RE: Re[2]: [sniffer] POP Approach
Hello Pete,

Are you going to implement something similar for false positives?

Thanks,
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, October 14, 2005 12:32 AM
To: William Van Hefner
Subject: Re[2]: [sniffer] POP Approach

On Wednesday, October 12, 2005, 6:30:45 PM, William wrote:

WVH Pete,

WVH Was just wondering, I have all of my e-mail pass through an IMGate/Postfix
WVH machine prior to hitting my main mail server. Sometimes, e-mail (especially
WVH spam) gets forwarded from the secondary MX as well. If we use the POP method
WVH of redirecting spam to an appropriate mailbox are you just going to be
WVH scanning the messages for content, or inspecting the headers for IP
WVH information as well?

We will inspect all parts of the messages manually and with automated tools. This is true of all spam that arrives at our system no matter how it gets there.

WVH Reason I'm asking is, I just want to make sure that one of my own servers
WVH doesn't end up included in some type of blacklist rule. It seems like it
WVH would take an awful lot of work on your part to ensure that any filters
WVH don't contain IPs of one of your customer's machines, if you are scanning
WVH header information. When you throw-in the fact that the redirect may come
WVH from the client of an entirely different network with no link whatsoever to
WVH our DNS records, that would seem to make taking any header information
WVH (except maybe the Subject or From lines) into account a very risky
WVH proposition. Thanks!!!

Actually, we can often be very precise about the routing of messages pulled from pop accounts. That said, there is always a non-zero risk that an IP which is listed in certain black lists and also arrives at one of our traps may be added to our rulebase. This is almost always an automated process since we have determined that manually entered IPs are prone to errors.

If an IP on one of your servers does get tagged, then you would be able to use the rule-panic procedure for immediate relief and once the problem was solved it could not be recreated. Part of our system is that it remembers every mistake we ever made and prevents us making that same mistake again --- unless we're really, really determined ;-)

Understand, I'm not making light of this possibility... we take all false positive cases (real or imagined) very seriously. I do want to point out that these cases are rare, easily solved, and nearly impossible to repeat. I should also point out that this risk is not increased by using the pop3 method.

Hope this helps,
_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer]
Hi Pete,

Thanks for the info. I actually already have the current version running. I'm very happy with its performance. I just did not have a clear understanding on those issues.

On another note, when you have the new version install, will it overwrite my current settings? And will it also install scripts for updating the rule base, and sending logs? Because I already have that setup now.

Thanks,
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, November 10, 2005 9:33 AM
To: Daniel Bayerdorffer
Subject: Re: [sniffer]

On Thursday, November 10, 2005, 8:07:18 AM, Daniel wrote:

DB Hello,
DB Can anyone tell me if the Mdaemon Plug-in runs in persistent mode? Also are
DB there any plans to bring the plug-in to Version 1 status?

The MDaemon plugin has no need for persistent mode because it is loaded and kept in memory by MDaemon itself. As a result, the performance is always optimal because the rulebase is only ever loaded when a new file is present. Persistent mode is a mechanism developed to enhance the performance of peer-server implementations (using the command line utility).

The current plugin code is actually at 1.0 status, however we haven't released an official 1.0 distribution because we are working on a few refinements and an installer. The existing 0.53 download should be considered production ready code -- only external things like the installer are missing.

When we do release a 1.x version, it will include an Install Shield installer and a few new features - primarily to provide some advanced configuration options. The core of the program will not change however. This work is currently on hold for back-end improvements on the rulebase and rulebase development tools.

Hope this helps,
_M
RE: [sniffer] Lot of Drugs Spam getting through sniffer....
Here too.

--
Daniel Bayerdorffer [EMAIL PROTECTED]
Numberall Stamp Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541 FAX 207-876-3566
www.numberall.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Friday, May 05, 2006 10:34 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Lot of Drugs Spam getting through sniffer

The last few days tons of Drugs spam is coming in and sniffer is catching none of it.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [sniffer]Ebay Phishing Emails getting through
I've gotten one myself. The pharmacy ones are still coming through too for that matter.

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Herb Guenther
Sent: Wednesday, May 17, 2006 3:03 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Ebay Phishing Emails getting through

I have not seen any.

Herb

Jim Matuska Jr. wrote:

> Has anyone else been getting an excess amount of ebay phishing emails making it through sniffer today? I have personally received a couple of them and have multiple users reporting the same. I have forwarded them to the sniffer spam@ address if you can take a look Pete it would be much appreciated.
>
> Thank You,
> Jim Matuska Jr.
> Computer Tech2, CCNA
> Nez Perce Tribe Information Systems
> [EMAIL PROTECTED]

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct

This e-mail is confidential and is for the use of the intended recipient(s) only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.
[sniffer] Uptick in spam
Hello,

I've had a lot more stock spam coming through lately. Has anyone else noticed this?

Thanks,
Daniel
[sniffer] Blank Header Emails still getting Through
Hello,

I've sent examples of these, every time I get them for several weeks, and they are still getting through. Is there something about them that is difficult? Because the body always has the same message. Something about doing email campaigns for charities.

Thanks,
Daniel

--
Daniel Bayerdorffer [EMAIL PROTECTED]
Numberall Stamp Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541 FAX 207-876-3566
www.numberall.com
[sniffer] Re: Mdaemon Plug-in Update
Hi Pete,

Thanks for the info. I will keep my eyes peeled for the beta release.

Thanks,
Daniel

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, June 27, 2007 10:05 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Mdaemon Plug-in Update

Hello Daniel,

Wednesday, June 27, 2007, 9:06:14 PM, you wrote:

> Hi Pete and everyone,
> Has there been any more progress on the MDaemon Plug-In?

Yes. We have an alpha version of the plugin running on several systems (both large and small) with very good results.

We are working to complete the feature set and fine tune the default parameters. Once we have a functionally complete feature set -- that is, enough features that the vast majority of installations have everything they need from SNF -- then we will convert the project to beta status and begin wider testing and refinement.

The next step, during the wide beta test period, will be to build and refine documentation and installation utilities and to ultimately release a production ready product.

As we go through these stages of development we will post information about it here on this list inviting more folks to participate and comment.

The command line version is also in late alpha testing on a similar variety of systems and both projects will continue to be developed in parallel.

Hope this helps,
Thanks!
_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: pricing
Also Pete,

I don't think the plugin works with his version of MDaemon. I think you need Version 8 and up.

Daniel

________________________________
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, August 09, 2007 9:29 AM
To: Message Sniffer Community
Subject: [sniffer] Re: pricing

Hello Jason,

Thursday, August 9, 2007, 2:24:51 AM, you wrote:

> hi all
> may I know the pricing of message sniffer plugins for Mdaemon? is it a one time cost or depends on users?

A subscription to the rulebase is $495 / year per server.

Thanks,
_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Spam now using CAPTCHA!
Hi Everyone,

I just sent a spam sample to Message Sniffer, that was using CAPTCHA, it said CIALIS in the CAPTCHA. I'm curious to see what Pete thinks of this new tactic?

Regards,
Daniel

--
Daniel Bayerdorffer, VP [EMAIL PROTECTED]
Numberall Stamp Tool Co., Inc. www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566
[sniffer] Re: It's official. SNF Version 3.0 is Ready!
Hi Pete,

You are correct I meant the rulebase update. I did use the getRulebase.cmd and it seemed to be working, it downloads the file. I did make one mistake, I meant gzip said it was an invalid gz file. I didn't even get to the snf2chk command.

Thanks,
Daniel

--
Daniel Bayerdorffer, VP [EMAIL PROTECTED]
Numberall Stamp Tool Co., Inc. www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, June 26, 2008 9:39 PM
To: Message Sniffer Community
Subject: [sniffer] Re: It's official. SNF Version 3.0 is Ready!

Hello Daniel,

Thursday, June 26, 2008, 8:58:36 PM, you wrote:

> Hi Pete,
> I've installed the Mdaemon Plugin version. I can't download a valid update. snf2chk keeps saying it's an invalid gzip.
> Do you have any suggestions on what I can try to track down the problem?

I'm a little bit confused.

I'm going to guess that you're talking about a rulebase update.

getRulebase.cmd script should be able to do everything that's needed.

What I think you've said is that you downloaded the file -- accepted a gzip, and then tried to check it with snf2check.

You would first have to unzip the file and then check the unzipped file with snf2check.

Hope that makes sense. Please straighten me out if it doesn't.

Thanks,
_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Alt-n Security Gateway
Hi Everyone,

Can SNF be used with Alt-N's Security Gateway product? http://www.altn.com/Products/SecurityGateway-Email-Firewall/

I know the plug-in works great with Mdaemon itself, but I might be switching to Exchange. And want to use this product with it.

Thanks,
Daniel

--
Daniel Bayerdorffer, VP [EMAIL PROTECTED]
Numberall Stamp Tool Co., Inc. www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566

-----Original Message-----
From: Peer-to-Peer (Support) [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Date: Thu, 28 Aug 2008 09:19:29 -0400
Subject: [sniffer] Re: Stampede - amazing!

Not the same as you're describing below, but I can confirm we were slammed with NDR's last night. Classic joe-job (i.e. millions of messages sent out to unknown users using your return address).

--Paul

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Thursday, August 28, 2008 5:13 AM
To: Message Sniffer Community
Subject: [sniffer] Stampede - amazing!

Hello Sniffer Folks,

I had been wondering why the blackhats had been pushing so hard for new bots these last few weeks. Then the other day I saw something very strange in the SNF telemetry. A storm came in that seemed to stop all other traffic. For more than an hour I really thought something was broken -- but I wasn't sure I'd really seen it.

Just a short time ago our SortMonster on duty (Mitchell Skull) called all-hands for a new spam storm. This was another of the new penis spams. We coded the rules quickly and as they went out I saw it again: T rates fell to zero on many systems and close to that on all of the others. This means that virtually all of the IPs were brand-new. At the same time traffic spiked on all systems and capture rates went off-scale high as the new rules tagged virtually every message.

This is not an entirely new tactic by the blackhats-- I've talked about it before. It is essentially a high-amplitude burst - where a new campaign is pre-tested against all known filters and then launched on a large number of new bots that are unknown to IP reputation systems.

What is new is the purity of these recent events. When we've seen them before they were mixed in with a lot of other traffic from other bot nets and even other campaigns from the same bot net. While there was still a trickle of this activity, the purity of this burst was astounding. This was a stampede where essentially all visible bots started running in a single new direction.

T rates have recovered now by and large -- so the new bots are already largely recognized by GBUdb, but the wild swing in telemetry across the network was amazing to watch -- as is the new telemetry showing dramatically increased traffic and capture rates indicating a nearly pure stream of spam from this new herd.

Theories, comments, and observations welcome.

Thanks,
_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Milter Version
Hello,

Years ago we were a Message Sniffer customer. We had an email server in house (MDaemon). Loved Message Sniffer, it totally controlled our spam. Then we switched to outsourced Exchange. It was a good move at the time, but various world events have caused us to reconsider and we are now bringing our email server back in house.

This time we are going to a Linux based solution, www.axigen.com. Axigen supports the Milter interface, and I see that Message Sniffer does as well. I've been reading the Install notes, but one thing that is not clear is that the Milter version is up to date. Is it current and if not will it be in the near future?

Thanks in advance,
Daniel

--
Daniel Bayerdorffer, VP dani...@numberall.com
Numberall Stamp Tool Co., Inc. www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566
[sniffer] Re: Saccades anyone?
Hi Pete,

Any plans to modify the milter code to this in the future?

Thanks,
Daniel

--
Daniel Bayerdorffer, VP dani...@numberall.com
Numberall Stamp Tool Co., Inc. www.numberall.com
PO Box 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, February 13, 2014 1:35 PM
To: Message Sniffer Community
Subject: [sniffer] Saccades anyone?

Hello Sniffer Folks,

We are preparing to release a new version of the Message Sniffer engine that includes an exciting new technology.

The saccades engine allows SNF to intelligently skip large portions of most messages without missing any important content. The engine borrows from MicroNeil's synthetic intelligence research relating to visual systems processing and essentially gives SNF a behavior similar to what we all do with our eyes: http://en.wikipedia.org/wiki/Saccade

The engine learns where matches are most likely to occur and then applies what it is learning in real-time. This allows SNF to rapidly identify messages of a type it has already seen without having to scan the entire contents.

This has the potential to improve scanning efficiency by 90% or more. That is, scanning typical messages can happen with 1/10th the work for a 10x improvement in efficiency. Not kidding, we're actually seeing these results on some of our testbed servers!

You may have seen me tweet about it: https://twitter.com/codedweller/status/434020178352148480

If you'd like to get in on the fun early and you are using SNFServer.exe then you can find a copy of the new engine at the following link:

http://www.armresearch.com/message-sniffer/download/SNFServerV3.0.2-E3.1.0.zip

To swap it in,

* Download and unzip the new engine.
* Stop your Message Sniffer.
* Rename your SNFServer.exe to something like SNFServer.exe.bakup (always a good idea to keep a backup).
* Rename the new engine to SNFServer.exe
* Restart your Message Sniffer.

Please let us know how this works for you.

Thanks!
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: sniffer-...@sortmonster.com To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] Re: Saccades anyone?
Thanks, I'll take a look!

On 2014-02-18 17:02, Daniel Bayerdorffer wrote:

> Any plans to modify the milter code to this in the future?

Yes. All platforms will be updated shortly. In fact, if you wish, you can download the snfmulti source from our SVN server and then recompile your milter with the new code.

Here is a link:

Examine it here with websvn
https://svn.microneil.com/websvn/listing.php?repname=SNFMulti

Get the source here via svn
https://svn.microneil.com/svn/SNFMulti/trunk/
[sniffer] Re: Adding Message Sniffer to Zimbra
Hi Linda,

Thank you for the useful advice! I will be working on this next week, and I'll let you know how it turns out. I also found some useful information on Zimbra's Wiki. https://wiki.zimbra.com/wiki/SpamAssassin_Customizations

I'm looking forward to the reduction in spam!

Thanks,
Daniel

From: Linda Pagillo linda.pagi...@mailsbestfriend.com
To: Daniel Bayerdorffer dani...@numberall.com
Sent: Tuesday, February 3, 2015 5:40:34 PM
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra

Hi Daniel. I was hanging out in the Message Sniffer Community forums and saw that you had a question about Message Sniffer and Zimbra. I have actually set up a Zimbra/Postfix/SpamAssassin server with the SNF4SA plug-in. When I set it up, I simply added the lines for the SNF4SA to SpamAssassin’s local.cf file and it has been working without issue since. However, we have not upgraded the Zimbra server, so I’m not sure if those settings would be overwritten if we did. To avoid that, you could create a file called something like aaalocal.cf and add the SNF4SA lines to that file. That would prevent the settings from being overwritten if a Zimbra upgrade did overwrite the local.cf.

I hope this helps. Thanks!

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3605 x7016
[sniffer] Adding Message Sniffer to Zimbra
Hello Everyone,

Does anyone have any advice or tips for adding Message Sniffer to Zimbra 8.6? Specifically with Zimbra's implementation of spam assassin?

Thanks,
Daniel

--
Daniel Bayerdorffer, VP dani...@numberall.com
Numberall Stamp Tool Co., Inc. www.numberall.com
PO BOX 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566
[sniffer] Re: Adding Message Sniffer to Zimbra
Hi Pete,

That is my expectation too. I just wasn't sure if Zimbra might try to overwrite any spam assassin conf files and such. Zimbra maintains all its settings in ldap attributes, so it can maintain consistency across servers. So I was curious if anyone had already run into that issue. I'll do some more digging in the Zimbra documentation to verify it won't overwrite anything.

Thanks,
Daniel

----- Original Message -----
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, February 3, 2015 1:38:56 PM
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra

On 2015-02-02 19:53, Daniel Bayerdorffer wrote:

> Does anyone have any advice or tips for adding Message Sniffer to Zimbra 8.6? Specifically with Zimbra's implementation of spam assassin?

The SNF4SA plugin included with the Linux source code distribution should do the trick. SNF4SA looks to SpamAssassin like any other SA plugin. It creates a temp file of the message, calls SNFServer to scan the message, and then processes the results in a way SA expects so it can be scored. It _should_ be as easy as that.

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: Adding Message Sniffer to Zimbra
Hi Pete,

I implemented the identifier option. Thanks for the advice. I've also finally seen an email where spamassassin is acknowledging some input from SNF.

X-Spam-Status: Yes, score=14.214 tagged_above=-10 required=6.6 tests=[BAYES_95=3, KB_DATE_CONTAINS_TAB=2.751, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SNF4SA=4.000, TAB_IN_FROM=0.499] autolearn=no autolearn_force=no

That is mostly what I'm looking for, but the identifier option will be helpful for debugging.

Thanks again for all your help!
Daniel

----- Original Message -----
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, February 10, 2015 9:20:31 AM
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra

Unfortunately, some implementations of SA are hiding these headers. We've seen this a few times recently. There doesn't seem to be a way around it outside of hacking SA itself. (A few people have done that,... but it was ugly).

If you want to be able to more easily associate SNF logs with messages you might consider changing SNF's message identifier to use the Message ID.

http://www.armresearch.com/Documentation/QA/ltidentifiergt-2021367617.jsp
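Added example (not part of the original thread, and not SNF, SpamAssassin or Zimbra code): a Python check that reads an X-Spam-Status header in the bracketed tests=[NAME=score, ...] form quoted above and reports how much SNF4SA contributed and whether the message would still have reached the required score without it. The sample message is constructed around the header values from the thread, the function names are hypothetical, and treating "score >= required" as the spam decision is an assumption.

```python
import re
from email import message_from_string

# Constructed sample: the X-Spam-Status value quoted in the thread, wrapped in
# a minimal message and folded across continuation lines as a mail server would.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "Subject: constructed sample\r\n"
    "X-Spam-Status: Yes, score=14.214 tagged_above=-10 required=6.6\r\n"
    "\ttests=[BAYES_95=3, KB_DATE_CONTAINS_TAB=2.751,\r\n"
    "\tRCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,\r\n"
    "\tRCVD_IN_XBL=0.375, RDNS_NONE=0.793, SNF4SA=4.000, TAB_IN_FROM=0.499]\r\n"
    "\tautolearn=no autolearn_force=no\r\n"
    "\r\n"
    "body\r\n"
)

_NUM = r"(-?\d+(?:\.\d+)?)"


def parse_spam_status(raw_message):
    """Return the parsed X-Spam-Status header as a dict, or None if absent."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        return None
    # Collapse folding whitespace so the header reads as one logical line.
    value = " ".join(str(value).split())
    score = re.search(r"\bscore=" + _NUM, value)
    required = re.search(r"\brequired=" + _NUM, value)
    tests_field = re.search(r"\btests=\[([^\]]*)\]", value)
    tests = {}
    if tests_field:
        for item in tests_field.group(1).split(","):
            name, _, points = item.strip().partition("=")
            if not name:
                continue
            # Some setups list test names without per-test scores.
            number = re.fullmatch(_NUM, points.strip())
            tests[name] = float(number.group(1)) if number else None
    return {
        "flagged": value.lower().startswith("yes"),
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "tests": tests,
    }


def rule_contribution(raw_message, rule="SNF4SA"):
    """Report what one rule added to the score and whether it was decisive."""
    status = parse_spam_status(raw_message)
    if status is None or status["score"] is None or status["required"] is None:
        return None
    hit = rule in status["tests"]
    points = status["tests"].get(rule)
    without = round(status["score"] - (points or 0.0), 3)
    known = [p for p in status["tests"].values() if p is not None]
    return {
        "hit": hit,
        "points": points,
        "score": status["score"],
        "required": status["required"],
        "score_without_rule": without,
        # Decisive: over the threshold with the rule, under it without.
        "decisive": hit and status["score"] >= status["required"] > without,
        # A mismatch suggests a truncated header or tests listed without scores.
        "tests_sum_matches": round(sum(known), 3) == round(status["score"], 3),
    }


if __name__ == "__main__":
    print(rule_contribution(SAMPLE_MESSAGE))
```
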
[sniffer] Re: Adding Message Sniffer to Zimbra
Hi Pete,

Thanks for the help, that worked perfectly. I have snf running and the snf4sa installed as well. I can see that snf is scanning messages from its license.20150210.log.xml file

<s u='20150210060732' m='/tmp/snf4sa/u4EHALz_Is' s='60' r='4609060'>
<m s='60' r='4609060' i='1045' e='1057' f='m'/>
<m s='60' r='1482320' i='1060' e='1071' f='m'/>

But there are no headers in the messages showing snf's results. I can see that the snf4sa.cf has it set to add them though.

# Header line containing the results from SNFServer.
add_header all SNF-Result _SNFRESULTTAG_
add_header all MessageSniffer-Scan-Result _SNFMESSAGESNIFFERSCANRESULT_
add_header all MessageSniffer-Rules _SNFMESSAGESNIFFERRULES_
add_header all GBUdb-Analysis _SNFGBUDBANALYSIS_

Do you have any more suggestions?

Thanks again for the help,
Daniel

----- Original Message -----
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, February 9, 2015 6:12:45 PM
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra

On 2015-02-09 16:23, Daniel Bayerdorffer wrote:

> libpthread package they have listed for 14.04. But the config script still can't find that library. Can you offer any advice?

apt-get install build-essential seems to be the equivalent of CentOS yum groupinstall Development Tools which usually solves this problem for redhat variants.

Give that a shot and see if it fills in the holes. Usually by the time I've got g++ up and running on ubuntu it just works -- hopefully that's not broken in 14.

Best,
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: Adding Message Sniffer to Zimbra
Hi Linda (and the Sniffer community),

I just wanted to let everyone know what I ended up doing to work with Zimbra.

I copied the snf4sa.pm and snf4sa.cf files to the /opt/zimbra/data/spamassassin/localrules directory per this Zimbra wiki article:
https://wiki.zimbra.com/wiki/SpamAssassin_Customizations

The spamassassin implementation in Zimbra blocks SNF Headers from being added to emails. So I took Pete's advice and turned on the <identifier/> option in the /etc/snf-server/SNFServer.xml file:
http://www.armresearch.com/Documentation/QA/ltidentifiergt-2021367617.jsp

Everything appears to be working great!

Thanks,
Daniel

From: Daniel Bayerdorffer [mailto:dani...@numberall.com]
Sent: Wednesday, February 04, 2015 10:08 AM
To: Linda Pagillo; Message Sniffer Community
Subject: Re: [sniffer] Re: Adding Message Sniffer to Zimbra

Hi Linda,

Thank you for the useful advice! I will be working on this next week, and I'll let you know how it turns out. I also found some useful information on Zimbra's Wiki.
https://wiki.zimbra.com/wiki/SpamAssassin_Customizations

I'm looking forward to the reduction in spam!

Thanks,
Daniel

From: Linda Pagillo <linda.pagi...@mailsbestfriend.com>
To: Daniel Bayerdorffer <dani...@numberall.com>
Sent: Tuesday, February 3, 2015 5:40:34 PM
Subject: [sniffer] Re: Adding Message Sniffer to Zimbra

Hi Daniel.

I was hanging out in the Message Sniffer Community forums and saw that you had a question about Message Sniffer and Zimbra. I have actually set up a Zimbra/Postfix/SpamAssassin server with the SNF4SA plug-in. When I set it up, I simply added the lines for the SNF4SA to SpamAssassin’s local.cf file and it has been working without issue since. However, we have not upgraded the Zimbra server, so I’m not sure if those settings would be overwritten if we did. To avoid that, you could create a file called something like aaalocal.cf and add the SNF4SA lines to that file. That would prevent the settings from being overwritten if a Zimbra upgrade did overwrite the local.cf.

I hope this helps. Thanks!

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3605 x7016
[sniffer] Re: Adding Message Sniffer to Zimbra
Hello Pete,

I've run into a snag on installing Message Sniffer. We are installing on Ubuntu 14.04.1 LTS Server. I'm running the config script and it says I don't have the libpthread library installed. I've done a search on Ubuntu's package website, and I've installed every libpthread package they have listed for 14.04. But the config script still can't find that library. Can you offer any advice?

http://packages.ubuntu.com/search?suite=default&section=all&arch=any&keywords=libpthread&searchon=names

Thanks,
Daniel
[sniffer] Re: ShortMatch Resolved - Update your SNF software to remain immune.
Hi Pete,

Thanks for the update on this situation. Just so I understand correctly, can we use the packages to install over a current installation that was compiled from source?

Thanks,
Daniel

- Original Message -
From: "Pete McNeil"
To: "Message Sniffer Community"
Sent: Thursday, December 3, 2015 6:07:11 PM
Subject: [sniffer] ShortMatch Resolved - Update your SNF software to remain immune.

Hi Sniffer Folks,

According to our latest data, the Short-Match FP problem has subsided - most likely due to rule sequestration. We have not seen any significant events in our detection software since 2100e last evening.

In the mean time we have updated the SNF software to check for short-match events and treat them as rule-panic events. This renders them inert so that if this kind of rulebase corruption occurs again the SNF engine will be immune.

Please update your SNF software to this latest version using the links below.

NOTE: The Windows installer is in the process of being redesigned and does not have the latest software. This will take some time. If you are using SNF on Windows and use(d) the installer then use this procedure to update your software:

* Stop your SNF service (usually XYNT Service based).
* Copy your SNFServer.exe file to SNFServer.old
* Download SNFServer-windows-7-prox32-3.1.0.exe (32 bit) or SNFServer-windows-7-prox64-3.1.0.exe (64 bit) and rename it to SNFServer.exe to replace your previous SNFServer.exe.
* Start your SNF service.

If you were using the 32 bit version (very likely) then replace it with the 32 bit version. There really isn't any difference, but just in case it's simpler to keep things the same. There is no benefit to running the 64 bit version -- It is not faster and is in fact less efficient due to the use of extra large (64 bit) pointers that aren't necessary ;-) Some folks really want a 64 bit version, so we have one.

Here are some links to updated versions:

http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox32-3.1.0.exe
http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox64-3.1.0.exe
http://www.armresearch.com/message-sniffer/download/updates/snf-server-3.1.0.tar.gz
http://www.armresearch.com/message-sniffer/download/updates/snf-milter-1.1.1.tar.gz
http://www.armresearch.com/message-sniffer/download/updates/SNFMultiSDK_Windows_3.2.zip

And for the really adventurous:

http://www.armresearch.com/message-sniffer/download/packages/

In the packages link you will find all of the latest snapshots and some old ones from our LabRats. The LabRats compile and test SNF for all of the different platforms. You will find RPM and DEB packages as well as tarballs and even the windows stuff that's posted in the updates links above. Be sure to pick the latest version in all cases.

It will take a bit of time before all of the ordinary links on our web site are updated with the latest software, so please use the above links instead if you're going to update right now.

Best,
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: ShortMatch Resolved - Update your SNF software to remain immune.
Got it! I'll compile from source. Thanks for the detailed description.

- Original Message -
From: "Pete McNeil" <madscient...@armresearch.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Thursday, December 3, 2015 9:47:57 PM
Subject: [sniffer] Re: ShortMatch Resolved - Update your SNF software to remain immune.

On 2015-12-03 21:24, Daniel Bayerdorffer wrote:
> Just so I understand correctly, can we use the packages to install over a
> current installation that was compiled from source?

Probably not -- the deployment might not be exactly the same.

If you originally compiled from source then your easiest solution will be to use the tarball and compile from source again. Then you can simply replace the executable you have with the new one you make -- everything is compatible and nothing will need to move.

If you use the packages you are essentially starting over. The packages are deployed differently than the source instructions. For example, to do the generic postfix integration with SNF Server you would need to install two packages: the snf-server_ package and then the snf-server-postfix_ integration package.

If you wanted to roll your own integration you might just install the snf-server_ package and then build your own scripts and other software on top of that. It's a different paradigm.

Hope this helps,
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: New Version -- SNFMulti 3.2.0 -- Strangers
Hi Pete,

Thanks for clearing that up. I believe I'll take your initial advice and skip the make-install. However it's good to know I could do it that way for future updates.

Thanks,
Daniel

- Original Message -
From: "Pete McNeil" <madscient...@armresearch.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Monday, January 4, 2016 1:46:37 PM
Subject: [sniffer] Re: New Version -- SNFMulti 3.2.0 -- Strangers

On 2016-01-04 11:44, Daniel Bayerdorffer wrote:
> Are there any other gotcha's I should be aware of?

I took a quick look through the tarball and was reminded -- all of the configuration elements are provided as samples after make-install. The instructions say to copy the samples to their correct names and then modify them appropriately -- so that part of it is a manual process.

In that case it should be safe to do make install and just skip those steps since your configuration is already happy.

All that said; again -- you're really only interested in updating your SNFServer binary. The rest isn't changed.

Best,
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: New Version -- SNFMulti 3.2.0 -- Strangers
Hi Pete,

I have a couple of questions about upgrading. We will be upgrading SNF4SA running on Ubuntu 14.04 with Zimbra email server. I previously compiled the source code to install SNF4SA. Can I compile the latest version and run the make-install to overwrite the existing version? If so, do I need to re-apply our license information to the configuration files, etc.? Are there any other gotcha's I should be aware of?

Thanks,
Daniel

- Original Message -
From: "Pete McNeil"
To: "Message Sniffer Community"
Sent: Thursday, December 24, 2015 4:17:08 PM
Subject: [sniffer] New Version -- SNFMulti 3.2.0 -- Strangers

Hello Sniffer Folks,

A new version of Message Sniffer is available. The most exciting new feature for this version is: Strangers.

The "Strangers" algorithm replaces the previous White-Guard algorithm. Strangers prevents high-intensity pre-tested spam from poisoning IP reputations in GBUdb and enhances SNF's sensitivity to these kinds of attacks. Once pattern rules begin to match the pre-tested attack the IP reputations quickly climb into the black enhancing all of SNF's learning systems. Normal, but new, IP sources are held to low-confidence reputations for several hours, but after that are allowed to develop normally.

Short summary: Strangers lets SNF close the door more quickly on pre-tested spam while enhancing SNF's learning sensitivity to those events and without interfering with normal IP reputation processing.

Here are some links:

Packages from the LabRats...
http://www.armresearch.com/message-sniffer/download/packages/

SNFMilter tarball...
http://www.armresearch.com/message-sniffer/download/updates/snf-milter-1.2.0.tar.gz

SNFServer tarball...
http://www.armresearch.com/message-sniffer/download/updates/snf-server-3.2.0.tar.gz

SNFServer 32bit Windows exe...
http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox32-3.2.0.exe

Not better, but if you _really_ want it ...
SNFServer 64bit Windows exe...
http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox64-3.2.0.exe

Thanks! and Happy Holidays!
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] DEB Packages
Hello,

I'm in the process of upgrading our email server. I see that the DEB packages for Message Sniffer are for Ubuntu 14.04. Will these work with 16.04?

Thanks,
Daniel

--
Daniel Bayerdorffer, VP
dani...@numberall.com
Numberall Stamp & Tool Co., Inc.
www.numberall.com
PO BOX 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566
[sniffer] Re: DEB Packages
Hi Everyone,

Just wanted to give a status update. The DEB packages work just fine on Ubuntu 16.04 Server. I used Ansible to download, install, and add the proper configuration files. It couldn't have gone more smoothly. Highly recommended!

Regards,
Daniel

- Original Message -
From: "Daniel Bayerdorffer" <dani...@numberall.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Friday, December 2, 2016 3:11:26 PM
Subject: [sniffer] Re: DEB Packages

Hi Pete,

Thanks for the info. I'll be sure to report my results back here.

Daniel

- Original Message -
From: "Pete McNeil" <madscient...@armresearch.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Thursday, December 1, 2016 6:21:11 PM
Subject: [sniffer] Re: DEB Packages

On 12/01/2016 02:07 PM, Daniel Bayerdorffer wrote:
> I see that the DEB packages for Message Sniffer are for Ubuntu 14.04.
> Will these work with 16.04?
>

They should -- there haven't been any significant changes in SNF nor in the parts of Ubuntu that SNF cares about.

Still, the packages are considered experimental (mostly due to a lack of exhaustive testing) so be ready to roll back just in case; and do share your results with us.

Best,
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: Our IP got listed on GBUdb Truncate
Hi Pete,

Thank you for the information and advice on how to check our own messages for the problem. Since asking about this issue I've discovered another user got hacked. Their account sent out about 45,000 spam emails today. It seems pretty clear that was the culprit.

I'm now in the process of forcing all our users to use a password manager and to use complex, unique passwords for everything.

Thanks Again,
Daniel

- Original Message -
From: "Pete McNeil"
To: "Message Sniffer Community"
Sent: Friday, November 2, 2018 2:21:45 PM
Subject: [sniffer] Re: Our IP got listed on GBUdb Truncate

On 11/2/18 11:52, Daniel Bayerdorffer wrote:
>
> Is there anyway for us to see what the offending email was that got us
> on the list? Or some other data point to help us clean up our system?

SNF doesn't leak message info -- With the exception of auto-sampling of spam (truncated messages, and only if you have it enabled) we don't see message content. What we do get are anonymous statistics and training data.

The good news is that you are running SNF, so you can scan your messages and identify any content that might have triggered SNF. Truncate is trained by counting good and bad events -- bad events are when a message matches spam/malware patterns. ... so you can actually check with your own scanner.

Truncate is completely automated... so we can't change the list data. It actually doesn't come from a database but rather by skimming the telemetry for these events. In effect the reputation for any given IP resides in each SNF instance around the globe and the truncate list works by eavesdropping on the conversations between those nodes as they "discuss" IP reputations.

If the IP is still listed and you send a note to support with the IP requesting a trace then we can collect some events with timestamps. That may help you track things down -- but since you're an SNF user you would probably do better with your own scanner.

Hope this helps.
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] rspamd integration
Hello,

I'm looking into switching from spamassassin to rspamd with Zimbra MTA.
https://rspamd.com/

Is there any documentation on integrating Message Sniffer with rspamd? Or does anyone have any experience with rspamd?

Thanks,
Daniel

--
Daniel Bayerdorffer, VP
dani...@numberall.com
Numberall Stamp & Tool Co., Inc.
www.numberall.com
Reuleaux Models www.reuleauxmodels.com
CypherSafe www.cyphersafe.io
PO BOX 187, Sangerville, ME 04479 USA
TEL: 207-876-3541 FAX: 207-876-3566