters in mixed case and therefore increase the probability of
PM matching them all).

Not sure, can anyone think of a way to cross check this? What if I put
all the released messages back through sniffer?

-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]



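Pete's point that a long enough text, and raw undecoded base64 in particular, will probably contain the rule's letters in order can be put into numbers. The following is an added example, not part of the original posts and not Message Sniffer code: the eight-letter sequence is a placeholder (the real rule content is not given in the thread), and undecoded base64 is modelled as the encoding of uniformly random bytes.

```python
import base64
import random
from math import comb

# Placeholder sequence: the real rule's letters are not given in the thread.
RULE_LETTERS = "QXZJKWVB"
P_BASE64 = 1 / 64  # chance that one base64 character equals a given letter


def matches_in_order(letters, text):
    """True if every letter occurs in text in the given order, gaps allowed."""
    remaining = iter(text)
    # "ch in remaining" consumes the iterator up to and including the hit,
    # so each later letter is only searched for after the previous one.
    return all(ch in remaining for ch in letters)


def fp_probability(k, n, p=P_BASE64):
    """Chance that k ordered letters all turn up in n random characters.

    Scanning left to right, each character is the next needed letter with
    probability p, so the rule fires when at least k of n trials succeed.
    """
    miss = sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k))
    return 1 - miss


def random_base64(n_chars, rng):
    """Undecoded base64 text of n_chars characters (n_chars a multiple of 4)."""
    raw = bytes(rng.getrandbits(8) for _ in range(n_chars * 3 // 4))
    return base64.b64encode(raw).decode("ascii")


def empirical_rate(letters, n_chars, trials=1000, seed=1):
    """Fraction of random base64 samples of n_chars that the rule matches."""
    rng = random.Random(seed)
    hits = sum(
        matches_in_order(letters, random_base64(n_chars, rng))
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    # Columns: text length, predicted match rate, measured match rate.
    for n in (128, 512, 2048):
        predicted = fp_probability(len(RULE_LETTERS), n)
        measured = empirical_rate(RULE_LETTERS, n, trials=300)
        print(f"{n:5d} chars  predicted {predicted:.4f}  measured {measured:.4f}")
```

Under these assumptions the match rate depends only on the number of letters in the rule and the length of the undecoded text, which is why a single un-decoded attachment is enough to trip such a rule.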


RE: Re[2]: [sniffer] Stock SPAM now HTML

2006-02-02 Thread Goran Jovanovic
This is going to get harder and harder to identify and fight. Is it
worthwhile to put something like this in a new category which we are
very confident about and so if it fails on the new combined image/text
thing we can delete it outright?

Not sure if this is a good idea or not but I had to add extra static
filters to pop the older text only stock spam above my delete weight.
This combined image/text is going to make it tougher I think.

Thoughts?

Goran Jovanovic
Omega Network Solutions

 

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Pete McNeil
 Sent: Thursday, February 02, 2006 11:40 AM
 To: Goran Jovanovic
 Subject: Re[2]: [sniffer] Stock SPAM now HTML
 
 There are some new mutations of the latest campaigns out today. These
 ones look like they were hand tweaked (not evolved by machine). They
 are a lot tougher, but I think we've got some abstracts coming out
 that will get them.
 
 This new trend - using embedded images, adding static to images to
 avoid hashing systems, stuffing text, and avoiding links and email
 addresses is going to increase.
 
 _M
 
 On Thursday, February 2, 2006, 11:12:59 AM, Goran wrote:
 
 GJ Will it ever stop :(
 
 GJ Probably not. Actually maybe I shouldn't be wishing that SPAM stops
 GJ because then I would lose a revenue stream... hmm conundrum
 
 GJ Goran Jovanovic
 GJ Omega Network Solutions
 
 GJ
 
  -Original Message-
  From: [EMAIL PROTECTED]
 GJ [mailto:[EMAIL PROTECTED]
  On Behalf Of Pete McNeil
  Sent: Thursday, February 02, 2006 7:20 AM
  To: Goran Jovanovic
  Subject: Re: [sniffer] Stock SPAM now HTML
 
  On Wednesday, February 1, 2006, 11:30:49 PM, Goran wrote:
 
  GJ Well the plain text stock spam has just taken a turn to more
  GJ interesting and SNF is not capturing it yet as of 10:55 EST. I have
  GJ submitted a couple to spam@
  GJ
  GJ Now they are including part of a picture to make up the text.
  GJ Here is what the source looks like
 
  Isn't it amazing.
 
  I've coded some abstracts for this. More to come.
 
  _M
 
 
 


Re[2]: [sniffer] The SPAM bots?

2006-01-30 Thread Pete McNeil
On Monday, January 30, 2006, 11:07:26 AM, Michiel wrote:

MP G'day,

MP I'm just wondering... what CAN be done about this? If I send an embedded
MP picture to someone, how's sniffer gonna see the difference between my
MP holiday picture and the stock spam?

MP I reckon it's gonna be tough to block these?

We're very busy right now - big storm. The answer to these is usually
to create an abstract rule for the message structure. You may send a
picture to someone, but your message won't usually be structured like
the spam message. Later on we'll be adding fuzzy image classification
to the engine to help with this too.

Best,

_M





Re[2]: [sniffer] Stock Market Spam Messages

2006-01-26 Thread Pete McNeil
I see. I misunderstood. We generally get text based stock-push
campaigns very quickly. We have seen an increase in these recently
though.

If it's a plain text stock push then it's most likely that you saw it
before we did. I'll make sure that the rest of the team are watching
out for these just in case - (we have two new guys on the team,... if
they pushed it back then we might have been delayed in coding for
it).

Those guys are on this list too so they'll see this note when they get
a minute.

If you see the same one repeatedly then please .zip it and send a copy
to support as a chronic spam.

The other night I saw a burst of more than 5 new stock push campaigns
come out in the same 10 minute period across the spamtraps. I thought
that was unusual. It's possible, perhaps even likely, that you got
this burst before we saw it.

Please let us know if you're getting the same one repeatedly or
different ones.

Thanks,

_M

On Thursday, January 26, 2006, 11:55:52 AM, Jim wrote:

JMJ The ones I seem to be getting have no images, and are only plain text.

JMJ Jim Matuska Jr.
JMJ Computer Tech2, CCNA
JMJ Nez Perce Tribe
JMJ Information Systems
JMJ [EMAIL PROTECTED]

JMJ  


JMJ -Original Message-
JMJ From: [EMAIL PROTECTED]
JMJ [mailto:[EMAIL PROTECTED]
JMJ On Behalf Of Pete McNeil
JMJ Sent: Thursday, January 26, 2006 8:53 AM
JMJ To: Jim Matuska Jr.
JMJ Subject: Re: [sniffer] Stock Market Spam Messages

JMJ On Thursday, January 26, 2006, 11:22:40 AM, Jim wrote:

JMJ I seem to be noticing a lot of spam messages recently that are stock
JMJ ads for offshore companies; I seem to be getting a lot of these that
JMJ are not being classified by sniffer.  I have been forwarding these to
JMJ the spam@ address, but have yet to notice any real changes.  Any
JMJ thoughts on these?

JMJ There has been a recent shift to using randomized images for these
JMJ which makes them a bit harder to defeat.

JMJ I'll take a look.

JMJ _M





RE: Re[2]: [sniffer] Stock Market Spam Messages

2006-01-26 Thread Jim Matuska Jr.
They seem to be different ones sporadically over the last week or so.  I'll
keep an eye on any new ones and let you know if they change.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, January 26, 2006 10:54 AM
To: Jim Matuska Jr.
Subject: Re[2]: [sniffer] Stock Market Spam Messages

I see. I misunderstood. We generally get text based stock-push
campaigns very quickly. We have seen an increase in these recently
though.

If it's a plain text stock push then it's most likely that you saw it
before we did. I'll make sure that the rest of the team are watching
out for these just in case - (we have two new guys on the team,... if
they pushed it back then we might have been delayed in coding for
it).

Those guys are on this list too so they'll see this note when they get
a minute.

If you see the same one repeatedly then please .zip it and send a copy
to support as a chronic spam.

The other night I saw a burst of more than 5 new stock push campaigns
come out in the same 10 minute period across the spamtraps. I thought
that was unusual. It's possible, perhaps even likely, that you got
this burst before we saw it.

Please let us know if you're getting the same one repeatedly or
different ones.

Thanks,

_M

On Thursday, January 26, 2006, 11:55:52 AM, Jim wrote:

JMJ The ones I seem to be getting have no images, and are only plain text.

JMJ Jim Matuska Jr.
JMJ Computer Tech2, CCNA
JMJ Nez Perce Tribe
JMJ Information Systems
JMJ [EMAIL PROTECTED]

JMJ  


JMJ -Original Message-
JMJ From: [EMAIL PROTECTED]
JMJ [mailto:[EMAIL PROTECTED]
JMJ On Behalf Of Pete McNeil
JMJ Sent: Thursday, January 26, 2006 8:53 AM
JMJ To: Jim Matuska Jr.
JMJ Subject: Re: [sniffer] Stock Market Spam Messages

JMJ On Thursday, January 26, 2006, 11:22:40 AM, Jim wrote:

JMJ I seem to be noticing a lot of spam messages recently that are stock
JMJ ads for offshore companies; I seem to be getting a lot of these that
JMJ are not being classified by sniffer.  I have been forwarding these to
JMJ the spam@ address, but have yet to notice any real changes.  Any
JMJ thoughts on these?

JMJ There has been a recent shift to using randomized images for these
JMJ which makes them a bit harder to defeat.

JMJ I'll take a look.

JMJ _M





Re[2]: [sniffer] Rollback of bot rules..

2006-01-19 Thread Pete McNeil
On Thursday, January 19, 2006, 6:50:32 PM, Dave wrote:

DK My bet is that either OB or WS trees of SURBL are the culprit.  I've seen
DK false positives from them before.  Can your bot isolate the subs of the multi
DK lookup and only use the more reliable ones like JP, SC, etc?

I'm not sure about that. I'll have to check. It's an interesting
theory. We have had some odd FPs like this before, but never in any
great numbers.

DK Also, these
DK are dynamic services and can change at any time... Sometimes in minutes.
DK What does your software do in terms of caching those results?

We keep them until they either fall off the map due to no hits or they
are removed for false positives. We've felt reasonably good about that
up 'till now given that we generally get to review the rules that are
coded, and that it's hard for them to get into the rulebase -- it
takes much more than just being in SURBL to get in, so we're only
coding a subset of the matches that hit clean spamtraps. -- again, in
theory...

The plan now is to rebuild the bots from scratch once we get the time
in our development schedule for that work.

In the meantime, we'll be looking for possible explanations for what
happened.

... keep in mind that SORBS tests went crazy at precisely the same
moment. The chances of that coincidence are pretty small. None the
less, at this point all theories are welcome...

One other piece of data is that the resolvers in question have been
running at nearly 100%... it is possible that under these conditions
they produced bad results, or perhaps produced some anomaly that
caused the results to be interpreted incorrectly - for example, as
pointed out in the pearl:DNS bug that was recently brought to my
attention, result packets might have been delivered out of order or
perhaps having some other unusual condition that caused the problems.

Resolving that for sure would require some lab time we're not going to
spend right now, but it does allow us to think about some things to
test on the new bots before pressing them into service.

Thanks,

_M






Re[2]: [sniffer] Help

2006-01-18 Thread Pete McNeil
Everything should be ok today.

Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M

On Wednesday, January 18, 2006, 8:57:25 AM, Ali wrote:

AR Hi,
AR
AR I am experiencing the very same problem.
AR
AR Regards,
AR
AR Ali
AR
AR -Original Message-
AR From: [EMAIL PROTECTED]
AR [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
AR Sent: Wednesday, January 18, 2006 3:34 PM
AR To: [EMAIL PROTECTED]
AR Cc: sniffer@SortMonster.com
AR Subject: [sniffer] Help

AR Hello,

AR What's going on with rules? Today for 100 blocked by Sniffer
AR more than 10 were really legitimate.
AR Please advise.

AR Thanks
AR Filippo




Re[2]: [sniffer] False Positives

2006-01-18 Thread Pete McNeil
On Wednesday, January 18, 2006, 8:42:22 AM, Frederick wrote:

FS Same with me. Last night there was a rules update and it fixed the problem.

FS Check the date of your rules update.

Please visit

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M





Re[2]: [sniffer] False Positives

2006-01-18 Thread Pete McNeil
On Wednesday, January 18, 2006, 8:54:49 AM, Darin wrote:

DC Agreed.  We counted 100 false positives yesterday, compared to our normal
DC rate of less than 5.

DC No false positives since 6pm ET yesterday, though.  Thank goodness.

Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M





Re[2]: [sniffer] Watch out... SURBL SORBS full of large ISPs and Antispamprovidres.

2006-01-17 Thread Pete McNeil
On Tuesday, January 17, 2006, 7:21:11 AM, Matt wrote:

M Pete,

M w3.org would be a huge problem because Outlook will insert this in the
M XML headers of any HTML generated E-mail.

M If you could give us an idea of when this started and possibly ended, 
M that would help in the process of review.

Indications are that the rule was in our system for only a couple of
hours this morning before we caught what was going on. Many folks
won't have ever seen the rule... though it may still be in surbl.

In fact, all of these rules that we know of followed very much the
same profile. Two of us were working in the rulebase at the time due
to heavy outscatter from a fake ph.d campaign and several new variants
of chatty_watches, chatty_drugs, and druglist.

We're continuing to look for any rules that might have entered our
system this way and we haven't found any new ones since about the time
I wrote my first post on it.

I'm about to run through false positives to see what might have been
reported and remove those.

Hope this helps,

_M





Re[2]: [sniffer] Watch out... SURBL SORBS full of large ISPs and Antispamprovidres.

2006-01-17 Thread Pete McNeil
On Tuesday, January 17, 2006, 8:10:44 AM, Darrell wrote:

Dsic Pete,

Dsic I just checked real quick hitting several DNS servers (mine and others)
Dsic and I am not seeing this - are you still seeing this now?


Nope... it was short lived.

_M





Re: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-30 Thread Jonathan Hickman

I believe a new topic is in order. Quick, someone ask a newbie question!

  - Original Message -
  From: John W. Enyart
  To: sniffer@SortMonster.com
  Sent: Thursday, December 29, 2005 11:27 AM
  Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

  Amen. Keep this professional, or take me off the list. My mailbox is
  filling up with this garbage.

  John W. Enyart
  EAI, Inc.
  3259 Blackberry Lane
  Malvern, PA 19355-9670
  610/935/3085 FAX 610.935.3086
  [EMAIL PROTECTED]

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
  Sent: Thursday, December 29, 2005 11:23 AM
  To: sniffer@SortMonster.com
  Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

  What the heck is going on with people posting to this list lately? People
  seem to be jumping all over each other, jumping to a lot of conclusions
  and getting all riled up. It’s the Holiday Season for goodness sake! It’s
  supposed to be a time of good will to others. We can agree or disagree
  about the amount of the price hike; but is all the other escalating banter
  really necessary?

  Wolf

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Wednesday, December 28, 2005 9:33 PM
  To: sniffer@SortMonster.com
  Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

  Joe, you are correct. I searched for and got out my agreement and it
  states Minimum Advertised Price.

  Memory does not always work so well.

  It is no ECC you know.

  John T
  eServices For You

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
  Sent: Wednesday, December 28, 2005 5:43 PM
  To: sniffer@SortMonster.com
  Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

  FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but
  it is illegal in the United States for the agreement to determine a
  minimum selling price. Any such stipulation in an agreement would put both
  of you in violation of federal price-fixing laws.

  -Joe

  - Original Message -
  From: John T (Lists)
  To: sniffer@SortMonster.com
  Sent: Wednesday, December 28, 2005 7:29 PM
  Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

  According to the Reseller agreement I signed when I became a reseller of
  Message Sniffer, I can not charge that low of a price.

  As such, Pete or some one at Sniffer would need to notify me that I had
  permission to sell at such a low price.

  What I mean is, be careful.

  John T
  eServices For You

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
  Sent: Wednesday, December 28, 2005 5:00 PM
  To: sniffer@SortMonster.com
  Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

  After posting this, another reseller pm me their renewal rate of $269. I
  didn't know Sniffer had another reseller besides Declude.

  Anyways, for those who are interested and want to save money, it's
  https://www.computerhouse.com/ccsecure.html

  At 01:21 PM 12/28/2005, you wrote:

  Can we renew at declude.com since their pricing is $292.50? I assume their
  prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-30 Thread Michiel Prins

Can I also use this product on my snailmail? :p

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Friday, 30 December 2005 16:58
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

I believe a new topic is in order. Quick, someone ask a newbie question!

- Original Message -
From: John W. Enyart
To: sniffer@SortMonster.com
Sent: Thursday, December 29, 2005 11:27 AM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Amen. Keep this professional, or take me off the list. My mailbox is
filling up with this garbage.

John W. Enyart
EAI, Inc.
3259 Blackberry Lane
Malvern, PA 19355-9670
610/935/3085 FAX 610.935.3086
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Thursday, December 29, 2005 11:23 AM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

What the heck is going on with people posting to this list lately? People
seem to be jumping all over each other, jumping to a lot of conclusions and
getting all riled up. It's the Holiday Season for goodness sake! It's
supposed to be a time of good will to others. We can agree or disagree about
the amount of the price hike; but is all the other escalating banter really
necessary?

Wolf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 9:33 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Joe, you are correct. I searched for and got out my agreement and it states
Minimum Advertised Price.

Memory does not always work so well.

It is no ECC you know.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but
it is illegal in the United States for the agreement to determine a minimum
selling price. Any such stipulation in an agreement would put both of you in
violation of federal price-fixing laws.

-Joe

- Original Message -
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of
Message Sniffer, I can not charge that low of a price.

As such, Pete or some one at Sniffer would need to notify me that I had
permission to sell at such a low price.

What I mean is, be careful.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269. I
didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's
https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume their
prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-30 Thread Jonathan

Yeah -- I've been getting a lot of credit card offers in my postal mail
lately .. can we adapt a procmail filter to check my mail and wash my
dog?

Jonathan

At 04:03 PM 12/30/2005, you wrote:

Can I also use this product on my snailmail? :p

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan Hickman
Sent: Friday, 30 December 2005 16:58
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

I believe a new topic is in order. Quick, someone ask a newbie question!

- Original Message -
From: John W. Enyart
To: sniffer@SortMonster.com
Sent: Thursday, December 29, 2005 11:27 AM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Amen. Keep this professional, or take me off the list. My mailbox is
filling up with this garbage.

John W. Enyart
EAI, Inc.
3259 Blackberry Lane
Malvern, PA 19355-9670
610/935/3085 FAX 610.935.3086
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wolf Tombe
Sent: Thursday, December 29, 2005 11:23 AM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

What the heck is going on with people posting to this list lately? People
seem to be jumping all over each other, jumping to a lot of conclusions and
getting all riled up. It’s the Holiday Season for goodness sake! It’s
supposed to be a time of good will to others. We can agree or disagree about
the amount of the price hike; but is all the other escalating banter really
necessary?

Wolf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 9:33 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Joe, you are correct. I searched for and got out my agreement and it states
Minimum Advertised Price.

Memory does not always work so well.

It is no ECC you know.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but
it is illegal in the United States for the agreement to determine a minimum
selling price. Any such stipulation in an agreement would put both of you in
violation of federal price-fixing laws.

-Joe

- Original Message -
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of
Message Sniffer, I can not charge that low of a price.

As such, Pete or some one at Sniffer would need to notify me that I had
permission to sell at such a low price.

What I mean is, be careful.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269. I
didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's
https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-29 Thread Wolf Tombe








What the heck is going on with people
posting to this list lately? People seem to be jumping all over each
other, jumping to a lot of conclusions and getting all riled up. It's
the Holiday Season for goodness sake! It's supposed to be a time of
good will to others. We can agree or disagree about the amount of the price
hike; but is all the other escalating banter really necessary?



Wolf











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005
9:33 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last
chance to renew at the old price!





Joe, you are correct. I searched for and
got out my agreement and it states Minimum Advertised Price. 



Memory does not always work so well.



It is no ECC you know.





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005
5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last
chance to renew at the old price!





FYI, a reseller agreement may include a MAP (Minimum
Advertised Price) but it is illegal in the United States for the agreement to
determine a minimum selling price. Any such stipulation in an agreement
would put both of you in violation of federal price-fixing laws.











-Joe







- Original Message - 





From: John
T (Lists) 





To: sniffer@SortMonster.com






Sent: Wednesday,
December 28, 2005 7:29 PM





Subject: RE: Re[2]:
[sniffer] Last chance to renew at the old price!









According to the Reseller agreement I
signed when I became a reseller of Message Sniffer, I can not charge that low
of a price.



As such, Pete or some one at Sniffer
would need to notify me that I had permission to sell at such a low price.



What I mean is, be careful. 





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Kevin
Sent: Wednesday, December 28, 2005
5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last
chance to renew at the old price!



After posting this, another
reseller pm me their renewal rate of $269. I didn't know Sniffer had another
reseller besides Declude.

Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html



At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.



This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription
instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html














RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread Michael Murdoch
Yes, you can renew with Declude.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 3:22 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

Can we renew at declude.com since their pricing is $292.50? I assume 
their prices will increase on Jan 1, 2006 too.



This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html





RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread Fox, Thomas



Are they a valid reseller, 
sniffer-folks??

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
  Sent: Wednesday, December 28, 2005 8:00 PM
  To: sniffer@SortMonster.com
  Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

  After posting this, another reseller pm me their renewal rate of
  $269. I didn't know Sniffer had another reseller besides Declude.

  Anyways, for those who are interested and want to save money,
  it's https://www.computerhouse.com/ccsecure.html

  At 01:21 PM 12/28/2005, you wrote:

  Can we renew at declude.com since their pricing is $292.50? I assume
  their prices will increase on Jan 1, 2006 too.

  This E-Mail came from the Message Sniffer mailing list.
  For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread Joe Wolf



FYI, a reseller agreement may include a MAP (Minimum 
Advertised Price) but it is illegal in the United States for the agreement to 
determine a minimum selling price. Any such stipulation in an agreement 
would put both of you in violation of federal price-fixing laws.

-Joe

  - Original Message -
  From: John T (Lists)
  To: sniffer@SortMonster.com
  Sent: Wednesday, December 28, 2005 7:29 PM
  Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

  According to the Reseller agreement I signed when I became a reseller of
  Message Sniffer, I can not charge that low of a price.

  As such, Pete or some one at Sniffer would need to notify me that I had
  permission to sell at such a low price.

  What I mean is, be careful.

  John T
  eServices For You

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
  Sent: Wednesday, December 28, 2005 5:00 PM
  To: sniffer@SortMonster.com
  Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

  After posting this, another reseller pm me their
  renewal rate of $269. I didn't know Sniffer had another reseller besides
  Declude.

  Anyways, for those who are interested and want to save money,
  it's https://www.computerhouse.com/ccsecure.html

  At 01:21 PM 12/28/2005, you wrote:

  Can we renew at declude.com since their pricing is
  $292.50? I assume their prices will increase on Jan 1, 2006 too.

  This E-Mail came from the Message Sniffer mailing list.
  For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread Peer-to-Peer (Support)



You certainly crossed a line of ethical integrity at the very least.

Pete: If you don't already have a 'non-compete' agreement in your reseller agreement
it's time.
I would never have believed someone would actually try to sell your reseller rates
to your customer base.

It's simply appalling. And should be grounds for termination.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Wednesday, December 28, 2005 8:46 PM
  To: sniffer@SortMonster.com
  Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

  Absolutely not. In fact, if you read my post after this, I am questioning
  whether or not it can be sold for a lower price.

  I am not here to undermine any one, as after all where do you think the
  license that I sell comes from?

  After all, we are all here to help one another.

  John T
  eServices For You

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
  Sent: Wednesday, December 28, 2005 5:41 PM
  To: sniffer@SortMonster.com
  Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

  John T: Did you just solicit the ENTIRE sniffer community with pricing
  that will undermine Pete?

  Never bite the hand that feeds you my friend.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I normally only sell hardware and software
to clients as part of my services.

However, if any one is interested in a price, contact me off list.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm
me their renewal rate of $269. I didn't know Sniffer had another reseller
besides Declude.

Anyways, for those who are interested and want to
save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is
$292.50? I assume their prices will increase on Jan 1, 2006 too.

This E-Mail came from the Message Sniffer mailing list.
For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)









1. What is YOUR motive for taking such a
tone?



2. I never made an outright
solicitation. It was done for the benefit of others. I am a small business
and to my bottom line, every dollar or 5 dollars or 10 dollars counts. I clearly
said I am not in the business of selling software or hardware. I have turned
away requests before from people that have contacted me off list about
software. It is extremely rare that I will sell to other than my clients.



3. How do you respond to the posting on
this very list by Pete just a bit ago that the seller selling at such a low rate
is a valid reseller?



4. How do you respond to the posting on
this very list by Michael Murdoch that yes you can renew with Declude at a
lower cost?



Your responses are injecting that I am
taking advantage of something or trying to take away something from
SortMonster. That is not true at all.



Your comment about competing is very unusual,
in that in essence many of us are natural competitors to one another, yet day
after day we help each other, in essence helping our competitor.





John T

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday,
 December 28, 2005 6:01 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last
chance to renew at the old price!





You certainly crossed a line of
ethical integrity at the very least.











Pete: If you don't already have a
'non-compete' agreement in your reseller agreement it's time.





I would never have believed someone would
actually try to sell your reseller rates to your customer base.











It's simply appalling. And should be
grounds for termination.

















-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of John T (Lists)
Sent: Wednesday,
 December 28, 2005 8:46 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last
chance to renew at the old price!

Absolutely not. In fact, if you read my
post after this, I am questioning whether or not it can be sold for a lower
price.



I am not here to undermine any one, as
after all where do you think the license that I sell comes from?



After all, we are all here to help one
another.





John T

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday,
 December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last
chance to renew at the old price!





John T: Did you just solicit
the ENTIRE sniffer community with pricing that will undermine Pete?











Never bite the hand that feeds you my
friend.











-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of John T (Lists)
Sent: Wednesday,
 December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last
chance to renew at the old price!

Although I am a registered reseller, I
normally only sell hardware and software to clients as part of my services.



However, if any one is interested in a
price, contact me off list.





John T

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday,
 December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last
chance to renew at the old price!



After posting this,
another reseller pm me their renewal rate of $269. I didn't know Sniffer had
another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html



At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.



This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


















RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)









Joe, you are correct. I searched for and
got out my agreement and it states Minimum Advertised Price. 



Memory does not always work so well.



It is no ECC you know.





John T

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday,
 December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last
chance to renew at the old price!





FYI, a reseller agreement may include a MAP (Minimum
Advertised Price) but it is illegal in the United States for the agreement to determine a minimum selling
price. Any such stipulation in an agreement would put both of you in
violation of federal price-fixing laws.











-Joe







- Original Message - 





From: John
T (Lists) 





To: sniffer@SortMonster.com






Sent: Wednesday,
 December 28, 2005 7:29 PM





Subject: RE: Re[2]:
[sniffer] Last chance to renew at the old price!









According to the Reseller agreement I
signed when I became a reseller of Message Sniffer, I can not charge that low
of a price.



As such, Pete or some one at Sniffer
would need to notify me that I had permission to sell at such a low price.



What I mean is, be careful. 





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Kevin
Sent: Wednesday,
 December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last
chance to renew at the old price!



After posting this,
another reseller pm me their renewal rate of $269. I didn't know Sniffer had
another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html



At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.



This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html














RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread Jonathan


We should probably slow down here a bit .. I don't think it was John T
that solicited the guy off-list. John T was simply saying, if
anyone wants options, let me know.. oh, and this other guy could be shady
since the price is too low. Sure it was a sales tactic, but I don't
think he was the first guy ...
Jonathan
At 08:00 PM 12/28/2005, you wrote:
You
certainly crossed a line of ethical integrity at the very least.

Pete: If you don't already have a
'non-compete' agreement in your reseller agreement it's time.
I would never have believed someone would actually try to sell your
reseller rates to your customer base.

It's simply appalling. And should be
grounds for termination.




-Original Message-

From: [EMAIL PROTECTED]
[
mailto:[EMAIL PROTECTED]]On Behalf Of John T
(Lists)

Sent: Wednesday, December 28, 2005 8:46 PM

To: sniffer@SortMonster.com

Subject: RE: Re[2]: [sniffer] Last chance to renew at the old
price!

Absolutely not. In fact,
if you read my post after this, I am questioning whether or not it can be
sold for a lower price.




I am not here to
undermine any one, as after all where do you think the license that I
sell comes from?




After all, we are all
here to help one another.




John T


eServices For You




-Original Message-

From: [EMAIL PROTECTED]
[
mailto:[EMAIL PROTECTED]] On Behalf Of Peer-to-Peer
(Support)

Sent: Wednesday, December 28, 2005 5:41 PM

To: sniffer@SortMonster.com

Subject: RE: Re[2]: [sniffer] Last chance to renew at the old
price!




John T: Did you just solicit the
ENTIRE sniffer community with pricing that will undermine Pete?




Never bite the hand that feeds you my
friend.






-Original Message-

From: [EMAIL PROTECTED]
[
mailto:[EMAIL PROTECTED]]On Behalf Of John T
(Lists)

Sent: Wednesday, December 28, 2005 8:17 PM

To: sniffer@SortMonster.com

Subject: RE: Re[2]: [sniffer] Last chance to renew at the old
price!


Although I am a
registered reseller, I normally only sell hardware and software to
clients as part of my services.




However, if any one is
interested in a price, contact me off list.




John T


eServices For You




-Original Message-

From: [EMAIL PROTECTED]
[
mailto:[EMAIL PROTECTED]] On Behalf Of Kevin

Sent: Wednesday, December 28, 2005 5:00 PM

To: sniffer@SortMonster.com

Subject: Re: Re[2]: [sniffer] Last chance to renew at the old
price!




After posting this, another
reseller pm me their renewal rate of $269. I didn't know Sniffer had
another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's

https://www.computerhouse.com/ccsecure.html 


At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since
their pricing is $292.50? I assume their prices will increase on
Jan 1, 2006 too.


This E-Mail came from the Message Sniffer mailing list. For
information and (un)subscription instructions go to

http://www.sortmonster.com/MessageSniffer/Help/Help.html






Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Pete McNeil
I'm sorry that it wasn't more visible. We have been talking about this
for several months and have made a few announcements. It has also been
on the web site for several months.

My announcement today was just to make sure that anyone who had not
heard didn't get blind-sided. Sorry it didn't turn out that way. We
will be working on some better out-reach problems to help avoid this
in the future.

_M

On Tuesday, December 27, 2005, 4:02:15 PM, Darin wrote:

DC Wow... last minute notice.  It's difficult to budget for these things with
DC so little notice.  Please consider a couple months' notice the next time.

DC Darin.


DC - Original Message - 
DC From: Pete McNeil [EMAIL PROTECTED]
DC To: sniffer@sortmonster.com
DC Sent: Tuesday, December 27, 2005 12:42 PM
DC Subject: [sniffer] Last chance to renew at the old price!


DC Hello Sniffer folks,

DC   This is just a friendly reminder that prices will be going up
DC   January 1.

DC   You can add a year to your SNF subscription at the current price if
DC   you renew before January 1.

DC   Details are here:
DC https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

DC Thanks,
DC _M

DC Pete McNeil (Madscientist)
DC President, MicroNeil Research Corporation
DC Chief SortMonster (www.sortmonster.com)
DC Chief Scientist (www.armresearch.com)


DC This E-Mail came from the Message Sniffer mailing list. For information and
DC (un)subscription instructions go to
DC http://www.sortmonster.com/MessageSniffer/Help/Help.html



DC This E-Mail came from the Message Sniffer mailing list. For
DC information and (un)subscription instructions go to
DC http://www.sortmonster.com/MessageSniffer/Help/Help.html




Re: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Darin Cox
Great.  I've tracked ours and it is almost always 3 days, and sometimes up
to 5 days when it goes over a weekend.  This usually results in multiple
reports for false positives for a given rule.

Appreciate anything you can do to speed that up.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Tuesday, December 27, 2005 5:08 PM
Subject: Re[2]: [sniffer] Last chance to renew at the old price!


Part of the purpose for additional staff is to reach a goal of FP
processing measured in minutes to hours, never days as it is sometimes
now. We also have some automated tools on the drawing board that will
help to mitigate many FP cases on a self-serve basis. These will be
coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote:

DC Hi Michael,

DC How about false positive processing?  That's our biggest headache, but it
DC would be drastically reduced by faster processing than the 3-5 days we
DC currently see.

DC Darin.


DC - Original Message - 
DC From: Michael Murdoch [EMAIL PROTECTED]
DC To: sniffer@SortMonster.com
DC Cc: Pete McNeil [EMAIL PROTECTED]
DC Sent: Tuesday, December 27, 2005 2:13 PM
DC Subject: RE: [sniffer] Last chance to renew at the old price!


DC Hi Folks,

DC Actually, here is some more detail as to the reasons for the price
DC increase.  In addition, please bear in mind that prices haven't
DC been raised in approximately 2 years and even with this increase we are
DC priced very competitively.

DC The new feature/benefits and more to come are as follows:

DC * In the past 6 months we have more than doubled the number of updates
DC per day and we will continue to increase our bandwidth and the speed of
DC our updates.

DC * We have more than tripled our staff to improve our monitoring,
DC support, and rule generation capabilities.  Come January, we are again
DC doubling this staff as the black-hats have gotten much more
DC sophisticated and this has become a 24x7 battle.  Even Pete needs to
DC sleep sometimes. :-)

DC * We are adding new R&D programs for AFF/419 spam and Malware mitigation
DC (many of the results from these projects have already been implemented).

DC * During this next year as part of our continuous improvement policy we
DC will continue to roll out new features and enhancements such as fully
DC automated reporting, in-band real-time updates, an optimized message
DC processing pipeline, image and file attachment tagging, advanced header
DC structure analysis, enhanced adaptive heuristics, improved machine
DC learning systems, real-time wave-front threat detection, and many
DC more...

DC It's important to recognize that many of our improvements don't require
DC new software to be installed on the client side since they are delivered
DC through rulebase enhancements. Though this often causes our work to go
DC unnoticed, it is actually a design feature since it means that your
DC installation requires very little maintenance. This translates to
DC lowered administration costs and higher reliability.

DC As a result of this reliability-first design strategy, it may not
DC always be obvious that our service is constantly being improved and
DC enhanced - we never stand still ;-)

DC We'd hate to see any of you go, but please do compare us with other
DC services.
DC I'm sure that you'll find we're well worth the money, but it's always
DC good to keep your options open. In fact, best practice these days for
DC spam filtering is to use a blended approach that leverages many
DC services. We personally encourage that for best results.

DC Please let me know if you have any questions.  Thank you for your
DC feedback and business!

DC Sincerely

DC Michael Murdoch
DC The Sniffer Team
DC ARM Research Labs, LLC
DC Tel. 850-932-5338 x303


DC -Original Message-
DC From: [EMAIL PROTECTED]
DC [mailto:[EMAIL PROTECTED] On Behalf Of Fox, Thomas
DC Sent: Tuesday, December 27, 2005 1:03 PM
DC To: sniffer@SortMonster.com
DC Subject: RE: [sniffer] Last chance to renew at the old price!

DC I said the same thing, and the response was, basically,
DC We haven't raised the price in a long time, we need
DC the money, like it or lump it.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz
 Sent: Tuesday, December 27, 2005 1:57 PM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Last chance to renew at the old price!

 Pete, why over a 50% increase?  That seems rather drastic


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Pete McNeil
 Sent: Tuesday, December 27, 2005 12:42 PM
 To: sniffer@sortmonster.com
 Subject: [sniffer] Last chance to renew at the old price!

 Hello Sniffer folks,

   This is just a friendly reminder that prices will be going up
   January 1.

   You can add a year to your SNF subscription at the current price if
   you renew before January 1.

   Details

Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Pete McNeil
I can assure you that is not the case - quite the opposite in fact. I
would never suggest that you don't keep a plan B handy - everyone,
IMO, should always have a plan B, C and D handy - In fact, that MO is
one of the reasons we're still at it ;-)

None the less, what's really going on here is that we are finally
expanding to reach our potential, and I feel it's important to do that
sooner rather than later. It took a while to find a partner that was
up to the task.

I've had a lot of important enhancements and new technologies planned
and waiting on the shelf for some time now.

The count-down is over. Now it is time to get these things deployed. I
know that once you've seen some of the things that are coming you will
be well pleased with the results. I know I will.

_M

On Tuesday, December 27, 2005, 4:25:02 PM, J.D. wrote:

JDS  The short notice is a little disappointing.
JDS  However it is the justifications that are indicating that the
JDS  provider of this solution may no longer be a viable business that really
JDS  concerns me.
JDS  Sounds like we need to start looking for Plan B today.
JDS
JDS  J.D.
JDS
JDS  Michael Murdoch wrote:
JDS
JDS Hi Dave,

JDS Your license is set to expire on 01/26/2006, so if we receive the renewal
JDS before the end of the year, your cost will be the same as your last
JDS renewal.  Again, we are grandfathering and giving consideration to our
JDS existing clients.  If you wait until after the 1st, your educational
JDS cost will be 10% off the new retail of $ 495.00.

JDS Again and finally, this increase is needed if we are to remain a viable
JDS business that is able to provide you with a quality product/service and
JDS enhancements.  And, just to clarify the percentage of the price
JDS increase, it is actually a 34% increase in retail or $ 170.00 per year.
JDS I know that it may still seem like a lot to some of you, but it is
JDS either this or get out of the business.

JDS I trust and hope you will all understand.  That's all that I have left
JDS to say as we have to get back to work keeping your in-boxes clean. ;-)

JDS Thank you all for your business and support.  Have a great New Year!

JDS Best wishes,
JDS Mike Murdoch
JDS ARM Research Labs, LLC
JDS The Sniffer Team
JDS Tel. 850-932-5338 x303



JDS -Original Message-
JDS From:
JDS [EMAIL PROTECTED]:[EMAIL PROTECTED] On Behalf Of Dave Koontz
JDS Sent: Tuesday, December 27, 2005 1:42 PM
JDS To: [EMAIL PROTECTED]: 'Pete McNeil'
JDS Subject: RE: [sniffer] Last chance to renew at the old price!

JDS Thanks for the explanation.  While this is all fine and good, the reality
JDS is that many IT shops are on fixed budgets outside of their control.  I can
JDS justify a 10-15% increase to our CFO, but over 50% will get shot down
JDS immediately.

JDS The fact that you haven't raised prices in years is noble, but if you need
JDS additional revenue, you should phase the increases in over a period of time,
JDS or a modest increase each year.  Some customers simply can not turn up the
JDS cash buckets into over-drive whenever you deem you need a substantial cash
JDS influx.

JDS You've got a great product, and I would really hate to lose it as a tool.
JDS What will the Educational Institution pricing look like?


JDS -Original Message-
JDS From:
JDS [EMAIL PROTECTED]:[EMAIL PROTECTED]
JDS On Behalf Of Michael Murdoch
JDS Sent: Tuesday, December 27, 2005 2:14 PM
JDS To: [EMAIL PROTECTED]: Pete McNeil
JDS Subject: RE: [sniffer] Last chance to renew at the old price!
JDS Importance: High

JDS Hi Folks,

JDS Actually, here is some more detail as to the reasons for the price increase.
JDS In addition, please bear in mind that prices haven't been raised in
JDS approximately 2 years and even with this increase we are priced very
JDS competitively.

JDS The new feature/benefits and more to come are as follows:

JDS * In the past 6 months we have more than doubled the number of updates per
JDS day and we will continue to increase our bandwidth and the speed of our
JDS updates.

JDS * We have more than tripled our staff to improve our monitoring, support,
JDS and rule generation capabilities.  Come January, we are again doubling this
JDS staff as the black-hats have gotten much more sophisticated and this has
JDS become a 24x7 battle.  Even Pete needs to sleep sometimes. :-)

JDS * We are adding new R&D programs for AFF/419 spam and Malware mitigation
JDS (many of the results from these projects have already been implemented).

JDS * During this next year as part of our continuous improvement policy we will
JDS continue to roll out new features and enhancements such as fully automated
JDS reporting, in-band real-time updates, an optimized message processing
JDS pipeline, image and file attachment tagging, advanced header structure
JDS analysis, enhanced adaptive heuristics, improved machine learning systems,
JDS real-time wave-front threat

RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Michael Murdoch










Thanks Dean - And thanks to all of you who have been
very supportive and understanding of what we are doing here!

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Lawrence
Sent: Tuesday, December 27, 2005 4:18 PM
To: sniffer@sortmonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

You know, I just don't get where all of the doom and gloom comes from. Yes,
it is a large percentage increase, but it's still only 2 bucks a day to run
the best piece of software on my server. I'm sure that they have taken these
comments into consideration and will try to give more advanced notice in the
future. But, to start with the "Time to start looking for another solutions"
talk is ridiculous. Reading Michael's description of what is going on over
there suggests that their business is exploding, not imploding. And to keep
on top of it, they need to increase their cash flow, not to buy nicer cars.
I think everyone needs to look at how much Sniffer saves you everyday
instead of griping about how much it costs you.

Just my 2 cents.

Dean

On 12/27/05, Pete McNeil [EMAIL PROTECTED] wrote:

Part of the purpose for additional staff is to reach a goal of FP
processing measured in minutes to hours, never days as it is sometimes 
now. We also have some automated tools on the drawing board that will
help to mitigate many FP cases on a self-serve basis. These will be
coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote: 

DC Hi Michael,

DC How about false positive processing? That's our biggest headache, but it
DC would be drastically reduced by faster processing than the 3-5 days we
DC currently see.

DC Darin.


DC - Original Message -
DC From: Michael Murdoch [EMAIL PROTECTED]
DC To: sniffer@SortMonster.com
DC Cc: Pete McNeil [EMAIL PROTECTED]
DC Sent: Tuesday, December 27, 2005 2:13 PM
DC Subject: RE: [sniffer] Last chance to renew at the old price!


DC Hi Folks,

DC Actually, here is some more detail as to the reasons for the price
DC increase. In addition, please bear in mind that prices haven't
DC been raised in approximately 2 years and even with this increase we are
DC priced very competitively.

DC The new feature/benefits and more to come are as follows:

DC * In the past 6 months we have more than doubled the number of updates
DC per day and we will continue to increase our bandwidth and the speed of
DC our updates.

DC * We have more than tripled our staff to improve our monitoring,
DC support, and rule generation capabilities. Come January, we are again
DC doubling this staff as the black-hats have gotten much more
DC sophisticated and this has become a 24x7 battle. Even Pete needs to
DC sleep sometimes. :-)

DC * We are adding new RD programs for AFF/419 spam and Malware mitigation
DC (many of the results from these projects have already been implemented).

DC * During this next year as part of our continuous improvement policy we
DC will continue to roll out new features and enhancements such as fully
DC automated reporting, in-band real-time updates, an optimized message
DC processing pipeline, image and file attachment tagging, advanced header
DC structure analysis, enhanced adaptive heuristics, improved machine
DC learning systems, real-time wave-front threat detection, and many
DC more...

DC It's important to recognize that many of our improvements don't require
DC new software to be installed on the client side since they are delivered
DC through rulebase enhancements. Though this often causes our work to go
DC unnoticed, it is actually a design feature since it means that your
DC installation requires very little maintenance. This translates to
DC lowered administration costs and higher reliability.

DC As a result of this "reliability-first" design strategy, it may not
DC always be obvious that our service is constantly being improved and
DC enhanced - we never stand still ;-)

DC We'd hate to see any of you go, but please do compare us with other
DC services.
DC I'm sure that you'll find we're well worth the money, but it's always
DC good to keep your options open. In fact, best practice these days for
DC spam filtering is to use a blended approach that leverages many
DC services. We personally encourage that for best results.

DC Please let me know if you have any questions. Thank you for your
DC feedback and business!

DC Sincerely

DC Michael Murdoch
DC The Sniffer Team
DC ARM Research Labs, LLC
DC Tel. 850-932-5338 x303


DC -Original Message-
DC From: [EMAIL PROTECTED]
DC [mailto:[EMAIL PROTECTED]] On Behalf Of Fox, Thomas
DC Sent: Tuesday, December 27, 2005 1:03 PM
DC To: sniffer@SortMonster.com
DC Subject: RE: [sniffer] Last chance to renew at the old price!

DC I said the same thing, and the response was, basically,
DC "We haven't raised the price in a long time, we need
DC the money, like it or lump it."

 -Original Message-
 From: [EMAIL

Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Pete McNeil
On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch

 If you don't feel that's the case, then you
 are free to decide if you think otherwise.  Thanks and take care! 

FT EASY FOX TRANSLATION:

FT Like it, or lump it.

Translated another way...

We could keep things as they are, stand still while spam generation
technology advances rapidly, wither away, and die.

OR

We could charge a bit more, accelerate development and make sure that
SNF stays out in front and even expands the gap.

I, for one, am not willing to make the first choice, and I doubt that
it would be in anyone's best interests - except, perhaps, the
blackhats.

_M



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Rick Robeson
The thought does occur to me of how other companies have dealt with similar
issues.
That issue being how to address a market requiring internal expansion (i.e.
expanded reinvestment) while not alienating an existing satisfied customer
base. Many companies simply split their product line into 'basic' and
'premium' services. If the need is as great as Michael says, and the new
revisions will result in vastly improved service, then most of their
existing customers should want to move forward. However, giving people the
option to 'stand still' is viable, good marketing, and good strategy. At
this point, you have a certain catch 22. Everyone that pays now (for next
year) is still paying you at the same rate (meaning no expanded funds), but
is now wondering if they're doing the right thing. Almost seems like the
only way to make the current strategy pay off would have been to demand the
increased fees from all clients and not given the grace period for renewing
at the old rate. At least that way, you'd have gotten something in return
for any perceived customer dissatisfaction.

Consider expanding to a two-tier service option. It really can work well,
especially when in the future you might want to charge even more, but not
alienate 'new' customers who need a lower buy-in.


Rick Robeson
getlocalnews.com
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fox, Thomas
Sent: Tuesday, December 27, 2005 2:40 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!


Your interpretation of a bit as being 50+%
is disingenuous at best, and thievery at the
worst.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, December 27, 2005 5:34 PM
 To: Fox, Thomas
 Subject: Re[2]: [sniffer] Last chance to renew at the old price!

 On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
 
  If you don't feel that's the case, then you
  are free to decide if you think otherwise.  Thanks and take care!

 FT EASY FOX TRANSLATION:

 FT Like it, or lump it.

 Translated another way...

 We could keep things as they are, stand still while spam generation
 technology advances rapidly, whither away, and die.

 OR

 We could charge a bit more, accelerate development and make sure that
 SNF stays out in front and even expands the gap.

 I, for one, am not willing to make the first choice, and I doubt that
 it would be in anyone's best interests - except, perhaps, the
 blackhats.

 _M





RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Landry, William (MED US)



Agree wholeheartedly!

Bill


From: Dean Lawrence [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 27, 2005 2:18 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

You know, I just don't get where all of the doom and gloom comes from. Yes,
it is a large percentage increase, but it's still only 2 bucks a day to run
the best piece of software on my server. I'm sure that they have taken these
comments into consideration and will try to give more advanced notice in the
future. But, to start with the "Time to start looking for another solutions"
talk is ridiculous. Reading Michael's description of what is going on over there
suggests that their business is exploding, not imploding. And to keep on top of
it, they need to increase their cash flow, not to buy nicer cars. I think
everyone needs to look at how much Sniffer saves you everyday instead of griping
about how much it costs you.

Just my 2 cents.

Dean
On 12/27/05, Pete McNeil [EMAIL PROTECTED] wrote:

Part of the purpose for additional staff is to reach a goal of FP
processing measured in minutes to hours, never days as it is sometimes
now. We also have some automated tools on the drawing board that will
help to mitigate many FP cases on a self-serve basis. These will be
coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote:

DC Hi Michael,

DC How about false positive processing? That's our biggest headache, but it
DC would be drastically reduced by faster processing than the 3-5 days we
DC currently see.

DC Darin.

DC - Original Message -
DC From: "Michael Murdoch" [EMAIL PROTECTED]
DC To: sniffer@SortMonster.com
DC Cc: "Pete McNeil" [EMAIL PROTECTED]
DC Sent: Tuesday, December 27, 2005 2:13 PM
DC Subject: RE: [sniffer] Last chance to renew at the old price!

DC Hi Folks,

DC Actually, here is some more detail as to the reasons for the price
DC increase. In addition, please bear in mind that prices haven't
DC been raised in approximately 2 years and even with this increase we are
DC priced very competitively.

DC The new feature/benefits and more to come are as follows:

DC * In the past 6 months we have more than doubled the number of updates
DC per day and we will continue to increase our bandwidth and the speed of
DC our updates.

DC * We have more than tripled our staff to improve our monitoring,
DC support, and rule generation capabilities. Come January, we are again
DC doubling this staff as the black-hats have gotten much more
DC sophisticated and this has become a 24x7 battle. Even Pete needs to
DC sleep sometimes. :-)

DC * We are adding new RD programs for AFF/419 spam and Malware mitigation
DC (many of the results from these projects have already been implemented).

DC * During this next year as part of our continuous improvement policy we
DC will continue to roll out new features and enhancements such as fully
DC automated reporting, in-band real-time updates, an optimized message
DC processing pipeline, image and file attachment tagging, advanced header
DC structure analysis, enhanced adaptive heuristics, improved machine
DC learning systems, real-time wave-front threat detection, and many
DC more...

DC It's important to recognize that many of our improvements don't require
DC new software to be installed on the client side since they are delivered
DC through rulebase enhancements. Though this often causes our work to go
DC unnoticed, it is actually a design feature since it means that your
DC installation requires very little maintenance. This translates to
DC lowered administration costs and higher reliability.

DC As a result of this "reliability-first" design strategy, it may not
DC always be obvious that our service is constantly being improved and
DC enhanced - we never stand still ;-)

DC We'd hate to see any of you go, but please do compare us with other
DC services.
DC I'm sure that you'll find we're well worth the money, but it's always
DC good to keep your options open. In fact, best practice these days for
DC spam filtering is to use a blended approach that leverages many
DC services. We personally encourage that for best results.

DC Please let me know if you have any questions. Thank you for your
DC feedback and business!

DC Sincerely

DC Michael Murdoch
DC The Sniffer Team
DC ARM Research Labs, LLC
DC Tel. 850-932-5338 x303

DC -Original Message-
DC From: [EMAIL PROTECTED]
DC [mailto:[EMAIL PROTECTED]] On Behalf Of Fox, Thomas
DC Sent: Tuesday, December 27, 2005 1:03 PM
DC To: sniffer@SortMonster.com
DC Subject: RE: [sniffer] Last chance to renew at the old price!

DC I said the same thing, and the response was, basically,
DC "We haven't raised the price in a long time, we need
DC the money, like it or lump it."

 -Original Message- From: [EMAIL PROT

RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Landry, William (MED US)

Thomas, if your company cannot afford the rather small monetary increase,
and you are running that close to the edge, then maybe you should not be in
business.  I for one am glad to hear the SNF is adding resources and has
mapped out a list of future feature enhancements.  Please quit your griping
or take it off list.

Bill 

-Original Message-
From: Fox, Thomas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 27, 2005 2:40 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Your interpretation of a bit as being 50+% is disingenuous at best, and
thievery at the worst.
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, December 27, 2005 5:34 PM
 To: Fox, Thomas
 Subject: Re[2]: [sniffer] Last chance to renew at the old price!
 
 On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
 
  If you don't feel that's the case, then you
  are free to decide if you think otherwise.  Thanks and take care! 
 
 FT EASY FOX TRANSLATION:
 
 FT Like it, or lump it.
 
 Translated another way...
 
 We could keep things as they are, stand still while spam generation
 technology advances rapidly, whither away, and die.
 
 OR
 
 We could charge a bit more, accelerate development and make sure that
 SNF stays out in front and even expands the gap.
 
 I, for one, am not willing to make the first choice, and I doubt that
 it would be in anyone's best interests - except, perhaps, the
 blackhats.
 
 _M
 
 
 

---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you




RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread John T (Lists)
The only problem with that, and one which I do not know how large of a
problem it is, is if you have always provided a single product, and suddenly
divide it into 2 levels, you end up with twice the amount of critics: Those
that pay less but expect more, those that pay more and then expect even
more.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Robeson
 Sent: Tuesday, December 27, 2005 2:54 PM
 To: sniffer@SortMonster.com
 Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
 
 The thought does occur to me of how other companies have dealt with similar
 issues.
 That issue being how to address a market requiring internal expansion (i.e.
 expanded reinvestment) while not alienating an existing satisfied customer
 base. Many companies simply split their product line into 'basic' and
 'premium' services. If the need is as great as Michael says, and the new
 revisions will result in vastly improved service, then most of their
 existing customers should want to move forward. However, giving people the
 option to 'stand still' is viable, good marketing, and good strategy. At
 this point, you have a certain catch 22. Everyone that pays now (for next
 year) is still paying you at the same rate (meaning no expanded funds), but
 is now wondering if they're doing the right thing. Almost seems like the
 only way to make the current strategy pay off would have been to demand the
 increased fees from all clients and not given the grace period for renewing
 at the old rate. At least that way, you'd have gotten something in return
 for any perceived customer dissatisfaction.
 
 Consider expanding to a two-tier service option. It really can work well,
 especially when in the future you might want to charge even more, but not
 alienate 'new' customers who need a lower buy-in.
 
 
 Rick Robeson
 getlocalnews.com
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Fox, Thomas
 Sent: Tuesday, December 27, 2005 2:40 PM
 To: sniffer@SortMonster.com
 Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
 
 
 Your interpretation of a bit as being 50+%
 is disingenuous at best, and thievery at the
 worst.
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
  Sent: Tuesday, December 27, 2005 5:34 PM
  To: Fox, Thomas
  Subject: Re[2]: [sniffer] Last chance to renew at the old price!
 
  On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
  
   If you don't feel that's the case, then you
   are free to decide if you think otherwise.  Thanks and take care!
 
  FT EASY FOX TRANSLATION:
 
  FT Like it, or lump it.
 
  Translated another way...
 
  We could keep things as they are, stand still while spam generation
  technology advances rapidly, whither away, and die.
 
  OR
 
  We could charge a bit more, accelerate development and make sure that
  SNF stays out in front and even expands the gap.
 
  I, for one, am not willing to make the first choice, and I doubt that
  it would be in anyone's best interests - except, perhaps, the
  blackhats.
 
  _M
 
 
 


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread John T (Lists)
Pete, I am both a Sniffer reseller and user, and I was blind sided by this
announcement.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, December 27, 2005 2:11 PM
 To: Darin Cox
 Subject: Re[2]: [sniffer] Last chance to renew at the old price!
 
 I'm sorry that it wasn't more visible. We have been talking about this
 for several months and have made a few announcements. It has also been
 on the web site for several months.
 
 My announcement today was just to make sure that anyone who had not
 heard didn't get blind-sided. Sorry it didn't turn out that way. We
 will be working on some better out-reach problems to help avoid this
 in the future.
 
 _M
 
 On Tuesday, December 27, 2005, 4:02:15 PM, Darin wrote:
 
 DC Wow... last minute notice.  It's difficult to budget for these things with
 DC so little notice.  Please consider a couple months' notice the next time.
 
 DC Darin.
 
 
 DC - Original Message -
 DC From: Pete McNeil [EMAIL PROTECTED]
 DC To: sniffer@sortmonster.com
 DC Sent: Tuesday, December 27, 2005 12:42 PM
 DC Subject: [sniffer] Last chance to renew at the old price!
 
 
 DC Hello Sniffer folks,
 
 DC   This is just a friendly reminder that prices will be going up
 DC   January 1.
 
 DC   You can add a year to your SNF subscription at the current price if
 DC   you renew before January 1.
 
 DC   Details are here:
 DC https://www.armresearch.com/message-sniffer/forms/form-renewal.asp
 
 DC Thanks,
 DC _M
 
 DC Pete McNeil (Madscientist)
 DC President, MicroNeil Research Corporation
 DC Chief SortMonster (www.sortmonster.com)
 DC Chief Scientist (www.armresearch.com)
 
 


Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Pete McNeil
On Tuesday, December 27, 2005, 1:31:04 PM, Steve wrote:

SJ How can I tell when my subscription expires?

You should have a note from your original purchase or your latest
renewal. Also, you can ask ;-) I'll send you your current expiration
directly.

I hope to put up a self-serve tool for checking license status early
next year.

Thanks,

_M





Re[2]: [sniffer] Joe Jobs...

2005-12-15 Thread Pete McNeil
IMO, you're absolutely right. These days, automated responses are just
as bad (for the same reasons) as challenge/response systems. They
amplify spam and malware issues by generating outscatter.

None the less, they still happen.

_M

On Thursday, December 15, 2005, 1:10:31 PM, Kevin wrote:

KS That brings a question up...why do some/many/most postmasters feel that it
KS is so important to notify senders of a virus to a spoofed email address?
KS Also, I have yet to see a legitimate email that contained a virus..so why
KS not turn the notification off altogether?

KS Just curious...

KS Kevin 

KS -Original Message-
KS From: [EMAIL PROTECTED]
KS [mailto:[EMAIL PROTECTED]
KS On Behalf Of Pete McNeil
KS Sent: Thursday, December 15, 2005 11:30 AM
KS To: sniffer@sortmonster.com
KS Subject: [sniffer] Joe Jobs...

KS Hello Sniffer Folks,

KS   Please be aware that there are several spam and possibly virus
KS   (other malware?) campaigns being transmitted with my madscientist
KS   address and possibly other addresses from our company in the From:
KS   headers and SMTP envelope.

KS   Though this has happened in the past at low levels, I have noted
KS   recently a very high level of bounces and warnings returning to me
KS   (erroneously) from systems that claim they have received viruses and
KS   spam from my address.

KS   I suspect that this might have been triggered by recent press
KS   activity, - especially a Washington Post article which included my
KS   email address without modification.

KS   If you receive any of these messages, please treat them as the
KS   spam/malware that they are and ignore the source.

KS   I have verified that we are not sending any such messages (
KS   unintentionally) from any of our systems.

KS Thanks,
KS _M

KS Pete McNeil (Madscientist)
KS President, MicroNeil Research Corporation Chief SortMonster
KS (www.sortmonster.com) Chief Scientist (www.armresearch.com)




Re[2]: [sniffer] POP3 Account Question

2005-12-05 Thread Pete McNeil




On Monday, December 5, 2005, 3:33:33 PM, Andrew wrote:







I had the same question, but more specifically:

Is it helpful for sniffer trap (spam and user trap) submissions to skip, or to include messages on which sniffer already hits.

It's best for those messages to be removed. The trap-bot will remove anything that matches SNF on its way in.

I imagine that all trap hits are useful, and that duplicate submissions reinforce the rule strength for a given hit when we submit spam that is already detected...

It is true that if the Trap-Bot filters a message the rules get extra hits, however the best way to get at that data is from your reported logs. This way the Trap-Bots spend all of their time on new things.

Thanks,

_M




