Re: [sniffer] false positives which catagories?

2005-08-11 Thread Darin Cox
If the test fails, but the message does not hit the hold or delete weight.

Not a perfect measurement, as it does not capture all ham (ham that hits the
hold or delete weight), and misses some spam (spam that does not hit the
hold or delete weight), but it is the most accurate and least subjective
measurement.

Darin.


- Original Message - 
From: Keith Johnson [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, August 11, 2005 8:13 AM
Subject: RE: [sniffer] false positives which catagories?


Scott,

HS = Test says ham, final result was spam. This is an inaccurate ham result.
'False negative'

How are you auto determining that an email that was ham was really spam?
Are you keying this info into your stats based on your viewing of the
email or by user complaint?  Obviously, if Declude triggers an email to
have action on it based on spam settings it was spam and if it didn't take
action on it and it went through to your users it was ham.  Thanks again for
the aid.

Keith



From: [EMAIL PROTECTED] on behalf of Scott Fisher
Sent: Thu 8/4/2005 10:02 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] false positives which catagories?


I have my sniffer result histories by category posted at:
http://it.farmprogress.com/declude/Testsbymonth.html
Look about 90% down the page.

- Original Message - 
From: Bonno Bloksma mailto:[EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, August 04, 2005 1:40 AM
Subject: [sniffer] false positives which catagories?

Hi,

I'd like to make a difference in the ways I score the various sniffer
categories in Declude.
I hold at 20 and have had the several sniffer categories all at 19.
As we are a school for tourism I score sniffer travel lower but I would like
to score some categories higher, at 20.
If we have a false positive it's mostly in the general, exp-abstract,
ip-rules category is my feeling.

Someone must have made a comparison of false positives against sniffer and
in which categories those fp's are mostly. Right?
Which categories have virtually no FPs and which should I keep (well) below
my hold level?
Of course all held mail gets reviewed by me, unless it scores enough other
points to get deleted (at 27 points).


Regards,


Bonno Bloksma




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
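Darin's measurement above (a test that fires on a message the filter still delivers) and Bonno's question about which categories to keep below the hold weight both come down to per-test weights measured against hold and delete thresholds. The following is an added example, not Declude or Message Sniffer code: the test names, weights, thresholds and sample batch are constructed, and it tallies the HH/HS/SH/SS outcomes Keith describes for each test.

```python
"""Weighted test scoring with hold/delete thresholds, plus the per-test
outcome tallies (HH, HS, SH, SS) discussed in the thread.

Added example, not Declude or Message Sniffer code. Test names, weights,
thresholds and the sample batch below are constructed for illustration.
"""
from collections import Counter

# Constructed weights. A Sniffer category set just under the hold weight
# (19 against a hold of 20) cannot hold a message on its own; one set at
# the hold weight can.
WEIGHTS = {
    "SNIFFER-GENERAL": 20,
    "SNIFFER-TRAVEL": 10,
    "SNIFFER-EXP-ABSTRACT": 19,
    "SNIFFER-IP-RULES": 19,
    "CBL": 10,
    "COUNTRYFILTER": 20,
}
HOLD_WEIGHT = 20
DELETE_WEIGHT = 27


def score(failed_tests, weights=WEIGHTS):
    """Total weight of the tests a message failed."""
    return sum(weights[name] for name in failed_tests)


def action(total, hold=HOLD_WEIGHT, delete=DELETE_WEIGHT):
    """Action the filter takes for a total weight."""
    if total >= delete:
        return "delete"
    if total >= hold:
        return "hold"
    return "deliver"


def outcome(test_fired, final_action):
    """Two letters: the test's verdict, then the final verdict.

    The final verdict is H (ham) when the message was delivered and S (spam)
    when it was held or deleted. SH is a test that fired on a message the
    filter still delivered; HS is a test that stayed silent on a message
    that was held or deleted.
    """
    first = "S" if test_fired else "H"
    second = "H" if final_action == "deliver" else "S"
    return first + second


def tally(batch, weights=WEIGHTS, hold=HOLD_WEIGHT, delete=DELETE_WEIGHT):
    """Per-test Counter of outcomes over a batch of messages.

    Each message is represented by the set of test names it failed.
    """
    counts = {name: Counter() for name in weights}
    for failed in batch:
        final = action(score(failed, weights), hold, delete)
        for name in weights:
            counts[name][outcome(name in failed, final)] += 1
    return counts


def sh_share(counter):
    """Fraction of a test's firings that ended in delivery (SH over SH+SS).

    This is the measurement Darin describes: it misses ham that other tests
    pushed over the hold weight, but it needs no manual review.
    """
    fired = counter["SH"] + counter["SS"]
    return counter["SH"] / fired if fired else 0.0


# Constructed batch: each entry is the set of tests one message failed.
SAMPLE_BATCH = [
    {"SNIFFER-GENERAL"},                 # 20 -> hold
    {"SNIFFER-TRAVEL"},                  # 10 -> deliver
    {"SNIFFER-EXP-ABSTRACT"},            # 19 -> deliver, just under hold
    {"SNIFFER-EXP-ABSTRACT", "CBL"},     # 29 -> delete
    {"CBL", "COUNTRYFILTER"},            # 30 -> delete
    set(),                               # 0 -> deliver
]

if __name__ == "__main__":
    for name, counter in tally(SAMPLE_BATCH).items():
        print(f"{name:22} {dict(counter)}  SH share={sh_share(counter):.2f}")
```

With these constructed numbers the 19-point category delivers one message alone and helps delete another, so half of its firings count as SH; raising it to the hold weight would turn that SH into a held message that someone has to review, which is the trade-off Bonno is weighing.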


Re: [sniffer] Sniffer Resources

2005-09-06 Thread Darin Cox
What do the logs say?  What's the average time to process a message?

Darin.


- Original Message - 
From: Richard Farris [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, September 06, 2005 11:07 AM
Subject: [sniffer] Sniffer Resources


When I turn off sniffer my server acts normally on resources..but when I
turn it on it goes to 100% and stays there most of the time...I have tried
updating the sniffer and rebooting the server but does not help...it has
been doing this for about a month...has anyone else seen this..if not what
can I do to resolve it..right now I have sniffer turned off so I can just
send mail thru the server..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Andy Schmidt sniffer@SortMonster.com
Sent: Monday, September 05, 2005 9:43 AM
Subject: Re: [sniffer] Integration with today's new ORF version:


 On Monday, September 5, 2005, 9:26:38 AM, Andy wrote:

 AS http://www.vamsoft.com/orf/agentdefs.asp
 AS
 AS It says to contact  vendor. Here I am G.

 Yes indeed.

 How may I help you?

 _M









This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Damn viagra spam

2005-09-14 Thread Darin Cox
We just reported one to Sniffer support for analysis as well.

Darin.


- Original Message - 
From: Heimir Eidskrem [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Wednesday, September 14, 2005 3:34 PM
Subject: [sniffer] Damn viagra spam


We are getting tons of spam for viagra and other drugs.

Not being stopped by sniffer.

From - Wed Sep 14 14:23:59 2005
X-Account-Key: account2
X-UIDL: 397213080
X-Mozilla-Status: 0011
X-Mozilla-Status2: 
Received: from chartcourse.com [200.152.123.222] by deepspace.i360.net
  (SMTPD-8.20) id A7660304; Wed, 14 Sep 2005 14:17:58 -0500
Received: from [192.168.232.240] (helo=elevator)
by chartcourse.com with smtp (Paradisaic kw 5.29 (Jactation))
id lBCMAK-xJNrNU-Ty
for [EMAIL PROTECTED]; Wed, 14 Sep 2005 14:17:22 -0500
Message-ID: [EMAIL PROTECTED]
Reply-To: Shayna Riffe [EMAIL PROTECTED]
From: Shayna Riffe [EMAIL PROTECTED]
To: Ealdgyth Rancourt [EMAIL PROTECTED]
Subject: Re: Really Works Very Good Pharmaceu tical
Date: Wed, 14 Sep 2005 14:17:20 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000_0047_01C5B937.04839800
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-RBL-Warning: CBL: Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=200.152.123.222;
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 29,
weight 20)
X-Declude-Sender: [EMAIL PROTECTED] [200.152.123.222]
X-Declude-Spoolname: D776501961CDF.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: CBL, IPNOTINMX, COUNTRYFILTER, CATCHALLMAILS [50]
X-Country-Chain: BRAZIL-destination
X-Note: This E-mail was sent from recreio.speednetrj.com
([200.152.123.222]).
X-IMAIL-SPAM-STATISTICS: (776501961cdf, 0.9721)
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 397213080
X-IMail-ThreadID: 776501961cdf

This is a multi-part message in MIME format.

--=_NextPart_000_0047_01C5B937.04839800
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable

LeViAmCiXaVa
viagbi=
alnali
trraenisxum
a  =
nbsp;
$3$1$3
.33.21.75
Our Website
FaBeToEa
st st talsy
DeliPricnbs=
p;ConOrde
veryesfide=
ring
nti
ality=
 ball go? writing represented an incoherent chain of certain utterances, =
certain

--=_NextPart_000_0047_01C5B937.04839800
Content-Type: text/html;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable

!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN
HTMLHEAD
META http-equiv=3DContent-Type content=3Dtext/html; charset=3Dus-ascii
META content=3DMSHTML 6.00.2800.1106 name=3DGENERATOR
STYLE/STYLE
/HEAD
BODY bgColor=3D#ff

DIVnbsp;/DIV
DIV style=3DFLOAT: leftFONT face=3DCourierLeBRBVi/BBRAmB=
RBCi/BBRXaBRBVa/B/FONT/DIV

DIV style=3DFLOAT: leftFONT face=3DCourierviBRBag/BBRbi=
BRBal/BBRnaBRBli/B/FONT/DIV
DIV style=3DFLOAT: leftFONT face=3DCouriertrBRBra/BBRen=
BRBis/BBRxBRBum/B/FONT/DIV

DIV style=3DFLOAT: leftFONT face=3DCourieraBRnbsp;BRnbsp;BR=
nbsp;BRnbsp;BRnbsp;/FONT/DIV
DIV style=3DFLOAT: leftFONT face=3DCourierBRB$3/BBRBRB=
$1/BBRBRB$3/B/FONT/DIV

DIV style=3DFLOAT: leftFONT face=3DCourierBRB.33/BBRB=
RB.21/BBRBRB.75/B/FONT/DIV
DIV style=3DCLEAR: bothnbsp;/DIV

DIVA href=3Dhttp://www.amyslate.com;Our Website/A/DIV
DIVnbsp;/DIV
DIV style=3DFLOAT: leftFONT face=3DCourierFaBRBeBRToBREa/FON=
T/DIV
DIV style=3DFLOAT: leftFONT face=3DCourierstnbsp;BRstnbsp;=
BRtalBRsynbsp;/FONT/DIV

DIV style=3DFLOAT: leftFONT face=3DCourierDeliBRPricBRnbs=
p;ConBROrde/FONT/DIV
DIV style=3DFLOAT: leftFONT face=3DCourierveryBResBRfideBR=
ring/FONT/DIV
DIV style=3DFLOAT: leftFONT face=3DCourierBRBRntiBR/FONT/DIV

DIV style=3DFLOAT: leftFONT face=3DCourierBRBRalityBR/FONT=
/DIVDIV style=3DCLEAR: bothnbsp;/DIV/BODY/HTML

--=_NextPart_000_0047_01C5B937.04839800--







-- 

Cordially,

Heimir Eidskrem

i360, Inc.
2825 Wilcrest, Suite 675
Houston, TX 77042
Ph:  713-981-4900
Fax: 832-242-6632
[EMAIL PROTECTED]
www.i360.net
www.i360hosting.com
www.realister.com

Houston's Leading Internet Consulting Company




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Damn viagra spam

2005-09-14 Thread Darin Cox
Yeah, and whoever is on this list from Poynerlaw.com needs to stop
postmaster replies for messages failing their spam tests.  I got a nice
little automated reply from them when I replied to Heimir's message.

Since most spam and virus content is forging these days, postmaster replies
just add to the spam problem.

Darin.


- Original Message - 
From: Russ Lists [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, September 14, 2005 3:53 PM
Subject: Re: [sniffer] Damn viagra spam


Heimir Eidskrem wrote:

 We are getting tons of spam for viagra and other drugs.

 Not being stopped by sniffer.

Snipped spam

Man, SpamAssassin didn't like that message:

X-Spam-Status: Yes, hits=12.024 tagged_above=2 required=5
 tests=[DRUGS_ERECTILE=0.026, FORGED_RCVD_HELO=0.05,
 RAZOR2_CF_RANGE_51_100=1.485, RAZOR2_CHECK=0.15, SARE_HTML_A_HIDE=0.622,
 SUBJECT_DRUG_GAP_VIA=1.77, UPPERCASE_25_50=0.207, URIBL_AB_SURBL=2.007,
 URIBL_BLACK=3, URIBL_JP_SURBL=1.539, URIBL_SBL=0.629, URIBL_WS_SURBL=0.539]
X-Spam-Level: 
X-Spam-Flag: YES

-Russ
---
[This E-mail scanned for viruses by Declude Virus]




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
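Russ's X-Spam-Status header above lists every rule that fired with its score. The following added example (not SpamAssassin or Declude code) parses such a header, checks that the per-rule scores add up to the reported hits, and sums them by rule family so you can see how much of a verdict rests on URI blocklists. SAMPLE_HEADER is the header quoted in Russ's message; the regexes, and the handling of "score=" in place of "hits=" and of a tests list without scores, are the example's own assumptions about the header layout.

```python
"""Parse a SpamAssassin X-Spam-Status header into its flag, scores and the
rules that fired, and check that the rule scores add up to 'hits'.

Added example, not SpamAssassin or Declude code. SAMPLE_HEADER is the
header quoted in the thread; the parser assumes the layout
'Yes|No, hits=... required=... tests=[NAME=score, ...]' and also accepts
'score=' instead of 'hits=' and a tests list without per-rule scores.
"""
import re
from collections import defaultdict

SAMPLE_HEADER = """X-Spam-Status: Yes, hits=12.024 tagged_above=2 required=5
 tests=[DRUGS_ERECTILE=0.026, FORGED_RCVD_HELO=0.05,
 RAZOR2_CF_RANGE_51_100=1.485, RAZOR2_CHECK=0.15, SARE_HTML_A_HIDE=0.622,
 SUBJECT_DRUG_GAP_VIA=1.77, UPPERCASE_25_50=0.207, URIBL_AB_SURBL=2.007,
 URIBL_BLACK=3, URIBL_JP_SURBL=1.539, URIBL_SBL=0.629, URIBL_WS_SURBL=0.539]"""


def unfold(header_text):
    """Join RFC 5322 folded continuation lines (leading whitespace) into one."""
    return re.sub(r"\r?\n[ \t]+", " ", header_text.strip())


def parse_spam_status(header_text):
    """Return {'flagged', 'hits', 'required', 'tests'} for one header."""
    body = unfold(header_text)
    m = re.match(r"X-Spam-Status:\s*(Yes|No)\s*,\s*(.*)$", body, re.I | re.S)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    flagged = m.group(1).lower() == "yes"
    rest = m.group(2)

    # Pull the tests list out first so its NAME=score pairs are not mistaken
    # for the top-level fields.
    tests = {}
    tm = re.search(r"tests=\[([^\]]*)\]", rest)
    if tm:
        for item in tm.group(1).split(","):
            name, _, value = item.strip().partition("=")
            if name:
                tests[name] = float(value) if value else None
        rest = rest[:tm.start()] + rest[tm.end():]

    fields = {k: float(v) for k, v in re.findall(r"(\w+)=([-+]?\d*\.?\d+)", rest)}
    return {
        "flagged": flagged,
        "hits": fields.get("hits", fields.get("score")),
        "required": fields.get("required"),
        "tests": tests,
    }


def score_consistent(parsed, tolerance=0.001):
    """True when the per-rule scores sum to the reported hits.

    Returns False when any rule score is missing: the check is then
    meaningless rather than satisfied.
    """
    values = list(parsed["tests"].values())
    if parsed["hits"] is None or not values or any(v is None for v in values):
        return False
    return abs(sum(values) - parsed["hits"]) <= tolerance


def score_by_family(tests):
    """Sum scores by rule family (the prefix before the first underscore),
    e.g. how much of the total came from URIBL lookups."""
    families = defaultdict(float)
    for name, value in tests.items():
        if value is not None:
            families[name.split("_", 1)[0]] += value
    return {k: round(v, 3) for k, v in families.items()}


if __name__ == "__main__":
    parsed = parse_spam_status(SAMPLE_HEADER)
    print(parsed["flagged"], parsed["hits"], parsed["required"], len(parsed["tests"]))
    print("scores add up:", score_consistent(parsed))
    print(score_by_family(parsed["tests"]))
```

For the quoted header the twelve rule scores sum exactly to 12.024, and the five URIBL rules alone contribute 7.714 of it, above the required 5: the message would have been rejected on URI blocklist evidence even if every content rule had stayed quiet.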


Re: [sniffer] Declude Actions

2005-09-15 Thread Darin Cox
Deleting on any one test is not a good idea.  However, we do hold on some
single tests, and review for false positives.  Our hold weight is 100 and
delete is 300.  We rarely see a false positive above 200 though.

Darin.


- Original Message - 
From: Timothy C. Bohen [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, September 15, 2005 11:54 AM
Subject: [sniffer] Declude Actions


I thought I used to have declude delete everything that sniffer found, now
when I went into my $default$.junkmail file I find its set to LOG.

I assume one of my network admins changed this at some time.

Am I relatively safe in setting it to delete or is this a bad idea?




Timothy C. Bohen
CMSInter.Net LLC / Crystal MicroSystems LLC
===
web  : www.cmsinter.net
email: [EMAIL PROTECTED]
phone: 989.235.5100 x222
fax  : 989.400.4980




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] New virus...

2005-10-06 Thread Darin Cox
That's only in Virus Pro, right?  I don't think BANZIPEXTS is available in
Standard or Lite.

Darin.


- Original Message - 
From: John T (Lists) [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, October 06, 2005 3:01 AM
Subject: RE: [sniffer] New virus...


No need to block zips, with Declude just add BANZIPEXTS ON to your
virus.cfg file since the payload is an exe within the zip and since we are
all already banning executable files, correct?

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Wednesday, October 05, 2005 8:41 PM
 To: sniffer@sortmonster.com
 Subject: [sniffer] New virus...
 Importance: High

 Hello sniffer,

   Hello folks... watch out for a new virus email with an attachment
   named pword _ change . zip - extra spaces added to skip filters
   ;-)

   We're adding some SNF rules to catch it. No word about it on virus
   lists or scanner services yet (that I can see).

   You may want to temporarily block .zip files - or at least this
   particular zip file until the new rules can be pushed out and the
   virus scanners catch up.

 Thanks,
 _M

 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation
 Chief SortMonster (www.sortmonster.com)
 Chief Scientist (www.armresearch.com)




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
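John T's point is that the payload is an executable inside the zip, so blocking executables found inside archives (what he describes BANZIPEXTS as doing) is enough without banning every zip. As an added example, not Declude code, here is that check in Python: it opens the attachment in memory, follows zips inside zips up to a limit, and flags executable extensions, double extensions, and encrypted members it cannot inspect. The extension list, the limits and the sample archives are constructed; no real virus sample is involved.

```python
"""Look inside a zip attachment for executable payloads, the check that
BANZIPEXTS is described as doing in the thread.

Added example, not Declude code. The banned-extension list, the size and
depth limits and the sample archives are constructed for illustration;
nothing here is an actual virus sample.
"""
import io
import os
import zipfile

BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_DEPTH = 3                         # how far to follow zips inside zips
MAX_NESTED_BYTES = 8 * 1024 * 1024    # refuse to expand huge inner archives


def is_banned_name(name):
    """True when the member's final extension is banned (case-insensitive).

    splitext takes the last extension, so 'report.pdf.exe' and
    'screen_photo.jpg.scr' are both caught.
    """
    return os.path.splitext(name)[1].lower() in BANNED_EXTS


def suspicious_members(data, depth=0, prefix=""):
    """Return the paths (outer/inner) of members that should block the message.

    Reported entries are banned extensions, encrypted members (which cannot
    be inspected and are treated as suspicious), archives nested too deeply,
    and inner archives too large to expand. Data that is not a zip at all is
    reported as '<not a zip>'. An empty list means the archive looked clean.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<not a zip>"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:                 # encrypted entry
                findings.append(path + " <encrypted>")
            elif is_banned_name(info.filename):
                findings.append(path)
            elif info.filename.lower().endswith(".zip"):
                if depth + 1 >= MAX_DEPTH:
                    findings.append(path + " <nested too deep>")
                elif info.file_size > MAX_NESTED_BYTES:
                    findings.append(path + " <too large>")
                else:
                    findings.extend(
                        suspicious_members(zf.read(info), depth + 1, path + "/"))
    return findings


def build_zip(members):
    """Constructed helper: zip a {name: bytes} mapping in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; the 'MZ' prefix only mimics a PE header for the demo.
CLEAN_ZIP = build_zip({"notes.txt": b"nothing to see"})
PAYLOAD_ZIP = build_zip({"payload.exe": b"MZ constructed stand-in"})
DOUBLE_EXT_ZIP = build_zip({"screen_photo.jpg.scr": b"MZ constructed stand-in"})
NESTED_ZIP = build_zip({"inner.zip": build_zip({"payload.exe": b"MZ"})})

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_ZIP), ("payload", PAYLOAD_ZIP),
                        ("double ext", DOUBLE_EXT_ZIP), ("nested", NESTED_ZIP)]:
        print(f"{label:11} -> {suspicious_members(blob)}")
```

The encrypted-member and nesting rules are where a simple "ban .exe inside zips" check usually falls short: a password-protected archive or a zip within a zip hides the executable name from a scanner that only reads the outer directory.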


Re: [sniffer] [Declude.Virus] Possible new virus

2005-10-06 Thread Darin Cox



Another possible variant overnight at 4:30AM ET. Same routing as the new
Sober variant from yesterday, but different attachment: screen_photo.zip

Darin.


- Original Message - 
From: Darin Cox 
To: Declude.Virus@declude.com 
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip attached. May want to
block it in your virus.cfg.

Subject is "Your new Password". All so far were routed through gmx.net or
web.de just before delivery, but are originating from a variety of dial-up
or broadband ISP accounts.

Darin.




Re: [sniffer] Spam keeps getting through...

2005-10-11 Thread Darin Cox
I believe Pete is moving to a POP account approach.  You would set up a POP
account for spam and another for false positives, and send them the login
info to it.  Then have your users forward messages to the POP accounts as
attachments (that's the hardest part, which is why we still have them sent
to us, to make sure the original headers are in it).

Darin.


- Original Message - 
From: Kevin Rogers [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, October 11, 2005 7:44 AM
Subject: Re: [sniffer] Spam keeps getting through...


Sorry - I was talking about false positives.  I assume we need to send
false positives to the false@ address.

Can my users send you these messages directly?
Or do they need to forward them to me first (as the registered user)?
And if they do need to forward false positives to me first, is it OK to
simply forward them on to you?
It says on your site to create a new email from scratch and send the
false positive email as an attachment.  Does that mean I should
right-click on the message, Save As... an .eml file, and then attach
that .eml file to the message I'm sending to you?
And is this true for spam as well - do they need to forward them to me
and then me to you?

Just making sure I'm doing this right.

Thanks


Pete McNeil wrote:

It is helpful to get the full headers, however it is simpler and more
reliable in most cases to simply forward the message.

_M

On Tuesday, October 11, 2005, 4:46:48 AM, Kevin wrote:

KR Can we just forward them regularly or do we need to change anything
KR about how the headers display when we forward them?

KR Pete McNeil wrote:

On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S i have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul

oops. missed a step.

Please send (redirect/forward) spam that gets through one at a time to
[EMAIL PROTECTED]

Thanks,

_M


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
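Kevin's question about forwarding false positives, and Darin's note that the original headers have to be in the submission, is about the difference between an inline forward and a message/rfc822 attachment. The following added example, not Message Sniffer code, builds both with Python's email package and shows which one still carries the Received headers once it is parsed at the other end. The addresses and the sample message are constructed, and the false-positive address is a placeholder.

```python
"""Submit a misclassified message as a message/rfc822 attachment so its
original headers (Received, Message-ID, filter X-headers) survive, and show
what an inline forward loses.

Added example, not Message Sniffer code. The addresses and the sample
message are constructed; the Received line only mimics the layout of the
headers quoted earlier in the thread.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample of a held message, headers intact.
SAMPLE_RAW = """\
Received: from mail.example.net [192.0.2.10] by mx.example.com
  (SMTPD-8.20) id ABC123; Wed, 14 Sep 2005 14:17:58 -0500
X-Spam-Tests-Failed: SNIFFER-GENERAL [19]
From: sender@example.net
To: user@example.com
Subject: constructed false positive sample
Message-ID: <constructed-1@example.net>

Body of the message that was wrongly held.
"""

REPORTER = "postmaster@example.com"     # constructed: the address on record
SUBMIT_TO = "false@example.invalid"     # constructed placeholder address


def forward_as_attachment(raw):
    """Wrap the original message, unchanged, as a message/rfc822 part."""
    original = message_from_string(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = REPORTER
    fwd["To"] = SUBMIT_TO
    fwd["Subject"] = "False positive: " + (original["Subject"] or "")
    fwd.set_content("The attached message was held but is legitimate.")
    fwd.add_attachment(original)   # the content manager emits message/rfc822
    return fwd


def forward_inline(raw):
    """What a plain client forward typically sends: the body plus a few
    display headers, with the transport headers gone."""
    original = message_from_string(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = REPORTER
    fwd["To"] = SUBMIT_TO
    fwd["Subject"] = "Fwd: " + (original["Subject"] or "")
    fwd.set_content(
        "---- Original message ----\n"
        f"From: {original['From']}\nSubject: {original['Subject']}\n\n"
        + original.get_content()
    )
    return fwd


def recovered_received(wire_text):
    """Received headers a recipient can read back out of a submission.

    Parses the message as it arrives and returns the Received values of
    any message/rfc822 attachment; an inline forward yields none.
    """
    msg = message_from_string(wire_text, policy=policy.default)
    received = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            received.extend(part.get_content().get_all("Received", []))
    return received


if __name__ == "__main__":
    good = forward_as_attachment(SAMPLE_RAW).as_string()
    poor = forward_inline(SAMPLE_RAW).as_string()
    print("attachment keeps:", recovered_received(good))
    print("inline keeps:", recovered_received(poor))
```

Saving the held message as an .eml file and attaching it, as Kevin describes, produces the same message/rfc822 structure; the point is that the Received chain and the filter's own X- headers are what the rule maintainers need, and an inline forward rewrites all of them.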


Re: Re[4]: [sniffer] POP Approach

2005-10-14 Thread Darin Cox
Hi Pete,

Do you send out notices to licensees to let them know to renew ahead of
time?

I think we're getting close to renewal, and want to make sure we don't
lapse.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Rick Hogue sniffer@SortMonster.com
Cc: [EMAIL PROTECTED]
Sent: Friday, October 14, 2005 11:03 AM
Subject: Re[4]: [sniffer] POP Approach


On Friday, October 14, 2005, 9:39:33 AM, Rick wrote:

RH What is going on with the sniffer not catching any of the spam that is
now
RH coming through? We are getting slammed with medication, mortgage and
other
RH junk email?

Your license has expired.

Please send a note to [EMAIL PROTECTED] to renew. We will send
you an invoice you can pay online.

Thanks,

_M





This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Message Sniffer is not detecting some really bad email

2005-11-02 Thread Darin Cox
Yep... send them to spam (at), from the email that you have on record with
them. Sending as an attachment so they get complete headers is usually
best, but they can also work with just the body of the message.

Darin.


- Original Message - 
From: Gary Schick
To: sniffer@SortMonster.com
Sent: Wednesday, November 02, 2005 4:48 PM
Subject: [sniffer] Message Sniffer is not detecting some really bad email

We have had excellent results from Message Sniffer for several years now.
However, in the past few days items that I feel should have been caught,
were not.
Can I submit some samples to you? I would be glad to zip a couple of raw
message files and email those to you.
Please advise.

Regards,

Gary Schick
Manager, Enterprise Applications
Iroquois Gas Transmission System
Shelton, CT 06484
[EMAIL PROTECTED]
203 944 7024





[sniffer] Rash of false positives

2005-11-08 Thread Darin Cox



Hi Pete,

What's going on over there? We had somewhere between 5 and 10 times the
usual number of Sniffer false positives this morning. They are across the
board, so it's not just one rule that's catching them, or a particular set
of senders or receivers.

Hopefully you can get it under control soon.

It would also be extremely helpful if you could speed up the false positive
processing. Lately it seems to take 2-4 days for the rules to be adjusted,
which usually means more of the same are caught and submitted over that
time. I believe speeding up that process would result in fewer to process
all around.

Thanks,
Darin.




Re: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox



We're seeing a continual stream of false positives. It's taking all of our
time just to keep up with it at the moment. If something isn't done soon,
we're going to have to disable sniffer.

Darin.


- Original Message - 
From: Computer House Support
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 9:34 AM
Subject: Re: [sniffer] Rash of false positives

Dear Darin,

Thanks for the heads up. It's going to take me about 45 minutes to check
the 9000 messages that were blocked by Sniffer last night, but I'll let you
know if we experienced the same thing.


Michael Stein
Computer House
www.computerhouse.com


  - Original Message - 
  From: Darin Cox
  To: sniffer@SortMonster.com
  Sent: Tuesday, November 08, 2005 8:45 AM
  Subject: [sniffer] Rash of false positives

  Hi Pete,

  What's going on over there? We had somewhere between 5 and 10 times the
  usual number of Sniffer false positives this morning. They are across the
  board, so it's not just one rule that's catching them, or a particular
  set of senders or receivers.

  Hopefully you can get it under control soon.

  It would also be extremely helpful if you could speed up the false
  positive processing. Lately it seems to take 2-4 days for the rules to be
  adjusted, which usually means more of the same are caught and submitted
  over that time. I believe speeding up that process would result in fewer
  to process all around.

  Thanks,
  Darin.


Re: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox



No, we automatically update with every notification of a new rulebase.

Looking further, they started just before 5pm ET yesterday. So far, it's
about 10 times the usual number of Sniffer false positives. We've sent
quite a few this morning to false (at) for processing.

Darin.


- Original Message - 
From: Paul Lushinsky
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 10:10 AM
Subject: Re: [sniffer] Rash of false positives

After reviewing all the blocked messages for the past 2 days on 2 different
servers, I found no false positives. Do you happen to have an old rule base
from several days ago? If so, try that to see if it temporarily resolves
the false positives.

  -Original Message-
  From: "Darin Cox" [EMAIL PROTECTED]
  To: sniffer@SortMonster.com
  Date: Tue, 8 Nov 2005 08:45:39 -0500
  Subject: [sniffer] Rash of false positives

  Hi Pete,

  What's going on over there? We had somewhere between 5 and 10 times the
  usual number of Sniffer false positives this morning. They are across the
  board, so it's not just one rule that's catching them, or a particular
  set of senders or receivers.

  Hopefully you can get it under control soon.

  It would also be extremely helpful if you could speed up the false
  positive processing. Lately it seems to take 2-4 days for the rules to be
  adjusted, which usually means more of the same are caught and submitted
  over that time. I believe speeding up that process would result in fewer
  to process all around.

  Thanks,
  Darin.


Re: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
I've submitted about 45 so far this morning.  I normally submit at most a
half dozen each morning.

Darin.


- Original Message - 
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 10:19 AM
Subject: Re: [sniffer] Rash of false positives


I too have had to submit a lot more false positives lately.  I also second
that false positive processing seems to be a lot slower than previously.

Darrell
 
Check out http://www.invariantsystems.com for utilities for Declude,
mxGuard, And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.


Scott Fisher writes:

 I don't know if I would call it a rash, but over the last week, I've
submitted about 30 false positives. That's far more than average.
 I've developed a feeling that Message Sniffer has become too tight.

 - Original Message - 
   From: Darin Cox
   To: sniffer@SortMonster.com
   Sent: Tuesday, November 08, 2005 8:54 AM
   Subject: Re: [sniffer] Rash of false positives


   We're seeing a continual stream of false positives.  It's taking all of
our time just to keep up with it at the moment.  If something isn't done
soon, we're going to have to disable sniffer.

   Darin.


   - Original Message - 
   From: Computer House Support
   To: sniffer@SortMonster.com
   Sent: Tuesday, November 08, 2005 9:34 AM
   Subject: Re: [sniffer] Rash of false positives


   Dear Darin,

   Thanks for the heads up.  It's going to take me about 45 minutes to
check the 9000 messages that were blocked by Sniffer last night, but I'll
let you know if we experienced the same thing.


   Michael Stein
   Computer House
   www.computerhouse.com

 - Original Message - 
 From: Darin Cox
 To: sniffer@SortMonster.com
 Sent: Tuesday, November 08, 2005 8:45 AM
 Subject: [sniffer] Rash of false positives


 Hi Pete,

 What's going on over there?  We had somewhere between 5 and 10 times
the usual number of Sniffer false positives this morning.  They are across
the board, so it's not just one rule that's catching them, or a particular
set of senders or receivers.

 Hopefully you can get it under control soon.

 It would also be extremely helpful if you could speed up the false
positive processing.  Lately it seems to take 2-4 days for the rules to be
adjusted, which usually means more of the same are caught and submitted over
that time.  I believe speeding up that process would result in fewer to
process all around.

 Thanks,

 Darin.






This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox



Hi Pete,

The rash of false positives seems to have stopped with the last sniffer
rulebase update at 10am ET. It had started with a rulebase update at 4:30pm
ET yesterday, and continued through the updates at 8:40pm, 12am, 3am, and
6:20am today.

I'd still like to know what happened, and how we can avoid it in the
future.

Thanks,
Darin.


- Original Message - 
From: Darin Cox 
To: sniffer@SortMonster.com 
Sent: Tuesday, November 08, 2005 8:45 AM
Subject: [sniffer] Rash of false positives

Hi Pete,

What's going on over there? We had somewhere between 5 and 10 times the
usual number of Sniffer false positives this morning. They are across the
board, so it's not just one rule that's catching them, or a particular set
of senders or receivers.

Hopefully you can get it under control soon.

It would also be extremely helpful if you could speed up the false positive
processing. Lately it seems to take 2-4 days for the rules to be adjusted,
which usually means more of the same are caught and submitted over that
time. I believe speeding up that process would result in fewer to process
all around.

Thanks,
Darin.




Re: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread Darin Cox



Are corrupted rulebase files the culprit? How do you update... and do you
run snf2check on the updates?

Just wondering if the rulebase file is the problem, if the problem occurs
during the update, or if you are running into obscure errors with the EXE
itself.

Darin.


- Original Message - 
From: John Moore 
To: sniffer@SortMonster.com 
Sent: Wednesday, November 09, 2005 12:42 PM
Subject: RE: Re[4]: [sniffer] Rash of false positives


We had this same thing happen.
It has been happening more frequently recently and we are looking into
disabling sniffer as it seems to be the culprit each time.

John Moore
305 Spin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives


This morning my server quit sending mail and my tech said the Dr. Watson
error on the server was my Sniffer file...I rebooted and thought it was OK
but quit again..I had a lot of mail back logged...so I updated a new rule
base but it did not seem to help. I reinstalled Imail and things seem OK
but slow since there is such a back log of mail. If things don't get back
to normal I will be back..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

  - Original Message - 
  From: Pete McNeil
  To: Darin Cox
  Sent: Tuesday, November 08, 2005 3:03 PM
  Subject: Re[4]: [sniffer] Rash of false positives


  On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

Hi Pete,

There was a consistent stream of false positives over the mentioned time
period, not just a blast at a particular time. They suddenly started at
5pm (shortly after a 4:30pm rulebase update), and were fairly evenly
spread from 5pm - 11pm and 6am - 10am today (not many legitimate emails
came in between 11pm and 6am)...spanning 4 other rulebase updates at
8:40pm, 12am, 3am, and 6:20am. There were a number of different rules
involved, and over 45 false positives in that time period.

  This is highly unusual -- I didn't remove many rules, and normally only
  one or two would be responsible. If you found that a large number of
  rules were responsible then something else happened and we need to look
  at that... I'd need to see your SNF logs from that period since the
  changes (removals anyway) in the rulebase were very small and unrelated -
  that just doesn't line up with your description.

  One thing does -- in the past if snf2check was not used to check a new
  download then a corrupted rulebase could cause SNF to produce erratic
  results... since snf2check has been in place we have not seen this. Is it
  possible that a bad rulebase file got pressed into service on your
  system? -- probably a look at the logs would help there too since this
  kind of failure is accompanied by very specific oddities in the logs.

  Hope this helps,

  _M

  This E-Mail came from the Message Sniffer mailing list. For information
  and (un)subscription instructions go to
  http://www.sortmonster.com/MessageSniffer/Help/Help.html
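Pete's reply turns on whether a bad rulebase file was pressed into service without being checked by snf2check, and Paul's suggestion of falling back to an older rulebase is the rollback side of the same problem. The following added example, not Message Sniffer code and not snf2check, shows an update path that verifies a download before it replaces the live file and keeps the previous file for rollback. It assumes an expected SHA-256 digest is known for the download, which the thread does not state, and uses a made-up format check in place of the real validator, since the rulebase format is not described here.

```python
"""Verify a downloaded rulebase before pressing it into service, and keep
the previous file so a bad update can be rolled back.

Added example, not Message Sniffer code and not snf2check. Assumptions:
an expected SHA-256 digest is available for the download (the thread does
not say what snf2check checks), and the format validator is a placeholder
because the rulebase format is not described on the page. File names are
constructed.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def looks_like_rulebase(data):
    """Placeholder format check: non-empty and not cut off mid-line.

    Stand-in for a real validator such as snf2check; this rule is made up.
    """
    return len(data) > 0 and data.endswith(b"\n")


def install_rulebase(candidate, expected_sha256, live_path,
                     validator=looks_like_rulebase):
    """Replace live_path with candidate after digest and format checks.

    Returns 'installed', 'digest-mismatch' or 'invalid'. On any failure the
    live file is left untouched. The previous live file is copied to
    live_path + '.prev' so it can be rolled back, and the new file is
    written beside it and swapped in with os.replace so the service never
    sees a half-written rulebase.
    """
    if sha256_hex(candidate) != expected_sha256.lower():
        return "digest-mismatch"
    if not validator(candidate):
        return "invalid"
    directory = os.path.dirname(os.path.abspath(live_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".rulebase-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(candidate)
            fh.flush()
            os.fsync(fh.fileno())
        if os.path.exists(live_path):
            shutil.copyfile(live_path, live_path + ".prev")
        os.replace(tmp_path, live_path)   # same directory, so atomic
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
    return "installed"


def rollback(live_path):
    """Put the previous rulebase back; returns False if there is none."""
    prev = live_path + ".prev"
    if not os.path.exists(prev):
        return False
    os.replace(prev, live_path)
    return True


def read_live(live_path):
    with open(live_path, "rb") as fh:
        return fh.read()


def demo():
    """Run the install/verify/rollback sequence in a scratch directory and
    return what happened at each step."""
    good = b"# constructed rulebase v1\nrule-1\n"
    newer = b"# constructed rulebase v2\nrule-1\nrule-2\n"
    truncated = newer[:-4]   # simulates a download cut off mid-line
    steps = []
    with tempfile.TemporaryDirectory() as scratch:
        live = os.path.join(scratch, "rulebase.dat")   # constructed name
        steps.append(install_rulebase(good, sha256_hex(good), live))
        steps.append(install_rulebase(newer, sha256_hex(good), live))   # wrong digest
        steps.append(install_rulebase(truncated, sha256_hex(truncated), live))  # bad format
        steps.append(read_live(live) == good)      # still the known-good file
        steps.append(install_rulebase(newer, sha256_hex(newer), live))
        steps.append(read_live(live) == newer)
        steps.append(rollback(live))
        steps.append(read_live(live) == good)
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The two failure modes Pete mentions map onto the two checks: a corrupted download fails the digest or the validator and never reaches the live path, and when a rulebase that passed both still misbehaves, the .prev copy gives the rollback Paul suggests without hunting for an old download.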
  


Re: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Darin Cox
Hi Michael,

How about false positive processing?  That's our biggest headache, but it
would be drastically reduced by faster processing than the 3-5 days we
currently see.

Darin.


- Original Message - 
From: Michael Murdoch [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Cc: Pete McNeil [EMAIL PROTECTED]
Sent: Tuesday, December 27, 2005 2:13 PM
Subject: RE: [sniffer] Last chance to renew at the old price!


Hi Folks,

Actually, here is some more detail as to the reasons for the price
increase.  In addition, please bear in mind that prices haven't
been raised in approximately 2 years and even with this increase we are
priced very competitively.

The new feature/benefits and more to come are as follows:

* In the past 6 months we have more than doubled the number of updates
per day and we will continue to increase our bandwidth and the speed of
our updates.

* We have more than tripled our staff to improve our monitoring,
support, and rule generation capabilities.  Come January, we are again
doubling this staff as the black-hats have gotten much more
sophisticated and this has become a 24x7 battle.  Even Pete needs to
sleep sometimes. :-)

* We are adding new R&D programs for AFF/419 spam and Malware mitigation
(many of the results from these projects have already been implemented).

* During this next year as part of our continuous improvement policy we
will continue to roll out new features and enhancements such as fully
automated reporting, in-band real-time updates, an optimized message
processing pipeline, image and file attachment tagging, advanced header
structure analysis, enhanced adaptive heuristics, improved machine
learning systems, real-time wave-front threat detection, and many
more...

It's important to recognize that many of our improvements don't require
new software to be installed on the client side since they are delivered
through rulebase enhancements. Though this often causes our work to go
unnoticed, it is actually a design feature since it means that your
installation requires very little maintenance. This translates to
lowered administration costs and higher reliability.

As a result of this reliability-first design strategy, it may not
always be obvious that our service is constantly being improved and
enhanced - we never stand still ;-)

We'd hate to see any of you go, but please do compare us with other
services.
I'm sure that you'll find we're well worth the money, but it's always
good to keep your options open. In fact, best practice these days for
spam filtering is to use a blended approach that leverages many
services. We personally encourage that for best results.

Please let me know if you have any questions.  Thank you for your
feedback and business!

Sincerely

Michael Murdoch
The Sniffer Team
ARM Research Labs, LLC
Tel. 850-932-5338 x303


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fox, Thomas
Sent: Tuesday, December 27, 2005 1:03 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

I said the same thing, and the response was, basically,
We haven't raised the price in a long time, we need
the money, like it or lump it.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz
 Sent: Tuesday, December 27, 2005 1:57 PM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Last chance to renew at the old price!

 Pete, why over a 50% increase?  That seems rather drastic


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Pete McNeil
 Sent: Tuesday, December 27, 2005 12:42 PM
 To: sniffer@sortmonster.com
 Subject: [sniffer] Last chance to renew at the old price!

 Hello Sniffer folks,

   This is just a friendly reminder that prices will be going up
   January 1.

   You can add a year to your SNF subscription at the current price if
   you renew before January 1.

   Details are here:
 https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

 Thanks,
 _M

 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation Chief SortMonster
 (www.sortmonster.com) Chief Scientist (www.armresearch.com)






 ---
 [This E-mail scanned for viruses by Declude Virus]










Re: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Darin Cox
Wow... last minute notice.  It's difficult to budget for these things with
so little notice.  Please consider a couple of months' notice the next time.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Tuesday, December 27, 2005 12:42 PM
Subject: [sniffer] Last chance to renew at the old price!


Hello Sniffer folks,

  This is just a friendly reminder that prices will be going up
  January 1.

  You can add a year to your SNF subscription at the current price if
  you renew before January 1.

  Details are here:
https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)







Re: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Darin Cox
Great.  I've tracked ours and it is almost always 3 days, and sometimes up
to 5 days when it goes over a weekend.  This usually results in multiple
reports for false positives for a given rule.

Appreciate anything you can do to speed that up.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Tuesday, December 27, 2005 5:08 PM
Subject: Re[2]: [sniffer] Last chance to renew at the old price!


Part of the purpose for additional staff is to reach a goal of FP
processing measured in minutes to hours, never days as it is sometimes
now. We also have some automated tools on the drawing board that will
help to mitigate many FP cases on a self-serve basis. These will be
coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote:

DC Hi Michael,

DC How about false positive processing?  That's our biggest headache, but it
DC would be drastically reduced by faster processing than the 3-5 days we
DC currently see.

DC Darin.


DC - Original Message - 
DC From: Michael Murdoch [EMAIL PROTECTED]
DC To: sniffer@SortMonster.com
DC Cc: Pete McNeil [EMAIL PROTECTED]
DC Sent: Tuesday, December 27, 2005 2:13 PM
DC Subject: RE: [sniffer] Last chance to renew at the old price!


DC Hi Folks,

DC Actually, here is some more detail as to the reasons for the price
DC increase.  In addition, please bear in mind that that prices haven't
DC been raised in approximately 2 years and even with this increase we are
DC priced very competitively.

DC The new feature/benefits and more to come are as follows:

DC * In the past 6 months we have more than doubled the number of updates
DC per day and we will continue to increase our bandwidth and the speed of
DC our updates.

DC * We have more than tripled our staff to improve our monitoring,
DC support, and rule generation capabilities.  Come January, we are again
DC doubling this staff as the black-hats have gotten much more
DC sophisticated and this has become a 24x7 battle.  Even Pete needs to
DC sleep sometimes. :-)

DC * We are adding new RD programs for AFF/419 spam and Malware mitigation
DC (many of the results from these projects have already been implemented).

DC * During this next year as part of our continuous improvement policy we
DC will continue to roll out new features and enhancements such as fully
DC automated reporting, in-band real-time updates, an optimized message
DC processing pipeline, image and file attachment tagging, advanced header
DC structure analysis, enhanced adaptive heuristics, improved machine
DC learning systems, real-time wave-front threat detection, and many
DC more...

DC It's important to recognize that many of our improvements don't require
DC new software to be installed on the client side since they are delivered
DC through rulebase enhancements. Though this often causes our work to go
DC unnoticed, it is actually a design feature since it means that your
DC installation requires very little maintenance. This translates to
DC lowered administration costs and higher reliability.

DC As a result of this reliability-first design strategy, it may not
DC always be obvious that our service is constantly being improved and
DC enhanced - we never stand still ;-)

DC We'd hate to see any of you go, but please do compare us with other
DC services.
DC I'm sure that you'll find we're well worth the money, but it's always
DC good to keep your options open. In fact, best practice these days for
DC spam filtering is to use a blended approach that leverages many
DC services. We personally encourage that for best results.

DC Please let me know if you have any questions.  Thank you for your
DC feedback and business!

DC Sincerely

DC Michael Murdoch
DC The Sniffer Team
DC ARM Research Labs, LLC
DC Tel. 850-932-5338 x303


DC -Original Message-
DC From: [EMAIL PROTECTED]
DC [mailto:[EMAIL PROTECTED] On Behalf Of Fox, Thomas
DC Sent: Tuesday, December 27, 2005 1:03 PM
DC To: sniffer@SortMonster.com
DC Subject: RE: [sniffer] Last chance to renew at the old price!

DC I said the same thing, and the response was, basically,
DC We haven't raised the price in a long time, we need
DC the money, like it or lump it.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz
 Sent: Tuesday, December 27, 2005 1:57 PM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Last chance to renew at the old price!

 Pete, why over a 50% increase?  That seems rather drastic


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Pete McNeil
 Sent: Tuesday, December 27, 2005 12:42 PM
 To: sniffer@sortmonster.com
 Subject: [sniffer] Last chance to renew at the old price!

 Hello Sniffer folks,

   This is just a friendly reminder that prices will be going up
   January 1.

   You can add a year to your SNF subscription at the current price if
   you renew before January 1.

   Details

Re: [sniffer] False Positives

2006-01-18 Thread Darin Cox
Agreed.  We counted 100 false positives yesterday, compared to our normal
rate of less than 5.

No false positives since 6pm ET yesterday, though.  Thank goodness.

Darin.


- Original Message - 
From: Frederick Samarelli [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Cc: [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 8:42 AM
Subject: Re: [sniffer] False Positives


Same with me. Last night there was a rules update and it fixed the problem.

Check the date of your rules update.


- Original Message - 
From: Ali Resting [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Cc: [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 8:57 AM
Subject: [sniffer] False Positives


 Hi,

 Over the last 2 days I have seen a major increase in false positives.
 Literally all hotmail and yahoo address are being caught by sniffer
 inclusive of other legit domains.

 Please confirm what may be causing this and what I can do to resolve the
 issue.

 Regards,

 Ali

 ---
 This message was scanned for viruses by the Real Image Anti-virus filters














Re: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox



I have an idea. These problems seem to stem mostly from changes in the
methods of handling rulebase updates.

We were lucky enough not to be affected with the latest rule issue, but the
previous one made for a very long day and some disgruntled customers.

Would it be feasible to announce in advance when such changes are to be
implemented? With advance notice of a date and time for the switch we could
choose to freeze our rulebases just before that for a day to make sure the
kinks were worked out before updating. A few spam messages that slip
through are better than a slough of false positives that require review and
are delayed in reaching the customer.

Thoughts?
Darin.


- Original Message - 
From: Harry Vanderzand 

To: sniffer@SortMonster.com 
Sent: Wednesday, February 08, 2006 10:02 AM
Subject: [sniffer] problems

With the recent issues at sniffer it has caused tremendous problems with the
entire client base here.

Sniffer has been so reliable for so long and all of a sudden recently I
cannot rely on it any more.

What is going on with sniffer?

Will these issues get resolved or is it going to be more unstable than what
we have come to rely on?

I need my spam trap software to work without spending hours every day and
without getting a large group of my customers questioning the reliability
of what I am doing.

Hope there will be some indication of improvement.

The following is my sniffer code:

SNIFFER external nonzero "D:\IMail\Declude\sniffer\umzqbs4l.exe dky4t444qqpk69j6" 10 0

Should I be doing something different?

This has worked very well for a year now.

Harry Vanderzand
inTown Internet & Computer Services
519-741-1222


  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
  Sent: Tuesday, February 07, 2006 9:42 PM
  To: sniffer@SortMonster.com
  Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

  Goran, this is pretty much what I did to get to re-queuing:

  gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* > msgids.txt

  The file msgids.txt will now contain just the GUID part of the D[guid].SMD
  from column 3 in the tab delimited Message Sniffer log files.

  I then used a batch file I had previously created called qm.cmd (for queue
  and move). Note that the folders I specify are for Declude 1.x, which has an
  overflow folder. I use the overflow folder so that Declude will re-analyze
  the message:

  Rem this is the qm.cmd file listing
  move d:\imail\spool\spam\d%1.smd u:\imail\spool\ > nul
  move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ > nul

  I then issued from the command line:

  for /F %i in (msgids.txt) do @qm.cmd %i

  That takes care of re-queuing all the held messages. I am using a move
  instead of a copy because I want Declude to be able to move a message it
  deems spam to the spam folder. If I used a copy, it would fail to do the
  move because the file is already in the spam folder, and Declude would then
  pass control back to Imail, which would then deliver the spam inbound.

  After my queue went back to normal, I then set to work on my dec0207.log
  file to determine if the entirety of the message was spam or ham based on
  whether it was held or not (which is the simple scenario I have).

  I hope that helps,

  Andrew 8)

  p.s. Another re-posting in HTML so as to preserve the line breaks. Sorry
  for the duplication, folks.

   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
   Sent: Tuesday, February 07, 2006 5:39 PM
   To: sniffer@SortMonster.com
   Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

   I just ran the grep command on my log and I got 850 hits.

   Now is there a way to take the output of the grep command and use it to
   pull out the total weight of the corresponding message from the declude
   log file, or maybe the subject?

   Goran Jovanovic
   Omega Network Solutions

    -Original Message-
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
    On Behalf Of David Sullivan
    Sent: Tuesday, February 07, 2006 7:47 PM
    To: Landry, William (MED US)
    Subject: Re[4]: [sniffer] Bad Rule - 828931

    Hello William,

    Tuesday, February 7, 2006, 7:39:05 PM, you wrote:

    LWMU grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log

    That's what I tried. Just figured out I forgot to capitalize the "F".
    It works.

    Confirmed - 22,055

    I'm writing a program now to parse the sniffer log file, extract the
    file ID, lookup the id in sql server, determine quarantine location,
    extract q/d pair from quarantine and send to user.

    --
    Best regards,
    David
    mailto:[EMAIL PROTECTED]


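The bad-rule clean-up Andrew describes above (find every message whose Final verdict came from one rule, pull the GUID out of the D[guid].SMD file name, move the D/Q pair back into the spool so Declude re-scans it) is the kind of thing worth having as a script rather than a one-off gawk line plus batch file. Below is an added example in Python; it is not Andrew's code and not part of Message Sniffer or Declude. It assumes the tab-delimited column layout of the log lines quoted later in this thread (license id, timestamp, message file, two numeric columns, Match/Final, rule id, group id), the D/Q file naming and spool folders from Andrew's qm.cmd, and a throwaway spool built in a temp directory; the sample log lines and GUIDs are constructed for the demo. Unlike `grep -c "Final.*828931"`, it compares the rule id as a whole field, so rule 8289310 is not mistaken for 828931, and it skips a message whose D or Q half is missing instead of moving one file and leaving the other behind.

```python
import os
import re
import shutil
import tempfile
from collections import Counter

# Constructed sample of Message Sniffer log lines in the tab-delimited layout
# shown in this thread. The GUIDs and every rule id except 828931 are made up.
SAMPLE_LOG = "\n".join(
    "\t".join(f) for f in [
        ["nwb655oh", "20060219172434", "DA9CC319600AA9394.SMD", "31", "360",
         "Match", "836625", "61", "2245", "2388", "71"],
        ["nwb655oh", "20060219172434", "DA9CC319600AA9394.SMD", "31", "360",
         "Final", "836625", "61", "0", "32767", "71"],
        ["nwb655oh", "20060207101500", "D0123456789ABCDEF.SMD", "28", "360",
         "Match", "828931", "63", "100", "140", "71"],
        ["nwb655oh", "20060207101500", "D0123456789ABCDEF.SMD", "28", "360",
         "Final", "828931", "63", "0", "32767", "71"],
        ["nwb655oh", "20060207101600", "DFEDCBA9876543210.SMD", "30", "360",
         "Final", "828931", "63", "0", "32767", "71"],
        # A rule id that merely contains 828931: grep "Final.*828931" counts
        # it, an exact field comparison must not.
        ["nwb655oh", "20060207101700", "D1111111111111111.SMD", "30", "360",
         "Final", "8289310", "63", "0", "32767", "71"],
        ["corrupt line without tabs"],
    ]
)

# Column 3 of the log is the message file: "D" + 16 hex chars + ".SMD".
GUID_RE = re.compile(r"^D([0-9A-F]{16})\.SMD$", re.IGNORECASE)


def parse_log(text):
    """Yield (guid, result, rule_id, group_id) per well-formed line; skip the rest."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 8:
            continue
        m = GUID_RE.match(fields[2])
        if not m:
            continue
        yield m.group(1), fields[5], fields[6], fields[7]


def guids_for_rule(text, bad_rule):
    """Sorted GUIDs whose Final verdict came from bad_rule (the gawk step)."""
    return sorted({g for g, res, rid, _ in parse_log(text)
                   if res == "Final" and rid == bad_rule})


def final_counts(text, by="rule"):
    """Final verdicts per rule id (like grep -c, generalised) or per group id."""
    idx = 2 if by == "rule" else 3
    return Counter(rec[idx] for rec in parse_log(text) if rec[1] == "Final")


def requeue(guids, spam_dir, spool_dir):
    """Move each held D/Q pair out of the spam folder so Declude re-scans it
    (the qm.cmd step). A pair with a half missing is skipped, never half-moved.
    Returns the GUIDs that were moved."""
    overflow = os.path.join(spool_dir, "overflow")
    os.makedirs(overflow, exist_ok=True)
    moved = []
    for g in guids:
        d_src = os.path.join(spam_dir, f"D{g}.SMD")
        q_src = os.path.join(spam_dir, f"Q{g}.SMD")
        if not (os.path.isfile(d_src) and os.path.isfile(q_src)):
            continue
        shutil.move(d_src, os.path.join(spool_dir, f"D{g}.SMD"))
        shutil.move(q_src, os.path.join(overflow, f"Q{g}.SMD"))
        moved.append(g)
    return moved


def demo(bad_rule="828931"):
    """Run the whole procedure against a throwaway spool in a temp directory.
    The second held message deliberately lacks its Q file, so it stays put."""
    root = tempfile.mkdtemp()
    try:
        spool = os.path.join(root, "spool")
        spam = os.path.join(spool, "spam")
        os.makedirs(spam)
        for name in ("D0123456789ABCDEF.SMD", "Q0123456789ABCDEF.SMD",
                     "DFEDCBA9876543210.SMD"):
            open(os.path.join(spam, name), "w").close()
        moved = requeue(guids_for_rule(SAMPLE_LOG, bad_rule), spam, spool)
        return moved, sorted(os.listdir(spam))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(final_counts(SAMPLE_LOG))
    print(final_counts(SAMPLE_LOG, by="group"))
    print(demo())
```

`final_counts(..., by="group")` is the check to run after a new rulebot comes online: a sudden jump in Final verdicts from one group is the earliest signal that a batch of IP rules is misfiring, before user complaints arrive.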
Re: Re[2]: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox
There was no error in my comment.  I completely understand that some issues
will not be foreseeable... I did say mostly, not entirely.  The switch to
the automated bots caused a rash of false positives in our system.  I'm not
pointing fingers, but instead want to make sure I have the ability to decide
what risks to take on my end.  While mistakes are always possible... we are
human after all... the more controls we have available to minimize possible
impact, the better.

What I would be looking for is an announcement of a specific date/time for a
cutover so we could freeze just before that, and unfreeze once it was clear
that no glut of false positives would result.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Wednesday, February 08, 2006 11:13 AM
Subject: Re[2]: [sniffer] problems


On Wednesday, February 8, 2006, 10:59:09 AM, Darin wrote:

DC I have an idea. These problems seem to stem  mostly from changes
DC in the methods of handling rulebase updates.

snip/

DC Would it be feasible to announce in advance when  such changes
DC are to be implemented? With advance notice of a date and time
DC for the switch we could choose to freeze our rulebases just before
DC that for a  day to make sure the kinks were worked out before
DC updating. A few spam  messages that slip through are better than
DC a slough of false positives that  require review and are delayed in
reaching the customer.

That's a good idea, and we do, in fact, follow that procedure.
Whenever we make any large scale changes we always announce them here
on this list,... we usually also put them on our web site.

There is an error in your comment however... the previous event (with
the rule-bots) was completely unforeseeable. There was no way to
announce that known good software would suddenly fail so spectacularly
when no changes within our control were made.

Thankfully, that kind of event is extremely unlikely also.

It is unfortunate that these two events would happen so closely
together.

_M








Re: Re[4]: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox
Perhaps I used the wrong terminology about what changed, since I do not know
what your system architecture is, but I remember you mentioning a
significant change at the time.  Immediately afterwards we saw a rash of
false positives.  That is what I would like to have controls in place to
avoid.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Wednesday, February 08, 2006 11:46 AM
Subject: Re[4]: [sniffer] problems


On Wednesday, February 8, 2006, 11:26:46 AM, Darin wrote:

DC There was no error in my comment.  I completely understand that some issues
DC will not be foreseeable... I did say mostly, not entirely.  The switch to
DC the automated bots caused a rash of false positives in our system.

snip/

Actually, there is the error I was talking about -- (I'm not pointing
fingers either, just trying to set the record straight.)

The automated bots had been online and part of the system for several
years when the error occurred. There was no cut-over to announce.

DC What I would be looking for is an announcement of a specific date/time for a
DC cutover so we could freeze just before that, and unfreeze once it was clear
DC that no glut of false positives would result.

I completely agree, and that is our policy. Before we turn on anything
important, we will announce it, as we have in the past. Even if for no
other reason than we want you to know we've done something cool... but
certainly so that we can have everyone aware and watching out for any
un-expected results (good or bad).

_M








Re: [sniffer] False Positive - no reaction?

2006-02-21 Thread Darin Cox
On average it takes two or three days to hear back on false positives.

Darin.


- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, February 21, 2006 9:40 AM
Subject: [sniffer] False Positive - no reaction?


Hi,

I filed this false positive report a day ago and never heard back.

Just trying to see if my emails are blocked again.

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206


-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Monday, February 20, 2006 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: License ID nwb655oh

This message was a GIF image from one individual to another.

Log Entries:

nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Match 836625 61 2245 2388 71
nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Final 836625 61 0 32767 71

Original Message:

 Received: from mailout08.sul.t-online.com [194.25.134.20] by
 hm-software.com with ESMTP
  (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500
 Received: from fwd34.aul.t-online.de
 by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19
 Feb 2006 18:24:27 +0100
 Received: from athome
 ([EMAIL PROTECTED]
 ])
 by fwd34.sul.t-online.de
 with smtp id 1FAsIB-0X4oka0; Sun, 19 Feb 2006 18:24:15 +0100
 Message-ID: [EMAIL PROTECTED]
 From: Bjoern Schmidt [EMAIL PROTECTED]
 To: Jochen Schug [EMAIL PROTECTED], Harald Mergard
 [EMAIL PROTECTED]
 Subject: Hier das Bild zu meinem Service-request
 Date: Sun, 19 Feb 2006 18:24:15 +0100
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 boundary==_NextPart_000_0005_01C63581.B0813970
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2900.2180
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
 X-ID: GWI0CrZ-Ye-ErQseZpWkpcMBFfC4ce2pefaSy9EIpXJHQ-BFOxDqQt
 X-TOI-MSGID: bdd1884c-5835-410b-822a-2343e2bb5047

 This is a multi-part message in MIME format.

 --=_NextPart_000_0005_01C63581.B0813970
 Content-Type: multipart/alternative;
 boundary==_NextPart_001_0006_01C63581.B0813970


 --=_NextPart_001_0006_01C63581.B0813970
 Content-Type: text/plain;
 charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable


 Ciao
 Bjoern Schmidt
 [EMAIL PROTECTED]
 www.barchetta.cc  =20
 Barchetta - The Classic and Sports Car Channel  Updated News as
 It = Happens.
 --=_NextPart_001_0006_01C63581.B0813970
 Content-Type: text/html;
 charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable

 !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN
 HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; =
 charset=3Diso-8859-1 META content=3DMSHTML 6.00.2900.2802
 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff
 DIVnbsp;/DIV DIVFONT face=3DArial size=3D2CiaoBRBjoern
 SchmidtBRA=20
 href=3Dmailto:[EMAIL PROTECTED][EMAIL PROTECTED]/ABRA=20
 href=3Dhttp://www.barchetta.cc;www.barchetta.cc/Anbsp;nbsp; =
 BRBarchetta -=20 The Classic and Sports Car Channel  Updated
 News as It=20 Happens./FONT/DIV/BODY/HTML

 --=_NextPart_001_0006_01C63581.B0813970--

 --=_NextPart_000_0005_01C63581.B0813970
 Content-Type: image/gif;
 name=Neues Projekt erstellen.gif
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment;
 filename=Neues Projekt erstellen.gif

 R0lGODdhAAUABHcAACwAAAUABIcAAACAgACAgICAAIAAgIDAwMDA3MCmy
 vAB
 NwAnHQAwLQwxMzgYCVwPLFYAO3M1OEgyPXEPVBARVjgRZw4eaSo0WTA9ZQosdDEfVkEaZ
 EkZZ3A5
 SFszT3ksdEckbXtKOExmLGVFVhZKUTJHaBVIcyhwWTdsdipPU1lbW2xIbUhNY39qQF5ud
 Epwb2QL

MJcHLKMxP7wvPdwdSJoYQaUMYK4qT5EmUrgxZZo6cL0ZUsQUftoIdusjWtgtUuUpZNsuc+ZCPoVS
 U4VOU7tObJlQe6VrVYd0co1zeKtXXcZFW/BGZstGbNRLcc5IcNJaZ8xUdttPeehtdM1nf
 ucGlQAB
 swA1jzU7qTo9l0A+pUAAygAA8wAuzy5HjzVEoztijAZshS50qgx6uyRKmUlCj2NLp0tfo
 swA1jzU7qTo9l0A+WBpk1J8
 jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+4wrvQay/UjxvVOlYBKhbF/gIB3k6l/u
 jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+oBRldBJ
 j+1boNRRs/Rlhtxlm8xmnNV0h9x7l8l5ld5njOBohvxqkeBjm/t3juNwjf98muF7mf9+o
 j+uVYwvZz
 yvahEwG3Nw2FWDeVazW2UBqjRCGqZCaIU0iTW3aPc0mVZXe4WUuuYVqtaHrGOAf/AAD+N
 QPUSgjB
 XizbZg33ShP4Tyb0chHMZFPHcHD1aEmTbISudYzCdoGahgaaky2ZoCesjwq6jD6upSmKi
 FCIknCF
 p3Svmk+I0QyBySaa7AvCngvOhzrQqw7OuyL9kQT2iinzrA70rDDflkHQjGb2l07pk3X2r
 p3Svmk+lL1sWf5

zQ7+30H1xGn841L8622MjIyMkKeJvIiPor2vgZyxjamrqJigoKCTl8aBneGXq9KMq+e2t9Otu+yS
 wpKlzZ+zxail/7WJ0PazxNO5zPOs4f/akIPXp4vzmIjsuYT6tqjBzLX2zJHz1bX8+JXn/
 wpKlzZ+6nT0tnY
 2OTZ5NTX5Pjq1ND9/dTo6OgAAACgoKSAgID//wD//wAAAP//AP8A//9YqUYI/
 wALCRTo
 RAqggwcNKTSEqKHDhw0XSpxIsaLFixgzatzIsaPHjyBDihxJsqTJkyhTqlzJsqXLlzBjy
 pxJs6bN
 mzhz6tzJs6fPnx4RCpXiZGChJQcHNZFSyJFTR9miSp1KtarVq1izat3KtavXr2DDih1Lt
 qzZs2jT
 ql3Ltq3bt3Djyp1Lt67du3jz6t3Lt6/fv4DnPi0kpckgQFEONgHUFKrVbZAjS55MubLly
 5gza97M
 ubPnz6BDix5NurTp06hTq17NurXr17Bjy55Nu7ZtyYFz697Nu7dvudvUOmWklEoUKosFP
 nX6u7nz
 59CjS59Ovbr169iza9/OvXv15eDDX/8bf40RceRLokQZZHTg8qrh48ufT7++/fv48+vfz




Re: Re[2]: [sniffer] False Positive - no reaction?

2006-02-21 Thread Darin Cox
That queue concept would be wonderful!  Hopefully it would have some simple
info extracted to show recipient, sender, subject, header info, and info on
the rule(s) it failed.  One of my ongoing challenges is matching responses
to reports and following up to see what additional actions are required.

Darin.


- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, February 21, 2006 11:16 AM
Subject: RE: Re[2]: [sniffer] False Positive - no reaction?


Hi Pete,

I agree that the email notification is tricky - because you might respond to
spam - and, you may NOT respond to someone who did not use an authorized
address.

On the other hand, if I KNEW there was an auto-response and I did NOT get a
response, it would be an indication to me, the user, that I must have done
something wrong. So - in a sense - no response is also a message I can
act on.

The only other suggestion I have is to create a 24 hour 'queue' display on
the web site. All you need to show is a column of the sender domain names of
the email (not the entire sender email address).  If I submit a false
positive I can confirm that it made it into your queue by checking the web
page.  This way, you don't need to send automated emails.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, February 21, 2006 11:04 AM
To: Andy Schmidt
Subject: Re[2]: [sniffer] False Positive - no reaction?

On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS Sorry - didn't mean to be pushy. I just thought that false
AS positives are worse than missed spam, so I had assumed that they
AS would always be at the top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not being
pushy. The current goal is to respond in less than 24 hours and if possible
to review twice per day. Yesterday a number of urgent tasks toppled that
schedule. The first review happened (at around
0600) but there were no FPs at that time. I'm working to increase the review
cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding to FPs
is important, and we have been much better about it over the recent past. I
expect that service aspect to improve moving forward along with other
things.

AS I can wait (PS - would have calmed my nerves, if there had been some
AS automatic ticket number response that reassured me that my email
AS was received. The web site makes it sound as if there's a million
AS reasons why a false positive might not be accepted - so an automatic
AS confirmation might be a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false
processing bot. We're getting a lot of spam lately at our false@ address and
I would want to make sure that there was no outscatter.

I can tell the bot to only respond to validated senders, but then there is
the issue of email reliability in the response... what if you don't get the
response I mean. ... There are still folks that occasionally (some
frequently) send false reports from unauthorized addresses --- those would
not get a response... I'm overthinking this now %^b

When I get to the false processing bot I will add a response mechanism.

Thanks!

_M












[sniffer] False positive processing

2006-02-24 Thread Darin Cox



Pete,

Thanks for the quicker turnaround in the last few days for false positive
processing. We're seeing about a half day now.

Much appreciated!
Darin.




Re: [sniffer] New Rulebot F001

2006-03-06 Thread Darin Cox
We just reviewed this morning's logs and had a few false positives.  Not
sure if these are due to the new rulebot, but it's more than we've had for
the entire day for the past month.

Rules
--
873261
866398
856734
284831
865663

Darin.


- Original Message - 
From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Monday, March 06, 2006 3:13 PM
Subject: RE: [sniffer] New Rulebot F001


There's been at least one FP ;)

--
Rule            861038
Name            F001 for Message 2888327: [216.239.56.131]
Created         2006-03-02
Source          216.239.56.131
Hidden          false
Blocked         false
Origin          Automated-SpamTrap
Type            ReceivedIP
Created By      [EMAIL PROTECTED]
Owner           [EMAIL PROTECTED]
Strength        2.08287379496965
False Reports   0
From Users      0
[FPR:B]

The rule is below threshold, and/or badly or broadly coded so it will be
removed from the core rulebase.


My concern with automated IP rule coding is that we use Sniffer because
it's extremely accurate.  Coding rules linked to IPs, particularly IPs
that are used by google or any large ISP to send large amounts of
(mostly legitimate) email is contrary to what Sniffer is great at, which
is tagging spam that no one else is.

Is response code 63 going to be utilized for any other purposes?  If
not, I will let Declude know to weight these responses lower than normal
Sniffer.

- Jay
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:00 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New Rulebot F001

Hello Sniffer folks,

  The first of the new rulebots is coming online.

  Rulebot F001 creates IP rules for sources that consistently fail
  many tests while also reaching the cleanest of our spamtraps.

  The rules will appear in group 63.

  The bot is playing catchup a bit (since there have been few IP rules
  at all since we disabled the old bots).

  The algorithms used in this bot have been tested manually for 2
  weeks with no false positives.

  Expect an increase in your rulebase size while F001 catches up with
  current spamtrap data.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)


This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html








Re: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Darin Cox
Thanks, Pete.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Monday, March 06, 2006 6:17 PM
Subject: Re[2]: [sniffer] New Rulebot F001


On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC We just reviewed this morning's logs and had a few false positives.  Not
DC sure if these are due to the new rulebot, but it's more than we've had for
DC the entire day for the past month.

DC Rules
DC --
DC 873261
DC 866398
DC 856734
DC 284831
DC 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227


I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M










Re: [sniffer] F001 Rule Bot Change

2006-03-09 Thread Darin Cox
Good job, Pete.  Through these changes we saw a minimal increase in false
positives on one day, and detection seems to have improved as well.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Thursday, March 09, 2006 3:08 AM
Subject: [sniffer] F001 Rule Bot Change


Hello Sniffer Folks,

  The F001 Rule Bot has been adjusted. The number of repeat offenses
  required for an IP to be listed has been increased. It's important
  to note also: Messages that are filtered out by other rules are
  excluded from this evaluation. Consequently, for an IP to be added
  to the F001 bot rules it must not only be seen quite a few times,
  but it must also be generating messages that are not filtered using
  other active rules.

  As part of this adjustment we removed approximately 2 IP rules
  that had shown either weak or no activity since they were created.
  This may cause rulebase file sizes to change noticeably.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)







Re: [sniffer] New RuleBot F002 Online

2006-03-10 Thread Darin Cox
Totally agree.  I'd like to see some separation between rules created by
newer rulebots and preexisting rules.  That way if there becomes an issue
with a bot, we can turn off one group quickly and easily.

Darin.


- Original Message - 
From: Matt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Friday, March 10, 2006 3:37 PM
Subject: Re: [sniffer] New RuleBot F002 Online


Pete,

In light of current and prolonged issues, this seems like a good and
safe tactic.  I would appreciate it however if maybe you could place the
rules in another result code since this result code is not as accurate
as some others are and some of us weight it lower than others.

Thanks,

Matt



Pete McNeil wrote:

Hello Sniffer Folks,

  Rulebot F002 has been placed online.

  This rulebot captures and creates geocities web links from the
  chatty campaigns. This is largely a time saver for us humans... we
  will focus our attention more on abstracts for these campaigns now
  that F002 will be capturing the raw links.

  Rules from F002 will produce a 60 result code (Ungrouped).

  The engine is following a standard protocol that we have used for
  months. I expect no false positives from this one.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)













Re: Re[2]: [sniffer] New RuleBot F002 Online

2006-03-13 Thread Darin Cox
Hi Pete,

Don't worry about customizing our local rulebase for this.  Just take this
as a simple suggestion for future segregation to make it easy for new
rulesets to be addressed differently in weighting schemes.

Thanks for all of your efforts!

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Monday, March 13, 2006 10:23 AM
Subject: Re[2]: [sniffer] New RuleBot F002 Online


On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:

DC Totally agree.  I'd like to see some separation between rules created by
DC newer rulebots and preexisting rules.  That way if there becomes an issue
DC with a bot, we can turn off one group quickly and easily.

There is no way to do this without completely reorganizing the result
codes or defeating the competitive ranking mechanisms.

If you feel strongly about it I can move these rule groups to lower
numbers on your local rulebase or make some other numbering scheme -
but I don't recommend it. Moving these rule groups to lower numbers
would cause them to win competitions with other rules where they would
normally not win.

At some point in the future we might renumber the rule groups again,
but I like to avoid this since there are so many folks that just don't
get the message (no matter what we do to publish it) when we make
changes like this and so any large scale changes tend to cause
confusion for very long periods.

For example: I still, on occasion, have questions about the
gray-hosting group which has not existed for quite a long time.

So far there has not been one FP reported on bot F002 and extremely
few on F001 - the vast majority of those associated with the very
first group of listings prior to the last two upgrades for the bot.

_M








Re: [sniffer] False positive processing

2006-03-21 Thread Darin Cox
Nope.  None of them.

I haven't heard back from the replies to a couple of false positives on the
10th, and we haven't heard anything from our submissions on the 16th (6) and
17th (2).  I don't remember if we've heard anything from those on the 15th
(4).

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Tuesday, March 21, 2006 11:21 AM
Subject: Re: [sniffer] False positive processing


On Tuesday, March 21, 2006, 9:38:46 AM, Darin wrote:

DC Hi Pete,
DC
DC Are you getting behind on false positive processing? We have
DC gotten a response in a few days, and are still forwarding false
DC positives for an FP report that we asked for a while rule on the 10th.

I'm not behind.

Did the message get tagged on its way out of your system?

Thanks,

_M








Re: [sniffer]Numeric spam

2006-06-06 Thread Darin Cox



They do, but you have to both specify that email for your domains only comes
from your mail servers AND use a test in your spam filtering that checks SPF
and pushes fails over your hold limit.

Darin.


- Original Message - 
From: Computer House Support 
To: Message Sniffer Community 
Sent: Tuesday, June 06, 2006 8:07 PM
Subject: Re: [sniffer]Numeric spam

I thought that having an SPF record would prevent a spammer from forging your
domain name, but our SPF record did not seem to help with these odd numeric
E-mails which appear to be coming from our own domain.

Does anyone have any info about SPF records and if they really work to combat
this type of junkmail?


Michael Stein
Computer House


  - Original Message - 
  From: Colbeck, Andrew 
  To: Message Sniffer Community 
  Sent: Tuesday, June 06, 2006 7:37 PM
  Subject: Re: [sniffer]Numeric spam
  
  Both of which are reasonable, particularly given the recent Blue Security
  debacle that showed that it was possible for the spammers as well as the
  spammees to coordinate their information. It might be in a spammer's best
  interest to pursue either of your suggestions.
  
  However, I still think it is more credible to assume that this is a case of
  the spammer being simple-stupid instead of uber-clever.
  
  Andrew 8)


From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 06, 2006 4:26 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

My thought is they are either building a db of valid names or testing
delivery techniques.

John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
Sent: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam


On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

We're getting the same and today it started hitting a different account
(Domain).

What are these things? I thought exploratory, maybe looking for replies to
build a DB for a later spam wave? They're not malicious in content and look
like someone's virus working incorrectly. But, I doubt they are really so
benign.

Any understand their purpose?


On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

I started seeing these messages Monday (yesterday) morning EDT. The from
and to are the same (ie you sent it to yourself). I am tagging it but
there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails are?
Random numbers for no apparent reason...?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769







Re: [sniffer]SPF

2006-06-06 Thread Darin Cox



What's your hold weight? If spam is only failing SPF and nothing else, then
the message doesn't get held, so you don't see it.

Also, I do not recommend negative weighting SPFPASS. Spammers have SPF
records, too, so you're giving them an opportunity to exploit it.

Lastly, I think you may be confused on your SPF records. They should not have
the "name" portion. There is only one SPF record per domain.

So, for computerhouse.com, your SPF record should simply be

v=spf1 mx -all

which tells it your MX is allowed to send mail for your domain (the "mx"
part), but all others should fail (the "-all" part).

Please keep related communication on the list for others' benefit as well.

Darin.


- Original Message - 
From: Computer House Support 
To: [EMAIL PROTECTED] 
Sent: Tuesday, June 06, 2006 9:40 PM
Subject: SPF

Hi Darin,

Thanks for your offer to help. I am E-mailing you off-list.

We do use Declude. The entry in our $default$.junkmail file looks like this:

SPFFAIL WARN
SPFPASS WARN
SPFUNKNOWN WARN

However, I have never seen an "SPF Failure" in the header of a spam mail.

Global.cfg: 
SPFFAIL spffail x 30
SPFPASS spfpass x -10


Our SPF Record looks like this:

computerhouse.com. IN TXT "v=spf1 mx mx:mail.computerhouse.com"
mail.computerhouse.com. IN TXT "v=spf1 a -all"

Your insight is appreciated.


Michael Stein
Computer House


  - Original Message - 
  From: Darin Cox 
  To: Message Sniffer Community 
  Sent: Tuesday, June 06, 2006 9:30 PM
  Subject: Re: [sniffer]Numeric spam
  
  What do you use for spam filtering? Declude has the ability to test SPF,
  for example.
  
  Also, what is your SPF record for the domain in question?
  Darin.
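The two record shapes argued over in this thread, evaluated side by side in an added example (not code from the list, from Declude or from SortMonster). It is a small offline SPF evaluator covering only the a, mx, ip4 and all mechanisms, run against constructed zone data for a made-up domain; the point it shows is that a record with no terminal "all" term can never yield Fail, so a Declude SPFFAIL test never fires on it.

```python
"""Minimal offline SPF evaluator (subset of RFC 4408).

Added example: constructed zone data stands in for DNS, and only the a, mx,
ip4 and all mechanisms are implemented, which is all the records quoted in
this thread use.  The domain and addresses below are made up."""
import ipaddress

# Constructed zone data (not the real computerhouse.com zone).
ZONE = {
    "a": {
        "mail.example-house.test": ["192.0.2.25"],
        "example-house.test": ["192.0.2.10"],
    },
    "mx": {
        "example-house.test": ["mail.example-house.test"],
    },
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ips_for_a(name):
    return [ipaddress.ip_address(ip) for ip in ZONE["a"].get(name, [])]


def _ips_for_mx(name):
    ips = []
    for host in ZONE["mx"].get(name, []):
        ips.extend(_ips_for_a(host))
    return ips


def _mechanism_matches(mech, client_ip, domain):
    """True when `mech` (qualifier already stripped) matches `client_ip`."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name == "ip4":
        return client_ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain          # a/mx default to the checked domain
    if name == "a":
        return client_ip in _ips_for_a(target)
    if name == "mx":
        return client_ip in _ips_for_mx(target)
    raise ValueError("unsupported mechanism: %s" % name)


def check_spf(record, client_ip, domain):
    """Evaluate `record` for mail from `client_ip` claiming `domain`.

    Returns pass/fail/softfail/neutral, or "none" if `record` is not an SPF
    record.  Per RFC 4408 the default when no mechanism matches is neutral,
    not fail: that is why a record lacking "-all" never produces a failure."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    client_ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if _mechanism_matches(term, client_ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"


# The record shape posted in the thread, with and without a terminal "-all".
RECORD_WITHOUT_ALL = "v=spf1 mx mx:mail.example-house.test"
RECORD_WITH_ALL = "v=spf1 mx -all"


def compare_records(domain="example-house.test"):
    """How each record judges the domain's own MX versus an outside host."""
    results = {}
    for label, record in (("without_all", RECORD_WITHOUT_ALL),
                          ("with_all", RECORD_WITH_ALL)):
        results[label] = {
            "own_mx": check_spf(record, "192.0.2.25", domain),
            # Constructed outside address standing in for a forging host.
            "spoofer": check_spf(record, "203.0.113.7", domain),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_records().items():
        print(label, outcome)
```

Only a "fail" result would trigger an SPFFAIL test, so with the record lacking "-all" forged mail comes back "neutral" and the test never fires, while the corrected record yields "fail" for the outside host and "pass" for the domain's own MX.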
  


Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



The one issue with this I have is

1) Forward full original source to Sniffer with license code.

If we could do it without the license code, it would be much easier to
automate on our end. I already have a process in place to copy and reroute
false positives by rewriting the Q file. I'm hesitant to alter the message
itself to add the license code. If we could authenticate the FP report via
some other means it would help greatly. How about connecting IP instead?

Darin.


- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 12:59 AM
Subject: Re: [sniffer]FP suggestions
Pete,

Regarding suggestions for easing the reporting process, I would recommend the
following possible modifications:

1) An E-mail submission tool similar to the one now, but replies would be
   automated
2) Send back links or rather an HTML form with checkboxes in an E-mail
   auto-response allowing one to block rules.
3) Make blocked rules automatic for the submitter, but throw them into a
   queue for manual review by Sniffer folk in order to determine whether the
   blocks should become applied to all rulebases.
4) Have automatic triggers that lower rule strengths based on users blocking
   rules regardless of direct Sniffer action.

The gist of this is to make it more point and click. The fact that you need
full source is cumbersome, so the above recommendations seek ways to make the
process easier for both the customer and for Sniffer while dealing with the
need to send the full source. No direct customer interaction would be
necessary in most cases, and you would have a queue full of items to review
and make a determination about that customers have preened for you. To the
customer, the process would look like the following:

1) Forward full original source to Sniffer with license code.
2) Seconds later there would be an automated reply received in HTML format
   with a check box for every rule failed (or note that no active rules were
   found), a text box for optional comments, and submit button.
3) Customer checks the boxes for the rules he wants to block, adds notes in a
   text field if they feel like it, and they press submit. End of story.

You could also add a Web interface for this if you wanted to, but E-mail
seems the most appropriate for most.

I don't think it would be beneficial to rehash a lot of things involving how
FP's occur, at least on this list. I know from my system where my customers
have single-click reprocessing capability, that they miss about 97% of all
FP's either because they don't bother to do review, or they don't bother to
reprocess anything but personal E-mail that may get blocked. I would imagine
that Sniffer sees a similar rate of customer reported FP's due in part to the
difficulty, and in part for the same reasons that relate to my own users.

The three biggest sources of false positives are obscure foreign
domains/IP's, rules generated from bulk mailings that are too broadly
targeted, and things reported to Sniffer that are advertising, but not spam.
All three of these things are difficult and time consuming to deal with,
particularly the last two.

Here's some stats for Sniffer FP's on my system going back about 15 months:

SNIFFER-GENERAL        283
SNIFFER-EXPERIMENTAL   167  * Excluded 79 FP's from bad rule event on 1/17 - 1/18/2006
SNIFFER-IP              61
SNIFFER-PHISHING        52
SNIFFER-GETRICH         29  * Excluded 115 FP's from bad rule event on 4/18 - 4/19/2006
SNIFFER-PHARMACY        25
SNIFFER-PORN            24
SNIFFER-TRAVEL          13
SNIFFER-INSURANCE        7
SNIFFER-OBFUSCATION      6
SNIFFER-DEBT             6
SNIFFER-MALWARE          4
SNIFFER-AVSOFT           3
SNIFFER-CASINO           2
SNIFFER-INK              1
SNIFFER-MEDIA            1
SNIFFER-SPAMWARE         0

It is quite notable how high the FP's are with SNIFFER-GENERAL which is where
most bulk-mailers and customer reported spam rules are tagged. This is also
what my numbers show even though my customers are much less likely to
reprocess bulk mail, and of course they only reprocess a small fraction of my
overall FP's. This is almost all customer reported stuff. I score
SNIFFER-GENERAL at 53% of my Hold weight.

SNIFFER-IP is another standout. I only score SNIFFER-IP at 38% of my Hold
weight and it hits less than 2% of all Sniffer hits, yet it scored comparably
high so that is worth noting. The FP rate on SNIFFER-IP hasn't really changed
since you made adjustments.

SNIFFER-EXPERIMENTAL is a top category that caught a lot of zombie spam which
is important to many systems, but it did seem to have a high FP rate.

SNIFFER-PHISHING was worse for me until around January or February. It seemed
to have a lot of FP's on security related newsletters and chain letters. I
have mixed feelings about those things. Maybe more efforts on white rules
would help with that stuff, and I'm not totally sure if it is appropriate to
block chain letters even though I detest this stuff myself.

Most FP's do

Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Hi Pete,

Can I interpret this as email address and matching source IP are sufficient
if the correct email address is used to submit?

If not, do you have any suggestions on how you would like to see us
inserting the license ID in the D file?

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 8:25 AM
Subject: [sniffer]Re[2]: [sniffer]FP suggestions


Hello Darin,

Wednesday, June 7, 2006, 7:31:29 AM, you wrote:



 The one issue with this I have is



 1) Forward full  original source to Sniffer with license code.

 If we could do it without the license code, it  would be much
 easier to automate on our end. I already have a process in  place
 to copy and reroute false positives by rewriting the Q file. I'm
 hesitant to alter the message itself to add the license code. If we
 could  authenticate the FP report via some other means it would help
 greatly. How  about connecting IP instead?

At the moment that is how it's done: a combination of email address
and source IP are matched with the license ID.

The reason we ask for the license ID is because folks submitting false
positives occasionally forget that we authenticate on their registered
email address and use some other address.

-- The rule is that if the system can't match the email address it
should/may drop the message rather than evaluating it. We get a lot of
spam and attempts to game the system at our false@ address... so when
it's heavy we do drop messages that can't be properly identified.

However, in an effort to provide the best service possible, if the
license ID is present and we have the time we will look to see if it
could be a legit FP submission by researching the source and domain -
and if we think it is likely to be legitimate we will process the FP
and respond with an additional code reminding the submitter that they
must use their registered email address or an authorized alias.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]







Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



Oh, I assumed the rule had been removed. Are you saying there was a rule in
place, but the FP processing somehow failed to find it? If so, I'd say that
is a major failing on the part of the FP processing.

There's no way that we can find time to go through the Sniffer logs after
this bounces back with "no rule found". This would have to be automated to
have any chance of occurring, but again I would say the FP processing needs
to be corrected to identify the rule the message failed since the complete
message, headers and body, are included in the report.

Darin.


- Original Message - 
From: Scott Fisher 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 10:08 AM
Subject: Re: [sniffer]FP suggestions

For me the pain of false positives submissions is the research that happens
when I get a "no rule found" return.

I then need to find the queue-id of the original message and then find the
appropriate Sniffer log and pull out the log lines from there and then submit
it. Almost always in these cases, a rule is removed.

If this process could be improved that would really be a time saver.


Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Awesome.  Great job, Pete.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 6:49 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP
suggestions


Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:


  Pete,

  Since the %WEIGHT% variable is added by Declude, it might make
 sense to have a qualifier instead of making the values space
 delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

 Errors in Declude could cause values to not be inserted,
 and not everyone will want to skip at a low weight. I haven't seen
 any bugs with %WEIGHT% since shortly after it was introduced, but
 you never know. I have seen some issues with other Declude inserted
variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the program not found error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  One other thing that I came across with the way that Declude calls
 external apps...you can't delimit the data with things like quotes.
 There is no mechanism for escaping a functional quote from a quote
 that should appear in the data that you pass to it...so don't use
 quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe callled ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and it's alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
  low = a number representing the lowest weight to run progra.
  weight = a number representing the actual weight to evaluate.
  high = a number representing the highest weight to run program.
  program = the program to be activated if weight is in range.
  arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run
program and pass all of arg 1, arg 2,... arg n to it. Then
WeightGate will collect the exit code of program and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high)
then WeightGate will NOT launch program and will return FAIL_SAFE
(zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:

arg[0] me = WeightGate

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
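The gating semantics Pete describes, re-implemented in Python as an added example so the fail-safe behaviour can be exercised offline; this is not ARM Research's WeightGate.exe. Two choices are mine and not in the description: bounds or a weight that are not integers count as a usage error (the shifted arguments left behind by a missing %WEIGHT% hit this path), and a program that cannot be launched returns FAIL_SAFE instead of the launcher's not-found code; the `runner` parameter exists only so the logic can be tested without spawning anything.

```python
"""Python re-implementation of the WeightGate gating rules described above.

Added example, not the real WeightGate.exe.  Documented behaviour kept:
run the wrapped program only when low <= weight <= high, hand back its exit
code, and otherwise return FAIL_SAFE (zero) so a Declude "nonzero" test sees
no hit.  My own additions: non-integer bounds/weight are a usage error, a
launch failure also yields FAIL_SAFE, and the ShowMe.exe alter ego is a
log_path argument rather than a renamed binary."""
import subprocess
import sys

FAIL_SAFE = 0  # zero = "no hit" to a Declude test declared as "nonzero"


def parse_gate_args(argv):
    """Return (low, weight, high, program_argv) or None on a usage error.

    A missing %WEIGHT% shifts every argument left by one, so the program
    path lands in the `high` slot; int() rejects it and the caller fails
    safe instead of launching anything."""
    if len(argv) < 4:
        return None
    try:
        low, weight, high = (int(x) for x in argv[:3])
    except ValueError:
        return None
    return low, weight, high, argv[3:]


def should_run(low, weight, high):
    """The gate itself: inclusive range check [low, high], as documented."""
    return low <= weight <= high


def weight_gate(argv, runner=subprocess.call, log_path=None):
    """Evaluate the gate for `argv` (everything after the program name).

    `runner` receives the wrapped program's argv and returns its exit code;
    the default really spawns it.  `log_path`, when set, records the raw
    arguments the way ShowMe.exe writes c:\\ShowMe.log."""
    if log_path is not None:
        with open(log_path, "a", encoding="utf-8") as log:
            for i, arg in enumerate(argv):
                log.write("arg[%d] = %s\n" % (i + 1, arg))
    parsed = parse_gate_args(argv)
    if parsed is None:
        return FAIL_SAFE
    low, weight, high, program_argv = parsed
    if not should_run(low, weight, high):
        return FAIL_SAFE
    try:
        return runner(program_argv)
    except OSError:
        # Program not found or not executable: stay on the safe side
        # rather than surface a spurious nonzero result.
        return FAIL_SAFE


if __name__ == "__main__":
    sys.exit(weight_gate(sys.argv[1:]))
```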



Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Unfortunately, by the time the message gets to us it is sometimes just
different enough that the original pattern cannot be found. There are
some folks who consistently have success, and some who occasionally
have problems, and a few who always have a problem.

Different in what way?  Is the mail client encoding differently in the
forwarding process?  If so, do you know what clients are altering the
messages and how?  If there's one that's better for this, we could always
use it for forwarding since we currently send it to ourselves first, then
forward.

If we rewrite the Q file and queue directly from IMail, encoding shouldn't
change, correct?  If that avoids this issue, we could do that instead.

The best solution is to include the headers during the scan since they
will travel with the message.

What do you mean?  The XHDR?  We would love that for several reasons,
but Declude is not the same company anymore.

The next best is to automate matching
the log entries with the message so they can be included with the
submission (some do this to prevent the second trip).

Yeah, we'd have to automate it.  I can't imagine taking the time to manually
match for each occurrence of no rule found.  Another item for the
automation list.






Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



Of course I'm sending the full message as an attachment. You can do that with
Outlook by attaching an item, then browsing your mail folders for the message
to attach. And yes, that's how you do it with Outlook Express as well. I
don't use Thunderbird or Netscape mail, but I would assume you still need to
attach the original message to avoid the headers being lost.

What I was referring to was a little more involved than that... namely the
possibility of it not matching a rule because the attachment was encoded
differently. For example, I've seen mail go through that base64 encoded an
attached email that was not originally base64 encoded.

From Pete's responses, it sounded like "no rule found" really did mean no
rule was matched. Especially since he has a separate code for "rule already
removed". FPs we send are always from same day, or, at the very least,
within 24 hours.

Darin.


- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions
Darin,

Outlook will strip many of the headers when forwarding. Outlook Express needs
to forward the messages using "Forward As Attachment" in order to insert the
full original headers. Thunderbird/Netscape Mail will work just by
forwarding. If you paste the full source in a message, you should send as
plain text.

I have many FP's that come back as having no rules found, but these are more
likely to be from rules that were already removed. So I wouldn't jump to a
conclusion that the rule was not found because of formatting unless you are
not sending the full unadulterated original message source. I would imagine
that it would mostly be IP rules that aren't found when not forwarding the
full original source.

Matt

Darin Cox wrote: 

  It is unclear - we receive FPs that have traveled through all sorts of
clients, quarantine systems, changed hands various numbers of times,
or not (to all of those)... Right now I don't want to make that
research project a high priority.

Understood.

  
  That's true it wouldn't change, but submitting the message directly
would not be correct - the dialogue is with you, and in any case,
additional trips through the mail server also modify parts of the
header and sometimes parts of the message (tag lines, disclaimers,
etc)...

Hmmm... with attaching the original message, I guess it still makes more
sense to deliver to us first for now.  Just looking for an alternative that
gets you the message in a form as close as possible to the original.
Maybe we'll write a script to copy and forward the D*.SMD file as an
attachment to you for FPs at some point in the future.




#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



  


[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Darin Cox
Thunderbird and Netscape just takes the full original source and
attaches it as a message/rfc822 attachment.  I forwarded this message
back to the list by just pressing Forward.

Interesting that they include the headers with a simple forward, without
specifying forward as attachment.  I haven't ever seen that behaviour before
in a mail client.  Seems like a few forwards would create a very bloated
message with all of the old headers.

I'm pretty sure that
Outlook Express works simply by just pressing Forward As Attachment, or
at least it gives me enough of the original, including the full headers,
to determine how to block the spam.

Yes it does.  However you've missed the point.  The issue is not how to get
the headers.  It is how to keep an email client from encoding the message
and headers differently, so that Sniffer can properly identify the rule that
caught the message.

Please excuse me for wanting more detail about the Outlook attachment
trick, but would you mind attaching this message to a response so that I
could look at the headers and such?

Sorry, I don't use Outlook.  But I can tell you the steps to take in Outlook
2003 (other versions are almost exactly the same).  I have my Outlook users
follow these with no problem.

1. Create a new email message
2. Click the arrow beside the paperclip icon, select item instead of file
from the dropdown
3. Browse mailboxes from the popup dialog to select the message to attach.
4. Voila, original message and headers attached.

There was a discussion about Outlook's behavior with Scott some time
ago.  Apparently Microsoft was pressured by customers to remove headers
when forwarding because they felt that they were a security/privacy
risk.  No one told them that Outlook was a security/privacy risk on its
own :)  ...but that's another story.  I would probably feel different if
I had the need for groupware though, but digs at Microsoft are
irresistible sometimes.

I don't remember that discussion, and am not sure we're talking about the
same thing.  If you attach the original message via the steps above, you get
the full original message, headers and body.  We have a number of customers
who send spam reports this way, mostly on Outlook 2002 and 2003.

Darin






[sniffer] Re: New purchase question

2006-06-15 Thread Darin Cox
We zip ours nightly and save for 30 days just to make sure we don't miss
anything in reviewing the hold queue.  In practice, a week may be enough,
but two is probably preferable.

Darin.


- Original Message - 
From: Phillip Cohen [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Thursday, June 15, 2006 5:00 PM
Subject: [sniffer] Re: New purchase question


Roger,

Thanks for the info, that is a good way to deal with the mass spam
storage.  Do you ever have the requirement to go back through the
SPAM that you have saved? How long do you save it and do you just
delete it after a certain date? How do your clients ask you or what
do you do to retrieve a possible real message that might have been
considered spam? If sniffer never makes a false positive I guess it
is no big deal just to delete the spam, but on the rare chance there
are false positives I would sure hate to delete an important message.

This mail server supports about 60 domains so having all of the spam
in one folder is a bit of a mess. VOPMAIL allows for individual
mailbox agents so I guess somehow I could have a bat file for each
user or pass parameters to a bat file, but I hate to think about that
one. Going through each mailbox on the server to enter the agent
commands will be a real pain timewise.

Wondering what other VOPMAIL users do out there if there are any of us left.

Phil


At 12:14 PM 6/15/2006, you wrote:
This is how I do it, although there may be better ways.

I create a scheduled task to run a batch file called spam.cmd that
runs from within the spam folder.  This copies the spam caught that
day into a dated folder.  That way I can delete old spam, and keep
the folder organized.  This seems to work well with imail, but there
are probably better ways out there.

Here is my batch file

REM This portion gets the date.
REM Assumes the US-style output of DATE /T ("Thu 06/15/2006"); the quotes
REM around the options and the name of the year variable were lost in the
REM archive and are restored here.
FOR /F "TOKENS=2-4 DELIMS=/ " %%F IN ('DATE /T') DO (
  SET MM=%%F
  SET DD=%%G
  SET YYYY=%%H
)

REM This portion creates a folder with todays date MM-DD-YYYY
mkdir %MM%-%DD%-%YYYY%

REM moves the current files into the dated folder.
move *.smd .\%MM%-%DD%-%YYYY%\
move *.GSE .\%MM%-%DD%-%YYYY%\

Hope that's of help.

Roger










[sniffer] Re: Lot of stock spam getting through....

2006-07-07 Thread Darin Cox
Great job, Pete!  And thanks for all of your efforts to simultaneously
increase the catch rate and decrease the FP rate.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, July 07, 2006 11:11 AM
Subject: [sniffer] Re: Lot of stock spam getting through


Hello Chuck,

Friday, July 7, 2006, 10:48:28 AM, you wrote:

 We are seeing a lot of stock spam that is only a picture image getting
 through sniffer.

I had a big fight with one like that all last night -- there are some
unusual characters in the message that made it hard to filter and it
took some time to do the analysis (picking through them with a hex
editor).

I think these are handled now (as of about 0400e this morning) as I
don't have any getting through spamtraps at the moment. I will look
into it again.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.









[sniffer] Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Darin Cox



FYI... I just reported one of these, so watch 
out.
Darin.




[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Darin Cox
Hi Pete,

I'm not sure which column is which, but here are the log lines for the
message (minus the authorization code)

 20060823163449 D83a20d3001502962.SMD 0 32 Match 1100444 60 1502 1551 98
 20060823163449 D83a20d3001502962.SMD 0 32 Final 1100444 60 0 3798 98

The FP was submitted at 1:34pm ET.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, August 23, 2006 2:22 PM
Subject: [sniffer] Re: Paypal failing SNIFFER-GENERAL


Hello Darin,

I may be behind... but I don't see an FP report on this. Do you have
the rule id?

_M

Wednesday, August 23, 2006, 1:36:08 PM, you wrote:



 FYI... I just reported one of these, so watch  out.


 Darin.








-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.









[sniffer] Significant increase in false positives

2006-10-16 Thread Darin Cox



Anyone else seeing a sudden increase in FPs? 
We normally report a few each day, but we're seeing a 10x increase in FPs for 
the past three days.
Darin.




[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



We see this occasionally with Declude 1.82. What version are you running?
Darin.


- Original Message - 
From: Herb Guenther 
To: Message Sniffer Community 
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false 
positives
Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages
sneaking through our system because declude is not modifying the header
correctly. It is adding a header stub to the bottom of the message so that
users' mail client filters which look for the modified subject line are not
working. Anyone else having that issue?

Herb

Darin Cox wrote: 

  
  

  Anyone else seeing a sudden increase in 
  FPs? We normally report a few each day, but we're seeing a 10x increase 
  in FPs for the past three days.
  Darin.
  
  -- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct


This e-mail is confidential and is for the use of the intended recipient(s)only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.


[sniffer] Re: Declude header not modified correctly

2006-10-16 Thread Darin Cox



Ping them on the Declude list for the lack of response, and CC David Barker
for a response. He seems to be the best means of getting results these days.

What version are you running? Understandably 
you'll only get a response if you're running the latest 3.x or 4.x, as older 
versions are no longer supported.
Darin.


- Original Message - 
From: Herb Guenther 
To: Message Sniffer Community 
Sent: Monday, October 16, 2006 5:58 PM
Subject: [sniffer] Re: Declude header not modified 
correctly
It is frustrating because sniffer is catching them and they are not getting
marked so they still end up in the ol' inbox. Have opened some tickets at
declude a few times and never got a response. So no one has a magic bullet
on this one?

Herb

Kami Razvan wrote: 

  
  We see that a lot too.. we run 2.14
  
  Kami
  
  
  From: Message Sniffer Community [mailto:sniffer@sortmonster.com] 
  On Behalf Of Darin Cox
  Sent: Monday, October 16, 2006 5:44 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Significant increase in false positives

  We see this occasionally with Declude 1.82. What version are you running?
  Darin.
  
  
  - 
  Original Message - 
  From: 
  Herb Guenther 
  To: Message Sniffer Community 
  Sent: Monday, October 16, 2006 5:35 PM
  Subject: [sniffer] Re: Significant increase in false 
  positives
  Hi Darin;

  Not seeing a lot of false pos messages, but there are lots of spam messages
  sneaking through our system because declude is not modifying the header
  correctly. It is adding a header stub to the bottom of the message so that
  users' mail client filters which look for the modified subject line are not
  working. Anyone else having that issue?

  Herb

-- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct




[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



Ahh... good. The first thing they'll probably 
tell you is to update to the latest 4.x version, see if the problem persists, 
then re-report it.
Darin.


- Original Message - 
From: Herb Guenther 
To: Message Sniffer Community 
Sent: Monday, October 16, 2006 5:51 PM
Subject: [sniffer] Re: Significant increase in false 
positives
Not sure, this is what my declude diags.txt says:

Declude 4.1.0 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2005 Declude, Inc.

Herb

Darin Cox wrote: 

  
  We see this occasionally with Declude 1.82. What version are you running?
  Darin.
  
  
  - 
  Original Message - 
  From: 
  Herb Guenther 
  To: Message Sniffer Community 
  Sent: Monday, October 16, 2006 5:35 PM
  Subject: [sniffer] Re: Significant increase in false 
  positives
  Hi Darin;

  Not seeing a lot of false pos messages, but there are lots of spam messages
  sneaking through our system because declude is not modifying the header
  correctly. It is adding a header stub to the bottom of the message so that
  users' mail client filters which look for the modified subject line are not
  working. Anyone else having that issue?

  Herb

  Darin Cox wrote: 
  



Anyone else seeing a sudden increase in 
FPs? We normally report a few each day, but we're seeing a 10x 
increase in FPs for the past three days.
Darin.

-- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct




[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



For us, it doesn't calculate the proper weight when 
this happens, and only acts on the weight seen in the topmost headers. One 
of these years I'll finally exercise the right to use our 4.x license, I just 
don't have time for new problems at this point.
Darin.


- Original Message - 
From: Robert Grosshandler 
To: Message Sniffer Community 
Sent: Monday, October 16, 2006 5:57 PM
Subject: [sniffer] Re: Significant increase in false 
positives

That's been a problem for a long time, but for us, it still 
treats that e-mail as spam, with the appropriate weight. 100% of the time 
if Declude does that, the e-mail is beyond our delete 
weight.

Rob


From: Message Sniffer Community [mailto:[EMAIL PROTECTED] 
On Behalf Of Herb Guenther
Sent: Monday, October 16, 2006 4:35 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages
sneaking through our system because declude is not modifying the header
correctly. It is adding a header stub to the bottom of the message so that
users' mail client filters which look for the modified subject line are not
working. Anyone else having that issue?

Herb

Darin Cox wrote: 

  
  

  Anyone else seeing a sudden increase in 
  FPs? We normally report a few each day, but we're seeing a 10x increase 
  in FPs for the past three days.
  Darin.
  
  -- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct




[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



Hi Pete,

I haven't looked at the Sniffer logs, as cross 
referencing from the Declude logs is a bit of a pain, but many of the FPs did 
have images, so that probably accounts for most of them if it was an 
Experimental rule.
Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Monday, October 16, 2006 8:46 PM
Subject: [sniffer] Re: Significant increase in false 
positives

Hello Darin,

Monday, October 16, 2006, 5:17:26 PM, you wrote:



  
  

  

  Anyone else seeing a sudden increase in FPs? We 
  normally report a few each day, but we're seeing a 10x increase in FPs for 
  the past three days.

Not sure if this is it, but there was an image segment rule that went in over 
the weekend and resulted in an unusual number of false positives today. The rule 
was removed. IIRC the rule id was: 1174356

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



Hi Matt,

I know Pete has requested this in the past, but 
Declude hasn't been willing to make the change necessary for this to make it in 
the headers. But I totally agree with you, I'd love to see this in the 
headers so tracking down the rule isn't such a pain.
Darin.


- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Monday, October 16, 2006 10:03 PM
Subject: [sniffer] Re: Significant increase in false 
positives
Pete,

Would you please clarify this a bit. Declude of course doesn't record the
rule in the headers, so this is difficult to figure out. Knowing the pattern
may help identify the problematic messages. Also knowing the start time and
end time of the rule would also help.

It would be nice too if you talked with Declude about allowing for the
insertion of headers, or even if you did this on your own. I believe the D*
file may be editable when the external app is launched. That would make
recovery of this so much easier for me (minutes instead of hours of work).

Thanks,

Matt

Pete McNeil wrote: 

  
  

  Hello Darin,
  
  Monday, October 16, 2006, 5:17:26 PM, you wrote:
  
  
  


  

  
Anyone else seeing a sudden increase in FPs? 
We normally report a few each day, but we're seeing a 10x increase 
in FPs for the past three days.
  
  Not sure if this is it, but there was an image segment rule that went in 
  over the weekend and resulted in an unusual number of false positives today. 
  The rule was removed. IIRC the rule id was: 1174356
  
  Hope this helps,
  
  _M
  
  --
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.




  


[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



Hi Pete,

Can you clarify what this .xhdr option is and how 
we can enable it? I don't remember anything in the 
documentation that describes it. I think there were references to the 
config file previously, but there was never anything about it in mine. If 
you could give an example of how to enable and use the info it would be greatly 
appreciated.
Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Monday, October 16, 2006 11:13 PM
Subject: [sniffer] Re: Significant increase in false 
positives

Hello Matt,

Monday, October 16, 2006, 10:03:04 PM, you wrote:



  
  

  

  Pete,
  
  Would you please clarify this a bit. Declude of 
  course doesn't record the rule in the headers, so this is difficult to 
  figure out. Knowing the pattern may help identify the problematic 
  messages. Also knowing the start time and end time of the rule would 
  also help.

The rule was coded for a binary segment in an image file. Here is the rule 
information:



  
  

  
  


  
Rule - 1174356
  Name:          image spam binary segment as text !1AQaq"2
  Created:       2006-10-14
  Source:        !1AQaq"2
  Hidden:        false
  Blocked:       false
  Origin:        Spam Trap
  Type:          Simple Text
  Created By:    [EMAIL PROTECTED]
  Owner:         [EMAIL PROTECTED]
  Strength:      3.20638481603822
  False Reports: 11
  From Users:    7

Rule belongs to following groups: [252] Problematic

I removed the rule as soon as we began receiving reports - about mid-day 
today.



  
  

  

  
  It would be nice too if you talked with Declude about 
  allowing for the insertion of headers, or even if you did this on your 
  own. I believe the D* file may be editable when the external app is 
  launched. That would make recovery of this so much easier for me 
  (minutes instead of hours of work).

I have discussed this with Declude and I am hopeful that we will have better 
integration w/ Declude some time in the future.

In the mean time, our next version will include a feature to inject headers 
into message files. Understand, however, that this is an expensive feature that 
will substantially increase the I/O requirements on any mail server. Injecting 
headers requires that the entire message file must be written to disk an 
additional time. This is not a small consideration-- Where once most spam were 
tiny text/html files (often less than 5K) today's image spam variants are 
frequently 5 to 10 times the size of the old spam we used to know.

Also- note that this kind of thing can be very buggy on Winx systems -- 
sometimes changes to files are not reflected immediately between processes. For 
example, rename operations are not atomic - so when the old message file is 
deleted and the new version is renamed from its temp file to the original 
message file name, other Winx processes that depend on that file may not respond 
reliably.

For all of these reasons and more I've probably not thought of - this feature 
will be a "use at your own risk / YMMV" option.

All that said, there is an existing option in the current version of SNF to 
produce a .xhdr file for each message. This option is frequently used in *nix 
systems that use SNF. It would be possible to write a short utility (perhaps 
even a script) that would modify quarantined messages out-of-band to include the 
contents of the .xhdr file as X- headers. Such a utility is not currently on our 
development list, however, and I hallucinate that such a device would tend to 
evolve into something somewhat system specific.

The best option would be for Declude to add a feature that picks up x-headers 
created by external programs (perhaps in files named 
message-file-name.xhdr) so that they can be added in a single message 
rewrite along with the headers that Declude already adds. This would solve the 
I/O problems and standardize the mechanism for any other external programs that 
might wish to add headers.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
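The out-of-band approach Pete describes above (a script that cross-references the Sniffer log for a quarantined D*.SMD file and rewrites the file with the rule as an X- header, paying the second full write) as an added Python example; this is not SNF or Declude code. It assumes the log fields are whitespace-separated with the rule id in the field after Match/Final, and the header name X-SNF-Rule is invented here.

```python
"""Added example (not SNF or Declude code): look up the Sniffer rule that
caught a quarantined D*.SMD file and inject it as an X- header out-of-band.
Assumed, not stated in the thread: log fields are whitespace-separated and
the field after "Match"/"Final" is the rule id; X-SNF-Rule is an invented name."""
import os
import tempfile
from collections import defaultdict

# Constructed sample in the shape of the log lines quoted in the thread; the
# second file name and its values are made up.
SAMPLE_LOG = """\
20060823163449 D83a20d3001502962.SMD 0 32 Match 1100444 60 1502 1551 98
20060823163449 D83a20d3001502962.SMD 0 32 Final 1100444 60 0 3798 98
20061016091200 Dexample0001.SMD 0 32 Match 1174356 60 120 300 63
20061016091200 Dexample0001.SMD 0 32 Final 1174356 60 0 800 63
"""

# Constructed quarantined message with CRLF line endings.
SAMPLE_MESSAGE = (b"Received: from mail.example.invalid by mx.example.invalid\r\n"
                  b"From: sender@example.invalid\r\n"
                  b"Subject: Sample image mail\r\n\r\n"
                  b"Body text.\r\n")


def parse_log(text):
    """Map each message file name to its (kind, rule_id) rows, in log order."""
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        # Skip blank or malformed lines and anything that is not a result row.
        if len(fields) < 6 or fields[4] not in ("Match", "Final"):
            continue
        records[fields[1]].append((fields[4], fields[5]))
    return records


def final_rule(records, message_file):
    """Rule id on the file's Final row, or None if the log never failed it."""
    for kind, rule_id in records.get(message_file, []):
        if kind == "Final":
            return rule_id
    return None


def inject_headers(message, headers):
    """Prepend X- headers to a raw RFC 822 message, keeping its line endings.
    Only X- names with single-line values are accepted, so a crafted value
    cannot smuggle in an extra header line or overwrite a standard field."""
    for name, value in headers:
        if not name.startswith("X-") or "\r" in value or "\n" in value:
            raise ValueError("refusing to inject header %r" % name)
    end = message.find(b"\n")
    newline = b"\r\n" if end > 0 and message[end - 1:end] == b"\r" else b"\n"
    block = b"".join(("%s: %s" % h).encode("ascii") + newline for h in headers)
    return block + message


def rewrite_message_file(path, headers):
    """Rewrite a quarantined file with headers injected; return bytes added.
    The whole message is written a second time (the I/O cost the thread
    warns about) to a temp file beside it, then swapped in with os.replace();
    on Windows that swap can still race with a process holding the file open,
    so this is strictly for messages already sitting in quarantine."""
    with open(path, "rb") as f:
        original = f.read()
    updated = inject_headers(original, headers)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".xhdr-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(updated)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return len(updated) - len(original)


def tag_quarantined(path, records):
    """Inject X-SNF-Rule into one file; return the rule id, None if not logged."""
    rule_id = final_rule(records, os.path.basename(path))
    if rule_id is not None:
        rewrite_message_file(path, [("X-SNF-Rule", rule_id)])
    return rule_id


def demo(message_file="Dexample0001.SMD"):
    """Quarantine the constructed message under message_file, tag it, return result."""
    records = parse_log(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as qdir:
        path = os.path.join(qdir, message_file)
        with open(path, "wb") as f:
            f.write(SAMPLE_MESSAGE)
        rule_id = tag_quarantined(path, records)
        with open(path, "rb") as f:
            return rule_id, f.read()
```

Running `demo()` tags the constructed file with `X-SNF-Rule: 1174356`; a file name the log never recorded is left untouched and returns `None`.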

[sniffer] Re: Significant increase in false positives

2006-10-17 Thread Darin Cox



Hi Pete,

You're exactly right, but we often get spoiled by 
the high quality of your detection rate. It's easy to expect perfection 
when it means less work for us <g>.

Thanks for all you do to keep the quality so 
high.
Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Tuesday, October 17, 2006 8:42 AM
Subject: [sniffer] Re: Significant increase in false 
positives

Hello Computer,

Monday, October 16, 2006, 11:09:03 PM, you wrote:



  
  

  

  Dear Pete,
  
  Sniffer blocked 35,000 messages today, and roughly 
  7200 of them were blocked by the 1174356 rule.
  
  Do you think many of these were false positives? 
   Do you know a way of searching through 35,000 Imail messages to 
  find the FP's ?
  
  What would you suggest in this situation.
  

This was not a bad-rule alert or rule-panic situation. Most of these messages 
were probably NOT false positives. The rule does have a higher rate than is 
acceptable (so it was dropped), but it doesn't catch every message with an 
image, and it does catch primarily image spam.

If I felt strongly about researching this there would be 7200 to look through 
(not 35000) and I would probably only look through those that failed no other 
tests or were below some very low weight threshold otherwise - that would 
probably bring the number down into a range  100 messages (based on what 
I've seen reported).

[ Educated guess items:  80% of content is usually spam. On weekends this 
number is higher. This weekend there were some new, aggressive image spam 
campaigns - so the number of spam captured by a rule like this would be higher 
than normal rather than lower. The rule was essentially in place only during the 
weekend and only received FP reports late Sun through early Mon and some systems 
have reported no discernable increase in false positives during this period. 20% 
of 7200 is close to 150, so the conservative number likely not to be spam in 
that group is less than that (due to the weekend) so approximately 100 seems 
reasonable. If there are FPs then it is likely they failed no other tests. ]

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Increase in spam

2006-10-18 Thread Darin Cox
We saw a sudden ~50% increase on July 16th, but only fluctuations and
moderate growth since then.  On weekdays we're now at 80% spam, 95% or
better on weekends.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, October 18, 2006 9:23 AM
Subject: [sniffer] Re: Increase in spam


Hello K,

Wednesday, October 18, 2006, 8:52:17 AM, you wrote:

   I've been seeing a massive increase in spam over the last 2 days getting
 through with minimal scores. Could this be due to the drawback of the
 filter involved with false positives, or something else?

It's hard to pin down, but not likely to be the pulled rule. We have
seen a relative increase in new spam campaigns over the past 2 days
preceded by a lull. That may be what you're noticing.

I've attached a graph to illustrate.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.













[sniffer] Re: Declude header not modified correctly

2006-10-25 Thread Darin Cox
I have an active SA.  I've sent support requests twice in the past few
months to support@ and have gotten no response.

Darin.


- Original Message - 
From: Computer House Support [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, October 25, 2006 9:11 AM
Subject: [sniffer] Re: Declude header not modified correctly


David Waller wrote:  they don't respond to support emails from this
registered user...


Dear David,

I am curious to know if you have an active Service Agreement with Declude?
Among the hundreds of vendors that I deal with, I found their support to be
one of the best.  I seldom wait more than an hour for a response.


Michael Stein
Computer House










[sniffer] Re: Declude header not modified correctly

2006-10-25 Thread Darin Cox



David Barker has also been good about 
responding, but that's not the issue. We should be able to go through 
standard support channels instead of having to remember to redirect support 
requests to alternative personnel.
Darin.


- Original Message - 
From: Computer 
House Support 
To: Message Sniffer Community 
Sent: Wednesday, October 25, 2006 11:15 AM
Subject: [sniffer] Re: Declude header not modified 
correctly

Dear Sniffer Folks,

As I mentioned in a previous post, we have been very happy 
with the response from Declude Tech Support.

Feel free to use this E-mail address if you need 
help: [EMAIL PROTECTED]

Linda has been very good at responding, and she has given 
permission for me to post her address here.


Michael Stein
Computer House

  - Original Message - 
  From: 
  Herb Guenther 
  To: Message Sniffer Community 
  Sent: Wednesday, October 25, 2006 10:06 
  AM
  Subject: [sniffer] Re: Declude header not 
  modified correctly
  I have an active SA, I sent in some service requests and got a ticket number
  by return email, never a follow up. Then called in and a chap named Chris
  Asaro fixed the settings on our account so that I could download the correct
  version and was quite helpful with that. However, that does not solve the
  problem and all emails of examples and requests for status since 10/18/06
  have gone unanswered.

  So, basically their answer was install the latest version, and beyond that
  nothing, not even a reply or a we are working on it and will have something
  to try on X. Our users are seeing hundreds of spam messages unmarked in
  their email boxes a day, and of course want to know why when it is
  identified as spam they are still getting it. I personally know that this
  has been an issue for at least a year. If I were a spammer I would sure
  code my emails to exploit this.

  Anyway, have used Declude for about 5 years as I recall and getting kind of
  to the end of the line.

  I also spent some time yet again on their web site, and do not see a
  discussion board or anything to discuss this issue there vs here.

  Herb

  Darin Cox wrote: 
  I have an active SA.  I've sent support requests twice in the past few
months to support@ and have gotten no response.

Darin.


- Original Message - 
From: "Computer House Support" [EMAIL PROTECTED]
To: "Message Sniffer Community" sniffer@sortmonster.com
Sent: Wednesday, October 25, 2006 9:11 AM
Subject: [sniffer] Re: Declude header not modified correctly


David Waller wrote: "they don't respond to support emails from this
registered user..."


Dear David,

I am curious to know if you have an active Service Agreement with Declude?
Among the hundreds of vendors that I deal with, I found their support to be
one of the best.  I seldom wait more than an hour for a response.


Michael Stein
Computer House




  -- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct


This e-mail is confidential and is for the use of the intended recipient(s)only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.





[sniffer] Re: Declude List

2006-11-03 Thread Darin Cox
Nope... list is still active.  If you're having trouble, I would suggest
calling Declude

Darin.


- Original Message - 
From: Steve Oren [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, November 03, 2006 1:48 PM
Subject: [sniffer] Re: Declude List


This list seems broken?

Anyone still getting mail from the Declude Junkmail list?

When you send mail to [EMAIL PROTECTED], you get this:

Unknown user: [EMAIL PROTECTED]

RCPT TO generated following response:
550 Recipient not in route list.

Herb Guenther wrote:
 Thanks Andy;

 I appreciate the info.

 Herb

 Andy Schmidt wrote:

 Hi,

 for discussions on Declude, you need to subscribe to
 Declude.Junkmail or Declude.Virus at [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]

 Here's their standard trailer line:


 This E-mail came from the Declude.JunkMail mailing list. To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type "unsubscribe Declude.JunkMail". The archives can be found
 at http://www.mail-archive.com/.



 Best Regards
 Andy Schmidt
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:    +1 201 934-9206



 
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
 Behalf Of Herb Guenther
 Sent: Wednesday, October 25, 2006 10:06 AM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Declude header not modified correctly

 I have an active SA, I sent in some service requests and got a ticket
 number by return email, never a follow up.  Then called in and a chap
 named Chris Asaro fixed the settings on our account so that I could
 download the correct version and was quite helpful with that.
 However, that does not solve the problem and all emails of examples
 and requests for status since 10/18/06 have gone unanswered.

 So, basically their answer was "install the latest version", and beyond
 that nothing, not even a reply or a "we are working on it and will have
 something to try on X".  Our users are seeing hundreds of spam messages
 unmarked in their email boxes a day, and of course want to know why
 when it is identified as spam they are still getting it.  I personally
 know that this has been an issue for at least a year.  If I were a
 spammer I would sure code my emails to exploit this.

 Anyway, have used Declude for about 5 years as I recall and getting
 kind of to the end of the line.

 I also spent some time yet again on their web site, and do not see a
 discussion board or anything to discuss this issue there vs here.

 Herb




 -- 
 Herb Guenther
 Lanex, LLC
 www.lanex.com
 (262)789-0966x102 Office
 (262)780-0424 Direct





-- 
Best Regards,

Steve Oren
President
ServerSide, Inc.
317-596-5000 voice
317-596-5010 fax
888-682-2544 toll free
www.serverside.net





[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
Hi Pete,

Why the change?  FTP is more efficient for transferring files than HTTP.

Can we request longer support for FTP to allow adequate time for everyone to
schedule, test, and make the change?

I remember trying dHTTP initially when this was set up, but it wasn't
working reliably, plus FTP is more efficient, so we went that way.  wget may
work better when we have time to try it.

Also, what's this about gzip?  Is the rulebase being changed to a .gz file?
Compression is a good move to reduce bandwidth, but can we put in a plug for
a standard zipfile?

Do you have scripts already written to handle downloads the way you want
them now?  If so, how about a link?

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, January 05, 2007 4:39 PM
Subject: [sniffer] FTP server / firewall issues - Resolved.


Hello Sniffer Folks,

The firewall issues we were having with our new delivery server appear
to have been resolved. I am showing good traffic via FTP at this time.

Normal ftp access for log uploads and SNF rulebase downloads via
www.sortmonster.net / ftp.sortmonster.net should work correctly now.

Note that FTP downloads of SNF rulebases is deprecated. If you are
using FTP to download your rulebase files you should switch to using
http w/ gzip as soon as practical.

FTP access to SNF rulebase files will continue for a time but support
may be removed without notice in the future. It's a safe bet that FTP
access for SNF rulebase files will remain functional through the end
of this month however.

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
Hi Matt,

Hmmm you're right.  I have heard of FTP configuration issues through some 
firewalls, though I haven't seen the problem myself.  Good point.  Thanks for 
commenting.  And yes, the compression (though it's not being used now) would 
obviously be of significant benefit.  

Darin.


- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Friday, January 05, 2007 11:48 PM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.


Darin,

There are many people with firewall or client configuration issues that cause 
problems with FTP, however HTTP rarely experiences issues and is definitely 
easier to support.  As far as efficiency goes, since the rulebases will all be 
zipped, there is little to be gained from on-the-fly improvements to FTP (and 
there are some for HTTP as well).  In such a case, I would consider it to be 
effectively a wash, nothing gained, nothing lost (measurably).

Matt



Darin Cox wrote: 
Thanks, Pete.  Appreciate you taking the time to explain what's happening in
more detail.

I'm curious as to why FTP is more difficult than HTTP to debug, deploy,
secure, and scale, though. I tend to think of them on equal footing, with
the exception of FTP being faster and more efficient to transfer files in my
experience.

Thanks for the link to save some time.  Much appreciated.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, January 05, 2007 9:47 PM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.


Hello Darin,

Friday, January 5, 2007, 6:23:22 PM, you wrote:

  Hi Pete,

  Why the change?

Many reasons. HTTP is simpler to deploy and debug, simpler to scale,
less of a security problem, etc...

Also, the vast majority of folks get their rulebase files from us with
HTTP - probably for many of the reasons I mentioned above.

  FTP is more efficient for transferring files than HTTP.

Not necessarily ;-)

  Can we request longer support for FTP to allow adequate time for everyone
to
  schedule, test, and make the change?

I'm not in a hurry to turn it off at this point, but I do want to put
it out there that it will be turned off.

  I remember trying dHTTP initially when this was set up, but it wasn't
working reliably, plus FTP is more efficient, so we went that way.  wget
may
  work better when we have time to try it.

  Also, what's this about gzip?  Is the rulebase being changed to a .gz
file?
  Compression is a good move to reduce bandwidth, but can we put in a plug
for
  a standard zipfile?

Gzip is widely deployed and an open standard on all of the platforms
we support. We're not moving to a compressed file -- the plan is to
change the scanning engine and the rulebase binary format to allow for
incremental updates before too long - so for now we will keep the file
format as it is.

Apache easily compresses files on the fly when the connecting client
can support a compressed format. The combination of wget and gzip
handle this task nicely. As a result, most achieve the benefits of
compression during transit almost automatically.

  Do you have scripts already written to handle downloads the way you want
them now?  If so, how about a link?

We have many scripts on our web site:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates

My personal favorite is:

http://www.sortmonster.com/MessageSniffer/Help/UserScripts/ImailSnifferUpdateTools.zip

I like it because it's complete as it is, deploys in minutes with
little effort, generally folks have no trouble achieving the same
results, and an analog of the same script is usable on *nix systems
where wget and gzip are generally already installed.

There are others of course.

Hope this helps,

_M
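
The download flow Pete describes above (Apache compressing on the fly for a client that advertises gzip, then decompressing on the client side), written out as an added example. This is not one of the ARM Research update scripts linked in the post; the URL, licence id and .snf file name are placeholders, and the fetch step is pluggable so the constructed stubs at the bottom exercise it without network access. The wget equivalent of the request is wget --header='Accept-Encoding: gzip', which (for wget versions of that era) saves the gzipped body as-is, so the same decompress-then-install step applies.

```python
"""Added example: HTTP rulebase download with in-transit gzip.

Not one of ARM Research's update scripts.  URL and file names are placeholders;
the fake_fetch_* functions are constructed stubs standing in for the server.
"""
from __future__ import annotations
import gzip
import os
import tempfile
import urllib.request
from typing import Callable, Tuple

RULEBASE_URL = "http://www.sortmonster.net/example/licenseid.snf"   # placeholder
DEFAULT_DEST = os.path.join(tempfile.gettempdir(), "example-licenseid.snf")
GZIP_MAGIC = b"\x1f\x8b"

Fetcher = Callable[[str], Tuple[bytes, str]]   # url -> (body, Content-Encoding)


def http_fetch(url: str) -> tuple[bytes, str]:
    """Advertise gzip; Apache compresses the transfer when the client says so."""
    req = urllib.request.Request(url, headers={"Accept-Encoding": "gzip"})
    with urllib.request.urlopen(req, timeout=60) as resp:      # network access
        return resp.read(), resp.headers.get("Content-Encoding", "")


def decode_body(body: bytes, encoding: str) -> bytes:
    """Undo transfer compression.  Decide on the bytes, not only the header:
    intermediaries strip Content-Encoding or add it without compressing, and a
    mis-decoded or HTML error body must never be installed as a rulebase."""
    if body.startswith(GZIP_MAGIC):
        return gzip.decompress(body)
    if encoding.lower() == "gzip":
        raise ValueError("Content-Encoding says gzip but body is not gzip")
    return body


def install_rulebase(data: bytes, dest: str) -> None:
    """Write to a temp file in dest's directory, then rename over dest, so a
    scanner that opens the rulebase never sees a partially written file."""
    if not data:
        raise ValueError("refusing to install an empty rulebase")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)),
                               prefix=".rulebase.")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, dest)                 # atomic rename
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def run_update(dest: str = DEFAULT_DEST, url: str = RULEBASE_URL,
               fetch: Fetcher = http_fetch) -> tuple[str, int]:
    """('installed', size) or ('rejected', 0); the old file survives any failure."""
    try:
        body, encoding = fetch(url)
        data = decode_body(body, encoding)
        install_rulebase(data, dest)
    except (ValueError, OSError, EOFError):   # bad gzip data raises OSError/EOFError
        return "rejected", 0
    return "installed", len(data)


def read_installed(dest: str = DEFAULT_DEST) -> bytes:
    with open(dest, "rb") as f:
        return f.read()


# Constructed stubs for offline runs (not real rulebase content).
SAMPLE_RULEBASE = b"SNF-rulebase-bytes-constructed-for-the-example"


def fake_fetch_gzip(url: str) -> tuple[bytes, str]:
    return gzip.compress(SAMPLE_RULEBASE), "gzip"


def fake_fetch_plain(url: str) -> tuple[bytes, str]:
    return SAMPLE_RULEBASE, ""


def fake_fetch_lying(url: str) -> tuple[bytes, str]:
    return b"<html>error page</html>", "gzip"   # header claims gzip, body is not


def fake_fetch_empty(url: str) -> tuple[bytes, str]:
    return b"", ""


if __name__ == "__main__":
    print(run_update(fetch=fake_fetch_gzip), read_installed()[:12])
```

The check on the gzip magic bytes rather than the header is the part worth keeping even in a one-line wget script: a proxy or an error page that does not match what the header claims is the usual way a bad file ends up installed, and the temp-file-plus-rename step keeps the running scanner on the previous rulebase until the new one is complete.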


  

[sniffer] Re: Spam

2007-05-30 Thread Darin Cox
Fortunately with Outlook Express we have the Ctrl-W function to initiate the 
forwarding process.  Then we can just type in the first few characters of the 
address and hit Alt-S to send.  Not as quick as a single button, but much 
quicker than Outlook without this toolbar.  Takes me about 4 seconds per 
message.

Darin.


- Original Message - 
From: Bonno Bloksma 
To: Message Sniffer Community 
Sent: Wednesday, May 30, 2007 2:09 AM
Subject: [sniffer] Re: Spam


Hi,

 I recommend SpamSource, if you are an Outlook user. It's a little
 toolbar applet that you can configure any recipient of the forwarded spam
 and it will include all the original mail headers - just the way Sniffer,
[]
It is a wonderful tool! Thanks Andy

Nobody pays us for our work of reporting not cached messages.
The Sniffer staff should offer for free to our community this tool ;-)

Hmmm, if they do I would love to have it for Outlook Express as well.
It seems a great tool, especially now that we see a lot of missed spam. It would 
be great if I had a tool to deploy on all staff PC's where we use Outlook 
Express mostly (ca. 90%).
One other thing that would be nice if IMail webinterface had a way to forward 
spam with all information intact.




Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer



tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 

[sniffer] Re: July 18

2007-07-18 Thread Darin Cox
There have been a lot reported today.  It started for us about 8:30am.

We use Declude and added a filter to catch messages with subjects starting 
with Emailing:, ending with .pdf and having a body containing The 
message is ready to be sent with the following file or link.  This 
combination may result in false positives, but has not for us today.  The 
headers appear too varied to identify anything in them for use in the 
filtering process.

Darin.


- Original Message - 
From: [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, July 18, 2007 3:38 PM
Subject: [sniffer] July 18


Not sure what is up but I'm seeing lots of messages getting through
to my primary folder since yesterday.  Lots of .pdf
attachments  -  Just checked and 10/11 were spam messages in my inbox.




Thanks, Greg

CoffeyNet/AllureTech   v 307-473-2323
1546 E. Burlington  cell  307-259-7962
Casper, WY  82601  fax 307-237-3709






[sniffer] Re: New campaign not caught

2007-08-07 Thread Darin Cox
Just got one a short while ago.  Look at these headers:

Received: from p4248-ipbfp02matuyama.ehime.ocn.ne.jp [124.96.113.248] by 
mail.4cweb.com with ESMTP
  (SMTPD-8.22) id A0D001A0; Tue, 07 Aug 2007 12:41:52 -0400
Received: from [126.147.120.198] by p4248-ipbfp02matuyama.ehime.ocn.ne.jp with 
HTTP;
 Wed, 8 Aug 2007 01:42:17 +0900
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Wire instructions-Moi
Date: Wed, 8 Aug 2007 01:42:01 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary==_NextPart_000_000C_01C7D95D.50E32D80
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

Note the "with HTTP;".  This looks detectable to me, since it also has OE 
headers.  Not sure if there is more to work with in the Message-ID and MIME 
boundaries.


Darin.


- Original Message - 
From: Scott Fisher 
To: Message Sniffer Community 
Sent: Tuesday, August 07, 2007 12:46 PM
Subject: [sniffer] New campaign not caught


Last night I started getting spam with numbers in the subject and a hex code in 
the body.



This morning that switched over to stock spam PDFs.



Hopefully rules can be targeted towards them!



Scott Fisher

Dir of IT

Farm Progress Companies

191 S Gary Ave

Carol Stream, IL 60188

Tel: 630-462-2323



This email message, including any attachments, is for the sole use of the 
intended recipient(s) and may contain confidential and privileged information. 
Any unauthorized review, use, disclosure or distribution is prohibited. If you 
are not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message. Although Farm Progress Companies 
has taken reasonable precautions to ensure no viruses are present in this 
email, the company cannot accept responsibility for any loss or damage arising 
from the use of this email or attachments.
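
The two detection ideas Darin posts in this stretch of the list, his July 18 Declude filter (Subject starting "Emailing:", ending ".pdf", body containing the Outlook "The message is ready to be sent with the following file or link" sentence) and his August 7 observation (a Received line saying "with HTTP" on a message whose X-Mailer and X-MimeOLE headers claim Outlook Express), as an added example in runnable form. This is not Declude filter syntax and not Message Sniffer code; it uses Python's standard email parser so the rules see unfolded headers and decoded bodies. The weights and the four sample messages are constructed for the example, and the header-inconsistency rule is scored low on purpose, since Darin presents it as a lead, not a proof.

```python
"""Added example: the two detection ideas in this thread as runnable checks.

Not Declude filter syntax and not Message Sniffer code.  Uses the standard
library parser so rules see unfolded headers and decoded bodies.  Sample
messages at the bottom are constructed for the example.
"""
from __future__ import annotations
import email
from email import policy
from email.message import EmailMessage

PDF_SUBJECT_PREFIX = "emailing:"
PDF_SUBJECT_SUFFIX = ".pdf"
OUTLOOK_PHRASE = "the message is ready to be sent with the following file or link"

# Illustrative weights: a weight-based setup adds rule weights and holds at a
# threshold, so each rule reports a hit rather than a verdict.
WEIGHTS = {"pdf_emailing": 20, "http_vs_oe": 10}


def body_text(msg: EmailMessage) -> str:
    """All text/* parts, decoded from their charset and transfer encoding."""
    parts = [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(parts).lower()


def rule_pdf_emailing(msg: EmailMessage) -> bool:
    """July 18 rule: 'Emailing: ... .pdf' subject plus the Outlook
    'send to mail recipient' sentence in the body.  All three must hold."""
    subject = str(msg.get("Subject", "")).strip().lower()
    if not (subject.startswith(PDF_SUBJECT_PREFIX) and subject.endswith(PDF_SUBJECT_SUFFIX)):
        return False
    return OUTLOOK_PHRASE in body_text(msg)


def rule_http_vs_outlook_express(msg: EmailMessage) -> bool:
    """Aug 7 observation: a Received line recording a webmail submission
    ('with HTTP') on a message whose X-Mailer / X-MimeOLE claim Outlook
    Express.  A heuristic, hence the lower weight."""
    via_http = any("with http" in str(r).lower() for r in msg.get_all("Received", []))
    mailer_headers = msg.get_all("X-Mailer", []) + msg.get_all("X-MimeOLE", [])
    mailer = " ".join(str(h) for h in mailer_headers).lower()
    return via_http and "outlook express" in mailer


RULES = {"pdf_emailing": rule_pdf_emailing,
         "http_vs_oe": rule_http_vs_outlook_express}


def score_message(raw: str) -> tuple[int, list[str]]:
    """Parse one RFC 2822 message; return (total weight, rules that fired)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = [name for name, rule in RULES.items() if rule(msg)]
    return sum(WEIGHTS[h] for h in hits), hits


# Constructed samples (not real mail).
PDF_SPAM = """\
From: sender@example.net
To: user@example.com
Subject: Emailing: report_0718.pdf
Content-Type: text/plain; charset=us-ascii

The message is ready to be sent with the following file or link attachments:

report_0718.pdf
"""

PDF_HAM = """\
From: colleague@example.org
To: user@example.com
Subject: Emailing: contract.pdf
Content-Type: text/plain; charset=us-ascii

Signed copy attached as discussed on the phone.
"""

WEBMAIL_OE = """\
Received: from [192.0.2.10] by webmail.example.jp with HTTP;
 Wed, 8 Aug 2007 01:42:17 +0900
From: someone@example.jp
To: user@example.com
Subject: Wire instructions
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Content-Type: text/plain; charset=us-ascii

See attached.
"""

WEBMAIL_OK = """\
Received: from [192.0.2.11] by webmail.example.jp with HTTP;
 Wed, 8 Aug 2007 02:00:00 +0900
From: friend@example.jp
To: user@example.com
Subject: Photos from the trip
Content-Type: text/plain; charset=us-ascii

Uploaded them last night.
"""
```

The false-positive risk Darin mentions for the first rule is real and visible here: a genuine "send to mail recipient" message from Outlook carries the same subject shape and the same body sentence, which is why the rule should contribute weight toward a hold threshold rather than delete on its own.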




[sniffer] FPs on 1573590

2007-09-21 Thread Darin Cox
Hi Pete,

We're getting a number of FPs on SNIFFER-PORN rule 1573590.  The emails are 
clean, NOT porn-related, and no obvious pattern was in the emails that we could 
see that Sniffer might be FPing on.

Darin.



[sniffer] Re: Address

2007-09-25 Thread Darin Cox
Probably not, but if you have the finder service exposed outside of your 
firewall (not recommended), then yes, this will help.  It has nothing to do 
with SPF.

Darin.


- Original Message - 
From: [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, September 25, 2007 12:52 PM
Subject: [sniffer] Re: Address


I have SPF's set up for all the domains I host.  There is a setting
in Imail that says Hide From Information Services.  That was off but
I just enabled it.  Is that a good thing [for me] or not?

At 06:38 PM 9/24/2007, you wrote:
Hello Greg,

Monday, September 24, 2007, 8:10:23 PM, you wrote:

  Some of the spammers are apparently using my email address as the
 sender.  Any way to defeat
  that or capitalize on it?  I get several bounces a week from all
 over the world.

One little thing you can do if it's not done already is to set up
proper SPF records for your domains. That will at least help others
skip the malware using your addresses more easily.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



Thanks, Greg

CoffeyNet/AllureTech   v 307-473-2323
1546 E. Burlington  cell  307-259-7962
Casper, WY  82601  fax 307-237-3709
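
Pete's suggestion above (publish SPF records so that other sites can skip mail forging your addresses) as an added example of what the receiving side does with them. This is not Message Sniffer or Declude code. It evaluates the ip4, ip6, include and all mechanisms of RFC 7208 and deliberately leaves out a, mx, ptr, exists and redirect=, which a real checker needs; DNS is behind a resolver callable so the constructed records at the bottom run it offline. The decision function shows why this matters for the bounces Greg is seeing: a receiver that checks SPF during the SMTP session refuses a forged sender before accepting the message, so there is nothing left to bounce back to the forged address.

```python
"""Added example: a partial SPF check and the SMTP-time decision it drives.

Not Message Sniffer or Declude code.  Supports ip4, ip6, include, all; the
other RFC 7208 mechanisms are intentionally omitted.  FAKE_TXT is constructed.
"""
from __future__ import annotations
import ipaddress
from typing import Callable, List

TxtResolver = Callable[[str], List[str]]     # domain -> TXT strings

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def spf_record(domain: str, resolve: TxtResolver) -> str | None:
    """Exactly one v=spf1 TXT record; several is a permerror in RFC 7208."""
    records = [r for r in resolve(domain) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(ip: str, domain: str, resolve: TxtResolver, depth: int = 0) -> str:
    """pass / fail / softfail / neutral / none / permerror for the connecting
    IP against the domain's record.  Terms are evaluated left to right and the
    first matching mechanism decides."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain, resolve)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = check_host(ip, arg, resolve, depth + 1) == "pass"
        else:
            continue          # mechanism or modifier not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # nothing matched and no 'all' term present


def mail_from_decision(ip: str, mail_from: str, resolve: TxtResolver) -> str:
    """Decide at MAIL FROM time.  A 'reject' here is a 550 inside the session:
    the forged message is never accepted, so no bounce is generated toward the
    forged address.  A null sender has no domain to check; bounces need a
    separate control (a null-sender filter or BATV)."""
    if mail_from == "":
        return "accept"
    domain = mail_from.rsplit("@", 1)[-1]
    if check_host(ip, domain, resolve) == "fail":
        return "reject"
    return "accept"           # pass/softfail/neutral/none: accept, let weights decide


# Constructed zone data (documentation address ranges), not real records.
FAKE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nospf.example": ["some unrelated txt record"],
}


def fake_resolver(domain: str) -> list[str]:
    return FAKE_TXT.get(domain, [])
```

Note the "none" result for nospf.example: this is Darin's later point about backscatter in code, since a domain without a record gives the receiver nothing to reject on, and mail forged from it is accepted and bounced as before.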






[sniffer] Re: Backscatter Spam

2008-06-29 Thread Darin Cox
SPF does help, and we've used it for about three years here, but only when the 
domain being forged has an SPF policy.  So, it's most useful when the recipient 
domain is being forged as the sender as well.

We've seen some joe job attacks with bounces around 25k to a single address.  
We filtered about 85% of those, but that still meant the customer received a 
bit under 4k.   We've since tweaked our NULL sender filter to catch more, but 
at the risk of catching some read receipts, automated replies, etc.  With 
volumes this high, even 99% filtering results in a huge hit (250 bounces) from 
the customer's perspective.  We're working to get to the 99.9% level consistent 
with the rest of our filtering.

Darin.


- Original Message - 
From: E. H. (Eric) Fletcher 
To: Message Sniffer Community 
Sent: Saturday, June 28, 2008 11:56 PM
Subject: [sniffer] Re: Backscatter Spam


Matt:

We also found SPF records did the trick on the high volume returns to several 
domains especially from some of the appliances.  

Eric
  - Original Message - 
  From: Mxuptime.com 
  To: Message Sniffer Community 
  Sent: Saturday, June 28, 2008 8:50 PM
  Subject: [sniffer] Re: Backscatter Spam


  Interesting idea but the BATV appears to be something that you would need to 
run on the MTA level (i.e the MailServer would need to support the 
functionality) because it rewrites the return address on outgoing emails.

   

  On a side note, I have noticed a significant drop in backscatter when SPF is 
implemented for the particular domain. Most of the backscatter appears to come 
from valid antispam appliances like the Barracuda boxes which would normally 
use SPF. These devices perform the SPF test during the SMTP connection and 
reject it immediately as opposed to bouncing the message back. So the SPF does 
help.

   

  -Matt

   

  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of 
Matthew J. Grim
  Sent: Sunday, June 29, 2008 1:25 AM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Backscatter Spam

   

  As an aside, Mdaemon has an excellent backscatter prevention system.

  They appear to be using BATV, an internet draft at the moment.

  Matt in Tampa
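
The BATV scheme Matt mentions (and that Matt at Mxuptime notes has to live in the MTA, because it rewrites the return address of outgoing mail) as an added example. This is not MDaemon's implementation and not Message Sniffer code. It follows the "prvs=" tag shape from the BATV draft (a key id digit, a three-digit expiry day, six hex digits of a hash); the exact HMAC input used here is this example's choice. The point for the joe-job traffic Darin describes is the inbound side: a null-sender message to an address that was never tagged is refused at RCPT TO, so the 25k bounces never reach the mailbox, while real bounces to the tagged address still arrive.

```python
"""Added example: BATV-style bounce address tagging (the 'prvs' scheme).

Not MDaemon's implementation and not Message Sniffer code.

Outbound, the MTA rewrites MAIL FROM:<user@example.com> to
MAIL FROM:<prvs=KDDDHHHHHH=user@example.com>: K a key id digit, DDD the expiry
day (days since 1970-01-01, mod 1000), HHHHHH six hex digits of an HMAC.
Inbound, a null-sender message (bounce, DSN, some auto-replies) is accepted
only if RCPT TO carries a tag that verifies and has not expired.
The HMAC input (tag + address) is this example's choice.
"""
from __future__ import annotations
import hashlib
import hmac
from datetime import date
from typing import Dict, Optional, Tuple

TAG_PREFIX = "prvs="
MAX_VALID_DAYS = 100     # largest window honoured; resolves the mod-1000 wrap
HEX = set("0123456789abcdef")


def _day_number(d: date) -> int:
    return (d - date(1970, 1, 1)).days


def _mac(key: bytes, tag: str, address: str) -> str:
    return hmac.new(key, f"{tag}{address}".encode(), hashlib.sha1).hexdigest()[:6]


def sign_sender(address: str, key: bytes, key_id: int = 0,
                valid_days: int = 7, today: Optional[date] = None) -> str:
    """Tagged envelope sender for outbound mail."""
    today = today or date.today()
    expiry = (_day_number(today) + valid_days) % 1000
    tag = f"{key_id % 10}{expiry:03d}"
    return f"{TAG_PREFIX}{tag}{_mac(key, tag, address)}={address}"


def verify_sender(candidate: str, keys: Dict[int, bytes],
                  today: Optional[date] = None) -> Tuple[bool, Optional[str]]:
    """Validate a possibly tagged address.  Returns (valid, untagged address)."""
    today = today or date.today()
    if not candidate.startswith(TAG_PREFIX):
        return False, None
    tag_and_mac, sep, address = candidate[len(TAG_PREFIX):].partition("=")
    if not sep or len(tag_and_mac) != 10:
        return False, None
    tag, mac = tag_and_mac[:4], tag_and_mac[4:]
    if not tag.isdigit() or not set(mac) <= HEX:
        return False, None                  # malformed: never reaches the MAC check
    key = keys.get(int(tag[0]))
    if key is None:
        return False, None                  # unknown or retired key id
    if not hmac.compare_digest(mac, _mac(key, tag, address)):
        return False, None                  # forged or tampered tag
    days_left = (int(tag[1:]) - _day_number(today)) % 1000
    if days_left > MAX_VALID_DAYS:
        return False, None                  # expiry day already passed
    return True, address


def rcpt_decision(mail_from: str, rcpt_to: str, keys: Dict[int, bytes],
                  today: Optional[date] = None) -> Tuple[str, str]:
    """Decision at RCPT TO.  Only null-sender mail is gated.  Ordinary mail to
    a valid tagged address (someone replying to the envelope sender) is
    delivered to the untagged mailbox."""
    valid, original = verify_sender(rcpt_to, keys, today)
    if mail_from == "" and not valid:
        return "reject", rcpt_to            # bounce for mail we never sent
    return "accept", original if valid else rcpt_to
```

The trade-off is the same one Darin describes for his NULL-sender filter, only narrower: an auto-reply or read receipt that is sent with a null envelope sender to the header From address, rather than to the envelope sender, will be refused, while anything that answers the envelope address (which is what a compliant bounce does) verifies and is delivered. Keys should be rotated by incrementing the key id and keeping the previous key in the table until its tags have expired, otherwise bounces for mail sent just before the rotation are lost.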


[sniffer] Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Pete,

There appears to be a problem with rule 1984485 this morning.  I'm getting a 
number of FP hits on it from AOL users.

Darin.


[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Any word on this?

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Friday, July 18, 2008 9:37 AM
Subject: [sniffer] Problem with Sniffer-Porn rule this morning


Pete,

There appears to be a problem with rule 1984485 this morning.  I'm getting a 
number of FP hits on it from AOL users.

Darin.


[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
We had 18 hits on it from ~6:40-9:30am EDT before putting in the rule panic, 5 
of which reached our hold weight.  We've had 27 more hits since adding the rule 
panic.

Darin.


- Original Message - 
From: Colbeck, Andrew 
To: Message Sniffer Community 
Sent: Friday, July 18, 2008 11:30 AM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning


I also have hit this. A single hit, also from AOL.


Andrew.





From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, July 18, 2008 6:37 AM
To: Message Sniffer Community
Subject: [sniffer] Problem with Sniffer-Porn rule this morning


Pete,

There appears to be a problem with rule 1984485 this morning.  I'm getting a 
number of FP hits on it from AOL users.

Darin.


[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Yes.  The rule is inert.  However, according to the logs the rule would have 
been hit 27 more times had we not added the rule panic.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Friday, July 18, 2008 12:16 PM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning


Hello Darin,

Friday, July 18, 2008, 11:39:47 AM, you wrote:

  We had 18 hits on it from ~6:40-9:30am EDT before putting in the rule 
panic, 5 of which reached our hold weight.  We've had 27 more hits since adding 
the rule panic.

When a rule panic is in place the rule should be inert.

Please check your snf_engine_cfg.log to see if the rule panic was picked up in 
your configuration.

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Hmmm... I don't think the rule was already pulled.  We update our rulebase upon 
receipt of the notification of a new rulebase being available, and according to 
our logs the rule was in until at least 11:24am EDT.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Friday, July 18, 2008 12:12 PM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning


Hello Darin,

Friday, July 18, 2008, 9:37:18 AM, you wrote:

  Pete,

  There appears to be a problem with rule 1984485 this morning.  I'm 
getting a number of FP hits on it from AOL users.

The rule has been pulled already.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Re: RulePanic on 2654821

2009-09-08 Thread Darin Cox
We had a lot... 534 hits between 3:26 and 4:41pm ET, which is when we added the 
rule panic.  It appears the rule was added in a rulebase that was automatically 
updated at 3:26pm ET.

Pete?  Status?

Darin.


- Original Message - 
From: Colbeck, Andrew 
To: Message Sniffer Community 
Sent: Tuesday, September 08, 2009 5:19 PM
Subject: [sniffer] Re: RulePanic on 2654821


The scores over here for the messages that trigger on rule 2654821 today:

spam that hit the rule: 4
... and were porn: 0
ham that was held by my weight system: 5
ham that was allowed by my weight system: 3
subsequent panic log lines: 139

Thanks for the heads up, Darin.

I was able to re-queue those 5 good messages without the users ever having to 
call the Helpdesk.


Andrew 8)





From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of 
Darin Cox
Sent: Tuesday, September 08, 2009 1:49 PM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 2654821


Neglected to mention it is a Sniffer-Porn rule.

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821


We had to put a RulePanic on 2654821.  We were getting a ton of FPs on it.

Pete, let us know what's going on with this rule, please.

Darin.



[sniffer] Re: Testing a black-list,.. want to help?

2010-01-22 Thread Darin Cox
Hi Pete,

We would be interested in testing the DNSBL.

Darin.


- Original Message - 
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, January 22, 2010 12:48 PM
Subject: [sniffer] Testing a black-list,.. want to help?


Hello sniffer folks,

I'm testing a dns based blocking list for a future product release.
The list works in the usual way and is derived from GBUdb IP reputation 
data.
The list I want to test contains IPs that are statistically in the 
Truncate range from the perspective of the larger cloud.

If you are interested in testing this for a time please email support@ 
and we will give you the domain for the list.

This might be particularly helpful for you if you are using a system 
that takes connections first and filters later.

We only have a few slots open for testing.

Thanks!

_M
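
The query side of the DNS-based list Pete describes ("works in the usual way"), as an added example that is not Message Sniffer code. The zone name dnsbl.example is a placeholder, since the post says the real one is handed out by support, and lookups go through a resolver callable so the constructed answers at the bottom run it offline. It also includes the pre-flight check a site needs before letting any list refuse connections at the front door, which is the use Pete suggests for systems that otherwise take the connection first and filter later: the RFC 5782 test addresses, so that a lapsed or parked zone answering for every name cannot silently reject all inbound mail.

```python
"""Added example: querying a DNSBL zone and gating it on a sanity check.

Not Message Sniffer code.  ZONE is a placeholder; FAKE_ZONE is constructed.
"""
from __future__ import annotations
import ipaddress
import socket
from typing import Callable, Iterable, List

ZONE = "dnsbl.example"                     # placeholder zone name
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")
Resolver = Callable[[str], Iterable[str]]  # name -> A records ([] if NXDOMAIN)


def dns_resolver(name: str) -> List[str]:
    """Real A lookup; empty list when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def query_name(ip: str, zone: str = ZONE) -> str:
    """The usual DNSBL convention: octets reversed, then the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str = ZONE, resolve: Resolver = dns_resolver) -> bool:
    """Only an answer inside 127.0.0.0/8 counts as a listing.  Any other
    address (a parked or wildcarded zone, a captive resolver) is ignored."""
    for answer in resolve(query_name(ip, zone)):
        try:
            if ipaddress.IPv4Address(answer) in LISTED_RANGE:
                return True
        except ValueError:
            continue
    return False


def zone_is_sane(zone: str = ZONE, resolve: Resolver = dns_resolver) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not.
    Check this before a list is allowed to reject connections."""
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))


def connect_decision(client_ip: str, zone: str = ZONE,
                     resolve: Resolver = dns_resolver) -> str:
    """Decide at connect time instead of after accepting the message.
    Fails open: a zone that fails its sanity check never blocks mail."""
    if not zone_is_sane(zone, resolve):
        return "accept"
    return "reject" if is_listed(client_ip, zone, resolve) else "accept"


# Constructed answers standing in for DNS (documentation address ranges).
FAKE_ZONE = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "7.2.0.192.dnsbl.example": ["127.0.0.2"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


def parked_resolver(name: str) -> List[str]:
    return ["203.0.113.5"]        # wildcard A record: every name "resolves"
```

In production the sanity check is cached and re-run on a timer rather than on every connection, but the fail-open behaviour should stay: the cost of a broken list is some spam accepted and filtered later, the cost of failing closed is an outage.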





[sniffer] RulePanic on 2908567

2010-02-03 Thread Darin Cox
We're noticing a lot of FPs on this rule, and have added a RulePanic entry.

Pete, is there a problem with it?

Darin.



[sniffer] Re: RulePanic on 2908567

2010-02-03 Thread Darin Cox
Update on this rule.  Hits started at ~9:20am ET.  We saw 365 hits in 40 
minutes before we added the rule panic, of which ~5% were FPs. We pulled it 
since that is a large number of FPs for a single rule.

In the next 20 minutes there were another 158 hits logged, but with the rule 
panic in place.

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Wednesday, February 03, 2010 9:02 AM
Subject: [sniffer] RulePanic on 2908567


We're noticing a lot of FPs on this rule, and have added a RulePanic entry.

Pete, is there a problem with it?

Darin.



[sniffer] Re: RulePanic on 2908567

2010-02-03 Thread Darin Cox
We're still seeing hits.  I assume the rule removal hasn't propagated to our 
rulebase yet?

BTW, we were seeing hits on the rule across a broad range of emails that 
related to passport.com.

Darin.


- Original Message - 
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, February 03, 2010 9:41 AM
Subject: [sniffer] Re: RulePanic on 2908567


Darin Cox wrote:
 We're noticing a lot of FPs on this rule, and have added a RulePanic
 entry.

 Pete, is there a problem with it?
The rule was for passport.com -- it has already been removed.

_M





[sniffer] Re: RulePanic on 3059196

2010-04-06 Thread Darin Cox
Hi Pete,

We've put a RulePanic in for 3059196, as we're getting a lot of FPs on it.

Can you look at this rule, and/or let me know what it is?

Thanks,

Darin.




[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Darin Cox
I'm seeing it, too.

Darin.


- Original Message - 
From: Peer-to-Peer (Support) suppor...@peertopeer.net
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, May 10, 2010 9:21 AM
Subject: [sniffer] Volume spike Mon 9AM EST


Just checking to see if anyone else is seeing a massive spike in volume.
Something started occurring around 9AM EST.  Not yet sure what's happening.

Wondering if this is global attack or simply local on our system?

Anyone seeing unusual activity - high volume?



--Paul R.









[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Darin Cox
Hi Pete,

No.  Not leakage.  Sniffer et al are doing their job well.

Just a large spike in incoming spam volume.  It settled down for us by about 
11am.

Darin.


- Original Message - 
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, May 10, 2010 11:46 AM
Subject: [sniffer] Re: Volume spike Mon 9AM EST


On 5/10/2010 11:12 AM, NetEase Operations Manager wrote:
 I am getting a lot of complaints from my customers concerning the huge
 spikes too.


Do you mean huge spikes in leakage?

Hope not-- because we're not seeing that in our instrumentation.
If anything is leaking please be sure to get it to us so we can filter it.

We did see a few short spikes for new campaigns that have a lot of
bandwidth behind them but those are well captured now and were captured
very quickly.

We would love to get our eyes on anything new that we're not already seeing.

_M


-- 
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com








[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Darin Cox
We had 231 hits on that rule from 12:15pm to 3:03pm ET.  At least 90% of them 
were FPs.  Since there was a broad spectrum of customers and content affected, 
I'm guessing there was an error or over-generalization in the rule.

Darin.


- Original Message - 
From: Colbeck, Andrew 
To: Message Sniffer Community 
Sent: Tuesday, August 17, 2010 3:31 PM
Subject: [sniffer] Re: Rule Panic on 3364665


I have seen one hit, and it looks like a false positive to me. Sent as a sample 
to the false@ address.

Thanks for the heads-up, Darin.


Andrew.





From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of 
Darin Cox
Sent: Tuesday, August 17, 2010 12:11 PM
To: Message Sniffer Community
Subject: [sniffer] Rule Panic on 3364665


Hi,

We've had a lot of FPs on this rule, and wanted to alert everyone on it.

Pete, can you look into it?

Thanks,

Darin.



[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Darin Cox
Thanks, Pete.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Tuesday, August 17, 2010 3:37 PM
Subject: [sniffer] Re: Rule Panic on 3364665


On 8/17/2010 3:10 PM, Darin Cox wrote: 
  Hi,

  We've had a lot of FPs on this rule, and wanted to alert everyone on it.

  Pete, can you look into it?

It's already dead.
It was a binary rule for an image spam.

_M



-- 
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com





[sniffer] RulePanic on 3741490

2011-01-07 Thread Darin Cox
Hi guys,

We're seeing a lot of FPs on 3741490 this morning.  I've added a RulePanic for 
it in our systems.

Roughly 150 FPs from 6:55am until a few minutes ago...

Darin.



[sniffer] Re: RulePanic on 3741490

2011-01-07 Thread Darin Cox
Hmmm... so 70 minutes after the rule was released we were notified of the rule 
update for auto-update of rulebase, but at 10:11ET we still hadn't gotten the 
update for the 8:53am removal.  Anything we can do to speed up the rulebase 
update notifications?

Also, for rules identified as problematic and removed, what about an automated 
email so we can remove it immediately via RulePanic.  For peak times like 
beginning of the business day, that would be very helpful.  An hour could save 
a lot of headaches for both us and our customers.  Or are there so many of 
those that we would be swamped with notifications?

Just trying to figure out a way to avoid this as much as possible in the 
future.  It cost me a half hour this morning, and, more importantly, delayed 
over 150 legitimate messages to our customers.

Thanks in advance for anything you can do.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Friday, January 07, 2011 11:27 AM
Subject: [sniffer] Re: RulePanic on 3741490


On 1/7/2011 10:19 AM, Darin Cox wrote: 
  Hi guys,

  We're seeing a lot of FPs on 3741490 this morning.  I've added a RulePanic 
for it in our systems.

The rule was created at 0539 and removed at 0853 when it was detected by our 
early warning system.
It codes for a binary segment found in some image files.

_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010



[sniffer] Re: RulePanic on 3741490

2011-01-07 Thread Darin Cox
H

Update notifications happen as soon as the rulebase compilers have created a 
new rulebase.

I don't know what your internal processes are, but if I understand this 
correctly the rule was created at 5:39am ET, and was compiled into the rulebase 
somewhere just before 8:53am ET, at which point update notifications were sent.

From the customer point of view, when the rule was created or removed doesn't 
really matter, and those times are meaningless to us.  What matters is when 
the rulebases that include them are published/updated, as that is what we key 
off of for updates.

We have features on the short list to automatically render removed rules inert 
in near real-time (within seconds)

Sounds good.  That would definitely be better than notifications for us to be 
able to put in RulePanics, assuming there's no negative effect to overall 
performance from checking each rule for active/inactive state.  I assume some 
sort of push mechanism to all subscribers, to notify their systems that a rule 
is no longer valid, is what you're planning here.

Best.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Friday, January 07, 2011 1:43 PM
Subject: [sniffer] Re: RulePanic on 3741490


On 1/7/2011 12:33 PM, Darin Cox wrote: 
  Hmmm... so 70 minutes after the rule was released we were notified of the 
rule update for auto-update of rulebase, but at 10:11ET we still hadn't gotten 
the update for the 8:53am removal.  Anything we can do to speed up the rulebase 
update notifications?

Update notifications happen as soon as the rulebase compilers have created a 
new rulebase. We are in the process of reworking our compiler cluster to 
improve its performance and further shorten update times.



  Also, for rules identified as problematic and removed, what about an 
automated email so we can remove it immediately via RulePanic.  For peak times 
like beginning of the business day, that would be very helpful.  An hour could 
save a lot of headaches for both us and our customers.  Or are there so many of 
those that we would be swamped with notifications?

We have features on the short list to automatically render removed rules inert 
in near real-time (within seconds).



  Just trying to figure out a way to avoid this as much as possible in the 
future.  It cost me a half hour this morning, and, more importantly, delayed 
over 150 legitimate messages to our customers.

We are constantly improving our process to minimize these cases, increase the 
speed with which we can detect and correct these, and add features to automate 
and expedite the process.



  Thanks in advance for anything you can do.

Thanks very much for your feedback!

_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010



[sniffer] FPs on Sniffer-Schemes

2012-03-12 Thread Darin Cox
Hi Pete,

We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.

Darin.


[sniffer] Re: FPs on Sniffer-Schemes

2012-03-12 Thread Darin Cox
More info...

Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST).  Not sure 
if the rule has been pulled or corrected yet.

Had 383 hits, and a very high percentage of those were FPs.  Don't have an 
exact number, due to having to release the messages quickly for delivery, but I 
expect at least 30% were FPs for us.  Most were referencing PO #s or orders for 
various customers.

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Monday, March 12, 2012 5:17 PM
Subject: [sniffer] FPs on Sniffer-Schemes


Hi Pete,

We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.

Darin.


[sniffer] Re: FPs on Sniffer-Schemes

2012-03-13 Thread Darin Cox
Hi Pete,

We are running the older version, and get our updates about every 50-60 
minutes.  We're using GBUdb as a test in Declude, separately from Message 
Sniffer.

I'll look up the info on upgrading gracefully.  Hadn't had much time to do that 
previously.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Monday, March 12, 2012 6:22 PM
Subject: [sniffer] Re: FPs on Sniffer-Schemes


On 3/12/2012 5:41 PM, Darin Cox wrote: 
  Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST). 
I think I can see part of the problem (possibly).
I do not have telemetry from your system (based on looking up your Id from your 
domain). I suspect this means that you are running an older version of SNF. By 
extension, that would mean a couple of things:

* Your rulebase update would not come as quickly as for most systems.
* Your SNF engine won't match on many of the newer rules.
* Your SNF engine will not have GBUdb and also will not be able to auto-panic 
new rules that conflict with IP reputation data.

Am I right about these assumptions?
If not, then we should figure out why I don't see your telemetry.

Thanks,

_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 




[sniffer] Re: GBUdb Tool

2012-11-27 Thread Darin Cox

Hi Pete,

Would you mind sharing your calculations of confidence and probability?  I'm 
looking at the stats for p=1.0 and curious about the low confidence values. 
I would have expected high confidence where there were no good samples and a 
lot of bad... or do I have something backwards?


Also, while it's easy to parse, it might be nice if the output had one 
delimiter between fields instead of being both tab and comma delimited. 
Makes importing into a database for analysis much easier.


Appreciate it,

Darin.

-Original Message- 
From: Pete McNeil

Sent: Friday, November 23, 2012 3:43 PM
To: Message Sniffer Community
Subject: [sniffer] GBUdb Tool

Hello Sniffer Folks,

We have been playing with a new utility that some of you may enjoy.

http://www.armresearch.com/message-sniffer/download/GBUDBTool-V0.1.zip

GBUDB Tool allows you to create a list of IP addresses from your GBUdb
snapshots (.gbx files). You can select IPs that are blacker or
whiter than a provided probability figure and confidence figure. It
outputs one IP per line, optionally with details about the statistics
for the IP. This can be useful for feeding-forward blacklists to block
at your firewall or for other research purposes.

Run GBUDBTool without any parameters and it will tell you about its
command line options.

Please let us know if there is more we can do.

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller







[sniffer] Re: IP Change on rulebase delivery system

2013-03-27 Thread Darin Cox
Probably unrelated... and due to a significant increase in spam over the 
past few days.

Darin.



From: Richard Stupek
Sent: Wednesday, March 27, 2013 2:18 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

Not sure if it's related but since yesterday SNFserver CPU utilization has 
been inordinately high (50%) for the middle of the day with not any 
additional volume in mail being received.


On Mon, Mar 25, 2013 at 9:13 AM, Pete McNeil madscient...@armresearch.com 
wrote:

  Hi Sniffer Folks,

  We are about to change the IP of the rulebase delivery system. This change 
should be completely transparent and you should not need to take any action; 
however if you do notice anything unusual please let us know.

  Thanks,

  _M

  -- 
  Pete McNeil
  Chief Scientist
  ARM Research Labs, LLC
  www.armresearch.com
  866-770-1044 x7010
  twitter/codedweller






[sniffer] Re: IP Change on rulebase delivery system

2013-03-28 Thread Darin Cox
Richard,

Do you have any directories with a large number of files (4k)?  We had a 
similar problem a few months back with sniffer scans taking much longer to 
complete and sniffer temporary files being left over.  We finally traced the 
performance issues to a frequently accessed directory with thousands of 
files.  We’ve also seen issues in the past with directories with a large 
number of files being very poor performing.

Darin.



From: Richard Stupek
Sent: Thursday, March 28, 2013 12:10 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

Ok looking at the log I see quite a few messages taking over a second to 
process (samples below):

<s u='20130328155503' m='\temp\1332407477322.msg' s='0' r='0'>
<p s='1172' t='1109' l='72697' d='127'/>
<g o='0' i='12.130.136.172' t='u' c='0.486243' p='-0.625' r='Normal'/>
</s>

<s u='20130328155506' m='\temp\1332407477336.msg' s='60' r='5113015'>
<m s='60' r='5113015' i='235' e='280' f='m'/>
<m s='60' r='4346940' i='16722' e='16812' f='m'/>
<p s='1141' t='937' l='16658' d='129'/>
<g o='0' i='192.210.233.215' t='u' c='0.360316' p='0.575758' r='Normal'/>
</s>

<s u='20130328155513' m='\temp\1332407477360.msg' s='52' r='5470216'>
<m s='52' r='5470216' i='235' e='295' f='m'/>
<m s='52' r='5471910' i='949' e='1009' f='m'/>
<m s='52' r='5431546' i='1074' e='1200' f='m'/>
<m s='52' r='5479780' i='1857' e='1933' f='m'/>
<m s='62' r='5303955' i='82' e='2688' f='m'/>
<m s='52' r='5400681' i='1818' e='9143' f='m'/>
<p s='1031' t='750' l='8538' d='130'/>
<g o='0' i='192.210.134.21' t='u' c='0.545993' p='0.82' r='Black'/>
</s>

<s u='20130328155622' m='\temp\1332407477655.msg' s='60' r='5538969'>
<m s='60' r='5538969' i='221' e='236' f='m'/>
<m s='61' r='5448415' i='2283' e='2297' f='m'/>
<m s='61' r='5438936' i='2247' e='2337' f='m'/>
<m s='60' r='5404555' i='15832' e='15850' f='m'/>
<m s='60' r='5539002' i='16033' e='16074' f='m'/>
<m s='62' r='5437246' i='30967' e='30985' f='m'/>
<p s='1219' t='1312' l='17171' d='135'/>
<g o='0' i='205.234.138.240' t='u' c='0.634697' p='0.763214' r='Normal'/>
</s>




On Wed, Mar 27, 2013 at 4:42 PM, Pete McNeil madscient...@armresearch.com 
wrote:

  On 2013-03-27 17:16, Richard Stupek wrote:

The spikes aren't as prolonged at the present.



  Interesting. A short spike like that might be expected if the message was 
longer than usual, but on average SNF should be very light-weight.

  One thing you can check is the performance data in your logs. That will 
show how much time in cpu milliseconds it is taking for each scan and how 
long the scans are in bytes. This might shed some light.

  
http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp

  Look for something like <p s='10' t='8' l='3294' d='84'/> in each scan.

  From the documentation:


<s><p/></s> - Scan Performance Monitoring (performance='yes')
p:s = Setup time in milliseconds
p:t = Scan time in milliseconds
p:l = Scan length in bytes
p:d = Scan depth (peak evaluator count)



  Best,


  _M


  -- 
  Pete McNeil
  Chief Scientist
  ARM Research Labs, LLC
  www.armresearch.com
  866-770-1044 x7010
  twitter/codedweller






[sniffer] Re: How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)

2013-03-28 Thread Darin Cox
Nice stats, Andrew!

And Pete, thanks for spending so much time and effort to make it work so 
well, despite us beating on you because it doesn’t catch every spam campaign 
from the very first message!  Sniffer has always been our number one tool in 
this battle.

Darin.



From: Colbeck, Andrew
Sent: Thursday, March 28, 2013 7:50 PM
To: Message Sniffer Community
Subject: [sniffer] How fast is *my* MessageSniffer? (was: IP Change on 
rulebase delivery system)

Answer: pretty darn fast for a system that I think is slow anyway



I think my MTA is a busy system, and I know that it’s not MessageSniffer 
that keeps the server busy. A glance with Task Manager or Process Explorer 
shows very little CPU time is spent by MessageSniffer.



I threw some grepping etc and then Excel at the xml file for one average 
business day and came up with…

25% of messages are scanned within 100ms
50% of messages are scanned within 140ms
99% of messages are scanned within 330ms

I also looked at the “setup time”. I’ll spare you the graph; my results are:

80% of messages are loaded so quickly that the time is recorded as zero ms
85% of messages are loaded in 15ms or fewer
95% of messages are loaded in 30ms or fewer
99% of messages are loaded in 125ms or fewer

Actually, everything above 98% of my volume takes longer to load but for a 
ridiculously smaller volume of messages. A spot check shows that those are 
indeed rodents messages of unusual size.

Thanks for the nudge, Pete. I knew MessageSniffer was fast, I just hadn’t 
bothered to quantify it before.





Andrew.





-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf 
Of Pete McNeil
Sent: Wednesday, March 27, 2013 2:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system



On 2013-03-27 17:16, Richard Stupek wrote:

 The spikes aren't as prolonged at the present.



Interesting. A short spike like that might be expected if the message was 
longer than usual, but on average SNF should be very light-weight.



One thing you can check is the performance data in your logs. That will show 
how much time in cpu milliseconds it is taking for each scan and how long 
the scans are in bytes. This might shed some light.



http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp



Look for something like <p s='10' t='8' l='3294' d='84'/> in each scan.



From the documentation:



 <s><p/></s> - Scan Performance Monitoring (performance='yes')
 p:s = Setup time in milliseconds
 p:t = Scan time in milliseconds
 p:l = Scan length in bytes
 p:d = Scan depth (peak evaluator count)





Best,



_M





--

Pete McNeil

Chief Scientist

ARM Research Labs, LLC

www.armresearch.com

866-770-1044 x7010

twitter/codedweller







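Pete's description of the `<p s= t= l= d=/>` performance element and Andrew's percentile figures above are two halves of the same analysis. As an added example (not code from the SNF project or from anyone on the list), the Python below parses activity-log scan records, computes scan-time and setup-time percentiles, and lists scans over a threshold with their ms per KiB, so a merely large message can be told apart from a slow engine. The record layout and the meaning of the `<g>` attributes are assumptions taken from the excerpts in the thread; the sample records are constructed.

```python
"""Summarize scan performance from SNF (Message Sniffer) activity logs.

Added example, not code from the SNF project or from anyone on the list.
Assumed record layout, from the excerpts and Pete's description in the thread:
<s u='stamp' m='file' s='result' r='rule'> holds <m .../> rule matches, one
<p s= t= l= d=/> element (setup ms, scan ms, bytes, peak evaluator count) and,
with GBUdb on, <g i='ip' c= p= r='range'/>, whose meanings are inferred.
"""
import math
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records shaped like the excerpts posted on the list
# (made-up paths, rule ids and timings; RFC 5737 documentation IPs).  The
# last record is deliberately truncated, as a log cut off by a restart might be.
SAMPLE_LOG = r"""<s u='20130328155503' m='\temp\1001.msg' s='0' r='0'>
<p s='0' t='95' l='3294' d='84'/>
<g o='0' i='192.0.2.10' t='u' c='0.48' p='-0.62' r='Normal'/>
</s>
<s u='20130328155506' m='\temp\1002.msg' s='60' r='5113015'>
<m s='60' r='5113015' i='235' e='280' f='m'/>
<p s='12' t='140' l='16658' d='129'/>
<g o='0' i='192.0.2.11' t='u' c='0.36' p='0.57' r='Normal'/>
</s>
<s u='20130328155513' m='\temp\1003.msg' s='52' r='5470216'>
<m s='52' r='5470216' i='235' e='295' f='m'/>
<p s='30' t='1109' l='72697' d='130'/>
<g o='0' i='198.51.100.7' t='u' c='0.54' p='0.82' r='Black'/>
</s>
<s u='20130328155622' m='\temp\1004.msg' s='0' r='0'>
<p s='125' t='330' l='17171' d='135'/>
</s>
<s u='20130328155630' m='\temp\1005.msg' s='0' r='0'>
<p s='1' t='2' l='3' d='4'
</s>
"""
RECORD_RE = re.compile(r"<s\b[^>]*>.*?</s>", re.S)


@dataclass
class Scan:
    path: str                   # m= message file that was scanned
    result: int                 # s= result code returned (0 = no rule matched)
    matches: int                # number of <m/> rule-match elements
    setup_ms: int               # p:s setup time in milliseconds
    scan_ms: int                # p:t scan time in (cpu) milliseconds
    length: int                 # p:l scan length in bytes
    source_ip: Optional[str]    # g:i connecting IP, when GBUdb data exists
    gbudb_range: Optional[str]  # g:r GBUdb band, e.g. Normal or Black


def parse_log(text: str) -> List[Scan]:
    """Extract every complete <s>...</s> record; skip damaged ones."""
    scans: List[Scan] = []
    for found in RECORD_RE.finditer(text):
        try:
            el = ET.fromstring(found.group(0))
        except ET.ParseError:
            continue  # truncated record: nothing trustworthy to count
        perf = el.find("p")
        if perf is None:
            continue  # performance='yes' was not on for this scan
        gb = el.find("g")
        scans.append(Scan(
            path=el.get("m", ""), result=int(el.get("s", "0")),
            matches=len(el.findall("m")),
            setup_ms=int(perf.get("s", "0")), scan_ms=int(perf.get("t", "0")),
            length=int(perf.get("l", "0")),
            source_ip=None if gb is None else gb.get("i"),
            gbudb_range=None if gb is None else gb.get("r")))
    return scans


def percentile(values: List[int], q: float) -> int:
    """Nearest-rank percentile: smallest sample that q% of samples do not exceed."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    return ordered[max(1, math.ceil(q / 100.0 * len(ordered))) - 1]


def summarize(scans: List[Scan]) -> Dict[str, object]:
    """The kind of figures Andrew reported, plus GBUdb 'Black' sources seen."""
    scan_t, setup_t = [s.scan_ms for s in scans], [s.setup_ms for s in scans]
    return {"count": len(scans),
            "scan_ms": {q: percentile(scan_t, q) for q in (25, 50, 99)},
            "setup_ms": {q: percentile(setup_t, q) for q in (80, 95, 99)},
            "black_sources": sorted({s.source_ip for s in scans
                                     if s.gbudb_range == "Black" and s.source_ip})}


def slow_scans(scans: List[Scan], slow_ms: int = 1000) -> List[Dict[str, object]]:
    """Scans over slow_ms with ms per KiB: a long message at the usual rate is
    expected (Pete's point); a rate far above the rest points at engine or host."""
    return [{"path": s.path, "scan_ms": s.scan_ms, "length": s.length,
             "ms_per_kib": round(s.scan_ms / (max(s.length, 1) / 1024.0), 1)}
            for s in scans if s.scan_ms > slow_ms]
```

Run it against a real log by passing the file contents to `parse_log` instead of `SAMPLE_LOG`; the truncated sample record shows why damaged records are skipped rather than allowed to abort the whole summary.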

[sniffer] Re: Slow processing times, errors

2013-06-27 Thread Darin Cox
When we had sluggish performance similar to yours, resulting in numerous 
sniffer .tmp files in the spool, the cause was eventually traced to a 
proliferation of files in the sniffer directory.  Clearing them out brought 
performance back up to normal.

Darin.



From: e...@protologic.com
Sent: Thursday, June 27, 2013 5:17 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Slow processing times, errors

We were experiencing this several days ago and couldn't find a fix that 
worked or worked for long. We uninstalled SNF and reinstalled and have not 
detected a problem since. I will check the logs and report back if I see 
anything intermittent.




Sent using SmarterSync Over-The-Air sync for iPad, iPhone, BlackBerry and 
other SmartPhones. May use speech to text. If something seems odd please 
don't hesitate to ask for clarification. E.O.E.

On 2013-06-27, at 2:06 PM, Matt wrote:

 Pete,

 I've had many recent incidences where, as it turns out, SNFclient.exe 
 takes 30 to 90 seconds to respond to every message with a result code 
 (normally less than a second), and as a result backs up processing. 
 Restarting the Sniffer service seems to do the trick, but I only tested 
 that for the first time today after figuring this out.

 I believe the events are triggered by updates, but I'm not sure as of yet. 
 Updates subsequent to the slow down do not appear to fix the situation, so 
 it seems to be resident in the service. When this happens, my 
 SNFclient.exe.err log fills up with lines like this:

 20130627155608, arg1=F:\\proc\work\D6063018a2550.smd : Could Not 
 Connect!

 At the same time, my Sniffer logs start showing frequent ERROR_MSG_FILE 
 results on about 1/8th of the messages.

 I'm currently using the service version 3.0.2-E3.0.17. It's not entirely 
 clear to me what the most current one is.

 Any suggestions as to the cause or solution?

 Thanks,

 Matt






[sniffer] Re: Slow processing times, errors

2013-06-27 Thread Darin Cox
Hi Matt,

We started having that problem coincidentally right after we upgraded to 
3.x.  For us the .tmp file creation in the spool was indicative of sniffer 
processing delays.  We do have Sniffer modifying headers.

Darin.



From: Matt
Sent: Thursday, June 27, 2013 5:32 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Slow processing times, errors

Darin,

I'm not seeing that sort of thing.  With 3.x, there doesn't appear to be any 
extraneous file creation in the Sniffer program directory, and never any TMP 
files in my spool.  I do not have Sniffer modifying headers, so that may be 
different on our systems.

Matt



On 6/27/2013 5:25 PM, Darin Cox wrote:

  When we had sluggish performance similar to yours, resulting in numerous 
sniffer .tmp files in the spool, the cause was eventually traced to a 
proliferation of files in the sniffer directory.  Clearing them out brought 
performance back up to normal.

  Darin.



  From: e...@protologic.com
  Sent: Thursday, June 27, 2013 5:17 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Slow processing times, errors

  We were experiencing this several days ago and couldn't find a fix that 
worked or worked for long. We uninstalled SNF and reinstalled and have not 
detected a problem since. I will check the logs and report back if I see 
anything intermittent.




  Sent using SmarterSync Over-The-Air sync for iPad, iPhone, BlackBerry and 
other SmartPhones. May use speech to text. If something seems odd please 
don't hesitate to ask for clarification. E.O.E.

  On 2013-06-27, at 2:06 PM, Matt wrote:

   Pete,
  
   I've had many recent incidences where, as it turns out, SNFclient.exe 
takes 30 to 90 seconds to respond to every message with a result code 
(normally less than a second), and as a result backs up processing. 
Restarting the Sniffer service seems to do the trick, but I only tested that 
for the first time today after figuring this out.
  
   I believe the events are triggered by updates, but I'm not sure as of 
yet. Updates subsequent to the slow down do not appear to fix the situation, 
so it seems to be resident in the service. When this happens, my 
SNFclient.exe.err log fills up with lines like this:
  
   20130627155608, arg1=F:\\proc\work\D6063018a2550.smd : Could Not 
Connect!
  
   At the same time, my Sniffer logs start showing frequent 
ERROR_MSG_FILE results on about 1/8th of the messages.
  
   I'm currently using the service version 3.0.2-E3.0.17. It's not entirely 
clear to me what the most current one is.
  
   Any suggestions as to the cause or solution?
  
   Thanks,
  
   Matt
  
  
   #
   This message is sent to you because you are subscribed to
   the mailing list .
   This list is for discussing Message Sniffer,
   Anti-spam, Anti-Malware, and related email topics.
   For More information see http://www.armresearch.com
   To unsubscribe, E-mail to:
   To switch to the DIGEST mode, E-mail to
   To switch to the INDEX mode, E-mail to
   Send administrative queries to
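Added example (not code from the thread or from ARM Research): a small log check that parses SNFclient.exe.err lines in the format Matt quotes above and flags any minute with a burst of "Could Not Connect!" results, so the slowdown can be spotted from the log instead of from the processing backlog. The sample lines, the one-minute bucketing and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of SNFclient.exe.err lines, following the format quoted
# in the post: "<YYYYMMDDHHMMSS>, arg1=<message file> : <result text>".
# Paths and message ids are made up; the last line is deliberate noise.
SAMPLE_ERR_LOG = r"""
20130627155608, arg1=F:\proc\work\D6063018a2550.smd : Could Not Connect!
20130627155611, arg1=F:\proc\work\D6063018a2551.smd : Could Not Connect!
20130627155640, arg1=F:\proc\work\D6063018a2552.smd : Could Not Connect!
20130627155702, arg1=F:\proc\work\D6063018a2553.smd : Could Not Connect!
20130627155730, arg1=F:\proc\work\D6063018a2554.smd : Some Other Error
not a log line
"""

# Timestamp, message file path (non-greedy, up to the " : " separator), result text.
LINE_RE = re.compile(r"^(?P<ts>\d{14}), arg1=(?P<path>.+?) : (?P<msg>.+)$")


def parse_err_lines(text):
    """Return (timestamp, path, message) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")
        events.append((ts, m.group("path"), m.group("msg")))
    return events


def connect_failures_per_minute(events):
    """Count 'Could Not Connect' results per calendar minute."""
    counts = Counter()
    for ts, _path, msg in events:
        if msg.startswith("Could Not Connect"):
            counts[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return counts


def alert_minutes(counts, threshold):
    """Minutes whose failure count reached the threshold, in time order."""
    return sorted(minute for minute, n in counts.items() if n >= threshold)


def scan(text, threshold=3):
    """Convenience wrapper: raw .err text in, list of alerting minutes out."""
    return alert_minutes(connect_failures_per_minute(parse_err_lines(text)), threshold)


if __name__ == "__main__":
    for minute in scan(SAMPLE_ERR_LOG):
        print("SNFclient connect failures burst at", minute)
```

Point it at the real SNFclient.exe.err file (read its contents into `scan`) and schedule it; a non-empty result is the cue to check the Sniffer service before the queue backs up.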
  





[sniffer] Re: What is your oldest production CPU?

2013-12-27 Thread Darin Cox

Hi Pete,

Our oldest production servers still have 1.1 - 1.4 GHz P3's in them. 
However, for mail our oldest are quad core 3 GHz Xeons.


Darin.

-Original Message- 
From: Pete McNeil

Sent: Friday, December 27, 2013 9:43 AM
To: Message Sniffer Community
Subject: [sniffer] What is your oldest production CPU?

Hello Sniffer Folks,

We would like to know what your oldest production CPU is.

When building new binaries of SNF or its utilities we would like to
select the newest CPU we can without leaving anybody behind.

We're also evaluating whether we should split binaries into a
compatible version based on Intel i686 (or equivalent AMD), and a
current version based on Intel Core2 (or equivalent AMD).

Please respond here.

Thanks for your time!!

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller


#
This message is sent to you because you are subscribed to
 the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com

