[sniffer] Bad Rule Alert 2654821

2017-06-01 Thread Pete McNeil

Hello Message Sniffer folks,

This morning a dormant rule from 2009 was reactivated when new messages 
reached our spamtraps this morning matching the rule.


Unfortunately rule 2654821 causes a high rate of false positives in our 
current year that it apparently did not cause back in 2009.


Since the rule was not recently coded and had been in the system for so 
many years, our monitoring systems did not immediately detect the rule as 
a false positive case.


However, the team did discover the problem after a few hours and removed 
the rule.


This is the only time an old, reactivated rule has caused significant 
false positive cases -- so it is an exceedingly rare event. Nonetheless, 
we are in the process of reviewing our tools and processes to 
improve our sensitivity should any similar event occur in the future.


Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller


#
This message is sent to you because you are subscribed to
 the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



[sniffer] Reminder - the Rule Panic feature

2017-06-01 Thread Pete McNeil

Hello Sniffer Folks,

In light of today's bad rule event I've discovered that many of you are 
not aware of the rule-panic feature.


The rule panic feature has been built into the Message Sniffer engine 
for many years now, and I suppose is used so rarely that folks have 
forgotten about it.


The feature allows you to render any single rule inert immediately 
without disrupting anything else in the system. So, it could have been 
used to mitigate this event without taking more drastic measures.


Here is a link to the QA article about the rule panic feature:

http://www.armresearch.com/Documentation/QA/ltrulepanicsgt-628138610.jsp

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller

