[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...
Hello Pete, Thursday, June 8, 2006, 9:41:55 AM, you wrote: It does look a little weird. Sometimes it's normal though. I'll see if I can identify anything odd in the settings. _M I've changed the settings. I hope this response works ok. _M Testing. Sorry for the extra traffic - only way to debug it. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC. # This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...
Hello Pete, Thursday, June 8, 2006, 9:42:42 AM, you wrote: Hello Pete, Thursday, June 8, 2006, 9:41:55 AM, you wrote: It does look a little weird. Sometimes it's normal though. I'll see if I can identify anything odd in the settings. _M I've changed the settings. I hope this response works ok. _M Testing. Sorry for the extra traffic - only way to debug it. _M This seems to be working ok, Thanks for your patience. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...
Pete, My understanding was that Declude treats different arguments to an executable as just being other forms of that executable so it only processes it once. I'm not positive one way or another. It's worth testing though. Matt Pete McNeil wrote: Hello Matt, Wednesday, June 7, 2006, 11:52:56 PM, you wrote: Pete, Just two more cents for the masses... If people use this for two different external tests in Declude, they need to create two differently named executables because Declude will assume the calling executable to be part of the same test and only run it once (or possibly create an error depending on one's configuration). This may not be necessary if you have different test types defined, i.e. nonzero, weight, external, and bitmask, but better safe than sorry. I think this might not be correct. IIRC, the design spec for that feature was that if the command line was different in the test then it would be executed again and if the command line was identical it would not. This was to allow for calling the same program with different parameters. I'm pretty sure that's how it works --- it might be worth a few tests if you're sure it's not that way, but I strongly suspect that if one of the parameters is different in the test line (inside the quotes) then it will be executed again as a different test. Also, I noted that the Subjects on this list are being repeated. I saw that you changed to a new server, but I also noted that there is no space after "[sniffer]" in the Subject and thought that maybe this is what is throwing things off. Maybe adding that space will correct the issue??? It does look a little weird. Sometimes it's normal though. I'll see if I can identify anything odd in the settings. _M
[sniffer]Re[2]: [sniffer]FP suggestions
Hello Darin, Wednesday, June 7, 2006, 7:31:29 AM, you wrote: The one issue with this I have is 1) Forward full original source to Sniffer with license code. If we could do it without the license code, it would be much easier to automate on our end. I already have a process in place to copy and reroute false positives by rewriting the Q file. I'm hesitant to alter the message itself to add the license code. If we could authenticate the FP report via some other means it would help greatly. How about connecting IP instead? At the moment that is how it's done: a combination of email address and source IP are matched with the license ID. The reason we ask for the license ID is because folks submitting false positives occasionally forget that we authenticate on their registered email address and use some other address. -- The rule is that if the system can't match the email address it should/may drop the message rather than evaluating it. We get a lot of spam and attempts to game the system at our false@ address... so when it's heavy we do drop messages that can't be properly identified. However, in an effort to provide the best service possible, if the license ID is present and we have the time we will look to see if it could be a legit FP submission by researching the source and domain - and if we think it is likely to be legitimate we will process the FP and respond with an additional code reminding the submitter that they must use their registered email address or an authorized alias. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]FP suggestions
Hi Pete, Can I interpret this as email address and matching source IP are sufficient if the correct email address is used to submit? If not, do you have any suggestions on how you would like to see us inserting the license ID in the D file? Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Wednesday, June 07, 2006 8:25 AM Subject: [sniffer]Re[2]: [sniffer]FP suggestions
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Hello Darin, Wednesday, June 7, 2006, 8:44:26 AM, you wrote: Hi Pete, Can I interpret this as email address and matching source IP are sufficient if the correct email address is used to submit? Yes. If not, do you have any suggestions on how you would like to see us inserting the license ID in the D file? To clarify, nothing should be inserted in the D file. The original message should be attached as an RFC 822 attachment in as close to the original form as possible. The license id, if included at all, should be in the subject line of the submission message. Remember also, we WILL be responding to the submission message so that we can record a dialogue with you about the false positive in question. Hope this helps, Thanks, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
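The submission form Pete describes (original attached as message/rfc822, nothing inserted into it, license ID in the Subject of the outer message), as an added example written for this page in Python; it is not Message Sniffer's own submission tooling. The Subject layout "[SNF license <id>] false positive", the addresses and the sample message are all constructed for the example. The round-trip function shows the property that matters for rule matching: the attached copy comes back byte for byte, quoted-printable body and header order included.

```python
"""False-positive submission with the original as a message/rfc822 attachment.

Added example for this page, not Message Sniffer's submission tooling.
Assumptions: the Subject layout "[SNF license <id>] false positive", the
addresses and ORIGINAL_RAW below are all constructed here."""
import email
from email import policy
from email.message import EmailMessage

# Constructed sample standing in for a message that SNF flagged. The
# quoted-printable 8-bit character and the header order must both survive.
ORIGINAL_RAW = (
    b"From: sender@example.org\r\n"
    b"To: user@example.com\r\n"
    b"Subject: quarterly numbers\r\n"
    b"X-Queue-ID: D1234abcd\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Caf=E9 numbers attached, see you Thursday.\r\n"
)

SUBJECT_PREFIX = "[SNF license "   # assumed layout, not SNF's documented one


def build_submission(original_raw: bytes, license_id: str,
                     sender: str, recipient: str) -> bytes:
    """Wrap original_raw in a new message; the original is never edited."""
    original = email.message_from_bytes(original_raw, policy=policy.SMTP)
    outer = EmailMessage(policy=policy.SMTP)
    outer["From"] = sender                     # must be the registered address
    outer["To"] = recipient
    outer["Subject"] = f"{SUBJECT_PREFIX}{license_id}] false positive"
    outer.set_content("False positive report; original attached as message/rfc822.\n")
    # add_attachment() with a Message object produces a message/rfc822 part
    # whose body is the embedded message with its own headers and encoding.
    outer.add_attachment(original)
    return outer.as_bytes()


def extract_original(submission_raw: bytes) -> bytes:
    """What the receiving side gets back: the embedded message, serialised."""
    outer = email.message_from_bytes(submission_raw, policy=policy.SMTP)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content().as_bytes()
    raise ValueError("no message/rfc822 attachment in submission")


def license_id_from_subject(submission_raw: bytes) -> str:
    """Recover the license ID from the outer Subject (assumed layout)."""
    outer = email.message_from_bytes(submission_raw, policy=policy.SMTP)
    subject = str(outer["Subject"])
    start = subject.index(SUBJECT_PREFIX) + len(SUBJECT_PREFIX)
    return subject[start:subject.index("]", start)]


def roundtrip_ok(original_raw: bytes = ORIGINAL_RAW) -> bool:
    """True when the attached copy comes back byte-identical to the input."""
    submission = build_submission(original_raw, "ABC123",
                                  "postmaster@example.com", "false@example.invalid")
    return extract_original(submission) == original_raw


if __name__ == "__main__":
    print("round trip intact:", roundtrip_ok())
```

Queueing a message built this way directly from the mail server keeps the bytes under your control; a desktop client's inline forward typically re-encodes the body and drops the original headers, which is exactly the difference the round-trip check detects.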
[sniffer]Re[2]: [sniffer]FP suggestions
Hello Scott, Wednesday, June 7, 2006, 10:08:58 AM, you wrote: For me the pain of false positives submissions is the research that happens when I get a no rule found return. I then need to find the queue-id of the original message and then find the appropriate Sniffer log and pull out the log lines from there and then submit it. Almost always in these cases, a rule is removed. If this process could be improved that would really be a time saver. This depends on the email system you are using. On some systems (MDaemon, and postfix, for example) X- headers from SNF can be emitted into the message. When we see these we can identify the rules directly without asking for the extra research. It would be nice if Declude would offer a mechanism to pick up the optional .xhdr file SNF can generate and include it in the X headers that it already adds to the message. I know this begs the question, why not have SNF add the headers for SmarterMail and IMail platforms, and the reason is that it would require writing an additional copy of the message to disk. Since these systems tend to be I/O bound already (Declude/IMail anyhow) the performance penalty would be prohibitive. If Declude picks up .xhdr from SNF directly then it can be included in the ONE rewrite Declude makes anyway. I've asked them about this and other improved integration opportunities for a while now (many months), and I get favorable responses, but no action so far. I guess we will see :-) _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]FP suggestions
Pete, An X-Header would be very, very nice to have. I understand the issues related to waiting to see if something comes through, and because of that, I would maybe suggest moving on your own. Sniffer doesn't need to be run on every single message in a Declude system. Through weight based skipping, many administrators (especially the ones that could make the most use of this) could skip processing Sniffer once a certain weight is reached, and in turn that would save enough load that it should easily make up for needing to re-write the message to the disk with the modified headers. On external tests that allow for weight skipping on my system, I was skipping around 50% of messages before lightening the load with pre-scanning. Sniffer could do weight skipping with Declude by accepting the %WEIGHT% variable in the command line. SNIFFER-IP external 063 "C:\IMail\Declude\Sniffer\customer-code.exe license-code WH=26 WL=-5 CW=%WEIGHT%" 5 0 ...etc. The WH setting says don't run if equal to or greater than, the WL says don't run if equal to or less than, and the CW passes in the weight from Declude at the time of calling Sniffer. It still launches Sniffer, but it could be stopped immediately before any heavy lifting is done. The best solution of course would be for Declude to allow for weight-based skipping in the config without calling the executable, but I started asking about that back in the Scott days and I am not holding out hope for that happening soon considering. The most realistic option would seem to then have Sniffer do the heavy lifting of rewriting itself, and save some CPU and disk I/O by improving efficiencies with something as simple as weight-based skipping. I'm pretty sure the net result would be less CPU and disk I/O overall if both were done. Another alternative may be to create a separate executable (with weight-based skipping) that would only deal with adding headers from the text file that Sniffer drops in the directory. 
There would be less benefit overall to keeping this all in one app, but it would target the primary need. This could easily be written by one of us in _vbscript_ as a proof of concept. I have considered doing this before, but it isn't at the top of my priorities. BTW, you could maybe even encode links in the headers for FP reporting through a Web interface, completely removing the forwarding mechanism from the mix, though you wouldn't have the opportunity to see the messages which may not be good as a whole. Matt
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Hello Matt, Wednesday, June 7, 2006, 3:37:36 PM, you wrote: Pete, An X-Header would be very, very nice to have. I understand the issues related to waiting to see if something comes through, and because of that, I would maybe suggest moving on your own. I've got it on the list to have a message rewriting option... it's just not as high as some others. I hadn't thought about the weight gating utility - though that seems like something that would be useful in general for external tests... weightgate -5 %WEIGHT% 20 command line to run 5 0 command line to run is executed if %WEIGHT% is in the range [-5,20] and the exit code of command line to run is returned. That seems like a pretty simple utility to knock out - perhaps I will ;-) Also, on the FP reporting links idea, that would break the process - it's important for us to see the message for many reasons, and it's important for the FP resolution process to be interactive. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Hello Matt, Wednesday, June 7, 2006, 4:22:05 PM, you wrote: Pete, Since the %WEIGHT% variable is added by Declude, it might make sense to have a qualifier instead of making the values space delimited. I don't want to mix delimiters... everything so far is using spaces, so it makes sense to continue that way IMO. Errors in Declude could cause values to not be inserted, and not everyone will want to skip at a low weight. I haven't seen any bugs with %WEIGHT% since shortly after it was introduced, but you never know. I have seen some issues with other Declude inserted variables though. Well, errors are always a possibility, but in this case it _should_ be reasonably safe. For example, if this is used to gate SNF, then a missing %WEIGHT% would result in trying to launch a program with the same name as the authentication string, and it is highly unlikely that would be found, so the result would be the "program not found" error code. That's not perfect because it's a nonzero result, but it is safe in that it is not likely to launch another program. One other thing that I came across with the way that Declude calls external apps...you can't delimit the data with things like quotes. There is no mechanism for escaping a functional quote from a quote that should appear in the data that you pass to it...so don't use quotes as delimiters :) Not a problem... I just whipped together a utility called WeightGate.exe that can be downloaded here (for now): http://www.messagesniffer.com/Tools/WeightGate.exe Suppose you wanted to use it in Declude to skip running SNF if your weight was already ridiculously low (perhaps white listed) or already so high that you want to save the extra cycles.
Then you might do something like this: SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0 (hopefully that didn't wrap, and if it did you will know what I meant ;-) To test this concept out you might first create a copy of WeightGate.exe called ShowMe.exe (case matters!) and then do something like this: SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0 The result of that would be the creation of a file c:\ShowMe.log that contained all of the parameters ShowMe.exe was called with -- that way you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS returns zero, so this _should_ be safe ;-) If you run WeightGate on the command line without parameters it will tell you all about itself and its alter ego ShowMe.exe. That description goes like this (I may fix the typo(s) later): WeightGate.exe (C) 2006 ARM Research Labs, LLC. This program is distributed AS-IS, with no warranty of any kind. You are welcome to use this program on your own systems or those that you directly support. Please do not redistribute this program except as noted above, however feel free to recommend this program to others if you wish and direct them to our web site where they can download it for themselves. Thanks! www.armresearch.com. This program is most commonly used to control the activation of external test programs from within Declude (www.declude.com) based on the weight that has been calculated thus far for a given message. As an added feature, if you rename this program to ShowMe.exe then it will emit all of the command line arguments as it sees them to a file called c:\ShowMe.log so that you can use it as a debugging aid. If you are seeing this message, you have used this program incorrectly. The correct invocation for this program is: WeightGate low weight high program arg 1, arg 2,... arg n Where: low = a number representing the lowest weight to run program.
weight = a number representing the actual weight to evaluate. high = a number representing the highest weight to run program. program = the program to be activated if weight is in range. arg 1, arg 2, ... arg n = arguments for program. If weight is in the range [low,high] then WeightGate will run program and pass all of arg 1, arg 2,... arg n to it. Then WeightGate will collect the exit code of program and return it as WeightGate's exit code. If WeightGate gets the wrong number of parameters it will display this message and return FAIL_SAFE (zero) as its exit code. If weight is not in range (less than low or greater than high) then WeightGate will NOT launch program and will return FAIL_SAFE (zero) as its exit code. As a debugging aid, I was called with the following arguments: arg[0] me = WeightGate -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
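The gating rule spelled out in the help text above (run the program only when low <= weight <= high and pass its exit code through, otherwise return FAIL_SAFE zero) together with the ShowMe.exe argument trace, as an added example written for this page in Python; it is not ARM Research's WeightGate.exe, and the page does not say how that binary parses its numeric fields. The version here parses them strictly, so the missing-%WEIGHT% case analysed in the same message (the fields shift left and the authentication string lands in the program slot) returns FAIL_SAFE without launching anything, rather than relying on a "program not found" error. The runner hook and the showme.py file name are assumptions made for the example.

```python
"""WeightGate-style gating of an external test by Declude's running weight.

Added example for this page, written in Python; it is NOT ARM Research's
WeightGate.exe. Semantics follow the help text quoted on the page:
    low weight high program arg1 ... argN
run program (returning its exit code) only if low <= weight <= high,
otherwise return FAIL_SAFE (0). Assumption: numeric fields are parsed
strictly here, so a field that is not an integer is a usage error; the
page does not say how the original parses them."""
import subprocess
import sys
from typing import Callable, List, Optional, Tuple

FAIL_SAFE = 0                  # exit code when nothing is launched (nonzero = test fires)
SHOWME_LOG = r"c:\ShowMe.log"  # where the ShowMe alter ego writes its trace


def parse_int(field: str) -> Optional[int]:
    """Accept '-50', '30', '+5'; reject 'c:\\SNF\\sniffer.exe' or ''."""
    try:
        return int(field, 10)
    except ValueError:
        return None


def decide(args: List[str]) -> Tuple[str, List[str]]:
    """Classify an argument vector (everything after argv[0]).

    Returns ('run', [program, arg1, ...]) when weight is within [low, high],
    ('skip', []) when it is out of range, and ('usage', []) when the vector
    does not have the shape: low weight high program.
    """
    if len(args) < 4:
        return ("usage", [])
    low, weight, high = [parse_int(a) for a in args[:3]]
    if low is None or weight is None or high is None:
        # The missing-%WEIGHT% case from the thread: the fields shift left,
        # "high" becomes the sniffer path and the auth string would be the
        # program. Treat it as a usage error and launch nothing.
        return ("usage", [])
    if weight < low or weight > high:
        return ("skip", [])
    return ("run", args[3:])


def show_me(args: List[str], log_path: str = SHOWME_LOG) -> List[str]:
    """ShowMe behaviour: append every argument as seen to a log file and
    return the lines written. Always pairs with exit code FAIL_SAFE."""
    lines = [f"arg[{i}] = {a}" for i, a in enumerate(args)]
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def weight_gate(args: List[str],
                runner: Callable[[List[str]], int] = subprocess.call) -> int:
    """Exit code WeightGate would return for this argument vector."""
    action, command = decide(args)
    if action != "run":
        return FAIL_SAFE
    # No shell: the gated command is passed as an argv list, so a weight or
    # auth string containing shell metacharacters cannot alter the command.
    return runner(command)


if __name__ == "__main__":
    # Declude expands %WEIGHT% before calling, e.g.
    #   weightgate.py -50 12 30 c:\SNF\sniffer.exe authenticationxx
    me = sys.argv[0].lower()
    if me.endswith("showme.py") or me.endswith("showme.exe"):
        show_me(sys.argv)
        sys.exit(FAIL_SAFE)
    sys.exit(weight_gate(sys.argv[1:]))
```

Because both the out-of-range and the usage paths return zero, a mistyped test line does not error out; it silently turns the test off. The ShowMe trace is the check for that: if c:\ShowMe.log shows the auth string where the program path should be, %WEIGHT% was not expanded.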
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Hello Darin, Wednesday, June 7, 2006, 5:05:28 PM, you wrote: snip/ Uh, but the D file contains mime segments corresponding to attachments. That's ok. SNF looks inside those, and w/ the FP scanning software inside the rfc822 attachment also. It's not perfect, but the majority of the time it does pick out the rules that match and having the original helps us put those into context. The license id, if included at all, should be in the subject line of the submission message. Good. Subject line is easier and more reliable to parse out. Not that it's needed per the original question. :-) -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?
Hello Darin, Wednesday, June 7, 2006, 5:09:27 PM, you wrote: snip/ That would be a bad idea, sorry. After 30 days (heck, after 2) spam is usually long-since filtered, or dead. As a result, looking at 30 day old spam would have a cost, but little benefit. You misinterpreted what I was saying. I was not at all suggesting sending old spam. What I was talking about was copying spam@ with spam that does not fail sniffer _as it comes in_, or _during same day/next day reviews_ Sorry, I did misinterpret then. _as it comes in_ is good, provided the weights are high enough to prevent a lot of FPs. We're all trained pretty well on how to skip those - but the more we see, the more likely we are to slip up ;-) What we do use from time to time are virtual spamtraps. In a virtual spamtrap scenario, you can submit spam that reached a very high (very low false positive) score but did not fail SNF. Generally this is done by copying the message to a pop3 account that can be polled by our bots. That is exactly what I was suggesting. We'll put it on our list to write a filter to do so when time permits. Just trying to help. Thanks very much! _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
(sniff) Aw, cut it out, Matt. You're making me all weepy. p.s. Pete, that's pretty darned amazing! From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 07, 2006 3:58 PM To: Message Sniffer Community Subject: Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions Pete, I think that you just broke Scott's record with his two hour feature request with your own two hour program :) Anyone remember those days??? Thanks, Matt
Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Awesome. Great job, Pete.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 6:49 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:

Pete, Since the %WEIGHT% variable is added by Declude, it might make sense to have a qualifier instead of making the values space delimited.

I don't want to mix delimiters... everything so far is using spaces, so it makes sense to continue that way IMO.

Errors in Declude could cause values to not be inserted, and not everyone will want to skip at a low weight. I haven't seen any bugs with %WEIGHT% since shortly after it was introduced, but you never know. I have seen some issues with other Declude inserted variables though.

Well, errors are always a possibility, but in this case it _should_ be reasonably safe. For example, if this is used to gate SNF, then a missing %WEIGHT% would result in trying to launch a program with the same name as the authentication string, and it is highly unlikely that would be found, so the result would be the program not found error code. That's not perfect because it's a nonzero result, but it is safe in that it is not likely to launch another program.

One other thing that I came across with the way that Declude calls external apps... you can't delimit the data with things like quotes. There is no mechanism for escaping a functional quote from a quote that should appear in the data that you pass to it... so don't use quotes as delimiters :)

Not a problem... I just whipped together a utility called WeightGate.exe that can be downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your weight was already ridiculously low (perhaps white listed) or already so high that you want to save the extra cycles. Then you might do something like this:

    SNF external nonzero c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of WeightGate.exe called ShowMe.exe (case matters!) and then do something like this:

    SNF external nonzero c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0

The result of that would be the creation of a file c:\ShowMe.log that contained all of the parameters ShowMe.exe was called with -- that way you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will tell you all about itself and its alter ego ShowMe.exe. That description goes like this (I may fix the typo(s) later):

WeightGate.exe (C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind. You are welcome to use this program on your own systems or those that you directly support. Please do not redistribute this program except as noted above, however feel free to recommend this program to others if you wish and direct them to our web site where they can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of external test programs from within Declude (www.declude.com) based on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then it will emit all of the command line arguments as it sees them to a file called c:\ShowMe.log so that you can use it as a debugging aid.

If you are seeing this message, you have used this program incorrectly. The correct invocation for this program is:

    WeightGate low weight hight program arg 1, arg 2,... arg n

Where:

    low = a number representing the lowest weight to run progra.
    weight = a number representing the actual weight to evaluate.
    high = a number representing the highest weight to run program.
    program = the program to be activated if weight is in range.
    arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run program and pass all of arg 1, arg 2,... arg n to it. Then WeightGate will collect the exit code of program and return it as WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high) then WeightGate will NOT launch program and will return FAIL_SAFE (zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:

    arg[0] me = WeightGate

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

# This message is sent to you because you are subscribed
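The gate described above, as an added example rather than Pete's WeightGate.exe: the same low/weight/high/program contract in Python, so the fail-safe paths (wrong argument count, out-of-range weight, a %WEIGHT% that Declude never substituted) can be exercised without a Declude install. Strict numeric validation of the three leading fields, and the exit code 127 for a program that cannot be launched, are assumptions of this example, not behaviour stated on the list.

```python
"""Added example (not Pete's WeightGate.exe): the gating logic WeightGate
is described as implementing, written in Python so the fail-safe cases can
be checked directly.

Assumptions of this example, not from the list: the three numeric fields are
validated strictly, so a shifted command line caused by a missing %WEIGHT%
(a path landing in the 'high' slot) is treated as malformed and nothing is
launched; a program that cannot be launched yields exit code 127.
"""
import subprocess
import sys

FAIL_SAFE = 0        # WeightGate's documented "do nothing" exit code
LAUNCH_FAILED = 127  # assumed code for a target that cannot be launched


def parse_gate_args(argv):
    """Parse 'low weight high program [arg ...]'.

    Returns (low, weight, high, program, args), or None when the command
    line is malformed: too few fields, or a non-numeric low/weight/high.
    """
    if len(argv) < 4:
        return None
    try:
        low, weight, high = (int(field) for field in argv[:3])
    except ValueError:
        # e.g. "-50 30 c:\SNF\sniffer.exe authx 10 0" after %WEIGHT% was not
        # substituted: the sniffer path lands in the 'high' slot.
        return None
    return low, weight, high, argv[3], list(argv[4:])


def gate_decision(argv):
    """Decide without launching anything.

    Returns (launch, program, args, exit_code) where exit_code is what the
    gate itself returns when launch is False (always FAIL_SAFE), and None
    when the gated program's own exit code would be relayed instead.
    """
    parsed = parse_gate_args(argv)
    if parsed is None:
        return (False, None, [], FAIL_SAFE)
    low, weight, high, program, args = parsed
    if low <= weight <= high:  # inclusive range [low, high]
        return (True, program, args, None)
    return (False, program, args, FAIL_SAFE)


def showme_log_line(argv):
    """Format the argument dump that the ShowMe.exe alter ego would write
    to its log file (one 'arg[i] = value' line per argument)."""
    return "\n".join(f"arg[{i}] = {value}" for i, value in enumerate(argv))


def run_gate(argv):
    """Full behaviour: launch the gated program when the weight is in range
    and relay its exit code; otherwise return FAIL_SAFE without launching."""
    launch, program, args, code = gate_decision(argv)
    if not launch:
        return code
    try:
        return subprocess.run([program, *args], check=False).returncode
    except OSError:  # not found, not executable, or spawning refused
        return LAUNCH_FAILED


if __name__ == "__main__":
    sys.exit(run_gate(sys.argv[1:]))
```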
Re: [sniffer]Re[2]: [sniffer]FP suggestions
Unfortunately, by the time the message gets to us it is sometimes just different enough that the original pattern cannot be found. There are some folks who consistently have success, and some who occasionally have problems, and a few who always have a problem.

Different in what way? Is the mail client encoding differently in the forwarding process? If so, do you know what clients are altering the messages and how? If there's one that's better for this, we could always use it for forwarding since we currently send it to ourselves first, then forward. If we rewrite the Q file and queue directly from IMail, encoding shouldn't change, correct? If that avoids this issue, we could do that instead.

The best solution is to include the headers during the scan since they will travel with the message.

What do you mean? The XHDR? We would love that for several more reasons, but Declude is not the same company anymore.

The next best is to automate matching the log entries with the message so they can be included with the submission (some do this to prevent the second trip).

Yeah, we'd have to automate it. I can't imagine taking the time to manually match for each occurrence of no rule found. Another item for the automation list.
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Hello Darin,

Wednesday, June 7, 2006, 7:26:48 PM, you wrote:

Unfortunately, by the time the message gets to us it is sometimes just different enough that the original pattern cannot be found. There are some folks who consistently have success, and some who occasionally have problems, and a few who always have a problem.

Different in what way? Is the mail client encoding differently in the forwarding process? If so, do you know what clients are altering the messages and how? If there's one that's better for this, we could always use it for forwarding since we currently send it to ourselves first, then forward.

It is unclear - we receive FPs that have traveled through all sorts of clients, quarantine systems, changed hands various numbers of times, or not (to all of those)... Right now I don't want to make that research project a high priority.

If we rewrite the Q file and queue directly from IMail, encoding shouldn't change, correct? If that avoids this issue, we could do that instead.

That's true, it wouldn't change, but submitting the message directly would not be correct - the dialogue is with you, and in any case, additional trips through the mail server also modify parts of the header and sometimes parts of the message (tag lines, disclaimers, etc)...

The best solution is to include the headers during the scan since they will travel with the message.

What do you mean? The XHDR? We would love that for several more reasons, but Declude is not the same company anymore.

At some point perhaps they will include the SNF engine in DLL form and all of these issues will become simpler. For now there's no definitive answer on that possibility so we will have to find other solutions. I don't like the idea of rewriting the message file more often than absolutely necessary, but that is a feature that is on the todo list and so it may make it into the next heavy update (work in progress).

The next best is to automate matching the log entries with the message so they can be included with the submission (some do this to prevent the second trip).

Yeah, we'd have to automate it. I can't imagine taking the time to manually match for each occurrence of no rule found. Another item for the automation list.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?
Hello Peer-to-Peer,

That's a good point. Any kind, perhaps by category. I was originally thinking of just RBLs of various types.

Thanks,

_M

Tuesday, June 6, 2006, 9:46:01 AM, you wrote:

Hi _M, Do you mean like reverse PTR records, or HELO lookups, etc..?

--Paul R.

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Tuesday, June 06, 2006 9:26 AM
To: Message Sniffer Community
Subject: [sniffer]A design question - how many DNS based tests?

Hello Sniffer Folks,

I have a design question for you... How many DNS based tests do you use in your filter system? How many of them really matter?

Thanks!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Nick,

What is your false positive rate with that pattern?

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

Hi Markus -

Markus Gufler wrote: There is also another type of spam (stock spam now with attached png image) this morning passing our filters.

I am catching these fairly easily - a combo filter -

    #combo-stockspammer-png.txt
    SKIPIFWEIGHT 26
    TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
    BODY 5 CONTAINS Content-Type: image/png;

    # The body regex is this:
    src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Jonathan,

I urge caution from experience... png images are not entirely rare, and the cid: tag format in the regex is also common. I'd love to be wrong - but I recall false positives with similar attempts in the past.

Is there more to this than the two elements I just described - something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

Nick, very good method. I have added that to my configuration as well now.

- Original Message -
From: Nick Hayer [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:05 AM
Subject: Re: [sniffer]Numeric spam topic change to png stock spam

Hi Markus -

Markus Gufler wrote: There is also another type of spam (stock spam now with attached png image) this morning passing our filters.

I am catching these fairly easily - a combo filter -

    #combo-stockspammer-png.txt
    SKIPIFWEIGHT 26
    TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
    BODY 5 CONTAINS Content-Type: image/png;

    # The body regex is this:
    src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Pete McNeil wrote:

Hello Nick, What is your false positive rate with that pattern?

Hmm, let's go to the MDLP for yesterday :)

                       SS   HH   HS   SH   SA        SQ
    REGEX.STOCK.BODY  331    0    0   66   0.667506  0.445565
    COMBO.STOCK_PNG    16    0    0    1   0.882353  0.778547

The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]

The png combo I just did it last night when I first saw the spam. So far I have not seen any fp. [ I combo it (the regex) with other tests as well - which makes it much more reliable.]

-Nick

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

Hi Markus -

Markus Gufler wrote: There is also another type of spam (stock spam now with attached png image) this morning passing our filters.

I am catching these fairly easily - a combo filter -

    #combo-stockspammer-png.txt
    SKIPIFWEIGHT 26
    TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
    BODY 5 CONTAINS Content-Type: image/png;

    # The body regex is this:
    src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Nick,

Thanks. That's all good then :-)

_M

Tuesday, June 6, 2006, 10:46:55 AM, you wrote:

Pete McNeil wrote:

Hello Nick, What is your false positive rate with that pattern?

Hmm, let's go to the MDLP for yesterday :)

                       SS   HH   HS   SH   SA        SQ
    REGEX.STOCK.BODY  331    0    0   66   0.667506  0.445565
    COMBO.STOCK_PNG    16    0    0    1   0.882353  0.778547

The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]

The png combo I just did it last night when I first saw the spam. So far I have not seen any fp. [ I combo it (the regex) with other tests as well - which makes it much more reliable.]

-Nick

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

Hi Markus -

Markus Gufler wrote: There is also another type of spam (stock spam now with attached png image) this morning passing our filters.

I am catching these fairly easily - a combo filter -

    #combo-stockspammer-png.txt
    SKIPIFWEIGHT 26
    TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
    BODY 5 CONTAINS Content-Type: image/png;

    # The body regex is this:
    src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
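Nick's combo filter and Pete's false-positive concern, worked as an added example (not Nick's filter file or anything shipped with Declude): the posted regex and the PNG Content-Type test evaluated in Python over three constructed message bodies, showing that the regex alone fires on a regex-shaped cid: reference in a non-PNG message while the combo does not. The three sample bodies, and reading SKIPIFWEIGHT 26 as "skip at or above 26", are assumptions of this example.

```python
"""Added example: Nick's combo-stockspammer-png filter evaluated in Python.

Only the regex, the test name and the Content-Type string come from the list;
the sample bodies below are constructed for this example.
"""
import re

# Nick's body regex as posted (the "\$" is a literal dollar sign).
STOCK_CID_RE = re.compile(r"src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@")
PNG_MARKER = "Content-Type: image/png;"
REGEX_TEST = "EXTERNAL.REGEX.STOCKSPAMMER.BODY"
SKIP_IF_WEIGHT = 26  # SKIPIFWEIGHT 26
COMBO_WEIGHT = 5     # BODY 5 CONTAINS ...

# Constructed sample 1: the stock spam shape, a 12$8$8 cid: plus a PNG part.
SPAM_BODY = (
    "Content-Type: text/html;\r\n\r\n"
    "<img src=cid:a1b2c3d4e5f6$0a1b2c3d$4e5f6a7b@mailer> Hot stock alert!\r\n"
    "--boundary\r\nContent-Type: image/png; name=\"stock.png\"\r\n"
)
# Constructed sample 2: an ordinary inline PNG; the cid: format differs.
HAM_PNG_BODY = (
    "Content-Type: text/html;\r\n\r\n"
    "<img src=cid:image001.png@01C68A2F.5D3E1F20> Here is the chart.\r\n"
    "--boundary\r\nContent-Type: image/png; name=\"image001.png\"\r\n"
)
# Constructed sample 3: regex-shaped cid: but a GIF, Pete's worry about the
# regex on its own.
HAM_REGEX_ONLY_BODY = (
    "<img src=cid:9f8e7d6c5b4a$12345678$abcdef01@relay> Weekly newsletter\r\n"
    "--boundary\r\nContent-Type: image/gif; name=\"logo.gif\"\r\n"
)


def regex_hit(body):
    """Would EXTERNAL.REGEX.STOCKSPAMMER.BODY fire on this body?"""
    return STOCK_CID_RE.search(body) is not None


def png_hit(body):
    """Would 'BODY 5 CONTAINS Content-Type: image/png;' match?"""
    return PNG_MARKER in body


def combo_hit(body):
    """Nick's combo: the regex test fired AND a PNG part is present."""
    return regex_hit(body) and png_hit(body)


def combo_filter_weight(body, tests_failed, current_weight):
    """Weight the combo filter adds, following the posted lines in order:
    SKIPIFWEIGHT 26 -> nothing once the message is already at 26 (assumed
    inclusive); TESTSFAILED END NOTCONTAINS <regex test> -> stop unless the
    regex test is among the failed tests; BODY 5 CONTAINS <png> -> add 5."""
    if current_weight >= SKIP_IF_WEIGHT:
        return 0
    if REGEX_TEST not in tests_failed:
        return 0
    return COMBO_WEIGHT if png_hit(body) else 0


def tally(bodies):
    """(regex-only hits, combo hits) over a batch of bodies."""
    regex_hits = sum(1 for b in bodies if regex_hit(b))
    combo_hits = sum(1 for b in bodies if combo_hit(b))
    return regex_hits, combo_hits


if __name__ == "__main__":
    print(tally([SPAM_BODY, HAM_PNG_BODY, HAM_REGEX_ONLY_BODY]))  # (2, 1)
```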
[sniffer]Re[2]: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through
Hello Andrew,

Tuesday, June 6, 2006, 11:44:46 AM, you wrote:

David, Are you using the free version of sniffer? Or did you deliberately change your .exe name in your posting to sniffer.exe to hide your licence number? I certainly expect that the rulebase lag with the free version will result in lower Message Sniffer hit rates.

Actually, since we've been offering production ready 30 day trials, what once was the free version (as you put it) has been reduced to a technology demonstrator. It is only useful for proving your system configuration and barely catches spam at all ;-)

I believe the sniffer.snf rulebase has not been maintained in some time. I've seen the free version with hit rates as low as 10% on the remaining messages that have been already filtered by a gateway, which I thought was still decent because these were the messages that had already evaded the blacklist tests. And free is good. On the same system, I noted that this made Sniffer about half as effective as fresh SURBL/URIBL testing, but I had no way to compare their overlap.

Interesting.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Because a small amount of weight is added, it is still sufficient for tilting the scales on more occurrences than other image types.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

Hello Jonathan,

I urge caution from experience... png images are not entirely rare, and the cid: tag format in the regex is also common. I'd love to be wrong - but I recall false positives with similar attempts in the past.

Is there more to this than the two elements I just described - something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

Nick, very good method. I have added that to my configuration as well now.

- Original Message -
From: Nick Hayer [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:05 AM
Subject: Re: [sniffer]Numeric spam topic change to png stock spam

Hi Markus -

Markus Gufler wrote: There is also another type of spam (stock spam now with attached png image) this morning passing our filters.

I am catching these fairly easily - a combo filter -

    #combo-stockspammer-png.txt
    SKIPIFWEIGHT 26
    TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
    BODY 5 CONTAINS Content-Type: image/png;

    # The body regex is this:
    src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?
Hello Matt,

Tuesday, June 6, 2006, 12:37:56 PM, you wrote:

[snip] appropriately and tend to hit less often, but the FP issues with Sniffer have grown due to cross checking automated rules with other lists that I use, causing two hits on a single piece of data. For instance, if SURBL has an FP on a domain, it is possible that Sniffer will pick that up too based on an automated cross reference, and it doesn't take but one additional minor test to push something into Hold on my system.

Please note. It has been quite some time now that the cross-reference style rule-bots have been removed from our system. In fact, at the present time we have no automated systems that add new domain rules.

Another observation I might point out is that many RBLs will register a hit on the same IP - weighting systems using RBLs actually depend on this. An IP rule hit in SNF should be treated similarly to other RBL type tests. This is one of the reasons that we code IP rules to group 63 - so that they are trumped by a rule hit in any other group and therefore are easily isolated from the other rules.

[snip] handling false positive reports with Sniffer is cumbersome for both me and Sniffer.

The current process has a number of important goals:

* Capture as much information as possible about any false positive so that we can improve our rule coding processes.
* Preserve the relationship with the customer and ensure that each case reaches a well-informed conclusion with the customer's full knowledge.
* Protect the integrity of the rulebase.

This link provides a good description of our false positive handling process:

http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives

Can you recommend an alternate process, or changes to the existing process that would be an improvement and would continue to achieve these goals? We are always looking for ways to improve. I would hope that any changes seek to increase accuracy above all else.

Sniffer does a very good job of keeping up with spam, and its main issues with leakage are caused by not being real-time, but that's ok with me. At the same time Sniffer is the test most often a part of false positives, being a contributing factor in about half of them.

Log data shows that SNF tags on average more than 74% of all email traffic and a significantly higher percentage of spam typically. It would seem that it is likely that SNF would also represent highly in the percentage of false positives (relative to other tests with lower capture rates) for any given system since it is represented highly in email traffic as a whole. You've also indicated that you weight SNF differently than your other tests - presumably giving it more weight (this is frequently the case on many systems). How much do you feel these factors contribute to your findings?

About 3/4 of all FP's (things that are blocked by my system) are some form of automated or bulk E-mail. That's not to say that other tests are more accurate; they are just scored more appropriately and tend to hit less often, but the FP issues with Sniffer have grown due to cross checking automated rules with other lists that I use, causing two hits on a single piece of data,

W/regard to causing two hits on a single piece of data: SNF employs a wide variety of techniques to classify messages so it is likely that a match in SNF will coincide with a match in some other tests. In fact, as I pointed out earlier, filtering systems that apply weights to tests depend on this very fact to some extent.

What makes weighting systems powerful is that when more than one test does trigger on a piece of data, such as an IP or URI fragment, that the events leading up to that match were distinct for each of the matching tests. This is the critical component to reducing errors through a voting process.

Test A uses process A to reach conclusion Z. Test B uses process B to reach conclusion Z. Process A is different from process B and so the inherent errors in process A are different than the errors in process B and so we presume it is unlikely that an error in Test A will occur under the same conditions as the errors in Test B.

If a valid test result is the signal we want, and an erroneous test result is noise on top of that signal then it follows: By combining the results of Test A and Test B we have the opportunity to increase the signal to noise ratio to the extent our assumptions about errors are true. In fact, if no error occurs in both A and B under the same circumstances, then defining a new test C as (A+B/2) will produce a signal that is twice as clear as test A or B on its own.

If I follow what you have said about false positives and SNF matching other tests, then you are describing a situation where the process for SNF and the alternate tests are the same - or put another way, that SNF somehow represents a copy of the other test and so will also contain the same errors. If that's the case then the
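Pete's independent-errors argument made concrete, as an added example that is not from the thread: a small model of two tests A and B whose false positives on legitimate mail are either independent or partly shared (B reproducing A's verdict, Pete's "copy of the other test" case), and the resulting false-positive rate of a Declude-style hold threshold over their summed weight. The model, its `shared` parameter and the sample rates and weights are assumptions of this example.

```python
"""Added example: how much a second test helps depends on whether its errors
are independent of the first test's (Pete's 'process A vs process B' point).

Model (an assumption of this example, not from the list): on a legitimate
message, test A fires wrongly with probability p_a. With probability
`shared`, test B simply reproduces A's verdict; otherwise B errs
independently with probability p_b. shared=0 is Pete's ideal of distinct
processes; shared=1 is one test being a copy of the other.
"""


def both_fire_rate(p_a, p_b, shared):
    """Probability that A and B both fire on a legitimate message."""
    return shared * p_a + (1.0 - shared) * p_a * p_b


def outcome_distribution(p_a, p_b, shared):
    """Probabilities of the four fire/no-fire outcomes on legitimate mail.

    Returns a dict keyed by (a_fired, b_fired); the four entries sum to 1.
    """
    p_both = both_fire_rate(p_a, p_b, shared)
    p_b_marginal = shared * p_a + (1.0 - shared) * p_b
    p_a_only = p_a - p_both
    p_b_only = p_b_marginal - p_both
    return {
        (True, True): p_both,
        (True, False): p_a_only,
        (False, True): p_b_only,
        (False, False): 1.0 - p_both - p_a_only - p_b_only,
    }


def hold_false_positive_rate(p_a, p_b, shared, w_a, w_b, hold):
    """False-positive rate of a weighting system that holds a message when
    the summed weight of the tests that fired reaches `hold`."""
    total = 0.0
    for (a_fired, b_fired), prob in outcome_distribution(p_a, p_b, shared).items():
        weight = (w_a if a_fired else 0) + (w_b if b_fired else 0)
        if weight >= hold:
            total += prob
    return total


def independence_gain(p_a, p_b, shared):
    """How many times rarer a both-tests-agree false positive is than a
    test-A-alone false positive; 1.0 means the second test adds nothing."""
    return p_a / both_fire_rate(p_a, p_b, shared)


if __name__ == "__main__":
    # Two tests at 2% false-positive rate, 10 points each, hold at 20.
    for shared in (0.0, 0.5, 1.0):
        fp = hold_false_positive_rate(0.02, 0.02, shared, 10, 10, 20)
        gain = independence_gain(0.02, 0.02, shared)
        print(f"shared={shared:.1f}: hold FP rate={fp:.6f}, gain={gain:.1f}x")
```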
[sniffer]Re[2]: [sniffer]Ebay Phishing Emails getting through
Hello Andrew,

Wednesday, May 17, 2006, 5:35:36 PM, you wrote:

Certainly, submitting samples to spam@ (or preferably your local spam submission point polled by our bots) will put these messages in front of us if we have not already created rules for them.

I've just manually submitted the ~35 messages that my filters triggered on for phishing that didn't trigger Message Sniffer today but ended up in my HOLD folder anyway due to their total spamminess. Most of them are against eBay and came from Germany.

If your overall false positive rate is low enough then it would be great if you could automate that process to create a synthetic spamtrap. Somehow, take the most spammy of the messages that get past SNF and send them to a special account on your system from which our robots could pull the messages. Since we code rules 24x7x365 we would be able to respond to these quickly and (from your perspective) automatically.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]Ebay Phishing Emails getting through
Hello Daniel,

Wednesday, May 17, 2006, 3:07:38 PM, you wrote:

I've gotten one myself. The pharmacy ones, are still coming through too for that matter.

Here is what the latest wave has looked like from here (attached image).

You can see, starting about 24 hours ago a jagged, but fairly regular climbing series of spikes. Each is a new wave of variants on the current campaigns. Most notably, the medications drug spam, chatty drugs, Russian porn, phishing (especially localized versions), and stuff-for-free* surveys. Of course a variety of the usual players is well mixed in.

During the previous 24 hours things were _relatively_ quiet.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

[Attachment: getchart.jsp.png (PNG image)]
Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....
On Friday, May 5, 2006, 11:02:00 AM, Darin wrote:

DC Not just drugs, but some others too have been slipping through the past
DC couple of days. We've reported a little under 40 in the past couple of
DC days.

We saw a bit of a lull, then a rash of new campaigns bunched together with some new obfuscation techniques. We're getting a handle on it now. Looks like the burst started about 30 hours ago and is tailing off now.

Attached image - new arrival rates last 2 days.

[Attachment: getchart.jsp.png (PNG image)]
Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....
We've had that rule before and had to pull it for false positives.

_M

On Friday, May 5, 2006, 11:41:50 AM, John wrote:

JTL FYI, I created a Declude Filter:
JTL
JTL     Subject END NOTCONTAINS news
JTL     BODY 25 CONTAINS http://geocities.com/
JTL
JTL Been catching every one like that.
JTL
JTL John T
JTL eServices For You
JTL Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bayerdorffer
Sent: Friday, May 05, 2006 7:38 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer

Here too.

--
Daniel Bayerdorffer [EMAIL PROTECTED]
Numberall Stamp Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541 FAX 207-876-3566
www.numberall.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Friday, May 05, 2006 10:34 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Lot of Drugs Spam getting through sniffer

The last few days tons of Drugs spam is coming in and sniffer is catching none of it.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....
Well, I am at the point that I could care less about geocities false positives. If GeoCities is going to allow this much spam junk then I could care less about allowing them.

John T
eServices For You
Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, May 05, 2006 9:09 AM
To: John T (Lists)
Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer

We've had that rule before and had to pull it for false positives.

_M

On Friday, May 5, 2006, 11:41:50 AM, John wrote:

JTL FYI, I created a Declude Filter:
JTL
JTL     Subject END NOTCONTAINS news
JTL     BODY 25 CONTAINS http://geocities.com/
JTL
JTL Been catching every one like that.
JTL
JTL John T
JTL eServices For You
JTL Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bayerdorffer
Sent: Friday, May 05, 2006 7:38 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer

Here too.

--
Daniel Bayerdorffer [EMAIL PROTECTED]
Numberall Stamp Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541 FAX 207-876-3566
www.numberall.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Friday, May 05, 2006 10:34 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Lot of Drugs Spam getting through sniffer

The last few days tons of Drugs spam is coming in and sniffer is catching none of it.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re[2]: [sniffer] Message loop
Yes, I'm sorry. I'm still working on that with the back-end server guys over there. I am getting your messages though. Please ignore the jsmith bounces for now. I will keep on them.

Thanks!

_M

On Thursday, April 20, 2006, 12:11:25 PM, Scott wrote:

SF Still happening when I reply to false positive messages from you:
SF
SF Failed to deliver to '[EMAIL PROTECTED]'
SF mail loop: too many hops (too many 'Received:' header fields)
SF
SF - Original Message -
SF From: Pete McNeil [EMAIL PROTECTED]
SF To: Matt sniffer@SortMonster.com
SF Sent: Wednesday, April 19, 2006 7:03 PM
SF Subject: Re: [sniffer] Message loop

On Wednesday, April 19, 2006, 7:20:01 PM, Matt wrote:

M Pete,
M
M I tried replying to some FP reports and I received back some loop reports from your gateway:
M
M Failed to deliver to '[EMAIL PROTECTED]'
M mail loop: too many hops (too many 'Received:' header fields)

I'm aware of the problem. It's actually a problem on our partners' servers. They are making a transition and the destination server is unhappy about the number of hops required to get there through our forwarding chain. I believe they have adjusted these settings this afternoon to compensate.

Thanks!

_M
Re[2]: [sniffer] False positive processing
On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote:

DC Nope. None of them.
DC I haven't heard back from the replies to a couple of false positives on the
DC 10th, and we haven't heard anything from our submissions on the 16th (6) and
DC 17th (2). I don't remember if we've heard anything from those on the 15th
DC (4).

Right now I'm preparing to process FPs. I have a total of 24. 15 from you. I don't show any others pending. When I'm done I'll go back and look at the 10th, 16th, and 17th to see if I received and responded.

_M
Re[2]: [sniffer] New Web Site!
On Friday, March 17, 2006, 11:53:58 AM, John wrote:

JTL> What is the purpose of using a WIKI site?

A few things really -

* It's fast and easy to create, update, and correct the content. Things happen quickly here and in the messaging security business in general. It makes sense to use tools that can adapt just as quickly and with as little friction as possible.

* Some of our user community contribute software and technical knowledge on a regular basis. A wiki makes that process easier. This is particularly useful where SNF overlaps with other software - the folks who use, develop, or maintain that software can now participate openly in developing documentation for that work.

* We've always maintained a collaborative relationship with our customers and this helps to enforce that point.

* One of the things we've always encouraged is the sharing of information related to, but not necessarily about SNF. For example, it is not uncommon for a discussion about integrating SMF with a mail server to branch off into a wide range of loosely related topics from DNS, to server and network performance, to handy tools and tricks. We have a lot of experts in our community. Quite often, difficult to find solutions lurk in the context of the discussions on and off our list. Now those solutions can be captured here in the natural context in which they came up so that they will be easy to find.

-- Consider this approach part of fostering a strong user community and providing a resource that goes beyond our own products and services. At the end of the day we are working shoulder to shoulder with the developers, managers, administrators, and users of all kinds of systems. We want this wiki to be a valuable resource for anybody who uses SNF, and lots of folks who don't (yet).

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] New RuleBot F002 Online
Hi Pete,

Don't worry about customizing our local rulebase for this. Just take this as a simple suggestion for future segregation to make it easy for new rulesets to be addressed differently in weighting schemes.

Thanks for all of your efforts!

Darin.

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Monday, March 13, 2006 10:23 AM
Subject: Re[2]: [sniffer] New RuleBot F002 Online

On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:

DC> Totally agree. I'd like to see some separation between rules created by
DC> newer rulebots and preexisting rules. That way if there becomes an issue
DC> with a bot, we can turn off one group quickly and easily.

There is no way to do this without completely reorganizing the result codes or defeating the competitive ranking mechanisms.

If you feel strongly about it I can move these rule groups to lower numbers on your local rulebase or make some other numbering scheme - but I don't recommend it. Moving these rule groups to lower numbers would cause them to win competitions with other rules where they would normally not win.

At some point in the future we might renumber the rule groups again, but I like to avoid this since there are so many folks that just don't get the message (no matter what we do to publish it) when we make changes like this and so any large scale changes tend to cause confusion for very long periods. For example: I still, on occasion, have questions about the gray-hosting group which has not existed for quite a long time.

So far there has not been one FP reported on bot F002 and extremely few on F001 - the vast majority of those associated with the very first group of listings prior to the last two upgrades for the bot.

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] F001 Rule Bot Change
On Thursday, March 9, 2006, 8:48:43 AM, Nick wrote:

NH> Hi Pete -

NH> Pete McNeil wrote:
NH> Hello Sniffer Folks, The F001 Rule Bot has been adjusted.

NH> Is it possible for you to recommend a percentage of accuracy or maybe
NH> better stated a percentage of delete weight for each rule? I am
NH> wondering which rules you feel are the weakest and which are the
NH> strongest. I am well aware 'mileage may vary' but just your thoughts on
NH> reliability would be insightful. Currently the rules I trust the most
NH> are at 90% of my hold weight which overall is less than 50% of my delete
NH> weight. Rules that I trust the least like general and experimental are
NH> at ~ 40% of my hold weight.

It's a bit too early to know about the reliability of F001. So far the number of false positives has fallen quite sharply and continues to fall from what I can see. In addition, the new constraints on F001 will cause it to be much more reliable still (w/ regard to FPs).

I would say that the most conservative weight for symbol 63 would be to weight it at the same weight as your average IP based blacklist. A more moderate position might have the lowest rated SNF tests at about 70% of your hold weight (this seems to be fairly common).

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] New Rulebot F001
I also have got a lot of false positives with code 063 which are HOLD now. I know it's not very nice to set email on HOLD when failing sniffer but I've got a major problem with spam and until a few days ago this was going well, at least a few false positives in a week.

03/07/2006 20:12:44.628 qdb2402d03b56.smd Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.

l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31 Match 672578 63 142 176 65
l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31 Final 672578 63 0 281965

Could this please stop, sniffer was pretty reliable for us, but not at the moment.

Regards,

Marcel Sangers
Traction IT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday 7 March 2006 0:18
To: Darin Cox
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives.
DC> Not sure if these are due to the new rulebot, but it's more than
DC> we've had for the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
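Marcel's two log lines show the raw material an administrator has when a rule symbol suddenly starts holding mail: a Declude line naming the queue file, the SNF result symbol and the action, and SNF's own lines naming the rule id that matched. The script below is an added example, not code from the list or from the Message Sniffer or Declude projects. It parses constructed lines modelled on the quoted ones, counts actions per symbol so a run of HOLDs on one symbol stands out, and joins the two logs by queue-file name so the matched rule ids can go straight into a false-positive report. Two things are assumptions: that the token after Match/Final in the SNF line is the rule id and the next one the result symbol, and that Declude's q...smd and SNF's D...smd names refer to the same message and differ only in their first character.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the Declude log line quoted in the message above
# (queue-file names, times and actions are made up).
DECLUDE_LOG = """\
03/07/2006 20:12:44.628 qdb2402d03b56.smd Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
03/07/2006 20:13:01.105 qdb2402d03b57.smd Msg failed SNIFFER (Message failed SNIFFER: 60.). Action=HOLD.
03/07/2006 20:13:22.890 qdb2402d03b58.smd Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
03/07/2006 20:14:05.311 qdb2402d03b59.smd Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=DELETE.
03/07/2006 20:14:40.002 qdb2402d03b5a.smd Msg failed SNIFFER (Message failed SNIFFER: 61.). Action=WARN.
"""

# Constructed sample lines modelled on the two SNF log lines quoted above.
# Rule ids other than 672578 are made up.
SNF_LOG = """\
l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31 Match 672578 63 142 176 65
l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31 Final 672578 63 0 281965
l6l0ow6m20060307191301 Ddb2402d03b57.smd 28 28 Match 100001 60 90 120 40
l6l0ow6m20060307191301 Ddb2402d03b57.smd 28 28 Final 100001 60 0 250112
l6l0ow6m20060307191322 Ddb2402d03b58.smd 33 33 Match 100002 63 10 44 21
l6l0ow6m20060307191322 Ddb2402d03b58.smd 33 33 Final 100002 63 0 260900
l6l0ow6m20060307191405 Ddb2402d03b59.smd 30 30 Match 100003 63 5 30 18
l6l0ow6m20060307191405 Ddb2402d03b59.smd 30 30 Final 100003 63 0 270001
"""

DECLUDE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<qfile>\S+) "
    r"Msg failed SNIFFER \(Message failed SNIFFER: (?P<symbol>\d+)\.\)\. "
    r"Action=(?P<action>[A-Z]+)\.$"
)

# Assumption about the SNF line layout: the token after Match/Final is the rule id,
# the next one the result symbol (63 in the quoted line). Trailing numbers are ignored.
SNF_RE = re.compile(
    r"^(?P<id>\S+) (?P<file>\S+) \d+ \d+ (?P<kind>Match|Final) (?P<rule>\d+) (?P<symbol>\d+)"
)


def parse_declude(line):
    """Return a dict for a Declude SNIFFER result line, or None for anything else."""
    m = DECLUDE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["symbol"] = int(rec["symbol"])
    return rec


def parse_snf(line):
    """Return a dict for an SNF Match/Final line, or None for anything else."""
    m = SNF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["symbol"] = int(rec["symbol"])
    return rec


def message_key(filename):
    # Assumption: Declude's q...smd and SNF's D...smd name the same spool file and
    # differ only in the first character, so the remainder is the join key.
    return filename[1:]


def rules_by_message(snf_text):
    """Map each message key to the set of rule ids SNF reported as Match for it."""
    rules = defaultdict(set)
    for line in snf_text.splitlines():
        rec = parse_snf(line)
        if rec and rec["kind"] == "Match":
            rules[message_key(rec["file"])].add(rec["rule"])
    return rules


def action_counts(declude_text):
    """Per result symbol, how many messages got each Declude action."""
    counts = defaultdict(Counter)
    for line in declude_text.splitlines():
        rec = parse_declude(line)
        if rec:
            counts[rec["symbol"]][rec["action"]] += 1
    return counts


def symbols_over_hold_threshold(declude_text, threshold):
    """Symbols whose HOLD count reached the threshold: the spike Marcel describes."""
    return sorted(s for s, c in action_counts(declude_text).items() if c["HOLD"] >= threshold)


def held_messages_for_symbol(declude_text, snf_text, symbol):
    """(queue file, sorted rule ids) for every message HELD on `symbol`: the list
    an administrator needs when filing a false-positive report."""
    rules = rules_by_message(snf_text)
    out = []
    for line in declude_text.splitlines():
        rec = parse_declude(line)
        if rec and rec["symbol"] == symbol and rec["action"] == "HOLD":
            out.append((rec["qfile"], sorted(rules.get(message_key(rec["qfile"]), ()))))
    return out


if __name__ == "__main__":
    for sym in symbols_over_hold_threshold(DECLUDE_LOG, 2):
        print("symbol %d held %d messages:" % (sym, action_counts(DECLUDE_LOG)[sym]["HOLD"]))
        for qfile, rule_ids in held_messages_for_symbol(DECLUDE_LOG, SNF_LOG, sym):
            print("  %s rules=%s" % (qfile, rule_ids))
```

Run against a day's logs, the hold threshold is the knob: a symbol that normally holds a handful of messages and suddenly holds dozens is the one to review first, and the rule ids beside each queue file are what the rulebase maintainer asked Darin for in this thread.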
RE: Re[2]: [sniffer] declude tests
Thanks so much Pete

I got it all sorted out. Phew! It's humming along just fine with each individual test.

I look forward to the day that there are more GUIs in products like this. That way I can choose what I want done but the software does the configuring for me and thus eliminates syntax errors and other misunderstandings. Both Declude and Sniffer would benefit greatly from that. A future wish.

Thanks again

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, March 07, 2006 6:28 PM
To: Harry Vanderzand
Subject: Re[2]: [sniffer] declude tests

On Tuesday, March 7, 2006, 6:20:04 PM, Harry wrote:

HV> I guess I am not understanding something here after all this time

HV> So as I understand I leave the persistent word out of the declude
HV> config and just run the service?

YES. :-)

The instances launched by Declude will recognize that the service is running and will elect to be peer-client instances automatically. Also, if the service fails for any reason then they will automatically adopt peer-server mode. (In Peer-Server mode, instances take turns acting as a service for short periods to improve performance.)

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] New Rulebot F001
On Monday, March 6, 2006, 3:13:53 PM, Jay wrote:

JSHNL> There's been at least one FP ;)

JSHNL> --
JSHNL> Rule           861038
JSHNL> Name           F001 for Message 2888327: [216.239.56.131]
JSHNL> Created        2006-03-02
JSHNL> Source         216.239.56.131
JSHNL> Hidden         false
JSHNL> Blocked        false
JSHNL> Origin         Automated-SpamTrap
JSHNL> Type           ReceivedIP
JSHNL> Created By     [EMAIL PROTECTED]
JSHNL> Owner          [EMAIL PROTECTED]
JSHNL> Strength       2.08287379496965
JSHNL> False Reports  0

Yes, sorry about the confusion. The original announcement happened about 3 days before that FP. The note was a resend this afternoon so that Karen (Tink) could update the web site with recent news.

In fact, both of those notes were resends... The originals didn't make it because I transposed the s and n near the t in sortmonster.

Sorry again for the confusion.

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] New Rulebot F001
On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives. Not
DC> sure if these are due to the new rulebot, but it's more than we've had for
DC> the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] New Rulebot F001
Pete,

One of these was EarthLink [207.217.120.227], and one of these was Google Mail [64.233.166.182]. SpamBag lists the EarthLink address as a source of bogus bounces, and I posit that this would be the source of the mail to the spamtraps that would trigger the F001 bot.

I would like to state that I don't need Message Sniffer to identify servers that send bogus postmaster notifications. This would be entirely due to false positives such as the three examples above. Given that spammers clearly recycle their email database as a fake-mailfrom database, any spamtrap address will get bogus bounces and therefore, the spamtraps will flag legitimate senders' IP addresses in Rule 63.

I don't expect nor want you to discuss the details of the spamtraps as the point of one class of your spamtraps is that their methods are secret. However, Matt has described a subset of the filters various Decluders have used to filter out postmaster bounces and other reflected noise, and I can certainly chip in on that conversation offline.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:18 PM
To: Darin Cox
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives.
DC> Not sure if these are due to the new rulebot, but it's more than
DC> we've had for the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
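Andrew's point is that a spamtrap which accepts everything will also collect backscatter (bounces and other reflected mail sent to forged addresses), and a rule bot fed that traffic will list the innocent relay that sent the bounce. The script below is an added example of the kind of pre-filter he alludes to; it is not Matt's filter, not anything from the list, and not Message Sniffer or Declude code. It classifies trap deliveries with a few standard signals (null envelope sender, postmaster/mailer-daemon senders, RFC 3462 multipart/report with a report-type, Auto-Submitted, bounce-style subjects) and sets those aside before the rest is handed to any rule-generating process. The heuristic list and the sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Local parts that mail systems use for bounces and other automatic notifications.
NOTIFICATION_LOCALPARTS = {"postmaster", "mailer-daemon"}

# Subject prefixes commonly produced by bounce generators. Assumption: this short
# list is illustrative, not a complete catalogue.
BOUNCE_SUBJECT_PREFIXES = (
    "undeliverable", "undelivered mail", "delivery status notification",
    "returned mail", "mail delivery failed", "delivery failure",
)


def _localpart(addr):
    """Lower-cased local part of an address (empty if none could be parsed)."""
    _name, address = parseaddr(addr or "")
    return address.split("@", 1)[0].lower() if address else ""


def backscatter_reason(envelope_from, raw_message):
    """Return why a trap delivery looks like reflected noise, or None if it looks
    like mail sent directly to the trap.

    envelope_from is the SMTP MAIL FROM as the trap's MTA recorded it ("<>" for null).
    Checks run from the strongest signal (null sender) to the weakest (subject text).
    """
    msg = email.message_from_string(raw_message)
    env = envelope_from.strip()
    if env in ("", "<>"):
        return "null envelope sender (bounce)"
    if _localpart(env) in NOTIFICATION_LOCALPARTS:
        return "envelope sender is postmaster/mailer-daemon"
    if _localpart(msg.get("From")) in NOTIFICATION_LOCALPARTS:
        return "From: header is postmaster/mailer-daemon"
    report_type = msg.get_param("report-type")
    if msg.get_content_type() == "multipart/report" and report_type:
        return "multipart/report with report-type=%s" % report_type
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":
        return "Auto-Submitted: %s" % auto
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.startswith(BOUNCE_SUBJECT_PREFIXES):
        return "bounce-style subject"
    return None


def filter_trap_feed(items):
    """Split (envelope_from, raw_message) pairs into the ones worth feeding to a
    rule bot and the ones set aside as reflected noise (with the reason)."""
    keep, drop = [], []
    for env, raw in items:
        reason = backscatter_reason(env, raw)
        if reason:
            drop.append((env, reason))
        else:
            keep.append((env, raw))
    return keep, drop


# Constructed sample deliveries to a trap address (all hosts and addresses made up).
TRAP_FEED = [
    ("<>", """\
From: MAILER-DAEMON@mx.example.net
To: trap@example.org
Subject: Undeliverable: cheap meds
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

(bounce body)
"""),
    ("postmaster@mx.example.net", """\
From: postmaster@mx.example.net
To: trap@example.org
Subject: Delivery Status Notification (Failure)

(bounce body)
"""),
    ("bulk@spammer.example", """\
From: Promo <bulk@spammer.example>
To: trap@example.org
Subject: cheap meds

(spam body)
"""),
    ("news@list.example", """\
From: list@list.example
To: trap@example.org
Subject: Mail delivery failed: returning message to sender
Auto-Submitted: auto-replied

(auto reply body)
"""),
]

if __name__ == "__main__":
    kept, dropped = filter_trap_feed(TRAP_FEED)
    for env, reason in dropped:
        print("set aside %-28s %s" % (env, reason))
    print("%d of %d deliveries left for rule generation" % (len(kept), len(TRAP_FEED)))
```

The envelope sender is the most reliable of these signals, which is why the trap MTA has to record it: a spammer forging a victim's address as MAIL FROM produces bounces with a null sender, and a filter that only looks at headers misses many of them. The remaining checks catch auto-responders and notification mail that is not strictly a bounce but, as Andrew says, is still not evidence about the sending host.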
Re: Re[2]: [sniffer] New Rulebot F001
Thanks, Pete.

Darin.

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Monday, March 06, 2006 6:17 PM
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives. Not
DC> sure if these are due to the new rulebot, but it's more than we've had for
DC> the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] New rulebase compilers online.
On Monday, March 6, 2006, 6:09:43 PM, Matt wrote:

M> Pete,

M> Does this mean that you are somehow supporting incremental rule base
M> updates, or is it that the compiler is just much faster so we will get
M> the same number of updates, but generally get them 40-120 minutes
M> earlier in relation to the data that generated them?

The latter. Incremental updates are coming with the V3 engine. We will have real time reporting and tuning before that.

The new behavior for the compiler bots is to seek out any eligible rulebases that match the profile of the previously compiled rulebase and to use the cached data to build the new rulebase provided it is discovered within a short enough period (a matter of seconds). This is called replication.

Replication happens in seconds. Compiling a rulebase takes between 5 and 35 minutes depending on the complexity.

While I have seen occasional spikes, I generally now see unfinished, eligible rulebase counts in the low teens and estimated lag in the single digits.

M> Either way, definitely an improvement. The closer to real-time we can
M> get, the better.

:-)

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] Sniffer, MDLP, and invURIBL?
On Saturday, February 25, 2006, 1:38:53 PM, Joe wrote:

JW> I would actually prefer that MDLP autotune the weight for
JW> invURIBL, but since the weights are managed by invURIBL and not
JW> Declude I don't know how this will work.

I'm not familiar enough with invURIBL to know how it is configured. However, as long as its maximum and minimum weights are in a reasonable range, then if you exclude it from MDLP you should be ok.

MDLP's AI tries to optimize the weights of the tests it can manipulate so that the most accurate total scores are provided. If there are tests it cannot adjust then it is forced to work around those with the other tests. The results are not predictable (the task is far too dynamic and contains far too many variables) but they should be sane and correct.

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] Running sniffer as a service
On Friday, February 24, 2006, 7:13:47 AM, Jeff wrote:

JP> Do I need to modify anything in my Declude configuration file where it calls
JP> the SNIFFER test in order for this to function ??

No. You set up a persistent instance outside of Declude and the other SNF instances adapt automatically.

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] When to go persistent
On Thursday, February 23, 2006, 11:53:51 AM, LLC wrote:

JISL> I'm investigating the persistent mode and read the info on the web site.
JISL> Can't make heads or tails of it.

JISL> How do I enable persistent mode on a Windows 2003 Server? The web site speaks
JISL> hypothetically, but the information is not practical. From the message at
JISL> http://www.mail-archive.com/sniffer@sortmonster.com/msg00165.html it would
JISL> seem that you need an external utility to run Sniffer in persistent mode,
JISL> but the link to
JISL> http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html
JISL> is no longer valid.

JISL> What exact steps are needed to run in persistent mode on Windows 2003
JISL> Server?

Sorry about that... the Judoscript site comes and goes lately. (Maybe permanently gone this time).

To run in persistent mode, simply launch an instance of SNF from the command line with the word persistent in place of the file to scan.

licenseid.exe authentication persistent

The persistent instance will be recognized by all of the other instances (those are launched by your email server usually - one per message). When a persistent instance is present it will keep the rulebase loaded in memory and the other instances will coordinate with it to get their messages scanned. This eliminates the work of reloading the rulebase and can help to optimize the timing of the message scans to improve throughput.

If the persistent instance fails or is stopped for any reason then the SNF software returns to its native peer-server mode.

There are a number of utilities out there (some free) that allow you to run an executable as a service. RunExeSvc is the one I used. Many have recommended FireDaemon: http://www.firedaemon.com/

There is also a windows toolkit that will let you run programs as services - it requires some hacking in the registry as I recall.

I can't provide specifics for these approaches at this time, but I believe the windows toolkit method was described well in the sniffer@ list archives, and Firedaemon will have its own process that is likely to be simpler.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] When to go persistent
Pete,

> To run in persistent mode, simply launch an instance of SNF from the command line with the word persistent in place of the file to scan.
>
> licenseid.exe authentication persistent

I am calling Sniffer from Declude. Could I just alter my statement in my config file to include persistent? That way the first time it is called that instance will go persistent and all the rest will end up talking to it?

Regardless of how the persistent instance is started should I have the persistent keyword on the line that is called from Declude?

Goran Jovanovic

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False Positive - no reaction?
On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS> Sorry - didn't mean to be pushy. I just thought that false positives are
AS> worse than missed spam, so I had assumed that they would always be at the
AS> top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not being pushy.

The current goal is to respond in less than 24 hours and if possible to review twice per day. Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time.

I'm working to increase the review cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things.

AS> I can wait (PS - would have calmed my nerves, if there had been some
AS> automatic ticket number response that reassured me that my email was
AS> received. The web site makes it sound as if there's a million reasons why a
AS> false positive might not be accepted - so an automatic confirmation might be
AS> a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b

When I get to the false processing bot I will add a response mechanism.

Thanks!

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] False Positive - no reaction?
Hi Pete,

I agree that the email notification is tricky - because you might respond to spam - and, you may NOT respond to someone who did not use an authorized address.

On the other hand, if I KNEW there was an auto-response and I did NOT get a response, it would be an indication to me, the user, that I must have done something wrong. So - in a sense - no response is also a message I can act on.

The only other suggestion I have is to create a 24 hour 'queue' display on the web site. All you need to show is a column of the sender domain names of the email (not the entire sender email address). If I submit a false positive I can confirm that it made it into your queue by checking the web page. This way, you don't need to send automated emails.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, February 21, 2006 11:04 AM
To: Andy Schmidt
Subject: Re[2]: [sniffer] False Positive - no reaction?

On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS> Sorry - didn't mean to be pushy. I just thought that false
AS> positives are worse than missed spam, so I had assumed that they
AS> would always be at the top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not being pushy.

The current goal is to respond in less than 24 hours and if possible to review twice per day. Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time.

I'm working to increase the review cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things.

AS> I can wait (PS - would have calmed my nerves, if there had been some
AS> automatic ticket number response that reassured me that my email
AS> was received. The web site makes it sound as if there's a million
AS> reasons why a false positive might not be accepted - so an automatic
AS> confirmation might be a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b

When I get to the false processing bot I will add a response mechanism.

Thanks!

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] False Positive - no reaction?
I like this idea more than the email notification. I really don't need more emails.

----- Original Message -----
From: Andy Schmidt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, February 21, 2006 10:16 AM
Subject: RE: Re[2]: [sniffer] False Positive - no reaction?

Hi Pete,

I agree that the email notification is tricky - because you might respond to spam - and, you may NOT respond to someone who did not use an authorized address.

On the other hand, if I KNEW there was an auto-response and I did NOT get a response, it would be an indication to me, the user, that I must have done something wrong. So - in a sense - no response is also a message I can act on.

The only other suggestion I have is to create a 24 hour 'queue' display on the web site. All you need to show is a column of the sender domain names of the email (not the entire sender email address). If I submit a false positive I can confirm that it made it into your queue by checking the web page. This way, you don't need to send automated emails.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, February 21, 2006 11:04 AM
To: Andy Schmidt
Subject: Re[2]: [sniffer] False Positive - no reaction?

On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS> Sorry - didn't mean to be pushy. I just thought that false
AS> positives are worse than missed spam, so I had assumed that they
AS> would always be at the top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not being pushy.

The current goal is to respond in less than 24 hours and if possible to review twice per day. Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time.

I'm working to increase the review cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things.

AS> I can wait (PS - would have calmed my nerves, if there had been some
AS> automatic ticket number response that reassured me that my email
AS> was received. The web site makes it sound as if there's a million
AS> reasons why a false positive might not be accepted - so an automatic
AS> confirmation might be a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b

When I get to the false processing bot I will add a response mechanism.

Thanks!

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] False Positive - no reaction?
That queue concept would be wonderful! Hopefully it would have some simple info extracted to show recipient, sender, subject, header info, and info on the rule(s) it failed. One of my ongoing challenges is matching responses to reports and following up to see what additional actions are required.

Darin.

----- Original Message -----
From: Andy Schmidt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, February 21, 2006 11:16 AM
Subject: RE: Re[2]: [sniffer] False Positive - no reaction?

Hi Pete,

I agree that the email notification is tricky - because you might respond to spam - and, you may NOT respond to someone who did not use an authorized address.

On the other hand, if I KNEW there was an auto-response and I did NOT get a response, it would be an indication to me, the user, that I must have done something wrong. So - in a sense - no response is also a message I can act on.

The only other suggestion I have is to create a 24 hour 'queue' display on the web site. All you need to show is a column of the sender domain names of the email (not the entire sender email address). If I submit a false positive I can confirm that it made it into your queue by checking the web page. This way, you don't need to send automated emails.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, February 21, 2006 11:04 AM
To: Andy Schmidt
Subject: Re[2]: [sniffer] False Positive - no reaction?

On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS> Sorry - didn't mean to be pushy. I just thought that false
AS> positives are worse than missed spam, so I had assumed that they
AS> would always be at the top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not being pushy.

The current goal is to respond in less than 24 hours and if possible to review twice per day. Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time.

I'm working to increase the review cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things.

AS> I can wait (PS - would have calmed my nerves, if there had been some
AS> automatic ticket number response that reassured me that my email
AS> was received. The web site makes it sound as if there's a million
AS> reasons why a false positive might not be accepted - so an automatic
AS> confirmation might be a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b

When I get to the false processing bot I will add a response mechanism.

Thanks!

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] [Fwd: Diann Helms]
On Wednesday, February 15, 2006, 11:02:11 AM, Bonno wrote:

BB Hi Pete,
BB []
If you wish, it is possible to create a local black rule for any geocities link. On many ISP systems this would cause false positives, but on more private systems it may be a reasonable solution.

BB I think I could use such a black rule without getting too many FPs, but in
BB which categories would that rule then go? I score the several Sniffer
BB results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
BB would put it several points below my hold weight. An extra hit would be
BB needed to get it held.

Normally when we make custom black rules we code them to a special rule group (generally with a group symbol 5 by convention). Since 5 is a lower number than all other rule groups (except for white rules = 0) any message matching a local black rule will be distinct.

Hope this helps,

_M
Re[2]: [sniffer] False Positives
On Wednesday, February 15, 2006, 4:32:14 PM, Robert wrote:

RG The X-SNF header. Sounds like a good idea. Is there a cheat sheet someplace
RG for making that happen, if possible, in a Declude / Imail environment?
RG Thanks ahead of time,

In the distribution the option is described in the .cfg file. However, in the Declude environment I don't know of any easy way to make use of it. What would be best is if Declude could be persuaded to pick up the .xhdr file SNF produces and add it to the headers it is already adding to the message. This way, the message would only need to be altered once (less I/O) for all of the headers.

MDaemon systems using the plugin have the SNF headers by default. Most *nix systems also use the .xhdr option and then allow the programs that follow to respond to the headers planted by SNF. A number of custom-built systems are also using it.

_M
Re[2]: [sniffer] False Positives
Jim,

Not at this time. The two processes are entirely different.

The False Positives process is highly interactive. The standardized responses were implemented to allow for some automation on both sides.

Spam submissions are always treated as anonymous for security reasons and also because of the volume. At one point today we were processing 5000 spam per hour. At those rates it is not practical to respond to each submission.

Advanced features near V4 (some time in the future) will allow us to handle some spam submissions specifically for a particular license ID --- so there are some plans for this later on. However, for the short and medium term all spam submissions will remain anonymous.

If you have a chronic spam for which you would like a local black rule added then you should send a zip'd copy to support@ along with your requests. We will help you adjust your rulebase accordingly. For example, some relatively closed systems are able to use broad rules for certain character sets, file attachment types, or other features to eliminate messages they simply will never see in practice.

_M

On Wednesday, February 15, 2006, 4:40:50 PM, Jim wrote:

JMJ Pete,
JMJ Is there any way to get an automatic response similar to the one listed below
JMJ for the FP address, but for submissions to your spam@ address? It would be
JMJ nice to get some feedback when submitting spam.
JMJ Jim Matuska Jr.
JMJ Computer Tech2, CCNA
JMJ Nez Perce Tribe
JMJ Information Systems
JMJ [EMAIL PROTECTED]
JMJ
JMJ -Original Message-
JMJ From: [EMAIL PROTECTED]
JMJ [mailto:[EMAIL PROTECTED]
JMJ On Behalf Of Pete McNeil
JMJ Sent: Wednesday, February 15, 2006 1:28 PM
JMJ To: Kevin Rogers
JMJ Subject: Re: [sniffer] False Positives
JMJ On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:
KR My users have been getting a lot of FPs by Sniffer lately. They send me
KR the email with the FULL HEADERS displayed and I forward this email on to
KR SortMonster. The program they use to analyze incoming submissions checks
KR MY email headers, determines that SNIFFER was not at fault and sends me
KR back an email saying it didn't find any flags.
JMJ Just to clarify a bit, here is the standard response you're probably
JMJ talking about:
JMJ [FPR:0]
JMJ The message did not match any active black rules as submitted. The rules
JMJ may have been modified or removed. If you provide matching log entries
JMJ from your system then we can research this further.
JMJ Note that sometimes our false processing system may not identify the
JMJ rules that matched this message on your system due to changes in the
JMJ submitted content that might occur during the forwarding process.
JMJ Please also be sure you are running the latest version, that your
JMJ rulebase file is up to date, and that you do not have any unresolved
JMJ errors in your Sniffer log file. Bug fixes in newer versions may resolve
JMJ false positive issues or reduce the risk of false positives through
JMJ enhanced features and new technologies. Certain errors in your log file
JMJ may indicate a corrupted rulebase.
JMJ ---
JMJ The software we use to scan false positive submissions is a version of
JMJ SNF that includes every rule we have in our system. If the message
JMJ does not match any of these rules, MOST of the time it means that the
JMJ rule has been removed already.
JMJ If that is not the case, then the next step is to provide matching log
JMJ entries. On some systems this is not necessary because the headers may
JMJ already contain SNF x-header data that shows the rules involved.
JMJ This process is not intended to make things difficult, but to save
JMJ time. The majority of the time, our local scanner will identify the
JMJ rule or rules in question and we will respond accordingly.
JMJ When that is not the case we simply need more data to move forward
JMJ with the investigation.
JMJ Usually, when a rule is still in the system and it does not match a
JMJ false positive submission it is because the original message was
JMJ altered during the forwarding process or that some condition of being
JMJ attached has prevented the scanner on this end from reproducing the
JMJ result you had on your system.
JMJ Hope this helps,
JMJ _M
Re[2]: [sniffer] False Positives
On Wednesday, February 15, 2006, 4:48:43 PM, Computer wrote:

CHS I second the motion. We have been submitting spam for over a year and I
CHS don't know if a single one was received.

In general, if you've not received an error during delivery, we most certainly got your message... it may have even made it to the queue (if it wasn't already filtered by new rules).

One way to be sure we receive your spam is to create a pop3 box on your system for your spam submissions and provide us with the login data (email address (as login), password, FQDN of the pop3 server). This way, if the mail in that box gets deleted you know one of our bots has pulled it in and added it to our queues.

_M
Re[2]: [sniffer] problems!!!!
On Wednesday, February 8, 2006, 10:59:09 AM, Darin wrote:

DC I have an idea. These problems seem to stem mostly from changes
DC in the methods of handling rulebase updates.

snip/

DC Would it be feasible to announce in advance when such changes
DC are to be implemented? With advance notice of a date and time
DC for the switch we could choose to freeze our rulebases just before
DC that for a day to make sure the kinks were worked out before
DC updating. A few spam messages that slip through are better than
DC a slew of false positives that require review and are delayed in reaching the customer.

That's a good idea, and we do, in fact, follow that procedure. Whenever we make any large scale changes we always announce them here on this list,... we usually also put them on our web site.

There is an error in your comment however... the previous event (with the rule-bots) was completely unforeseeable. There was no way to announce that known good software would suddenly fail so spectacularly when no changes within our control were made. Thankfully, that kind of event is extremely unlikely also.

It is unfortunate that these two events would happen so closely together.

_M
Re: Re[2]: [sniffer] problems!!!!
There was no error in my comment. I completely understand that some issues will not be foreseeable... I did say mostly, not entirely. The switch to the automated bots caused a rash of false positives in our system. I'm not pointing fingers, but instead want to make sure I have the ability to decide what risks to take on my end. While mistakes are always possible... we are human after all... the more controls we have available to minimize possible impact, the better.

What I would be looking for is an announcement of a specific date/time for a cutover so we could freeze just before that, and unfreeze once it was clear that no glut of false positives would result.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Wednesday, February 08, 2006 11:13 AM
Subject: Re[2]: [sniffer] problems

On Wednesday, February 8, 2006, 10:59:09 AM, Darin wrote:

DC I have an idea. These problems seem to stem mostly from changes
DC in the methods of handling rulebase updates.

snip/

DC Would it be feasible to announce in advance when such changes
DC are to be implemented? With advance notice of a date and time
DC for the switch we could choose to freeze our rulebases just before
DC that for a day to make sure the kinks were worked out before
DC updating. A few spam messages that slip through are better than
DC a slew of false positives that require review and are delayed in reaching the customer.

That's a good idea, and we do, in fact, follow that procedure. Whenever we make any large scale changes we always announce them here on this list,... we usually also put them on our web site.

There is an error in your comment however... the previous event (with the rule-bots) was completely unforeseeable. There was no way to announce that known good software would suddenly fail so spectacularly when no changes within our control were made. Thankfully, that kind of event is extremely unlikely also.

It is unfortunate that these two events would happen so closely together.

_M
Re: Re[2]: [sniffer] problems!!!!
What is the correct Sniffer string in the Declude Global.cfg file?

SNIFFER external nonzero d:\imail\declude\sniffer\sniffer.exe code12 0

or

SNIFFER external nonzero d:\imail\declude\sniffer\sniffer.exe code10 0

Thanks
Filippo
Re[2]: [sniffer] problems!!!!
On Wednesday, February 8, 2006, 11:06:07 AM, Markus wrote:

MG If an experimental rule showed to be reliable they move them in
MG the appropriate category (rich, fraud,...)
MG
MG I'm not sure about this but I think it's so and so it shouldn't
MG be necessary to do something like manually block updates.

This is not how it works. Experimental rule groups contain abstract rules that may not classify a particular type of message. Indeed, even rules that are coded to more specific groups will likely match messages that are outside of those categories because the blackhats frequently re-use domains and other features in many different campaigns. For example, the current chatty drugs, chatty loans, and chatty watches campaigns all tend to share the same domains in their links.

Along the lines of delaying implementation of new rules, we can configure rulebases and rule groups within them to only accept rules with a specific minimum age in days. We might have to charge for this kind of custom modification, and it would by its nature increase spam leakage.

_M
Re[2]: [sniffer] question on xhdr files
On Wednesday, February 8, 2006, 1:32:05 PM, David wrote:

The .xhdr files are created by SNF and can be turned off in SNF's .cfg file. They contain text that could be added to the headers of the message to help debug false positives and/or to trigger other filtering systems.

DP Well I see this in the config file:
DP
DP # XHeader File Output - When set to On the engine will create a new file with
DP # each message scanned with the name scanfilename.xhdr that contains x-header
DP # information that should be added to the message.
DP XHeaderData: X-MessageSniffer-Rules
DP XHeaderFinal: X-MessageSniffer-Result
DP
DP I don't see the specific line to turn this off. Do I simply comment out the
DP XHeaderData and XHeaderFinal lines? If I do that will it still insert the
DP information in the header?

I'm sorry that's misleading. Yes, comment out the two lines:

# XHeaderData: X-MessageSniffer-Rules
# XHeaderFinal: X-MessageSniffer-Result

That should prevent SNF from creating the .xhdr files.

According to what I see, the headers created in your messages are actually generated by the script, so the .xhdr info generated by SNF is largely redundant.

Best,

_M
Re[2]: [sniffer] Bad Rule - 828931
I do most humbly apologize. It was my intention to do it immediately, however I became embroiled in related support issues and was delayed.

I don't expect more of these, but I will make announcing their discovery the next event after removing them from the system.

Thanks,

_M

On Tuesday, February 7, 2006, 4:19:24 PM, Computer wrote:

CHS Dear Pete,
CHS In the future, please let us know immediately when you become aware of this.
CHS As it is, I will spend the next 3 hours picking out the false positives from
CHS the mailbox and forwarding them to the clients. If I could have put the
CHS rulepanic in place an hour ago it would have saved me a lot of work and
CHS confused customers.
CHS Thank you,
CHS Michael Stein
CHS Computer House
CHS - Original Message -
CHS From: Pete McNeil [EMAIL PROTECTED]
CHS To: sniffer@sortmonster.com
CHS Sent: Tuesday, February 07, 2006 4:07 PM
CHS Subject: [sniffer] Bad Rule - 828931
CHS Hello Sniffer folks,
CHS I'm sorry to report that another bad rule got past us today. The
CHS rule has been removed (was in from about 1200-1500), but it may be
CHS in some of your rulebases.
CHS To avoid a problem with this rule you can enter a rule-panic entry
CHS in your .cfg file for rule id: 828931
CHS If it is not already, the rule will be gone from your rulebase after
CHS your next update.
CHS Thanks,
CHS _M
CHS Pete McNeil (Madscientist)
CHS President, MicroNeil Research Corporation
CHS Chief SortMonster (www.sortmonster.com)
CHS Chief Scientist (www.armresearch.com)
Re: Re[2]: [sniffer] Bad Rule - 828931
Dear Pete,

Please excuse my previous E-mail if it seemed a bit harsh. I guess I am so used to your great service, that on the rare occasion when this happens, I panic.

Thanks for being there to walk me through the procedure.

Sincerely,
Michael Stein
Computer House

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Computer House Support sniffer@SortMonster.com
Sent: Tuesday, February 07, 2006 4:24 PM
Subject: Re[2]: [sniffer] Bad Rule - 828931

I do most humbly apologize. It was my intention to do it immediately, however I became embroiled in related support issues and was delayed.

I don't expect more of these, but I will make announcing their discovery the next event after removing them from the system.

Thanks,

_M

On Tuesday, February 7, 2006, 4:19:24 PM, Computer wrote:

CHS Dear Pete,
CHS In the future, please let us know immediately when you become aware of this.
CHS As it is, I will spend the next 3 hours picking out the false positives from
CHS the mailbox and forwarding them to the clients. If I could have put the
CHS rulepanic in place an hour ago it would have saved me a lot of work and
CHS confused customers.
CHS Thank you,
CHS Michael Stein
CHS Computer House
CHS - Original Message -
CHS From: Pete McNeil [EMAIL PROTECTED]
CHS To: sniffer@sortmonster.com
CHS Sent: Tuesday, February 07, 2006 4:07 PM
CHS Subject: [sniffer] Bad Rule - 828931
CHS Hello Sniffer folks,
CHS I'm sorry to report that another bad rule got past us today. The
CHS rule has been removed (was in from about 1200-1500), but it may be
CHS in some of your rulebases.
CHS To avoid a problem with this rule you can enter a rule-panic entry
CHS in your .cfg file for rule id: 828931
CHS If it is not already, the rule will be gone from your rulebase after
CHS your next update.
CHS Thanks,
CHS _M
CHS Pete McNeil (Madscientist)
CHS President, MicroNeil Research Corporation
CHS Chief SortMonster (www.sortmonster.com)
CHS Chief Scientist (www.armresearch.com)
Re[2]: [sniffer] Downloads are slow.
Somebody please tell me I'm doing something wrong here. I use this expression in Baregrep

Final\t828931

and it yields 22,055 matching lines across 3 of my 4 license's log files. Since this is set to my hold weight, I'm assuming that means I've had 22,055 holds on this rule?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [sniffer] Bad Rule - 828931
Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M rule number, and I don't have the tools set up or the knowledge of grep
M yet to do a piped query of Sniffer's logs to extract the spool file names.

http://www.baremetalsoft.com/ is a great grep'er for windows.

In BSD I always used .* to represent any number of characters, white space or non, but that didn't seem to work with baregrep. That's why I was trying to confirm with anyone on the list my regex of Final\t828931 was an accurate regex to find every message that 'finaled' on that rule. I'm praying that I screwed up the expression and I don't have 22,055 messages held by that rule.

M BTW, David, it is generally better not to hold or block on one single
M test, especially one that automates such listings (despite whatever
M safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to hold on sniffer alone. We have some safeguards in place now and are transitioning our rule methodologies but hadn't gotten to this one yet as this always seems to hit back-burner. This is also why I'd really like to see the content of the rule to see how it made it past our safeguards.

--
Best regards,
David mailto:[EMAIL PROTECTED]
RE: Re[2]: [sniffer] Bad Rule - 828931
Don't know about the proper syntax for baregrep, but for the standard UNIX grep for Win32, the following would give you an accurate count:

grep -c Final.*828931 c:\imail\declude\sniffer\logfile.log

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 4:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931

Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M rule number, and I don't have the tools set up or the knowledge of
M grep yet to do a piped query of Sniffer's logs to extract the spool file names.

http://www.baremetalsoft.com/ is a great grep'er for windows.

In BSD I always used .* to represent any number of characters, white space or non, but that didn't seem to work with baregrep. That's why I was trying to confirm with anyone on the list my regex of Final\t828931 was an accurate regex to find every message that 'finaled' on that rule. I'm praying that I screwed up the expression and I don't have 22,055 messages held by that rule.

M BTW, David, it is generally better not to hold or block on one single
M test, especially one that automates such listings (despite whatever
M safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to hold on sniffer alone. We have some safeguards in place now and are transitioning our rule methodologies but hadn't gotten to this one yet as this always seems to hit back-burner. This is also why I'd really like to see the content of the rule to see how it made it past our safeguards.

--
Best regards,
David mailto:[EMAIL PROTECTED]
RE: Re[2]: [sniffer] Bad Rule - 828931
Final\t828931 and Final.*828931 both found 850 entries in my current log using Baregrep.

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 6:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931

Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M rule number, and I don't have the tools set up or the knowledge of
M grep yet to do a piped query of Sniffer's logs to extract the spool file names.

http://www.baremetalsoft.com/ is a great grep'er for windows.

In BSD I always used .* to represent any number of characters, white space or non, but that didn't seem to work with baregrep. That's why I was trying to confirm with anyone on the list my regex of Final\t828931 was an accurate regex to find every message that 'finaled' on that rule. I'm praying that I screwed up the expression and I don't have 22,055 messages held by that rule.

M BTW, David, it is generally better not to hold or block on one single
M test, especially one that automates such listings (despite whatever
M safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to hold on sniffer alone. We have some safeguards in place now and are transitioning our rule methodologies but hadn't gotten to this one yet as this always seems to hit back-burner. This is also why I'd really like to see the content of the rule to see how it made it past our safeguards.

--
Best regards,
David mailto:[EMAIL PROTECTED]
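Added example (not code from the list or from Message Sniffer): a small Python scan that does what the Baregrep/grep exchange above is after, counting the log lines that finaled on rule 828931 and pulling out the spool file names so the held messages can be located. The log layout (tab-separated timestamp, spool file, result, rule id, group symbol) and the log lines are constructed assumptions; what it adds is that neither Final\t828931 nor Final.*828931 is anchored after the rule id, so a hypothetical rule id that merely starts with 828931 is counted too, while comparing the whole field is exact.

```python
import re

# Constructed sample of SNF-style log lines (assumed layout, not a real log):
#   <timestamp>\t<spool file>\t<result>\t<rule id>\t<group symbol>
# Two messages finaled on rule 828931, one on an unrelated rule, one on a
# hypothetical rule 8289310 whose id merely begins with the same digits,
# and one white-rule result (rule 0).
SAMPLE_LOG = "\n".join([
    "20060207120501\tD:\\IMail\\spool\\D1000.SMD\tFinal\t828931\t62",
    "20060207120502\tD:\\IMail\\spool\\D1001.SMD\tFinal\t700123\t60",
    "20060207120503\tD:\\IMail\\spool\\D1002.SMD\tFinal\t828931\t62",
    "20060207120504\tD:\\IMail\\spool\\D1003.SMD\tFinal\t8289310\t60",
    "20060207120505\tD:\\IMail\\spool\\D1004.SMD\tFinal\t0\t0",
])

FIELD_SPOOL, FIELD_RESULT, FIELD_RULE = 1, 2, 3  # columns in the assumed layout


def grep_count(log_text: str, pattern: str) -> int:
    """Count the lines a regex matches, the way `grep -c` reports them."""
    rx = re.compile(pattern)
    return sum(1 for line in log_text.splitlines() if rx.search(line))


def finaled_on_rule(log_text: str, rule_id: str) -> list:
    """Spool file of every message whose Final rule is exactly rule_id.

    Splitting on tabs and comparing the whole rule field avoids the prefix
    over-match that an unanchored pattern such as Final\\t828931 produces
    (it also matches 8289310, 82893199, ...).  Lines with too few fields
    are skipped rather than guessed at.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) <= FIELD_RULE:
            continue
        if fields[FIELD_RESULT] == "Final" and fields[FIELD_RULE] == rule_id:
            hits.append(fields[FIELD_SPOOL])
    return hits


if __name__ == "__main__":
    for pat in (r"Final\t828931", r"Final.*828931"):
        print(f"{pat}: {grep_count(SAMPLE_LOG, pat)} lines")
    print("exact field match:", finaled_on_rule(SAMPLE_LOG, "828931"))
```

On the constructed lines both regexes count 3 while the field comparison returns the 2 spool files that really finaled on 828931; on a real log the counts would differ only if such a longer rule id were present.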
Re[2]: [sniffer] Downloads are slow.
I've had an internal note that our colo provider is working on a networking problem. That's probably what you're seeing. Apparently it doesn't affect all paths to the 'net equally and/or it may be solved by now.

_M

On Tuesday, February 7, 2006, 5:53:35 PM, John wrote:

JC Agreed, my last report showed pretty slow times. All today were slower now
JC that I look at them. I normally see up to 1.3M with overall times around
JC 800-900K.
JC John C

JC 15:52:29 (12.45 KB/s) - `.new.gz' saved [2646653]

JC -Original Message-
JC From: [EMAIL PROTECTED]
JC [mailto:[EMAIL PROTECTED]
JC On Behalf Of Pete McNeil
JC Sent: Tuesday, February 07, 2006 4:46 PM
JC To: Chuck Schick
JC Subject: Re: [sniffer] Downloads are slow.
JC I'm not showing this from my location and the server looks ok.
JC I just downloaded a few rulebases, each in under 3 seconds.
JC Please provide a traceroute -- that should show us where the issue
Re[2]: [sniffer] Bad Rule - 828931
Hello Pete,

Tuesday, February 7, 2006, 7:43:52 PM, you wrote:

PM The rule would match the intended spam (and there was a lot of it, so
PM 22,055 most likely includes mostly spam.

On spot check I'm seeing about 30-40% of the messages are valid.

PM Unfortunately it would also match messages containing the listed
PM capital letters in that order throughout the message. Essentially, if
PM the text is long enough then it will probably match. A greater chance
PM of FP match if the text of the message is in all caps. Also if there
PM is a badly coded base64 segment and file attachment (badly coded
PM base64 might not be decoded... raw base64 will contain many of these
PM letters in mixed case and therefore increase the probability of
PM matching them all).

Not sure, can anyone think of a way to cross check this? What if I put all the released messages back through sniffer?

--
Best regards,
David mailto:[EMAIL PROTECTED]
RE: Re[2]: [sniffer] Stock SPAM now HTML
This is going to get harder and harder to identify and fight. Is it worthwhile to put something like this in a new category which we are very confident about and so if it fails on the new combined image/text thing we can delete it outright?

Not sure if this is a good idea or not but I had to add extra static filters to pop the older text only stock spam above my delete weight. This combined image/text is going to make it tougher I think.

Thoughts?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, February 02, 2006 11:40 AM
To: Goran Jovanovic
Subject: Re[2]: [sniffer] Stock SPAM now HTML

There are some new mutations of the latest campaigns out today. These ones look like they were hand tweaked (not evolved by machine). They are a lot tougher, but I think we've got some abstracts coming out that will get them.

This new trend - using embedded images, adding static to images to avoid hashing systems, stuffing text, and avoiding links and email addresses is going to increase.

_M

On Thursday, February 2, 2006, 11:12:59 AM, Goran wrote:

GJ Will it ever stop :(
GJ Probably not. Actually maybe I shouldn't be wishing that SPAM stops
GJ because then I would lose a revenue stream... hmm conundrum
GJ Goran Jovanovic
GJ Omega Network Solutions
GJ -Original Message-
GJ From: [EMAIL PROTECTED]
GJ [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
GJ Sent: Thursday, February 02, 2006 7:20 AM
GJ To: Goran Jovanovic
GJ Subject: Re: [sniffer] Stock SPAM now HTML
GJ On Wednesday, February 1, 2006, 11:30:49 PM, Goran wrote:
GJ Well the plain text stock spam has just taken a turn to more
GJ interesting and SNF is not capturing it yet as of 10:55 EST. I
GJ have submitted a couple to spam@
GJ Now they are including part of a picture to make up the text.
GJ Here is what the source looks like
Isn't it amazing. I've coded some abstracts for this. More to come.
_M
Re[2]: [sniffer] The SPAM bots?
On Monday, January 30, 2006, 11:07:26 AM, Michiel wrote:

MP> G'day,
MP> I'm just wondering... what CAN be done about this? If I send an embedded picture to someone, how's sniffer gonna see the difference between my holiday picture and the stock spam?
MP> I reckon it's gonna be tough to block these?

We're very busy right now - big storm.

The answer to these is usually to create an abstract rule for the message structure. You may send a picture to someone, but your message won't usually be structured like the spam message.

Later on we'll be adding fuzzy image classification to the engine to help with this too.

Best,

_M
Re[2]: [sniffer] Stock Market Spam Messages
I see. I misunderstood.

We generally get text-based stock-push campaigns very quickly. We have seen an increase in these recently though. If it's a plain text stock push then it's most likely that you saw it before we did. I'll make sure that the rest of the team are watching out for these just in case (we have two new guys on the team... if they pushed it back then we might have been delayed in coding for it). Those guys are on this list too so they'll see this note when they get a minute.

If you see the same one repeatedly then please .zip it and send a copy to support as a chronic spam.

The other night I saw a burst of more than 5 new stock push campaigns come out in the same 10 minute period across the spamtraps. I thought that was unusual. It's possible, perhaps even likely, that you got this burst before we saw it.

Please let us know if you're getting the same one repeatedly or different ones.

Thanks,

_M

On Thursday, January 26, 2006, 11:55:52 AM, Jim wrote:

JMJ> The ones I seem to be getting have no images, and are only plain text.
JMJ> Jim Matuska Jr.
JMJ> Computer Tech2, CCNA
JMJ> Nez Perce Tribe
JMJ> Information Systems
JMJ> [EMAIL PROTECTED]
JMJ> -Original Message-
JMJ> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
JMJ> Sent: Thursday, January 26, 2006 8:53 AM
JMJ> To: Jim Matuska Jr.
JMJ> Subject: Re: [sniffer] Stock Market Spam Messages
JMJ> On Thursday, January 26, 2006, 11:22:40 AM, Jim wrote:
JMJ>> I seem to be noticing a lot of spam messages recently that are stock ads for offshore companies; I seem to be getting a lot of these that are not being classified by sniffer. I have been forwarding these to the spam@ address, but have yet to notice any real changes. Any thoughts on these?
JMJ> There has been a recent shift to using randomized images for these which makes them a bit harder to defeat.
JMJ> I'll take a look.
JMJ> _M
RE: Re[2]: [sniffer] Stock Market Spam Messages
They seem to be different ones sporadically over the last week or so. I'll keep an eye on any new ones and let you know if they change.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, January 26, 2006 10:54 AM
To: Jim Matuska Jr.
Subject: Re[2]: [sniffer] Stock Market Spam Messages
Re[2]: [sniffer] Rollback of bot rules..
On Thursday, January 19, 2006, 6:50:32 PM, Dave wrote:

DK> My bet is that either OB or WS trees of SURBL are the culprit. I've seen false positives from them before. Can your bot isolate the subs of the multi lookup and only use the more reliable ones like JP, SC, etc?

I'm not sure about that. I'll have to check. It's an interesting theory. We have had some odd FPs like this before, but never in any great numbers.

DK> Also, these are dynamic services and can change at any time... Sometimes in minutes. What does your software do in terms of caching those results?

We keep them until they either fall off the map due to no hits or they are removed for false positives. We've felt reasonably good about that up 'till now given that we generally get to review the rules that are coded, and that it's hard for them to get into the rulebase -- it takes much more than just being in SURBL to get in, so we're only coding a subset of the matches that hit clean spamtraps. -- again, in theory...

The plan now is to rebuild the bots from scratch once we get the time in our development schedule for that work. In the mean time, we'll be looking for possible explanations for what happened.

... keep in mind that SORBS tests went crazy at precisely the same moment. The chances of that coincidence are pretty small. Nonetheless, at this point all theories are welcome...

One other piece of data is that the resolvers in question have been running at nearly 100%... it is possible that under these conditions they produced bad results, or perhaps produced some anomaly that caused the results to be interpreted incorrectly - for example, as pointed out in the Perl DNS bug that was recently brought to my attention, result packets might have been delivered out of order or perhaps having some other unusual condition that caused the problems.

Resolving that for sure would require some lab time we're not going to spend right now, but it does allow us to think about some things to test on the new bots before pressing them into service.

Thanks,

_M
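Dave's suggestion of acting only on the more reliable SURBL sublists, and Pete's point about a busy resolver handing back mismatched answers, as an added Python illustration that is not Message Sniffer's or SURBL's code. It assumes the classic multi.surbl.org encoding (a 127.0.0.x answer whose last octet is a bitmask of sublists); the bit-to-sublist table is an assumption to be checked against SURBL's documentation, and the sample results are constructed, not real lookups.

```python
"""Decode a SURBL 'multi' answer and apply a per-sublist trust policy."""
from dataclasses import dataclass

# Assumed bit assignments for the multi.surbl.org combined list; verify
# against SURBL's documentation before relying on them.
SURBL_BITS = {
    2: "sc",
    4: "ws",
    8: "ph",
    16: "ob",
    32: "ab",
    64: "jp",
}

# Policy: only sublists the operator considers reliable may drive a block
# decision; the rest are recorded but not acted on.
TRUSTED = frozenset({"jp", "sc"})


@dataclass(frozen=True)
class Verdict:
    hits: tuple          # every sublist the answer encoded
    trusted_hits: tuple  # the subset this policy is willing to act on
    reason: str


def decode_multi(address: str) -> list:
    """Turn a 127.0.0.x answer into the sublist names its bitmask encodes.

    Bits with no entry in SURBL_BITS are ignored rather than guessed at.
    """
    octets = address.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"not a SURBL multi answer: {address}")
    mask = int(octets[3])
    return [name for bit, name in sorted(SURBL_BITS.items()) if mask & bit]


def evaluate(queried_name: str, answer_name: str, address: str) -> Verdict:
    """Evaluate one lookup result.

    `queried_name` is the name that was asked about, `answer_name` the name
    carried by the reply, `address` the A record. A reply whose name does
    not match the question is discarded instead of trusted: this is the
    out-of-order / mismatched-result failure the thread worries about, and
    discarding it fails safe (no hit) rather than producing a false positive.
    """
    if queried_name.lower().rstrip(".") != answer_name.lower().rstrip("."):
        return Verdict((), (), "answer does not match query; ignored")
    try:
        hits = decode_multi(address)
    except ValueError as exc:
        return Verdict((), (), str(exc))
    if not hits:
        return Verdict((), (), "listed on no sublist")
    trusted = [h for h in hits if h in TRUSTED]
    if not trusted:
        return Verdict(tuple(hits), (), "listed only on untrusted sublists")
    return Verdict(tuple(hits), tuple(trusted), "listed on trusted sublist")


# Constructed sample results (query name, answer name, A record), shaped
# like what a filter sees after querying <domain>.multi.surbl.org.
SAMPLES = [
    ("spamdomain.test.multi.surbl.org", "spamdomain.test.multi.surbl.org", "127.0.0.66"),
    ("bigisp.test.multi.surbl.org", "bigisp.test.multi.surbl.org", "127.0.0.20"),
    ("victim.test.multi.surbl.org", "other.test.multi.surbl.org", "127.0.0.64"),
]

if __name__ == "__main__":
    for query, answer, addr in SAMPLES:
        v = evaluate(query, answer, addr)
        print(f"{query}: hits={v.hits} trusted={v.trusted_hits} ({v.reason})")
```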
Re[2]: [sniffer] Help
Everything should be ok today. Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M

On Wednesday, January 18, 2006, 8:57:25 AM, Ali wrote:

AR> Hi,
AR> I am experiencing the very same problem.
AR> Regards,
AR> Ali
AR> -Original Message-
AR> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
AR> Sent: Wednesday, January 18, 2006 3:34 PM
AR> To: [EMAIL PROTECTED]
AR> Cc: sniffer@SortMonster.com
AR> Subject: [sniffer] Help
AR> Hello,
AR> What's going on with rules? Today, for 100 blocked by Sniffer, more than 10 were really legitimate.
AR> Please advise.
AR> Thanks
AR> Filippo
Re[2]: [sniffer] False Positives
On Wednesday, January 18, 2006, 8:42:22 AM, Frederick wrote:

FS> Same with me. Last night there was a rules update and it fixed the problem.
FS> Check the date of your rules update.

Please visit

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M
Re[2]: [sniffer] False Positives
On Wednesday, January 18, 2006, 8:54:49 AM, Darin wrote:

DC> Agreed. We counted 100 false positives yesterday, compared to our normal rate of less than 5.
DC> No false positives since 6pm ET yesterday, though. Thank goodness.

Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M
Re[2]: [sniffer] Watch out... SURBL SORBS full of large ISPs and Antispam providers.
On Tuesday, January 17, 2006, 7:21:11 AM, Matt wrote:

M> Pete,
M> w3.org would be a huge problem because Outlook will insert this in the XML headers of any HTML generated E-mail.
M> If you could give us an idea of when this started and possibly ended, that would help in the process of review.

Indications are that the rule was in our system for only a couple of hours this morning before we caught what was going on. Many folks won't have ever seen the rule... though it may still be in surbl.

In fact, all of these rules that we know of followed very much the same profile. Two of us were working in the rulebase at the time due to heavy outscatter from a fake ph.d campaign and several new variants of chatty_watches, chatty_drugs, and druglist.

We're continuing to look for any rules that might have entered our system this way and we haven't found any new ones since about the time I wrote my first post on it.

I'm about to run through false positives to see what might have been reported and remove those.

Hope this helps,

_M
Re[2]: [sniffer] Watch out... SURBL SORBS full of large ISPs and Antispam providers.
On Tuesday, January 17, 2006, 8:10:44 AM, Darrell wrote:

Dsic> Pete,
Dsic> I just checked real quick hitting several DNS servers (mine and others) and I am not seeing this - are you still seeing this now?

Nope... it was short lived.

_M
Re: Re[2]: [sniffer] Last chance to renew at the old price!
I believe a new topic is in order. Quick, someone ask a newbie question!

- Original Message -
From: John W. Enyart
To: sniffer@SortMonster.com
Sent: Thursday, December 29, 2005 11:27 AM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Amen. Keep this professional, or take me off the list. My mailbox is filling up with this garbage.

- John W. Enyart
EAI, Inc.
3259 Blackberry Lane
Malvern, PA 19355-9670
610/935/3085 FAX 610.935.3086
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Thursday, December 29, 2005 11:23 AM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

What the heck is going on with people posting to this list lately? People seem to be jumping all over each other, jumping to a lot of conclusions and getting all riled up. It's the Holiday Season for goodness sake! It's supposed to be a time of good will to others. We can agree or disagree about the amount of the price hike; but is all the other escalating banter really necessary?

Wolf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 9:33 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Joe, you are correct. I searched for and got out my agreement and it states Minimum Advertised Price. Memory does not always work so well. It is no ECC you know.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but it is illegal in the United States for the agreement to determine a minimum selling price. Any such stipulation in an agreement would put both of you in violation of federal price-fixing laws.

-Joe

- Original Message -
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of Message Sniffer, I can not charge that low of a price. As such, Pete or some one at Sniffer would need to notify me that I had permission to sell at such a low price. What I mean is, be careful.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller PM'd me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Can I also use this product on my snailmail? :p

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Friday, 30 December 2005 16:58
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

I believe a new topic is in order. Quick, someone ask a newbie question!
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Yeah -- I've been getting a lot of credit card offers in my postal mail lately... can we adapt a procmail filter to check my mail and wash my dog?

Jonathan

At 04:03 PM 12/30/2005, you wrote:

Can I also use this product on my snailmail? :p
RE: Re[2]: [sniffer] Last chance to renew at the old price!
What the heck is going on with people posting to this list lately? People seem to be jumping all over each other, jumping to a lot of conclusions and getting all riled up. It's the Holiday Season for goodness sake! It's supposed to be a time of good will to others. We can agree or disagree about the amount of the price hike; but is all the other escalating banter really necessary?

Wolf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 9:33 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Yes, you can renew with Declude.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 3:22 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Are they a valid reseller, sniffer-folks??

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 8:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller PM'd me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html
Re: Re[2]: [sniffer] Last chance to renew at the old price!
FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but it is illegal in the United States for the agreement to determine a minimum selling price. Any such stipulation in an agreement would put both of you in violation of federal price-fixing laws.

-Joe

- Original Message -
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
RE: Re[2]: [sniffer] Last chance to renew at the old price!
You certainly crossed a line of ethical integrity at the very least.

Pete: If you don't already have a 'non-compete' agreement in your reseller agreement, it's time. I would never have believed someone would actually try to sell your reseller rates to your customer base. It's simply appalling. And should be grounds for termination.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:46 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Absolutely not. In fact, if you read my post after this, I am questioning whether or not it can be sold for a lower price. I am not here to undermine any one, as after all where do you think the license that I sell comes from? After all, we are all here to help one another.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

John T: Did you just solicit the ENTIRE sniffer community with pricing that will undermine Pete? Never bite the hand that feeds you my friend.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I normally only sell hardware and software to clients as part of my services. However, if any one is interested in a price, contact me off list.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller PM'd me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: Re[2]: [sniffer] Last chance to renew at the old price!
1. What is YOUR motive for taking such a tone?

2. I never made an outright solicitation. It was done for the benefit of others. I am a small business and to my bottom line, every dollar or 5 dollars or 10 dollars counts. I clearly said I am not in the business of selling software or hardware. I have turned away requests before from people that have contacted me off list about software. It is extremely rare that I will sell to other than my clients.

3. How do you respond to the posting on this very list by Pete just a bit ago that the seller selling at such a low rate is a valid reseller?

4. How do you respond to the posting on this very list by Michael Murdoch that yes, you can renew with Declude at a lower cost?

Your responses are injecting that I am taking advantage of something or trying to take away something from SortMonster. That is not true at all. Your comment about competing is very unusual, in that in essence many of us are natural competitors to one another, yet day after day we help each other, in essence helping our competitor.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 6:01 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

You certainly crossed a line of ethical integrity at the very least.

Pete: If you don't already have a 'non-compete' agreement in your reseller agreement, it's time. I would never have believed someone would actually try to sell your reseller rates to your customer base. It's simply appalling. And should be grounds for termination.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:46 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Absolutely not. In fact, if you read my post after this, I am questioning whether or not it can be sold for a lower price. I am not here to undermine anyone, as after all, where do you think the license that I sell comes from? After all, we are all here to help one another.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

John T: Did you just solicit the ENTIRE sniffer community with pricing that will undermine Pete? Never bite the hand that feeds you, my friend.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I normally only sell hardware and software to clients as part of my services. However, if anyone is interested in a price, contact me off list.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller PM'd me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:
Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Joe, you are correct. I searched for and got out my agreement and it states Minimum Advertised Price. Memory does not always work so well. It is not ECC, you know.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but it is illegal in the United States for the agreement to determine a minimum selling price. Any such stipulation in an agreement would put both of you in violation of federal price-fixing laws.

-Joe

----- Original Message -----
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of Message Sniffer, I cannot charge that low of a price. As such, Pete or someone at Sniffer would need to notify me that I had permission to sell at such a low price. What I mean is, be careful.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller PM'd me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:
Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: Re[2]: [sniffer] Last chance to renew at the old price!
We should probably slow down here a bit... I don't think it was John T that solicited the guy off-list. John T was simply saying, if anyone wants options, let me know... oh, and this other guy could be shady since the price is too low. Sure it was a sales tactic, but I don't think he was the first guy...

Jonathan

At 08:00 PM 12/28/2005, you wrote:

You certainly crossed a line of ethical integrity at the very least.

Pete: If you don't already have a 'non-compete' agreement in your reseller agreement, it's time. I would never have believed someone would actually try to sell your reseller rates to your customer base. It's simply appalling. And should be grounds for termination.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:46 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Absolutely not. In fact, if you read my post after this, I am questioning whether or not it can be sold for a lower price. I am not here to undermine anyone, as after all, where do you think the license that I sell comes from? After all, we are all here to help one another.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

John T: Did you just solicit the ENTIRE sniffer community with pricing that will undermine Pete? Never bite the hand that feeds you, my friend.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I normally only sell hardware and software to clients as part of my services. However, if anyone is interested in a price, contact me off list.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller PM'd me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:
Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
Re[2]: [sniffer] Last chance to renew at the old price!
I'm sorry that it wasn't more visible. We have been talking about this for several months and have made a few announcements. It has also been on the web site for several months. My announcement today was just to make sure that anyone who had not heard didn't get blind-sided. Sorry it didn't turn out that way. We will be working on some better out-reach problems to help avoid this in the future.

_M

On Tuesday, December 27, 2005, 4:02:15 PM, Darin wrote:

DC> Wow... last minute notice. It's difficult to budget for these things with so little notice. Please consider a couple months' notice the next time.
DC> Darin.
DC> ----- Original Message -----
DC> From: Pete McNeil [EMAIL PROTECTED]
DC> To: sniffer@sortmonster.com
DC> Sent: Tuesday, December 27, 2005 12:42 PM
DC> Subject: [sniffer] Last chance to renew at the old price!
DC> Hello Sniffer folks,
DC> This is just a friendly reminder that prices will be going up January 1.
DC> You can add a year to your SNF subscription at the current price if you renew before January 1.
DC> Details are here:
DC> https://www.armresearch.com/message-sniffer/forms/form-renewal.asp
DC> Thanks,
DC> _M
DC> Pete McNeil (Madscientist)
DC> President, MicroNeil Research Corporation
DC> Chief SortMonster (www.sortmonster.com)
DC> Chief Scientist (www.armresearch.com)
Re: Re[2]: [sniffer] Last chance to renew at the old price!
Great. I've tracked ours and it is almost always 3 days, and sometimes up to 5 days when it goes over a weekend. This usually results in multiple reports of false positives for a given rule. Appreciate anything you can do to speed that up.

Darin.

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Tuesday, December 27, 2005 5:08 PM
Subject: Re[2]: [sniffer] Last chance to renew at the old price!

Part of the purpose for additional staff is to reach a goal of FP processing measured in minutes to hours, never days as it is sometimes now. We also have some automated tools on the drawing board that will help to mitigate many FP cases on a self-serve basis. These will be coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote:

DC> Hi Michael,
DC> How about false positive processing? That's our biggest headache, but it would be drastically reduced by faster processing than the 3-5 days we currently see.
DC> Darin.
DC> ----- Original Message -----
DC> From: Michael Murdoch [EMAIL PROTECTED]
DC> To: sniffer@SortMonster.com
DC> Cc: Pete McNeil [EMAIL PROTECTED]
DC> Sent: Tuesday, December 27, 2005 2:13 PM
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC> Hi Folks,
DC> Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.
DC> The new features/benefits and more to come are as follows:
DC> * In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.
DC> * We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)
DC> * We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).
DC> * During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more...
DC> It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability.
DC> As a result of this "reliability-first" design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-)
DC> We'd hate to see any of you go, but please do compare us with other services. I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results.
DC> Please let me know if you have any questions. Thank you for your feedback and business!
DC> Sincerely,
DC> Michael Murdoch
DC> The Sniffer Team
DC> ARM Research Labs, LLC
DC> Tel. 850-932-5338 x303
DC> -----Original Message-----
DC> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fox, Thomas
DC> Sent: Tuesday, December 27, 2005 1:03 PM
DC> To: sniffer@SortMonster.com
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC> I said the same thing, and the response was, basically, "We haven't raised the price in a long time, we need the money, like it or lump it."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Koontz
Sent: Tuesday, December 27, 2005 1:57 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

Pete, why over a 50% increase? That seems rather drastic.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 12:42 PM
To: sniffer@sortmonster.com
Subject: [sniffer] Last chance to renew at the old price!

Hello Sniffer folks,

This is just a friendly reminder that prices will be going up January 1. You can add a year to your SNF subscription at the current price if you renew before January 1. Details
Re[2]: [sniffer] Last chance to renew at the old price!
I can assure you that is not the case - quite the opposite, in fact. I would never suggest that you don't keep a plan B handy - everyone, IMO, should always have a plan B, C and D handy - In fact, that MO is one of the reasons we're still at it ;-)

Nonetheless, what's really going on here is that we are finally expanding to reach our potential, and I feel it's important to do that sooner rather than later. It took a while to find a partner that was up to the task. I've had a lot of important enhancements and new technologies planned and waiting on the shelf for some time now. The count-down is over. Now it is time to get these things deployed. I know that once you've seen some of the things that are coming you will be well pleased with the results. I know I will.

_M

On Tuesday, December 27, 2005, 4:25:02 PM, J.D. wrote:

JDS> The short notice is a little disappointing.
JDS> However, it is the justifications that are indicating that the provider of this solution may no longer be a viable business that really concern me.
JDS> Sounds like we need to start looking for Plan B today.
JDS> J.D.
JDS> Michael Murdoch wrote:
JDS> Hi Dave,
JDS> Your license is set to expire on 01/26/2006, so if we receive the renewal before the end of the year, your cost will be the same as your last renewal. Again, we are grandfathering and giving consideration to our existing clients. If you wait until after the 1st, your educational cost will be 10% off the new retail of $495.00.
JDS> Again and finally, this increase is needed if we are to remain a viable business that is able to provide you with a quality product/service and enhancements. And, just to clarify the percentage of the price increase, it is actually a 34% increase in retail or $170.00 per year. I know that that may still seem like a lot to some of you, but it is either this or get out of the business.
JDS> I trust and hope you will all understand. That's all that I have left to say as we have to get back to work keeping your in-boxes clean. ;-)
JDS> Thank you all for your business and support. Have a great New Year!
JDS> Best wishes,
JDS> Mike Murdoch
JDS> ARM Research Labs, LLC
JDS> The Sniffer Team
JDS> Tel. 850-932-5338 x303
JDS> -----Original Message-----
JDS> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Koontz
JDS> Sent: Tuesday, December 27, 2005 1:42 PM
JDS> To: [EMAIL PROTECTED]: 'Pete McNeil'
JDS> Subject: RE: [sniffer] Last chance to renew at the old price!
JDS> Thanks for the explanation. While this is all fine and good, the reality is that many IT shops are on fixed budgets outside of their control. I can justify a 10-15% increase to our CFO, but over 50% will get shot down immediately.
JDS> The fact that you haven't raised prices in years is noble, but if you need additional revenue, you should phase the increases in over a period of time, or a modest increase each year. Some customers simply cannot turn up the cash buckets into over-drive whenever you deem you need a substantial cash influx.
JDS> You've got a great product, and I would really hate to lose it as a tool.
JDS> What will the Educational Institution pricing look like?
JDS> -----Original Message-----
JDS> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Murdoch
JDS> Sent: Tuesday, December 27, 2005 2:14 PM
JDS> To: [EMAIL PROTECTED]: Pete McNeil
JDS> Subject: RE: [sniffer] Last chance to renew at the old price!
JDS> Importance: High
JDS> Hi Folks,
JDS> Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.
JDS> The new features/benefits and more to come are as follows:
JDS> * In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.
JDS> * We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)
JDS> * We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).
JDS> * During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Thanks Dean - And thanks to all of you who have been very supportive and understanding of what we are doing here!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Lawrence
Sent: Tuesday, December 27, 2005 4:18 PM
To: sniffer@sortmonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

You know, I just don't get where all of the doom and gloom comes from. Yes, it is a large percentage increase, but it's still only 2 bucks a day to run the best piece of software on my server. I'm sure that they have taken these comments into consideration and will try to give more advance notice in the future. But, to start with the "Time to start looking for another solution" talk is ridiculous. Reading Michael's description of what is going on over there suggests that their business is exploding, not imploding. And to keep on top of it, they need to increase their cash flow, not to buy nicer cars. I think everyone needs to look at how much Sniffer saves you every day instead of griping about how much it costs you.

Just my 2 cents.

Dean

On 12/27/05, Pete McNeil [EMAIL PROTECTED] wrote:

Part of the purpose for additional staff is to reach a goal of FP processing measured in minutes to hours, never days as it is sometimes now. We also have some automated tools on the drawing board that will help to mitigate many FP cases on a self-serve basis. These will be coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote:

DC> Hi Michael,
DC> How about false positive processing? That's our biggest headache, but it would be drastically reduced by faster processing than the 3-5 days we currently see.
DC> Darin.
DC> ----- Original Message -----
DC> From: Michael Murdoch [EMAIL PROTECTED]
DC> To: sniffer@SortMonster.com
DC> Cc: Pete McNeil [EMAIL PROTECTED]
DC> Sent: Tuesday, December 27, 2005 2:13 PM
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC> Hi Folks,
DC> Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.
DC> The new features/benefits and more to come are as follows:
DC> * In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.
DC> * We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)
DC> * We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).
DC> * During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more...
DC> It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability.
DC> As a result of this "reliability-first" design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-)
DC> We'd hate to see any of you go, but please do compare us with other services. I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results.
DC> Please let me know if you have any questions. Thank you for your feedback and business!
DC> Sincerely,
DC> Michael Murdoch
DC> The Sniffer Team
DC> ARM Research Labs, LLC
DC> Tel. 850-932-5338 x303
DC> -----Original Message-----
DC> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fox, Thomas
DC> Sent: Tuesday, December 27, 2005 1:03 PM
DC> To: sniffer@SortMonster.com
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC> I said the same thing, and the response was, basically, "We haven't raised the price in a long time, we need the money, like it or lump it."

-----Original Message-----
From: [EMAIL
Re[2]: [sniffer] Last chance to renew at the old price!
On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Murdoch

If you don't feel that's the case, then you are free to decide if you think otherwise. Thanks and take care!

FT> EASY FOX TRANSLATION:
FT> Like it, or lump it.

Translated another way...

We could keep things as they are, stand still while spam generation technology advances rapidly, wither away, and die.

OR

We could charge a bit more, accelerate development and make sure that SNF stays out in front and even expands the gap.

I, for one, am not willing to make the first choice, and I doubt that it would be in anyone's best interests - except, perhaps, the blackhats.

_M
RE: Re[2]: [sniffer] Last chance to renew at the old price!
The thought does occur to me of how other companies have dealt with similar issues. That issue being how to address a market requiring internal expansion (i.e. expanded reinvestment) while not alienating an existing satisfied customer base.

Many companies simply split their product line into 'basic' and 'premium' services. If the need is as great as Michael says, and the new revisions will result in vastly improved service, then most of their existing customers should want to move forward. However, giving people the option to 'stand still' is viable, good marketing, and good strategy.

At this point, you have a certain catch-22. Everyone that pays now (for next year) is still paying you at the same rate (meaning no expanded funds), but is now wondering if they're doing the right thing. Almost seems like the only way to make the current strategy pay off would have been to demand the increased fees from all clients and not give the grace period for renewing at the old rate. At least that way, you'd have gotten something in return for any perceived customer dissatisfaction.

Consider expanding to a two-tier service option. It really can work well, especially when in the future you might want to charge even more, but not alienate 'new' customers who need a lower buy-in.

Rick Robeson
getlocalnews.com
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fox, Thomas
Sent: Tuesday, December 27, 2005 2:40 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Your interpretation of "a bit" as being 50+% is disingenuous at best, and thievery at the worst.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 5:34 PM
To: Fox, Thomas
Subject: Re[2]: [sniffer] Last chance to renew at the old price!

On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Murdoch

If you don't feel that's the case, then you are free to decide if you think otherwise. Thanks and take care!

FT> EASY FOX TRANSLATION:
FT> Like it, or lump it.

Translated another way...

We could keep things as they are, stand still while spam generation technology advances rapidly, wither away, and die.

OR

We could charge a bit more, accelerate development and make sure that SNF stays out in front and even expands the gap.

I, for one, am not willing to make the first choice, and I doubt that it would be in anyone's best interests - except, perhaps, the blackhats.

_M

--- [This E-mail scanned for viruses by Declude Virus] ---
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Agree wholeheartedly!

Bill

From: Dean Lawrence [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 27, 2005 2:18 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

You know, I just don't get where all of the doom and gloom comes from. Yes, it is a large percentage increase, but it's still only 2 bucks a day to run the best piece of software on my server. I'm sure that they have taken these comments into consideration and will try to give more advance notice in the future. But, to start with the "Time to start looking for another solution" talk is ridiculous. Reading Michael's description of what is going on over there suggests that their business is exploding, not imploding. And to keep on top of it, they need to increase their cash flow, not to buy nicer cars. I think everyone needs to look at how much Sniffer saves you every day instead of griping about how much it costs you.

Just my 2 cents.

Dean

On 12/27/05, Pete McNeil [EMAIL PROTECTED] wrote:

Part of the purpose for additional staff is to reach a goal of FP processing measured in minutes to hours, never days as it is sometimes now. We also have some automated tools on the drawing board that will help to mitigate many FP cases on a self-serve basis. These will be coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote:

DC> Hi Michael,
DC> How about false positive processing? That's our biggest headache, but it would be drastically reduced by faster processing than the 3-5 days we currently see.
DC> Darin.
DC> ----- Original Message -----
DC> From: "Michael Murdoch" [EMAIL PROTECTED]
DC> To: sniffer@SortMonster.com
DC> Cc: "Pete McNeil" [EMAIL PROTECTED]
DC> Sent: Tuesday, December 27, 2005 2:13 PM
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC> Hi Folks,
DC> Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.
DC> The new features/benefits and more to come are as follows:
DC> * In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.
DC> * We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)
DC> * We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).
DC> * During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more...
DC> It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability.
DC> As a result of this "reliability-first" design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-)
DC> We'd hate to see any of you go, but please do compare us with other services. I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results.
DC> Please let me know if you have any questions. Thank you for your feedback and business!
DC> Sincerely,
DC> Michael Murdoch
DC> The Sniffer Team
DC> ARM Research Labs, LLC
DC> Tel. 850-932-5338 x303
DC> -----Original Message-----
DC> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fox, Thomas
DC> Sent: Tuesday, December 27, 2005 1:03 PM
DC> To: sniffer@SortMonster.com
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC> I said the same thing, and the response was, basically, "We haven't raised the price in a long time, we need the money, like it or lump it."

-----Original Message-----
From: [EMAIL PROT
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Thomas, if your company cannot afford the rather small monetary increase, and you are running that close to the edge, then maybe you should not be in business. I for one am glad to hear the SNF is adding resources and has mapped out a list of future feature enhancements. Please quit your griping or take it off list.

Bill

-Original Message-
From: Fox, Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 27, 2005 2:40 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Your interpretation of a bit as being 50+% is disingenuous at best, and thievery at the worst.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 5:34 PM
To: Fox, Thomas
Subject: Re[2]: [sniffer] Last chance to renew at the old price!

On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch

If you don't feel that's the case, then you are free to decide if you think otherwise. Thanks and take care!

FT EASY FOX TRANSLATION:
FT Like it, or lump it.

Translated another way...

We could keep things as they are, stand still while spam generation technology advances rapidly, wither away, and die.

OR

We could charge a bit more, accelerate development and make sure that SNF stays out in front and even expands the gap.

I, for one, am not willing to make the first choice, and I doubt that it would be in anyone's best interests - except, perhaps, the blackhats.

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

[This E-mail scanned for viruses by Declude Virus]
RE: Re[2]: [sniffer] Last chance to renew at the old price!
The only problem with that, and one which I do not know how large of a problem it is, is if you have always provided a single product, and suddenly divide it into 2 levels, you end up with twice the amount of critics: those that pay less but expect more, and those that pay more and then expect even more.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Robeson
Sent: Tuesday, December 27, 2005 2:54 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

The thought does occur to me of how other companies have dealt with similar issues. That issue being how to address a market requiring internal expansion (i.e. expanded reinvestment) while not alienating an existing satisfied customer base. Many companies simply split their product line into 'basic' and 'premium' services. If the need is as great as Michael says, and the new revisions will result in vastly improved service, then most of their existing customers should want to move forward. However, giving people the option to 'stand still' is viable, good marketing, and good strategy.

At this point, you have a certain catch 22. Everyone that pays now (for next year) is still paying you at the same rate (meaning no expanded funds), but is now wondering if they're doing the right thing. Almost seems like the only way to make the current strategy pay off would have been to demand the increased fees from all clients and not given the grace period for renewing at the old rate. At least that way, you'd have gotten something in return for any perceived customer dissatisfaction.

Consider expanding to a two-tier service option. It really can work well, especially when in the future you might want to charge even more, but not alienate 'new' customers who need a lower buy-in.

Rick Robeson
getlocalnews.com
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fox, Thomas
Sent: Tuesday, December 27, 2005 2:40 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Your interpretation of a bit as being 50+% is disingenuous at best, and thievery at the worst.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 5:34 PM
To: Fox, Thomas
Subject: Re[2]: [sniffer] Last chance to renew at the old price!

On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch

If you don't feel that's the case, then you are free to decide if you think otherwise. Thanks and take care!

FT EASY FOX TRANSLATION:
FT Like it, or lump it.

Translated another way...

We could keep things as they are, stand still while spam generation technology advances rapidly, wither away, and die.

OR

We could charge a bit more, accelerate development and make sure that SNF stays out in front and even expands the gap.

I, for one, am not willing to make the first choice, and I doubt that it would be in anyone's best interests - except, perhaps, the blackhats.

_M
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Pete, I am both a Sniffer reseller and user, and I was blindsided by this announcement.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 2:11 PM
To: Darin Cox
Subject: Re[2]: [sniffer] Last chance to renew at the old price!

I'm sorry that it wasn't more visible. We have been talking about this for several months and have made a few announcements. It has also been on the web site for several months. My announcement today was just to make sure that anyone who had not heard didn't get blind-sided. Sorry it didn't turn out that way. We will be working on some better out-reach problems to help avoid this in the future.

_M

On Tuesday, December 27, 2005, 4:02:15 PM, Darin wrote:

DC Wow... last minute notice. It's difficult to budget for these things with
DC so little notice. Please consider a couple months' notice the next time.
DC Darin.
DC - Original Message -
DC From: Pete McNeil [EMAIL PROTECTED]
DC To: sniffer@sortmonster.com
DC Sent: Tuesday, December 27, 2005 12:42 PM
DC Subject: [sniffer] Last chance to renew at the old price!
DC Hello Sniffer folks,
DC This is just a friendly reminder that prices will be going up
DC January 1.
DC You can add a year to your SNF subscription at the current price if
DC you renew before January 1.
DC Details are here:
DC https://www.armresearch.com/message-sniffer/forms/form-renewal.asp
DC Thanks,
DC _M
DC Pete McNeil (Madscientist)
DC President, MicroNeil Research Corporation
DC Chief SortMonster (www.sortmonster.com)
DC Chief Scientist (www.armresearch.com)
Re[2]: [sniffer] Last chance to renew at the old price!
On Tuesday, December 27, 2005, 1:31:04 PM, Steve wrote:

SJ How can I tell when my subscription expires?

You should have a note from your original purchase or your latest renewal. Also, you can ask ;-) I'll send you your current expiration directly.

I hope to put up a self-serve tool for checking license status early next year.

Thanks,

_M
Re[2]: [sniffer] Joe Jobs...
IMO, you're absolutely right. These days, automated responses are just as bad (for the same reasons) as challenge/response systems. They amplify spam and malware issues by generating outscatter. Nonetheless, they still happen.

_M

On Thursday, December 15, 2005, 1:10:31 PM, Kevin wrote:

KS That brings a question up... why do some/many/most postmasters feel that it
KS is so important to notify senders of a virus to a spoofed email address?
KS Also, I have yet to see a legitimate email that contained a virus... so why
KS not turn the notification off altogether?
KS Just curious...
KS Kevin
KS -Original Message-
KS From: [EMAIL PROTECTED]
KS [mailto:[EMAIL PROTECTED]
KS On Behalf Of Pete McNeil
KS Sent: Thursday, December 15, 2005 11:30 AM
KS To: sniffer@sortmonster.com
KS Subject: [sniffer] Joe Jobs...
KS Hello Sniffer Folks,
KS Please be aware that there are several spam and possibly virus
KS (other malware?) campaigns being transmitted with my madscientist
KS address and possibly other addresses from our company in the From:
KS headers and SMTP envelope.
KS Though this has happened in the past at low levels, I have noted
KS recently a very high level of bounces and warnings returning to me
KS (erroneously) from systems that claim they have received viruses and
KS spam from my address.
KS I suspect that this might have been triggered by recent press
KS activity, - especially a Washington Post article which included my
KS email address without modification.
KS If you receive any of these messages, please treat them as the
KS spam/malware that they are and ignore the source.
KS I have verified that we are not sending any such messages
KS (unintentionally) from any of our systems.
KS Thanks,
KS _M
KS Pete McNeil (Madscientist)
KS President, MicroNeil Research Corporation
KS Chief SortMonster (www.sortmonster.com)
KS Chief Scientist (www.armresearch.com)
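Two defensive checks that follow from this thread, written up as an added example (this is not Message Sniffer or Declude code, nor anything posted by the list members): an outbound policy that never sends a post-acceptance virus or spam notification to a From:/MAIL FROM address that malware will have forged, and an inbound check that recognises bounces and gateway notifications citing a message we never sent, so they can be filtered rather than landing on the spoofed user. The set of sent Message-IDs, the domain names and the three sample messages are all constructed assumptions; a real deployment would take the Message-IDs from the MTA's outbound log.

```python
"""Joe-job / backscatter handling: outbound policy plus inbound bounce check.
Added example, not Message Sniffer or Declude code.  The Message-ID store,
domains and sample messages below are constructed (assumptions)."""
import re
from email import message_from_string
from email.message import Message

# Assumption: Message-IDs our own MTA actually emitted (would come from its log).
SENT_MESSAGE_IDS = {"<20051215113000.ABCD@ourdomain.example>"}

# Matches the original message's Message-ID quoted inside a notification body
# or a text/rfc822-headers part of a DSN.
ORIG_MSGID_RE = re.compile(r"Message-ID:\s*(<[^>]+>)", re.IGNORECASE)


def outbound_action(verdict: str, stage: str) -> str:
    """Policy for mail we will not deliver.
    verdict: 'clean' | 'spam' | 'virus'; stage: 'smtp' (still in the SMTP
    session) or 'post' (already accepted).  Returns the action to take."""
    if verdict == "clean":
        return "deliver"
    if stage == "smtp":
        # The connecting MTA sees the error in-band; no new message is generated.
        return "reject-5xx"
    # Already accepted: a notification would go to the forged sender (outscatter).
    return "discard-quietly" if verdict == "virus" else "quarantine"


def _is_automated(msg: Message) -> bool:
    """Heuristics for DSNs and antivirus-gateway notifications."""
    if msg.get_content_type() == "multipart/report":
        return True
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    subject = msg.get("Subject", "").lower()
    return subject.startswith(("undeliverable", "delivery status", "mail delivery", "virus"))


def _cited_message_ids(msg: Message) -> set:
    """Message-IDs of the original message quoted inside a notification."""
    cited = set()
    for part in msg.walk():
        if part is not msg and part.get("Message-ID"):   # attached message/rfc822
            cited.add(part["Message-ID"].strip())
        if part.get_content_maintype() == "text":        # text/plain, text/rfc822-headers
            body = part.get_payload(decode=True) or b""
            cited.update(ORIG_MSGID_RE.findall(body.decode("latin-1")))
    return cited


def classify_inbound(raw: str) -> str:
    """'normal' for ordinary mail; for automated notifications, 'legit-bounce'
    if the cited message is ours, 'backscatter' if it is not, 'unknown' if no
    original Message-ID is cited."""
    msg = message_from_string(raw)
    if not _is_automated(msg):
        return "normal"
    cited = _cited_message_ids(msg)
    if not cited:
        return "unknown"
    return "legit-bounce" if cited & SENT_MESSAGE_IDS else "backscatter"


# Constructed samples, not real list traffic.
SAMPLE_BACKSCATTER = """\
Return-Path: <>
From: virus-gateway@remote.example
To: victim@ourdomain.example
Subject: Virus found in message you sent
Auto-Submitted: auto-replied
Content-Type: text/plain

Our scanner found malware in the message below and has deleted it.
--- original headers ---
From: victim@ourdomain.example
Message-ID: <forged-0001@botnet.example>
"""

SAMPLE_LEGIT_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@remote.example
To: victim@ourdomain.example
Subject: Undeliverable: hello
Content-Type: text/plain

The following message could not be delivered:
Message-ID: <20051215113000.ABCD@ourdomain.example>
"""

SAMPLE_NORMAL = """\
From: friend@remote.example
To: victim@ourdomain.example
Subject: lunch?

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("backscatter", SAMPLE_BACKSCATTER),
                      ("legit", SAMPLE_LEGIT_BOUNCE), ("normal", SAMPLE_NORMAL)):
        print(name, "->", classify_inbound(raw))
    print("virus after acceptance ->", outbound_action("virus", "post"))
```

The inbound classifier is deliberately conservative: a notification that cites no original Message-ID is reported as 'unknown' rather than discarded, since some bounces only quote the original's body. The outbound policy is the half that actually prevents the amplification Kevin asks about: rejecting in the SMTP session hands the error to the connecting MTA without creating a new message, while anything detected after acceptance is quarantined or dropped rather than bounced.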
Re[2]: [sniffer] POP3 Account Question
On Monday, December 5, 2005, 3:33:33 PM, Andrew wrote:

I had the same question, but more specifically: Is it helpful for sniffer trap (spam and user trap) submissions to skip, or to include, messages on which sniffer already hits?

It's best for those messages to be removed. The trap-bot will remove anything that matches SNF on its way in.

I imagine that all trap hits are useful, and that duplicate submissions reinforce the rule strength for a given hit when we submit spam that is already detected...

It is true that if the Trap-Bot filters a message the rules get extra hits, however the best way to get at that data is from your reported logs. This way the Trap-Bots spend all of their time on new things.

Thanks,

_M