RE: Re[2]: [sniffer] POP Approach

2005-10-14 Thread Daniel Bayerdorffer
Hello Pete,

Are you going to implement something similar for false positives?

Thanks,
Daniel 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Friday, October 14, 2005 12:32 AM
 To: William Van Hefner
 Subject: Re[2]: [sniffer] POP Approach
 
 On Wednesday, October 12, 2005, 6:30:45 PM, William wrote:
 
 WVH Pete,
 
 WVH Was just wondering, I have all of my e-mail pass through an IMGate/Postfix
 WVH machine prior to hitting my main mail server. Sometimes, e-mail (especially
 WVH spam) gets forwarded from the secondary MX as well. If we use the POP method
 WVH of redirecting spam to an appropriate mailbox are you just going to be
 WVH scanning the messages for content, or inspecting the headers for IP
 WVH information as well?
 
 We will inspect all parts of the messages manually and with automated
 tools. This is true of all spam that arrives at our system no matter
 how it gets there.
 
 WVH Reason I'm asking is, I just want to make sure that one of my own servers
 WVH doesn't end up included in some type of blacklist rule. It seems like it
 WVH would take an awful lot of work on your part to ensure that any filters
 WVH don't contain IPs of one of your customer's machines, if you are scanning
 WVH header information. When you throw-in the fact that the redirect may come
 WVH from the client of an entirely different network with no link whatsoever to
 WVH our DNS records, that would seem to make taking any header information
 WVH (except maybe the Subject or From lines) into account a very risky
 WVH proposition. Thanks!!!
 
 Actually, we can often be very precise about the routing of messages
 pulled from pop accounts.
 
 That said, there is always a non-zero risk that an IP which is listed
 in certain black lists and also arrives at one of our traps may be
 added to our rulebase. This is almost always an automated process
 since we have determined that manually entered IPs are prone to
 errors.
 
 If an IP on one of your servers does get tagged, then you would be
 able to use the rule-panic procedure for immediate relief and once the
 problem was solved it could not be recreated.
 
 Part of our system is that it remembers every mistake we ever made and
 prevents us making that same mistake again --- unless we're really,
 really determined ;-)
 
 Understand, I'm not making light of this possibility... we take all
 false positive cases (real or imagined) very seriously. I do want to
 point out that these cases are rare, easily solved, and nearly
 impossible to repeat. I should also point out that this risk is not
 increased by using the pop3 method.
 
 Hope this helps,
 
 _M
 
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 





RE: [sniffer]

2005-11-10 Thread Daniel Bayerdorffer
Hi Pete,

Thanks for the info. I actually already have the current version running.
I'm very happy with its performance. I just did not have a clear
understanding on those issues.

On another note, when you have the new version install, will it overwrite my
current settings? And will it also install scripts for updating the rule
base, and sending logs? Because I already have that setup now.

Thanks,
Daniel


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Thursday, November 10, 2005 9:33 AM
 To: Daniel Bayerdorffer
 Subject: Re: [sniffer]
 
 On Thursday, November 10, 2005, 8:07:18 AM, Daniel wrote:
 
 DB Hello,
 
 DB Can anyone tell me if the Mdaemon Plug-in runs in persistent mode? Also are
 DB there any plans to bring the plug-in to Version 1 status?
 
 The MDaemon plugin has no need for persistent mode because it is
 loaded and kept in memory by MDaemon itself. As a result, the
 performance is always optimal because the rulebase is only ever loaded
 when a new file is present.
 
 Persistent mode is a mechanism developed to enhance the performance of
 peer-server implementations (using the command line utility).
 
 The current plugin code is actually at 1.0 status, however we haven't
 released an official 1.0 distribution because we are working on a few
 refinements and an installer. The existing 0.53 download should be
 considered production ready code -- only external things like the
 installer are missing.
 
 When we do release a 1.x version, it will include an Install Shield
 installer and a few new features - primarily to provide some advanced
 configuration options. The core of the program will not change
 however.
 
 This work is currently on hold for back-end improvements on the
 rulebase and rulebase development tools.
 
 Hope this helps,
 
 _M
 





RE: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Daniel Bayerdorffer
Here too.

--
Daniel Bayerdorffer  [EMAIL PROTECTED]
Numberall Stamp  Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541  FAX 207-876-3566
www.numberall.com
 
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
 Sent: Friday, May 05, 2006 10:34 AM
 To: sniffer@sortmonster.com
 Subject: [sniffer] Lot of Drugs Spam getting through sniffer
 
 The last few days tons of Drugs spam is coming in and sniffer is catching
 none of it.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 
 
 
 






Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Daniel Bayerdorffer
I've gotten one myself.

The pharmacy ones are still coming through too, for that matter.

 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Herb Guenther
 Sent: Wednesday, May 17, 2006 3:03 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Ebay Phishing Emails getting through
 
 I have not seen any.
 
 Herb
 
 Jim Matuska Jr. wrote:
  Has anyone else been getting an excess amount of ebay phishing emails making
  it through sniffer today?  I have personally received a couple of them and
  have multiple users reporting the same.  I have forwarded them to the
  sniffer spam@ address if you can take a look Pete it would be much
  appreciated.
 
  Thank You,
 
  Jim Matuska Jr.
  Computer Tech2, CCNA
  Nez Perce Tribe
  Information Systems
  [EMAIL PROTECTED]
 
   
 
 
 
 
 
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED]
  To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
  To switch to the INDEX mode, E-mail to 
 [EMAIL PROTECTED]
  Send administrative queries to  [EMAIL PROTECTED]
 

 
 -- 
 Herb Guenther
 Lanex, LLC
 www.lanex.com
 (262)789-0966x102 Office
 (262)780-0424 Direct
 
 
 This e-mail is confidential and is for the use of the 
 intended recipient(s)only. If you are not an intended 
 recipient please advise us of our error by return e-mail then 
 delete this e-mail and any attached files. You may not copy, 
 disclose or use the contents in any way.
 
 
 
 
 
 







[sniffer] Uptick in spam

2007-02-26 Thread Daniel Bayerdorffer
Hello,

I've had a lot more stock spam coming through lately. Has anyone else noticed
this?

Thanks,
Daniel







[sniffer] Blank Header Emails still getting Through

2007-03-29 Thread Daniel Bayerdorffer
Hello,

I've sent examples of these, every time I get them for several weeks, and they
are still getting through. Is there something about them that is difficult?
Because the body always has the same message. Something about doing email
campaigns for charities.

Thanks,
Daniel 

--
Daniel Bayerdorffer  [EMAIL PROTECTED]
Numberall Stamp  Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541  FAX 207-876-3566
www.numberall.com http://www.numberall.com/ 
 






[sniffer] Re: Mdaemon Plug-in Update

2007-06-28 Thread Daniel Bayerdorffer
Hi Pete,

Thanks for the info. I will keep my eyes peeled for the beta release.

Thanks,
Daniel

 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, June 27, 2007 10:05 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Mdaemon Plug-in Update
 
 Hello Daniel,
 
 Wednesday, June 27, 2007, 9:06:14 PM, you wrote:
 
  Hi Pete and everyone,
 
  Has there been any more progress on the MDaemon Plug-In?
 
 Yes. We have an alpha version of the plugin running on several systems
 (both large and small) with very good results. We are working to
 complete the feature set and fine tune the default parameters. Once we
 have a functionally complete feature set -- that is, enough features
 that the vast majority of installations have everything they need from
 SNF -- then we will convert the project to beta status and begin wider
 testing and refinement.
 
 The next step, during the wide beta test period, will be to build and
 refine documentation and installation utilities and to ultimately
 release a production ready product.
 
 As we go through these stages of development we will post information
 about it here on this list inviting more folks to participate and
 comment.
 
 The command line version is also in late alpha testing on a similar
 variety of systems and both projects will continue to be developed in
 parallel.
 
 Hope this helps,
 
 Thanks!
 
 _M
 
 -- 
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 
 







[sniffer] Re: pricing

2007-08-09 Thread Daniel Bayerdorffer
Also Pete, I don't think the plugin works with his version of MDaemon. I think
you need Version 8 and up.
 
Daniel


  _  

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
Pete McNeil
Sent: Thursday, August 09, 2007 9:29 AM
To: Message Sniffer Community
Subject: [sniffer] Re: pricing



Hello Jason,

Thursday, August 9, 2007, 2:24:51 AM, you wrote:

hi all

may I know the pricing of message sniffer plugins for Mdaemon?

is it a one time cost or depends on users?

A subscription to the rulebase is $495 / year per server.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.










[sniffer] Spam no using CAPTCHA!

2008-06-11 Thread Daniel Bayerdorffer
Hi Everyone,

I just sent a spam sample to Message Sniffer, that was using CAPTCHA, it
said CIALIS in the CAPTCHA. I'm curious to see what Pete thinks of this new
tactic?

Regards,
Daniel

--
Daniel Bayerdorffer, VP  [EMAIL PROTECTED]
Numberall Stamp  Tool Co., Inc.  www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541  FAX: 207-876-3566




[sniffer] Re: It's official. SNF Version 3.0 is Ready!

2008-06-27 Thread Daniel Bayerdorffer
Hi Pete,

You are correct I meant the rulebase update. I did use the getRulebase.cmd
and it seemed to be working, it downloads the file. I did make one mistake,
I meant gzip said it was an invalid gz file. I didn't even get to the
snf2chk command.

Thanks,
Daniel 


--
Daniel Bayerdorffer, VP  [EMAIL PROTECTED]
Numberall Stamp  Tool Co., Inc.  www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541  FAX: 207-876-3566

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Thursday, June 26, 2008 9:39 PM
To: Message Sniffer Community
Subject: [sniffer] Re: It's official. SNF Version 3.0 is Ready!

Hello Daniel,

Thursday, June 26, 2008, 8:58:36 PM, you wrote:

 Hi Pete,

 I've installed the Mdaemon Plugin version. I can't download a valid update.
 snf2chk keeps saying it's an invalid gzip. Do you have any suggestions on
 what I can try to track down the problem?

I'm a little bit confused.

I'm going to guess that you're talking about a rulebase update.

getRulebase.cmd script should be able to do everything that's needed.

What I think you've said is that you downloaded the file -- accepted a
gzip, and then tried to check it with snf2check. You would first have
to unzip the file and then check the unzipped file with snf2check.

Hope that makes sense.

Please straighten me out if it doesn't.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.







[sniffer] Alt-n Security Gateway

2008-09-09 Thread Daniel Bayerdorffer
Hi Everyone,

Can SNF be used with Alt-N's Security Gateway product?

http://www.altn.com/Products/SecurityGateway-Email-Firewall/

I know the plug-in works great with Mdaemon itself, but I might be 
switching to Exchange. And want to use this product with it.

Thanks,
Daniel

--
Daniel Bayerdorffer, VP  [EMAIL PROTECTED]
Numberall Stamp  Tool Co., Inc.  www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566


-Original Message-
From: Peer-to-Peer (Support) [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Date: Thu, 28 Aug 2008 09:19:29 -0400
Subject: [sniffer] Re: Stampede - amazing!

 Not the same as you're describing below, but I can confirm we were slammed
 with NDR's last night.  Classic joe-job (i.e. millions of messages sent out
 to unknown users using your return address).
 
 --Paul
 
 
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
 Behalf Of Pete McNeil
 Sent: Thursday, August 28, 2008 5:13 AM
 To: Message Sniffer Community
 Subject: [sniffer] Stampede - amazing!
 
 
 Hello Sniffer Folks,
 
 I had been wondering why the blackhats had been pushing so hard for
 new bots these last few weeks.
 
 Then the other day I saw something very strange in the SNF telemetry.
 A storm came in that seemed to stop all other traffic. For more than
 an hour I really thought something was broken -- but I wasn't sure I'd
 really seen it.
 
 Just a short time ago our SortMonster on duty (Mitchell Skull)
 called all-hands for a new spam storm. This was another of the new
 penis spams.
 
 We coded the rules quickly and as they went out I saw it again:
 
 T rates fell to zero on many systems and close to that on all of the
 others. This means that virtually all of the IPs were brand-new. At
 the same time traffic spiked on all systems and capture rates went
 off-scale high as the new rules tagged virtually every message.
 
 This is not an entirely new tactic by the blackhats-- I've talked
 about it before. It is essentially a high-amplitude burst - where a
 new campaign is pre-tested against all known filters and then launched
 on a large number of new bots that are unknown to IP reputation
 systems.
 
 What is new is the purity of these recent events. When we've seen them
 before they were mixed in with a lot of other traffic from other bot
 nets and even other campaigns from the same bot net. While there was
 still a trickle of this activity, the purity of this burst was
 astounding.
 
 This was a stampede where essentially all visible bots started running
 in a single new direction.
 
 T rates have recovered now by and large -- so the new bots are already
 largely recognized by GBUdb, but the wild swing in telemetry across
 the network was amazing to watch -- as is the new telemetry showing
 dramatically increased traffic and capture rates indicating a nearly
 pure stream of spam from this new herd.
 
 Theories, comments, and observations welcome.
 
 Thanks,
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 
 
 
 
 
 
 
 







[sniffer] Milter Version

2013-10-31 Thread Daniel Bayerdorffer
Hello,

Years ago we were a Message Sniffer customer. We had an email server in house 
(MDaemon). Loved Message Sniffer, it totally controlled our spam. Then we 
switched to outsourced Exchange. It was a good move at the time, but various 
world events have caused us to reconsider and we are now bringing our email 
server back in house. This time we are going to a Linux based solution, 
www.axigen.com <http://www.axigen.com>.

Axigen supports the Milter interface, and I see that Message Sniffer does as 
well. I've been reading the Install notes, but one thing that is not clear is 
that the Milter version is up to date. Is it current and if not will it be in 
the near future?

Thanks in advance,
Daniel

--
Daniel Bayerdorffer, VP  dani...@numberall.com
Numberall Stamp  Tool Co., Inc.  www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541  FAX: 207-876-3566



[sniffer] Re: Saccades anyone?

2014-02-18 Thread Daniel Bayerdorffer
Hi Pete,

Any plans to modify the milter code to this in the future?

Thanks,
Daniel

--
Daniel Bayerdorffer, VP  dani...@numberall.com
Numberall Stamp  Tool Co., Inc.  www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541  FAX: 207-876-3566


-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of 
Pete McNeil
Sent: Thursday, February 13, 2014 1:35 PM
To: Message Sniffer Community
Subject: [sniffer] Saccades anyone?

Hello Sniffer Folks,

We are preparing to release a new version of the Message Sniffer engine that 
includes an exciting new technology.

The saccades engine allows SNF to intelligently skip large portions of most 
messages without missing any important content. The engine borrows from 
MicroNeil's synthetic intelligence research relating to visual systems 
processing and essentially gives SNF a behavior similar to what we all do with 
our eyes: http://en.wikipedia.org/wiki/Saccade

The engine learns where matches are most likely to occur and then applies what 
it is learning in real-time. This allows SNF to rapidly identify messages of a 
type it has already seen without having to scan the entire contents.

This has the potential to improve scanning efficiency by 90% or more. 
That is, scanning typical messages can happen with 1/10th the work for a 10x 
improvement in efficiency. Not kidding, we're actually seeing these results on 
some of our testbed servers! You may have seen me tweet about
it: https://twitter.com/codedweller/status/434020178352148480

If you'd like to get in on the fun early and you are using SNFServer.exe then 
you can find a copy of the new engine at the following link:

http://www.armresearch.com/message-sniffer/download/SNFServerV3.0.2-E3.1.0.zip

To swap it in,

* Download and unzip the new engine.
* Stop your Message Sniffer.
* Rename your SNFServer.exe to something like SNFServer.exe.bakup (always a 
good idea to keep a backup).
* Rename the new engine to SNFServer.exe
* Restart your Message Sniffer.

Please let us know how this works for you.

Thanks!
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com





[sniffer] Re: Saccades anyone?

2014-02-20 Thread Daniel Bayerdorffer
Thanks,

I'll take a look!

On 2014-02-18 17:02, Daniel Bayerdorffer wrote:
 Any plans to modify the milter code to this in the future?
Yes. All platforms will be updated shortly.
In fact, if you wish, you can download the snfmulti source from our SVN server 
and then recompile your milter with the new code. Here is a link:

Examine it here with websvn
https://svn.microneil.com/websvn/listing.php?repname=SNFMulti

Get the source here via svn
https://svn.microneil.com/svn/SNFMulti/trunk/





[sniffer] Re: Adding Message Sniffer to Zimbra

2015-02-04 Thread Daniel Bayerdorffer
Hi Linda, 

Thank you for the useful advice! I will be working on this next week, and I'll 
let you know how it turns out. I also found some useful information on Zimbra's 
Wiki. 

https://wiki.zimbra.com/wiki/SpamAssassin_Customizations 

I'm looking forward to the reduction in spam! 

Thanks, 
Daniel 


From: Linda Pagillo linda.pagi...@mailsbestfriend.com 
To: Daniel Bayerdorffer dani...@numberall.com 
Sent: Tuesday, February 3, 2015 5:40:34 PM 
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra 



Hi Daniel. I was hanging out in the Message Sniffer Community forums and saw 
that you had a question about Message Sniffer and Zimbra. I have actually set 
up a Zimbra/Postfix/SpamAssassin server with the SNF4SA plug-in. When I set it 
up, I simply added the lines for the SNF4SA to SpamAssassin’s local.cf file and 
it has been working without issue since. However, we have not upgraded the 
Zimbra server, so I’m not sure if those settings would be overwritten if we 
did. To avoid that, you could create a file called something like aaalocal.cf 
and add the SNF4SA lines to that file. That would prevent the settings from 
being overwritten if a Zimbra upgrade did overwrite the local.cf. I hope this 
helps. Thanks! 



Linda Pagillo 
Mail's Best Friend 
Email: linda.pagi...@mailsbestfriend.com 
Web: www.mailsbestfriend.com 
Office: 703.988.3605 x7016 









[sniffer] Adding Message Sniffer to Zimbra

2015-02-02 Thread Daniel Bayerdorffer
Hello Everyone, 

Does anyone have any advice or tips for adding Message Sniffer to Zimbra 8.6? 
Specifically with Zimbra's implementation of spam assassin? 

Thanks, 
Daniel 

-- 
Daniel Bayerdorffer, VP dani...@numberall.com 
Numberall Stamp  Tool Co., Inc. www.numberall.com 
PO BOX 187, Sangerville, ME 04479 USA 
TEL: 207-876-3541 FAX: 207-876-3566 


[sniffer] Re: Adding Message Sniffer to Zimbra

2015-02-03 Thread Daniel Bayerdorffer
Hi Pete,

That is my expectation too. I just wasn't sure if Zimbra might try to overwrite 
any spam assassin conf files and such. Zimbra maintains all its settings in 
ldap attributes, so it can maintain consistency across servers. So I was 
curious if anyone had already run into that issue.

I'll do some more digging in the Zimbra documentation to verify it won't 
overwrite anything.

Thanks,
Daniel

- Original Message -
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, February 3, 2015 1:38:56 PM
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra

On 2015-02-02 19:53, Daniel Bayerdorffer wrote:
 Does anyone have any advice or tips for adding Message Sniffer to
 Zimbra 8.6? Specifically with Zimbra's implementation of spam assassin?

The SNF4SA plugin included with the Linux source code distribution
should do the trick. SNF4SA looks to SpamAssassin like any other SA
plugin. It creates a temp file of the message, calls SNFServer to scan
the message, and then processes the results in a way SA expects so it
can be scored.

It _should_ be as easy as that.

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 







[sniffer] Re: Adding Message Sniffer to Zimbra

2015-02-10 Thread Daniel Bayerdorffer
Hi Pete,

I implemented the identifier option. Thanks for the advice. I've also finally 
seen an email where spamassassin is acknowledging some input from SNF.

X-Spam-Status: Yes, score=14.214 tagged_above=-10 required=6.6
tests=[BAYES_95=3, KB_DATE_CONTAINS_TAB=2.751,
RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SNF4SA=4.000, TAB_IN_FROM=0.499]
autolearn=no autolearn_force=no

That is mostly what I'm looking for, but the identifier option will be helpful 
for debugging.

Thanks again for all your help!
Daniel


- Original Message -
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, February 10, 2015 9:20:31 AM
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra

Unfortunately, some implementations of SA are hiding these headers.
We've seen this a few times recently. There doesn't seem to be a way
around it outside of hacking SA itself. (A few people have done that,...
but it was ugly).

If you want to be able to more easily associate SNF logs with messages
you might consider changing SNF's message identifier to use the Message ID.

http://www.armresearch.com/Documentation/QA/ltidentifiergt-2021367617.jsp
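
Added example (not part of the original posts, and not ARM Research or SpamAssassin code): when the SNF result headers are hidden, as described in the message above, the X-Spam-Status line is the remaining evidence that SNF4SA took part in scoring. This Python sketch parses that header, using the values quoted in the post inside a constructed message, and reports what SNF4SA contributed and whether the message would have been tagged without it. The function names and returned field names are assumptions.

```python
import re
from email import message_from_string

# Constructed message; only the X-Spam-Status values come from the post above.
SAMPLE = (
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "X-Spam-Status: Yes, score=14.214 tagged_above=-10 required=6.6\n"
    "\ttests=[BAYES_95=3, KB_DATE_CONTAINS_TAB=2.751,\n"
    "\tRCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,\n"
    "\tRCVD_IN_XBL=0.375, RDNS_NONE=0.793, SNF4SA=4.000, TAB_IN_FROM=0.499]\n"
    "\tautolearn=no autolearn_force=no\n"
    "\n"
    "body\n"
)

_NUM = r"(-?\d+(?:\.\d+)?)"


def parse_spam_status(raw_message):
    """Return verdict, score, threshold and per-test points from X-Spam-Status."""
    value = message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        return None
    # Folded headers keep their line breaks; collapse them to single spaces.
    value = re.sub(r"\s+", " ", str(value)).strip()
    score = re.search(r"\bscore=" + _NUM, value)
    required = re.search(r"\brequired=" + _NUM, value)
    tests = {}
    listed = re.search(r"\btests=\[([^\]]*)\]", value)
    if listed:
        for item in listed.group(1).split(","):
            name, _, points = item.strip().partition("=")
            if not name:
                continue
            try:
                # Some setups list test names without points; keep those as None.
                tests[name] = float(points) if points else None
            except ValueError:
                tests[name] = None
    return {
        "is_spam": value.split(",", 1)[0].strip().lower() == "yes",
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "tests": tests,
    }


def snf_contribution(raw_message, rule="SNF4SA"):
    """Summarise how much one rule (SNF4SA by default) added to the final score."""
    status = parse_spam_status(raw_message)
    if not status or status["score"] is None or status["required"] is None:
        return None
    points = status["tests"].get(rule)
    without = round(status["score"] - (points or 0.0), 3)
    known = [p for p in status["tests"].values() if p is not None]
    return {
        "fired": rule in status["tests"],
        "rule_score": points,
        "score": status["score"],
        "required": status["required"],
        "score_without_rule": without,
        # True when the message crossed the threshold only because of this rule.
        "decisive": status["is_spam"] and without < status["required"],
        # Sanity check: the listed test points should add up to the total score.
        "tests_sum_matches": abs(sum(known) - status["score"]) < 0.001,
    }


if __name__ == "__main__":
    for key, val in snf_contribution(SAMPLE).items():
        print(f"{key}: {val}")
```
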






[sniffer] Re: Adding Message Sniffer to Zimbra

2015-02-09 Thread Daniel Bayerdorffer
Hi Pete,

Thanks for the help, that worked perfectly. I have snf running and the snf4sa 
installed as well. I can see that snf is scanning messages from its 
license.20150210.log.xml file

<s u='20150210060732' m='/tmp/snf4sa/u4EHALz_Is' s='60' r='4609060'>
<m s='60' r='4609060' i='1045' e='1057' f='m'/>
<m s='60' r='1482320' i='1060' e='1071' f='m'/>

But there are no headers in the messages showing snf's results. I can see that 
the snf4sa.cf has it set to add them though.

# Header line containing the results from SNFServer.
add_header all SNF-Result  _SNFRESULTTAG_
add_header all MessageSniffer-Scan-Result _SNFMESSAGESNIFFERSCANRESULT_
add_header all MessageSniffer-Rules _SNFMESSAGESNIFFERRULES_
add_header all GBUdb-Analysis _SNFGBUDBANALYSIS_

Do you have any more suggestions?

Thanks again for the help,
Daniel


- Original Message -
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, February 9, 2015 6:12:45 PM
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra

On 2015-02-09 16:23, Daniel Bayerdorffer wrote:
> libpthread package they have listed for 14.04. But the config script still 
> can't find that library. Can you offer any advice?

apt-get install build-essential

seems to be the equivalent of CentOS

yum groupinstall "Development Tools"

which usually solves this problem for redhat variants.

Give that a shot and see if it fills in the holes.
Usually by the time I've got g++ up and running on ubuntu it just
works -- hopefully that's not broken in 14.

Best,

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 





[sniffer] Re: Adding Message Sniffer to Zimbra

2015-02-10 Thread Daniel Bayerdorffer
Hi Linda (and the Sniffer community), 

I just wanted to let everyone know what I ended up doing to work with Zimbra. 

I copied the snf4sa.pm and snf4sa.cf files to the 

/opt/zimbra/data/spamassassin/localrules 

directory per this Zimbra wiki article 

https://wiki.zimbra.com/wiki/SpamAssassin_Customizations 

The spamassassin implementation in Zimbra blocks SNF Headers from being added 
to emails. So I took Pete's advice and turned on the <identifier/> option in 
the /etc/snf-server/SNFServer.xml file 

http://www.armresearch.com/Documentation/QA/ltidentifiergt-2021367617.jsp 

Everything appears to be working great! 

Thanks, 
Daniel 





From: Daniel Bayerdorffer [mailto:dani...@numberall.com] 
Sent: Wednesday, February 04, 2015 10:08 AM 
To: Linda Pagillo; Message Sniffer Community 
Subject: Re: [sniffer] Re: Adding Message Sniffer to Zimbra 





Hi Linda, 

Thank you for the useful advice! I will be working on this next week, and I'll 
let you know how it turns out. I also found some useful information on Zimbra's 
Wiki. 

https://wiki.zimbra.com/wiki/SpamAssassin_Customizations 

I'm looking forward to the reduction in spam! 

Thanks, 
Daniel 






From: Linda Pagillo  linda.pagi...@mailsbestfriend.com  
To: Daniel Bayerdorffer  dani...@numberall.com  
Sent: Tuesday, February 3, 2015 5:40:34 PM 
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra 





Hi Daniel. I was hanging out in the Message Sniffer Community forums and saw 
that you had a question about Message Sniffer and Zimbra. I have actually set 
up a Zimbra/Postfix/SpamAssassin server with the SNF4SA plug-in. When I set it 
up, I simply added the lines for the SNF4SA to SpamAssassin’s local.cf file and 
it has been working without issue since. However, we have not upgraded the 
Zimbra server, so I’m not sure if those settings would be overwritten if we 
did. To avoid that, you could create a file called something like aaalocal.cf 
and add the SNF4SA lines to that file. That would prevent the settings from 
being overwritten if a Zimbra upgrade did overwrite the local.cf. I hope this 
helps. Thanks! 



Linda Pagillo 
Mail's Best Friend 
Email: linda.pagi...@mailsbestfriend.com 
Web: www.mailsbestfriend.com 
Office: 703.988.3605 x7016 












[sniffer] Re: Adding Message Sniffer to Zimbra

2015-02-09 Thread Daniel Bayerdorffer
Hello Pete,

I've run into a snag on installing Message Sniffer.

We are installing on Ubuntu 14.04.1 LTS Server. I'm running the config script 
and it says I don't have the libpthread library installed. I've done a search 
on Ubuntu's package website, and I've installed every libpthread package they 
have listed for 14.04. But the config script still can't find that library. Can 
you offer any advice?

http://packages.ubuntu.com/search?suite=default&section=all&arch=any&keywords=libpthread&searchon=names

Thanks,
Daniel






[sniffer] Re: ShortMatch Resolved - Update your SNF software to remain immune.

2015-12-03 Thread Daniel Bayerdorffer
Hi Pete,

Thanks for the update on this situation.

Just so I understand correctly, can we use the packages to install over a 
current installation that was compiled from source?

Thanks,
Daniel

- Original Message -
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Thursday, December 3, 2015 6:07:11 PM
Subject: [sniffer] ShortMatch Resolved - Update your SNF software to remain 
immune.

Hi Sniffer Folks,

According to our latest data, the Short-Match FP problem has subsided -
most likely due to rule sequestration. We have not seen any significant
events in our detection software since 2100e last evening.

In the meantime we have updated the SNF software to check for
short-match events and treat them as rule-panic events. This renders
them inert so that if this kind of rulebase corruption occurs again the
SNF engine will be immune.

Please update your SNF software to this latest version using the links
below.

NOTE: The Windows installer is in the process of being redesigned and
does not have the latest software. This will take some time. If you are
using SNF on Windows and use(d) the installer then use this procedure to
update your software:

* Stop your SNF service (usually XYNT Service based).
* Copy your SNFServer.exe file to SNFServer.old
* Download SNFServer-windows-7-prox32-3.1.0.exe (32 bit) or 
SNFServer-windows-7-prox64-3.1.0.exe (64 bit) and rename it to
SNFServer.exe to replace your previous SNFServer.exe.
* Start your SNF service.

If you were using the 32 bit version (very likely) then replace it with
the 32 bit version. There really isn't any difference, but just in case
it's simpler to keep things the same. There is no benefit to running the
64 bit version -- It is not faster and is in fact less efficient due to
the use of extra large (64 bit) pointers that aren't necessary ;-) Some
folks really want a 64 bit version, so we have one.

Here are some links to updated versions:

http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox32-3.1.0.exe
http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox64-3.1.0.exe
http://www.armresearch.com/message-sniffer/download/updates/snf-server-3.1.0.tar.gz
http://www.armresearch.com/message-sniffer/download/updates/snf-milter-1.1.1.tar.gz
http://www.armresearch.com/message-sniffer/download/updates/SNFMultiSDK_Windows_3.2.zip

And for the really adventurous:

http://www.armresearch.com/message-sniffer/download/packages/

In the packages link you will find all of the latest snapshots and some
old ones from our LabRats. The LabRats compile and test SNF for all of
the different platforms. You will find RPM and DEB packages as well as
tarballs and even the windows stuff that's posted in the updates links
above. Be sure to pick the latest version in all cases.

It will take a bit of time before all of the ordinary links on our web
site are updated with the latest software, so please use the above links
instead if you're going to update right now.

Best,

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 





[sniffer] Re: ShortMatch Resolved - Update your SNF software to remain immune.

2015-12-03 Thread Daniel Bayerdorffer
Got it! I'll compile from source. Thanks for the detailed description.

- Original Message -
From: "Pete McNeil" <madscient...@armresearch.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Thursday, December 3, 2015 9:47:57 PM
Subject: [sniffer] Re: ShortMatch Resolved - Update your SNF software to remain 
immune.

On 2015-12-03 21:24, Daniel Bayerdorffer wrote:
> Just so I understand correctly, can we use the packages to install over a 
> current installation that was compiled from source?

Probably not -- the deployment might not be exactly the same.

If you originally compiled from source then your easiest solution will
be to use the tarball and compile from source again. Then you can simply
replace the executable you have with the new one you make -- everything
is compatible and nothing will need to move.

If you use the packages you are essentially starting over. The packages
are deployed differently than the source instructions.

For example, to do the generic postfix integration with SNF Server you
would need to install two packages: the snf-server_ package and then the
snf-server-postfix_ integration package. If you wanted to roll your own
integration you might just install the snf-server_ package and then
build your own scripts and other software on top of that. It's a
different paradigm.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 





[sniffer] Re: New Version -- SNFMulti 3.2.0 -- Strangers

2016-01-04 Thread Daniel Bayerdorffer
Hi Pete,

Thanks for clearing that up. I believe I'll take your initial advice and skip 
the make-install. However it's good to know I could do it that way for future 
updates.

Thanks,
Daniel

- Original Message -
From: "Pete McNeil" <madscient...@armresearch.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Monday, January 4, 2016 1:46:37 PM
Subject: [sniffer] Re: New Version -- SNFMulti 3.2.0 -- Strangers

On 2016-01-04 11:44, Daniel Bayerdorffer wrote:
> Are there any other gotchas I should be aware of?
I took a quick look through the tarball and was reminded -- all of the
configuration elements are provided as samples after make-install. The
instructions say to copy the samples to their correct names and then
modify them appropriately -- so that part of it is a manual process. In
that case it should be safe to do make install and just skip those steps
since your configuration is already happy.

All that said; again -- you're really only interested in updating your
SNFServer binary. The rest isn't changed.

Best,

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 





[sniffer] Re: New Version -- SNFMulti 3.2.0 -- Strangers

2016-01-04 Thread Daniel Bayerdorffer
Hi Pete,

I have a couple of questions about upgrading. We will be upgrading SNF4SA 
running on Ubuntu 14.04 with Zimbra email server.

I previously compiled the source code to install SNF4SA. Can I compile the 
latest version and run the make-install to overwrite the existing version? If 
so, do I need to re-apply our license information to the configuration files, 
etc.?

Are there any other gotchas I should be aware of?

Thanks,
Daniel


- Original Message -
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Thursday, December 24, 2015 4:17:08 PM
Subject: [sniffer] New Version -- SNFMulti 3.2.0 -- Strangers

Hello Sniffer Folks,

A new version of Message Sniffer is available. The most exciting new
feature for this version is: Strangers.

The "Strangers" algorithm replaces the previous White-Guard algorithm.

Strangers prevents high-intensity pre-tested spam from poisoning IP
reputations in GBUdb and enhances SNF's sensitivity to these kinds of
attacks. Once pattern rules begin to match the pre-tested attack the IP
reputations quickly climb into the black enhancing all of SNF's learning
systems. Normal, but new, IP sources are held to low-confidence
reputations for several hours, but after that are allowed to develop
normally.

Short summary: Strangers lets SNF close the door more quickly on
pre-tested spam while enhancing SNF's learning sensitivity to those
events and without interfering with normal IP reputation processing.

Here are some links:

Packages from the LabRats...
http://www.armresearch.com/message-sniffer/download/packages/

SNFMilter tarball...
http://www.armresearch.com/message-sniffer/download/updates/snf-milter-1.2.0.tar.gz

SNFServer tarball...
http://www.armresearch.com/message-sniffer/download/updates/snf-server-3.2.0.tar.gz

SNFServer 32bit Windows exe...
http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox32-3.2.0.exe

Not better, but if you _really_ want it ... SNFServer 64bit Windows exe...
http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox64-3.2.0.exe

Thanks! and Happy Holidays!

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 





[sniffer] DEB Packages

2016-12-01 Thread Daniel Bayerdorffer
Hello, 

I'm in the process of upgrading our email server. I see that the DEB packages 
for Message Sniffer are for Ubuntu 14.04. Will these work with 16.04? 

Thanks, 
Daniel 

-- 
Daniel Bayerdorffer, VP dani...@numberall.com 
Numberall Stamp & Tool Co., Inc. www.numberall.com 
PO BOX 187, Sangerville, ME 04479 USA 
TEL: 207-876-3541 FAX: 207-876-3566 


[sniffer] Re: DEB Packages

2017-03-27 Thread Daniel Bayerdorffer
Hi Everyone,

Just wanted to give a status update. The DEB packages work just fine on Ubuntu 
16.04 Server. I used Ansible to download, install, and add the proper 
configuration files. It couldn't have gone more smoothly. Highly recommended!

Regards,
Daniel

- Original Message -
From: "Daniel Bayerdorffer" <dani...@numberall.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Friday, December 2, 2016 3:11:26 PM
Subject: [sniffer] Re: DEB Packages

Hi Pete,

Thanks for the info. I'll be sure to report my results back here.

Daniel

- Original Message -
From: "Pete McNeil" <madscient...@armresearch.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Thursday, December 1, 2016 6:21:11 PM
Subject: [sniffer] Re: DEB Packages

On 12/01/2016 02:07 PM, Daniel Bayerdorffer wrote:
> I see that the DEB packages for Message Sniffer are for Ubuntu 14.04. 
> Will these work with 16.04?
>

They should -- there haven't been any significant changes in SNF nor in 
the parts of Ubuntu that SNF cares about.

Still, the packages are considered experimental (mostly due to a lack of 
exhaustive testing) so be ready to roll back just in case; and do share 
your results with us.

Best,

_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller





[sniffer] Re: Our IP got listed on GBUdb Truncate

2018-11-02 Thread Daniel Bayerdorffer
Hi Pete,

Thank you for the information and advice on how to check our own messages for 
the problem. Since asking about this issue I've discovered another user got 
hacked. Their account sent out about 45,000 spam emails today. It seems pretty 
clear that was the culprit.

I'm now in the process of forcing all our users to use a password manager and 
to use complex, unique passwords for everything.

Thanks Again,
Daniel


- Original Message -
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Friday, November 2, 2018 2:21:45 PM
Subject: [sniffer] Re: Our IP got listed on GBUdb Truncate

On 11/2/18 11:52, Daniel Bayerdorffer wrote:
>
> Is there any way for us to see what the offending email was that got us
> on the list? Or some other data point to help us clean up our system?

SNF doesn't leak message info -- With the exception of auto-sampling of
spam (truncated messages, and only if you have it enabled) we don't see
message content. What we do get are anonymous statistics and training data.

The good news is that you are running SNF, so you can scan your messages
and identify any content that might have triggered SNF.

Truncate is trained by counting good and bad events -- bad events are
when a message matches spam/malware patterns.

... so you can actually check with your own scanner.

Truncate is completely automated... so we can't change the list data. It
actually doesn't come from a database but rather by skimming the
telemetry for these events. In effect the reputation for any given IP
resides in each SNF instance around the globe and the truncate list
works by eavesdropping on the conversations between those nodes as they
"discuss" IP reputations.

If the IP is still listed and you send a note to support with the IP
requesting a trace then we can collect some events with timestamps. That
may help you track things down -- but since you're an SNF user you would
probably do better with your own scanner.

Hope this helps.

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 
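
Pete's suggestion to check with your own scanner can be carried out against the SNF scan log. The following is an added example, not code from this thread or from ARM Research: it tallies good and bad scan events per hour and lists the flagged messages, skipping a record cut off mid-write. The sample log is constructed in the shape of the log lines quoted in the Zimbra thread above, and the attribute meanings (u = timestamp, m = message identifier, s = result code with 0 meaning no match, r = rule id) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the <s>/<m> log lines quoted in the Zimbra
# thread. Assumed meanings: u = timestamp (YYYYMMDDhhmmss), m = message
# identifier, s = result code (0 = nothing matched), r = rule id.
SAMPLE_LOG = """\
<s u='20181102130501' m='/tmp/snf4sa/msgA' s='0' r='0'>
</s>
<s u='20181102140732' m='/tmp/snf4sa/msgB' s='60' r='4609060'>
<m s='60' r='4609060' i='1045' e='1057' f='m'/>
<m s='60' r='1482320' i='1060' e='1071' f='m'/>
</s>
<s u='20181102141010' m='/tmp/snf4sa/msgC' s='60' r='1482320'>
<m s='60' r='1482320' i='200' e='211' f='m'/>
</s>
<s u='20181102141544' m='/tmp/snf4sa/msgD' s='0' r='0'/>
<s u='20181102141601' m='/tmp/snf4sa/msgE' s='60
"""

ATTR = re.compile(r"(\w+)='([^']*)'")
# One scan record: the opening <s ...> tag plus everything up to the next one.
SCAN = re.compile(r"<s\s([^>]*?)/?>(.*?)(?=<s\s|\Z)", re.S)
MATCH = re.compile(r"<m\s([^>]*?)/>")


def parse_scans(text):
    """Return one dict per complete scan record; incomplete records are skipped."""
    scans = []
    for rec in SCAN.finditer(text):
        attrs = dict(ATTR.findall(rec.group(1)))
        try:
            result = int(attrs["s"])
            stamp = attrs["u"]
        except (KeyError, ValueError):
            continue  # not a usable scan record
        matches = [dict(ATTR.findall(m)) for m in MATCH.findall(rec.group(2))]
        scans.append({"time": stamp, "msg": attrs.get("m", ""),
                      "result": result, "matches": matches})
    return scans


def bad_events_by_hour(scans):
    """Map YYYYMMDDhh -> [good, bad], counting a nonzero result as a bad event."""
    counts = defaultdict(lambda: [0, 0])
    for s in scans:
        counts[s["time"][:10]][1 if s["result"] != 0 else 0] += 1
    return dict(counts)


def flagged(scans):
    """List (time, message identifier, result, sorted rule ids) for bad events."""
    out = []
    for s in scans:
        if s["result"] != 0:
            rules = sorted({m["r"] for m in s["matches"] if "r" in m})
            out.append((s["time"], s["msg"], s["result"], rules))
    return out


if __name__ == "__main__":
    scans = parse_scans(SAMPLE_LOG)
    for hour, (good, bad) in sorted(bad_events_by_hour(scans).items()):
        print(f"{hour}: good={good} bad={bad}")
    for row in flagged(scans):
        print(row)
```

The message identifiers of the flagged records are what you then look up in the mail server's own logs to find the sending account.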





[sniffer] rspamd integration

2021-12-23 Thread Daniel Bayerdorffer dani...@numberall.com
Hello, 

I'm looking into switching from spamassassin to rspamd with Zimbra MTA. 
https://rspamd.com/ 

Is there any documentation on integrating Message Sniffer with rspamd? Or does 
anyone have any experience with rspamd? 

Thanks, 
Daniel 

-- 
Daniel Bayerdorffer, VP dani...@numberall.com 
Numberall Stamp & Tool Co., Inc. www.numberall.com 
Reuleaux Models www.reuleauxmodels.com 
CypherSafe www.cyphersafe.io 
PO BOX 187, Sangerville, ME 04479 USA 
TEL: 207-876-3541 FAX: 207-876-3566