I found myself wondering why the message suddenly got through so I did some digging. Turns out the message that got through was sent via 65.32.5.133 which was another Experimental IP rule that had just been pulled. I'm guessing the rule was in place when your previous notes were sent.

The false@ address handles filtering differently than our normal addresses (for obvious reasons).

An explanation about our Experimental IP rule program:

A few months ago when DNSBLs started to be heavily attacked and defeated by spammers, we implemented a policy of capturing source IPs to verified spam that reaches our spamtraps. This is in addition to our standard practices of capturing domains, links, structural features, obfuscation mechanisms, etc...

Recently we have had a higher than normal rate of false positives on experimental IP rules - probably due to the increase in worm activity.

Our policy on Experimental IP rules is very conservative and has just been made more so:

1. We only add single IP sources as part of this program, not blocks. (Blocks may be added through other research.)

2. We only add source IPs when we have no doubt about the message we are reviewing and the source is through one of our spamtraps - user submissions are not used for sourcing IP rules.

3. IP source rules are permanently removed on the first legitimate false positive report. Once an IP rule is removed, it cannot be added back to the core rulebase. It can be added to specific rulebases by request only.

The intent of the Experimental IP rule program is twofold:

1. Incrementally build and maintain an IP map of sources where there is unanimous agreement that the source is not legitimate (as defined by our user base). That means, if anybody finds an FP on an IP it is no longer eligible for this program.

2. Call attention to compromised equipment quickly wherever it is appropriate and assist in correcting the problem if possible. For example, we recently worked with a local military base to identify and correct a source on their network that was being used to relay porn (and other) spam.

As is always the case, our registered users can block this rule group or any specific rules if they wish. If after seeing this explanation you wish to block this rule group from your rulebase please send a note to support@ (off list). I don't advise this since this program is very effective, but I don't wish to discourage it either. In the end the rulebase must be compatible with your specific policies.

Hope this helps,
Thanks!
_M
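
The rule lifecycle described in the message above, sketched as an added example. This is not Message Sniffer's code: the class and method names, the source labels, the opt-out behaviour and the sample addresses (documentation range 192.0.2.0/24) are assumptions made for illustration.

```python
import ipaddress


class ExperimentalIPRules:
    """Toy model of the Experimental IP rule policy (hypothetical names)."""

    def __init__(self):
        self.core = set()        # IPs active in the core rulebase
        self.retired = set()     # IPs removed after a false positive report
        self.by_request = {}     # rulebase id -> IPs added on request
        self.opted_out = set()   # rulebases that block the whole rule group

    @staticmethod
    def _single_ip(value):
        # Point 1: single addresses only. A block such as "192.0.2.0/24"
        # is not a valid single address and raises ValueError here.
        return ipaddress.ip_address(value)

    def add(self, ip, source):
        ip = self._single_ip(ip)
        # Point 2: only verified spam from a spamtrap may source a rule.
        if source != "spamtrap":
            return False
        # Point 3: once removed for a false positive, never back in core.
        if ip in self.retired:
            return False
        self.core.add(ip)
        return True

    def report_false_positive(self, ip):
        ip = self._single_ip(ip)
        if ip not in self.core:
            return False
        self.core.discard(ip)
        self.retired.add(ip)     # tombstone keeps the IP ineligible
        return True

    def add_by_request(self, rulebase, ip):
        # A retired IP may still be added to one specific rulebase.
        self.by_request.setdefault(rulebase, set()).add(self._single_ip(ip))

    def opt_out(self, rulebase):
        self.opted_out.add(rulebase)

    def matches(self, rulebase, ip):
        ip = self._single_ip(ip)
        if ip in self.by_request.get(rulebase, ()):
            return True
        # Assumption: opting out drops only the shared core group.
        return rulebase not in self.opted_out and ip in self.core
```
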

At 06:00 PM 2/10/2004, you wrote:
List Folks!

The Sniffer guys are awesome and responded immediately with a phone call
when my previous post today finally went thru! I have been sending
support e-mails with header info, snippets from my logs, etc. to
support@ and the list - but they were not getting thru. Unfortunately, I
was not sending to the correct address even though I read it many times
to do so. The reason I did not, is as I was concerned that my rule base
would have been updated allowing e-mail from those domains we host to be
wide open. I learned that this would not have been the case and I would
have been contacted prior to any such changes.

The cause was due to our e-mails failing Code 84701 Symbol 62 which was
catching a rule base filtering on IP 65.32.5.132 which is Road Runner in
Tampa Bay. This was causing our own e-mail domains we host to fail. Once
identified on phone it was immediately corrected and all back to normal.

Unfortunately, I did not submit my e-mails to [EMAIL PROTECTED] as
instructed...
(see
http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html)
...which would have avoided all my frustrations. Also, I found out that
they do have a phone number on the Micro Neil site. Pete informed me
that they are going to look into another contact or reporting e-mail
address / procedure when someone gets to the point of panic mode, which
I was nearing.

I want to reiterate that Micro Neil, once they got my message, responded
immediately and professionally and I was really at fault by not
submitting my info to the false@ address. Thanks.

-Don

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Madscientist
Sent: Tuesday, February 10, 2004 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Rule Strength Analysis Window Change.

We didn't get your notes.
I'll call you right away.
_M

At 05:11 PM 2/10/2004, you wrote:
>I have sent email several times to this list and support and even Pete's
>email addy which I picked up from a post and both from my personal email
>and our special registered email address [EMAIL PROTECTED] I am again
>trying today. I know of no other way to contact someone there and if I
>could secure a phone number would call. It seems none of our emails are
>getting through. We are having a major problem whereas any e-mail sent
>from any domain hosted to another domain hosted are getting caught by
>Sniffer. Can someone there PLEASE contact me. This is really
>frustrating. Thanks.
>
>-Don
>
>Don Schreiner
>CompBiz, Inc.
>407-322-8654
>
>
>
>This E-Mail came from the [EMAIL PROTECTED] mailing list. For
>information and (un)subscription instructions go to
>http://www.sortmonster.com/MessageSniffer/Help/Help.html
