Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Pete McNeil
I do most humbly apologize,

It was my intention to do it immediately, however I became embroiled
in related support issues and was delayed.

I don't expect more of these, but I will make announcing their
discovery the next event after removing them from the system.

Thanks,

_M

On Tuesday, February 7, 2006, 4:19:24 PM, Computer wrote:

CHS Dear Pete,

CHS In the future, please let us know immediately when you become aware of this.
CHS As it is, I will spend the next 3 hours picking out the false positives from
CHS the mailbox and forwarding them to the clients.  If I could have put the
CHS rulepanic in place an hour ago it would have saved me a lot of work and
CHS confused customers.


CHS Thank you,

CHS Michael Stein
CHS Computer House


CHS - Original Message - 
CHS From: Pete McNeil [EMAIL PROTECTED]
CHS To: sniffer@sortmonster.com
CHS Sent: Tuesday, February 07, 2006 4:07 PM
CHS Subject: [sniffer] Bad Rule - 828931


CHS Hello Sniffer folks,

CHS   I'm sorry to report that another bad rule got past us today. The
CHS   rule has been removed (was in from about 1200-1500), but it may be
CHS   in some of your rulebases.

CHS   To avoid a problem with this rule you can enter a rule-panic entry
CHS   in your .cfg file for rule id: 828931

CHS   If it is not already, the rule will be gone from your rulebase after
CHS   your next update.

CHS Thanks,
CHS _M

CHS Pete McNeil (Madscientist)
CHS President, MicroNeil Research Corporation
CHS Chief SortMonster (www.sortmonster.com)
CHS Chief Scientist (www.armresearch.com)


CHS This E-Mail came from the Message Sniffer mailing list. For information and
CHS (un)subscription instructions go to 
CHS http://www.sortmonster.com/MessageSniffer/Help/Help.html





Re: Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Computer House Support
Dear Pete,

Please excuse my previous E-mail if it seemed a bit harsh.  I guess I am so 
used to your great service, that on the rare occasion when this happens, I 
panic.

Thanks for being there to walk me through the procedure.


Sincerely,

Michael Stein
Computer House



- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Computer House Support sniffer@SortMonster.com
Sent: Tuesday, February 07, 2006 4:24 PM
Subject: Re[2]: [sniffer] Bad Rule - 828931




Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread David Sullivan
Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M rule number, and I don't have the tools set up or the knowledge of grep
M yet to do a piped query of Sniffer's logs to extract the spool file names.

http://www.baremetalsoft.com/ is a great grep'er for windows. In BSD I
always used .* to represent any number of characters, white space or
non, but that didn't seem to work with baregrep. That's why I was
trying to confirm with anyone on the list my regex of Final\t828931
was an accurate regex to find every message that 'finaled' on that
rule. I'm praying that I screwed up the expression and I don't have
22,055 messages held by that rule.

M BTW, David, it is generally better not to hold or block on one single
M test, especially one that automates such listings (despite whatever
M safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be
able to hold on sniffer alone. We have some safeguards in place now
and are transitioning our rule methodologies but hadn't gotten to this
one yet as this always seems to hit back-burner.

This is also why I'd really like to see the content of the rule to see
how it made it past our safeguards.

-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]





RE: Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Landry, William (MED US)

Don't know about the proper syntax for baregrep, but for the standard UNIX
grep for Win32, the following would give you an accurate count:

grep -c Final.*828931 c:\imail\declude\sniffer\logfile.log

Bill 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 4:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931



RE: Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread John Carter
Final\t828931 and Final.*828931 both found 850 entries in my current log
using Baregrep. 

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 6:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931

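The two regexes compared in this thread, David's `Final\t828931` and Bill's `Final.*828931`, only agree as long as nothing else in the log line looks like the rule id. The following is an added example, not code from the list or from Message Sniffer: it runs both patterns over a few constructed log lines in a hypothetical tab-separated layout (timestamp, spool file, result, rule id) that stands in for the real Sniffer log format, which the thread does not show. It counts matches the way `grep -c` would, adds a tighter pattern that requires the id to fill its whole field, and pulls out the spool file names for the rule, which is the piped query Matt was after.

```python
import re

# Constructed sample log in a hypothetical tab-separated layout:
#   timestamp <TAB> spool file <TAB> result <TAB> rule id [<TAB> extra]
# This is NOT Message Sniffer's real log format; it only gives the regexes
# from the thread something to run against offline.
SAMPLE_LOG = (
    "20060207120301\tD1234.SMD\tFinal\t828931\n"
    "20060207120305\tD1235.SMD\tFinal\t828931\n"
    "20060207120310\tD1236.SMD\tFinal\t8289310\n"              # neighbouring rule id
    "20060207120312\tD1237.SMD\tFinal\t500000\n"
    "20060207120315\tD1238.SMD\tMatch\t828931\n"               # hit, but not the final result
    "20060207120320\tD1239.SMD\tFinal\t828931\n"
    "20060207120325\tD1240.SMD\tFinal\t600000\tref:828931\n"   # id in a later column
)

TAB_PATTERN = re.compile(r"Final\t828931")        # David's regex
WILDCARD_PATTERN = re.compile(r"Final.*828931")   # Bill's regex
# Tighter form: the id must fill the whole field, so 8289310 and an id
# appearing in a later column are not counted.
STRICT_PATTERN = re.compile(r"\tFinal\t828931(?:\t|$)")


def count_matches(log_text, pattern):
    """Number of log lines the pattern matches, like 'grep -c'."""
    return sum(1 for line in log_text.splitlines() if pattern.search(line))


def spool_files_for_rule(log_text, rule_id):
    """Spool file names of every message that 'finaled' on rule_id."""
    strict = re.compile(r"\tFinal\t" + re.escape(rule_id) + r"(?:\t|$)")
    names = []
    for line in log_text.splitlines():
        if strict.search(line):
            # Second column is the spool file in this constructed layout.
            names.append(line.split("\t")[1])
    return names


if __name__ == "__main__":
    for label, pattern in [("tab", TAB_PATTERN), ("wildcard", WILDCARD_PATTERN),
                           ("strict", STRICT_PATTERN)]:
        print(f"{label:9s} {count_matches(SAMPLE_LOG, pattern)} lines")
    print("spool files:", spool_files_for_rule(SAMPLE_LOG, "828931"))
```

On these seven lines the tab pattern counts 4, the wildcard pattern 5 and the strict pattern 3; the difference is exactly the neighbouring id and the id sitting in another column, which is the kind of thing to rule out before releasing 22,055 held messages on the strength of a count.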


Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread David Sullivan
Hello Pete,

Tuesday, February 7, 2006, 7:43:52 PM, you wrote:

PM The rule would match the intended spam (and there was a lot of it, so
PM 22,055 most likely includes mostly spam).

On spot check I'm seeing about 30-40% of the messages are valid.

PM Unfortunately it would also match messages containing the listed
PM capital letters in that order throughout the message. Essentially, if
PM the text is long enough then it will probably match. A greater chance
PM of FP match if the text of the message is in all caps. Also if there
PM is a badly coded base64 segment and file attachment (badly coded
PM base64 might not be decoded... raw base64 will contain many of these
PM letters in mixed case and therefore increase the probability of
PM matching them all).

Not sure, can anyone think of a way to cross check this? What if I put
all the released messages back through sniffer?

-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]



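Pete's explanation above, a rule that matches a set of capital letters in that order anywhere in the message, describes an ordered-subsequence pattern, and the chance of such a pattern matching by accident grows with message length. The following added example, not code from the list or from Message Sniffer, uses a hypothetical letter sequence `ABCDEFGHIJ` in place of the real rule's letters (which the thread does not give) and shows the effect on constructed messages: short or mixed-case text does not match, long all-caps text and raw undecoded base64 do, and the match rate on random all-caps text climbs from near zero at 50 characters to near certainty at 500.

```python
import base64
import random
import re
import string

# Hypothetical stand-in for the letters of rule 828931; the real letters are
# not given on the list, so this is an assumption for illustration only.
RULE_LETTERS = "ABCDEFGHIJ"


def ordered_caps_regex(letters):
    """Build the kind of pattern Pete describes: each letter, in order,
    with anything at all allowed between them (A.*B.*C ...)."""
    return re.compile(".*".join(re.escape(ch) for ch in letters), re.DOTALL)


def contains_in_order(text, letters):
    """Linear-time subsequence check equivalent to the regex above."""
    pos = 0
    for ch in letters:
        pos = text.find(ch, pos)
        if pos < 0:
            return False
        pos += 1
    return True


def match_rate(letters, length, trials=200, seed=1):
    """Fraction of random all-caps strings of the given length that the
    rule would match; shows how the FP chance rises with message length."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        text = "".join(rng.choice(string.ascii_uppercase) for _ in range(length))
        if contains_in_order(text, letters):
            hits += 1
    return hits / trials


# Constructed sample "messages".
PANGRAM = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG "
SHORT_MESSAGE = "Hello Pete, please find the invoice attached."
LONG_LOWERCASE = PANGRAM.lower() * 8
LONG_ALLCAPS = PANGRAM * 8
# Raw base64 (here an undecoded 256-byte blob) is full of mixed-case letters.
RAW_BASE64 = base64.b64encode(bytes(range(256))).decode("ascii")


def classify_samples(letters=RULE_LETTERS):
    """Return {sample name: matched?} for the constructed messages, using the
    regex and checking that it agrees with the linear scan."""
    rule = ordered_caps_regex(letters)
    results = {}
    samples = [("short", SHORT_MESSAGE), ("long_lowercase", LONG_LOWERCASE),
               ("long_allcaps", LONG_ALLCAPS), ("raw_base64", RAW_BASE64)]
    for name, text in samples:
        by_regex = rule.search(text) is not None
        assert by_regex == contains_in_order(text, letters)
        results[name] = by_regex
    return results


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:15s} matched={hit}")
    for n in (50, 200, 500):
        print(f"random all-caps, length {n}: match rate {match_rate(RULE_LETTERS, n):.2f}")
```

A cross-check of the kind David asks about is to rerun the held messages against the rule in isolation, as `classify_samples` does here: anything the rule matches only because the text is long, all caps, or carries an undecoded base64 segment is a candidate for release rather than spam evidence.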