RE: [sniffer] Rule Strength Analysis Window Change.

2004-02-10 Thread Madscientist
I found myself wondering why the message suddenly got through so I did some 
digging. Turns out the message that got through was sent via 65.32.5.133 
which was another Experimental IP rule that had just been pulled. I'm 
guessing the rule was in place when your previous notes were sent.

The false@ address handles filtering differently than our normal addresses 
(for obvious reasons).

An explanation about our Experimental IP rule program:

A few months ago when DNSBLs started to be heavily attacked and defeated by 
spammers, we implemented a policy of capturing source IPs to verified spam 
that reaches our spamtraps. This is in addition to our standard practices 
of capturing domains, links, structural features, obfuscation mechanisms, 
etc...

Recently we have had a higher than normal rate of false positives on 
experimental IP rules - probably due to the increase in worm activity.

Our policy on Experimental IP rules is very conservative and has just been 
made more so:

1. We only add single IP sources as part of this program, not blocks. 
(blocks may be added through other research).

2. We only add source IPs when we have no doubt about the message we are 
reviewing and the source is through one of our spamtraps - user submissions 
are not used for sourcing IP rules.

3. IP source rules are permanently removed on the first legitimate false 
positive report. Once an IP rule is removed, it cannot be added back to the 
core rulebase. It can be added to specific rulebases by request only.

The intent of the Experimental IP rule program is two fold:

1. Incrementally build and maintain an IP map of sources where there is 
unanimous agreement that the source is not legitimate (as defined by our 
user base). That means, if anybody finds an FP on an IP it is no longer 
eligible for this program.

2. Call attention to compromised equipment quickly wherever it is 
appropriate and assist in correcting the problem if possible. For example, 
we recently worked with a local military base to identify and correct a 
source on their network that was being used to relay porn (and other) spam.

As is always the case, our registered users can block this rule group or 
any specific rules if they wish. If after seeing this explanation you wish 
to block this rule group from your rulebase please send a note to support@ 
(off list). I don't advise this since this program is very effective, but I 
don't wish to discourage it either. In the end the rulebase must be 
compatible with your specific policies.

Hope this helps,
Thanks!
_M
At 06:00 PM 2/10/2004, you wrote:
List Folks!

The Sniffer guys are awesome and responded immediately with a phone call
when my previous post today finally went thru! I have been sending
support e-mails with header info, snippets from my logs, etc. to
support@ and the list - but they were not getting thru. Unfortunately, I
was not sending to the correct address even though I read it many times
to do so. The reason I did not, is as I was concerned that my rule base
would have been updated allowing e-mail from those domains we host to be
wide open. I learned that this would not have been the case and I would
have been contacted prior to any such changes.
The cause was due to our e-mails failing Code 84701 Symbol 62 which was
catching a rule base filtering on IP 65.32.5.132 which is Road Runner in
Tampa Bay. This was causing our own e-mail domains we host to fail. Once
identified on phone it was immediately corrected and all back to normal.
Unfortunately, I did not submit my e-mails to [EMAIL PROTECTED] as
instructed...
(see
http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html)
...which would have avoided all my frustrations. Also, I found out that
they do have a phone number on the Micro Neil site. Pete informed me
that they are going to look into another contact or reporting e-mail
address / procedure when someone gets to the point of panic mode, which
I was nearing.
I want to reiterate that Micro Neil, once they got my message responded
immediately and professionally and I was really at fault by not
submitting my info to the false@ address. Thanks.
-Don

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Madscientist
Sent: Tuesday, February 10, 2004 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Rule Strength Analysis Window Change.
We didn't get your notes.
I'll call you right away.
_M
At 05:11 PM 2/10/2004, you wrote:
I have sent email several times to this list and support and even Pete's
email addy which I picked up from a post and both from my personal email
and our special registered email address [EMAIL PROTECTED] I am again
trying today. I know of no other way to contact someone there and if I
could secure a phone number would call. It seems none of our emails are
getting through. We are having a major problem whereas any e-mail sent
from any domain hosted to another domain hosted are getting caught by
Sniffer. Can someone 

[sniffer] Sniffer, mxguard

2004-02-11 Thread Stephen S Zappardo
I've installed trial versions of both mxguard and sniffer.  What happens to
a message when it is scored as spam?

I still see all of my spam coming through.

Thanks,
Stephen


This E-Mail came from the [EMAIL PROTECTED] mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Autoupdating rule file

2004-02-12 Thread Patrick Rateliff
I am working out the details on a Python script that will be triggered by a
program alias to update. The script is based on the Python programming
(www.python.org) language and hope to be completed with it today.

There are a few files located at
http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html
that may help you.

I have been asked why Python? and I say cuz I don't like batch files and I
like Python :-)

Anyway when I get this bad boy done (hopefully today) I will send it over to
you if you want it.

-Patrick.
--
Patrick Rateliff
Network Administrator
Lakeville Area Public Schools
952.469.7947
[EMAIL PROTECTED]


  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Timothy C. Bohen
Sent: Thursday, February 12, 2004 7:58 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Autoupdating rule file

I bought Pyrobatch FTP, nice little program, figured I could use it for
other things.

But I'm having some problems getting the script going to update my file.

Anyone willing to send me a script that I can use?

Thanks!!

Timothy C. Bohen
CMSInter.Net LLC / Crystal MicroSystems LLC
===
web  : www.cmsinter.net
email: [EMAIL PROTECTED]
phone: 989.235.5100 x222
fax  : 989.235.5151


RE: [sniffer] Autoupdating rule file

2004-02-12 Thread Michiel Prins
I use WGET, which is available for free on the internet. This is my script:
 

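rem Work in the Sniffer directory
c:
cd \MDaemon\Sniffer

rem Download the new rulebase to a temporary .tst file
wget http://sniffer:[EMAIL PROTECTED]/Sniffer/Updates/12345678.snf -O 12345678.tst
if exist 12345678.tst goto Test
goto Done

:Test
rem Validate the download; errorlevel 1 or higher means it is not usable
snf2check.exe 12345678.tst abcdefghijklmnop
if errorlevel 1 goto Done

rem Keep the previous rulebase as .old, then put the new one in place
if exist 12345678.old del 12345678.old
ren 12345678.snf 12345678.old
ren 12345678.tst 12345678.snf

:Done
rem Remove a leftover .tst (failed download or failed check)
if exist 12345678.tst del 12345678.tst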


Replace '12345678' with your licenseID and 'abcdefghijklmnop' with your
rulebase password. This script also keeps a .old file which is your previous
rulebase in case you need to rollback. You can execute this script
automatically every few hours or have it triggered when the update notice is
mailed to you.


Regards,
Michiel





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Timothy C. Bohen
Sent: donderdag 12 februari 2004 14:58
To: [EMAIL PROTECTED]
Subject: [sniffer] Autoupdating rule file


I bought Pyrobatch FTP, nice little program, figured I could use it for
other things.
 
But I'm having some problems getting the script going to update my file.
 
Anyone willing to send me a script that I can use?
 
Thanks!!
 
 
 

Timothy C. Bohen
CMSInter.Net LLC / Crystal MicroSystems LLC
===
web  : www.cmsinter.net
email: [EMAIL PROTECTED]
phone: 989.235.5100 x222
fax  : 989.235.5151 


---
This message has been scanned for spam and viruses by Reject
http://www.reject.nl  




Re: [sniffer] Autoupdating rule file

2004-02-12 Thread Madscientist
At 10:49 AM 2/12/2004, you wrote:

On Feb 12, 2004, at 8:58 AM, Timothy C. Bohen wrote:

Anyone willing to send me a script that I can use?


Sure, here's mine written in Perl.  It knows enough to check the 
timestamps so it doesn't fetch files when unnecessary, keeps a backup copy, 
and does everything in a safe manner such as to not leave your system in 
an unusable state at any time.  It relies on the fact that the rename() 
function is atomic.  I don't make that guarantee on non-unix systems.

Slightly off topic -

Be careful with that assumption. rename() is NOT atomic on windows systems. 
Your script should work since it won't be competing with multiple instances 
of itself and is not coordinating with other threads, but it's good to keep 
in mind for other projects. Similarly, writes to files in append mode are 
also not atomic in windows. Watch out!

_M
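
An added example for this thread (not code posted by any list member, and not MicroNeil's): the same download, check, swap sequence as the batch script above, arranged so the live rulebase is never absent, which is where the rename() caution applies. The `snf2check` argument order and the `.tst`/`.snf`/`.old` names come from the thread; the function names and the stand-in validator in the demo are assumptions.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable


def snf2check_validator(exe: str, password: str) -> Callable[[Path], bool]:
    """Validator that calls snf2check as the batch script does:
    `snf2check.exe <file> <password>`, exit code 0 meaning the file is good."""
    def validate(candidate: Path) -> bool:
        return subprocess.run([exe, str(candidate), password]).returncode == 0
    return validate


def install_rulebase(candidate: Path, live: Path,
                     validate: Callable[[Path], bool]) -> str:
    """Swap a downloaded rulebase into place only after it validates.

    Returns 'missing' (nothing usable was downloaded), 'rejected'
    (validation failed, live file untouched) or 'installed'.
    """
    if not candidate.exists() or candidate.stat().st_size == 0:
        candidate.unlink(missing_ok=True)
        return "missing"
    if not validate(candidate):
        candidate.unlink()
        return "rejected"
    if live.exists():
        # Copy rather than rename: renaming .snf to .old first would leave a
        # window in which the scanner finds no rulebase at all.
        shutil.copy2(live, live.with_suffix(".old"))
    # One call that overwrites the destination. Atomic on POSIX; on Windows
    # treat it as a single overwrite without that guarantee.
    os.replace(candidate, live)
    return "installed"


def rollback(live: Path) -> bool:
    """Restore the .old copy over the live rulebase; the .old file is kept."""
    backup = live.with_suffix(".old")
    if not backup.exists():
        return False
    staged = live.with_suffix(".rollback")
    shutil.copy2(backup, staged)
    os.replace(staged, live)
    return True


if __name__ == "__main__":
    # Constructed demo: a stand-in check replaces snf2check, and the file
    # contents are made up.
    with tempfile.TemporaryDirectory() as d:
        live, cand = Path(d, "12345678.snf"), Path(d, "12345678.tst")
        live.write_bytes(b"SNF old rules")
        looks_ok = lambda p: p.read_bytes().startswith(b"SNF")
        cand.write_bytes(b"<html>404</html>")      # e.g. an error page
        print(install_rulebase(cand, live, looks_ok))
        cand.write_bytes(b"SNF new rules")
        print(install_rulebase(cand, live, looks_ok))
        print(rollback(live), live.read_bytes())
```

With the real checker, pass `snf2check_validator("snf2check.exe", "abcdefghijklmnop")` as `validate`, using your own rulebase password.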



[sniffer] Recent hotmail false positives and click atdmt

2004-02-12 Thread Madscientist
Hello folks,

Rule 11075 in the gray hosting group has been temporarily suspended.

This is one of our strongest rules which has been in place for more than 
500 days.

Microsoft recently began using this service to post an advertising link at 
the bottom of all of their messages. We have been trying to compensate for 
this by creating white rules, however the combinations are growing without 
bounds - particularly where forwarding is concerned - so we are abandoning 
this rule for the time being.

Due to the rule's strength ( 4.0) there will likely be an increase in spam 
for a short period while we develop additional black rules to compensate 
for specific spam associated with this service.

Faced with the choice of creating false positives for all hotmail, or 
dealing with increased spam as a result of dropping the rule our policy is 
always to avoid the false positives wherever practical.

I wanted to let everyone know about this since there may be a sudden 
noticeable change in filtering effectiveness, however short lived we can 
make it.

Thanks,
_M


[sniffer] Tanx / Bagle.b

2004-02-17 Thread Madscientist
Hello folks,

The new worm Tanx / Bagle.b seems to be spreading quickly.
We have added a rule to Sniffer for this and we are currently pushing it 
out to all rulebases.

Thanks,
_M
Pete McNeil (Madscientist)
President, MicroNeil Research Corporation.
Chief SortMonster, www.SortMonster.com.
Vox 703-406-2016, Fax 703-406-2017


Re: [sniffer] Referrals page.

2004-02-17 Thread David Gregg
Pete,

We interface with your product very well. Please consider adding our
*mxGuard for IMail* website to your list:

http://www.mxguard.com/postmaster

Regards,

David Gregg
dgSoft Internet Services
+1.949.584-1514

---
mxGuard for IMail
Server based spam and virus protection for under $100
Request a free trial at http://www.mxGuard.com/postmaster
---

- Original Message - 
From: Madscientist [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 9:11 AM
Subject: [sniffer] Referrals page.


 Our referrals page is up and running.

 http://www.sortmonster.com/MessageSniffer/Referrals.html

 Thanks,
 _M


 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation.
 Chief SortMonster, www.SortMonster.com.
 Vox 703-406-2016, Fax 703-406-2017



[sniffer] rule idea

2004-02-17 Thread Herb Guenther
At one time we had floated the idea of a rule that would mark any email 
that was more than 24-48 hrs ahead or behind the actual current time and 
date as spam.  I just got two You've been invited to a blind date 
messages that were dated last summer.  99.9% of these off date messages 
are spam, and anyone real who has their date that far off should fix it.

Would it be hard to add such a rule to sniffer?

Herb

--
Herb Guenther
Lanex, LLC
(262)789-0966x102 Office
(262)780-0424 Direct


Re: [sniffer] rule idea

2004-02-17 Thread Matt
Please don't, my Grandmother probably couldn't get through then :)

The more solid the basis for the rules, the higher the score I can give 
to the test.  Most spammers nowadays will have a time that is only off 
by a few hours when they hard code the headers for a zombie attack, 
however once you start getting out several days, or even months or 
years, the likelihood that this is not spam increases.  There's no good 
rule of thumb IMO.

Scott from Declude has been testing this idea out for several months now 
without releasing the functionality to the public, probably because it's 
unreliable I'm thinking.  If it was to be scored, I would much rather it 
be separate from other tests.

Matt



Herb Guenther wrote:

At one time we had floated the idea of a rule that would mark any 
email that was more than 24-48 hrs ahead or behind the actual current 
time and date as spam.  I just got two You've been invited to a blind 
date messages that were dated last summer.  99.9% of these off date 
messages are spam, and anyone real who has their date that far off 
should fix it.

Would it be hard to add such a rule to sniffer?

Herb

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
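
An added illustration of the date-offset test discussed in this thread (not Sniffer or Declude code): it measures the Date header against the timestamp on the newest Received header and reports the outcome as its own named result, so it can be weighted apart from other tests. The result names, the 48-hour default window, the choice of the Received stamp as the reference clock and the sample messages are all assumptions made for the example.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime


def _parse(value):
    """Parse an RFC 2822 date string; None when it cannot be parsed."""
    try:
        dt = parsedate_to_datetime(value.strip())
    except (TypeError, ValueError):
        return None
    # A "-0000" zone yields a naive datetime; treat it as UTC.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def date_skew(raw_message):
    """Date header minus the newest Received timestamp, or None if unknown.

    The topmost Received header is the one added by the receiving server,
    and its timestamp follows the last ';'. Using it instead of the wall
    clock keeps the result stable when a message is scanned late.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if msg["Date"] is None or not received or ";" not in received[0]:
        return None
    sent = _parse(msg["Date"])
    stamped = _parse(received[0].rsplit(";", 1)[1])
    if sent is None or stamped is None:
        return None
    return sent - stamped


def date_test(raw_message, window=timedelta(hours=48)):
    """Classify a message by how far its Date header is from arrival time."""
    skew = date_skew(raw_message)
    if skew is None:
        return "DATE-UNKNOWN"
    if skew > window:
        return "DATE-FUTURE"
    if skew < -window:
        return "DATE-PAST"
    return "DATE-OK"


def _sample(date_line):
    # Constructed message: documentation addresses, folded Received header.
    return (
        "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
        "\tby mx.example.org with ESMTP; Tue, 17 Feb 2004 14:05:10 -0500\n"
        + date_line +
        "Subject: You've been invited\n"
        "\n"
        "body\n"
    )


SAMPLE_OK = _sample("Date: Tue, 17 Feb 2004 11:02:00 -0800\n")      # other time zone
SAMPLE_OLD = _sample("Date: Mon, 14 Jul 2003 09:12:00 -0400\n")     # last summer
SAMPLE_FUTURE = _sample("Date: Fri, 20 Feb 2004 14:05:10 -0500\n")  # three days ahead
SAMPLE_NODATE = _sample("")                                         # no Date header

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_OLD", "SAMPLE_FUTURE", "SAMPLE_NODATE"):
        print(name, date_skew(globals()[name]), date_test(globals()[name]))
```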


Re: [sniffer] Referrals page.

2004-02-17 Thread Madscientist
Now I understand.
Certainly - we will add the referral link.
Thanks!
_M
At 02:56 PM 2/17/2004, you wrote:
In that case, I should rephrase my request:

In addition to our software product for IMail, we also offer email services
to individuals and businesses.
http://www.mxguard.com/individual
http://www.mxguard.com/organization
We currently describe how the service works at:
http://www.mxguard.com/individual/how_it_works.asp
There is a blurb about Sniffer at the bottom of the page (that I just
noticed needs an image and a link to you).
Maybe you can link to these pages?


 You guys are already linked through our Installation pages - you have a
 page to your selves in fact :-)

 http://www.sortmonster.com/MessageSniffer/Installation/IMail-mxGuard.html

 The referrals page is for links to service/product providers who use and
 reference Sniffer.

 Hope this helps,
 _M

 At 12:30 PM 2/17/2004, you wrote:
 Pete,
 
 We interface with your product very well. Please consider adding our
 *mxGuard for IMail* website to your list:
 
  http://www.mxguard.com/postmaster
 
 Regards,
 
 David Gregg
 dgSoft Internet Services
 +1.949.584-1514
 
 ---
 mxGuard for IMail
 Server based spam and virus protection for under $100
 Request a free trial at http://www.mxGuard.com/postmaster
 ---
 
 - Original Message -
 From: Madscientist [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, February 17, 2004 9:11 AM
 Subject: [sniffer] Referrals page.
 
 
   Our referrals page is up and running.
  
   http://www.sortmonster.com/MessageSniffer/Referrals.html
  
   Thanks,
   _M
  
  
   Pete McNeil (Madscientist)
   President, MicroNeil Research Corporation.
   Chief SortMonster, www.SortMonster.com.
   Vox 703-406-2016, Fax 703-406-2017
  

 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation.
 Chief SortMonster, www.SortMonster.com.
 Vox 703-406-2016, Fax 703-406-2017

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation.
Chief SortMonster, www.SortMonster.com.
Vox 703-406-2016, Fax 703-406-2017


[sniffer] SLOW False Positive Processing

2004-02-20 Thread Darrell LaRock








_M / Support,

This week I have noticed that the processing of our false positives is not
occurring as quickly as it previously was. This is the second time this week
where I haven't had a response to my false positive and had to send a note
about it. I sent in a false positive yesterday after 5pm and still haven't
heard back on it. Is something going on?

Darrell

RE: [sniffer] System status...

2004-02-20 Thread Brian R. Watters
Pete,

Sorry to hear .. Been there done that .. Never fun .. Hope it goes fast and
you get some sleep. 


Brian R. Watters
Senior Director
http://www.americanbroadbandservice.com
[EMAIL PROTECTED]
866-827-4638 ext. 0205
559-420-0205 direct
559-272-5266 fax
 
 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Madscientist
Sent: Friday, February 20, 2004 2:17 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] System status...

Hello folks,

We've had a suspected database failure this afternoon. Slaves and backups
are all live and happy so there is no cause for alarm. Also, we have
verified that the current rulebase files are in good shape. I will be
rebuilding our primary database server through the evening.

What this means to you is that we will be somewhat delayed on the next
rulebase update and our response time on false positives and support
questions may be slowed for this afternoon and evening due to short
staffing.

Our expectation is that the primary database server will be up and happy by
roughly midnight ET.

Thanks!
_M


Pete McNeil (Madscientist)
President, MicroNeil Research Corporation.
Chief SortMonster, www.SortMonster.com.
Vox 703-406-2016, Fax 703-406-2017




[sniffer] System Status Update...

2004-02-20 Thread Pete McNeil
Hello folks,

The primary database server went online with full data at 2100.
Full synchronization and testing was completed by 2300.
Spamtraps have been cleared.
False submissions have been cleared.
Another full compile is underway.
Thanks for your patience and your support!
_M


RE: [sniffer] F-Prot and netsky

2004-02-24 Thread Michiel Prins



Mike,

No ideas on f-prot, but just something we do:

We use a combination of 2 virusscanners, McAfee (updated automatically with
dailydat every day, automatic install of extra.dat emergency dats possible
from version 7 and up) and Kaspersky, which I update every hour. Using this
combo, we blocked all non-zip netsky viruses because of the restricted
attachments list we use, and about 50 netsky zipped viruses slipped through
because of the time between discovery and fix. This resulted in 3 actual
infected networks which we had to clean.

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOSSmallOffice Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mike VandeBerg
Sent: dinsdag 24 februari 2004 15:33
To: [EMAIL PROTECTED]
Subject: [sniffer] F-Prot and netsky

I was wondering if anyone else is using F-prot for their virus engine in
declude, and what they now think about it. Netsky was discovered on the
18th, and F-Prot actually had it posted on their website as being discovered
by them on the 19th. But they didn't update their definition files to
actually catch it until early this morning. This meant that netsky ran
rampant under F-Prots nose for 6 days. I feel this is completely
unacceptable, and I am going to change my virus engine this week unless
someone can tell me that there is a good reason why I shouldn't.

Any ideas or feedback from someone using F-Prot?
Thanks
Mike VandeBerg
Network Administrator
NTS Services Corp
309-353-5632 ext. 227 Mobile 309-241-8973
[EMAIL PROTECTED]
---
This message has been scanned for spam and viruses by Reject


RE: [sniffer] F-Prot and netsky

2004-02-24 Thread Mike VandeBerg
Thanks for the replies folks, I think I may just stay with F-Prot. But one
thing is still confusing me.. Why did some people get a def file on the 18th
that caught netsky, but mine didn't. On the 20th, I even went so far as to
re-install f-prot which initially installs a July 02 def file, and ran the
updater just to make sure that I was getting the latest updated file as it
was being distributed by F-Prot, and I still got the 18th def file, which
according to Terry here, was catching it, but mine wasn't... Any ideas with
that glitch?  

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Smart 
Business Support
Sent: Tuesday, February 24, 2004 9:28 AM
To: Mike VandeBerg
Subject: Re: [sniffer] F-Prot and netsky

Mike,

Tuesday, February 24, 2004 you wrote:
MV I was wondering if anyone else is using F-prot for their virus
MV engine in declude, and what they now think about it. Netsky was
MV discovered on the 18th, and F-Prot actually had it posted on their
MV website as being discovered by them on the 19th. But they didn't
MV update their definition files to actually catch it until early this
MV morning. This meant that netsky ran rampant under F-Prots nose for 6
MV days. I feel this is completely unacceptable, and I am going to
MV change my virus engine this week unless someone can tell me that
MV there is a good reason why I shouldn't.

  This is not our experience.  Here's an excerpt from our virus
  reporter for the 18th.  Scanner 1 is Fprot.  Scanner 2 is NAI
  (McAfee).  So on the 18th Fprot caught 39 it identified as Netsky.
  However, some of these were corrupted.  All in all I'm happy with
  F-prot but I see enough difference to run 2 and might add a 3rd:

 From: 02/18/2004 00:00:30 Thru 02/18/2004 23:59:36 Log files: 
 vir0218.log
 
 Scanner 1 Virus names
 VBS/Haptime.F  = 1
 W32/[EMAIL PROTECTED]  = 4
 W32/[EMAIL PROTECTED] (corrupted)  = 1
 W32/[EMAIL PROTECTED]  = 1
 W32/[EMAIL PROTECTED]  = 1
 W32/[EMAIL PROTECTED]  = 5
 W32/[EMAIL PROTECTED]  = 39
 
 Scanner 1 Days
 02/18/2004 = 52
 
 Scanner 2 Virus names
 VBS/[EMAIL PROTECTED] virus  = 1
 W32/[EMAIL PROTECTED] virus  = 4
 W32/Bugbear.b.dam virus  = 1
 W32/[EMAIL PROTECTED] virus  = 1
 W32/[EMAIL PROTECTED] virus  = 1
 W32/[EMAIL PROTECTED] virus  = 3
 W32/[EMAIL PROTECTED] virus  = 2
 W32/[EMAIL PROTECTED] virus  = 14
 W32/Sober!data trojan  = 3
 
 Scanner 2 Days
 02/18/2004 = 30

 




Terry Fritts




RE: [sniffer] F-Prot and netsky

2004-02-24 Thread Landry William
ClamAV works very well, and is lightning fast when run daemonized
(clamd). It's also hard to beat the price! I run it along with F-Prot and
McAfee's uvscan, and Clam seems to keep up with the commercial scanners as
far as virus updates.

Bill

-Original Message-
From: Fred [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] F-Prot and netsky

Does anyone run ClamAV? I've been hearing a lot of good reviews on it..

Frederic Tarasevicius
Internet Information Services, Inc.



[sniffer] Moving follow up...

2004-03-02 Thread Madscientist
Hello Sniffer Folks.

The critical portions of our move have been completed.
We had very few outages.
We are not expecting any more.
False and Spam processing schedules will stabilize over the next day or so.

Thanks for your support!
_M


Re: [sniffer] Bagle J others

2004-03-03 Thread Madscientist
At 01:33 PM 3/3/2004, you wrote:

On Mar 3, 2004, at 12:44 PM, Madscientist wrote:

We have adopted the current policy at least for the short term:

1 ) We block all potentially hazardous extensions including .zip.

Can these virus rules be bypassed?  We have real virus checking and 
don't want our spam checker doing any virus blocking.  Thanks.

Yes. Any rule can be blocked from any rulebase.

I made a mistake when I posted my original message. It is confusing.

The Malware rules we are coding into the system only block messages that 
match known virii/worm patterns, and of those, we are focusing only on 
those that have .zip file attached. We are not focusing on other .exe types.

Just to be clear, the malware rules we are putting in place are very much 
the same as malware rules we have coded in the past.

We are not creating any rules that block attachments.

I apologize again for the confusion.

_M





[sniffer] Rules Question

2004-03-03 Thread Keith Johnson
I am using Declude and have indiv. Sniffer Tests and lets say the
following gets tripped in an email

SNIFFER-WHTLIST result code 000
SNIFFER-PORN    result code 054

Which would take precedence over the other, as far as which would be the
final code passed to Declude?
 
Thanks,

Keith



Re: [sniffer] Rules Question

2004-03-03 Thread Madscientist
At 04:55 PM 3/3/2004, you wrote:
I am using Declude and have indiv. Sniffer Tests and lets say the
following gets tripped in an email

SNIFFER-WHTLIST result code 000
SNIFFER-PORN    result code 054

Which would take precedence over the other, as far as which would be the
final code passed to Declude?

There is some confusion about this.

A zero result from Message Sniffer as seen by Declude could mean that a 
white rule has fired, or it could mean that no rules matched at all.

In the first case - where an actual white rule has fired, the Message 
Sniffer log will show a White entry and the Final result will reflect 
that white rule. In this case, the white rule takes precedence. Declude 
will see a 0 result code.

In the second case - where no rules matched, the Message Sniffer log will 
show a Clean entry and Declude will see a zero result.

So, from Declude's perspective it will see a zero result in both the 
Clean and the White case. As a result, your SNIFFER-WHTLIST result code 
000 test will fire.

In a case where a white rule is present and a black rule is present the 
white rule will always win. So, if Sniffer saw both rules match a message 
it would return a zero result.

SNIFFER-WHTLIST is a misnomer. It's probably not a good idea to name the 
zero result test this way because most of the time a zero result doesn't 
mean White but instead means Clean.

If you wish to have the white rules in your rulebase separated out then we 
could code those to a 1 result and then you would be able to legitimately 
create a SNIFFER-WHTLIST test checking for a result of 1.

I will point out here that this has been tried once or twice and in both 
cases the user switched back almost immediately because the results were 
confusing.

In Sniffer we use white rules to force a non result more than we ever use 
them to indicate a true white result.

Hope this helps,
_M


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Rules Question

2004-03-03 Thread Keith Johnson
Thanks for the aid.  One last question, you mentioned:
 
In a case where a white rule is present and a black rule is present the
white rule will always win
 
So if the White Rule fired 000, it would override a Porn Rule of 54?  If so, how are 
these White Rules entered?  
 
Thanks,
 
Keith


RE: [sniffer] Rules Question

2004-03-03 Thread Madscientist
White rules are entered either upon request or in response to a false 
positive report with your permission. In some cases we will enter a white 
rule based on our own research or in response to a false positive report if 
we feel a core white rule would be more appropriate. We add core white 
rules without permission. We add local rules of any type only with 
permission or by request.

Hope this helps,
_M
At 06:43 PM 3/3/2004, you wrote:
Thanks for the aid.  One last question, you mentioned:

In a case where a white rule is present and a black rule is present the
white rule will always win
So if the White Rule fired 000, it would override a Porn Rule of 54?  If 
so, how are these White Rules entered?

Thanks,

Keith



[sniffer] updater script for Linux

2004-03-05 Thread Bill Boebel
Has anyone written a good Sniffer updater script for Linux which has the
error checking like the one for Windows has?

Bill




Re: [sniffer] updater script for Linux

2004-03-05 Thread Madscientist
I'm not sure - but I think there are user submitted perl based update 
scripts on the help page that probably do all of this:

http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

Hope this helps,
_M
At 11:05 PM 3/5/2004, you wrote:
Has anyone written a good Sniffer updater script for Linux which has the
error checking like the one for Windows has?
Bill



[sniffer] Config When Using Sniffer With Declude...

2004-03-09 Thread EI8HT LEGS Technical Support
Hello All,

I am running Sniffer with Declude and was wanting to get some ideas on how
everyone has Declude setup.  Currently I just have the basic setup as
follows.

SNIFFER external nonzero d:\imail\declude\sniffer2_2\winx\snifferprog.exe
sniffer auth 10 0

I hold anything with a weight of 10m therefore anything failing sniffer gets
held and reviewed.  I was thinking that sniffer had a way to check and see
why it failed, but I have not found much on that.  I guess I am just not
looking in the right place...  Anyone give me some hints?

Thanks!

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393




[sniffer] Call for beta testers... snfrv2r3b1

2004-03-17 Thread Pete McNeil
Hello folks,

I know folks are anxious to get their hands on this version so I'm going to 
play this beta round a little looser than usual. Version 2-3b1 implements a 
persistent mode feature for our cellular peer-server technology. Launching 
a persistent instance of Message Sniffer has the effect of creating a 
daemon so that all other instances will elect to be clients. We observed a 
DRAMATIC improvement in system performance on our NT4/Imail/Declude test bed.

In static tests on my Toshiba 6100 we saw no memory leaks and consistent 
performance over the past 18+ hours of testing. This included several tests 
with more than 100+ concurrent client instances - all without failure and 
without making the system unresponsive (though the WinXP file system did 
start to show signs of strain).

This beta is for the windows platform only... once we're happy with this 
version we will make the source and *nix versions available as always.

Windows platform users who are interested in testing the new beta should 
download the following file:

http://www.sortmonster.com/MessageSniffer/Betas/snfrv2r3b1.zip

The file contains an executable and a short readme file.

We are going to be extremely busy for the next few hours so we won't be 
able to provide support on this until later this evening. We have many 
updates and rulebase mods to attend to at the moment since we shifted 
resources heavily toward development last evening and through the night...

The current spam storm continues to rage with more than 500 core rule-base 
changes yesterday alone!

Be careful.
Backup your current production version.
Watch carefully.
Enjoy :-)

_M



RE: [sniffer] Call for beta testers... snfrv2r3b1

2004-03-17 Thread Madscientist
I am still working a problem at our hosting facility (a t1 is down) so it 
will be a while before I can get back to the list, however I wanted to 
clear this one up to minimize confusion.

A persistent server instance uses a dynamic poll timing algorithm to 
minimize system loads while maximizing response times. It is probably not 
appropriate to use a fixed time interval for polling since this can cause 
unnecessary system loading and since the dynamic approach we're using has 
proven in our labs to offer improved all-around performance.

When the server has processed a job for a client it polls again immediately 
without waiting.

If no job is found then it will wait a short time before polling again.

If there are no available clients on a poll then the wait time between 
polls will increase in a natural spiral based on a Fibonacci sequence. 
This wait time will continue to expand until either a new job is found or 
the limit is reached. The limit is currently set to 1/2 the maximum client 
base wait time - which amounts to 4 seconds.

It's worth noting that in order for a server instance to get to a given 
wait time (such as 4 seconds) there must have been no messages to process 
for that amount of time. It's also worth noting that some folks using 
spamassassin regularly report message processing times on the order of 5 to 
9+ full seconds for each message (I just read this on the sa list). Based 
on these two factors I've considered that waiting a maximum of 4 seconds to 
process a message after a 4 second lull in activity is probably not an 
issue - especially considering that once the message is processed it will 
likely take only an additional 30ms or so on average for a total of 4.030 
sec (ymmv). This also represents the worst case given the current tuning 
parameters...

Once a job is found then the wait time is reset to the minimum.

Once again, the first poll after a job has been processed has no wait 
time... so if there is a burst of message activity after a 4+ second lull, 
the first message waits a maximum of 4 seconds and the rest wait only a few 
tens of milliseconds.

The monitor messages you are seeing are only a debugging/tuning aid and 
they will be removed for the production version. The timing message is only 
emitted when the server instance has found no messages to process during 
the previous poll.

Hope this helps,
_M
PS: In a situation where peer-server instances become mixed it is possible 
for more than one server instance to become active for a period of time. 
The Fibonacci timing spiral helps to ensure a distributed scattering of 
lock requests when multiple instances are active - thus reducing collisions.

At 03:04 PM 3/17/2004, you wrote:
Pete,

After my previous message, I noticed that 'polling' really means that
Sniffer is waiting that many milliseconds before it processes another
e-mail.
If I'm seeing this correctly, I'd like to request another option available
when spawning the persistent exe: /polling:x (where x = a fixed amount of
milliseconds between polling)
Groet, (regards)
--
ing. Michiel Prins bsc   [EMAIL PROTECTED]
SOS Small Office Solutions / Reject / 
Wannepad 27   -   1066 HW   -Amsterdam
t.+31(0)20-4082627  -  f.+31-(0)20-4082628
--
Consultancy -  Installation -  Maintenance
Network Security   -  Internet  -   E-mail
Software Development -  Project Management
--

Re: [sniffer] SLM files

2004-03-17 Thread Madscientist
At 03:30 PM 3/17/2004, you wrote:

I have Imail 7.07 running on Win2000, with Declude Junkmail

I come up with errors scanning .SLM files.
Does sniffer use SLM files to process the messages?
Attached a snip from my log files

Sniffer scans whatever file is passed to it with the expectation that it is
an SMTP message. It doesn't make any special allowances for the type of 
file that is passed.

Hope this helps,
_M




RE: [sniffer] Call for beta testers... snfrv2r3b1

2004-03-18 Thread Michiel Prins
Paul, 

Did you have the persistent sniffer.exe running when this log was generated?

Groet, (regards)
--
ing. Michiel Prins bsc   [EMAIL PROTECTED]
SOS Small Office Solutions / Reject / 
Wannepad 27   -   1066 HW   -Amsterdam
t.+31(0)20-4082627  -  f.+31-(0)20-4082628
--
Consultancy -  Installation -  Maintenance
Network Security   -  Internet  -   E-mail
Software Development -  Project Management
--
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Peer-to-Peer, LLC
Sent: donderdag 18 maart 2004 15:15
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1

Groet,

RE: MDaemon:

I guess I'm confused on how to determine the Content Filter poll time.
Here's a (.txt) snippet of my CF log file which does not show a delay (or at
least to my level of skill abilities; which is minimal by-the-way).  I'll be
happy to test some things on our server if you have any specific
instructions for me.  We share the same objectives.

Regards,
Paul Roulier

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michiel Prins
Sent: Thursday, March 18, 2004 2:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1


Paul,

Aren't you having problems that the polling times just make the waiting
times in the CF longer? While normally my bottleneck was the loading of the
rulebase, now it's the polling time which is way longer.


Pete,

With Mdaemon, where there's only one message being processed at a time, and
there's no multithreading content filter yet, I would like to be able to set
polling time to a fixed 25 or 30 ms. Normally, loading the rulebase would
take 200, with polling I understand this could be reduced to 30 ms - if the
time can be set to a fixed ms.

Could you also consider the other options I asked?


Groet, (regards)
--
ing. Michiel Prins bsc   [EMAIL PROTECTED]
SOS Small Office Solutions / Reject / 
Wannepad 27   -   1066 HW   -Amsterdam
t.+31(0)20-4082627  -  f.+31-(0)20-4082628
--
Consultancy -  Installation -  Maintenance
Network Security   -  Internet  -   E-mail
Software Development -  Project Management
--


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Peer-to-Peer, LLC
Sent: donderdag 18 maart 2004 4:21
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1

_M,

FYI: Have been running the beta ver 2.3b1 on MDaemon 7.0.0 for several hours
now and all is stable.  Everything is performing as advertised...

paul roulier

Re: [sniffer] Call for beta testers... snfrv2r3b1

2004-03-18 Thread Pete McNeil
At 08:08 PM 3/17/2004, you wrote:
What is the number after Polled waited:

That is the number of milliseconds the persistent server waited to poll the
working directory for more jobs. This number will increase each time no 
jobs are found. When a job is found the persistent server will not wait 
before looking for the next job - so you will only see these messages when 
the persistent server finds no messages to process.

I also noticed that when many emails are coming in I still see multiple
Sniffer.exe programs running.

That is normal. Each message being processed will load an instance of
Sniffer. With the persistent server running all of the other instances 
should elect to be clients so they will simply record a job record 
(.QUE) and wait for the server instance to process their message 
(.FIN). Then they will pick up the result and exit - reporting the 
result back to the calling program.

Client instances take very little memory and spend most of their time 
sleeping so they require very few CPU or IO resources.

_M
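
The poll timing described in this thread (immediate re-poll after a job, a wait that grows along a Fibonacci sequence while idle, a 4 second cap, reset on the next job), as an added simulation that is not Message Sniffer's own code. The 1 ms minimum wait, all class and function names, and the fixed-interval timer standing in for the requested /polling:x option are assumptions.

```python
"""Simulate the persistent server's poll timing as described in the thread."""

MAX_WAIT_MS = 4000  # limit stated in the thread (4 seconds)
MIN_WAIT_MS = 1     # assumption: the thread does not give the minimum wait
PROCESS_MS = 30     # average per-message processing time quoted in the thread


class FibonacciPollTimer:
    """Idle wait grows along a Fibonacci sequence; a found job resets it."""

    def __init__(self, min_wait_ms=MIN_WAIT_MS, max_wait_ms=MAX_WAIT_MS):
        if min_wait_ms <= 0 or max_wait_ms < min_wait_ms:
            raise ValueError("need 0 < min_wait_ms <= max_wait_ms")
        self.min_wait_ms = min_wait_ms
        self.max_wait_ms = max_wait_ms
        self._prev, self._cur = 0, min_wait_ms

    def next_wait(self, job_found):
        """Return how many ms to sleep before the next poll."""
        if job_found:
            # A job was processed: reset to the minimum and poll again at once.
            self._prev, self._cur = 0, self.min_wait_ms
            return 0
        wait = min(self._cur, self.max_wait_ms)
        if self._cur < self.max_wait_ms:
            # Step to the next Fibonacci term until the cap is reached.
            self._prev, self._cur = self._cur, self._prev + self._cur
        return wait


class FixedPollTimer:
    """Hypothetical fixed-interval timer, modelling the /polling:x request."""

    def __init__(self, interval_ms):
        if interval_ms <= 0:
            raise ValueError("interval_ms must be positive")
        self.interval_ms = interval_ms

    def next_wait(self, job_found):
        return 0 if job_found else self.interval_ms


def idle_schedule(timer, polls):
    """Waits chosen over `polls` consecutive polls that find no job."""
    return [timer.next_wait(False) for _ in range(polls)]


def idle_polls(timer, duration_ms):
    """Number of polls issued during an idle period of `duration_ms`."""
    now = polls = 0
    while now < duration_ms:
        polls += 1
        now += timer.next_wait(False)
    return polls


def pickup_latencies(timer, arrivals_ms, process_ms=PROCESS_MS):
    """Delay between each message's arrival and the poll that picks it up."""
    pending = sorted(arrivals_ms)
    latencies = []
    now = 0
    i = 0
    while i < len(pending):
        if pending[i] <= now:
            latencies.append(now - pending[i])
            now += process_ms          # the server is busy with this job
            timer.next_wait(True)      # reset; the next poll is immediate
            i += 1
        else:
            now += timer.next_wait(False)
    return latencies


if __name__ == "__main__":
    # Constructed input: a 10 second lull, then a burst of three messages.
    burst = [10000, 10770, 10800]
    print("idle waits:", idle_schedule(FibonacciPollTimer(), 20))
    print("burst latencies (ms):", pickup_latencies(FibonacciPollTimer(), burst))
    print("polls in 60 s idle, Fibonacci:", idle_polls(FibonacciPollTimer(), 60000))
    print("polls in 60 s idle, fixed 30 ms:", idle_polls(FixedPollTimer(30), 60000))
```

Only the first message after the lull pays the grown wait; the rest are picked up within one processing time, while a fixed 30 ms interval polls the working directory far more often during the same idle minute.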



[sniffer] Bagle.Q rule added

2004-03-18 Thread Pete McNeil
We have just added a rule for the Bagle.Q worm derived from data at the 
following link:

http://www.auscert.org.au/render.html?it=3957

The rule should be present in your next update.
A full rule-base compile is under way.
Thanks!
_M


Re: [sniffer] RunExeSvc for Persistent sniffer.

2004-03-18 Thread Matt




Ok, I think I did it. Only took a minute (thanks Bill). Here are some
more precise directions, but consider them to be "beta" directions
(please correct them if you find a problem):

1) Install the Windows 2000 Resource Kit, or download
and install the INSTSRV.exe and SRVANY.exe files in a permanent
location, preferably within your path. The individual files can be
found at the following location:
   http://www.pyeung.com/pages/win2k/userdefinedservice.html
  
2) Open a command prompt (Click on the Start Button, Select Run, and
type CMD)
  
3) Enter the following command (customize for the paths of the
executables)
   C:\Progra~1\Resour~1\INSTSRV Sniffer C:\Progra~1\Resour~1\SRVANY.exe
  
4) Open up the Registry Editor (Click on the Start Button, select Run,
and type REGEDIT)
  
5) Locate the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer
  
6) From the Edit menu, select New, select Key, and name the new key
Parameters
  
7) Highlight the Parameters key
  
8) From the Edit menu, select New, select String Value, and name the
new value Application
  
9) From the Edit menu, select Modify, and type in the full path name
and application name, including the drive letter and file extension
(don't use quotes, customize path, executable name and authentication
code)
 Example: C:\IMail\Declude\Sniffer\[yourlicx].exe [authenticationxx] persistent
  
  [yourlicx] = your license ID
  [authenticationxx] = your authentication string
  
10) Open the Services MMC
  
11) Start the Sniffer service
  
12) Set the Sniffer service to Automatic


Matt



Matt wrote:

I'm going to give this one a try right now since I have the Resource Kit
installed already. Just one question...do I need to change the
arguments in my Declude config, or will the service definition take
care of the 'persistence'?

Thanks,

Matt

Bill Boebel wrote:

We've been using svrany for years with several custom applications and it
works great. This utility has been around since the NT4 Resource Kit...

http://www.pyeung.com/pages/win2k/userdefinedservice.html

Bill



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Pete McNeil
Sent: Friday, March 19, 2004 12:25 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] RunExeSvc for Persistent sniffer.

Hello folks,

We've been continuing to test the new persistence enabled sniffer engine
and some utilities that will allow it to run as a service.

We found a free utility that seems to be very solid, and very simple.

http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html

One of the scripts we used is:

debug=false
cmdline=c:\Projects\sniffer2-3\TestBed\snfrv2r2.exe xnk05x5vmipeaof7 persistent
home=c:\Projects\sniffer2-3\TestBed

(Note: The mismatch between the sniffer2-3 directory and the snfrv2r2.exe
is not a type-o. We re-branded the 2-3 to use the snfrv2r2 license in our
example - it was easier than creating a new license. Note also that
the cmdline parameter includes the full path to the executable - you will
need to do this also. We could not get the service to start on our NT test
bed without including the full path to the .exe)

We've tested this on our XP based Toshiba laptop, and on our NT4 based
IMail test bed. Both seem to setup and work fine. Auto-start works fine, so
does logging out and logging in.

Once you've set up a persistent sniffer instance as a service, go into your
services control panel (usually via administrative tools), set the service
to start automatically, and start it.

A window will appear for the program - do not close the window!
Minimize it.

When you log out sniffer will continue to run in the background. When you
log in the window will be visible again - it's harmless. If you close it
though you will have ended the sniffer.exe out from under the service. This
won't cause you any trouble, but you won't get the benefit of the
persistent server until you stop and start the service again to relaunch
the program.

Using RunExeSvc, the actual service is the RunExeSvc program. That program
launches sniffer as a client and stands in as a service stub for your OS.
You can use this to run all sorts of things... The developer uses it to run
Java based web servers, for example.

Eventually we will build a win32 service version of Message Sniffer, but
for now this is the fastest way we can bring you the features you need.

Please give this a try and let us know how it works for you.

If you find a different utility that you like better then please let us
know.

Thanks!

_M




Re: [sniffer] RunExeSvc for Persistent sniffer.

2004-03-18 Thread Matt
Pete,

Although inconclusive, some screen caps of Task Manager seem to show a
dramatic reduction in many of the peaks with the service turned on.  
It's hard to tell the exact impact due to the virus scanners not always 
being called, and SKIPIFWEIGHT settings disabling a mountain of custom 
Declude filters which both are processor hogs, but the smaller peaks.  I 
believe the following before and after screen caps are representative of 
the impact (I looked for similar E-mail hit frequencies):

   Before
   http://www.mailpure.com/no_service.gif
   After (with service)
   http://www.mailpure.com/service.gif
The real test will have to wait for rush hour though.

Thanks,

Matt



Pete McNeil wrote:

The service definition takes care of the persistence. Your Declude 
config should not be changed.

_M

At 01:05 AM 3/19/2004, you wrote:

I'm going to give this one a try right now since I have the Resource 
Kit installed already.  Just one question...do I need to change the 
arguments in my Declude config, or will the service definition take 
care of the 'persistence'?

Thanks,

Matt



Bill Boebel wrote:

We've been using svrany for years with several custom applications 
and it
works great.  This utility has been around since the NT4 Resource 
Kit...

 http://www.pyeung.com/pages/win2k/userdefinedservice.html

Bill



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=



Re: [sniffer] High False Positives

2004-03-25 Thread Pete McNeil
There was a bad rule yesterday. It was removed almost immediately but it 
looks like you missed the update until 10:00pm. It takes a while to compile
rulebase updates. Since you mention 4pm and 10pm I'm guessing you have your 
updates scheduled. A better method would be to trigger updates based on an 
update notification since this allows us to correct problems like this more 
quickly. If I've assumed wrong, please disregard.

Thanks,
_M
At 10:27 AM 3/25/2004, you wrote:
I had a high number of false positives yesterday starting after my 4:00 PM
(CST) Sniffer update. I believe it occurred about the time of the spam storm
yesterday, when many spam messages made it through the filter.
It appeared to stop at 10:00 PM but I don't know if people quit sending
messages for the day or if my Sniffer update fixed the issues.
I haven't seen any today (did some spot checks); do I need to submit all the
messages that were false positives?
Did something happen yesterday?

Al Thornberry



Re: [sniffer] Help

2004-03-25 Thread Matt




Have you tried a reboot? Checked your error logs? Made sure that DNS
and all of your E-mail services are running?

Is there even a chance that you will be able to receive this message?

Matt



Richard Farris wrote:

  I just did a Windows NT update and now I can't get any email...when I turn
sniffer off I at least can send mail to myself but still can't get from
outside.. any ideas?

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

- Original Message - 
From: "Pete McNeil" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 2:01 PM
Subject: Re: [sniffer] Possible Bad Rule?


  
  
We had a badly coded rule that matched yahoo.
The rule has been removed.
About 30 rulebases went out before it was caught.
These are being recompiled with the correction right now.
I will see if I can push yours to the top.

_M

At 02:02 PM 3/24/2004, you wrote:


  I am getting a lot of complaints today from Yahoo users...

Sheldon


- Original Message -
From: "Darrell LaRock" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: "'SnifferSupport'" [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:33 AM
Subject: [sniffer] Possible Bad Rule?


  
  
Pete,

I am seeing a ton of false positives for RULE 100543.  I sent a few in to
you to check out ([EMAIL PROTECTED]).  I wanted to post this here as well
since it seems to take approx. 24 hours to process false positives.



Darrell











  
  


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




[sniffer] log upload trouble

2004-03-25 Thread Glenn \\\\ WCNet
I've been having trouble for the last 24 hrs or maybe a bit more with log
uploads failing.  The FTP either fails to connect, or it does connect and
the upload begins and then fails after a small percentage done.  Uploads are
scheduled every 6 hours.  Yesterday afternoon I tried renaming the log files
from a couple failures and triggering the upload manually, and it also
failed

An upload started a few mins ago, at 12:05 PM.  It progressed almost to
completion, and then ended with a reported failure from WS_FTP.

Glenn Z.
WCNet



- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 20, 2004 1:13 AM
Subject: Re: [sniffer] Define Persistent sniffer.


 At 09:50 PM 3/19/2004, you wrote:
  Pete,
  I follow this forum pretty well, however, having been out this
  week on business it seems I have lost a lot with this new feature set. If
  you don't mind, could you define Persistent Sniffer?  We average well
  over a million emails a day between two servers, what impact might I see
  on our server if I run this?  What is the recommended settings?  Thanks
  for the aid.

 (Seems I'm in the book writing mode this evening... sorry for the bandwidth)

 
 Performance Metrics:

 Our NT4/SP6a test bed, running IMail/Declude/Sniffer in persistent mode.
 P2/450, 2x 5400rpm IDE drives, mirrored, 256M Ram (No giggles please - This
 is an intentionally underpowered server - how better to stress test a
 program like Sniffer?).

 Sniffer in persistent mode on this box is able to process 120k msgs / month
 without issue. Logs show that each message on average now takes about 100ms
 total. Typical values are 20ms queue, 40ms scan though obviously some
 messages take longer and occasionally longer queue times do creep in.

 Prior to testing the persistent version of Sniffer, message scan times
 varied wildly but averaged about 300ms per message with some messages
 taking 3-5 seconds while waiting for I/O and other processes (Web Mail,
 IMAP, etc...). In fact, I intentionally waited until the CPU was at 100%
 (green line 100%, red line 50%+) before starting the service to see how the
 creatures would handle the transition under heavy stress - The CPU dropped
 so much that at first I thought I had broken something (one of those oops
 moments).

 The CPU now rests on the floor more often than not and generally runs peaks
 to about 50% unless something odd is going on - such as a defrag run.

 YMMV - the above data is based on a very narrow data sample and only
 loosely calculated - and some of it is anecdotal. However most reports from
 the field seem to support the general scale of improvement.

 On the back of the envelope I can calculate something like: 1 million per
 day is probably on the order of 125000 (1M/8hours) during a peak hour.
 125000/3600 = about 35 per second. If message sniffer can scan about 10 per
 second on an overloaded p2/450, then on a 2.4ghz machine with plenty of
 memory we might expect at least a linear improvement - approximately 5x,
 but we will say 4x to be safe - 40/sec covers 35/sec so we have our million
 based on these assumptions.

 IO notwithstanding I would expect a persistent server version of Sniffer on
 a well provisioned server with a 2.4ghz processor to handle 1 million per
 day _IF_ that's all it had to do... since there's always more to do and
 this would be a maximum load scenario, dividing this across two servers
 should work nicely - though it would probably be time to start considering
 a third server.

 Then again, you are probably not running generic single processor servers
 if you are handling 1 million messages per day ;-)

 ___
 Definition:

 Probably the simplest definition of Persistent Sniffer as you put it is a
 lightweight daemon. It can't actually be launched as a daemon/service on
 its own, and it is still compatible with the self-organizing-automata
 version of Sniffer, but it offers many of the performance savings of a
 daemon/service - along with some added redundancy and flexibility. For
 example, if the persistent server instance of Sniffer fails, then the other
 instances simply return to their normal peer-server mode of operation so
 there is a drop in performance, but not a loss of service.

 
 More Detail:

 Versions of Message Sniffer prior to 2-2 would always load the rule-base
 each time a message was to be scanned. Specifically, each instance of
 Message Sniffer was isolated and did the job itself. Up to 90% of the
 processing time typically required was bound in loading the rule-base file.
 On our NT test bed, for example, we would regularly see queue/scan times on
 the order of 1000/10, though more commonly 360/60 at the time when we
 developed version 2-2.

 Beginning with Version 2-2, we implemented a cellular peer-server
 technology with Message Sniffer. This technology allows instances of
 Message Sniffer running on the same server to interact and 

RE: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
That is possible. I'm still looking for an alternate repeatable cause.
_M
At 08:43 PM 3/24/2004, you wrote:

I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log file
today, as well.  Is this due to the ruleset issue from earlier today?
Bill

-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?
Well it may not be a spam storm. Log file shows:

nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0

What is a Bad Matrix?

Sheldon

Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!
Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain


---
This message and any included attachments are from Siemens Medical Solutions
USA, Inc. and are intended only for the addressee(s).
The information contained herein may include trade secrets or privileged or
otherwise confidential information.  Unauthorized review, forwarding, printing,
copying, distributing, or using such information is strictly prohibited and may
be unlawful.  If you received this message in error, or have reason to believe
you are not authorized to receive it, please promptly delete this message and
notify the sender by e-mail with a copy to [EMAIL PROTECTED]

Thank you



Re: [sniffer] Error_Bad_Matrix

2004-03-25 Thread Heimir Eidskrem
I am having the same problem when I download the update and run snf2check

H.

- Original Message - 
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 2:57 PM
Subject: RE: [sniffer] Error_Bad_Matrix



 I run snf2check.exe against every .snf file downloaded.  I just checked it
 again manually, and no errors were reported.  I now have almost 3500
 Error_Bad_Matrix entries in today's log.

 Bill

 -Original Message-
 From: Vivek Khera [mailto:[EMAIL PROTECTED]
 Sent: Thursday, March 25, 2004 12:52 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [sniffer] Error_Bad_Matrix



 On Mar 25, 2004, at 3:39 PM, Paul Lushinsky wrote:

  I decided to look in my log files for the past several days because of
  number of Error_Bad_Matrix related messages. I can't find this message
  in any of my log files until today starting with the update I auto
  downloaded at 8:15 this morning, and went until the update at noon.
  While I was look at the log file, another update notice came, so an
  update was done and the Error_Bad_Matrix message is back.
 


 I'm curious if the people who are seeing these messages are running
 snf2check.exe before making the rule files live.  I do so, and have not
 seen a single instance of this error.

 Can you run snf2check.exe on the current bad matrix you have and see if
 it reports an error?









Re: [sniffer] Spam storm?

2004-03-25 Thread Sheldon Koehler
This has been a bad week here!

A big increase in total email volume, a huge increase in false positives as
well as a huge increase in spam getting past our filters.


Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain




Re: [sniffer] Spam storm?

2004-03-25 Thread Computer House Support
We've found that when we do a manual download, everything works fine.  It's
the automatic download on the Windows 2000 server that seems to corrupt
things.


M. Stein
Computer House




- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 6:05 PM
Subject: Re: [sniffer] Spam storm?


This helps narrow things down. Specifically we know that the rulebase files
are not corrupted on the server but during the download. That explains why
I haven't been able to recreate a problem in the lab.

I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with wget.
They replaced wget with code of their own and have had no further problems.

Can we narrow this down to wget under heavy traffic conditions perhaps?

_M


At 10:08 PM 3/24/2004, you wrote:
I've noticed that if I do a manual download of the rule base file, it works
well, but if it is downloaded automatically via the Windows Task CMD, then
sniffer fails and the log fills up with the BAD_MATRIX errors.

Anyone else seeing this?


Mike


- Original Message -
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 8:43 PM
Subject: RE: [sniffer] Spam storm?


 
  I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log file
  today, as well.  Is this due to the ruleset issue from earlier today?
 
  Bill
 
  -Original Message-
  From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 24, 2004 3:19 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [sniffer] Spam storm?
 
 
  Well it may not be a spam storm. Log file shows:

  nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
  nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0

  What is a Bad Matrix?
 
 
  Sheldon
 
 
  Sheldon Koehler, Owner/Partner    http://www.tenforward.com
  Ten Forward Communications   360-457-9023
  Nationwide access, neighborhood support!
 
  Whenever you find yourself on the side of the majority, it's time
  to pause and reflect. Mark Twain
 
 
 


RE: [sniffer] Call for beta testers... snfrv2r3b1

2004-03-25 Thread Pete McNeil
I think the problem is in the file extension.
It should not be .com, but rather .cmd.
Hope this helps,
_M
At 12:32 PM 3/25/2004, you wrote:
Hi,

When I try to run the .com file, I get an error.  I have attached the
error dialog box and a copy of the .com file (name altered to .co_) that
I am using.  Can you see what I am doing wrong?  The program seems to be
running OK in normal mode.
Thanks,
Bill Morgan
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, March 17, 2004 1:05 PM
 To: [EMAIL PROTECTED]
 Subject: [sniffer] Call for beta testers... snfrv2r3b1


 Hello folks,

 I know folks are anxious to get their hands on this version so I'm going to
 play this beta round a little looser than usual. Version 2-3b1 implements a
 persistent mode feature for our cellular peer-server technology. Launching
 a persistent instance of Message Sniffer has the effect of creating a
 daemon so that all other instances will elect to be clients. We observed a
 DRAMATIC improvement in system performance on our NT4/Imail/Declude test bed.

 In static tests on my Toshiba 6100 we saw no memory leaks and consistent
 performance over the past 18+ hours of testing. This included several tests
 with more than 100+ concurrent client instances - all without failure and
 without making the system unresponsive (though the WinXP file system did
 start to show signs of strain).

 This beta is for the windows platform only... once we're happy with this
 version we will make the source and *nix versions available as always.

 Windows platform users who are interested in testing the new beta should
 download the following file:

http://www.sortmonster.com/MessageSniffer/Betas/snfrv2r3b1.zip
The file contains an executable and a short readme file.

We are going to be extremely busy for the next few hours so we won't be
able to provide support on this until later this evening. We have many
updates and rulebase mods to attend to at the moment since we shifted
resources heavily toward development last evening and through the night...
The current spam storm continues to rage with more than 500 core rule-base
changes yesterday alone!
Be careful.
Backup your current production version.
Watch carefully.
Enjoy :-)

_M



Re: [sniffer] Help

2004-03-25 Thread Pete McNeil


MicroNeil Voice Line: 703-779-4909
_M
At 01:30 PM 3/25/2004, you wrote:
I got it. I am on to something so I might figure it out. If I don't, is
there a number I can call..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support


- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 11:27 AM
Subject: Re: [sniffer] Help

Have you tried a reboot? Checked your error logs? Made sure that DNS and all of your E-mail services are running?

Is there even a chance that you will be able to receive this message?

Matt

Richard Farris wrote:

I just did a Windows NT update and now I can't get any email...when I turn
sniffer off I at least can send mail to myself but still can't get from
outside.. any ideas?

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 2:01 PM
Subject: Re: [sniffer] Possible Bad Rule?

We had a badly coded rule that matched yahoo.
The rule has been removed.
About 30 rulebases went out before it was caught.
These are being recompiled with the correction right now.
I will see if I can push yours to the top.

_M

At 02:02 PM 3/24/2004, you wrote:

I am getting a lot of complaints today from Yahoo users...

Sheldon

- Original Message -
From: Darrell LaRock [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: 'SnifferSupport' [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:33 AM
Subject: [sniffer] Possible Bad Rule?

Pete,

I am seeing a ton of false positives for RULE 100543. I sent a few in to
you to check out ([EMAIL PROTECTED]). I wanted to post this here as well
since it seems to take approx. 24 hours to process false positives.

Darrell











 




 

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [sniffer] Error_Bad_Matrix

2004-03-25 Thread Pete McNeil
I've been looking at that. The problem seems to be related to downloads, 
not generation. That is, every rulebase that I use locally has been clean 
throughout this episode. Also, folks who manually download the rulebase 
seem to be able to correct the problem. I'm not sure yet what is different 
between automated and manual downloads - except perhaps wget. I also don't 
have any obvious changes on our system recently. I continue to dig.

_M

At 03:39 PM 3/25/2004, you wrote:
Pete,

I decided to look in my log files for the past several days because of 
number of Error_Bad_Matrix related messages. I can't find this message in 
any of my log files until today starting with the update I auto downloaded 
at 8:15 this morning, and went until the update at noon. While I was looking 
at the log file, another update notice came, so an update was done and the 
Error_Bad_Matrix message is back.

I am using the latest production version of sniffer.

I know you are probably working on this, but I thought you should know for 
sure that your process for building the rulebase is experiencing some 
major issues.

All times are -0600 GMT.

   -Original Message-
   From: Butch Andrews  [mailto:[EMAIL PROTECTED]
   Sent: Thursday, March 25, 2004 10:23  AM
   To: [EMAIL PROTECTED]
   Subject: [sniffer]  Error_Bad_Matrix
 
   I am seeing my log file continue to fill with Error_Bad_Matrix errors
   and sniffer failing since a lot of spam is getting through. I was
   running the beta but have gone back to the original version just now. I
   did a manual update when the program change had no effect and it's back
   up. I checked last night's log and the problem started with date code
   20040325083243 and continued until now. This is for your info since I was
   using the beta.
 
   -Butch



This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
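
The manual log review described in this message (finding the first Error_Bad_Matrix entry and lining it up with the 8:15 and noon updates) can be automated. The sketch below is an added example, not Message Sniffer code: it relies only on what the thread shows of the log format (whitespace-separated fields, a 14-digit date code in the second field, and the ERROR_BAD_MATRIX token), and the sample lines, the CLEAN_PLACEHOLDER token and the 14:30 update time are constructed.

```python
import bisect
from datetime import datetime

BAD = "ERROR_BAD_MATRIX"

# Constructed sample in the layout quoted in the thread. CLEAN_PLACEHOLDER
# stands in for any non-error result; the lone "2 5" mimics a wrapped line.
SAMPLE_LOG = """\
nsx4b3eh 20040325081001 D00000001.SMD 20 40 CLEAN_PLACEHOLDER 0 0 0 2 5
nsx4b3eh 20040325083243 D00000002.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
nsx4b3eh 20040325084010 D00000003.SMD 422 0 ERROR_BAD_MATRIX 71 0 0
2 5
nsx4b3eh 20040325115500 D00000004.SMD 420 0 ERROR_BAD_MATRIX 71 0 0 2 5
nsx4b3eh 20040325120500 D00000005.SMD 20 40 CLEAN_PLACEHOLDER 0 0 0 2 5
nsx4b3eh 20040325143100 D00000006.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
"""

# Times at which a new rulebase went live (08:15 and noon are from the
# thread; 14:30 is constructed). In practice, take these from the updater.
UPDATE_TIMES = [
    datetime(2004, 3, 25, 8, 15),
    datetime(2004, 3, 25, 12, 0),
    datetime(2004, 3, 25, 14, 30),
]


def parse_line(line):
    """Return (timestamp, is_bad_matrix), or None if the line does not parse."""
    fields = line.split()
    if len(fields) < 3:
        return None
    stamp = fields[1]
    if len(stamp) != 14 or not stamp.isdigit():
        return None
    try:
        ts = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return ts, BAD in fields[2:]


def bad_matrix_episodes(lines):
    """Group consecutive error entries; any clean scan closes the episode."""
    episodes, current = [], None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # wrapped fragments and junk do not break an episode
        ts, bad = parsed
        if not bad:
            current = None
            continue
        if current is None:
            current = {"first": ts, "last": ts, "count": 0}
            episodes.append(current)
        current["last"] = ts
        current["count"] += 1
    return episodes


def attribute_to_updates(episodes, update_times):
    """Pair each episode with the most recent update before its first error."""
    updates = sorted(update_times)
    report = []
    for ep in episodes:
        i = bisect.bisect_right(updates, ep["first"])
        suspect = updates[i - 1] if i else None
        report.append((suspect, ep["first"], ep["last"], ep["count"]))
    return report


if __name__ == "__main__":
    eps = bad_matrix_episodes(SAMPLE_LOG.splitlines())
    for suspect, first, last, count in attribute_to_updates(eps, UPDATE_TIMES):
        print(f"{count} errors {first} .. {last}; suspect update at {suspect}")
```
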


RE: [sniffer] Error_Bad_Matrix

2004-03-25 Thread Pete McNeil
snf2check.exe will catch a partial download but it will not catch 
corruption in the middle of the file.

_M

At 03:57 PM 3/25/2004, you wrote:

I run snf2check.exe against every .snf file downloaded.  I just checked it
again manually, and no errors were reported.  I now have almost 3500
Error_Bad_Matrix entries in today's log.
Bill

-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Error_Bad_Matrix


On Mar 25, 2004, at 3:39 PM, Paul Lushinsky wrote:

 I decided to look in my log files for the past several days because of
 number of Error_Bad_Matrix related messages. I can't find this message
 in any of my log files until today starting with the update I auto
 downloaded at 8:15 this morning, and went until the update at noon.
 While I was look at the log file, another update notice came, so an
 update was done and the Error_Bad_Matrix message is back.

I'm curious if the people who are seeing these messages are running
snf2check.exe before making the rule files live.  I do so, and have not
seen a single instance of this error.
Can you run snf2check.exe on the current bad matrix you have and see if
it reports an error?


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
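
Pete's point above, that a check which catches a partial download can still pass a file corrupted in the middle, shown as an added example (not Message Sniffer code, and not a reproduction of how snf2check.exe works). It assumes a hypothetical manifest giving the expected size and SHA-256 of the rulebase, which the thread does not say the service publishes, and it promotes a download to the live .snf file only when both match.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash the whole file, so a flipped byte anywhere changes the result."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def install_rulebase(candidate, live, expected_size, expected_sha256):
    """Promote `candidate` to `live` only if size and digest both match.

    Returns (installed, reason). A rejected candidate is deleted and the
    previous live rulebase keeps serving.
    """
    if os.path.getsize(candidate) != expected_size:
        os.remove(candidate)
        return False, "size mismatch"      # the partial-download case
    if sha256_file(candidate) != expected_sha256.lower():
        os.remove(candidate)
        return False, "digest mismatch"    # right length, wrong content
    os.replace(candidate, live)            # atomic swap on the same volume
    return True, "installed"


def demo():
    """Run three constructed downloads through the check; return the outcomes."""
    old_rulebase = b"OLD-RULEBASE" * 1000          # constructed stand-in data
    new_rulebase = bytes(range(256)) * 64          # constructed stand-in data
    # Hypothetical manifest the publisher would distribute with the file.
    manifest = {
        "size": len(new_rulebase),
        "sha256": hashlib.sha256(new_rulebase).hexdigest(),
    }

    truncated = new_rulebase[:-512]                # transfer cut short
    flipped = bytearray(new_rulebase)
    flipped[len(flipped) // 2] ^= 0x01             # one bit changed mid-file

    cases = (
        ("truncated", truncated),
        ("mid-file flip", bytes(flipped)),
        ("intact", new_rulebase),
    )
    results = {}
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "rulebase.snf")
        with open(live, "wb") as f:
            f.write(old_rulebase)
        for name, data in cases:
            candidate = os.path.join(d, "rulebase.new")
            with open(candidate, "wb") as f:
                f.write(data)
            ok, reason = install_rulebase(
                candidate, live, manifest["size"], manifest["sha256"]
            )
            with open(live, "rb") as f:
                live_is_new = f.read() == new_rulebase
            results[name] = (ok, reason, live_is_new)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

A digest fetched over the same unauthenticated channel as the file detects accidental corruption only; detecting tampering needs a signed manifest or an authenticated channel for it.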


Re: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
By 8pm we had done at least 6 that I was part of.
_M
At 04:32 PM 3/25/2004, you wrote:
How many updates have happened today...I have only received 1 today..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 2:52 PM
Subject: Re: [sniffer] Spam storm?
 Big uptick of new and broken spam.
 Half way through the day and already at 445 new rules.
 We may be getting it under control though... (fingers crossed).
 _M

 At 06:02 PM 3/24/2004, you wrote:
 Am I the only one seeing a spam storm today? This is the worst I have EVER
 seen!!!
 
 Sheldon
 
 
 Sheldon Koehler, Owner/Partner    http://www.tenforward.com
 Ten Forward Communications   360-457-9023
 Nationwide access, neighborhood support!
 
 Whenever you find yourself on the side of the majority, it's time
 to pause and reflect. Mark Twain
 
 
 


Re: [sniffer] Error_Bad_Matrix

2004-03-25 Thread Matt
Pete,

FYI, I was trying to set up log uploads yesterday night and it took me a 
while to figure out that the FTP connection was unreliable from my 
server.  Packets were being dropped/munged somewhere.  I also noted a 
much lower hit rate on SNIFFER-PHARMACY yesterday, but no indication of 
matrix problems in the logs today (yesterday's were deleted).

Every once in a while my colocator's border router goes on the fritz and 
starts dropping packets.  A reboot usually fixes that issue.

If your router checks out fine, you might want to take a look at the 
routes going from your server to the customers that have indicated a 
problem and those that have indicated that there is none, that might 
identify something not so obvious if you run out of ideas.

I know how these things go and the worst part is not knowing the source 
while others expect a quick fix.  No big deal on my end in the mean 
time though.

Matt



Pete McNeil wrote:

snf2check.exe will catch a partial download but it will not catch 
corruption in the middle of the file.

_M

At 03:57 PM 3/25/2004, you wrote:

I run snf2check.exe against every .snf file downloaded.  I just checked it
again manually, and no errors were reported.  I now have almost 3500
Error_Bad_Matrix entries in today's log.

Bill

-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Error_Bad_Matrix


On Mar 25, 2004, at 3:39 PM, Paul Lushinsky wrote:

 I decided to look in my log files for the past several days because of
 number of Error_Bad_Matrix related messages. I can't find this message
 in any of my log files until today starting with the update I auto
 downloaded at 8:15 this morning, and went until the update at noon.
 While I was look at the log file, another update notice came, so an
 update was done and the Error_Bad_Matrix message is back.

I'm curious if the people who are seeing these messages are running
snf2check.exe before making the rule files live.  I do so, and have not
seen a single instance of this error.
Can you run snf2check.exe on the current bad matrix you have and see if
it reports an error?


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
I'm exploring that possibility - though there is nothing in the logs. I've 
seen some instability on the Sprint T1 though it seems stable now.

Sprint made an announcement that they were going to change their routing 
and that seems to coincide with these new events. Perhaps instability on 
that part of the network is causing some ftp/wget downloads to become 
corrupted - though that's not supposed to happen.

I've bounced the server just in case something was hung up there that I 
couldn't see - although some folks are not having trouble so there is 
nothing conclusive at this time.

_M

At 06:19 PM 3/25/2004, you wrote:
Could it possibly be your FTP server. This morning it timed out 4 times
when trying to manually download using my SecureFX program while this
afternoon wget has had no problem. Maybe you're getting hammered maliciously
with outside requests.
-Butch

*** REPLY SEPARATOR  ***

On 3/25/2004 at 6:05 PM Pete McNeil wrote:

This helps narrow things down. Specifically we know that the rulebase
files
are not corrupted on the server but during the download. That explains why
I haven't been able to recreate a problem in the lab.

I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with
wget.
They replaced wget with code of their own and have had no further
problems.

Can we narrow this down to wget under heavy traffic conditions perhaps?

_M


At 10:08 PM 3/24/2004, you wrote:
I've noticed that if I do a manual download of the rule base file, it
works
well, but if it is downloaded automatically via the Windows Task CMD,
then
sniffer fails and the log fills up with the BAD_MATRIX errors.

Anyone else seeing this?


Mike


- Original Message -
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 8:43 PM
Subject: RE: [sniffer] Spam storm?


 
  I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log
file
  today, as well.  Is this due to the ruleset issue from earlier today?
 
  Bill
 
  -Original Message-
  From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 24, 2004 3:19 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [sniffer] Spam storm?
 
 
  Well it may not be a spam storm. Log file shows:
 
  nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
  nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0
 
  What is a Bad Matrix?
 
 
  Sheldon
 
 
  Sheldon Koehler, Owner/Partner    http://www.tenforward.com
  Ten Forward Communications   360-457-9023
  Nationwide access, neighborhood support!
 
  Whenever you find yourself on the side of the majority, it's time
  to pause and reflect. Mark Twain
 
 
 


RE: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
At 06:25 PM 3/25/2004, you wrote:
We also saw many BAD_MATRIX errors last night.

If the problem was 'wget', shouldn't the snf2check
utility detect a corrupt file? Also, we did a manual
update yesterday afternoon and there were no 'wget'
error messages. The problem got corrected sometime
between last night and this morning.
Perhaps though some have had trouble throughout the day.

At the very least the verification on snf2check should
be improved to catch this issue. Updating with a bad
ruleset creates many problems.
Agreed. I'm looking for some simple ways to do that without changing the 
rulebase file format. There aren't any simple mechanisms that come to mind. 
Perhaps there will be no choice but to change the format in order to 
prevent this possibility.

_M


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, March 25, 2004 7:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?
This helps narrow things down. Specifically we know that the rulebase files
are not corrupted on the server but during the download. That explains why
I haven't been able to recreate a problem in the lab.
I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with wget.
They replaced wget with code of their own and have had no further problems.
Can we narrow this down to wget under heavy traffic conditions perhaps?

_M



Re: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
snf2check.exe makes the assumption that if the entire file is there and the 
head and tail of it can be verified that it must have survived the 
transfer. Clearly something is happening where that is not the case - 
something new.

One possibility that has been suggested is that we could gzip these files. 
That would be a somewhat radical change - but so would any change to the 
file format so this may be the best option.

On the other hand the system has worked as is for quite some time. I would 
like to discover what has changed as that clearly represents a problem that 
must be corrected.

_M

At 06:35 PM 3/25/2004, you wrote:
If that were the case then there is something wrong with either
snf2check.exe and/or autosnf.cmd. The autosnf.cmd calls snf2check.exe to
validate the downloaded file. If snf2check.exe found the downloaded file
invalid, an error is supposed to be returned to keep it from going into
production.  So if I assume the file does get corrupted during the download,
snf2check.exe must not be returning the correct value to indicate the file
is bad, snf2check.exe hasn't changed in a long time.
So while I can't argue that the file is bad before or after download. I will
try to watch the logs more closely and manually test the snf files that
begin to generate bad_matrix errors to see if they're bad at that time.
-Original Message-
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 25 Mar 2004 18:05:39 -0500
Subject: Re: [sniffer] Spam storm?
 This helps narrow things down. Specifically we know that the rulebase
 files
 are not corrupted on the server but during the download. That explains
 why
 I haven't been able to recreate a problem in the lab.

 I have a suspicion that wget may be failing intermittently.
 Another customer recently had unexplainable, intermittent issues with
 wget.
 They replaced wget with code of their own and have had no further
 problems.

 Can we narrow this down to wget under heavy traffic conditions perhaps?

 _M


 At 10:08 PM 3/24/2004, you wrote:
 I've noticed that if I do a manual download of the rule base file, it
 works
 well, but if it is downloaded automatically via the Windows Task CMD,
 then
 sniffer fails and the log fills up with the BAD_MATRIX errors.
 
 Anyone else seeing this?
 
 
 Mike
 
 
 - Original Message -
 From: Landry William [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, March 24, 2004 8:43 PM
 Subject: RE: [sniffer] Spam storm?
 
 
  
   I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer
 log file
   today, as well.  Is this due to the ruleset issue from earlier
 today?
  
   Bill
  
   -Original Message-
   From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, March 24, 2004 3:19 PM
   To: [EMAIL PROTECTED]
   Subject: Re: [sniffer] Spam storm?
  
  
   Well it may not be a spam storm. Log file shows:
  
   nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
   nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0
  
   What is a Bad Matrix?
  
  
   Sheldon
  
  
   Sheldon Koehler, Owner/Partner    http://www.tenforward.com
   Ten Forward Communications   360-457-9023
   Nationwide access, neighborhood support!
  
   Whenever you find yourself on the side of the majority, it's time
   to pause and reflect. Mark Twain
  
  
  

RE: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
At 06:51 PM 3/25/2004, you wrote:

Looks like a bandwidth issue to me, since even doing the download manually,
my connection stalled 5 times before I could complete a successful download.
And the download speeds were atrocious, many times in bytes/second rather
than even kb/second - and my connection speeds to the Internet are in
multiple 100mb connections.
Have you considered mirror sites or adding bandwidth?
Normally our bandwidth is sufficient. We have considered mirror sites also, 
and we have plans to move our hosting into a local Equinix facility where 
we will have similar bandwidth to yours and other benefits. Unfortunately 
we are not quite up to that level of revenue yet.

We currently have two T1s through two networks (Savvis & Sprint). More than 
90% of the time more than 80% of our bandwidth is available. There are 
occasional short-lived peaks where this is not the case, but those are rare.

Rulebase compilation is metered so that each file is generated in about the 
same amount of time it takes to download the file through a single T1. 
Generally this pacing leaves our bandwidth mostly open most of the time.

However, it appears that something odd has been going on recently with the 
Sprint side of the network - I suspect that what you've observed is related 
to some flapping going on under some heavy load conditions and that this 
has led to a number of dropped packets. I am investigating this further.

An event such as this would reduce our bandwidth by more than half and many 
packets would be lost.

_M



Re: [sniffer] Error_Bad_Matrix

2004-03-25 Thread Pete McNeil
I'm getting to be pretty sure it's Sprint. After bouncing the router there 
have been 109 carrier transitions in 3 hours. That's insane. I will be 
pounding on them.
_M

At 11:44 PM 3/25/2004, you wrote:
Pete,

FYI, I was trying to set up log uploads yesterday night and it took me a 
while to figure out that the FTP connection was unreliable from my 
server.  Packets were being dropped/munged somewhere.  I also noted a much 
lower hit rate on SNIFFER-PHARMACY yesterday, but no indication of matrix 
problems in the logs today (yesterday's were deleted).

Every once in a while my colocator's border router goes on the fritz and 
starts dropping packets.  A reboot usually fixes that issue.

If your router checks out fine, you might want to take a look at the 
routes going from your server to the customers that have indicated a 
problem and those that have indicated that there is none, that might 
identify something not so obvious if you run out of ideas.

I know how these things go and the worst part is not knowing the source 
while others expect a quick fix.  No big deal on my end in the mean time 
though.

Matt



Pete McNeil wrote:

snf2check.exe will catch a partial download but it will not catch 
corruption in the middle of the file.

_M

At 03:57 PM 3/25/2004, you wrote:

I run snf2check.exe against every .snf file downloaded.  I just checked it
again manually, and no errors were reported.  I now have almost 3500
Error_Bad_Matrix entries in today's log.
Bill

-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Error_Bad_Matrix


On Mar 25, 2004, at 3:39 PM, Paul Lushinsky wrote:

 I decided to look in my log files for the past several days because of
 the number of Error_Bad_Matrix related messages. I can't find this message
 in any of my log files until today starting with the update I auto
 downloaded at 8:15 this morning, and went until the update at noon.
 While I was looking at the log file, another update notice came, so an
 update was done and the Error_Bad_Matrix message is back.

I'm curious if the people who are seeing these messages are running
snf2check.exe before making the rule files live.  I do so, and have not
seen a single instance of this error.
Can you run snf2check.exe on the current bad matrix you have and see if
it reports an error?

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
snf2check does a byte length and partial checksum by default. The first and 
last few kbytes of the file are encrypted in sequence using Mangler. If any 
single bit of those two segments is missing or altered then the file will 
fail to authenticate. The only thing missing is a CRC for the middle parts 
of the file. In theory this is covered by TCP - but in practice not so much :-(

_M

At 12:48 AM 3/26/2004, you wrote:
How about a byte length compare or checksum of some sort?

Matt



Pete McNeil wrote:

At 06:25 PM 3/25/2004, you wrote:

We also saw many BAD_MATRIX errors last night.

If the problem was 'wget', shouldn't the snf2check
utility detect a corrupt file? Also, we did a manual
update yesterday afternoon and there were no 'wget'
error messages. The problem got corrected sometime
between last night and this morning.


Perhaps though some have had trouble throughout the day.

At the very least the verification on snf2check should
be improved to catch this issue. Updating with a bad
ruleset creates many problems.


Agreed. I'm looking for some simple ways to do that without changing the 
rulebase file format. There aren't any simple mechanisms that come to 
mind. Perhaps there will be no choice but to change the format in order 
to prevent this possibility.

_M


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, March 25, 2004 7:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?
This helps narrow things down. Specifically we know that the rulebase files
are not corrupted on the server but during the download. That explains why
I haven't been able to recreate a problem in the lab.
I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with wget.
They replaced wget with code of their own and have had no further problems.
Can we narrow this down to wget under heavy traffic conditions perhaps?

_M


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [sniffer] Spam storm?

2004-03-26 Thread Pete McNeil
At 01:57 AM 3/26/2004, you wrote:
I once noticed that transferring data through TCP/IP is NOT error-free, if
the connection is very slow. At least not if it is going through Microsoft's
software (Windows).
Me 2.

 One possibility that has been suggested is that we could gzip these files.
 That would be a somewhat radical change - but so would any change to the
 file format so this may be the best option.
Why don't you just put gzip files in addition to the uncompressed files into
the download directory. Those who want to download the zipped files then
would have to make a only small change in their download script.
I think we will probably try this.
_M


Re: [sniffer] Spam storm?

2004-03-26 Thread Pete McNeil
Thanks for the insight. You're also sharing a maxed out T1 so I'm not sure 
how to interpret that data - I suppose that 10K isn't awful if 10 other 
systems are hitting it at once.

I have to stop my testing now. I've got Sprint queued up to do some 
intrusive testing so I have to bring the line back up. Hopefully we'll get 
to the bottom of things though.

_M

At 03:23 AM 3/26/2004, you wrote:
I'm doing a download as we speak.

I am on a 100mb connection.

Getting between 6-10K with several short stops in download.

H.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 26, 2004 2:17 AM
Subject: RE: [sniffer] Spam storm?
 At 02:50 AM 3/26/2004, you wrote:

 -Original Message-
 From: Pete McNeil [mailto:[EMAIL PROTECTED]
 
   Normally our bandwidth is sufficient. We have considered mirror sites
 also,
   and we have plans to move our hosting into a local Equinix facility
where
   we will have similar bandwidth to yours and other benefits.
Unfortunately
   we are not quite up to that level of revenue yet.
  
   We currently have two T1s through two networks (Savvis & Sprint). More
 than
   90% of the time more than 80% of our bandwidth is available. There
are
   occasional short-lived peaks where this is not the case, but those are
 rare.
 
 Ah, that's probably it, since one of our Internet circuits is with
Sprint,
 as well, so the traffic would have been prioritized over the Sprint
network.

 Since we're both up at this insane hour. Would you mind making a test?
 I've just shut down the Sprint line - so we're running through Savvis
 exclusively. If I'm right about the connectivity issue then you should be
 able to get a good download. Would you give that a shot for me and tell me
 the stats when you're done?

 Thanks!
 _M





RE: [sniffer] Spam storm?

2004-03-26 Thread Pete McNeil
At 03:39 AM 3/26/2004, you wrote:

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
 Since we're both up at this insane hour. Would you mind making a test?
 I've just shut down the Sprint line - so we're running through Savvis
 exclusively. If I'm right about the connectivity issue then you should
 be able to get a good download. Would you give that a shot for me and
 tell me the stats when you're done?
Well, it didn't start out well, stalled, restarted, and then picked up:


Thanks,
_M


Re: [sniffer] Spam storm?

2004-03-26 Thread Kirk Mitchell
At 07:42 AM 3/26/04 -0500, Russ Uhte (Lists) wrote:
Pete,

Just wanted to interject a couple observations.  I'm connected to the 
Internet through a 15Mb frac ds/3 from ATT and a T1 from Sprint.  I of 
course have no way of telling which pipe our automated downloads are coming 
from.  However, I too have noticed really slow download speeds.  I use 
wget, and I've never had a single problem, other than occasionally it is 
extremely slow sometimes.  Once it does actually download, it's always a 
clean download.  I haven't seen a single instance of the error_bad_matrix.

  I have a Sprint T as well, and have had no download problems using wget
on Win2000 aside from periodic slowdowns. Just ran a download this morning
and speed never went over 5K. I also have had no bad_matrix instances.



-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




Re: [sniffer] Spam storm?

2004-03-26 Thread Pete McNeil
At 07:42 AM 3/26/2004, you wrote:
Pete,
Just wanted to interject a couple observations.  I'm connected to the 
Internet through a 15Mb frac ds/3 from ATT and a T1 from Sprint.  I of 
course have no way of telling which pipe our automated downloads are coming 
from.  However, I too have noticed really slow download speeds.  I use 
wget, and I've never had a single problem, other than occasionally it is 
extremely slow sometimes.  Once it does actually download, it's always a 
clean download.  I haven't seen a single instance of the error_bad_matrix.

I also wanted to pass on a tool that I've heard a lot about.  It's called 
Matt's Traceroute.  I've never actually used it myself, but I'm told it's 
excellent for detecting flaky T circuits and such.  Here is the link to 
the program.  http://www.bitwizard.nl/mtr/  I don't know if it will help 
with what you're doing or not, but thought I'd suggest it!

Hope one of these days everything gets back to normal, and you can finally 
get some sleep!!
Thanks for that. I'm sure we're on to something now. Sprint tested the 
circuit and detected an increasing number of errors. Now it's just a matter 
of finding out where they are and fixing that piece of work. I'm off to the 
shop for that right after this rule-base update.

I will be forcing the Sprint line down until I get ready to do some more 
testing.

_M



RE: [sniffer] Spam storm?

2004-03-26 Thread Peer-to-Peer, LLC
Have you considered isolating this by type of mail server?
We run MDaemon and no error_bad_matrix in our log files over the past week.
We use wget on Win2000 server over a Verizon network.

Just a thought.

Paul Roulier


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Friday, March 26, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?


At 07:42 AM 3/26/2004, you wrote:
Pete,

Just wanted to interject a couple observations.  I'm connected to the
Internet through a 15Mb frac ds/3 from ATT and a T1 from Sprint.  I of
course have no way of telling which pipe our automated downloads are coming
from.  However, I too have noticed really slow download speeds.  I use
wget, and I've never had a single problem, other than occasionally it is
extremely slow sometimes.  Once it does actually download, it's always a
clean download.  I haven't seen a single instance of the
error_bad_matrix.

I also wanted to pass on a tool that I've heard a lot about.  It's called
Matt's Traceroute.  I've never actually used it myself, but I'm told it's
excellent for detecting flaky T circuits and such.  Here is the link to
the program.  http://www.bitwizard.nl/mtr/  I don't know if it will help
with what you're doing or not, but thought I'd suggest it!

Hope one of these days everything gets back to normal, and you can finally
get some sleep!!

Thanks for that. I'm sure we're on to something now. Sprint tested the
circuit and detected an increasing number of errors. Now it's just a matter
of finding out where they are and fixing that piece of work. I'm off to the
shop for that right after this rule-base update.

I will be forcing the Sprint line down until I get ready to do some more
testing.

_M




Re: [sniffer] Error_Bad_Matrix

2004-03-26 Thread Pete McNeil
At 09:10 AM 3/26/2004, you wrote:

On Mar 25, 2004, at 8:10 PM, Pete McNeil wrote:

 ERROR_BAD_MATRIX is definitely a corrupted rulebase file. A manual 
download should solve the problem.
Should not snf2check.exe detect this?  If the sniffer can detect it, it 
seems that the checker should too.
No. snf2check.exe does a static check on part of the file.

ERROR_BAD_MATRIX is a run time error produced when one of the creatures 
tries to run into memory space that it shouldn't. Only the creature running 
into that bad part of the token matrix discovers the problem currently - 
that part of the file was not checked by snf2check.

_M
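
An added illustration of the gap discussed in this thread (not code from Message Sniffer or from any poster): a length plus head-and-tail check, like the one described for snf2check.exe, accepts a file with one flipped bit in the middle, while a whole-file digest or the CRC-32 trailer that a gzip download carries rejects it. The 4 KB edge size, the SHA-256 digests standing in for Mangler, the published digest, the constructed sample data and every function name are assumptions.

```python
import gzip
import hashlib
import os
import tempfile
import zlib

EDGE = 4096  # assumed size of the head and tail segments the partial check covers

# Constructed stand-in for a rulebase: 64 KiB of deterministic pseudo-random bytes.
RULEBASE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))


def edge_fingerprint(blob):
    """What a head-and-tail check sees: total length plus digests of both ends."""
    return (len(blob),
            hashlib.sha256(blob[:EDGE]).hexdigest(),
            hashlib.sha256(blob[-EDGE:]).hexdigest())


def partial_check(blob, expected):
    """Passes whenever length, head and tail are intact; the middle is never read."""
    return edge_fingerprint(blob) == expected


def full_check(blob, expected_sha256):
    """Whole-file digest: every byte contributes to the result."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


def flip_middle_bit(blob):
    """Simulate in-transit damage: one flipped bit at the midpoint, same length."""
    damaged = bytearray(blob)
    damaged[len(damaged) // 2] ^= 0x01
    return bytes(damaged)


def gunzip_or_none(gz_bytes):
    """Return the payload, or None when the deflate stream or gzip's own
    CRC-32/length trailer shows the download was damaged."""
    try:
        return gzip.decompress(gz_bytes)
    except (OSError, EOFError, zlib.error):
        return None


def install_if_valid(gz_bytes, expected_sha256, live_path):
    """Replace the live rulebase only if the download verifies end to end."""
    payload = gunzip_or_none(gz_bytes)
    if payload is None or not full_check(payload, expected_sha256):
        return False  # keep the rulebase that is already in production
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(live_path) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    os.replace(tmp, live_path)  # rename over the old file in one step
    return True


if __name__ == "__main__":
    fingerprint = edge_fingerprint(RULEBASE)
    digest = hashlib.sha256(RULEBASE).hexdigest()
    damaged = flip_middle_bit(RULEBASE)
    damaged_gz = flip_middle_bit(gzip.compress(RULEBASE))
    print("partial check accepts damaged file:", partial_check(damaged, fingerprint))
    print("full digest accepts damaged file:  ", full_check(damaged, digest))
    print("gzip accepts damaged archive:      ", gunzip_or_none(damaged_gz) is not None)
```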





RE: [sniffer] Spam storm?

2004-03-26 Thread EI8HT LEGS Technical Support
We have also seen some slow downloads here, but we are currently on a 256k
connection from CoreComm/Voyager, but we are updating to a full T1 in the
next couple of weeks thru someone different.

03/26/04 10:20:37 Fast traceroute sortmonster.com
Trace sortmonster.com (216.88.37.62) ...
 1 208.15.190.65     0ms    0ms    0ms  TTL:  0  (No rDNS)
 2 64.77.152.137   210ms   80ms  150ms  TTL:  0  (se1-3-17.rtr0.wb2023.smor.in.voyager.net bogus rDNS: host not found [authoritative])
 3 64.77.152.9      50ms  190ms  150ms  TTL:  0  (se3-1-0.rtr0.clmb.in.voyager.net ok)
 4 209.212.206.26  421ms  180ms   91ms  TTL:  0  (s60.rtr0.ipls.in.voyager.net bogus rDNS: host not found [authoritative])
 5 169.207.224.93  441ms   80ms  130ms  TTL:  0  (483.at-0-1-0.rtr0.chcg1.il.voyager.net ok)
 6 63.208.138.173  431ms  331ms  290ms  TTL:  0  (ge-8-0-513.ipcolo1.Chicago1.Level3.net ok)
 7 4.68.112.201    220ms  231ms  210ms  TTL:  0  (so-7-0-0.bbr1.Chicago1.Level3.net ok)
 8 4.68.112.190     90ms  130ms  110ms  TTL:  0  (so-8-0.core1.Chicago1.Level3.net ok)
 9 209.0.225.2      60ms   50ms  221ms  TTL:  0  (uschcg-j20c.savvis.net bogus rDNS: host not found [authoritative])
10 209.83.222.49   111ms  310ms  281ms  TTL:  0  (at-1-2-802.uswash2-01.j20c.savvis.net bogus rDNS: host not found [authoritative])
11 216.88.33.46    440ms  260ms  471ms  TTL:  0  (microneil-1.uswash.savvis.net fraudulent rDNS)
12   No Response  *  *  *
13   No Response  *  *  *
14   No Response  *  *  *
15   No Response  *  *  *
16   No Response  *  *  *
17   No Response  *  *  *
18   No Response  *  *  *
19   No Response  *  *  *
20   No Response  *  *  *
21   No Response  *  *  *
22   No Response  *  *  *
23   No Response  *  *  *
24   No Response  *  *  *
25   No Response  *  *  *
26   No Response  *  *  *
27   No Response  *  *  *
28   No Response  *  *  *
29   No Response  *  *  *

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kevin Stanford
Sent: Friday, March 26, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?


I have noticed this week that the download is also slow over here. I am
getting around 2.8 to 3 K/s. We also use Wget, and have had no
problems... just slow download speed.

Here is my tracert if it helps...

U:\tracert www.sortmonster.net

Tracing route to www.sortmonster.net [216.88.37.61]
over a maximum of 30 hops:

   1     3 ms     2 ms     2 ms  10.100.1.1
   2     5 ms     3 ms     2 ms  63.145.109.65
   3     7 ms     8 ms     9 ms  dal-edge-08.inet.qwest.net [63.145.96.117]
   4     8 ms     8 ms     8 ms  dal-core-01.inet.qwest.net [205.171.25.117]
   5    17 ms     9 ms     8 ms  dal-brdr-02.inet.qwest.net [205.171.25.46]
   6     9 ms     8 ms     8 ms  POS5-2.BR2.DFW9.ALTER.NET [204.255.168.229]
   7    10 ms     8 ms     8 ms  0.so-1-3-0.xl2.dfw9.alter.net [152.63.99.214]
   8     8 ms    11 ms    11 ms  0.so-0-0-0.tl2.dfw9.alter.net [152.63.2.181]
   9    50 ms    51 ms    52 ms  0.so-5-0-0.tl2.nyc9.alter.net [152.63.0.110]
  10    53 ms    50 ms    51 ms  0.so-3-0-0.xl2.nyc1.alter.net [152.63.29.113]
  11    51 ms    51 ms    51 ms  0.so-0-0-0.xr2.nyc1.alter.net [152.63.19.97]
  12    52 ms    51 ms    51 ms  508.atm7-0.gw8.nyc1.alter.net [152.63.20.1]
  13    51 ms    50 ms    51 ms  savvis-ny-gw.customer.ALTER.NET [65.194.72.54]
  14    50 ms    51 ms    51 ms  so-2-0-0.usnycm2-02.j20c.savvis.net [206.129.9.1]
  15    57 ms    56 ms    56 ms  fe2-3-2.uswash2-01.j20c.savvis.net [209.83.222.73]
  16    73 ms    80 ms    70 ms  microneil-1.uswash.savvis.net [216.88.33.46]
  17     *        *        *     Request timed out.
  18     *        *        *     Request timed out.
  19     *        *        *     Request timed out.
  20     *        *        *     Request timed out.
  21     *        *        *     Request timed out.
  22     *        *        *     Request timed out.
  23     *        *        *     Request timed out.
  24     *        *        *     Request timed out.
  25     *        *        *     Request timed out.
  26     *        *        *     Request timed out.
  27     *        *        *     Request timed out.
  28     *        *        *     Request timed out.
  29     *        *        *     Request timed out.
  30     *        *        *     Request timed out.

Trace complete.


At 08:04 AM 03/26/2004, you wrote:
At 08:13 AM 3/26/2004, you wrote:

   I have a Sprint T as well, and have had no download problems using wget
on Win2000 aside from periodic slowdowns. Just ran a download this morning
and speed never went over 5K. I also have had no bad_matrix instances.

I am consistently getting 45K/sec or better 

Re: [sniffer] Error_Bad_Matrix

2004-03-26 Thread Pete McNeil
That's one option we're considering.
_M
At 10:34 AM 3/26/2004, you wrote:
Maybe it is time to look at a new snf2check.exe.

One that has some checksum ability.

Say you download two files not one.

One with the rules and the other a checksum file.

Just a thought on how to keep corrupt rules from being put into production.

Fred
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 26, 2004 10:26 AM
Subject: Re: [sniffer] Error_Bad_Matrix
 At 09:10 AM 3/26/2004, you wrote:

 On Mar 25, 2004, at 8:10 PM, Pete McNeil wrote:
 
   ERROR_BAD_MATRIX is definitely a corrupted rulebase file. A manual
  download should solve the problem.
 
 Should not snf2check.exe detect this?  If the sniffer can detect it, it
 seems that the checker should too.

 No. snf2check.exe does a static check on part of the file.

 ERROR_BAD_MATRIX is a run time error produced when one of the creatures
 tries to run into memory space that it shouldn't. Only the creature running
 into that bad part of the token matrix discovers the problem currently -
 that part of the file was not checked by snf2check.

 _M



 This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
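
Added example, not part of the original thread and not MicroNeil's code: one way to implement the two-file idea discussed above, where a downloaded rulebase is promoted to production only after its whole-file digest matches a separately downloaded checksum file. The sidecar format (sha256sum style), the file names and the function names are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_sidecar(text, wanted_name):
    """Return the SHA-256 hex digest listed for wanted_name, or None.

    Assumed format (same as `sha256sum` output): "<64 hex>  <filename>".
    """
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest = parts[0].lower()
        name = parts[1].strip().lstrip("*")  # "*" marks binary mode in sha256sum
        if name == wanted_name and len(digest) == 64 and set(digest) <= HEX:
            return digest
    return None


def file_sha256(path, chunk=65536):
    """Hash every byte of the file, not just a header or a sampled region."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def install_if_verified(candidate, sidecar, production):
    """Replace production with candidate only if the digest matches.

    Returns (installed, reason). On any failure the production file is left
    untouched and the candidate stays on disk for inspection.
    """
    with open(sidecar, "r", encoding="ascii", errors="replace") as fh:
        expected = parse_sidecar(fh.read(), os.path.basename(production))
    if expected is None:
        return False, "no usable digest in sidecar"
    if not hmac.compare_digest(file_sha256(candidate), expected):
        return False, "digest mismatch"
    os.replace(candidate, production)  # atomic when both are on one volume
    return True, "installed"


def demo():
    """Constructed data: one download damaged by a single flipped bit, one intact."""
    rulebase = bytes(range(256)) * 64          # stand-in for a rulebase file
    damaged = bytearray(rulebase)
    damaged[5000] ^= 0x01                      # simulate a line error in transit
    with tempfile.TemporaryDirectory() as d:
        prod = os.path.join(d, "example.snf")  # hypothetical file name
        side = os.path.join(d, "example.snf.sha256")
        bad = os.path.join(d, "download_bad.tmp")
        good = os.path.join(d, "download_ok.tmp")
        with open(prod, "wb") as fh:
            fh.write(b"previous good rulebase")
        with open(side, "w", encoding="ascii") as fh:
            fh.write(hashlib.sha256(rulebase).hexdigest() + "  example.snf\n")
        with open(bad, "wb") as fh:
            fh.write(bytes(damaged))
        with open(good, "wb") as fh:
            fh.write(rulebase)

        rejected = install_if_verified(bad, side, prod)
        with open(prod, "rb") as fh:
            old_kept = fh.read() == b"previous good rulebase"
        accepted = install_if_verified(good, side, prod)
        with open(prod, "rb") as fh:
            new_in_place = fh.read() == rulebase
    return rejected, old_kept, accepted, new_in_place


if __name__ == "__main__":
    print(demo())
```

A checksum fetched over the same channel catches transit damage of the kind described in this thread; it does not authenticate the publisher, which would need a signature checked against a key obtained separately.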



Re: [sniffer] Spam storm?

2004-03-26 Thread Sheldon Koehler
 It's starting to come together now.

 Wget on windows + errors on the Sprint line since the move = corrupted
 downloads for folks who end up routing through sprint along the way?

 Could be.

We use Windows 2k, Wget and have our connection at our end from Sprint...


Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain





[sniffer] Application popup error smtp32.exe imail1.exe

2004-03-26 Thread Oswaldo Leon
I've been getting the error message below for the past two weeks.  I get
it for both smtp32.exe and imail1.exe

Application popup: smtp32.exe - Application Error : The application
failed to initialize properly (0xc142). Click on OK to terminate the
application.  

I did a search on Ipswitch's KB and I found the following:

Microsoft resource (which will  cause 0xC142 pop-ups for each
E-mail that is received afterwards, until the server crashes). For
further details, see: http://www.declude.com/dq.htm under the heading,
Flaw #1 - Server crashing: Microsoft's Mystery Heap.

I changed the number of delivery threads from 60 to 30 yesterday but I
had the same problem this morning.  Before making this change the cpu
utilization was about 100% most of the time. After the change it
decreased to 60%-70%.  

I noticed that this started happening when I installed message sniffer
so today I disabled message sniffer and now the cpu utilization stays
below 50% but a few times the queue manager makes it spike to 90%. 

Is there a way to use message sniffer without having this problem?




Re: [sniffer] Help

2004-03-26 Thread Pete McNeil


This seems like a rulebase thing.
We spoke on the phone.
If the problem isn't solved by getting a fresh rulebase then we should go
hunting for a rule. Send a note to yourself with sniffer on, then grab
the sniffer log entries for the captured message and send them to us at
[EMAIL PROTECTED] I'll look them up to see what they are and see if we've coded
something that's matching your outgoing messages.
Thanks,
_M
At 12:34 PM 3/26/2004, you wrote:
Here is what I have figured out..
With sniffer on I CANT send mail to my self although my wife can
send mail to me...
With sniffer off I CAN send mail to myself
There has to be something in the rule base that is doing this...or maybe
my Windows NT update broke something???

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

- Original Message -
From: Pete McNeil
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 7:02 PM
Subject: Re: [sniffer] Help

MicroNeil Voice Line: 703-779-4909

_M

At 01:30 PM 3/25/2004, you wrote:

I got it. I am on to something so I might figure it out if I dont is there a number I can call..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 11:27 AM
Subject: Re: [sniffer] Help

Have you tried a reboot? Checked your error logs? Made sure that DNS and all of your E-mail services are running?

Is there even a chance that you will be able to receive this message?

Matt

Richard Farris wrote:

I just did an Windows NT update and now I cant get any email...when I turn
sniffer off I at least can send mail to myself but still cant get from
outside..any ideas.,

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 2:01 PM
Subject: Re: [sniffer] Possible Bad Rule?

We had a badly coded rule that matched yahoo.
The rule has been removed.
About 30 rulebases went out before it was caught.
These are being recompiled with the correction right now.
I will see if I can push yours to the top.

_M

At 02:02 PM 3/24/2004, you wrote:

I am getting a lot of complaints today from Yahoo users...

Sheldon

- Original Message -
From: Darrell LaRock [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: 'SnifferSupport' [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:33 AM
Subject: [sniffer] Possible Bad Rule?

Pete,

I am seeing a ton of false positives for RULE 100543. I sent a few in to
you to check out ([EMAIL PROTECTED]). I wanted to post this here as well since it
seems to take approx. 24 hours to process false positives.

Darrell

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [sniffer] Application popup error smtp32.exe imail1.exe

2004-03-26 Thread Pete McNeil
At 02:26 PM 3/26/2004, you wrote:
I've been getting the error message below for the past two weeks.  I get
it for both smtp32.exe and imail1.exe
Application popup: smtp32.exe - Application Error : The application
failed to initialize properly (0xc142). Click on OK to terminate the
application.
snip

I changed the number of delivery threads from 60 to 30 yesterday but I
had the same problem this morning.  Before making this change the cpu
utilization was about 100% most of the time. After the change it
decreased to 60%-70%.
It seems that your server is heavily loaded so all adjustments are likely 
to be touchy. Scott (of Declude) has a good deal of experience dealing 
with this issue. It involves an undocumented resource in the Microsoft OS 
that seems to get used up when certain DLLs are loaded such as user32.dll - 
btw: Based on Scott's recommendation we long ago hacked the libraries on 
our code warrior compiler so that Sniffer does not link to the user32.dll. 
At the time this had a profound impact on the Mystery Heap problem for 
Sniffer.

Is there a way to use message sniffer without having this problem?
The 2-3 beta will definitely help the CPU usage.

The Mystery Heap problem is more difficult to solve - the solution 
appears to be different on each system. In my experience the most important 
factor appears to be the number of processes opened by services at any 
one time. This is why reducing delivery threads usually helps.

Others on the list - and especially on the Declude list will have more 
combined experience with this. If you haven't already you should ask there.

_M



[sniffer] Sprint T1 problem - reduced production rate.

2004-03-26 Thread Pete McNeil
Hello folks,

We have traced the source of the corrupted rulebase problem to our Sprint 
T1 line. This line has been shut down until the problem can be resolved. 
This has reduced our available bandwidth but should prevent further 
corrupted downloads.

In order to reduce traffic and improve download speeds I have temporarily 
disabled all but one of our rulebase compilers. The one compiler is capable 
of producing all licensed rulebases about 3 times per day.

We will be adding rules at our normal rates, but rulebase files will be 
produced more slowly until we have resolved our issue with Sprint. My 
latest information from them is that they have dispatched the problem to 
the local Telco (Verizon). _Usually_ this means that things should be back 
to normal within a few hours.

I will keep everyone up to date via the list.

You should not take any special action.

Thanks!
_M


[sniffer] Sprint T1 - back to normal.

2004-03-26 Thread Pete McNeil
Hello folks,

I have just finished work with Sprint & Verizon on the T1 and we now have a 
clean circuit. I have opened it up for traffic and all appears to be back 
to normal. Please let me know if there are any lingering symptoms.

I will restore the second rulebase compiler to active duty momentarily.

Thanks,
_M


[sniffer] Standard False Positive Response codes.

2004-03-27 Thread Pete McNeil
Hello folks,

To facilitate process automation in larger email systems we have developed 
a coding scheme and a number of standardized response codes for handling 
false positive submissions. This will allow you to route our responses to 
your false positive submissions automatically.

I have attached the file StdFalse.txt which contains the current list of 
standard responses from our process and a legend for creating new response 
codes.

We have been working on this project for a while now and the list is fairly 
stable. However, we are constantly developing and refining our processes so 
these responses are likely to change from time to time.

Thanks!
_M

[FPR:0]

The message did not match any active black rules as submitted. The rules
may have been modified or removed. If you provide matching log entries
from your system then we can research this further.

Note that sometimes our false processing system may not identify the
rules that matched this message on your system due to changes in the
submitted content that might occur during the forwarding process.

Please also be sure you are running the latest version, that your
rulebase file is up to date, and that you do not have any unresolved
errors in your Sniffer log file. Bug fixes in newer versions may resolve
false positive issues or reduce the risk of false positives through
enhanced features and new technologies. Certain errors in your log file
may indicate a corrupted rulebase.

Note that sometimes our false processing system may not identify the
rules that matched this message on your system due to changes in the
submitted content that might occur during the forwarding process.

---
[FPR:X]

This is an experimental ip rule. These rules are generated from our
spamtraps and removed on the first false positive report. These rules
generally indicate compromised equipment at the IP specified.

The rule has been removed.

---
[FPR:GR]

Rules in group 60 are gray hosting rules. Gray hosting rules are coded
for email sources that transmit both spam and non-spam. The Gray hosting
rule group is coded with a block-first / white-rule-later strategy.
You may wish to weight this rule group differently on your system. You
may also block this group or any of its rules.

Would you like to add a white rule based on the following?

---
[FPR:GW]

Rules in group 60 are gray hosting rules. Gray hosting rules are coded
for email sources that transmit both spam and non-spam. The Gray hosting
rule group is coded with a block-first / white-rule-later strategy.
You may wish to weight this rule group differently on your system. You
may also block this group or any of its rules.

A core white rule has been added based on your submission.

---
[FPR:HA]

This rule is coded for a potentially dangerous coding that references
the local file system of the recipient. This is often found in broken
spam and possibly malware.

Would you like to block this rule?

Would you like to add a white rule (please specify source)?

---
[FPR:SN]

The rule is strong.

Would you like to block this rule?

Note:

---
[FPR:SR]

The rule is strong.

Would you like to block this rule?

Would you like to add a white rule based on the following?

---
[FPR:SA]

The rule is strong.

Would you like to block this rule?

Would you like to add a white rule (please specify source)?

---
[FPR:+SR]

These rules are strong.

Would you like to block one or more of these rules (please specify)?

Would you like to add a white rule based on the following?

---
[FPR:+SA]

These rules are strong.

Would you like to block one or more of these rules (please specify)?

Would you like to add a white rule (please specify source)?

---
[FPR:D]

The rule has already been removed.

---
[FPR:P]

This case will be handled by the resolution of a prior - nearly 
identical submission.

---
[FPR:N]

Notes / Response to your notes:

---
[FPR:C]

Your rulebase has been modified as requested.

---
[FPR:U]

Please submit false positives from a registered email address or
authorized alias.
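
Added example, not part of the original message and not Message Sniffer code: a sketch of routing responses by the [FPR:...] tag listed above. The queue names are hypothetical, and reading the leading "+" as "several rules" is inferred from the wording of the +SR and +SA entries, since the legend itself is not reproduced here.

```python
import re

# Matches tags such as [FPR:0], [FPR:GR] or [FPR:+SA] anywhere in a response.
TAG = re.compile(r"\[FPR:(\+?)([0-9A-Z]+)\]")

# Grouping derived from the response texts above; queue names are hypothetical.
QUEUES = {
    "reply":    {"GR", "HA", "SN", "SR", "SA"},  # response asks "Would you like ...?"
    "close":    {"X", "GW", "D", "P", "C"},      # rule removed, white rule added, or handled
    "evidence": {"0"},                           # no match: supply matching log entries
    "resubmit": {"U"},                           # sender address not registered
    "read":     {"N"},                           # free-text notes
}
CODE_TO_QUEUE = {code: q for q, codes in QUEUES.items() for code in codes}
PLUS_ALLOWED = {"SR", "SA"}                      # the only "+" forms listed above


def route(body):
    """Return {'queue', 'code', 'multi_rule'} for one response body.

    Anything that cannot be classified with certainty goes to 'manual': no tag,
    several different tags in one body, or a code that is not in the list
    (the list is expected to change from time to time).
    """
    tags = set(TAG.findall(body))
    if len(tags) != 1:
        return {"queue": "manual", "code": None, "multi_rule": False}
    plus, code = tags.pop()
    queue = CODE_TO_QUEUE.get(code, "manual")
    if plus and code not in PLUS_ALLOWED:
        queue = "manual"
    return {"queue": queue, "code": plus + code, "multi_rule": bool(plus)}


if __name__ == "__main__":
    # Constructed sample bodies, modelled on the response texts above.
    samples = [
        "[FPR:X]\n\nThis is an experimental ip rule.\n\nThe rule has been removed.",
        "[FPR:+SA]\n\nThese rules are strong.\n\nWould you like to add a white rule?",
        "[FPR:ZZ]\n\nText for a code added after this table was written.",
        "Thanks, we will look into it.",
    ]
    for body in samples:
        print(route(body))
```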


Re: [sniffer] Help

2004-03-27 Thread Richard Farris



Everything looks good here now...not only was my
rulebase corrupted but my upline provider which does some initial spam filtering
for me was having trouble with their filter (nothing to do with sniffer)...so I
was broken in two places...thanks for all the help..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

  - Original Message -
  From: Pete McNeil
  To: [EMAIL PROTECTED]
  Sent: Friday, March 26, 2004 1:41 PM
  Subject: Re: [sniffer] Help

  This seems like a rulebase thing.
  We spoke on the phone.
  If the problem isn't solved by getting a fresh rulebase then we
  should go hunting for a rule. Send a note to yourself with sniffer on, then
  grab the sniffer log entries for the captured message and send them to us at
  [EMAIL PROTECTED] I'll look them up to see what they are and see if we've coded
  something that's matching your outgoing messages.
  Thanks,
  _M

  At 12:34 PM 3/26/2004, you wrote:
  Here is what I have figured out..
  With sniffer on I CAN'T send mail to my self although my wife can send mail to me...
  With sniffer off I CAN send mail to myself
  There has to be something in the rule base that is doing this...or maybe
  my Windows NT update broke something???

  Richard Farris
  Ethixs Online
  1.270.247. Office
  1.800.548.3877 Tech Support

  - Original Message -
  From: Pete McNeil
  To: [EMAIL PROTECTED]
  Sent: Thursday, March 25, 2004 7:02 PM
  Subject: Re: [sniffer] Help

  MicroNeil Voice Line: 703-779-4909
  _M

  At 01:30 PM 3/25/2004, you wrote:

  I got it. I am on to something so I might figure it out if I dont is there a number I can call..

  Richard Farris
  Ethixs Online
  1.270.247. Office
  1.800.548.3877 Tech Support

  - Original Message -
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Thursday, March 25, 2004 11:27 AM
  Subject: Re: [sniffer] Help

  Have you tried a reboot? Checked your error logs? Made
  sure that DNS and all of your E-mail services are running?
  Is there even a chance that you will be able to receive this
  message?
  Matt

Re: [sniffer] Help

2004-03-27 Thread Pete McNeil


That's good news.
Thanks!
_M
At 01:12 PM 3/27/2004, you wrote:
Everything looks good here now...not only was my rulebase corrupted but my
upline provider which does some initial spam filtering for me was having
trouble with their filter (nothing to do with sniffer)...so I was broken in
two places...thanks for all the help..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support


- Original Message - 

From: Pete McNeil


To: [EMAIL PROTECTED] 

Sent: Friday, March 26, 2004 1:41 PM

Subject: Re: [sniffer] Help

This seems like a rulebase thing.

We spoke on the phone.

If the problem isn't solved by getting a fresh rulebase then we should go hunting for a rule. Send a note to yourself with sniffer on, then grab the sniffer log entries for the captured message and send them to us at [EMAIL PROTECTED] I'll look them up to see what they are and see if we've coded something that's matching your outgoing messages.

Thanks,

_M

At 12:34 PM 3/26/2004, you wrote:

Here is what I have figured out.. 

With sniffer on I CANT send mail to my self although my wife can send mail to me...

With sniffer off I CAN send mail to myself

There has to be something in the rule base that is doing this...or maybe my Windows NT update broke something???


Richard Farris

Ethixs Online

1.270.247. Office

1.800.548.3877 Tech Support
- Original Message - 
From: Pete McNeil 
To: [EMAIL PROTECTED] 
Sent: Thursday, March 25, 2004 7:02 PM
Subject: Re: [sniffer] Help

MicroNeil Voice Line: 703-779-4909
_M

At 01:30 PM 3/25/2004, you wrote:
I got it. I am on to something so I might figure it out if I dont is there a number I can call..
Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support 
- Original Message - 
From: Matt 
To: [EMAIL PROTECTED] 
Sent: Thursday, March 25, 2004 11:27 AM 
Subject: Re: [sniffer] Help
Have you tried a reboot? Checked your error logs? Made sure that DNS and all of your E-mail services are running?
Is there even a chance that you will be able to receive this message?
Matt



Re: [sniffer] Test

2004-03-29 Thread Fred



Didn't happen this time, nevermind!

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:[EMAIL PROTECTED]

  - Original Message -
  From: Fred
  To: [EMAIL PROTECTED]
  Sent: Monday, March 29, 2004 1:42 PM
  Subject: [sniffer] Test

  I'm seeing header corruption today on this group, just a
  test message..

  Frederic Tarasevicius
  Internet Information Services, Inc.
  http://www.i-is.com/
  810-794-4400
  mailto:[EMAIL PROTECTED]
  
  


Re: [sniffer] Test

2004-03-29 Thread Pete McNeil


:-)
At 04:31 PM 3/29/2004, you wrote:
Didn't happen this time, nevermind!

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:[EMAIL PROTECTED]




- Original Message - 

From: Fred 

To:
[EMAIL PROTECTED] 

Sent: Monday, March 29, 2004 1:42 PM

Subject: [sniffer] Test

I'm seeing header corruption today on this group, just a test message..

Frederic Tarasevicius

Internet Information Services, Inc.

http://www.i-is.com/

810-794-4400

mailto:[EMAIL PROTECTED]









RE: [sniffer] Microsoft Entourage Clients

2004-04-05 Thread Nick Marshall
We've noticed that too just today...

Nick Marshall
Giacom World Networks Ltd




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Patrick Rateliff
Sent: 05 April 2004 16:41
To: [EMAIL PROTECTED]
Subject: [sniffer] Microsoft Entourage Clients

I have noticed that any messages sent from a Microsoft Entourage (Apple
Computers) client are currently being captured by sniffer.  I just noticed
this and putting a few whitelists and work arounds in place before I explore
this further.  This affects 2600 machines in our district.  Anyone else see
this at all?

-Patrick.
--
Patrick Rateliff 
Network Administrator
Lakeville Area Public Schools
952.469.7947
[EMAIL PROTECTED] 

---
[This E-mail scanned for viruses by Declude Virus]


--
[This e-mail was scanned for viruses by Giacom Anti-Virus]




RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Michiel Prins



Hmmm, log file from sniffer shows significant increase in performance (up to
50% faster, see below). However, according to my own logs, the total time that
sniffer takes is way longer. During non-persistent operation about 300 ms on
top of what sniffer logs, which could be because of loading times of sniffer
itself. When sniffer is persistent, 'loading' time is about 1.5 seconds.

My conclusion from this, is that when sniffer is running persistent, cpu
usage and rulebase loading times are decreased but total execution time seems
to have tripled from about 550 ms to about 1650 ms.

To calculate the total execution time, I store system time in ms just
before and after ShellExecuteEx() and calculate the difference. That seems
like an honest and reliable way to determine execution time for sniffer.

sniffer log:
h0t861s4 20040407080330 md5581512.msg 26532 Clean 000221432
h0t861s4 20040407080340 md5581513.msg 26516 Clean 000150335
h0t861s4 20040407080356 md5581514.msg 28278 Clean 0001366440
h0t861s4 20040407080408 md5581515.msg 265110 Clean 0002692944
h0t861s4 20040407080412 md5581516.msg 28132 Clean 000219935
h0t861s4 20040407080422 md5581517.msg 28116 Final 33612540252040
h0t861s4 20040407080426 md5581518.msg 25031 Clean 000263635
h0t861s4 20040407080431 md5581519.msg 26631 Clean 000591341
h0t861s4 20040407080436 md5581520.msg 18846 Final 105667520352241
h0t861s4 20040407080446 md5581521.msg 10932 Clean 000215236
h0t861s4 20040407080454 md5581522.msg 12547 Clean 000408335
h0t861s4 20040407080506 md5581523.msg 18747 Clean 000520532
h0t861s4 20040407080514 md5581524.msg 18847 Clean 000563234
h0t861s4 20040407080524 md5581525.msg 188109 Clean 0002476343
h0t861s4 20040407080531 md5581526.msg 18847 Final 105667520274239
h0t861s4 20040407080538 md5581527.msg 18816 Clean 000196735
h0t861s4 20040407080550 md5581528.msg 187125 Clean 0002471850
h0t861s4 20040407080557 md5581529.msg 18732 Clean 000323634
h0t861s4 20040407080607 md5581530.msg 12531 Clean 000291832
h0t861s4 20040407080620 md5581531.msg 18732 Final 105073500237444
h0t861s4 20040407080632 md5581532.msg 18815 Clean 000361133
h0t861s4 20040407080638 md5581533.msg 125125 Clean 0002756845
h0t861s4 20040407080650 md5581534.msg 18778 Clean 0001615533

I'm really puzzled about the cause for the extra delays.



Groet, (regards)
--
ing. Michiel Prins bsc 
[EMAIL PROTECTED]
SOSSmallOffice 
Solutions /Reject / 
Wannepad 27 - 
1066 HW -  Amsterdam
t.+31(0)20-4082627 - 
f.+31-(0)20-4082628
--
Consultancy- 
Installation- Maintenance
Network Security 
-Internet -  E-mail
SoftwareDevelopment - 
Project Management
--




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, 7 April 2004 11:21
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

What does the sniffer log show during this time?
_M

At 04:48 AM 4/7/2004, you wrote:
Pete,

Despite my suggestions with less polling time, I can't seem to get the
persistent version to speed up my message processing. I've copied part of my
custom log file below. Bold numbers are the amount of ms it takes to execute
sniffer (timed by an external program that executes it). Persistent sniffer
was turned ON on the blue lines. I've set max polling time to 50ms for this
test. However, scanning takes more than a second longer...

0,"2004-04-07 
  10:03:31",md5581512.msg,672,546,78,0,2223,0,0,3,10,"2004-04-07 
  10:03:40",md5581513.msg,657,531,93,0,1490,0,0,3,10,"2004-04-07 
  10:03:57",md5581514.msg,734,594,93,0,14601,0,0,3,10,"2004-04-07 
  10:04:09",md5581515.msg,797,624,93,0,29398,0,0,3,10,"2004-04-07 
  10:04:13",md5581516.msg,686,562,93,0,42408,2,0,3,10,"2004-04-07 
  10:04:22",md5581517.msg,749,547,93,0,2611,1,0,3,10,"2004-04-07 
  10:04:26",md5581518.msg,656,532,93,0,43402,2,0,3,10,"2004-04-07 
  10:04:32",md5581519.msg,671,547,93,0,6022,0,0,3,10,"2004-04-07 
  10:04:37",md5581520.msg,1905,1672,92,0,3564,1,0,3,10,"2004-04-07 
  10:04:47",md5581521.msg,1811,1688,93,0,2152,0,0,3,10,"2004-04-07 
  10:04:55",md5581522.msg,1811,1688,78,0,4122,0,0,3,10,"2004-04-07 
  10:05:05",md5581523.msg,1843,1671,93,0,5250,0,0,3,10,"2004-04-07 
  10:05:13",md5581524.msg,1811,1688,78,0,5677,0,0,3,10,"2004-04-07 
  10:05:21",md5581525.msg,1797,1671,93,0,273387,0,0,3,10,"2004-04-07 
  10:05:30",md5581526.msg,1891,1671,93,0,2760,1,0,3,10,"2004-04-07 
  10:05:37",md5581527.msg,1811,1672,93,0,36384,2,0,3,10,"2004-04-07 
  10:05:49",md5581528.msg,1796,1656,93,0,27065,0,0,3,10,"2004-04-07 
  10:05:56",md5581529.msg,1812,1686,79,0,3554,2,0,3,10,"2004-04-07 
  10:06:06",md5581530.msg,1843,1671,78,0,44939,2,0,3,10,"2004-04-07 
  10:06:19",md5581531.msg,1874,1655,94,0,2363,1,0,3,10,"2004-04-07 
  10:06:31",md5581532.msg,1811,1671,94,0,3670,0,0,3,10,"2004-04-07 
  

Re: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Matt




Pete,

I haven't been following this thread closely but latest generation SCSI
drives can be below 4 ms seek times as rated by their manufacturers.

FYI, I haven't seen any issues with the persistent Sniffer beta run as
a resource kit service besides some expected brief delays according to
the way that processes when traffic is less heavy.

Matt



Pete McNeil wrote:
I must be getting punchy... but this just occurred to me... Anybody else
remember when a high performance hard drive had a seek time just under
30ms ??

_M

At 06:01 PM 4/7/2004, you wrote:
If that's all that happens during the first setup timer then you do have
some performance issue on a production machine.
My production mail server is not too beefy and does somewhere around
120k+ a day.
Here's a snippet from my logs (with persistent sniffer) for comparison

fde2jqoe 20040407041105 D7f587132019a8525.SMD 0 31 Final
fde2jqoe 20040407041105 D7f577130019a80fe.SMD 0 15 Final
fde2jqoe 20040407041106 D7f5973740202893b.SMD 0 16 Clean
fde2jqoe 20040407041109 D7f58737302028553.SMD 0 16 Final
fde2jqoe 20040407041109 D7f53712e019a73bf.SMD 0 15 Final
fde2jqoe 20040407041120 D7f6490fe0072b647.SMD 0 0 Final
fde2jqoe 20040407041120 D7f6590ff0072b721.SMD 15 0 Final
fde2jqoe 20040407041120 D7f659172b84a.SMD 0 32 Final
fde2jqoe 20040407041120 D7f6591010072ba3e.SMD 0 15 Final
fde2jqoe 20040407041120 D7f6691020072bbe4.SMD 0 31 Final
fde2jqoe 20040407041121 D7f6691030072bdc9.SMD 0 16 Final
fde2jqoe 20040407041123 D7f6991050072c932.SMD 0 16 Clean
fde2jqoe 20040407041123 D7f6a91060072cbf2.SMD 0 15 Final
fde2jqoe 20040407041123 D7f6a73760202cc6f.SMD 0 16 Final



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Wednesday, April 07, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

At 04:06 PM 4/7/2004, you wrote:
So, making sure I'm following your analysis: I'm looking at my log file and
I'm seeing lines similar to

  snf2beta 20040407020014 D60a4134.SMD 181 30 Match 101576 58 20 38 68

And that 181 figure seems to hold pretty stable. 181 is substantially
lower than the values I was seeing prior to the current beta [and I have
a production machine similar in content and power to your test machine],
but I'm seeing that you achieve numbers 2-6 times faster than I am.

Yes... that seems about right. When a persistent server is running the
rulebase is almost never reloaded. Only two significant things happen
during the setup time as measured by Sniffer: 1) Loading the rulebase,
2) locating a job to process (directory scan + locking).

The drop seems to indicate that the rulebase reload has stopped as it
should. That only leaves the directory scan and a couple of rename/create
operations.

_M


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
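
One way to do the log comparison discussed in this thread, as an added example (not code from the Message Sniffer distribution): it parses log lines in the layout quoted above and summarizes the setup time, which the thread identifies as the first number after the message file name. Reading the second number as the scan time, counting only Final/Clean lines per message, and the 100 ms threshold are assumptions; the `X0000001.SMD` lines and the garbage line in the sample are constructed.

```python
"""Summarize per-message timings from Message Sniffer log lines (added example)."""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime, timezone

# Layout as quoted in the thread:
#   <license id> <yyyymmddhhmmss> <message file> <setup ms> <n2> <result> [more]
# <n2> is read here as the scan time in ms; that reading is an assumption.
LINE_RE = re.compile(
    r"^(?P<lic>\S+)\s+(?P<ts>\d{14})\s+(?P<msg>\S+)\s+"
    r"(?P<setup>\d+)\s+(?P<scan>\d+)\s+(?P<result>[A-Za-z]+)\b"
)

# Assumption: each message ends with one Final or Clean line, and its Match
# lines repeat the same timings, so only Final/Clean lines are counted.
PER_MESSAGE_RESULTS = ("Final", "Clean")


@dataclass(frozen=True)
class Entry:
    license_id: str
    when: datetime      # timezone-aware; Sniffer logs times in GMT
    message: str
    setup_ms: int
    scan_ms: int
    result: str


def parse_line(line):
    """Return an Entry, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        when = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
    except ValueError:          # 14 digits that are not a valid date/time
        return None
    return Entry(m["lic"], when.replace(tzinfo=timezone.utc), m["msg"],
                 int(m["setup"]), int(m["scan"]), m["result"])


def summarize(lines, slow_setup_ms=100):
    """Per-message timing summary; slow_setup_ms is an assumed threshold."""
    entries, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
        else:
            entries.append(entry)

    msgs = sorted((e for e in entries if e.result in PER_MESSAGE_RESULTS),
                  key=lambda e: e.when)
    if not msgs:
        return {"messages": 0, "skipped_lines": skipped}

    # Seconds between consecutive messages: long gaps mean an idle system,
    # which the thread links to longer poll delays rather than lost throughput.
    gaps = [(b.when - a.when).total_seconds() for a, b in zip(msgs, msgs[1:])]
    return {
        "messages": len(msgs),
        "skipped_lines": skipped,
        "median_setup_ms": statistics.median(e.setup_ms for e in msgs),
        "max_setup_ms": max(e.setup_ms for e in msgs),
        "median_scan_ms": statistics.median(e.scan_ms for e in msgs),
        "median_gap_s": statistics.median(gaps) if gaps else None,
        "slow_setup": [e.message for e in msgs if e.setup_ms > slow_setup_ms],
    }


# First five lines are quoted in this thread; the rest are constructed.
SAMPLE = """\
snf2beta 20040407140913 D0b86122.SMD 30 90 Final 75148 63 0 6891 68
snf2beta 20040407140913 D0b8614e.SMD 90 140 Final 103691 57 0 8878 72
snf2beta 20040407140914 D0b88122.SMD 40 141 Final 103689 57 0 9003 71
snf2beta 20040407140915 D0b880b6.SMD 90 20 Final 106244 52 0 817 65
snf2beta 20040407140920 D0b8e0b6.SMD 20 40 Clean 0 0 0 2958 54
snf2beta 20040407140925 X0000001.SMD 181 30 Match 101576 58 20 38 68
snf2beta 20040407140925 X0000001.SMD 181 30 Match 94972 58 20 38 68
snf2beta 20040407140925 X0000001.SMD 181 30 Final 101576 58 20 38 68
garbage line that is not a log entry
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```
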




Re: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Frederick Samarelli
What is the best and proper way to set up Persistent mode on a Windows 2000
computer and run as a service?

Fred
- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:30 PM
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3



 Pre-persistent sniffer my times sometimes got high, but never beyond 3
 digits. While running the persistent beta, about half of my times are in
 the thousands. The machine also seems to be far more prone to bogging down
 under a mail load. This is on a P2/800mhz 1g ram machine.
 
 Pre-beta
 20040304211333  d9bec001201263026.smd   312 0   Match   89089
 20040304211333  d9bec001201263026.smd   312 0   Final   89089
 
 Persistent sniffer
 20040407042039  d819316c90154969c.smd   100032  Match   48754
 20040407042039  d819316c90154969c.smd   100032  Match   94972
 20040407042039  d819316c90154969c.smd   100032  Final   94972

 This doesn't make any sense. I have no good theory for this. I am unable to
 create any scenario where using the persistent engine degrades performance.
 In all of my tests on three separate platforms the persistent engine
 produces a significant improvement - even under unreasonably harsh
 conditions.

 Aside from rebooting the machine and not starting sniffer in persistent
 mode, how do I stop sniffer from running persistently?

 Sniffer is adaptive. You can turn the persistent instance on and off at
 will. Simply stop the service - a reboot is not needed. If the persistent
 instance is turned off then the remaining instances will organize
 themselves in the usual way.

 _M


 This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html





RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Pete McNeil

Sniffer is adaptive. You can turn the persistent instance on and off at
will. Simply stop the service - a reboot is not needed. If the persistent
instance is turned off then the remaining instances will organize
themselves in the usual way.
  I don't have it running as a service, I started the persistent instance
via command line.
That's fine... I nearly forgot something important anyway.

sniffer.exe stop - will stop the persistent server by sending it a message 
file.

Run 'sniffer.exe stop' at the command line and your persistent instance 
will exit cleanly on its own. [ replace sniffer.exe with the name of your 
executable of course ]

If you are running it from the command line then it will stop before the 
command returns.

To restart it simply run your persistent command line again.

For those running as a service

If you are running it as a service, the persistent instance will stop - 
possibly under the service stub. If this is the case (as with RunExeSvc) 
then you will need to stop and start the service when you are ready to 
bring it back.

_M

PS: If you do just kill the persistent instance it will leave its .SVR 
file behind and will abandon the job it is doing. While this is unkind, it 
will not be a problem - the normal peer-server instances will quickly clean 
out the stranded .SVR file and the abandoned job will be handled by the 
client instance when it gets tired of waiting.





RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Tom Baker | Netsmith Inc
 My findings are that persistent is offering great benefits, haven't tried an
 excessively harsh test yet, but I'm about to do that.

Just ran sniffer in both persistent and non-persistent modes with over 1,000
messages in the overflow and MaxQueProc at 50. This pegs out my CPU between
90% & 100% for the duration of delivery.
Screenshots & sniffer log snippets at http://staff.netsmith.net/sniffer/Extreme_Load/
I won't waste the mailing list's bandwidth for the attachments for those who
don't want them.

I don't see an obvious difference when the system is under heavy load, at
least not by skimming the log files.
Could do some math on overall performance statistics I guess... # of messages
processed in same timeframe, average times, etc.
 

RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Kirk Mitchell
At 09:11 PM 4/7/04 -0400, Pete McNeil wrote:

sniffer.exe stop - will stop the persistent server by sending it a message 
file.

Run 'sniffer.exe stop' at the command line and your persistent instance 
will exit cleanly on its own. [ replace sniffer.exe with the name of your 
executable of course ]

Tried the above and got an error message. Tried:
sniffer.exe  xxauthenticationxx stop
and it paused a few seconds and returned to command prompt, so I'm guessing
that it stopped.


-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




Re: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Frederick Samarelli
This worked great.

Thanks.
- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:46 PM
Subject: Re: [sniffer] Final beta (b2) for snfrv2r3


 At 08:36 PM 4/7/2004, you wrote:
 What is the best and proper way to set up Persistent mode on a Windows 2000
 computer and run as a service?
 
 Fred

 * Make a backup copy of your current executable (just in case).
 * Rename the 2-3b2 executable for your license and replace your current
 executable.

 At this point your system will be running in the normal way.

 Next, you can use a third party utility or the windows toolkit to run your
 sniffer executable as a service with the persistent switch.

 Here are two links from previous discussions to help.
 I prefer RunExeSvc because it seems simpler.

 http://www.mail-archive.com/[EMAIL PROTECTED]/msg00165.html

 Here it is done with the toolkit...

 http://www.mail-archive.com/[EMAIL PROTECTED]/msg00169.html

 Hope this helps,
 _M




RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Pete McNeil

Tried the above and got an error message. Tried:
sniffer.exe  xxauthenticationxx stop
and it paused a few seconds and returned to command prompt, so I'm guessing
that it stopped.
That doesn't sound quite right.

In the distribution there are some .CMD files that show examples of the 
commands:

stop - Ends the persistent server

reload - Reloads the rulebase & config file data

rotate - Moves the current log file to sniffer.log.mmddhhmmss

Note that all commands and configuration options are case sensitive.

Hope this helps,

_M





RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-07 Thread Robert Grosshandler
Since you're up, sorry to ask, where's the beta?  Didn't save the e-mail.

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, April 07, 2004 9:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3




Tried the above and got an error message. Tried:
sniffer.exe  xxauthenticationxx stop
and it paused a few seconds and returned to command prompt, so I'm 
guessing that it stopped.

That doesn't sound quite right.

In the distribution there are some .CMD files that show examples of the 
commands:

stop - Ends the persistent server

reload - Reloads the rulebase & config file data

rotate - Moves the current log file to sniffer.log.mmddhhmmss

Note that all commands and configuration options are case sensitive.

Hope this helps,

_M



---
[This E-mail scanned for viruses by Declude Virus]




RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-08 Thread Michiel Prins



Preliminary tests show there's no I/O problem but I'll do some 
additional benchmarking here and get back to you on 
this.


Groet, (regards)
--
ing. Michiel Prins bsc   [EMAIL PROTECTED]
SOS Small Office Solutions / Reject / 
Wannepad 27   -   1066 HW   -Amsterdam
t.+31(0)20-4082627  -  f.+31-(0)20-4082628
--
Consultancy -  Installation -  Maintenance
Network Security   -  Internet  -   E-mail
Software Development -  Project Management
--




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday 7 April 2004 17:38
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

Extraordinary...

Compare with a snippet from our IMail/NT4 test platform (severely
underpowered)...

snf2beta 20040407140913 D0b86122.SMD 30 90 Final 75148 63 0 6891 68
snf2beta 20040407140913 D0b8614e.SMD 90 140 Final 103691 57 0 8878 72
snf2beta 20040407140914 D0b88122.SMD 40 141 Final 103689 57 0 9003 71
snf2beta 20040407140915 D0b880b6.SMD 90 20 Final 106244 52 0 817 65
snf2beta 20040407140916 D0b8a0de.SMD 40 210 Final 104044 52 0 8779 76
snf2beta 20040407140917 D0b8b122.SMD 30 60 Final 70077 53 0 3727 73
snf2beta 20040407140920 D0b8e0b6.SMD 20 40 Clean 0 0 0 2958 54
snf2beta 20040407140927 D0b960b6.SMD 30 80 Final 30439 54 0 3885 73
snf2beta 20040407140934 D0b930b6.SMD 20 40 Clean 0 0 0 2647 67
snf2beta 20040407140935 D0b9e0a8.SMD 20 130 Final 73558 52 0 6242 80
snf2beta 20040407140942 D0ba414e.SMD 20 160 Final 105444 52 0 8252 87
snf2beta 20040407140942 D0ba40de.SMD 201 60 Final 105825 52 0 3351 68
snf2beta 20040407140947 D0baa0b6.SMD 30 121 Final 30439 54 0 3898 72
snf2beta 20040407140947 D0baa14e.SMD 40 80 Final 66835 52 0 5358 64
snf2beta 20040407140952 D0bad122.SMD 20 110 Final 97422 57 0 6104 79
snf2beta 20040407140952 D0bae0d2.SMD 30 81 Final 83761 57 0 4790 72
snf2beta 20040407140952 D0bac0b6.SMD 40 90 Final 1686 48 0 5415 80
snf2beta 20040407141003 D0bb90b6.SMD 20 40 Final 49992 54 0 2186 69

The first thing I notice is that the setup times (first number) on your
system are consistently large. According to your log entries it is taking a
quarter of a second to scan the working directory for a job... That's a LOT
of time for a directory scan to take.

The message scan itself doesn't seem to be out of range.

The next thing I notice is that your messages arrive several seconds apart
consistently. I see 10 sec, 16, 12, 4, 10, etc... In our log we frequently
scan several messages in the same second.

I see two things going on based on this data:

I suspect your system is I/O bound. There is no reason that a directory scan
should take more than a few tens of milliseconds except occasionally... That
puts your numbers out by nearly an order of magnitude (compare 20s & 30s w/
109, 187, 280+!). Be sure that Sniffer's working directory does not have any
extra files in it. Sniffer instances measure their apparent work load by
counting the number of files in their working directory... The theory is
that aside from a handful of necessary files the rest are jobs waiting to be
processed... so if the number of files is large then the load must be high
and so a Sniffer instance should be prepared to wait a bit longer for
service.

Sniffer should be running in its own directory with no other files present
that don't need to be there. Be sure to clean out any dead job files that
might have built up with a prior error etc...

My thinking on I/O is that if it takes 100-280 msec to scan the directory
for job files then it's likely to take quite a while to load any program -
including the shell. This can explain the additional time you are seeing in
your measurements. Under normal circumstances I would expect that operation
to happen almost instantaneously since the Sniffer executable, command
shell, and other files that must load should remain consistently in memory
due to their being called so frequently. It's a good bet that much of your
delay time is bound in this part of the equation.

The next place I think you're finding delays is in sleeping. There are
several seconds between messages on your system consistently so Sniffer is
going to sleep much of the time. If Sniffer can't find work for several
seconds the poll delay times will expand accordingly. It's a good bet that
the rest of the time in your 1.5 seconds is due to the fact that the next
message you're going to process is 5-10 seconds away from the last.

After waiting 1 second the poll delay will be ~ 630ms
After about 2.5 seconds the poll delay will be ~ 1650ms...
By the time you get beyond 5 seconds the poll delay will be 4000ms, so your
average sleep time will be 2 secs. Based on this I think 1.5 seconds is not
unlikely... on the other hand since the next message is likely to be 5 or
more seconds away this should have no apparent effect on throughput, and
since Sniffer is sleeping most of the time your 

RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-08 Thread Kirk Mitchell
At 05:42 AM 4/8/04 -0400, Pete McNeil wrote:
 http://www.keyconn.net/misc/sniffer.htm

 I'll bet you are using b1 - this first 2-3beta does not implement the
command interface. 

Yes, I had b1 in use, trying b2 now.


-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




[sniffer] Log file in GMT?

2004-04-09 Thread Michiel Prins
Pete,

My Sniffer log file logs times which are two hours early. I suspect that
it's because Amsterdam is in GMT+2. Why does sniffer not log local time?


Groet, (regards)
--
ing. Michiel Prins bsc   [EMAIL PROTECTED]
SOS Small Office Solutions / Reject / 
Wannepad 27   -   1066 HW   -Amsterdam
t.+31(0)20-4082627  -  f.+31-(0)20-4082628
--
Consultancy -  Installation -  Maintenance
Network Security   -  Internet  -   E-mail
Software Development -  Project Management
--
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Kirk Mitchell
Sent: Thursday 8 April 2004 23:35
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

At 05:42 AM 4/8/04 -0400, Pete McNeil wrote:
 http://www.keyconn.net/misc/sniffer.htm

 I'll bet you are using b1 - this first 2-3beta does not implement the 
command interface.

Yes, I had b1 in use, trying b2 now.


-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




Re: [sniffer] Log file in GMT?

2004-04-09 Thread Pete McNeil
Sniffer logs times in GMT so that all events can be easily coordinated. 
This will become increasingly important as we roll out collaborative AI 
features in the coming months.

Thanks,
_M
At 04:37 AM 4/9/2004, you wrote:
Pete,

My Sniffer log file logs times which are two hours early. I suspect that
it's because Amsterdam is in GMT+2. Why does sniffer not log local time?

Groet, (regards)
--
ing. Michiel Prins bsc   [EMAIL PROTECTED]
SOS Small Office Solutions / Reject / 
Wannepad 27   -   1066 HW   -Amsterdam
t.+31(0)20-4082627  -  f.+31-(0)20-4082628
--
Consultancy -  Installation -  Maintenance
Network Security   -  Internet  -   E-mail
Software Development -  Project Management
--
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Kirk Mitchell
Sent: Thursday 8 April 2004 23:35
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3
At 05:42 AM 4/8/04 -0400, Pete McNeil wrote:
 http://www.keyconn.net/misc/sniffer.htm

 I'll bet you are using b1 - this first 2-3beta does not implement the
command interface.
Yes, I had b1 in use, trying b2 now.

--
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net


[sniffer] log file growing

2004-04-09 Thread andyb
HI,

My log file used to write to a new file everyday, now it is writing to the
same file...

I didn't change anything, how do I fix it?

Thanks, andy




Re: [sniffer] log file growing

2004-04-09 Thread Pete McNeil
At 12:18 PM 4/9/2004, you wrote:
HI,

My log file used to write to a new file everyday, now it is writing to the
same file...
I didn't change anything, how do I fix it?
This is confusing. Message Sniffer has always written to a single log file 
that does not change. External utilities could be used to rotate the log 
file as needed.

The only time this has changed is with the new beta which includes a 
command option for persistent servers:

[snflicid.exe] rotate

If this command is run and you are running a persistent instance of sniffer 
then the log file will be rotated to [snflicid].log.mmddhhmmss.

This does not happen automatically and never did in the past.

If your log file was being rotated then it was handled by another utility 
on your system and that utility has stopped working.

Hope this helps,

_M

PS:
  snflicid = your specific sniffer license id.
  mmddhhmmss = date/time stamp in a compressed ISO format.




Re: [sniffer] log file growing

2004-04-10 Thread Pete McNeil
H,

If we were triggering it - then that would have been our update 
notification message. If that's stopped working then you might want to look 
at your rulebase to see that it's up to date...

What you're looking for is a program alias that launches your update script.

That's the best place to start.
You can probably send yourself a message to that address to trigger (or 
not) the events and see what is broken.

Hope this helps,
_M
At 08:23 AM 4/10/2004, you wrote:
Ok,

That's what's happening.  It was being rotated.  You helped me set that up.
I haven't changed/moved anything so it has stopped working...  It was being
initiated automatically by an email sent by you to the system in Imail.
Where do I look?

Thanks, andy

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 09, 2004 3:20 PM
Subject: Re: [sniffer] log file growing
 At 12:18 PM 4/9/2004, you wrote:
 HI,
 
 My log file used to write to a new file everyday, now it is writing to the
 same file...
 
 I didn't change anything, how do I fix it?

 This is confusing. Message Sniffer has always written to a single log file
 that does not change. External utilities could be used to rotate the log
 file as needed.

 The only time this has changed is with the new beta which includes a
 command option for persistent servers:

 [snflicid.exe] rotate

 If this command is run and you are running a persistent instance of sniffer
 then the log file will be rotated to [snflicid].log.mmddhhmmss.

 This does not happen automatically and never did in the past.

 If your log file was being rotated then it was handled by another utility
 on your system and that utility has stopped working.

 Hope this helps,

 _M

 PS:
snflicid = your specific sniffer license id.
mmddhhmmss = date/time stamp in a compressed ISO format.





Re: [sniffer] log file growing

2004-04-12 Thread Pete McNeil


Usually the log rotation is handled in a different .cmd.
I guess it could have been cobbled together but I don't recall doing
it.
You can get the starter scripts here:



http://www.sortmonster.net/Sniffer/Updates/WindowsTools.zip

ftp://ftp.sortmonster.net/Sniffer/Updates/WindowsTools.zip

A number of user submitted scripts are also available at the bottom
of the Automated Updates Help page:
http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html
Hope this helps,
_M
At 12:56 PM 4/12/2004, you wrote:
Hi,

The .snf file is up to date, so the program alias is working.
I ran the autosnf.cmd file you helped me set up and it is working with no
errors, but it isn't doing anything with rotating the log files, as it was
before. I have no idea why.
I do know that you had set it up for me to rotate the logs... can you send me
the section of the autosnf.cmd file that is missing that does that?

Thanks, andy

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, April 10, 2004 9:12 AM
Subject: Re: [sniffer] log file growing

 H,

 If we were triggering it - then that would have been our update
 notification message. If that's stopped working then you might want to look
 at your rulebase to see that it's up to date...

 What you're looking for is a program alias that launches your update script.

 That's the best place to start.
 You can probably send yourself a message to that address to trigger (or
 not) the events and see what is broken.

 Hope this helps,
 _M

 At 08:23 AM 4/10/2004, you wrote:
 Ok,
 
 That's what's happening. It was being rotated. You helped me set that up.
 I haven't changed/moved anything so it has stopped working... It was being
 initiated automatically by an email sent by you to the system in Imail.
 
 Where do I look?
 
 Thanks, andy
 
 - Original Message -
 From: Pete McNeil [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, April 09, 2004 3:20 PM
 Subject: Re: [sniffer] log file growing
 
   At 12:18 PM 4/9/2004, you wrote:
   HI,
   
   My log file used to write to a new file everyday, now it is writing to
   the same file...
   
   I didn't change anything, how do I fix it?
  
   This is confusing. Message Sniffer has always written to a single log
   file that does not change. External utilities could be used to rotate
   the log file as needed.
  
   The only time this has changed is with the new beta which includes a
   command option for persistent servers:
  
   [snflicid.exe] rotate
  
   If this command is run and you are running a persistent instance of
   sniffer then the log file will be rotated to [snflicid].log.mmddhhmmss.
  
   This does not happen automatically and never did in the past.
  
   If your log file was being rotated then it was handled by another
   utility on your system and that utility has stopped working.
  
   Hope this helps,
  
   _M
  
   PS:
   snflicid = your specific sniffer license id.
   mmddhhmmss = date/time stamp in a compressed ISO format.
  
  


[sniffer] OT: Call for beta testers

2004-04-12 Thread Sanford Whiteman
All,

MailMage  is  seeking beta testers for our latest utility, MilterSink.
MilterSink is a highly configurable DLL event sink for Microsoft's IIS
SMTP  service  (a.k.a.  MS  SMTP)  allowing  for  the  integration  of
command-line content scanners.

Originally  designed  to  wrap  our  SPAMC32  client for SpamAssassin,
MilterSink  can also be used with SortMonster's Message Sniffer or any
console-mode  milter,  and even offers rudimentary support for Declude
Junkmail. Basic actions to be taken on scanned messages include header
insertion,  subject modification, server-side quarantine, or deletion.
Advanced features will include multiple milter support (up to four per
server), compound tests, message rerouting, and more.

All interested should subscribe to the miltersink-beta mailing list at
http://listbot.cypressintegrated.com  and pursue additional discussion
there--I don't want to clutter this list. We'll give the list a couple
of  days  to  fill  up  and  will  likely distribute the 0.5.0 Beta on
Wednesday. As always, documentation brings up the rear. :)

Regards,

Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.




Re: [sniffer] OT: Call for beta testers

2004-04-12 Thread Sanford Whiteman
All,

While  no  one  has  protested, it's possible that the beta invitation
might  have looked like a commercial plug to some of you. We initially
thought  of  indicating  otherwise  outright, but decided that that
might look as if _we_ had protested too much. <grin>

For  the record, this project is mostly underway to treat our Exchange
clients  to  a  taste of Sniffer and get a little more respect for our
coding group. We currently expect to make MilterSink available free of
charge.  True,  it's  impossible  to rule out a huge volume of feature
requests  and  a pay (shareware-cheap) version down the line, but this
is not in any current plan and was not the motivation for my post.

Again, sorry if y'all felt spammed. Incidentally, I have kept this off
the  IMail  Forum  because it embraces competitive technology, even if
free.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]





RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-13 Thread Michiel Prins



Pete,

The speed problem has been found. McAfee Netshield 4.51 was 
making our server RIDICULOUSLY slow, despite the fact that we tried excluding 
the Sniffer folder and even disabling the service from the tray-icon. Upgrading 
to Virusscan Enterprise 7.x fixed our problem and our performance levels are in 
the regions that you mentioned.

Thanks for thinking along!



Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Michiel Prins
Sent: donderdag 8 april 2004 21:11
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

Preliminary tests show there's no I/O problem but I'll do some
additional benchmarking here and get back to you on this.


Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: woensdag 7 april 2004 17:38
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

Extraordinary...

Compare with a snippet from our IMail/NT4 test platform (severely
underpowered)...

snf2beta 20040407140913 D0b86122.SMD 30 90 Final 75148 63 0 6891 68
snf2beta 20040407140913 D0b8614e.SMD 90 140 Final 103691 57 0 8878 72
snf2beta 20040407140914 D0b88122.SMD 40 141 Final 103689 57 0 9003 71
snf2beta 20040407140915 D0b880b6.SMD 90 20 Final 106244 52 0 817 65
snf2beta 20040407140916 D0b8a0de.SMD 40 210 Final 104044 52 0 8779 76
snf2beta 20040407140917 D0b8b122.SMD 30 60 Final 70077 53 0 3727 73
snf2beta 20040407140920 D0b8e0b6.SMD 20 40 Clean 0 0 0 2958 54
snf2beta 20040407140927 D0b960b6.SMD 30 80 Final 30439 54 0 3885 73
snf2beta 20040407140934 D0b930b6.SMD 20 40 Clean 0 0 0 2647 67
snf2beta 20040407140935 D0b9e0a8.SMD 20 130 Final 73558 52 0 6242 80
snf2beta 20040407140942 D0ba414e.SMD 20 160 Final 105444 52 0 8252 87
snf2beta 20040407140942 D0ba40de.SMD 201 60 Final 105825 52 0 3351 68
snf2beta 20040407140947 D0baa0b6.SMD 30 121 Final 30439 54 0 3898 72
snf2beta 20040407140947 D0baa14e.SMD 40 80 Final 66835 52 0 5358 64
snf2beta 20040407140952 D0bad122.SMD 20 110 Final 97422 57 0 6104 79
snf2beta 20040407140952 D0bae0d2.SMD 30 81 Final 83761 57 0 4790 72
snf2beta 20040407140952 D0bac0b6.SMD 40 90 Final 1686 48 0 5415 80
snf2beta 20040407141003 D0bb90b6.SMD 20 40 Final 49992 54 0 2186 69

The first thing I notice is that the setup times (first number) on
your system are consistently large. According to your log entries it is
taking a quarter of a second to scan the working directory for a job...
That's a LOT of time for a directory scan to take.

The message scan itself doesn't seem to be out of range.

The next thing I notice is that your messages arrive several seconds
apart consistently. I see 10 sec, 16, 12, 4, 10, etc... In our log we
frequently scan several messages in the same second.

I see two things going on based on this data:

I suspect your system is I/O bound. There is no reason that a directory
scan should take more than a few tens of milliseconds except
occasionally... That puts your numbers out by nearly an order of
magnitude (compare 20s & 30s w/ 109, 187, 280+!).

Be sure that Sniffer's working directory does not have any extra files in
it. Sniffer instances measure their apparent work load by counting the
number of files in their working directory... The theory is that aside
from a handful of necessary files the rest are jobs waiting to be
processed... so if the number of files is large then the load must be
high and so a Sniffer instance should be prepared to wait a bit longer
for service.

Sniffer should be running in its own directory with no other files
present that don't need to be there. Be sure to clean out any dead job
files that might have built up with a prior error etc...

My thinking on I/O is that if it takes 100-280 msec to scan the directory
for job files then it's likely to take quite a while to load any program
- including the shell. This can explain the additional time you are
seeing in your measurements. Under normal circumstances I would expect
that operation to happen almost instantaneously since the Sniffer
executable, command shell, and other files that must load should remain
consistently in memory due to their being called so

RE: [sniffer] Final beta (b2) for snfrv2r3

2004-04-13 Thread Pete McNeil


That's fantastic news... Another mystery bites the dust!
_M
At 09:56 AM 4/13/2004, you wrote:
Pete,

The speed problem has been
found. McAfee Netshield 4.51 was making our server RIDICULOUSLY slow,
despite the fact that we tried excluding the Sniffer folder and even
disabling the service from the tray-icon. Upgrading to Virusscan
Enterprise 7.x fixed our problem and our performance levels are in the
regions that you mentioned.

Thanks for thinking along!


Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Michiel Prins
Sent: donderdag 8 april 2004 21:11
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

Preliminary tests show there's
no I/O problem but I'll do some additional benchmarking here and get back
to you on this.

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Pete McNeil
Sent: woensdag 7 april 2004 17:38
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

Extraordinary...
Compare with a snippet from our IMail/NT4 test platform (severely
underpowered)...
snf2beta 20040407140913 D0b86122.SMD 30 90 Final 75148 63 0 6891 68
snf2beta 20040407140913 D0b8614e.SMD 90 140 Final 103691 57 0 8878 72
snf2beta 20040407140914 D0b88122.SMD 40 141 Final 103689 57 0 9003 71
snf2beta 20040407140915 D0b880b6.SMD 90 20 Final 106244 52 0 817 65
snf2beta 20040407140916 D0b8a0de.SMD 40 210 Final 104044 52 0 8779 76
snf2beta 20040407140917 D0b8b122.SMD 30 60 Final 70077 53 0 3727 73
snf2beta 20040407140920 D0b8e0b6.SMD 20 40 Clean 0 0 0 2958 54
snf2beta 20040407140927 D0b960b6.SMD 30 80 Final 30439 54 0 3885 73
snf2beta 20040407140934 D0b930b6.SMD 20 40 Clean 0 0 0 2647 67
snf2beta 20040407140935 D0b9e0a8.SMD 20 130 Final 73558 52 0 6242 80
snf2beta 20040407140942 D0ba414e.SMD 20 160 Final 105444 52 0 8252 87
snf2beta 20040407140942 D0ba40de.SMD 201 60 Final 105825 52 0 3351 68
snf2beta 20040407140947 D0baa0b6.SMD 30 121 Final 30439 54 0 3898 72
snf2beta 20040407140947 D0baa14e.SMD 40 80 Final 66835 52 0 5358 64
snf2beta 20040407140952 D0bad122.SMD 20 110 Final 97422 57 0 6104 79
snf2beta 20040407140952 D0bae0d2.SMD 30 81 Final 83761 57 0 4790 72
snf2beta 20040407140952 D0bac0b6.SMD 40 90 Final 1686 48 0 5415 80
snf2beta 20040407141003 D0bb90b6.SMD 20 40 Final 49992 54 0 2186 69

The first thing I notice is that the setup times (first number) on
your system are consistently large. According to your log entries it is
taking a quarter of a second to scan the working directory for a job...
That's a LOT of time for a directory scan to take.

The message scan itself doesn't seem to be out of range.

The next thing I notice is that your messages arrive several seconds
apart consistently. I see 10 sec, 16, 12, 4, 10, etc... In our log we
frequently scan several messages in the same second.

I see two things going on based on this data:

I suspect your system is I/O bound. There is no reason that a directory
scan should take more than a few tens of milliseconds except
occasionally... That puts your numbers out by nearly an order of
magnitude (compare 20s & 30s w/ 109, 187, 280+!).

Be sure that Sniffer's working directory does not have any extra files in
it. Sniffer instances measure their apparent work load by counting the
number of files in their working directory... The theory is that aside
from a handful of necessary files the rest are jobs waiting to be
processed... so if the number of files is large then the load must be
high and so a Sniffer instance should be prepared to wait a bit longer
for service.

Sniffer should be running in its own directory with no other files
present that don't need to be there. Be sure to clean out any dead job
files that might have built up with a prior error etc...

My thinking on I/O is that if it takes 100-280 msec to scan the directory
for job files then it's likely to take quite a while to load any program
- including the shell. This can explain the additional time you are
seeing in your measurements. Under normal circumstances I would expect
that operation to happen almost instantaneously since the Sniffer
executable, command shell, and other files that must load should 
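
A way to check a Sniffer log for the two symptoms described in the message above (large setup times and widely spaced arrivals), as an added example that is not part of the original thread or of Message Sniffer. The sample is the first twelve log lines quoted above; the function names, the 100 ms limit, and reading the second number as scan time in milliseconds are assumptions.

```python
from datetime import datetime
from statistics import median

# First twelve log lines from the snippet quoted in the thread.
SAMPLE_LOG = """\
snf2beta 20040407140913 D0b86122.SMD 30 90 Final 75148 63 0 6891 68
snf2beta 20040407140913 D0b8614e.SMD 90 140 Final 103691 57 0 8878 72
snf2beta 20040407140914 D0b88122.SMD 40 141 Final 103689 57 0 9003 71
snf2beta 20040407140915 D0b880b6.SMD 90 20 Final 106244 52 0 817 65
snf2beta 20040407140916 D0b8a0de.SMD 40 210 Final 104044 52 0 8779 76
snf2beta 20040407140917 D0b8b122.SMD 30 60 Final 70077 53 0 3727 73
snf2beta 20040407140920 D0b8e0b6.SMD 20 40 Clean 0 0 0 2958 54
snf2beta 20040407140927 D0b960b6.SMD 30 80 Final 30439 54 0 3885 73
snf2beta 20040407140934 D0b930b6.SMD 20 40 Clean 0 0 0 2647 67
snf2beta 20040407140935 D0b9e0a8.SMD 20 130 Final 73558 52 0 6242 80
snf2beta 20040407140942 D0ba414e.SMD 20 160 Final 105444 52 0 8252 87
snf2beta 20040407140942 D0ba40de.SMD 201 60 Final 105825 52 0 3351 68
"""


def parse_line(line):
    """Return a record for one log line, or None if it does not parse.

    Fields used: [1] timestamp, [2] message file, [3] setup time (the
    "first number" in the thread), [4] scan time (assumed), [5] result.
    The remaining fields are not interpreted.
    """
    parts = line.split()
    if len(parts) < 6:
        return None
    try:
        when = datetime.strptime(parts[1], "%Y%m%d%H%M%S")
        setup_ms, scan_ms = int(parts[3]), int(parts[4])
    except ValueError:
        return None
    return {"time": when, "file": parts[2], "setup_ms": setup_ms,
            "scan_ms": scan_ms, "result": parts[5]}


def summarize(text, setup_limit_ms=100):
    """Summarize setup times and gaps between consecutive messages."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # e.g. the tail of a line wrapped by a mail client
        else:
            records.append(rec)
    if not records:
        raise ValueError("no parsable log lines")
    records.sort(key=lambda r: r["time"])
    # Whole seconds between one logged message and the next.
    gaps = [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(records, records[1:])]
    return {
        "messages": len(records),
        "skipped": skipped,
        "median_setup_ms": median(r["setup_ms"] for r in records),
        "slow_setup_files": [r["file"] for r in records
                             if r["setup_ms"] > setup_limit_ms],
        "same_second_pairs": sum(1 for g in gaps if g == 0),
        "max_gap_s": max(gaps) if gaps else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
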

Re: [sniffer] log file growing

2004-04-13 Thread andyb



Ok,

There is a logrotate.cmd that you modified for me. I don't know why it
isn't kicking off automatically like it was before, but it isn't. It had
been running automatically for months.

How do you recommend doing that so that you get the log files when you
want them?

Thanks, Andy



  - Original Message -
  From: Pete McNeil
  To: [EMAIL PROTECTED]
  Sent: Monday, April 12, 2004 2:09 PM
  Subject: Re: [sniffer] log file growing

  Usually the log rotation is handled in a different .cmd.
  I guess it could have been cobbled together but I don't recall doing it.

  You can get the starter scripts here:

  http://www.sortmonster.net/Sniffer/Updates/WindowsTools.zip
  ftp://ftp.sortmonster.net/Sniffer/Updates/WindowsTools.zip

  A number of user submitted scripts are also available at the bottom of the
  Automated Updates Help page:
  http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

  Hope this helps,
  _M

  At 12:56 PM 4/12/2004, you wrote:
  Hi,

  The .snf file is up to date, so the program alias is working.

  I ran the autosnf.cmd file you helped me set up and it is working with no
  errors, but it isn't doing anything with rotating the log files, as it was
  before. I have no idea why.

  I do know that you had set it up for me to rotate the logs... can you send me
  the section of the autosnf.cmd file that is missing that does that?

  Thanks, andy

  - Original Message -
  From: "Pete McNeil" [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Saturday, April 10, 2004 9:12 AM
  Subject: Re: [sniffer] log file growing

  H,

  If we were triggering it - then that would have been our update
  notification message. If that's stopped working then you might want to look
  at your rulebase to see that it's up to date...

  What you're looking for is a program alias that launches your update script.

  That's the best place to start.
  You can probably send yourself a message to that address to trigger (or
  not) the events and see what is broken.

  Hope this helps,
  _M

  At 08:23 AM 4/10/2004, you wrote:
  Ok,

  That's what's happening. It was being rotated. You helped me set that up.
  I haven't changed/moved anything so it has stopped working... It was being
  initiated automatically by an email sent by you to the system in Imail.

  Where do I look?

  Thanks, andy

  - Original Message -
  From: "Pete McNeil" [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, April 09, 2004 3:20 PM
  Subject: Re: [sniffer] log file growing

  At 12:18 PM 4/9/2004, you wrote:
  HI,

  My log file used to write to a new file everyday, now it is writing to the
  same file...

  I didn't change anything, how do I fix it?

  This is confusing. Message Sniffer has always written to a single log file
  that does not change. External utilities could be used to rotate the log
  file as needed.

  The only time this has changed is with the new beta which includes a
  command option for persistent servers:

  [snflicid.exe] rotate

  If this command is run and you are running a persistent instance of sniffer
  then the log file will be rotated to [snflicid].log.mmddhhmmss.

  This does not happen automatically and never did in the past.

  If your log file was being rotated then it was handled by another utility
  on your system and that utility has stopped working.

  Hope this helps,

  _M

  PS:
  snflicid = your specific sniffer license id.
  mmddhhmmss = date/time stamp in a compressed ISO format.


Re: [sniffer] log file growing

2004-04-13 Thread andyb



It is working, I tested it from the command line. What time of day do 
you want it run?

  - Original Message -
  From: Pete McNeil
  To: [EMAIL PROTECTED]
  Sent: Tuesday, April 13, 2004 7:06 PM
  Subject: Re: [sniffer] log file growing

  First, give it a test by launching it manually to make sure it's not broken.
  If that works then set up a scheduled task to run the .cmd once a day
  (that's usually enough).
  That should be it.

  Thanks!
  _M

  At 05:57 PM 4/13/2004, you wrote:
  Ok,

  There is a logrotate.cmd that you modified for me. I don't know why it isn't
  kicking off automatically like it was before, but it isn't. It had been
  running automatically for months.

  How do you recommend doing that so that you get the log files when you want
  them?

  Thanks, Andy

  - Original Message - 
  From: Pete McNeil 
  
  To: [EMAIL PROTECTED] 
  Sent: Monday, April 12, 2004 2:09 PM
  Subject: Re: [sniffer] log file growing
  Usually the log rotation is handled in a different .cmd.
  I guess it could have been cobbled together but I don't recall doing 
  it.
  You can get the starter scripts here:
  
http://www.sortmonster.net/Sniffer/Updates/WindowsTools.zip
ftp://ftp.sortmonster.net/Sniffer/Updates/WindowsTools.zip
  A number of user submitted scripts are also available at the bottom of 
  the Automated Updates Help page:
  http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html
  Hope this helps,
  _M
  At 12:56 PM 4/12/2004, you wrote:
  Hi,

  The .snf file is up to date, so the program alias is working.

  I ran the autosnf.cmd file you helped me set up and it is working with no
  errors, but it isn't doing anything with rotating the log files, as it was
  before. I have no idea why.

  I do know that you had set it up for me to rotate the logs... can you send me
  the section of the autosnf.cmd file that is missing that does that?

  Thanks, andy

  - Original Message -
  From: "Pete McNeil" [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Saturday, April 10, 2004 9:12 AM
  Subject: Re: [sniffer] log file growing

  H,

  If we were triggering it - then that would have been our update
  notification message. If that's stopped working then you might want to look
  at your rulebase to see that it's up to date...

  What you're looking for is a program alias that launches your update script.

  That's the best place to start.
  You can probably send yourself a message to that address to trigger (or
  not) the events and see what is broken.

  Hope this helps,
  _M

  At 08:23 AM 4/10/2004, you wrote:
  Ok,

  That's what's happening. It was being rotated. You helped me set that up.
  I haven't changed/moved anything so it has stopped working... It was being
  initiated automatically by an email sent by you to the system in Imail.

  Where do I look?

  Thanks, andy

  - Original Message -
  From: "Pete McNeil" [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, April 09, 2004 3:20 PM
  Subject: Re: [sniffer] log file growing

  At 12:18 PM 4/9/2004, you wrote:
  HI,

  My log file used to write to a new file everyday, now it is writing to the
  same file...

  I didn't change anything, how do I fix it?

  This is confusing. Message Sniffer has always written to a single log file
  that does not change. External utilities could be used to rotate the log
  file as needed.

  The only time this has changed is with the new beta which includes a
  command option for persistent servers:

  [snflicid.exe] rotate

  If this command is run and you are running a persistent instance of sniffer
  then the log file will be rotated to [snflicid].log.mmddhhmmss.

  This does not happen automatically and never did in the past.

  If your log file was being rotated then it was handled by another utility
  on your system and that utility has stopped working.

  Hope this helps,

  _M

  PS:
  snflicid = your specific sniffer license id.
  mmddhhmmss = date/time

Re: [sniffer] log file growing

2004-04-14 Thread Pete McNeil


Any time is fine. How about 0100 ET. - I'm pretty sure that spot is
mostly empty.
_M
At 09:17 PM 4/13/2004, you wrote:
It is working, I tested it from
the command line. What time of day do you want it run?


- Original Message - 

From: Pete McNeil


To: [EMAIL PROTECTED] 

Sent: Tuesday, April 13, 2004 7:06 PM

Subject: Re: [sniffer] log file growing

First, give it a test by launching it manually to make sure it's not broken.

If that works then set up a scheduled task to run the .cmd once a day (that's usually enough).

That should be it.

Thanks!

_M

At 05:57 PM 4/13/2004, you wrote:

Ok,



There is a logrotate.cmd that you modified for me. I don't know why it isn't kicking off automatically like it was before, but it isn't. It had been running automatically for months.



How do you recommend doing that so that you get the log files when you want them?



Thanks, Andy





- Original Message - 
From: Pete McNeil 
To: [EMAIL PROTECTED] 
Sent: Monday, April 12, 2004 2:09 PM
Subject: Re: [sniffer] log file growing

Usually the log rotation is handled in a different .cmd.
I guess it could have been cobbled together but I don't recall doing it.

You can get the starter scripts here:


http://www.sortmonster.net/Sniffer/Updates/WindowsTools.zip

ftp://ftp.sortmonster.net/Sniffer/Updates/WindowsTools.zip


A number of user submitted scripts are also available at the bottom of the Automated Updates Help page:

http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

Hope this helps,
_M

At 12:56 PM 4/12/2004, you wrote:
Hi,

The .snf file is up to date, so the program alias is working.

I ran the autosnf.cmd file you helped me set up and it is working with no
errors, but it isn't doing anything with rotating the log files, as it was
before. I have no idea why.

I do know that you had set it up for me to rotate the logs...can you send me
the section of the autosnf.cmd file that is missing that does that?

Thanks, andy

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, April 10, 2004 9:12 AM
Subject: Re: [sniffer] log file growing


 H,

 If we were triggering it - then that would have been our update
 notification message. If that's stopped working then you might want to
look
 at your rulebase to see that it's up to date...

 What you're looking for is a program alias that launches your update
script.

 That's the best place to start.
 You can probably send yourself a message to that address to trigger (or
 not) the events and see what is broken.

 Hope this helps,
 _M

 At 08:23 AM 4/10/2004, you wrote:
 Ok,
 
 That's what's happening. It was being rotated. You helped me set that
up.
 I haven't changed/moved anything so it has stopped working... It was
being
 initiated automatically by an email sent by you to the system in Imail.
 
 Where do I look?
 
 Thanks, andy
 
 - Original Message -
 From: Pete McNeil [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, April 09, 2004 3:20 PM
 Subject: Re: [sniffer] log file growing
 
 
   At 12:18 PM 4/9/2004, you wrote:
   HI,
   
   My log file used to write to a new file everyday, now it is writing
to
 the
   same file...
   
   I didn't change anything, how do I fix it?
  
   This is confusing. Message Sniffer has always written to a single log
file
   that does not change. External utilities could be used to rotate the
log
   file as needed.
  
   The only time this has changed is with the new beta which includes a
   command option for persistent servers:
  
   [snflicid.exe] rotate
  
   If this command is run and you are running a persistent instance of
 sniffer
   then the log file will be rotated to [snflicid].log.mmddhhmmss.
  
   This does not happen automatically and never did in the past.
  
   If your log file was being rotated then it was handled by another
utility
   on your system and that utility has stopped working.
  
   Hope this helps,
  
   _M
  
   PS:
   snflicid = your specific sniffer license id.
   mmddhhmmss = date/time stamp in a compressed ISO format.
  
  
  





Re: [sniffer] Download Problem

2004-04-14 Thread Pete McNeil
We had some major BGP flapping with both Sprint and Savvis. Nobody has 
gotten to the bottom of it yet and it settled down around 0200. No errors 
or warnings since then.

_M

At 10:37 PM 4/13/2004, you wrote:
Pete.
I am seeing major download problems of the SNF file tonight.
Any problems with others.

Fred



[sniffer] logrotate

2004-04-14 Thread Bonno Bloksma



Hi,

In the default logrotate.cmd script is a move instead of a ren command.
Is there any special reason for that? As Ren is an internal command and
move an external command I would have expected Ren to be used.

p.s. Did my comment about an updated AutoSNF.cmd file make it to you
Pete? I sent it to the list Friday April 9th but it never made it back
over here?

Groetjes,

Bonno Bloksma



