On Wednesday, April 20, 2005, 1:15:37 PM, Jim wrote:
JM Pete,
JM Should we change the license info in the plugin.cfg file to match our
JM license info or should we wait to do so until the release version comes out?
Please go ahead and make the change. The current code is considered to
be
Pete,
Is there a difference between the normal .snf files I have been downloading
and the one for the plugin? I have setup my script to download the .snf
file and noticed it is a couple mb's smaller than the included demo .snf
file.
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Pete, I've been using this plugin for the last couple of months and can say
it's been rock solid. Nice work!
One little feature request though would be to add an option to auto prune
the sniffer log file to so many days, or X kilobytes.
-Original Message-
From: [EMAIL PROTECTED]
Tip for MDaemon plug-in users.
Sniffer's .cfg file has an option 'not' to scan files larger than 'X'. If
this option is set then no sniffer headers will be placed into the message
(if the message is larger than 'X').
Beware, if you use MD's Content Filter to instruct where to send messages
based
On Wednesday, April 20, 2005, 4:19:48 PM, Jim wrote:
JM Do you configure rules similar to in the previous versions, or by using this
JM as a plug in is there a GUI for configuration.
We configure the rulebase the same way we have in the past. Using the
plugin is not different from using the
_M i'll try this one,
Jim, you will keep all of your Content Filter rules the same 'except' you
will disable (or delete) the two Sniffer entries 'Run Message Sniffer' Add
Headers'. Those two functions will be generated from the plug-in.
Also, if you are using the results codes (in the Content
That will work, we are actually migrating from another email platform so I
am doing this from scratch. Is there any way I can set this rule to attach
the original spam message to a warning message rather than move it to a
separate directory, like you can for the built in spam tests in Mdaemon?
On Wednesday, April 20, 2005, 3:36:14 PM, Dave wrote:
DK Pete, I've been using this plugin for the last couple of months and can say
DK it's been rock solid. Nice work!
DK One little feature request though would be to add an option to auto prune
DK the sniffer log file to so many days, or X
Put this in local.cf in your /rules directory under SpamAssassin, for
having SA score SNF matches
# Match any Message Sniffer result code from 1 to 63
header MESSAGE_SNIFFER X-SortMonster-MessageSniffer-Result =~ /\b(?:[1-9]|[1-5][0-9]|6[0-3])\b/
describe MESSAGE_SNIFFER Flagged by message sniffer (www.sortmonster.com)
score MESSAGE_SNIFFER 8.0
Hi,
I think I am having a problem with my Declude log file numbers/stats and
I want to try and figure it out. Last week my Sniffer hit rate went from
SNIFFER6,699...64.78%
To yesterday
SNIFFER1,299...10.24%
This is wrong as Sniffer
On Sunday, April 24, 2005, 1:52:53 PM, Goran wrote:
GJ Hi,
GJ I think I am having a problem with my Declude log file numbers/stats and
GJ I want to try and figure it out. Last week my Sniffer hit rate went from
GJ SNIFFER6,699...64.78%
GJ To yesterday
GJ
Does anyone know a way I could setup digest style
notifications in Mdaemon so that messages copied to users spam folder would be
provided notification digest messages letting them know they should check their
spam folder if need be? Also is there a way I can setup an autopurge
feature so
On Apr 25, 2005, at 10:46 AM, Jim Matuska wrote:
Does anyone know a way I could setup digest style notifications in Mdaemon so that messages copied to users spam folder would be provided notification digest messages letting them know they should check their spam folder if need be? Also is there a
Look what I got.
Fred
- Original Message -
From: Postmaster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 6:22 PM
Subject: Undeliverable Mail
Delivery failed 10 attempts: [EMAIL PROTECTED]
Unexpected connection response from server:
421 Insufficient System
On Tuesday, April 26, 2005, 6:25:38 PM, Frederick wrote:
FS Look what I got.
There has been some trouble with my mail server --- attacks and other
technical issues while I was on the road. I'm back now and I'm working
through it. Things _appear_ to be settling down.
Sorry for any confusion.
_M
Shame on you for being on the road... you should know better than to leave
your machines alone...you never know what trouble they might get into while
you're gone grin.
I was out for 2 hours over lunch today, and sure enough, IIS stops
responding on one of our hosting servers right after I leave.
I am all of a sudden having all of the mail from one of our hosted domains
fail the sniffer-phishing. The domain is srinternational.com - could you
please check on this. All of the emails are different - just from the same
domain.
Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
On Monday, May 9, 2005, 7:40:00 PM, Chuck wrote:
CS I am all of a sudden having all of the mail from one of our hosted domains
CS fail the sniffer-phishing. The domain is srinternational.com - could you
CS please check on this. All of the emails are different - just from the same
CS domain.
I am finding that most if not all email from Comcast senders are failing
Sniffer.
Fred
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Pete,
Can you send these kinds of emails to Hamed instead of me please.
thanks
Judy Burnett
Everyones Internet, Ltd.
835 Greens Parkway, Suite 150
Houston, TX 77067
713-579-2802
Fax: 713-942-8621
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete
On Tuesday, May 10, 2005, 9:35:59 AM, Frederick wrote:
FS I am finding that most if not all email from Comcast senders are failing
FS Sniffer.
Please submit a false positive report to false@ and include matching
SNF log entries if possible.
Thanks,
_M
On Tuesday, May 10, 2005, 9:37:29 AM, Judy wrote:
JB Pete,
JB Can you send these kinds of emails to Hamed instead of me please.
JB thanks
I have changed your subscription.
Please note you can alter your sniffer@ list subscription at any time.
Information is on our help page:
Hello Sniffer Folks,
A rule was created today by one of the robots which targets
.comcast.net -- This happened when a number of blacklists including
SBL listed comcast IPs causing the robot to be convinced that a
message in the spamtrap warranted tagging the domain.
The rule has been
Whew! Just got done forwarding 90 false positives to mail clients. Sure
glad you caught it!
Michael Stein
Computer House
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Tuesday, May 10, 2005 10:27 AM
Subject: [sniffer] Rule 353039 -
Thanks for the quick work, Pete.
I put in the Rule-panic entry as soon as you sent the email to this
list.
For what it's worth, I just finished with all my held mail for the last
two days, and I had no false positives from messages with a mailfrom
that included c o m c a s t.
Lots of mail that
Pete,
Is this in the beta/free release of Sniffer rules?
Erik
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Colbeck, Andrew
Sent: Tuesday, May 10, 2005 6:20 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Rule 353039 - .comcast.net
Thanks for
Warning!
When you add a RulePanic entry and are running Sniffer in persistent
mode, you have to restart the service for it to take effect. I changed
this earlier and it had no effect until I restarted the service on my
box. Maybe I'm wrong about this, but just changing my config file had
no
Mail from Comcast is still getting caught, even with the panic rule in
place. Any suggestions?
Mike Stein
On Tuesday, May 10, 2005, 12:31:18 PM, Erik wrote:
E Pete,
E Is this in the beta/free release of Sniffer rules?
It may not be --- it's new enough that it may have been excluded from
the demo rulebase. To make sure you should make a quick scan of your
SNF log file for that rule number. In any
See my message below...restart your Sniffer service and it should work.
Matt
Computer House Support wrote:
Mail from Comcast is still getting caught, even with the panic rule in
place. Any suggestions?
Mike Stein
On Tuesday, May 10, 2005, 12:45:53 PM, Computer wrote:
CHS Mail from Comcast is still getting caught, even with the panic rule in
CHS place. Any suggestions?
* be sure you have updated rulbase.cfg
* be sure your entry is in the correct format. You will find examples
at the bottom of your .cfg
On Tuesday, May 10, 2005, 12:41:42 PM, Matt wrote:
M Warning!
M When you add a RulePanic entry and are running Sniffer in persistent
M mode, you have to restart the service for it to take effect.
You can also issue license.exe reload
snip/
M Pete, when you send out these notifications, would
Matt,
Restarting the sniffer service seems to have done the trick. Thank you for
the suggestion!
Michael Stein
Computer House
[EMAIL PROTECTED]
- Original Message -
From: Matt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, May 10, 2005 12:46 PM
Subject: Re: [sniffer]
What's going on over there?
Our FTP process has been failing since yesterday
afternoon, and when I go to the main website it prompts me for an ID and
PW.
Darin.
On Friday, May 13, 2005, 9:11:15 AM, Hosting wrote:
HS What's going on over there?
HS
HS Our FTP process has been failing since yesterday afternoon,
HS and when I go to the main website it prompts me for an ID and PW.
I'm not seeing a problem - I'm on the site right now in fact, and the
crew
Looks fine now. I couldn't get there earlier this morning through two
different ISPs, though, and updates from 7pm last night through this morning
failed. Maybe a temporary routing or DNS issue.
Darin.
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Hosting Support
Hello Darin,
working here, maybe your proxy wants authentication?
:)
Alex
From: Hosting Support [mailto:[EMAIL PROTECTED]
Sent: Friday, May 13, 2005 3:11 PM
To: sniffer@SortMonster.com
Subject: [sniffer] FTP and web down?
What's going on over there?
Our FTP
That one was not blocked by my rulebase...?
Regards,
Michiel
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Daniel Bayerdorffer
Sent: vrijdag 13 mei 2005 16:32
To: sniffer@SortMonster.com
Subject: [sniffer] Message Sniffer says Sniffer List is Spam
On Friday, May 13, 2005, 10:31:57 AM, Daniel wrote:
DB Hello,
DB A lot of the email from the Message Sniffer list, gets marked as spam by
DB Message Sniffer! See attached.
That's weird. Can you send me the rule (SNF log snippet) off list at
our support@ address please?
Thanks,
_M
Dear Pete,
Does anyone look at the mail that is forwarded to [EMAIL PROTECTED], or is it a 100%
automatic process?
Thank you,
Michael Stein
Computer House
[EMAIL PROTECTED]
www.computerhouse.com
On Sunday, May 15, 2005, 8:07:30 PM, Computer wrote:
CHS Thanks for the info. That would explain why my questions were not replied
CHS to. Thought no one was checking. I will resume sending spam.
CHS Can you explain what you meant by: This is to prevent any kind of social
CHS engineering
On Tuesday, May 17, 2005, 1:27:25 PM, Jim wrote:
JM Is anyone else seeing a huge amount of spam increase over
JM the last couple days. Most is being caught by sniffer but the
JM overall number of messages especially foreign language spam messages
JM seems to be very high.
You are probably
Yes, these messages were caused by Sunday's Sober.O and Sober.P remote
update of previously infected PCs, causing them to send out millions of
neo-nazi mail. The next update (likely a new spam-wave) is scheduled in
10 days. Some public mailboxes got as many as 50,000 emails in 48 hours to a
I think that is it, do the links in the messages go to the virus rather than
the normal attachment method to avoid the virus scanners?
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To:
Pete,
Is there a possibility of setting up another return
code for situations such as this such as a blacklist rulecode that only has
rules for messages such as these that should be blacklisted immediately. I
wouldn't mind setting certain high priority rules to block immediately.
Jim
On Tuesday, May 17, 2005, 1:44:30 PM, Jim wrote:
JM Pete,
JM Is there a possibility of setting up another return code for
JM situations such as this such as a blacklist rulecode that only has
JM rules for messages such as these that should be blacklisted
JM immediately. I wouldn't mind setting
Thanks Pete, would you be able to provide the current false positive rates
for the return codes?
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Jim Matuska sniffer@SortMonster.com
On Tuesday, May 17, 2005, 2:57:44 PM, Jim wrote:
JM Thanks Pete, would you be able to provide the current false positive rates
JM for the return codes?
This is not something that we are formally capturing at present,
however anecdotally I can't recall the last time we had an FP
submitted for the
Pete,
Your memory fails you :) I reported one just yesterday, however it was
understandable. The rule is below (slightly obfuscated for public
consumption).
MB Final
MB RULE 349776-055: User Submission, 13 days, 3.1979660500
MB NAME: Account and Password Information are
On Tuesday, May 17, 2005, 6:37:12 PM, Chuck wrote:
CS Can't seem to get a response on a major problem we are having.
Responded off list.
_M
On Wednesday, May 25, 2005, 9:11:17 AM, Computer wrote:
CHS Dear Pete,
CHS In the past few days, it seems the amount of spam getting through has
CHS increased quite a bit. I am wondering if it is necessary to upgrade to the
CHS latest version of the Declude software. Do you think this would
On Thursday, May 26, 2005, 3:05:45 PM, Jason wrote:
JP I have not downloaded anything. Do I down load the demo then enter an
JP authorization key?
Yes. Generally you start with the Demo rulebase and the current
distribution. Once you have that up and running you download your
registered
Pete,
Just an FYI in case you didn't know.
http://www.declude.com/SearchResults.asp?Cat=3
Every other Icon or Company logo is a link except sniffer...
Marc
---
[This E-mail scanned for viruses by Declude Virus]
Yes it is, at least it is now. Thanks for pointing it out.
Barry
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Marc Catuogno
Sent: Thursday, May 26, 2005 11:23 PM
To: sniffer@SortMonster.com
Subject: [sniffer] sniffer NOT a link on Declude Partners
Have you looked at MDaemon as an alternative?
Bill Ball
Lion Network Solutions
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, June 01, 2005 4:11 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Sniffer and SmarterMail?
Not that you would want to do this. But declude does integrate with
smarterMail now. It has for several months.
Hi Joe,
Yeah, we had talked about buying the low cost Declude Virus/JM
versions and then letting Sniffer hook into those as well as then
hooking with SmarterMail...
That's an option for you too.
-jason
- - - - - - - - - - - - - - - - - -
Wednesday, June 1, 2005, 7:02:30 PM, you
If you have a current SA with Declude, you can move from iMail Declude
to SmarterMail Declude for free. I suggest that you contact Declude
about this - that is, assuming you are completely shutting down your
iMail server.
-Jay
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Joe,
Wednesday, June 1, 2005 you wrote:
JW If there's a better option than SmarterMail I'd love to hear it,
JW but I can't compare a $4000+ server to a $600 one.
hMailServer is free and open source.
Once I finish the script work for calling Sniffer and the
work-around for ClamDscan
Terry,
Will take a look at it... never heard of it before. It may be going too far
the other way. I'm not looking for something with fewer features than
Imail. I don't think SquirrelMail will allow all the domain management
features like Imail does (add, remove, modify users, passwords,
Here is a consideration.
I am running EWall as an SMTP proxy. You can put it
on a separate box and use it with any mail server.
It offers a path to integration with off the shelf
anti virus products (not per email box, etc). and it allows you to apply
multiple "rules" to mail on Global,
On this same thread, what can the small guy like me do now that I no
longer own my former business. I also cannot afford the Imail/Declude
solution. I have about 20 domains I host as more of a hobby, but need to
move them off my former mail server soon.
I see someone has said that maybe
hMailServer is free and open source.
I like it!
Once I finish the script work for calling Sniffer and the
work-around for ClamDscan and FPROT I'll post it. Clamdscan is the
service (daemon) for ClamAV. No reason that the daemon version of
Sniffer couldn't be used as well.
Sheldon,
Saturday, June 4, 2005 you wrote:
The SquirrelMail web interface is not bad although it is PHP 4.
The web admin interface is pretty good, too, and can be php 5.
SK Does this really matter for us non programmers?
It does actually. Just make sure to install the PHP 4 version
On Monday, June 6, 2005, 5:13:19 PM, Jim wrote:
JM Is anyone else seeing a huge rash of spam/virus messages in
JM the last hour or so? I have multiple users that are getting
JM messages that are forging our own addresses and have a link that
JM appears to go to our website but instead goes
I'm seeing what Scott sees, but the payload is an encrypted zip.
VirusTotal.com says:
This is a report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file.
Antivirus Version Update Result
Was this the ip?
209.67.220.164
This is the only address I have seen -
-Nick
Scott Fisher wrote:
Yes I have seen them too:
email starts with:
Dear Valued Member,
According to our site policy you will have to confirm your
account by the following link or else
That's the one I am seeing too.
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: Nick Hayer
To: sniffer@SortMonster.com
Sent: Monday, June 06, 2005 2:42 PM
Subject: Re: [sniffer] New Spam/Virus?
Same exact IP here!
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Monday, June 06, 2005 5:42 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] New Spam/Virus?
Was this the ip?
209.67.220.164
This is the only address I have seen -
-Nick
Scott Fisher
On Monday, June 6, 2005, 5:50:38 PM, Dave wrote:
DK Same exact IP here!
We've got a couple of rules for this now -- making the rounds as new
compiles go out.
_M
Thanks Pete,
What Return code will this be under?
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Dave Koontz sniffer@SortMonster.com
Sent: Monday, June 06, 2005 3:00 PM
Subject:
New target ip: 205.138.199.146
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Monday, June 06, 2005 3:01 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] New Spam/Virus?
Thanks Pete,
What Return code will this be under?
One rule (369660) will code to 53 (scams).
Another (369650) will code to 53 (scams).
Another (369634) also codes to 53 (scams).
The rules got the scam tag because it presents like a phishing scam.
I'll be watching for evidence of additional polymorphism and we will
adapt. Now that we know this
New rule - 369676 under Malware.
New experimental rule on message structure: 369677
_M
On Monday, June 6, 2005, 6:13:23 PM, Dave wrote:
DM New target ip: 205.138.199.146
DM -Original Message-
DM From: [EMAIL PROTECTED]
DM [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
DM Sent:
FYI,
This virus appears to be using multiple forms of infection. One seems
to link to the IP where you are prompted to run/download the infected
program and the others have infected attachments in the E-mail itself.
Based on reviewing my logs and spam capture file, it appears that
initially
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
This is the virus that I was seeing. The one that Jim and others are seeing may
be this MyTob, whose description was
I've been doing Sniffer updates via a scheduled
task. Am trying to get it working via a Program Alias in response to
update notifications. The alias and .cmd file are in place,
but it won't activate via the notifications, even when I send a test
message to it. I get a copy of the notification
Hello,
I was having this problem and found that I
did not have these files in place.
Send-rotate.cmd
Send-stop.cmd
Send-reload.cmd
This would not explain your being able to
execute the process manually though
Sincerely,
Brian W. Packham
Orange County Online, Inc.
Have you checked out ImailSnifferUpdateTools.zip?
It contains detailed instructions and can be downloaded from http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html
Bill
From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 12:43 PM
To:
Hello Sniffer folks, and Sniffer Support,
I have just completed an analysis of the New Spam Arrival Rates over
the past two weeks.
Two weeks ago at this time, we were receiving a new (as yet
unfiltered) spam at our traps at a rate of approximately 23 messages
per hour.
Over the past
That is what I'm using. I tried editing the .cmd file to do away
with the variables and hard-wire my parameters into it. It works
either way (before or after eliminating the variables) when executed
manually. It does not work via Program Alias -- my .snf file does
not change when an
You might want to try the following which resolved this problem for me (a
while ago)
1. The IMail program alias is: c:\Sniffer\snfupd.bat
2. I created a .bat file which is:
echo off
cd\ c:\sniffer
snfupd.cmd
All of my Sniffer programs and files are in the c:\sniffer
Well blow me down. That did the trick, least-wise it does for triggering by
a test message! I'll know for sure when the next notification arrives.
Thanks!!!
G.Z.
- Original Message -
From: George Kulman [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, June 15, 2005
There seemed to be a problem with IMail running a cmd file and since the bat
file worked so I didn't bother checking further.
I did two other things which might be of interest to you:
I set the Alias that receives the notification email (in my case
[EMAIL PROTECTED]) as a standard alias that
I had tried renaming the .cmd as .bat and running that via the Alias, but
that also didn't work. The nested .bat - .cmd does work, for whatever
reason.
I did set up the double-alias situation.
Thanks for the tip on deleting the .tmp file. I suppose that could run into
a conflict if there are
Strange, the script does not leave any temp files in my spool directory.
Bill
-Original Message-
From: George Kulman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 2:55 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Auto Sniffer Updates
There seemed to be a problem
Did you happen to comment out or not change either of the following
variables in your script to point to the correct drive\directory paths?:
SET SnifferDrive=c:
SET SnifferDir=c:\imail\declude\sniffer
Which cause the calls to these variables later in the script's execution to
fail:
I haven't noticed this spam leaking through, but at your prompting I did a:
egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log
and saw about 46. A glance through these to:from:ip: lines definitely shows
messages that fit your description, along with messages that don't (I'm
Also, the domains in the body text are not hitting on SURBL tests.
Andrew
8)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 16, 2005 3:34 PM
To: sniffer@SortMonster.com
Subject: RE:
Hey Andrew,
Are you sending your logs to a UNIX box, or running a ported version
of grep/egrep for windows?
Mike
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 16, 2005 17:34
To: sniffer@SortMonster.com
Subject: RE:
We have been seeing these.
Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 4:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up
Additional info (justifying the IP block rules just added):
http://www.senderbase.org/search?searchString=200.49.48.0%2F20
I wonder why nobody else is listing these IPs yet. Could we just be
the first? (This exercise has given me some ideas for new research
tasks-- :-) )
Interesting.
_M
On
Today I saw hits from this campaign on another IP block as well, and
plugging that into SenderBase.org gives me:
http://www.senderbase.org/search?searchString=200.49.37.130
Note in the top right that they list:
200.49.36.0/22
belonging to Network Access Point S.R.L., and following that link
Scott,
Not too many incoming for me - about 200 out of
about 125K messages. One thing to note is the ones I am getting are around
that block but even lower like 200.49.44.x.
Darrell
---
Check out http://www.invariantsystems.com for
utilities for
I'm also taking out the: 200.49.32.xxx to
200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with
SBL 17983.
The trouble on this spammer for me, is they aren't
listed anywhere (with the 299.49.50.XXXs and are probably burning through domain
names faster than the
Gotta catch 'em all (not Pokemon, spam)...
Sniffer caught all of them today:
gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[3|4|5]/ {print $3}" dec0617.log > temp.txt
fgrep -ftemp.txt dec0617.log | fgrep "Total weight"
If your volume is quite high, that second line, instead of
Hello sniffer sniffer support,
There appears to be a new malware out... It comes in the disguise of
a Christmas card with a link to the recipient domain. I have created
several rules to capture this.
Watch out for any that you may have already received.
You _may_ be able to recognize
FYI
http://www.securitypipeline.com/news/164901324
Hello sniffer folks,
We are working on a special project that is targeted for Exchange
servers. If you work with Exchange and would like to help us test
and develop this project then please contact me off list at
[EMAIL PROTECTED]
If you know someone who is an Exchange consultant and
Hello Sniffer Folks,
We will have a short outage this evening. The plan is to go down
some time near 2300 EDT and to be down for about 4 hours. We don't
expect this to have any significant impact on operations except that
some of you will miss a rulebase update during that period.
The